State Artificial Intelligence Policy Comprehensive Analysis PDF Free Download
1 / 52
/52
100%
State Artificial Intelligence Policy
1
Comprehensive Analysis
Jeffrey Sonnenfeld & Yale CELI Research Team [Stephen Henriques, Steven Tian, Gigi Hsu, Dan Kent, Delia Reyes,
Tate Lloyd, Amy Choi, Ash Duong, Raghav Chaudhary]*
January 2025
STRICTLY CONFIDENTIAL – PLEASE DO NOT FORWARD OR CITE
THIS DOCUMENT SHOULD NOT BE CONSIDERED AN OFFICIAL OPINION OR
STATEMENT BY YALE UNIVERSITY OR ITS AFFILIATED SCHOOLS
*The 9-person research team brings backgrounds in AI, entrepreneurship, computer science, engineering, public policy, auditing, finance, strategy, and regulation
The Yale CELI Research Team received invaluable support from leading experts in
the field, from academia to industry
2
David Siegel, Co-founder, Two Sigma; Board Member (Executive Committee), MIT; Ph.D., Computer Science, MIT
Matt McCooe, CEO, Connecticut Innovations
Logan Graham, Frontier Red Team Leader, Anthropic; Former Special Adviser to the Prime Minister on Science and Technology, United Kingdom;
Ph.D., Machine Learning, Oxford University
Josh Geballe, Senior Associate Provost for Entrepreneurship & Innovation, Yale University
Rachel Gretencord, Vice President of Research, AdvanceCT
Vineet Kumar, Associate Professor of Marketing, Yale School of Management; Ph.D., Industrial Administration, Carnegie Mellon University; with
expertise on Digital Technologies & AI
Beth Anne Helgason, Assistant Professor of Organizational Behavior, Yale School of Management; Ph.D., Organizational Behavior, London
Business School; focus on ethical challenges from innovation/entrepreneurship, including fraud, misinformation, human-algorithm collaboration
Vivek Wadhwa, Founder & CEO, Vionix Biosciences; Senior Research Associate, Labor and Work-life Program, Harvard Law School; Executive-
in-Residence/Adjunct Professor, Pratt School of Engineering, Duke University
Julián Posada, Assistant Professor of American Studies, Yale University; Visiting Scholar, Leventhal Center for Advanced Urbanism, MIT; Ph.D.,
Information Science, University of Toronto; focus on theories and methods from information science, sociology, and human-computer interaction
Executive Summary
3
Key Findings
•Four approaches to state AI-regulatory policy emerged in 2024: General AI Legislation (Colorado, California), Consumer Protection (Utah,
Massachusetts), Risk-Based (deep fakes), and Sectoral (healthcare)
•Looking back at 2024, specifically what passed (Colorado, Utah) and did not pass (California, Connecticut), provides an opportunity to learn about the
issues as defined by public interest groups (transparency, testing but burdensome) and business leaders (limited intervention but potential abuse)
•2025 is already promising to be a more active year, with the potential for even more sweeping AI regulatory legislation and executive action (e.g.,
Texas’ TRAIGA, New York’s AI-related layoffs disclosure)
•In addition, while self-regulation is not the long-term solution, leading AI companies have begun to embed their own safeguards – currently forming
the core of AI governance – but their efforts are fragmented and less effective because of it
•According to research by the US Chamber of Commerce, Connecticut small business adoption of AI leads the nation, meaning any AI regulation
will have an immediate tangible impact on the state
Recommendations
•Leverage existing legislation, such as consumer protections/unfair trade practices, intellectual property, data privacy, civil rights and other applicable
state laws, to protect against misuse and abuse of AI technologies
•Continue to advance “low-hanging fruit” legislation that will address harmful misuse and abuse and risky-use cases of AI (e.g., political/election
deepfakes, child sexual abuse material, property rights infringement)
•Establish a cross-sector task force to identify sector-specific regulations and/or guidance that provide use-case guidance for key state industries
and to identify actions that accelerate innovation and adoption, positioning Connecticut as a vanguard of AI-empowered technologies
•Designate members of the cross-sector task force (above) to consider potential regulations of high probability spill-over effects from more advanced
AI systems in coordination with other states and federal officials
•Partner with an economic development NGO to launch and oversee an AI testing “sandbox” and AI support hub for key state industries
4
Table of Contents
Review of Legislative Activity in 2023/2024 (pg. 3)
What to Expect in 2025 (pg. 20)
Implications for Connecticut in 2025 (pg. 29)
Appendix (pg. 42)
AI Policy State of Play: 2024
5
Nearly 700 bills were introduced across nearly
every state in US
Of those that made it to the floor, 519 failed to
pass or were vetoed
However, 113 were still adopted or enacted;
only two were sweeping general AI bills
© GeoNames, Microsoft, TomTom
Powered by Bing
1
19
Count of Enacted Legislation
Count of AI Laws Enacted by State
Sources: National Conference of State Legislatures
“In 2024, state lawmakers introduced hundreds of
AI policy proposals. Only a small fraction passed,
and of those, the vast majority were fairly anodyne,
such as creating protections for malicious deepfakes
or initiating state government committees to study
different aspects of AI policy.”
- Dean Woodley Ball, Research Fellow in AI & Progress
Project, George Mason University’s Mercatus Center
Four approaches to state AI-regulatory policy emerged in 2024
6
1. General AI Legislation – Sweeping regulation covering specific requirements and protocols that AI
model developers must follow (e.g., Colorado’s AI Bill, Utah Artificial Intelligence Policy Act)
2. Consumer Protection – Addressing risks to consumers, typically through explicating with laws or legal
opinions that AI systems are subject to the same consumer protections as other businesses (e.g.,
Massachusetts’ AG advisory, California’s AG recent dual-advisory)
3. Risk-Based – Addressing specific risks of AI such as deepfakes or someone unknowingly interacting
with an AI system (e.g., Florida: elections, child sexual abuse material or CSAM)
4. Sectoral – Regulating specific applications and sectors (e.g., Illinois focus on healthcare)
Regulation has also been supplemented in several ways:
•Standing up impact assessments, study councils, and government advisory bodies through
legislation
•Funding the development and build-up of AI expertise in their state through appropriations to specific
bodies, universities, education institutions, etc.
