Skip to content
Delegation Risk

Regulatory Approaches

Regulatory Approaches to AI Independence

Section titled “Regulatory Approaches to AI Independence”

Entanglement is not just a technical problem—it’s also a policy problem. When critical infrastructure, financial systems, and public services all depend on a handful of AI providers, systemic risk becomes a regulatory concern.

This page surveys existing and proposed regulatory approaches to AI independence, drawing lessons from financial regulation, antitrust, and critical infrastructure governance.

Why Regulation Matters for Entanglement

Section titled “Why Regulation Matters for Entanglement”

Market Failure Analysis

Section titled “Market Failure Analysis”

The problem: Individual actors have incentives that create collective risk.

Individual IncentiveCollective Outcome
Use the best model (GPT-4)Provider monoculture
Minimize costsShared infrastructure
Move fastSkip independence testing
Use proven approachesArchitectural convergence

Market failure type: Negative externality—each actor’s choice to use the dominant provider increases systemic risk for everyone, but they don’t bear the full cost.

Regulatory Rationale

Section titled “Regulatory Rationale”
WITHOUT REGULATION:
- Each company optimizes locally
- Systemic entanglement accumulates
- No one is responsible for systemic risk
- Crisis reveals vulnerability (too late)


WITH REGULATION:
- Requirements for independence/diversity
- Systemic risk monitoring
- Accountability for concentration
- Prevention rather than reaction

Existing Regulatory Frameworks

Section titled “Existing Regulatory Frameworks”

Financial Sector: Concentration Risk

Section titled “Financial Sector: Concentration Risk”

Basel III / IV Framework:

  • Banks must diversify counterparty exposure
  • Single-name concentration limits
  • Stress testing for correlated failures

Application to AI:

FINANCIAL ANALOGY:


Bank concentration risk → AI provider concentration risk
Counterparty limits → Provider dependency limits
Stress testing → Entanglement stress testing
Systemic importance designation → Critical AI infrastructure

What regulators learned:

  • Concentration creates systemic risk
  • “Too big to fail” applies to infrastructure
  • Correlation matters as much as individual exposure

Aviation: Independence Requirements

Section titled “Aviation: Independence Requirements”

FAA regulations require:

  • Independent flight systems (fly-by-wire redundancy)
  • Different design teams for redundant systems
  • Diverse software implementations for critical functions

Example: Airbus A320 fly-by-wire uses:

  • Two different processor types
  • Two different software teams
  • Two different programming languages

Application to AI: Critical AI systems could require similar architectural diversity mandates.

Nuclear: Defense in Depth

Section titled “Nuclear: Defense in Depth”

NRC requirements:

  • Multiple independent barriers
  • Single failure criterion (any single failure must not defeat safety)
  • Diversity requirements for safety systems

Application to AI:

NUCLEAR SAFETY LAYERS → AI SAFETY LAYERS


Physical barriers → Verification layers
Independent trip systems → Independent AI verifiers
Single failure criterion → No single-point AI failures
Diversity requirements → Provider/architecture diversity

Antitrust: Market Concentration

Section titled “Antitrust: Market Concentration”

Existing tools:

  • Merger review for concentration
  • Market share thresholds
  • Conduct remedies for dominant firms

Application to AI:

  • Provider market share monitoring
  • Interoperability requirements
  • Data access requirements

Proposed AI-Specific Regulations

Section titled “Proposed AI-Specific Regulations”

EU AI Act

Section titled “EU AI Act”

Relevant provisions:

  • High-risk AI systems require conformity assessment
  • Technical documentation including dependencies
  • Quality management systems
  • Post-market monitoring

Entanglement-relevant requirements:

RequirementEntanglement Relevance
Risk management systemShould include entanglement assessment
Technical documentationShould document dependencies
Human oversightMay not be independent (see psychology of oversight)
Accuracy/robustnessShould include correlated failure testing

Gap: EU AI Act doesn’t explicitly address provider concentration or architectural monoculture.

