America’s AI Policy Is Truly Chaotic. What we need is real regulation, fast (Francis Fukuyama)

This year has been a crazy time with regard to Washington’s treatment of artificial intelligence, and the pace has picked up in the last couple of weeks. This train of events began in February when Defense Secretary Pete Hegseth declared the leading AI firm Anthropic, a “supply chain risk,” meaning that neither the Pentagon nor its contractors could use Anthropic models without risking legal liability.

Then, in April, Anthropic announced that its latest Mythos model was so powerful that it would be released to only a handful of organizations. Mythos, it was claimed, had extraordinary abilities to break into computer systems, and these early organizations were asked to use it to test and secure their systems. In June, Senator Mark Warner told the Senate Banking Committee, “thank God it was Anthropic. When the head of the NSA and Cyber Command came and said, ‘This tool broke into almost all of our classified systems, not in weeks, but in hours,’ … we are not going to solve this problem if we rely on a less ethical CEO operating on the basis of plain voluntary testing alone.”

Experts later added caveats to this description of Mythos 5’s capabilities, but it is clear that the politics of AI regulation has shifted dramatically in the past month. The Trump administration came into office last year being advised by tech bros like David Sacks and Marc Andreessen, who opposed any form of AI regulation. The latter in fact created an organization called Leading the Future that put significant money behind lobbying against AI regulation. The Trump White House nonetheless intervened against Anthropic, but only for what looked like typically bad political reasons. The company, according to Hegseth, was too “woke”; otherwise, the administration’s default position was to oppose all regulation.

This has now changed. The national security community has woken up to the fact that the latest AI models pose a clear and present danger to the security of the government’s data. This is not a speculative outcome years in the future, but one that is here right now. The Sacks-Andreessen faction can’t really argue against this, and so the balance of opinion on the need for regulation—at least, the pre-approval of new AI models—has shifted in favor of intervention. The latest twist is the Commerce Department giving Anthropic the green light to give its latest Mythos 5 models to a group of “trusted partners” so that they could ferret out vulnerabilities in the security of their systems. Similarly, OpenAI announced last week that its newest model would be restricted to a few government-approved organizations. So the White House has now joined the larger consensus in the tech community that believes that, however useful AI may be, it needs regulation.

The problem is that the Trump administration’s AI policy is typically chaotic. It is not clear who has final authority to issue new rules for AI, and on what basis. It appears that the turn towards regulation is driven by serious people in the national security community raising serious concerns, and not some clownish attempt by political actors like Pete Hegseth to punish woke enemies. But how are such decisions being made, and how will they be made going forward?

The problem up to now was that pro-regulation advocates could not define clearly the sorts of harms regulation was meant to protect against. Now there is a clear harm (cybersecurity), and so a more thoughtful institutional design effort can begin. Such an effort would need to answer the following questions:

• Do we need a specialized regulator for AI, or is this a function that can be added on to existing bodies like the NSA or the Defense or Commerce Departments?
• Regardless of which government entity does the regulation, how do we get sufficient capacity into the bureaucracy so that it can make well-informed decisions? U.S. government capacity in this area is woefully deficient. The typical approach in the past has been to outsource state capacity to private actors, but under present circumstances this could easily lead to regulatory capture by big, self-interested players.
• How does a regulator do surveillance and enforcement of any rules that it creates? The AI industry is huge and growing bigger by the day; moreover, foreign countries like China also have significant capabilities very close to those of the United States. If we deem a certain AI capability to be dangerous, how will we know that it is being developed, and how will we enforce rules limiting it? As Senator Warner’s remarks indicate, we are currently dependent on the good intentions of the CEOs running today’s large companies.
• To what extent should we delegate discretionary authority to the new regulator? In the past, statutes have spelled out the specific rules that the regulator was meant to enforce. But the AI field is evolving so quickly that any effort to write such specifications into hard law will be almost immediately overtaken by technological change.

These are just some of the real-world institutional design questions we need to answer if we are to adequately regulate artificial intelligence. My suspicion is that we will indeed need a specialized regulator, because AI is a sector very different from other parts of the economy. When trucking became an important means of transporting goods early in the 20^th century, Congress decided to give regulatory authority to the Interstate Commerce Commission. But this was a mistake: the ICC was designed to regulate railroads, and the economics of trucking are very different from rail transport. This is why the advent of air transport led to the creation of specialized agencies like the FAA and CAB.

It is time to stop talking about whether we need an AI regulator; the dangers are here and now and we need to move quickly. The discussion needs to shift to a much deeper and more specific analysis of how to regulate, understanding that the dangers posed by AI are likely to change over time. Our main competitor, China, is moving in this direction as we speak: the country is not run by a bunch of libertarians who want to let the technology rip, come what may. That may have been our position in the past, but it can’t define our policy today.