Sources: National Conference of State Legislatures
Deep dive to follow
1: General AI Legislation – The Utah AI Policy Act, a middle-of-the-road approach
7
Passed in 2024, the Utah AI Policy Act (UAIPA) can best be outlined in two sections:
1. Affirms use of an AI system is not a defense for violation of the state’s current consumer protection laws. Requires
disclosure of consumer engagement with AI technology, otherwise considered a violation of Utah’s consumer
protection laws :
•Proactive disclosure must occur in occupations which require a license or state certification to practice (e.g.,
accountants, architects, social workers, healthcare)
•Prompted disclosure (when asked by consumer) must occur with occupations which engage in activities
controlled by Utah Division of Consumer Protection, such as consumer sales, telemarketing
2. Mandates the further study of AI policy, encouraging testing and development of AI systems
•Creates the Office of Artificial Intelligence Policy to research the potential impacts of AI, evaluate current AI
policy, and make policy recommendations, as well as encourage the development of AI via newly established AI
Learning Laboratory Program
•Oversees temporary safe harbor protections for developers, allowing applicants to test AI systems in the
state within a limited scope while avoiding some regulatory restrictions
Notably, the legislature designed the UAIPA to automatically repeal in May 2025
Sources: Utah State Legislature
1: General AI Legislation – Beyond the Utah AI Policy Act
8
Utah also signed into law several other bills, covering many of the more common and less
controversial areas of AI regulation that states are implementing:
•UT HB 148, prohibits sexual deepfakes (amendment to include computer generated videos)
•UT HB 238, prohibits sexual deepfakes of children
•UT SB 66, prohibits fraudulent deepfakes (amendment to include generated depictions)
•UT SB 131, prohibits political deepfakes
•UT SB 231, establishes illegality of government biometric surveillance
Sources: Utah State Legislature
1: General AI Legislation – Colorado Artificial Intelligence Act, a more aggressive
approach (1/2)
9
Colorado Governor Polis signed [“with reservations”] into law the Colorado Artificial Intelligence Act (CAIA) to regulate the
development, deployment, and use of certain AI systems – to take effect February 2026
Protects against “high-risk” AI systems that make or substantially help to make “consequential decisions” regarding
humans, including decision to provide or deny education, employment, lending, government services, health care, housing,
insurance, or legal services
Imposes general duty of “reasonable care” for developers and deployers from any known or “reasonably foreseeable”
risks of algorithmic discrimination, whereby:
•Developers are required to make certain disclosures and documentation available to deployers, the state attorney general
and the public (e.g., known risks, training data)
•Deployers will be required to implement a risk management policy and program, complete an impact assessment of the
system and comply with several other new regulations, such as an annual review for algorithmic discrimination; must also
provide disclosures ahead of a “consequential decision”
•Exemption: Deployers with fewer than 50 employees that do not use their own information or data to train the AI
Continued on next page
Sources: Colorado State Legislature
1: General AI Legislation – Colorado Artificial Intelligence Act, a more aggressive
approach (2/2)
10
In addition, the act requires that individuals be informed of a statutory right to opt out from having their personal data
processed (granted by the Colorado Privacy Act)
Provides certain rights to individuals including:
•Explanation of an adverse consequential decision
• Right to correct any information
• Right to appeal the matter for human review
Enforced exclusively by the Colorado Attorney General when deemed to be an unfair trade practice under the Colorado
Consumer Protection Act, with penalties of up to $20,000 per violation
Offers affirmative defense if violations cured through own means or with sought-after feedback from users, if in
compliance with latest AI Risk Management Framework by the National Institute of Standards and Technology
Colorado Governor Jared Polis issued a strong statement “with reservations” after signing the law and urged lawmakers
to work with industry to make changes that strike a balance between consumer protection and spurring innovation
Sources: Colorado State Legislature
2: Consumer Protection – States are also emphasizing their power to regulate AI
under existing laws without new legislation
11
A. Massachusetts Attorney General Campbell issued an advisory in April 2024 clarifying the state’s
consumer protection law extends to abuses of AI
B. Texas Attorney General Paxton launched a data privacy and security initiative to protect consumers
from illegal exploitation by tech, AI, and other companies
C. California issued two separate legal advisories – consumer, privacy, and civil rights & AI-use in
healthcare – on January 13 affirming that AI is subject to existing laws
D. Utah’s legislature passed an AI-focused consumer protection bill – Artificial Intelligence Policy Act –
disallowing companies from blaming GenAI for violations [see prior pages]
Deep dive to follow
2A: Consumer Protection – The Massachusetts advisory provided examples of AI
abuse which consumer protection laws prohibit
13
Source: Massachusetts Attorney General’s Office
2B: Consumer Protection – Texas’ Attorney General launched a data privacy and
security initiative to protect against exploitation by technology and AI
14
Attorney General Paxton has signaled the intent of his office to vigorously enforce state privacy and consumer
protection laws
Like many other states, the Texas Consumer Protection Act makes it unlawful to engage in “false, misleading, or
deceptive acts or practices in the conduct of any trade or commerce”
Paxton’s office recently launched an investigation into a healthcare technology company using AI alleging the
company violated the Texas Deceptive Trade Practices – Consumer Protection Act after making false and misleading
statements to hospitals about the accuracy of its generative AI hallucination rates
Specifically, the Texas Attorney General asserted that claims by the company stating its generative AI was “highly
accurate” with an error rate of less than 1 per 100,000 were inaccurate and may have misled hospital customers about
the accuracy and safety of the product
A settlement with the company was reached in September 2024 whereby the company would adhere to an Assurance
of Voluntary Compliance for five years
Source: Texas Attorney General’s Office, Orrick, Quarles
2C: Consumer Protection – California’s Attorney General issued two advisories
affirming AI is subject to existing consumer, privacy, and civil rights laws, in
addition to healthcare protections
15
California Attorney General Rob Bonta issued two separate legal advisories on January 13 reaffirming that
AI is already subject to existing laws
•AI Must Comply With Consumer, Privacy, and Civil Rights Laws – AI-driven decisions in hiring,
lending, healthcare, and advertising are not exempt from anti-discrimination and privacy laws, the first
advisory says. If AI systems generate biased, deceptive, or harmful outcomes, businesses can be held
liable
•AI Use in Healthcare – An industry-focused advisory targets AI-driven healthcare decisions, stating that
