2 Sources
[1]
Why AI guardrails need common sense built around defensibility
Human pragmatism playing larger role than government regulations with guardrails

The EU AI Act comes into force for UK businesses in a matter of months - but the extent to which it'll be able to keep pace with AI development is questionable. The truth is that human pragmatism and existing authorities are likely to play a much larger role in establishing AI guardrails for businesses than new regulations. Litigation in particular will also play a key part in shaping how we use and govern AI tools.

AI technologies have achieved escape velocity in recent years, evolving at an exponentially rapid pace. New editions of leading foundation models have been released not on a biannual basis, but almost monthly. Law making, on the other hand, is famously slow to move, passing through interminable committee stages and negotiations before hitting the statute books. Promulgating new regulations moves only a bit more quickly, but, like new laws, they often arrive late or miss the mark in rapidly developing markets.

The Mythos warning

Anthropic's Mythos model is a perfect case in point here. The new LLM has caused serious concern globally as a result of its ability to spot zero-day vulnerabilities in IT systems - theoretically exposing the cybersecurity infrastructure of the world to significant risk. Its existence was announced on 7 April, along with Anthropic's intention to restrict its use to a handful of key tech firms and banks like Apple and Goldman Sachs. By 22 April, Anthropic was investigating reports that unauthorized users had accessed the model. We have also seen significant risk in the software supply chain, such as the LiteLLM hack that was at the center of the Mercor breach.

At time of writing, the entire security infrastructure of the internet hasn't collapsed, but security and compliance teams are losing sleep. The point is that the span between Mythos's existence becoming known and the first time it posed a real-world risk was measured in days, not years.
Which means that in that time, it would have been functionally impossible for lawmakers to learn about the new AI developments Mythos represents, consider their possible impacts, and adjust legislation to match. As far as the law is concerned, AI is the slipperiest of fish. It is also where we are more likely to see regulators and lawyers rely on existing rules and authorities, versus waiting for something net new.

Call in the lawyers

In that context, checks and balances on the AI industry will need to come from elsewhere. Rather than next-gen tech, businesses will need to turn to those most human of attributes - common sense and survival instincts. Pragmatism, driven by the threat of litigation and fines under new liability frameworks, is more likely to curb harmful or irresponsible AI deployment far earlier than formal regulation can. In other words, if successful lawsuits are brought for unethical AI creation or use, we can expect to see far more pre-emptive work done by the industry itself - constrained not by all-seeing legislation, but the precedent of litigation.

This isn't wishful thinking - the AI startup Mercor, valued at $10bn, is already facing seven class-action lawsuits following a data breach that raised concerns about provenance of training data and opacity in their practices. According to the lawsuits, Mercor was found to have monitored contractors' computers and shared the resulting data with clients, used recorded candidate interviews to train AI models, and trained client models on materials potentially owned by other companies.

The Mercor lawsuits are based on existing statutes and regulations, including privacy, cybersecurity, and even record keeping causes of action. This is instructive, as claims arising from AI issues do not need novel AI laws or regulations, and the Plaintiff's Bar is unlikely to stop here.
Over time, legal action targeting improper use, breaches, or bias, will create a framework of legal precedent, as impactful to the market as new AI regulation.

Defensibility - A Pragmatic Approach

As a result, leaders will recognize the need for a pragmatic approach in how AI models are built and used. As the caseload of AI litigation increases, it will be increasingly self-evident that organizations must be able to defend the training, use, and ongoing operation of AI applications and agents. Not only will this be important when the plaintiff's bar or a regulator shows up, but to stay in the good graces of cyber insurance carriers.

Just as the way restaurants handle allergens or hospitals handle patient consent has been shaped in large part by high-profile litigation, so the AI industry may be molded by the courts far quicker than by parliaments and legislatures. As a result, AI businesses need to take a structured, intelligent approach to their data and AI governance practices. It's crucial they understand the lineage of their data, where it is managed, how AI and agents can access and use it, and monitor the outcomes.

Without the foundational data governance practices, the risk of a misstep increases exponentially - potentially exposing the organisation to litigation, even if no specific AI regulation applies to limit the activity in question. Pragmatism will set the pace - technology will make it possible.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
[2]
Why Archive 360 says litigation rather than regulation is shaping AI deployment
It is a truism that AI models evolve faster than static legislation. Consequently, it could be argued that the real guardrails for AI adoption may emerge through litigation, liability, and reputational risk, with lawsuits effectively acting as 'shadow regulation' for enterprise AI use.

In the US, AI legislation is developing largely at State level, with 38 States enacting or planning AI legislation. Globally, the EU AI Act is the broadest reaching legislation enacted so far, but the phased nature of its deployment means enforcement for high-risk systems is unlikely to occur until 2027. Currently the UK does not have any AI-specific regulation or legislation covering AI as a technology. Instead, AI is regulated in the context in which it is used, through existing legal frameworks, such as financial services legislation.

Lawsuits are forming shadow regulation

Archive 360 is an AI and data governance platform designed to help customers in regulated industries meet their data compliance requirements. Many of the organizations that Archive 360 works with have years of data that has to be maintained and the company helps them both find all their data and use it safely and securely. George Tziahanas, VP of Compliance and Associate General Counsel, Archive 360 says: "Many customers are waiting for all kinds of AI legislation and regulation but what is already happening is that existing authority will form the basis of going forward."

He cites the example of Mercor, a company providing AI-driven tools and analytics for sourcing, recruiting, and evaluating employment candidates. This meant that they aggregated personal data from public and private sources, along with biometric data and AI-based analysis of interviews. Mercor also helped create bespoke datasets used by large AI companies in training models. However, Mercor fell victim to a data breach via open-source components in the ecosystem.
Tziahanas continues: The point is that nobody is waiting for AI regulation in order to pursue lawsuits with Mercor. The other place you are seeing lawsuits is with cybersecurity where organisations have failed to delete data that was supposed to be deleted. Yet another high-risk area is bias which comes up in different ways when protected characteristics are used by models to make decisions and regulators have signalled that this is an area of risk that they will be active in mitigating.

Tziahanas believes that applying existing laws to new technologies can have as much impact as creating new regulations. For example, the lawsuits against Mercor have established that data used to train and operate AI systems is a governed, discoverable business asset that is subject to existing legal and regulatory obligations.

Regulation and innovation require a push and pull model

The EU AI Act approaches regulation from a risk perspective, looking at different AI areas and defining levels of risk. The frameworks that are evolving in the US are also based on a risk perspective. Tziahanas says: "The EU AI Act focuses on triggering high risk thresholds but this is a grey area, as the thresholds are not measurable. It is quite vague and until we have enquiries and investigations it is difficult to gauge its effectiveness. The UK is currently relying on existing authorities regarding privacy, cybersecurity and bias. You do not need new regulation for some of that. The challenge governments have got is that they want to control model development. For example, in the US there is talk about creating a review process for frontier models."

Indeed, President Trump has now signed an executive order seeking voluntary early access to frontier models for the federal government to review them. Tziahanas adds: You have to see how the regulation gets enforced and implemented. If you take a heavy hand, you throttle innovation. You need a push and pull model.
No doubt the EU will issue a giant fine against a giant US company and then we will see the outcome.

It will be interesting to see whether the light touch, voluntary US federal approach proves more effective than the more heavy-handed EU regulated approach in mitigating risk. Either way, as an enterprise operating in the world of AI you have to be able to defend the data you are using, understand how the model was trained and be vigilant over how the model is changing over time. Tziahanas explains: Archive 360 helps with defensibility so that organizations can answer the question 'do I have and understand the lineage and provenance of the data for both training and inference?' Knowing what data is used in what way is important. We have artifacts that demonstrate how the model is working and whether it is drifting, whether an agent has gone rogue. Organisations need to be able to explain all that and we track it. We have an observability layer so that you can see how the agent is operating over time. The artifacts can be used to demonstrate legal proof. In the context of data privacy rules, from a data perspective we have mechanisms that delete data that companies should not be retaining. While we do not have control over the AI model itself, we can provide transparency into the training and tuning data. Furthermore, all the data that organisations have locked away in legacy systems, we can help retrieve that data so AI can come and consume it.

My take

There are well-known cultural differences in the way the US and the EU approach the management of risk introduced by Big Tech. The EU favours intervention, the US prefers more laissez-faire approaches, and the UK sits somewhat uneasily between the two. What is clear from the conversation with Tziahanas is that the lawsuits are already arriving, which makes waiting for AI regulation or law to govern deployment a risky business.
This is all good news for vendors such as Archive 360 that can help enterprises with defensibility in court.
As AI models evolve faster than legislation can keep pace, litigation is emerging as the primary force shaping AI guardrails. The Mercor data breach, which resulted in seven class-action lawsuits, demonstrates how existing legal frameworks are being applied to AI issues without waiting for new AI-specific regulations. Experts argue that pragmatism driven by liability threats will curb harmful AI deployment far earlier than formal regulation.
While the EU AI Act approaches enforcement and governments worldwide debate AI-specific regulations, a more immediate force is shaping how businesses deploy artificial intelligence: litigation [1][2]. AI technologies have achieved what experts call "escape velocity," with leading foundation models now releasing updates almost monthly rather than biannually. Meanwhile, lawmaking remains famously slow, passing through committee stages and negotiations before reaching statute books. This fundamental mismatch means that AI guardrails are increasingly being established through human pragmatism and existing authorities rather than new legislation.

