Another Frontier for Ethics: Use & Development of AI

by INDERPREET SAWHNEY

_{SPRING 2025 |}_FEATURE

Another Frontier for Ethics: Use & Development of AI

by INDERPREET SAWHNEY

Organizations have traditionally been evaluated by markets & investors for their adherence to law and ethical practices. With artificial intelligence (AI) increasingly dominating conversations across board rooms, news outlets and consumers, the ethical and legal development of AI is clearly a new frontier for many organizations.

AI systems are software programs, but the way they are developed and used is unlike software in many ways. It is important to note that the ethical challenges of AI begin at very foundations of AI systems that rupture the boundary between data and software.

INDERPREET SAWHNEY is the Chief Legal Officer and Chief Compliance Officer of Infosys. In this role she leads the legal and compliance function for the Company. Inderpreet also has additional responsibility for Privacy and Data Protection at Infosys.

An AI model consists of its neural network design and the model weights of its results from training-runs of glacial-scale computations applied over internet-scale bodies of data. Once trained, an AI system is used for inferencing against given inputs to generate net-new intellectual property (IP)/data. Given that this training phase itself consumes compute and datasets at unprecedented scales compared to those of traditional software systems, universal ethical and legal frameworks need to be developed and disseminated around this emerging technology.

History suggests that the velocity of a consumer-driven tech wave is always greater than a business-driven one. As the cost of deployment goes down, AI consumerization will rise. This will cause a particularly interesting disruption by enabling experts of one domain to leverage AI that specializes in another domain, without themselves possessing that domain specialization. This cross-functional access to skills will unlock value, but it also exposes society to unforeseen risks. These risks demand the ramping up of regulatory oversight, ethical frameworks, and the reskilling of workforces.

While technology waves of Web3 and quantum computing are anticipated, AI is already reducing innovation cycles in fundamental sciences. As a result, its ability to identify complex data patterns beyond human capability is creating opportunities in sectors such as health, climate, defense, space tech and material sciences. However, the absence of ethical considerations in implementing these systems can lead to significant negative impacts. This raises the question of whether regulations should target the end use of AI or the technology of AI itself.

Here are some examples of interesting regulatory proposals around AI, many of which would present various operational challenges:

Additional compliance requirements if the computational power used for AI model training is greater than 10²⁶ floating-point operations per second (FLOPS)
Laws that require AI providers to maintain the details of customers who license those AI products to the same (if not greater) levels of personal privacy and date security already in effect
Regulatory obligations for organizations to inform their relevant authorities about what datasets they are using for the pre-training runs of AI models.

Unlike traditional software systems, the workforce ready for handling Responsible AI needs to attend to both upstream and downstream ethical & legal risks.

INDERPREET SAWHNEY, Infosys

At the core of any regulation is an AI-ready workforce. While organizations are driving reskilling aggressively, there are reports of employees sometimes feeling that AI usage would make them look lazy or incompetent. Unlike traditional software systems, the workforce ready for handling Responsible AI needs to attend to both upstream and downstream ethical & legal risks. It needs to understand licensing practices around open vs. closed AI models, liability distribution among value chain participants, “use-case”-level compliances, IP issues in training datasets, ownership of AI generated outputs, synthetic data generation, caching of user inputs, regurgitation due to over-training, etc.

And all these issues are over and above the issues of safety, privacy, security, hallucinations, bias, and explainability that already dominate conversations around ethical and responsible AI. Unfortunately, legal opinions across countries are neither emerging at same pace, nor in the same direction. Thus, we are looking at a jigsaw puzzle of AI laws across major markets.

Major AI Legislation

In the U.S., for example, no AI law is expected at federal level in near future. But states have taken the lead and have passed more than two dozen AI lows to date. Four states (New Hampshire, Tennessee, Montana, and Oregon) have enacted AI legislation. Another 18 states (including California, New York, Texas, and Florida) have a mix of enacted and proposed legislation. And another 17 states have proposed legislation. Only 7 states have no proposed legislation.

In sharp contrast, we see another jigsaw puzzle across the Atlantic. The recently passed EU AI Act lays out very nuanced requirements on companies. This law is very significant, as it places penalties of up to 7% of global revenue for being non-compliant. It expects companies to classify and adhere to additional compliance for their AI use cases into (a) prohibited ones (b) high risk ones.

Misconceptions about web scraping are already causing legal frictions among organizations. Organizations also need to sensitize its user base about prompt etiquettes, especially when the AI system is fine-tuned according to user interactions that might change its behavioral patterns. For such shape-shifting AI systems, attribution of legal liability to the AI system or to the user remains an unchartered area.

Other challenges that enterprises can face in development of AI are from sector-specific regulations and lawsuits. The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are two good examples of where data laws are crucial in training AI models.

Within the EU and California, AI providers can collect data only with explicit consent that must be informed as to the usage of collected data. And personal privacy is only the tip of the regulatory iceberg. AI compliance must also address export controls, record-keeping, and local consumer protection regulations to ensure ethical and legal AI development.

Major AI Legislation

AI Readiness

Meanwhile, enterprise-level AI readiness is a prerequisite for AI itself to scale as a usable technology. However, according to a study by Infosys, while companies expect up to a 40% productivity gain from implementing AI into their workflow, only 2% of firms are ready for AI across all five dimensions of strategy, governance, talent, data, and technology. This is clearly an issue, as the Diffusion of Innovation theory notes that the tipping point for the adoption of new ideas, at which benefits start to accrue, is between 10% to 25% of adopters.

To ensure ethical AI systems, it is crucial to conduct regular, independent audits to identify biases in data and algorithms. Maintaining detailed audit trails and documentation of AI decision-making processes enhances transparency and accountability. Promoting literacy of AI ethics education and training for developers, policymakers, and the public is vital, focusing on ethical decision-making, bias recognition etc.

Using inclusive data that represents all demographic groups helps reduce the risk of marginalization. Incorporating human oversight in critical decision-making areas, such as healthcare and hiring, ensures AI errors can be corrected. Ethical AI design involves embedding principles of fairness, transparency, accountability, and privacy into the AI development lifecycle from the start, integrating these principles into both the algorithms and the organizational culture. ■

Infosys adherence to Responsible AI adaption is based on a "Scan, Shield, and Steer" framework to monitor and protect AI models. It relies on a Responsible-by-Design (RBD) framework that runs model-based and template-based guardrails. Among other risks, these guardrails prevent prompt injection, jailbreak, profanity, privacy violation, and organizational policy violations. Infosys is an ISO 42001:2023 certified company and is a founding signatory to AI pact signed in Brussels.