insurers and providers cannot use AI to deny care, override doctors, or impose discriminatory barriers to
healthcare access
Source: California Office of the Attorney General, Fisher Phillips
2: Consumer Protection – Federal regulatory agencies have also emphasized their
power to regulate AI under existing laws
16
•FTC asserted authority to regulate AI under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in
or affecting commerce”. The FTC is focused on 1) marketing AI products or services in a way that overpromises to
consumers as a deceptive or unfair practice; 2) any publicly facing claims or representations about how it uses AI must not
be false or misleading; 3) holding companies accountable for an alleged lack of transparency with consumers about their
use of AI, especially when an individual's privacy rights are implicated; and 4) discriminatory “acts” by AI, including the
misuse of biometric information
•Securities & Exchange Commission invoked authority over ‘false and misleading statements’ made in SEC filings; for
example, SEC charged two investment advisers with “making false and misleading statements about their use of AI”—a
practice known as “AI washing”—and in June 2024, filed an action in the Southern District of NY charging the former CEO of
a company with securities fraud arising from representations about its platform's use of AI, algorithms, and machine learning
•Consumer Financial Protection Bureau issued a joint statement in April 2023 pledging to use their existing authority to
combat AI-based bias and discrimination in their respective regulatory domains
•Equal Employment Opportunity Commission has also issued technical guidance on how AI’s use in hiring and evaluating
employees could be affected by anti-discrimination law requirements
Source: SEC, Bloomberg Law
3: Risk-based – A “menu” of targeted protections against AI misuse and abuse (1/2)
17
•Appropriations: Funding for AI-focused programs, studies
•Audit: Evaluation of how the use of AI is functioning
•Child Pornography: Prohibits the use of AI to create or
generate pornographic images of children or
representations of children
•Criminal Use: Use of AI as an element or in the
commission of a crime
•Cybersecurity: Use of AI in cyberattacks or to assist in
bolstering cybersecurity efforts
•Education/Training: Education or training programs to
develop skills or knowledge in AI
•Education Use: Use of AI by K-12 and other educational
institutions, including use in instruction and use by students
•Effect on Labor/Employment: Effect of AI on the
workforce, type, quality and number of jobs and labor
•Elections: Use of AI in processing election results and
campaign materials
•Government Use: Use of AI by government agencies and
law enforcement
•Health Use: Use of AI in health care or by health care
professionals
•Housing: Use of AI and automated decision-making in
setting rent and other housing decisions
•Impact Assessment: Required documentation of risk-
based evaluation for an automated decision tool or AI tool
Continued on next page
The National Conference of State Legislatures developed a robust categorization of risk-based AI legislation that has been
passed in the prior two years…
Sources: National Conference of State Legislatures
3: Risk-based – A “menu” of targeted protections against AI misuse and abuse (2/2)
18
•Intellectual Property: Assigns property right in use of
name, image, voice, or likeness
•Judicial Use: Use of AI in judicial proceedings, including
evidentiary rules, and by legal professionals
•Notification: Informs consumers or employees of potential
interaction with AI tools
•Oversight/Governance: Requires an office or agency to
oversee the use of AI and ensure its responsible use
•Personhood: Determines whether AI can be considered a
person with all rights associated to an individual
•Private Right of Action: Provisions that grant individuals a
private right of action as a legal remedy
•Private Sector Use: Use of AI by private sector
businesses and organizations
•Provenance: Requires disclosure of data sources to train
AI systems and mechanisms, like watermarking and
disclosures
•Responsible Use: Prohibits use of AI tools that contribute
to any type of algorithmic discrimination, unjustified
differential treatment, or impacts disfavoring people based
on classifications protected by state laws
•Studies: Requires study of AI issues or creates a task
force, advisory body, commission or other regulatory,
advisory or oversight entity
•Taxes: Provides tax benefits related to AI
[Cont.] The National Conference of State Legislatures developed a robust categorization of risk-based AI legislation that has
been passed in the prior two years…
Sources: National Conference of State Legislatures
19
Categories of Legislation, 2024 States State Count
Appropriations* CT, IA, MA, MD, MI, NC, NJ, OR, SC, WA, WY 11
Child Sexual Abuse Material* AL, CA, CT, IA, ID, IL, KY, NC, OK, PA, SD, TN, UT, VA, WI 15
Criminal Use AL, CA, IN, NC, PA, SD 6
Cybersecurity Use CA 1
Deepfakes AL, CA, DE, ID, IL, LA, MS, TN, UT, WA 10
Education Use* CA, CT, FL, IA, LA, MD, MI, NE, NY, OR, SC, TN, VA, WV, WY 15
Education/Training IA, NJ, SC, UT, WA 5
Effect on Labor/Employment CA, IL, MD, NJ, OR, UT, WA 7
Election Protections* AL, AZ, CA, CO, DE, FL, HI, ID, IN, LA, NH, NM, NY, MD, MI, MN, OR, UT, WI 19
Government Use* CA, DE, FL, HI, IN, LA, MA, MD, NH, NY, PA, TN, UT, VA, WA, WV 16
Health Use* CA, FL, HI, IL, MD, NC, NE, NY, PA, WA, WV 11
Impact Assessment CO, MD, NY, VA, WA 5
Judicial Use NY 1
Notification CA, CO, FL, UT 4
Oversight/Governance FL, MD, NY, UT 4
Personhood UT 1
Private Sector Use* CA, FL, IL, MD, MA, NY, PA, SC, UT, WA, WV 11
Provenance CA, FL, WA 3
Responsible Use* CA, CO, FL, IL, LA, MD, NJ, NH, PA, VA, WA 11
Studies* CA, CO, DE, FL, IL, IN, LA, MA, MD, NC, OR, PA, TN, WA, WV 15
*Most common regulatory themes
3: Risk-based –
Several regulatory
themes were common
among passed state
legislation, namely:
• Appropriations
•Child Sexual Abuse
•Education Use
•Election Protections
•Government Use
• Health Use
• Private Sector Use
•Responsible Use
•Studies by Committee
Sources: National Conference of State Legislatures
3: Risk-based – Examples of enacted state legislation
20
Tennessee (H 2091) – Ensuring Likeness, Voice and Image Security Act of 2024 – Provides every individual has a property
right in the use of that individuals name, photograph, voice, or likeness in any medium in any manner; provides exclusive
right to commercial exploitation of the property rights is terminated…by an executor, assignee, heir, or devisee.
New Hampshire (H 1432) – Deepfakes – Establishes a cause of action for fraudulent use of deepfakes; provides that a person
is guilty of a Class B felony if the person knowingly creates, distributes, or presents any likeness in video, audio, or any
other media of an identifiable individual that constitutes a deepfake for certain purposes.
California (A 2655) – Defending Democracy from Deepfake Deception Act of 2024 – Prevents the online dissemination of
manipulated media and disinformation meant to deceive voters and to prevent voting
Oklahoma (H 3642) – Oklahoma Law on Obscenity and Child Pornography – Relates to any visual depiction of a child that
has been adapted, altered, or modified so that the child depicted appears to be engaged in any act of sexually explicit
conduct… regardless of whether the image is a depiction of an actual child, a computer-generated image, or an image altered.
