The Column – Cyber Security Week
The government’s recent measures regarding AI seem to move along an understandable line: promoting innovation, protecting citizens, educating young people, assigning responsibility and punishing those who play with powerful systems as if they were electric trains. All agreeable, but the problem, as often happens, is not in the single rule, but the regulatory ecosystem in which it must be placed. The idea of a national framework on artificial intelligence, linked to the European AI Act, is necessary. No one can seriously think that these tools enter schools, hospitals, businesses, public administration and perhaps decision-making processes without leaving deep traces. However, here the first node appears: Europe tries to build a common playing field, while national states tend to plant their own stakes and if some can be useful, others can turn into obstacles. If the national rule clarifies, fine, but if it duplicates, confuses or adds uncoordinated obligations, it ends up producing that magnificent bureaucratic invention for which everyone is responsible and no one knows exactly what.
The case of the school is exemplary. On the one hand the use of smartphones is limited, on the other the aim is to teach artificial intelligence, digital citizenship and awareness in the use of platforms. Apparently it’s a contradiction. In reality it may not be, as long as it explains itself. Wanting to talk about AI after having given up on educating about the everyday digital object par excellence, that is, the smartphone, generates a paradox. If the ban becomes a substitute for digital education, then it prepares the ground poorly because AI is no less problematic, indeed it is the smartphone after having eaten a library, an answering machine, an abusive psychologist, a search engine and an illusionist. The same goes for age restrictions. Establishing a threshold for access to online platforms and AI systems is reassuring, but bringing these systems into schools and then banning them at home is like giving math lessons and then banning students from practicing on their own.
Then there is the issue of safety. The hypothesis of punishing, as the new art should provide. 437-bis of the penal code, anyone who does not adopt adequate security measures for AI platforms and systems is fine. In the abstract it is right: if I put into circulation a system capable of impacting people’s lives, I cannot get away with saying that “it was a beta version”, as if society were a laboratory with voluntary guinea pigs. But a question immediately arises: why shouldn’t the same reasoning apply to non-AI software, OT systems, medical devices, healthcare or industrial infrastructures that can kill in the same way? The healthcare case is exemplary. If a software produces incorrect data on diagnoses, dosages, triage priorities, vital signs or availability of therapies, the risk to life does not depend on the presence of neural networks. It depends on whether the system enters into the clinical decision. The algorithm can also be “stupidly” deterministic: if it makes a mistake in the right place, at the right time, with the wrong authority, it causes very real damage. It should not detect whether the system is AI, OT, medical software, cloud platform, or traditional automation. What makes the difference should be whether the system is included in a critical process, whether the omission of safety measures was serious and foreseeable and whether that omission results in a concrete danger to life, health, public safety or state security.
Otherwise we risk a somewhat superstitious rule: it punishes the technological fetish called AI, while leaving the old opaque software that governs hospitals, systems, networks, drugs, reports, alarms and machines in the shadows. The monster sometimes runs on a forgotten server, with a fossil password and an update that was never installed.
The most insidious point is that we continue to treat artificial intelligence as a new object, when in large part it is a new way of concentrating old fragilities. Data, software, infrastructure, people, suppliers, errors, wrong incentives. AI does not erase these things: it accelerates them, makes them more convincing, more scalable, more difficult to see. This is why the measures are important, but they are not enough. The real question is not having a law on artificial intelligence, but whether we will have institutions, schools, businesses and citizens capable of inhabiting it without transforming it into yet another requirement: a law can impose a seat belt, but it cannot drive for us. Artificial intelligence does not ask to be feared or adored: it asks to be governed which, in the digital world, means remembering that the future is not forbidden or suffered: it is prepared.
