The EU AI Act Is a Cautionary Tale in Open-Source AI Regulation

The European Union’s window of opportunity to get the Artificial Intelligence Act (AI Act) right is quickly closing. The European Commission is pushing to conclude its negotiations on the legislation with the European Council and Parliament before the year ends. There are several areas of disagreement left to hash out within the text, including which agencies should enforce the requirements of the law and what the process for redress should be for individuals who are harmed by AI systems. Still, one of the most glaring problems in the Act’s current form is how it would create unreasonable requirements for developers of open-source AI systems. The EU is unlikely to fix its mistakes in time, but other countries should not follow its lead, as doing so would undermine innovation in open-source AI models.

Open-source AI models are systems whose code and design are freely accessible, allowing developers, researchers, and the public to use, modify, and distribute them for various applications. The fact that users have downloaded millions of copies of open-source AI models from HuggingFace, a data science platform that hosts hundreds of these models, is a testament to the value of these models to the AI ecosystem. These include state-of-the-art pre-trained models for natural language processing, image generation, and audio generation. Meta’s language model Llama 2 is another example, with the company open-sourcing both model weights, which provide the parameters that the model uses to make predictions and starting code for pre-trained and fine-tuned versions of the model. Additionally, Llama 2 has been made freely available for commercial use. In contrast, closed-source AI models, often proprietary in nature, keep their code and inner workings under wraps. A case in point is Google’s LaMDA, a language model that powers Bard, Google’s conversational AI service.

The EU AI Act would impose the same stringent requirements on open-source foundation models as it does on closed-source models. The proposed bill states that “[a] provider of a foundation model shall, prior to making it available on the market or putting it into service, ensure that it is compliant with the requirements set out in this Article, regardless of whether it is provided as a standalone model or embedded in an AI system or a product, or provided under free and open source licenses, as a service, as well as other distribution channels.” The obligations for these models include risk mitigation strategies, data governance measures, and a ten-year documentation requirement, among others.

The one-size-fits-all approach of the EU AI Act, which demands comprehensive control over the development process, creates significant and impractical barriers for providers of open-source foundation models. A key question arises: who is responsible for maintaining ten years of documentation after a foundation model is deployed, as mandated by Article 28b(3) of the Act, especially when the model is a product of decentralized, open-source collaboration? Consider BLOOM, an open multilingual language model developed by a consortium of 1,000 AI researchers, primarily academics. Under the current stipulations, these researchers would be obligated to maintain extensive documentation for their model. Further, the language in Article 28b(2(a)) seems to imply that providers of foundation models would be required to contract third-party specialists to audit their systems, which would be costly. However, unlike closed-source AI systems, open-source systems already permit independent experts to scrutinize them by the very nature that they are openly available, making this requirement an unnecessarily costly requirement for open-source AI.

In fact, open-source providers already score more highly on compliance with the draft EU AI Act than closed-source providers, according to a recent paper from Stanford researchers. The authors found “a clear dichotomy in compliance as a function of release strategy.” Major open-source foundation models generally performed better than closed-source ones at meeting the draft law’s requirements for disclosing information about its training data and compute usage, whereas closed-source models performed better on “deployment-related requirements.” This finding suggests that rather than focusing on stringent and unfeasible requirements for open-source AI developers, policymakers should focus on promoting policies that support accountability measures for deployers of their foundation models. In other words, regulate specific high-risk AI applications, not the underlying AI models. 

As it stands, the EU AI Act would stifle open-source development of AI models, which would, in turn, hinder innovation and competition within the AI industry. Many open-source AI innovations have found their way into several commercial applications. Indeed, more than 50,000 organizations use the open-source models on HuggingFace’s platform. But open-source AI models don’t only enable greater competition and lower the barriers to entry for new entrants to the AI space; they enable transparency and robust evaluation of systems.

The EU AI Act, in its current form, risks creating a regulatory environment that is not only burdensome and inappropriate for open-source AI developers but also counterproductive to the broader goals of fostering innovation, transparency, and competition in the AI sector. As the EU’s ongoing negotiations over the AI Act continue, particularly around the regulation of foundation models, policymakers need to adequately address these issues. If they do not amend the Act to better accommodate the unique nature and contributions of open-source AI, it could hamper the progress and openness in the AI sector. It is crucial for policymakers to recognize and preserve the distinct advantages that open-source AI brings to the technological landscape, ensuring that regulations are both effective and conducive to the continued growth and dynamism of the AI field.