California (S 926) – Crimes: Distribution of Intimate Images – Makes it a crime for a person to intentionally distribute or
cause to be distributed any photo realistic image, digital image…of an intimate body part or parts of another identifiable
person… depicted engaged in specified sexual acts…would cause a reasonable person to believe the image is authentic
Sources: Legislative information centers of Tennessee, New Hampshire, California, Oklahoma
Table of Contents
21
Review of Legislative Activity in 2023/2024 (pg. 3)
What to Expect in 2025 (pg. 20)
Implications for Connecticut in 2025 (pg. 29)
Appendix (pg. 42)
2025 is already promising to be a more active year, with the potential for even
more sweeping AI regulatory legislation and executive action
22
A deep dive into notable legislation for 2025 provided in the following pages
Deep Dive #1: Texas is already capturing attention for the 2025 legislative session
23
The Texas legislature is expected to take up the Texas Responsible AI Governance Act (TRAIGA) in the 2025 session. It builds upon the
Colorado AI Act and the EU AI Act and introduces key obligations for developers, deployers, and distributors (e.g., deepfakes, consumer
notifications, “reasonable care” provisions), but notable differences do exist that, in some instances, go even further than the two, such as:
•Broader Scope for High-Risk AI Systems: Covers systems that are a “contributing factor” in consequential decisions, with a broader
definition of such decisions (e.g., affecting access to transportation, criminal assessments, or electricity)
•New “Distributor” Responsibilities: “Distributors” must prevent algorithmic discrimination and may need to withdraw or recall non-compliant
systems
•Ban on Unacceptable Risk AI: Prohibits systems that manipulate behavior, engage in social scoring, infer sensitive attributes without
consent, or produce harmful deepfakes
•Generative AI Record-Keeping: Developers of generative AI must maintain detailed records of training datasets
•Expanded Reporting for Deployers: Deployers must notify authorities and consumers about algorithmic discrimination or inappropriate
outcomes, but developers have no such obligations
•Exemptions: Small businesses, research activities, and open-source developers with safeguards are exempt
•Enforcement: Grants enforcement powers to the Texas Attorney General, with provisions for civil penalties, injunctive relief, and limited
private rights of action
TRAIGA also includes an AI Regulatory Sandbox Program for testing AI systems under statutory exemptions, amends the Texas Data Privacy
& Security Act, an AI workforce grant program, and establishes an AI Council to provide guidance
Sources: Covington; National Law Review; Texas Responsible AI Governance Act
Deep Dive #2: Governor Hochul announced a new requirement for businesses to
report AI-related layoffs in her 2025 State of the State Address
24
“At the Governor’s direction, DOL will require businesses submitting
notices of worker layoffs to its Worker Adjustment and Retraining
Notification (WARN) system to convey whether a layoff is related to a
businesses’ use of AI. Any impacted worker will be able to access the
broad array of workforce training programs and supports offered by DOL
or local partners.”
- Governor Kathy Hochul, 2025 State of State Address
Source: NY 2025 State of State Book
Looking back at 2024, specifically Colorado, provides a comprehensive view of
the issues as defined by public interest groups…
25
A group of national and Colorado-based public interest organizations have voiced support for the existing provisions in the Colorado AI Act
(2024) calling it a welcome step in the right direction. They praise the:
•Broad definition of covered systems, making it harder for companies to evade the law
•Notice to consumers subjected to AI-driven decisions about the use and purpose of the system
•Impact assessments testing AI decision systems for discrimination risks and documenting decision processes
•Right to an explanation of the principal decisions and right to appeal decisions to a human
•Grant the Attorney General authority to issue rules interpreting and clarifying the law
However, those same advocates say more is needed and have recommended the Colorado law be strengthened, including:
•Build on existing civil rights protections by prohibiting the sale or use of discriminatory AI decision systems
•Expand transparency so consumers understand why companies use AI decision systems and what and how tools are used
•Require expanded testing of AI decision systems for validity and the risk of violating consumer protection, labor, civil rights, and others
•Eliminate loopholes that exclude consumers, workers, and companies from the protections and obligations, and overbroad rebuttable
presumptions and affirmative defenses that reduce accountability
•Grant consumers and local DAs the right to seek redress in court when companies fail to comply with the law
Source: Consumer Reports
…and as defined by technology and small business industry groups
26
On the other end, the US Chamber of Commerce and Chamber of Progress both issued strong warnings to Governor
Polis outlining the various risks associated with an unchecked regulatory agenda on emerging technology, including:
• Limit the ability of small business to compete against each other and larger counterparts [assumption: AI increases ability
of small businesses to compete]
•Place unnecessary burden of new regulations when AI technology is already covered by existing laws and regulations –
biased outcomes are problematic for developers, deployers, and end-users – recommend risk-based “gap-filling” approach
• Potentially increase litigation and compliance costs, particularly due to a patchwork of state technology laws
•Forced disclosure of essential business intelligence to competitors and customers
•Hampers innovation in a highly competitive domestic and international market
Source: Consumer Reports
Expert interviews suggested sector-specific, not generalized, regulation is
needed, and ongoing self-regulation should not be overlooked
27
In addition to what has been shared in the pages above, AI/technology experts emphasized a few other points
that are important to consider:
•Many organizations welcome government regulation. However, the type of regulation needed is not
generalized consumer protections – some citing expectations that existing consumer, privacy, and civil
rights laws apply – rather sector-specific guidance is where the real need exists
•It is in the best interest of companies using AI to ensure the technology provides fair, accurate, and
responsible outputs. Given the fast-paced advancements in AI, self-regulation, while not a panacea, is a
powerful force and necessity in the existing hyper-competitive environment…
While self-regulation is not the solution, leading AI companies have begun to
embed their own safeguards – currently forming the core of AI governance (1/2)
28
AI Risk Description Industry Response
Misuse and Abuse Publicly reporting domains of appropriate and inappropriate use
Prohibiting nonconsensual deepfakes and sexual deepfakes
Thorn’s Safety by Design for Generative AI: 3-Month Progress
Report on Civitai and Metaphysic (collaboration with All Tech Is
Human, Amazon, Anthropic, Civitai, Google, Meta, Metaphysic,
Microsoft, Mistral AI, OpenAI, and Stability AI), September 2024
Misinformation and
Disinformation
Developing and deploying mechanisms that enable users to
understand if content is AI-generated, including provenance or
watermarking. Disclose when AI is used to create content to influence
an election
OpenAI’s Influence and cyber operations (October 2024)
Anthropic’s US Election Readiness (October 2024)
Google’s How we’re increasing transparency for gen AI content with
the C2PA (September 2024)
Meta’s Our Approach to Labeling AI-Generated Content and
Manipulated Media (April 2024)
Meta’s More Speech and Fewer Mistakes (January 2025)
Bias and Discrimination Ensuring fairness with harmful bias managed Nvidia’s Trustworthy AI Principles on Privacy, Safety, Transparency,
and Nondiscrimination (March 2024)
Technical Vulnerabilities Ensure products are safe before introducing them to the public and
build systems that put security first, including internal and external red
teaming, information sharing, cybersecurity and insider threat
safeguards, third-party discovery, and reporting
Scale AI’s Responsible AI with Scale Evaluation for the Public Sector
(June 2024)
Privacy and Data
Protection
Consumer privacy protections, including profiling and automated
decision making
Abridge AI’s My Statement to the US Senate AI Insight Forum on
Privacy and Liability (November 2023)
Source: Risks from Figure 50 of REGULATING UNDER UNCERTAINTY: Governance Options for Generative AI by Stanford's Cyber Policy Center
While self-regulation is not the solution, leading AI companies have begun to
embed their own safeguards – currently forming the core of AI governance (2/2)
29
AI Risk Description Industry Response
Copyrights Training AI on copyrighted data to generate outputs with close
resemblance to existing works, potentially infringing on the copyright of
the original creators (e.g., images, text, videos)
Adobe’s A clarification on Adobe Terms of Use (June 2024)
Opacity Transparency, explainability and interpretability Anthropic’s Mapping the Mind of a Large Language Model
New Capabilities Safeguarding from dangerous or emergent capabilities, including the
potential for AI exacerbating CBRN (chemical, biological, radiological,
and nuclear) misuses
Anthropic’s The case for targeted regulation and Responsible
Scaling Policy update (October 2024)
Open-Source Models Some of the most powerful models are available to the public, known
as open-source models, to in effort democratize AI, but this raises
concerns, such as use by malicious actors for nefarious purposes, loss
of control and the consequential impact
Hugging Face, Irene Solaiman (Policy Director) gives nuanced
opinion on gradient release (May 2023)
Impact on Labor Market Understand AI’s impact on workers and how to support them in the
event of displacement
Microsoft’s The Golden Opportunity for American AI (Jan 2025)
Environmental Impact Understand potential for AI to improve electric grid infrastructure and
support development of AI tools
Google’s A new approach to data center and clean energy growth
(Dec 2024)
Source: Risks from Figure 50 of REGULATING UNDER UNCERTAINTY: Governance Options for Generative AI by Stanford's Cyber Policy Center
Table of Contents
30
Review of Legislative Activity in 2023/2024 (pg. 3)
What to Expect in 2025 (pg. 20)
Implications for Connecticut in 2025 (pg. 29)
Appendix (pg. 42)
31
Connecticut established an AI Working Group to develop recommendations for
potential legislation that would advance ethical and equitable AI use
Regulatory
•Explore methods to ensure transparency across different applications
(i.e., metrics, processes)
•Align any CT regulations to relevant global technical standards
•Establish a task force to align definitions, explore a voluntary pledge,
explore ways to grow other AI businesses
•Prevent deepfakes for election and non-consensual intimate images
•Prohibit models from training on child sexual abuse materials (CSAM)
•Designate a single point of contact for AI businesses within DECD
•Expand the study by CASE, with CT higher education institutions, to
determine paths for promoting AI innovation
•Create a permanent advisory committee composed of representatives
from industry, academic, and government
•Work with SDE, OPM to create model AI Use Policies for school districts
•Exempt AI used for scientific research for the common good from any
regulations
•Exempt open-source models contingent upon transparency requirements
Workforce Development
•Create Citizens AI Academy, including responsible use of AI
•Create certificates and badges for online Citizens AI
Academy (Charter Oak State College)
•Establish higher education certificate programs related to AI
in small business
•Create professional development for teachers (higher
education, SDE)
•Incorporate AI training into workforce programs (WIB, other
workforce agencies)
•Provide compute power to researchers and businesses
•Incentivize and grow AI business, starting with healthcare,
defense, and finance and assist all businesses with starting
their digital transformation
Government Use
•Explore government us of AI
Deep dive to follow
Source: Connecticut AI Working Group report
The Working Group conducted interviews with experts from academia to industry
32
Notable examples of topics covered by experts
“Focus on regulating risky use cases rather than the technology itself…a light regulatory touch in the early stages of AI development allows for
innovation”
- Arvind Krishna, CEO, IBM [pg. 31]
“Stressed importance of setting up frameworks and guardrails rather than focusing on regulating specific technologies, which evolve
rapidly…need accountability reports and disclosures about potential biases in AI systems…challenge lies in regulating AI's application in
significant life-altering domains while allowing benign uses in everyday technologies”
- Joseph Nguyen, State Senator, Washington (background: Microsoft, start-ups) [pg. 20]
“Inability to reach consensus on a definition for Automated Decision Systems led to the focus on prioritizing resources for systems with the
highest impact on individual rights and freedoms…underscores challenges in creating cohesive AI policy frameworks that balance innovation
with risk management and ethical considerations”
- Nick Stowe, Chief Technology Officer, Washington
“Emphasized role of industry in self-regulation and competition among leading industrialized nations to demonstrate AI leadership”
- Chloe Autio, independent AI policy and governance advisor [pg. 23]
“Explained Gen AI systems work by statistically predicting each subsequent word in a sentence based on vast amounts of training data…process
is not about having an understanding or opinion but about statistically deriving most likely next word or phrase” [i.e., about output, not process]
- Beth Tsai, Director of Policy for Gen AI, Google [pg. 17]
Source: Connecticut AI Working Group report
33
Deep Dive: Regulatory recommendations by the Working Group (1/3)
Recommendation Working Group Insights Yale CELI Analysis
Explore the importance of
transparency for different
applications and the
requirements metrics and
processes for ensuring
transparency in those cases
•Frameworks work if based on outcomes; industries
have specific functions for final deliverables
•Focus on guardrails is a must, as risks cannot be fully
understood at the beginning. Frameworks should be
developed to help businesses achieve minimum
levels of responsible development and deployment
•Companies can define risk processes following
government guidance and use AI in non-technical /
non-core processes
•Avoiding long lead times for newly required approvals
by government must be balanced with enforcement
•Evaluation of Assessment vs. Adversarial Testing of AI
systems – regulations must consider implications for
different types of companies and scope of AI tool
•In highly sensitive, emerging AI applications, a "human
in the loop" back-up option provides businesses and
consumers accountability and ensures proper oversight
“Licensing AI like an 'ingredient label’ for AI, offering users insight
into the functioning of AI algorithms, similar for toys and drugs” –
Senator Richard Blumenthal
“Focus on regulating risky use cases rather than the technology
…advocated for light regulatory touch in the early stages of AI
development to allow for innovation” – Arvind Krishna, CEO, IBM
“Algorithmic impact assessments, which are typically created
before a system's deployment and include details about the AI
system’s use case, context, and deployment” – Evi Fuelle & Ehrik
Aldana, Credo.AI
“Importance of setting up frameworks and guardrails rather than
focusing on regulating specific technologies, (…) particularly in
high-risk areas like sentencing and housing” – State Senator
Joseph Nguyen, Washington
“Algorithmic decision-making tools and their impact on
consequential decisions as housing, lending and employment” –
Assembly Member Rebecca Bauer-Kahan, California
“NIST AI Risk Management Framework: framing and prioritizing
risks, ensuring trustworthiness, and focusing on fairness,
explainability, and privacy enhancement” – Susan Frederick, Sr.
Federal Affairs Counsel, NCSL
Source: Connecticut AI Working Group report
34
Deep Dive: Regulatory recommendations by the Working Group (2/3)
Recommendation Working Group Insights Yale CELI Analysis
The importance of aligning any
CT regulations to relevant
global technical standards
•Regulation must preserve foundational protections
but be flexible enough to meet consumer expectations
(outcomes), capture economic benefits, and minimize
harm from a state-by-state policy patchwork
•A values-driven approach may be more practical in a
nascent technology, rather than one based on function
and data (still must adhere to data protection laws)
•Balancing data privacy and protection with data
access (for training) will be critical for some industries
“Focusing on the impact of AI rather than its technical details and
considering sector-specific approaches to AI regulation” – Susan
Frederick, Sr. Federal Affairs Counsel, NCSL
“Focus also on impact of AI on communities rather than rigid
definitions” – Assembly Member Rebecca Bauer-Kahan, California
“Policies that restrict data collection or limit the ability for
stakeholders to develop these best practices with overly punitive
liability regimes may inadvertently contribute to bias” – The App
Association, ACT Online
“[Example] Company is trying to buy hardware to initiate
development of AI tools in-house, which would allow for more
security and safety, but lack the necessary infrastructure. Their
plan was to start small and then scale. However, an effort to
obtain seed capital was unsuccessful” – CASE, 2024 Study
Source: Connecticut AI Working Group report
35
Deep Dive: Regulatory recommendations by the Working Group (3/3)
Recommendation Working Group Insights Yale CELI Analysis
Take steps to prevent deepfakes
for election and non-consensual
intimate images
Prohibit Models from recklessly
training on CSAM
•Addressing “low-hanging fruit” builds accountability
and encourages responsible deployment and training
•A government-sponsored “sandbox” can help
business test for bias before deployment and ensure
minimum requirements met in safer environment
•Multi-testing, or “red-teaming,” can be burdensome
on small business with limited resources
•Consider accountability of users harming other users
•While useful and needed, watermarks can be modified
Task force to align definitions,
explore a voluntary pledge,
explore ways to grow other AI
businesses in CT like financial
services
“Major AI companies implementing voluntary commitments for AI
transparency and security, highlighting pledges to share
information on AI vulnerabilities” – Susan Frederick, Sr. Federal
Affairs Counsel, NCSL
“The inability to reach a consensus on a definition for ADS led to
the focus…for systems with the highest impact on individual rights
and freedom” – Nick Stowe, Chief Technology Officer, Washington
“Building trust through mandatory transparency reporting, arguing
that voluntary commitments are insufficient for comprehensive risk
management in AI development and deployment” – Evi Fuelle &
Ehrik Aldana, Credo.AI
“AI tools are tested for discriminatory patterns before
deployment… including large corporations and small startups” –
Assembly Member Rebecca Bauer-Kahan, California
“Use of detection systems, like audio or image detection tech, and
use of watermarks and hashing to identify AI-generated content” –
Beth Tsai, Director of Policy for GenAI, Google
“Potential introduction of a bill mirroring the Child Online
Protection Act and amendments to Virginia's Data Privacy Act to
address AI development” – Delegate Michelle Maldonado, Virginia
•Reporting should be required for AI developers and
deployers to build transparency but must consider
degrees of reporting dependent on company size
•To achieve trust with public, while balancing proprietary
tech, government should work with business to
develop the standards for safety assessments
•Definitions are proving critical in AI regulation – for
instance, the definition of “high-risk” models in the EU
AI Act has been received unfavorably
•AI Governance terminology must also be defined
Source: Connecticut AI Working Group report
SB-2 – An Act Concerning Artificial Intelligence – was introduced in the 2024
legislative session, informed by the findings of the Working Group
36
While well intentioned in some cases, such as penalizing the use of AI deep-fake videos, SB-2 (An Act Concerning Artificial
Intelligence) also mandated that developers and deployers take “reasonable care to protect consumers from any known or
reasonably foreseeable risks of algorithmic discrimination”
These measures risked placing an unnecessary financial and legal burden on small- and mid-sized businesses hoping to
take advantage of the benefits provided by AI
Moreover, the bill risked placing Connecticut in an uncompetitive position for attracting entrepreneurs, start-ups, highly
skilled talent, and large business that are leading the globe in a critical and rapidly advancing technology
Thankfully never making it to the state house floor, SB-2’s failure was ill-fated from the start limited by the resources inherent
in the Connecticut AI Working Group. The Working Group had zero members representing the start-up/venture capital
community or small- and mid-sized business interests and overlooked many prominent experts in the field of AI who call
Connecticut home… Those gaps made themselves apparent in the Working Group report and the subsequent bill
A business-led task force could place Connecticut in a more proactive position for
balancing innovation and regulation
38
Rapid advancements in AI will undoubtedly require more attention from state and local government officials, particularly with
an absence of federal policy. However, the pace of innovation is moving too fast for government to go it alone. And while
leading companies are attempting to establish guardrails, their efforts are highly fragmented and ineffective
A state-organized consortium of business leaders representing companies, small and large, could be formed to not
only consider potential needs for regulation but also position Connecticut as a vanguard of AI-empowered technologies. Such
challenges and opportunities already exist and need to be addressed by such a task force, such as:
• How can sector-specific risk frameworks for larger-scale developers and deployers be crafted to not be overly burdensome?