US Executive Order on AI (2023)

Section titled “US Executive Order on AI (2023)”

Relevant provisions:

  • Reporting requirements for large AI models
  • Red team testing requirements
  • NIST AI risk management framework

Entanglement implications:

  • Reporting could include provider dependencies
  • Red teaming could include entanglement testing
  • Risk framework could incorporate correlation metrics

Gap: No explicit concentration limits or diversity requirements.

UK AI Safety Framework

Section titled “UK AI Safety Framework”

Approach: Principles-based, sector-specific application.

Relevant principles:

  • Safety and robustness
  • Transparency and explainability
  • Contestability and redress

Entanglement application: Safety principle could be interpreted to require independence assessment.

China AI Regulations

Section titled “China AI Regulations”

Approach: Government approval for deployment, content requirements.

Entanglement relevance:

  • Approval process could assess dependencies
  • State interest in resilience aligns with diversity requirements
  • But may create different monoculture (government-approved models)

Regulatory Options

Section titled “Regulatory Options”

Option 1: Disclosure Requirements

Section titled “Option 1: Disclosure Requirements”

Mechanism: Require disclosure of AI dependencies and concentration.

MANDATORY DISCLOSURES:


□ Foundation model providers used
□ Percentage of AI operations per provider
□ Architecture types deployed
□ Shared infrastructure dependencies
□ Entanglement assessment results
□ Incident correlation data

Pros:

  • Low burden
  • Enables market-based risk assessment
  • Creates accountability

Cons:

  • Disclosure alone doesn’t fix the problem
  • Competitive sensitivity concerns
  • Requires standardized reporting

Option 2: Concentration Limits

Section titled “Option 2: Concentration Limits”

Mechanism: Cap dependency on any single provider.

EXAMPLE CONCENTRATION LIMITS:


Critical infrastructure: Max 30% from any single provider
Financial services: Max 40% from any single provider
Healthcare: Max 35% from any single provider
General commercial: Disclosure only (no cap)

Pros:

  • Directly addresses concentration
  • Creates market for alternatives
  • Prevents “too big to fail”

Cons:

  • May increase costs
  • May reduce quality (if alternatives are worse)
  • Hard to define “provider” (subsidiaries, partnerships)
  • Difficult to enforce across complex supply chains

Option 3: Diversity Requirements

Section titled “Option 3: Diversity Requirements”

Mechanism: Mandate architectural or methodological diversity for critical functions.

DIVERSITY MANDATE EXAMPLE:


For safety-critical AI decisions:
- At least two verification approaches from different paradigms
- Example: Neural + rule-based, or Neural + formal verification
- Paradigms defined by regulation

Pros:

  • Addresses correlation at architectural level
  • Provider-agnostic
  • Encourages innovation in diverse approaches

Cons:

  • Hard to define “different paradigms”
  • May not be feasible for all applications
  • Increased complexity and cost

Option 4: Stress Testing Requirements

Section titled “Option 4: Stress Testing Requirements”

Mechanism: Mandate testing for correlated failures.

STRESS TESTING REQUIREMENTS:


□ Transfer attack testing between verification layers
□ Correlation measurement during degraded conditions
□ Cascading failure scenario analysis
□ Common-mode failure identification
□ Entanglement tax calculation


Results must be:
- Reported to regulator
- Within specified thresholds
- Remediated if exceeded

Pros:

  • Outcome-focused rather than prescriptive
  • Encourages internal improvement
  • Creates measurement baseline

Cons:

  • Requires sophisticated testing capability
  • Gaming risk (optimize for test scenarios)
  • Threshold-setting is technically difficult

Option 5: Systemic Importance Designation

Section titled “Option 5: Systemic Importance Designation”

Mechanism: Designate certain AI providers as systemically important, with enhanced requirements.

Analogy: Systemically Important Financial Institutions (SIFIs) under Dodd-Frank.

