Change is happening quickly in the age of generative AI. About a year ago, I wrote a blog post describing Colorado’s new bill that seeks to regulate some uses of AI. Colorado is one of only a handful of states to seek to regulate the use of AI broadly, and it did so in a unique way. Like other states, the function of the law was basically to require developers to undertake a lot more safety testing for their models. I’m unabashedly in favor of that.
How Colorado’s Approach Differed From Other States
Colorado’s law was unique, though. Whereas California and New York headline laws took direct aim at the large frontier models like ChatGPT, Gemini, and Claude, Colorado’s law applied to all developers and deployers of AI to make consequential decisions. So, even though Colorado’s law was narrowly focused on discrimination whereas the other states were also concerned about existential threats posed by AI, Colorado’s bill actually would have had a more powerful effect because it would require all developers (who build AI systems) and deployers (who use it) to undertake testing and safety research.
The new version of this law, repealed and reenacted as SB 26-189, largely preserves the incentives set up by the last bill and might actually even make them stronger. Both bills claim they do not create a new private right of action, saying that enforcement is up to the Colorado Attorney General. But, the new version now specifically states that a developer or deployer “may be held liable in an action alleging unlawful discrimination under state anti-discrimination laws” arising from a consequential decision materially influenced by a covered automated decision making technology.
Since individuals do have a private right of action under state anti-discrimination laws, I wonder if this might function to actually create a shadow personal cause of action indirectly. If so, this might actually make the incentives to test generative AI for bias even stronger, as the scope of possibility liability is broader. This reading is strengthened by sections of the new law that explain developers and deployers are only liable for their relative fault. That is, if an AI tool discriminates against employees, the employer and the software developer may both be liable to the extent of how much they contributed to the problem. They’re not both automatically fully responsible. However, contract provisions purporting to indemnify liability for a party’s own discrimination are now void as against public policy if they’re in a contract involving provision of automated decision making services.
On the other hand, this new bill could be read to merely say that the use of AI is not a defense to discrimination and the use of AI to discriminate was already actionable. If that’s true, then this section doesn’t add much more pressure to conduct safety testing that didn’t already exist.
Where the New Bill Pulls Back
In other ways, though, the law clearly seeks to lower the pressure on developers and deployers. The old bill applied to consequential decisions regarding provision of services in many high-risk fields, including “legal services.” These categories have been refined in the new bill as a list of “covered domains,” and now legal services is out. Potentially a disturbing development if you’re worried about government agencies and judges making decisions using AI, but a welcome change if you think consumers can use AI to advance access to justice.
The list of exclusions from what kind of system is covered has changed. Now called “Automated Decision Making Technology” ADMT instead of “AI,” the new bill excludes more forms of traditional software. It also seems to build a bit of a “human in the loop” safety net to many of its provisions. Tools used solely to summarize, organize, translate, draft, route or present information for human review are now excluded, as are chat bots that are not used to make consequential decisions and are subject to an acceptable use policy. In other words, if a deployer only uses AI tools internally to help their own workflow or a customer chatbot that’s only there to provide information and a human makes the final decisions that allegedly isn’t meaningfully altered by what the AI produces, they can argue they do not fall within the new law. Since AI is vastly used in these roles, this seemingly weakens the incentive for comprehensive safety testing.
Raising the Bar for Triggering Regulation
Finally, the new bill changes the language surrounding how much an AI or other automated system has to contribute to a “consequential decision” before it triggers regulation. The old law covered any AI system that “makes, or is a substantial factor in making” a consequential decision. All a system had to do in order to be a “substantial factor” was to “assist” in making the decision and be capable of affecting the outcome. But, the new bill covered systems that “materially influence a consequential decision.” “Materially influence” is defined to mean that the output of the system is a non-de minimis factor and meaningfully alters how the decision was made. Once again, this seems to invite deployers to claim there is always a human in the loop and avoid any safety regulations.
In several places, the new law seems to give a pass to AI systems – even powerful models that have not yet been tested for safety – so long as the developer says it is designed for a human to oversee the tool and so long as deployers claim there is a human in the loop. To be sure, the idea of a human in the loop is a good one. But, I’m skeptical that it is a workable rule for a few reasons.
First, AI tools are useful precisely when they expand the capabilities of the user. You don’t use an AI tool to do something you could already do yourself easily. You use it to do more than you had time to do previously; to multitask; to scale; or to do things that were previously beyond your capabilities. The more useful the AI tool is to the user, the less capable the user is of meaningful oversight, nearly by definition. The law does point to certain requirements designed to ensure the human in the loop is exercising real control, such as having authority to override, not defaulting to system output, and so on. But, these seem like the sort of things that are easy to write in an employee handbook and very hard to monitor day to day.
Second, I suspect human nature works against the idea of a human in the loop. If an AI tool provides quality results and gets the job done almost all of the time, humans will surrender their judgment to the tool. It will be easier and, when the tool is acting properly, probably is the correct decision from an efficiency standpoint. Anyone who is supposed to be the human in the loop supervising an AI tool will face extremely strong incentives to shirk this responsibility. The AI is producing good work, so why not sleep in? Why bother re-reading all of those documents when you could be watching Netflix? And, this problem goes much deeper than just individual laziness. Companies also have an incentive to load up staff with workloads making it impossible for humans to meaningfully review everything in the name of increased efficiency.
A Step Back When We Needed a Step Forward
So, while the stealth private cause of action might prove me wrong, I suspect this new law removes much of the incentives that the last law did to encourage research into interpreting and understanding how large language models actually operate. That’s a shame. AI holds a lot of promise but also a lot of risk, and the most serious existential threats from AI are only going to be avoided if we develop a robust interpretability and control mechanism before the AI’s capabilities get too far advanced. I was encouraged that Colorado’s law was helping pull the breaks a bit on this, but this new law is easing off.