•Could AI tools be developed by to efficiently and effectively conduct AI impact assessments for businesses of all sizes?
•What is the long-term path to environmental sustainability in AI, including for data centers?
•What actions could Connecticut take to reduce the barriers for AI-driven energy demands?
•How could Connecticut better leverage its strategic benefits to attract data center development?
•How do you train the talent of the future to not only be innovators using AI but be ethical while using it?
• What will be the disruptive technologies that define key industries in Connecticut? How could adoption be accelerated? Do
additional protections need to be put into effect?
From these experts, we heard a range of invaluable feedback
39
“The presentation mostly focuses on the “no new legislation angle” which is what we discussed at lunch; that, in my view, is
the appropriate approach” – David Siegel, Co-founder, Two Sigma
“It cannot be understated how even seemingly small increases in compliance burden have the potential to shift AI growth
out of CT and disadvantage our businesses” – Rachel Gretencord, Vice President of Research, AdvanceCT
“Texas has been doing a lot on risk, but Texas is also where the $500 billion Stargate program will happen” – Beth Anne
Helgason, Assistant Professor of Organizational Behavior, Yale School of Management
“Most of what is being passed in other states is nonsense, potentially harmful to businesses and government, without
doing good…we should let the tech unfold and see what the Federal government does, so we have greater clarity on whether
individual states should be passing any laws at all” – Matt McCooe, CEO, Connecticut Innovations
“Certain small and mid-size companies…aren’t sure how to apply AI in their business; assistance in this area could also be
helpful” – Rachel Gretencord, Vice President of Research, AdvanceCT
“What’s needed is a bold, adaptive vision that anticipates these challenges and ensures AI serves humanity equitably,
sustainably, and ethically” – Vivek Wadhwa, Founder & CEO, Vionix Biosciences
Those experts also advised that government should be focused on approaches
being used to accelerate development of the AI ecosystem in other states
40
Texas continues to benefit from a light-regulatory tough and expedited government processes for target industries. Most
recently, President Trump announced a $500 billion initiative, Project Stargate, with Sam Altman/OpenAI, Masayoshi
Son/Softbank, and Larry Ellison/Oracle, to accelerate advancements in AI, much of which is will benefit Texas
Texas, like other states, deploys a range of incentives to attract companies with leading in AI technology and the benefits
that follow them, including:
•Tax breaks: Offering sales and property tax exemptions on data center hardware and infrastructure purchases
•Utility discounts: Providing reduced electricity rates for data center operations
•Streamlined permitting: Simplifying the process of obtaining necessary permits to build data centers and power generation
•Land availability: Highlighting areas with ample land suitable for large-scale data center construction
•Access to reliable power: Promoting regions with robust power grids and low electricity costs, including new power plants
•Fiber optic connectivity: Emphasizing high-speed internet infrastructure to facilitate data transfer
•Skilled workforce development: Investing in training programs to create a local workforce qualified to support data center
operations
Source: Scout Cities, CSG Midwest, Texas Comptroller
Recommendations
41
•Leverage existing legislation, such as consumer protections/unfair trade practices, intellectual property, data
privacy, civil rights and other applicable state laws, to protect against misuse and abuse of AI technologies, via
an advisory opinion from the Attorney General’s Office and/or legislation in the current session
•Continue to advance “low-hanging fruit” legislation that will address harmful misuse and abuse and risky-
use cases of AI (e.g., political/election deepfakes, child sexual abuse material, property rights infringement)
•Establish a cross-sector task force to identify sector-specific regulations and/or guidance that provide use-
case guidance for key state industries and to identify actions that accelerate innovation and adoption,
positioning Connecticut as a vanguard of AI-empowered technologies
•Designate members of the cross-sector task force to consider potential regulations of high probability
spill-over effects from more advanced AI systems in coordination with other state and federal officials
•Partner with an economic development NGO to launch and oversee an AI testing “sandbox” and AI support
hub for key state industries
Table of Contents
42
Review of Legislative Activity in 2023/2024 (pg. 3)
What to Expect in 2025 (pg. 20)
Implications for Connecticut in 2025 (pg. 29)
Appendix (pg. 42)
Summary of Connecticut’s CUTPA
43
•Connecticut has one of the most expansive consumer protection laws in the nation through CUTPA.
•The Connecticut Unfair Trade Practices Act (CUTPA) is a state law that protects consumers,
businesses, and the public from unfair or deceptive acts or practices in commerce. Enacted in 1973,
it provides broad protections and is modeled after the Federal Trade Commission Act. CUTPA
applies to all individuals, corporations, and entities engaged in trade or commerce in Connecticut.
•CUTPA allows individuals, businesses, and even the state to file lawsuits against violators. The
Connecticut Department of Consumer Protection (DCP) and the Attorney General have the
authority to investigate and enforce CUTPA violations. Private parties also have the right to bring
lawsuits independently.
How Connecticut, The Plaintiffs’ Bar, And Courts Have Interpreted CUTPA
44
The courts use a three-part test (based on the Federal Trade Commission guidelines) to determine if a
practice is unfair:
1. The practice offends public policy.
2. The practice is immoral, unethical, oppressive, or unscrupulous.
3. The practice causes substantial injury to consumers, competitors, or other businesses.
CUTPA’s definition of "unfair or deceptive" is flexible and broad. This broad interpretation allows courts
to address emerging or novel unfair practices without requiring new legislation. For example,
Connecticut courts have applied CUTPA against the gun manufacturer Remington following the Sandy
Hook massacre, and against Alex Jones/Infowars for his lies about the massacre.
Biden
Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
sought to ensure AI was safely, equitably, and democratically developed
45
President Biden's Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, issued on October 30, 2023 [rescinded by Trump
administration], establishes a comprehensive framework to regulate and guide the development and use of artificial intelligence (AI) in the United
States. Its main objectives are to ensure AI technologies are safe, equitable, and aligned with democratic values while fostering innovation and
protecting national security. Here are the key highlights:
1. AI Safety and Standards: Agencies, including the National Institute of Standards and Technology (NIST), are tasked with creating robust
testing and evaluation protocols to mitigate AI risks. This includes "red-teaming" to assess generative AI and other dual-use technologies.
2. Privacy and Civil Rights: The order emphasizes protecting personal privacy and civil liberties, particularly in AI applications involving data
collection, facial recognition, and decision-making in areas like criminal justice and credit scoring.
3. Economic and Labor Impacts: It prioritizes studying AI’s impact on the labor market, supporting workforce retraining, and addressing
potential inequities exacerbated by AI technologies.