SYSTEMICALLY IMPORTANT AI PROVIDER (SIAP):


Criteria (example):
- >30% market share in any critical sector
- Dependency by >100 significant institutions
- Revenue >$10B from AI services


Enhanced requirements:
- Living will (resolution plan)
- Enhanced capital/insurance requirements
- Interoperability mandates
- Regular systemic risk assessment

Pros:

  • Targets regulation where risk is concentrated
  • Allows differential treatment
  • Analogous to proven financial regulation

Cons:

  • May entrench designated providers
  • Threshold gaming
  • Complex to administer

Option 6: Interoperability and Portability

Section titled “Option 6: Interoperability and Portability”

Mechanism: Require that AI systems be portable between providers.

INTEROPERABILITY REQUIREMENTS:


□ Standard APIs for model deployment
□ Data portability between providers
□ Model format interoperability
□ Prompt/fine-tuning portability
□ Maximum switching time requirements

Pros:

  • Reduces lock-in
  • Enables rapid diversification if needed
  • Promotes competition

Cons:

  • Technical challenges (models differ)
  • May reduce provider incentives to innovate
  • Doesn’t directly address architectural correlation

Sector-Specific Considerations

Section titled “Sector-Specific Considerations”

Financial Services

Section titled “Financial Services”

Current state: Heavy AI use in trading, risk, fraud detection, customer service.

Entanglement risk: If multiple banks use the same AI for fraud detection, adversaries find single bypass.

Regulatory approach:

FINANCIAL AI REGULATION:


Existing frameworks to extend:
- OCC model risk management (SR 11-7)
- Basel operational risk
- Stress testing (CCAR, DFAST)


New requirements:
- AI dependency reporting
- Correlation stress testing
- Provider concentration limits for critical functions

Healthcare

Section titled “Healthcare”

Current state: AI in diagnostics, treatment recommendations, administrative functions.

Entanglement risk: Shared diagnostic AI blind spots cause correlated medical errors.

Regulatory approach:

HEALTHCARE AI REGULATION:


Existing frameworks:
- FDA SaMD (Software as Medical Device)
- HIPAA data requirements


Extensions:
- Multi-site validation requirements
- Diverse population testing
- Post-market surveillance for correlated outcomes

Critical Infrastructure

Section titled “Critical Infrastructure”

Current state: AI in power grid management, transportation, communications.

Entanglement risk: Single AI failure cascades across infrastructure.

Regulatory approach:

CRITICAL INFRASTRUCTURE AI:


Existing frameworks:
- NERC reliability standards (power)
- TSA security requirements (transport)
- CISA critical infrastructure protection


Extensions:
- AI dependency mapping requirements
- Backup/fallback mandates
- Provider diversity requirements for critical functions

International Coordination

Section titled “International Coordination”

The Collective Action Problem

Section titled “The Collective Action Problem”
WITHOUT COORDINATION:
Country A imposes AI diversity rules → AI providers relocate
Country B has no rules → Gains competitive advantage
Country A faces pressure to relax → Race to bottom


WITH COORDINATION:
Multiple countries adopt similar rules
No regulatory arbitrage
Systemic risk addressed globally

Potential Coordination Mechanisms

Section titled “Potential Coordination Mechanisms”
MechanismModelFeasibility
TreatyBasel Accords for financeHigh (precedent exists)
Mutual recognitionEU adequacy decisionsMedium
Standards bodyISO/IEC standardsMedium-High
Forum/dialogueG20 AI principlesLow effectiveness
Sector-specificIOSCO for financeMedium-High

Geopolitical Considerations

Section titled “Geopolitical Considerations”

US-China dynamics:

  • Both have interest in resilience
  • Both have strategic AI champions
  • Cooperation difficult but not impossible on technical standards

EU as standard-setter:

  • Brussels Effect (regulatory extraterritoriality)
  • AI Act may become de facto global standard
  • But may not address entanglement specifically

Implementation Challenges

Section titled “Implementation Challenges”

Defining Boundaries

Section titled “Defining Boundaries”
DIFFICULT DEFINITIONAL QUESTIONS:


What is a "provider"?
- OpenAI vs. Microsoft (partnership)
- Open source models (who's responsible?)
- Fine-tuned models (derivative vs. new?)


