Red Teaming AI Policy: A Taxonomy of Avoision and the EU AI Act

TL;DR

This paper develops a framework and taxonomy to analyze how firms might strategically avoid or minimize compliance with the upcoming EU AI Act, focusing on different levels of regulatory exposure and organizational tactics.

Contribution

It introduces a novel taxonomy of avoision strategies under the EU AI Act, categorizing them into tiers based on regulatory exposure and detailing organizational and technological methods.

Findings

Identifies three tiers of AIA exposure and associated avoision strategies.

Provides a structured framework for red teaming AI regulation compliance.

Highlights organizational and technological forms of avoision.

Abstract

The shape of AI regulation is beginning to emerge, most prominently through the EU AI Act (the "AIA"). By 2027, the AIA will be in full effect, and firms are starting to adjust their behavior in light of this new law. In this paper, we present a framework and taxonomy for reasoning about "avoision" -- conduct that walks the line between legal avoidance and evasion -- that firms might engage in so as to minimize the regulatory burden the AIA poses. We organize these avoision strategies around three "tiers" of increasing AIA exposure that regulated entities face depending on: whether their activities are (1) within scope of the AIA, (2) exempted from provisions of the AIA, or are (3) placed in a category with higher regulatory scrutiny. In each of these tiers and for each strategy, we specify the organizational and technological forms through which avoision may manifest. Our goal is to provide an adversarial framework for "red teaming" the AIA and AI regulation on the horizon.