4. Content Authentication: The Department of Commerce is directed to develop guidelines for watermarking and labeling AI-generated content
to combat misinformation and ensure transparency.
5. Government AI Use: Federal agencies are to lead by example in ethical AI adoption, ensuring their use of AI adheres to the same principles
of accountability and security.
6. Global Leadership: The order positions the U.S. as a leader in international AI governance by promoting global standards and collaboration
with other nations.
7. Research and Innovation: Investments in AI research, development, and education aim to support U.S. competitiveness while managing
risks associated with emerging AI technologies.
A helpful scorecard of administration accomplishments in 2024 can be found here and may be a valuable resource
Source: White House
The NIST AI Risk Management Framework was created in partnership with
industry to guide private organizations but can been helpful to government
46
In 2023, the Biden Administration issued the “Executive Order on Safe, Secure, and Trustworthy Development and Use of
Artificial Intelligence” which sought to establish a comprehensive framework to regulate and guide the development and use of
AI in the U.S., while still promoting innovation to maintain competitive edge on global stage [see appendix for more details]
As a part of the EO, the National Institute of Standards and Technology (NIST) was directed to develop safety and risk
management frameworks with input from industry-leading AI companies
NIST released the AI Risk Management Framework (version 1.0) soon after for the voluntary use of organizations “to improve
the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products,
services, and systems.” The Framework consists of four core functions map, measure, manage and govern
Of particular interest are the “Manage” and "Govern" functions within the Framework [see appendix for more details]
•Manage emphasizes an active and iterative approach to handling AI risks, ensuring that organizations can address
challenges effectively while maintaining trust and achieving their AI-related goals
•Govern establishes a structured and proactive approach to AI risk management, ensuring that organizations maintain
consistent and sustainable practices while adapting to evolving technologies and societal expectations
The Framework has received praise from industry leaders…
Source: National Institute of Standards and Technology, US Senate
Key elements of “Manage" function – NIST AI Risk Management Framework (1/3)
47
1. Risk Mitigation Strategies:
a) Identifying and implementing measures to reduce or eliminate risks associated with AI systems.
b) Prioritizing mitigation actions based on the severity and likelihood of risks, as well as their potential impact.
2. Operational Risk Controls:
a) Establishing controls and safeguards to ensure the AI system operates as intended and does not cause harm.
b) Regularly updating and refining these controls based on system performance and environmental changes.
3. Incident Response Planning:
a) Developing and maintaining a response plan to address incidents or failures, such as system malfunctions or
adversarial attacks.
b) Ensuring the organization is prepared to respond quickly to mitigate potential damages and recover operations.
4. Monitoring and Assessment:
a) Continuously monitoring AI systems to detect new risks, unintended outcomes, or deviations from expected behavior.
b) Employing tools and methods to assess the effectiveness of risk management actions over time.
Source: National Institute of Standards and Technology
Key elements of “Manage" function – NIST AI Risk Management Framework (2/3)
48
5. Feedback Mechanisms:
a) Implementing feedback loops to incorporate insights from monitoring, audits, and stakeholder input into ongoing risk
management efforts.
b) Using feedback to refine models, update policies, and improve system trustworthiness.
6. Alignment with Goals and Policies:
a) Ensuring that risk management activities align with the organization's broader objectives, ethical principles, and
governance policies.
b) Maintaining consistency between risk management practices and the organization’s risk appetite.
7. Documentation and Communication:
a) Documenting risk management activities, decisions, and outcomes to provide a clear record for accountability and
learning.
b) Communicating risk management processes and outcomes to stakeholders, including leadership, technical teams, and
external parties.
Source: National Institute of Standards and Technology
Key elements of “Manage" function – NIST AI Risk Management Framework (3/3)
49
8. Adaptability and Responsiveness:
a) Being prepared to adapt risk management strategies as new risks emerge or as external conditions change.
b) Ensuring flexibility in managing risks across diverse use cases and system contexts.
9. Collaboration and Coordination:
a) Promoting collaboration across organizational units, including technical, legal, and operational teams, to ensure
comprehensive risk management.
b) Engaging with external stakeholders, such as regulators and partners, to align risk management practices.
Source: National Institute of Standards and Technology
Key elements of "Govern" function – NIST AI Risk Management Framework (1/2)
50
1. Policy Development:
a) Establishing clear organizational policies for AI system design, development, and deployment.
b) Aligning policies with ethical principles, regulatory requirements, and organizational goals.
c) Incorporating guidelines to address trustworthiness characteristics like fairness, accountability, privacy, and security.
2. Roles and Responsibilities:
a) Defining and assigning roles and responsibilities for AI governance and risk management.
b) Ensuring accountability across all levels of the organization, from leadership to technical teams.
3. Risk Framework Integration:
a) Embedding AI-specific risk management practices into broader organizational risk frameworks.
b) Continuously updating processes to reflect new insights, risks, and technological advancements.
4. Transparency and Documentation:
a) Maintaining detailed documentation of AI systems, including their design, training, and operational processes.
b) Promoting transparency by making documentation accessible to relevant stakeholders.
Continued on next page
Source: National Institute of Standards and Technology
Key elements of "Govern" function – NIST AI Risk Management Framework (2/2)
51
5. Stakeholder Engagement:
a) Actively engaging internal and external stakeholders to gather diverse perspectives on potential risks and impacts.
b) Incorporating stakeholder feedback into risk management strategies.
6. Monitoring and Feedback Loops:
a) Implementing mechanisms for ongoing monitoring of AI systems to identify and mitigate emerging risks.
b) Establishing feedback loops to continuously improve policies and processes.
7. Education and Training:
a) Providing regular training to employees on AI governance, risk management, and ethical considerations.
b) Raising awareness about the importance of trustworthiness in AI systems.
8. Resource Allocation:
a) Allocating sufficient resources, including expertise, technology, and funding, to support risk management activities.
b) Prioritizing resources for high-impact or high-risk AI systems.
9. Compliance and Auditing:
a) Conducting regular internal and external audits to ensure compliance with policies and regulations.
b) Adopting standards and certifications that align with the organization’s risk management objectives.
Source: National Institute of Standards and Technology
52
State Artificial Intelligence Policy
Comprehensive Analysis
Jeffrey Sonnenfeld & Yale CELI Research Team [Stephen Henriques, Steven Tian, Gigi Hsu, Dan Kent, Delia
Reyes, Tate Lloyd, Amy Choi, Ash Duong, Raghav Chaudhary]*
January 2025
*The 9-person research team brings backgrounds in AI, entrepreneurship, computer science, engineering, public policy, auditing, finance, strategy, and regulation