George Tziahanas, VP of Compliance at Archive 360, notes that "many customers are waiting for all kinds of AI legislation and regulation but what is already happening is that existing authority will form the basis of going forward" [2]. The reality facing enterprises is that lawsuits are effectively acting as shadow regulation for AI deployment, with legal frameworks for AI being constructed through courtroom precedent rather than parliamentary debate.
The Anthropic Mythos model serves as a stark illustration of how quickly AI can outpace regulatory response. Announced on April 7 with the ability to spot zero-day vulnerabilities in IT systems, the model raised serious global concerns about cybersecurity risks [1]. Anthropic restricted its use to key tech firms and banks like Apple and Goldman Sachs. Yet by April 22—just 15 days later—the company was investigating reports of unauthorized access.

This timeline reveals a critical problem: the span between the model's announcement and real-world risk was measured in days, not years. It would have been functionally impossible for lawmakers to learn about these AI developments, consider their impacts, and adjust legislation accordingly. As far as the law is concerned, AI remains the slipperiest of fish, which is why regulators and lawyers increasingly rely on existing rules rather than waiting for something entirely new.
The $10 billion AI startup Mercor now faces seven class-action lawsuits following a data breach that exposed fundamental questions about AI governance and data privacy [1][2]. The company provided AI-driven tools for sourcing and evaluating employment candidates, aggregating personal and biometric data from public and private sources. According to the lawsuits, Mercor monitored contractors' computers and shared resulting data with clients, used recorded candidate interviews for model training, and trained client models on materials potentially owned by other companies.

Crucially, these lawsuits rely on existing statutes covering privacy, cybersecurity, and record-keeping—not novel AI laws. The breach occurred through open-source components in the ecosystem, highlighting cybersecurity risks that extend beyond the models themselves. Tziahanas emphasizes that "nobody is waiting for AI regulation in order to pursue lawsuits with Mercor" [2]. The cases have established that data used for model training and operation constitutes a governed, discoverable business asset subject to existing legal obligations.
As AI litigation caseloads increase, organizational leaders recognize the need for pragmatic approaches to how models are built and used. AI defensibility—the ability to defend the training, use, and ongoing operation of AI applications—has become essential not only when facing plaintiffs or regulators but also to maintain relationships with cyber insurance carriers [1].

This shift mirrors how other industries evolved. Just as restaurants' allergen handling and hospitals' patient consent procedures were shaped largely by high-profile litigation, the AI industry may be molded by courts far quicker than by parliaments. Legal action targeting improper use, breaches, or bias will create a framework of precedent as impactful as new regulation. Organizations also face reputational risks when AI deployments go wrong, adding another layer of pragmatic constraint beyond formal rules.
The EU AI Act represents the broadest AI-specific regulations enacted globally, but its phased deployment means enforcement for high-risk systems is unlikely until 2027 [2]. The framework focuses on risk thresholds, though Tziahanas notes these remain "quite vague" and difficult to measure until actual inquiries and investigations occur. In the US, AI legislation is developing primarily at state level, with 38 states enacting or planning measures. President Trump has signed an executive order seeking voluntary early access to frontier models for federal review—a notably light-touch approach compared to EU mandates.

The UK currently lacks AI-specific regulations, instead regulating AI through existing legal frameworks based on context of use, such as financial services legislation [2]. This fragmented landscape means enterprises operating globally must navigate multiple approaches while the real constraints come from liability exposure.
Bias mitigation has emerged as another high-risk area where regulators signal active enforcement intentions [2]. When protected characteristics are used by models to make decisions, existing anti-discrimination laws apply without requiring new AI-specific statutes. Organizations must also address cybersecurity risks related to data that should have been deleted but wasn't—another area where existing regulations create liability.

Archive 360 addresses these challenges through AI governance platforms that help organizations understand data lineage and provenance for both training and inference [2]. The company provides observability layers that track how agents operate over time, creating artifacts that demonstrate legal proof and detect whether models are drifting or agents have gone rogue. This structured approach to data governance enables the defensibility that enterprises need when facing either litigation or regulatory scrutiny.

The tension between regulatory control and innovation remains unresolved. Tziahanas argues that "if you take a heavy hand, you throttle innovation. You need a push and pull model" [2]. Whether the voluntary US federal approach proves more effective than the EU's regulated framework in mitigating risk remains to be seen. He predicts that "no doubt the EU will issue a giant fine against a giant US company and then we will see the outcome."

What's clear is that enterprises cannot wait for regulatory clarity. They must understand where data is managed, how AI and agents can access it, and maintain comprehensive records of model behavior. The plaintiff's bar shows no signs of slowing, and as compliance becomes intertwined with competitive advantage, organizations that build defensible AI practices now will be better positioned regardless of which regulatory approach ultimately prevails.
Summarized by Navi