AI regulation: What businesses need to know in 2025

Generative AI tools go mainstream

In 2023, generative artificial intelligence systems -- tools based on machine learning algorithms and capable of producing new content such as images, text or audio -- became ubiquitous in public discourse. Companies began scrambling to understand, embrace and effectively implement OpenAI's GPT-4 and other large language models and algorithms. The potential benefits for companies of all sizes have come into sharp focus: greater efficiencies in processes, reductions in human errors, reduced costs through automation, and discovery of unknown and unanticipated insights in the massive and growing heaps of proprietary and public domain data.

As AI's capabilities and business benefits have grown, however, so have its complexities and risks, driving governments worldwide to address how best to protect the public while not stifling innovation.

The urgency of AI regulation

Governments today are laser-focused on regulating AI. Perennial concerns such as consumer protection, civil liberties, intellectual property rights and fair business practices largely explain the interest of legislators around the world in AI.

But at least as important as safeguards for citizens against the downsides of AI is the competition among governments for supremacy in AI. Attracting brains and businesses necessarily means creating predictable and navigable regulatory environments in which AI enterprises can thrive.

In effect, governments are confronting an AI regulatory Scylla and Charybdis: on the one hand, seeking to protect citizens from the very real downsides of AI implementation at scale, and on the other, needing to engineer governance regimes for a complex and dynamic train of AI shock waves that are starting to permeate society -- all while not impeding the advancement of the underlying technologies.

Amid the rapid evolution and adoption of AI tools, AI regulations and regulatory proposals are spreading almost as rapidly as AI applications.

U.S. regulatory protections and policies

In the U.S., government at every level is actively working to implement new regulatory protections and related frameworks and policies designed to simultaneously cultivate AI development and curb AI-enabled societal harms.

Federal AI regulation. AI risk assessment is presently a top priority for the federal government. Congress has made considerable progress in passing laws that support domestic AI research and the implementation of AI within federal agencies, such as the National AI Initiative Act of 2020 and the AI in Government Act of 2020, respectively.

U.S. lawmakers are particularly sensitive to the difficulties of understanding how algorithms are created and how they arrive at certain outcomes. So-called black box systems make it difficult to mitigate risk or map processes and enable documentation of their effects on citizens.

To address these issues, the Algorithmic Accountability Act (H.R. 5628; S.2892) is presently being debated in Congress. If it becomes law, it would require entities that use generative AI systems in critical decisions pertaining to housing, healthcare, education, employment, family planning and personal areas of life to determine impacts on citizens before and after the algorithms are used.

Protection of intellectual property is also a priority for Congress, as indicated by its consideration of the NO FAKES Act of 2024 (H.R. 9551). Should it survive Congress and become enforced law, the NO FAKES Act would provide significant protection against AI-enabled infringement of intellectual property rights related to an individual's voice and likeness.

The most significant domestic federal action, however, has been Executive Order (EO) 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, released by President Joe Biden's administration in October 2023. Building upon the White House's Blueprint for an AI Bill of Rights and AI Risk Management Framework promulgated by the National Institute of Standards and Technology, the EO marks a new level of aggressiveness in the government's efforts to promulgate responsible AI deployment and use.

Focusing on federal agency usage, regulation of domestic industry and collaboration with likeminded international partners, the EO expresses regulatory ambition manifested in at least eight discrete goals:

1. Mitigation of risks posed by the increased adoption of AI in industry and private use.
2. AI talent acquisition and consolidation by attending to the concerns of small business founders and intellectual property protection.
3. Protection for workers whose livelihoods will likely be significantly affected by generative AI.
4. Protection of civil rights via intensified monitoring and mitigation of AI biases.
5. Stronger consumer protections.
6. Greater protection of consumer data, personal data and privacy.
7. More efficient use of generative AI in federal government with greater oversight and guardrails.
8. U.S. leadership in the global governance of AI, ideally in collaboration with international partners.

But an EO should not be confused with legislation. Though they have the effect of law, executive orders can be revoked by a subsequent president at any time. Accordingly, EO 14110 has a good chance of being revoked by the new incoming presidential administration as soon as January 2025.

U.S. state and city AI regulation. States, too, are joining the race to regulate AI. California, Connecticut, Texas and Illinois are each attempting to strike the same balance as the federal government: encouraging innovation, while protecting constituents from AI downsides.

Colorado and Utah have made headway with the passage of laws that strengthen consumer protection laws against AI, while New Hampshire has passed a law that protects its citizens from AI surveillance by their state. Arguably, Colorado has gone furthest with its Algorithm and Predictive Model Governance Regulation, which would impose nontrivial requirements on the use of AI algorithms by Colorado-licensed life insurance companies.

Similarly, municipalities are moving ahead with their own AI ordinances. New York City is leading the way with Local Law 144, which focuses on automated employment decision tools -- that is, AI used in the context of human resource activities. Other U.S. cities are bound to follow the Empire City's lead in short order.

Global AI regulations

In Europe, the dominant source of AI governance is the European Union's Artificial Intelligence Act, which went into effect on Aug. 1, 2024, and applies to all 27 member countries. It is expected to be fully implemented by Aug. 2, 2026.

Like the Blueprint for an AI Bill of Rights in the U.S., the main objective of the EU's AI Act is to require developers who create or work with AI applications associated with high risk to test their systems, document their use of them and mitigate risks by taking appropriate safety measures. Importantly, the EU AI Act will likely generate a "Brussels effect," or significant regulatory reverberations well beyond the bounds of Europe.

China's Interim Measures for the Management of Generative Artificial Intelligence Services was enacted Aug. 15, 2023, following a period of public comment. The Cyberspace Administration was the primary agency behind the measures, which focus on regulating generative AI services provided to users in mainland China.

The Canadian Parliament is currently debating the Artificial Intelligence and Data Act, a legislative proposal designed to harmonize AI laws across its provinces and territories, with particular focuses on risk mitigation and transparency.

Across the Americas and Asia, at least eight other countries are at various stages of developing their own regulatory approaches to governing AI.

Potential impact of AI regulation on companies

For companies located in, doing business in or searching for talent in one or more of the above-mentioned jurisdictions, the significance of this regulatory ferment is twofold.

First, companies should anticipate a continued and perhaps accelerated rate of arrival of new regulatory proposals and enforced laws across all major jurisdictions and across all levels of government, combined with a potential reversal of EO 14110, over the next 12 months.

This crescendo of regulatory activity will very likely lead to at least two predictable outcomes: increased complexity of doing business, and increased compliance costs. A veritable thicket of AI regulation will require new expertise and likely regular updating from AI law specialists in order to assure workplace compliance as well as compliance in engagements with clients and customers, particularly in highly regulated industries.

A particularly thorny issue will likely be the potential interactions between AI policies and preexisting regulations. For example, in the U.S. context, the Federal Trade Commission has clearly signaled its intention to clamp down on exaggerated claims for enterprise AI. Companies will need to be especially aware of the ways that old laws apply to new algorithms, rather than simply focusing on the new laws that contain "AI" in their titles.

As well, businesses will need to be extremely careful in engaging with newly minted vendors emerging to facilitate the soon-to-be-common legal requirements for various types of AI use certification. Finding trustworthy vendors -- or in all likelihood, certified certifiers -- will be essential to not only complying with any new laws, but also signaling to consumers that they are as safe as possible, and to satisfying business insurers that companies are effectively managing AI risks.

The immediate future of AI regulation will almost certainly continue to be a bumpy road. Companies that stay focused on their missions, and that embrace AI with clear eyes and without being seduced by the hype, while simultaneously sourcing high-quality legal advice and effectively implementing it, will fare well.

Michael Bennett is director of educational programs, policy and law in the Institute for Experiential Artificial Intelligence at Northeastern University in Boston. Previously, he served as Discovery Partners Institute's director of student experiential immersion learning programs at the University of Illinois. He holds a JD from Harvard Law School.