What is "independence"?
- Different provider but same architecture?
- Different architecture but same training data?
- How much correlation is too much?


What is "critical"?
- Which applications require diversity?
- How to define criticality threshold?

Measurement and Enforcement

Section titled “Measurement and Enforcement”

Challenges:

  • Entanglement is complex to measure
  • Supply chains are opaque
  • Rapid technological change
  • Enforcement across jurisdictions

Possible approaches:

  • Standardized reporting frameworks
  • Third-party auditors (like financial auditors)
  • Regulatory technology (RegTech) for monitoring
  • Whistleblower incentives

Unintended Consequences

Section titled “Unintended Consequences”
RegulationPossible Unintended Consequence
Concentration limitsArtificial provider splitting
Diversity mandatesLower quality alternatives used
Disclosure requirementsCompetitive information leakage
Stress testingTeaching to the test
InteroperabilityReduced innovation incentives

Recommendations

Section titled “Recommendations”

For Regulators

Section titled “For Regulators”

  1. Start with disclosure

    • Lowest burden, creates visibility
    • Foundation for more targeted requirements

  2. Integrate into existing frameworks

    • Financial regulators: Add to model risk management
    • Healthcare: Add to SaMD requirements
    • Infrastructure: Add to sector-specific rules

  3. Develop measurement standards

    • Commission technical standards for entanglement measurement
    • Enable comparable reporting

  4. Consider systemic importance designation

    • Identify providers whose failure would be systemic
    • Apply enhanced requirements proportionally

  5. Coordinate internationally

    • Avoid regulatory arbitrage
    • Work through existing bodies (FSB, IOSCO, standards bodies)

For Organizations

Section titled “For Organizations”

  1. Anticipate regulation

    • Begin measuring dependencies now
    • Document provider relationships
    • Test for correlation

  2. Build switching capability

    • Don’t lock in to single provider
    • Maintain ability to migrate
    • Test alternatives regularly

  3. Engage with regulators

    • Share practical insights
    • Propose workable standards
    • Avoid adversarial positioning

For AI Providers

Section titled “For AI Providers”

  1. Support interoperability

    • Reduce switching costs
    • Standard APIs and formats
    • Avoid lock-in strategies that create systemic risk

  2. Enable customer diversity

    • Help customers assess entanglement
    • Provide tools for correlation testing
    • Support multi-provider architectures

  3. Self-regulate proactively

    • Internal concentration monitoring
    • Industry standards development
    • Voluntary disclosure

Timeline Considerations

Section titled “Timeline Considerations”

Near-Term (1-2 years)

Section titled “Near-Term (1-2 years)”

Likely developments:

  • Disclosure requirements in some jurisdictions
  • Integration into existing sector regulations
  • Industry standards development

Actions:

  • Begin voluntary disclosure
  • Build measurement capabilities
  • Engage with standards processes

Medium-Term (3-5 years)

Section titled “Medium-Term (3-5 years)”

Possible developments:

  • Concentration limits in critical sectors
  • Stress testing requirements
  • International coordination frameworks

Actions:

  • Reduce high-concentration dependencies
  • Develop diverse provider relationships
  • Build testing infrastructure

Long-Term (5+ years)

Section titled “Long-Term (5+ years)”

Possible developments:

  • Comprehensive AI independence regulation
  • Systemic importance designations
  • Global coordination regime

Actions:

  • Full integration of entanglement management
  • Continuous monitoring and optimization
  • Leadership in shaping regulation

Key Takeaways

Section titled “Key Takeaways”

  1. Entanglement creates systemic risk that individual actors won’t address without coordination or regulation.

  2. Existing regulatory frameworks from finance, aviation, and nuclear provide models for AI independence requirements.

  3. Disclosure is the natural starting point—it’s low burden and creates foundation for further action.

  4. Concentration limits and diversity requirements are more intrusive but may be necessary for critical applications.

  5. International coordination is essential to prevent regulatory arbitrage and address global providers.

  6. Organizations should anticipate regulation and begin building measurement and diversity capabilities now.

See also: