How should the law define AI?
How do you regulate something which has no single clear definition? Here's my idea...and it's inspired by legos.
Author’s note: This article will be continuously tested, reviewed and revised.
Last update: 12 May 2024.
Law is built on definitions (which drive the scope of the law). In some cases, definitions are relatively straightforward or non-contentious to draft. But in other fields, definitions can be a fundamental threshold roadblock that stumps policymakers.
AI is an example of the latter case. Since the launch of ChatGPT in late 2022, AI regulation has moved from a niche topic to a global concern, with governments striving to ensure safe AI use while mitigating risks like misinformation and privacy breaches. However, the lack of a universally accepted definition of AI complicates this process, leaving each government to determine its own interpretation for regulatory purposes.
But I might have a suggestion...and it’s inspired by lego pieces 🤭
The challenge with defining AI
There is no one universally accepted definition of AI. What AI should or should not cover has been a long-debated topic among technologists, governments, legal theorists, etc.
In fact, when you search for “definition of AI” in Google, you’ll get a bunch of different results, such as the below (just to list a few examples):
“The ability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings.” (Britannica)
“The capacity of computers or other machines to exhibit or simulate intelligent behaviour; the field of study concerned with this.” (Oxford Dictionary)
“The science and engineering of making intelligent machines.” (Stanford)
“A technical and scientific field devoted to the engineered system that generates outputs such as content, forecasts, recommendations or decisions for a given set of human-defined objectives.” (International Organisation for Standardisation)
AI includes “(1) systems that think like humans (e.g. cognitive architectures and neural networks); (2) systems that act like humans (e.g. pass the Turing Test, natural language processing); (3) systems that think rationally (e.g. logic solvers, inference, optimisation); and (4) systems that act rationally (e.g. intelligent software agents and embodied robots that achieve goals via perception, planning, etc)” (Russell / Norvig AI)
“information-processing technologies that integrate models and algorithms that produce a capacity to learn and to perform cognitive tasks leading to outcomes such as prediction and decision-making in material and virtual environments. AI systems are designed to operate with varying degrees of autonomy by means of knowledge modelling and representation and by exploiting data and calculating correlations. AI systems may include several methods, such as but not limited to: (i) machine learning, including deep learning and reinforcement learning; (ii) machine reasoning, including planning, scheduling, knowledge representation and reasoning, search, and optimization. AI systems can be used in cyber-physical systems, including the Internet of things, robotic systems, social robotics, and human-computer interfaces, which involve control, perception, the processing of data collected by sensors, and the operation of actuators in the environment in which AI systems work” (UNESCO Recommendation on ethics of AI).
“discipline concerned with the building of computer systems that perform tasks requiring intelligence when performed by humans” (ISO/IEC 39794-16:2021).
“capability to acquire, process, create and apply knowledge, held in the form of a model, to conduct one or more given tasks” (ISO/TR 5255-2:2023).
“capability of a functional unit to perform functions that are generally associated with human intelligence such as reasoning and learning” (ISO/IEC 2382:2015).
Indeed, there’s a whole plethora of literature on what is AI. While I don’t propose to dive into the literature, I’ve found that definitions tend to range from (broad to narrow in each case):
AI as a form of simulating intelligence (or even a form of intelligence itself) versus AI as only an algorithm.
AI as a field of science versus AI as an applied technology.
AI is not exclusive to machine learning versus AI is exclusive to machine learning.
Defining AI is tricky because it covers a wide and ever-changing range of technologies, from narrow predictive algorithms used in finance to large language models embedded in chatbots that can deliver human-like conversations.
In fact, AI historian Pamela McCorduck has described this as an "odd paradox" - i.e. as computer scientists find new and innovative solutions, computational techniques once considered AI lose the title as they become common and repetitive.
For example, expert systems (which emulate the decision-making processes through if-then-else logic statements) were once considered AI throughout the 1980/90s. Expert systems were an example of deterministic systems (i.e. the same inputs will always produce the same output).
But when machine learning came to the fore, it introduced the ability for computers to predict new data based on patterns in historical data (as opposed to calculating new data based on pre-coded logic/rules). Machine learning represented a form of ‘non-deterministic’ computing (i.e. the same inputs could produce different outputs) as a machine learning system could continuously refine its outputs over time by ingesting more historical data and developing a better approximation of patterns (without being explicitly programmed to do so).
This led to the impression that machine learning apps are ‘smarter’ (or more ‘intelligent’) than deterministic systems, which has since complicated the terminology around “AI”. Some see “AI” as exclusive to “machine learning”, while others still think “AI” covers other legacy deterministic systems (e.g. expert systems), which are now often known as “symbolic AI”.
No one knows who’s right.
So how should AI be defined under law?
Given the complexities around the terminology of AI, how should we go about defining AI for the purposes of regulation?
Obviously, there’s an earlier threshold question of whether AI should be regulated in the first place. I don’t propose to go into this (as it’s a whole topic in itself), and will assume for the sake of this article that AI regulation is a given premise. Nor will I go into what rules/obligations should be attached to any regulated AI.
This piece is purely about AI definition and terminology. And on that, here are some factors to consider:
💡 This question is more relevant for governments who are looking to regulate AI as a general technology (e.g. EU, Canada) rather than specific applications of AI (e.g. China). Obviously, the latter case is less complex because you can define the specific purpose and attributes of an AI application - for example, China has a law regulating recommendation algorithms (which is a specific application with a specific definition).
💡 We don’t necessarily need a settled definition of AI to create a legal definition of AI. Legal definitions only need to be clear enough to define the scope of the law, but don’t necessarily have to go all the way to capture the technical specifics/nuances of the subject matter. This might sound counter-intuitive so I’ll give a simple example. Imagine you’re trying to define the term “book” for a law related to publishing. A legal definition might be “a collection of printed or written pages bound together”, which is sufficient to establish the scope of the law. This definition doesn’t need to delve into the nuances of genres, literary styles, or binding techniques. It’s broad enough to cover all types of books, from novels to cookbooks, without getting lost in the specifics.
💡 A definition for AI will need to be precisely formulated in a way that strikes a balance between being sufficiently broad (to be future-proof) and sufficiently specific (so that it does not over-regulate all forms of machines, automation, or software). This balance is especially important in a broad sector-agnostic AI regulation where the scope and application of the regulation hinges upon a few blanket definitions that must be capable of being applied to a wide range of sectors and applications. The EU AI Act is one such example of a broad sector-agnostic AI regulation.
Case study - EU AI Act
The EU AI Act (Act) defines “AI system” as “machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”
I have already written my analysis of this definition in my article on the EU AI Act.
But in short, I thought that key phrases like “varying levels of autonomy” and “infers” were vague and it’s unclear how they would apply to ‘edge case’ symbolic AI applications that don’t necessarily use machine learning but still pose high risk decisions/outputs. I cited Robodebt as a case study (i.e. the Australian government’s failed automated debt recovery program) and questioned whether it would be caught under the AI Act’s definition.
My suggestion - the ‘lego’ approach
In my view, the better approach would be to re-structure the definitions in a hierarchical manner so that each definition cross-references or builds upon the previous definition…as if they were lego pieces that stack on top of each other.
Hence, why I called it the “lego” approach. Technically, the more proper word is “modular” but lego sounds more fun!
As to the question of what is AI, I propose a minimal framework of four core legal definitions:
“artificial intelligence”
“artificial intelligence system”
“artificial intelligence model”
“machine learning”
I don’t propose to rewrite definitions - in fact, I have reused/adapted existing definitions found in various ISO standards (which are generally well-accepted industry standards for AI risk and quality management).
But my approach might offer a way to reorganise these terms in a way that is both future-proof and clear enough to define the scope of the law yet with the least amount of risk of definitional overlap or conflation.
I think it’s a win-win-win - let me explain.
“artificial intelligence”
Suggested definition:
includes:
(a) machine learning; or
(b) any other engineered method or functionality that is designed to generate predictive outputs for a given set of objectives or parameters.
This definition has a notable two-limb setup which could offer the following advantages:
By cross-referring to both machine learning and symbolic AI methods, the definition covers the broad field of AI without delving into the theoretical complexities of what exactly is AI.
Limb (a) covers machine learning, which I don’t expect will be a contentious inclusion (rather, it’s whether machine learning is the sole category or a subset of AI that attracts debate). As the term “machine learning” will have its own definition (see below), the cross-reference to it ensures consistency and enables any updates to the “machine learning” definition to automatically carry over into this definition.
Limb (b) is intended to cover the symbolic AI cases which I don’t think should be categorically dismissed from being AI. The wording here is adapted from the corresponding definitions in ISO/IEC 22989:2022:
“engineered system that generates outputs such as content, forecasts, recommendations or decisions for a given set of human defined objectives”.
I’ve adapted the above ISO/IEC definition as follows:
Focused on “method or functionality” rather than “system” (since I’ll be distinguishing it from “system” - see next section).
Removed “human defined” qualifier before “objectives” to account for methods/functions that may be autonomously configured without human intervention.
Added the word “parameters” to cover concepts like metadata or weights in case the word “objectives” is limited to higher-level constructs.
Added the words “that is designed to” to ascribe an element of purpose to the method/functionality so that it doesn’t inadvertently cover all forms of software.
Replaced the examples “content, forecasts, recommendations or decisions” (which may create a misinterpretation of exhaustiveness) with the phrase “generate predictive outputs” which I think is the core characteristic of AI. Think about it - whether you’re using an expert system or machine learning algorithm, the output is some sort of prediction generated based on either hardcoded rules/logic (deterministic) or historic data (non-deterministic) respectively. Yet the wording in limb (b) doesn’t discriminate between deterministic or non-deterministic methods, making it flexible but not so broad that it would extend to all forms of software and machines.
Most importantly, I’ve framed “artificial intelligence” as a neutral term which is then referenced in the terms “artificial intelligence model” and “artificial intelligence system”. This could help ensure that regulation only applies to the development, deployment and use of AI, rather than the science or field of AI itself.
As to the distinction between AI model and AI system, this is like the distinction between an engine and a car. An engine powers the car but an engine is not the same as the car. Likewise, AI models power AI systems, but AI models are not synonymous with AI systems (e.g. GPT powers ChatGPT, but GPT is not ChatGPT).
By creating separate categories for model and system, we can allow for different substantive rules and obligations at the model and system layer respectively. This is because rules around AI models tend to focus on the technology itself while rules around AI systems tend to focus on the relevant purpose or use case. This is the structure adopted in the EU AI Act, so it’s a validated idea.
“artificial intelligence model”
Suggested definition:
means a model which implements artificial intelligence (but is not an artificial intelligence system).
I’ve kept it simple:
While the word “model” might seem to make this definition circular, I think there’s an advantage to keeping this word flexible. Unlike the term “artificial intelligence”, there seems to be more consensus on what is a model (or at least it’s easier to identify what is a model than what is AI). Even if there are varying interpretations, I don’t expect they will diverge beyond the idea of a model as a form of algorithm or program. At the same time, I’m inclined to avoid including synonyms like “algorithm” or “program” for the sake of limiting the amount of new terms in a definition.
The word “implements” acts as the causal link between model and “artificial intelligence”. I feel like the word “implements” has a stronger sense of directness and intention than the word “uses” (which could otherwise arguably capture indirect uses). Even if “implement” has a broader definition than I originally thought, at least the object of the sentence (i.e. “artificial intelligence”) itself is qualified to mitigate over-capture.
As expected, there’s the reference to the defined term “artificial intelligence” - see analysis from above.
The clarification carveout “(but is not an artificial intelligence system)” supports the model v system distinction.
“artificial intelligence system”
Suggested definition:
means an application or process which uses an artificial intelligence model to carry out a purpose or function for which the application or process was deployed.
The above wording is adapted from ISO/IEC/IEEE 29119-1:2022, with my tweaks as follows:
The word “application” is hopefully self-explanatory, suggesting an element of practical implementation.
I consider it worthwhile adding the alternative word “process” to capture not only technical processes, but also business or human operations and actions that surround the implementation of the technology. Remember, the scope of “artificial intelligence” is already qualified itself (see above) so I don’t expect the inclusion of “processes” here would disproportionately widen the scope of “AI systems”.
The word “uses” is the causal link. Compared to the word “implements” in the AI model definition, the word “uses” is softer and more neutral, intended to capture both direct and indirect use cases. Obviously, the indirect use cases can be uncertain (raising issues of remoteness), though this is where the next few words come in.
A reference to “artificial intelligence model” - see analysis from above.
The phrase “to carry out a purpose or function for which the application or process was deployed” is perhaps the most critical part of the definition - and admittedly one that I made up (so it’s not tested yet). The idea is that this phrase qualifies systems which rely on AI to carry out a primary purpose (e.g. a facial recognition system to detect suspects in camera footage) rather than systems which use AI for only an insignificant or incidental function (e.g. spam filter in email systems). In other words, this definition is a purpose-driven definition, which rightfully invites an analysis of the actual purpose/use case of the AI system.
The choice of the word “deployed” is deliberate. Perhaps this could have its own definition (e.g. “made available on market”), but the key point here is that the word “deploy” captures a sense of provision or implementation that would affect real life users (which is the point where the risks arise), whether it be B2C or B2B contexts. I could’ve inserted other words like “designed” and “developed” but such words don’t necessarily suggest a sense of implementation as well as “deployment”. I’m also concerned that words like “designed” and “developed” hinder innovation, especially when the word “deployed” might be enough. A competing alternative is “provided” (as used in the EU AI Act) but I feel like that word is arguably more broad and vague than “deployed”.
“machine learning”
Suggested definition:
is a method whereby a machine derives patterns or inferences from data to generate predictive outputs without being explicitly programmed to do so.
I have adapted this wording from ISO/IEC 22989:2022.
The key phrase is “without being explicitly programmed to do so”. Despite the complexities around defining AI, the above phrase is used consistently and recurrently in the context of machine learning (having originated from early machine learning pioneer Arthur Samuel in 1959).
This wording also puts the focus on the process of finding patterns rather than the patterns themselves. This is consistent with other established definitions.
For example, ISO/IEC 2382:2015 defines “machine learning” as “process by which a functional unit improves its performance by acquiring new knowledge or skills, or by reorganizing existing knowledge or skills”.
What about other definitions?
Wait, only four definitions. That’s it?
What about terms like generative AI, large language model, foundation models, etc?
In the context of a broad sector-agnostic law, I query whether these terms are necessary and/or appropriate given that they are inherently technology-specific.
If the goal is to make the law flexible and future-proof, I suggest going for ‘definitions by purpose’.
In other words, instead of introducing new definitions for specific applications (unless there is strong policy rationale to include them), express an application through the purpose of an “AI system” or “AI model”. For example:
generative AI could be referenced as “artificial intelligence system that generates multi-media content”.
large language model could be referenced as “artificial intelligence model that processes or generates natural language text”.
Obviously, we have to be careful with the choice of words, but notice the lego building in play again. Having neutral terms like “AI system” or “AI model” allows us to ‘define-by-purpose’ for more specific applications.
Concluding remarks
I don’t profess that my proposal above is the panacea to the whole “what is AI” debate. I’m also still trying to work out the best wording, and will likely revise my ideas over time.
But hopefully my modular lego-building rationale can inspire a new way of thinking for policymakers and/or standard drafters.
What do you think?
Disclaimer: This article is based on my personal views, and not representative of any organisation. This article is not intended to provide legal advice or to be a comprehensive guide or reference.