Overview of the Executive Order and OMB Memorandum

On October 30, 2023, President Joe Biden signed the much-anticipated Executive Order on Safe, Secure and Trustworthy Artificial Intelligence (AI). The Executive Order is part of the White House’s strategy for responsible innovation and is built upon existing non-binding frameworks and initiatives like the AI Bill of Rights, the National Institute of Standards and Technology’s AI Risk Management Framework and the Voluntary Commitments from Leading AI Companies to Manage the Risks Posed by AI. The Executive Order is wide-ranging in scope and will likely impact stakeholders across various industries in the private sector who do business with federal agencies. 

The Executive Order mandates certain actions for federal agencies and incorporates certain core principles that have been featured in draft AI regulations and existing frameworks to promote responsible and effective use of AI technologies. Those principles include transparency and accuracy, safety and security, prevention of discrimination and unintended bias, protection of privacy and personal data, and promotion of innovation and competition. 

After the Executive Order was issued, the Office of Management and Budget (OMB) released for comment a draft memorandum titled Advancing Governance, Innovation and Risk Management for Agency Use of AI. The memorandum mandates a set of minimum evaluation, monitoring and risk mitigation practices that are largely based upon the AI Bill of Rights and AI Risk Management Framework, and which are tailored for federal agencies. The comment period is through December 5, 2023. As mandated by the Executive Order, after the draft memorandum is finalized, OMB will be tasked with developing a process to ensure that all federal contracts comply with its requirements. 

The scope of the OMB memorandum is “to address risks specifically arising from the use of AI, as well as governance and innovation issues that are directly tied to agencies’ use of AI.” The AI covered by it includes “new and existing AI that is developed, used, or procured by or on behalf of covered agencies.” 

The Executive Order requires that the federal agencies designate a Chief AI Officer (CAIO) within 60 days from the date the memorandum is issued. The memorandum details the CAIO’s responsibilities and duties. It sets forth requirements for agencies to convene AI Governance Bodies, submit and post publicly the agency’s AI Compliance Plans and submit an inventory of AI use cases unless exempted. 

The memorandum defines AI that is presumed to be safety-impacting or rights-impacting and contains numerous examples of AI that falls within those definitions. It also outlines minimum practices that are required before agencies use new or existing AI that is either safety-impacting or rights-impacting, including but not limited to, 

• Completing an AI impact assessment; 
• Conducting ongoing monitoring and establishing thresholds for period human review; 
• Providing appropriate human consideration as part of decisions that pose high risks to rights or safety; and 
• Providing public notice and plain-language documentation through the AI use case inventory. 

There are additional minimum practices for rights-impacting AI, which include taking steps to ensure that AI will advance equity, dignity and fairness, consulting and incorporating feedback from affected groups, conducting ongoing monitoring and AI mitigation for AI-enabled discrimination, notifying negatively affected individuals, maintaining human considerations and remedy processes, and maintaining an opt-out where practicable.

Privacy Provisions

One of the core principles emphasized in the Executive Order and throughout the accompanying OMB memorandum is the protection of personal data. The Executive Order calls on Congress to pass national data privacy legislation. And, as federal agencies implement the memorandum’s requirements, they will be required to evaluate how they collect and use commercially available information, including information procured from data brokers. Federal agencies are also directed to strengthen privacy guidance to account for AI risks. Further, there is a focus on the development and use of privacy-preserving techniques that would allow training of AI systems while preserving the privacy of the training data. 

Protection of personal data and compliance with applicable privacy statutes and regulations is an important consideration for any actor who is developing or implementing AI. It involves a comprehensive understanding of the data that is being used within the AI system, including who owns the data, whether it contains protected personal information or personal health information, how the data was collected and any restrictions on its use. That in turns requires careful consideration of consents, disclosures and authorizations, as well as vendor contracts and applicable data privacy laws. For example, there may need to be specific restrictions placed on the unauthorized use and disclosure of data used or prohibitions on the use of data by third-party vendors in subsequent training of AI products and services.

Conclusion

The Executive Order and OMB memorandum provide insights into how the federal government is approaching AI regulation. Although not directly binding on the private sector, the Executive Order and OMB requirements will impact many business sectors that interact with federal agencies. The Executive Order and OMB memorandum may provide a useful framework for private companies that are developing AI governance programs and accompanying internal policies guiding the implementation and use of AI in their businesses.