Biden’s Executive Order on AI and the EU AI Act: Business as usual?

by Chloë McNab, AppZen Director, Legal-Commercial January 23, 2024

When the Biden Administration released its Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence on October 30, 2023, it generated a lot of press. It arrived at a time when citizens and companies alike were expressing concern about the safe and secure operation of machine learning (ML) algorithms and looking for reassurance that governments had AI in hand. The following December, European Union (EU) regulators reached political agreement on the new EU AI Act, which is expected to be formally adopted later this year.

At AppZen, where we consider the safe and secure processing of company data to be table stakes, it was business as usual. Why the lack of urgency? Because we’re already well ahead of the new rules.


Why this Executive Order on AI is important

The Executive Order is meaningful, particularly for federal agencies and for sectors such as national security and energy, which will likely be heavy investors in AI technology despite concerns around AI safety. It directs those agencies to develop and follow guidance across a broad range of categories, such as privacy, civil rights, and AI safety and security. With the exception of reporting obligations on developers of the largest dual-use foundation models, who must report on their training activity, the cybersecurity measures protecting their model weights, and their red-team test results, the Order imposes no specific operational constraints on private organizations. As a result, the Order has no immediate impact on AppZen.

It does, however, offer a useful insight into what may, one day, be considered the safe use of AI by SaaS B2B companies in the US. At AppZen, it’s generated valuable discussions with our customers about machine learning algorithms in particular and whether they can be built to maintain the safety, security, and integrity of personal and sensitive data. It also offers some indication of the direction of more substantive regulation that may be developed in the near future. In this regard, any company planning a future AI strategy should take note of the Executive Order’s areas of concern.

Although the Executive Order hasn’t changed how AppZen operates, here’s how we’ve been talking to our customers about AI security overall.

A note from AppZen's Legal Team on Biden's Executive Order on AI [download PDF]


Machine learning and the safety of customer data: vectors and data abstraction

The rise of AI governance committees within companies has brought the intersection of data and AI increasingly into focus. InfoSec, Legal, and Compliance teams all need to answer questions from colleagues, Boards of Directors, and customers about whether ML algorithms are trained on personal or other sensitive data for which they are responsible: how does the algorithm interact with or train on that data, and is that safe and compliant?

AppZen’s AI models are applied to finance-related items provided by our customers, such as receipts, expense reports, or invoice data. The models have a machine learning component that enables them to become, over time, more accurate at recognizing certain financial information that is relevant to our customers, such as the name of a business, expense category, or expense amount. Our customers then benefit from improved accuracy.

What matters most is what happens to the data before and during model training. Text is turned into numerical vectors in a process known as word embedding, and the models are trained to recognize only the vectors that represent information pertinent to a customer’s expense policy or AP processing, like an amount or a business name. Vectors that represent information not pertinent to expense or invoice processing are not used by the training objective and carry no weight in the model. Embedding by itself, however, is not anonymization: it is a deterministic encoding, and anyone holding the embedding table, or able to compute embeddings for candidate values, can map a vector back to the token it came from. The abstraction is a processing step, not a privacy control, and the safety of personal data rests on the additional measures described below rather than on the embedding.

This is also how we limit bias: only specific fields pertinent to expense and invoice processing, such as amounts, expense categories, and vendor names, are used to train AppZen’s algorithms. A narrow training signal reduces, though it does not by itself eliminate, the risk of a model learning unwanted correlations.


Case studies and complementary security measures

Even our most security-conscious customers, including one that doesn’t accept the use of its data for machine learning purposes at all, have agreed that when and how anonymization takes place within our ML process is sufficient to meet their most stringent requirements.

While word embeddings abstract the data, that abstraction is not a security control in itself and should not be relied upon for data security. A comprehensive approach involving multiple layers of protection and adherence to regulatory standards is essential.
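The following Python script is an added example, not AppZen’s code, illustrating why the two preceding paragraphs matter: a word embedding is a deterministic encoding, so anyone who can embed candidate tokens (the situation when the embedding layer is available or queryable) can recover the original tokens from their vectors by nearest-neighbour search. The SHA-256-based embedding, the receipt line, the employee directory, and the `[NAME]`/`[EMAIL]`/`[CARD]` placeholders are all constructed for the demonstration; a learned embedding would produce different numbers but has the same property. The second half shows the control that actually works: redacting direct identifiers before they reach the model.

```python
"""Added example (not AppZen code): a word embedding is a deterministic
encoding, not anonymization.  Whoever can compute embeddings for candidate
tokens can recover the original tokens from their vectors by nearest-neighbour
search, so direct identifiers must be removed *before* embedding.

All names, amounts and the employee directory below are constructed."""
import hashlib
import math
import re
import struct
from typing import Iterable, List

DIM = 16  # dimensionality of the toy embedding


def embed_token(token: str, dim: int = DIM) -> List[float]:
    """Map a token to a fixed pseudo-random vector derived from SHA-256.

    This stands in for a learned embedding table.  The values differ from a
    real model's, but the property that matters is identical: the same token
    always yields the same vector."""
    vec: List[float] = []
    block = 0
    while len(vec) < dim:
        digest = hashlib.sha256(f"{token}\x00{block}".encode()).digest()
        for i in range(0, len(digest) - 3, 4):
            if len(vec) == dim:
                break
            (n,) = struct.unpack("<I", digest[i:i + 4])
            vec.append(n / 2 ** 31 - 1.0)  # scale to [-1, 1)
        block += 1
    return vec


def embed_text(text: str) -> List[List[float]]:
    """Whitespace-tokenize the text and embed each token."""
    return [embed_token(t) for t in text.split()]


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm


def invert(vectors: List[List[float]], candidates: Iterable[str]) -> List[str]:
    """Attacker side: map each vector back to the nearest candidate token.

    The attacker only needs to be able to embed candidate tokens plus a
    candidate list such as an employee directory or a vendor list."""
    table = {c: embed_token(c) for c in candidates}
    return [max(table, key=lambda c: cosine(v, table[c])) for v in vectors]


# --- Anonymization that actually removes identifiers before embedding --------
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digit card-like numbers
EMPLOYEES = {"Dana", "Okafor"}  # constructed stand-in for an employee directory


def redact(text: str) -> str:
    """Replace direct identifiers with placeholders; keep the vendor and the
    amount, which the expense model genuinely needs."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = CARD_RE.sub("[CARD]", text)
    return " ".join("[NAME]" if t.strip(",.") in EMPLOYEES else t
                    for t in text.split())


# Constructed receipt line.
RECEIPT = ("Dinner at Luigi's, 84.20 USD, paid by Dana Okafor "
           "dana.okafor@example.com card 4111 1111 1111 1111")
# The attacker's candidate list: the receipt vocabulary plus the placeholders.
ATTACKER_VOCAB = set(RECEIPT.split()) | {"[NAME]", "[EMAIL]", "[CARD]"}


def recover_from_embeddings(text: str) -> List[str]:
    """What an attacker holding the vectors and the embedding function gets back."""
    return invert(embed_text(text), ATTACKER_VOCAB)


if __name__ == "__main__":
    print("raw    ->", " ".join(recover_from_embeddings(RECEIPT)))
    print("redact ->", " ".join(recover_from_embeddings(redact(RECEIPT))))
```

Run as a script, the first line prints the receipt back verbatim, names, e-mail address and card number included; the second prints the placeholders, because the identifiers were never embedded. The design point is that the inversion needs nothing secret: the embedding table is part of the model artifact, so protecting it with access controls and removing PII before embedding are the controls that carry the privacy claim.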

To ensure the security of data processed by our ML algorithms, AppZen employs additional security measures. These include:

Data Encryption: Encrypting data both in transit and at rest ensures that data remains unreadable without the encryption key, even if that data is intercepted on the wire or read from storage.
Access Controls: Access to the data and the ML model is restricted to authorized personnel only.
Regular Audits and Compliance Checks: Security protocols are regularly reviewed and updated to ensure compliance with current cybersecurity standards.
Anonymization Techniques: In cases where personally identifiable information (PII) is involved, we apply data anonymization before the data is embedded, rather than relying on the embedding itself.


The EU AI Act

The timing of the Executive Order was important, as other governments across the globe were also making headway with addressing perceived AI challenges. The most recent and arguably most consequential of these actions was the new EU AI Act. AppZen and its customers will inevitably need to be aware of this sweeping legislation because of its broad territorial scope: providers placing AI systems on the EU market and deployers using them in the EU are in scope, and so are providers and deployers located outside the EU whose systems’ output is used within the EU.

The EU AI Act can reasonably be compared to the pivotal General Data Protection Regulation (GDPR), which came into force in 2018 and set the bar for global data privacy compliance. As with the GDPR, the Act takes a risk-based approach, categorizing AI systems into tiers of risk: unacceptable risk, where certain AI systems are outright banned; high risk, which carries the bulk of the Act’s obligations; limited risk, which carries transparency duties; and minimal risk, on which the Act imposes few or no obligations.

This is only the beginning. A number of other jurisdictions, such as China, the UK, and Brazil, are developing or have already implemented their own AI policies and regulations. It’s reasonable to assume such legislation will continue to be developed as the global use of AI becomes increasingly commonplace.

For now, there is no impact on AppZen’s day-to-day operations as a result of either the EU AI Act or Biden’s Executive Order. For most B2B AI SaaS companies that are low risk, it's business as usual. But AI SaaS providers selling to the European market, and those with users there, do need to be aware of the EU AI Act’s provisions. As with the Executive Order, customers will rightly want to know that their AI providers are compliant and taking the safety precautions appropriate to their function. These organizations need to start thinking now about how these provisions will apply to them and how to answer the inevitable inquiries from customers.

AppZen has been working in the AI space for a decade. We welcome such questions from finance, IT, and legal teams about our AI security. That’s because we’re confident ours is the most secure finance AI on the market. If you’re curious whether AI is the right direction for your organization’s digital transformation initiative, we encourage you to evaluate us against other back-office finance automation solutions.

Whether you’re looking for assistance with Accounts Payable, T&E, cards, or email inbox management, contact us today to start the conversation.
