Date: 2024-04-16

The concepts of “open” and “closed” source exist on a spectrum, rather than being binary choices, Google says in response to the request for comments by the US Department of Commerce’s National Telecommunications and Information Administration (NTIA) on the risks, benefits, and potential policy related to dual-use foundation models for which the model weights are widely available.

It argues that access to artificial intelligence (AI) systems is better understood in terms of different degrees of access to different components of a given system, giving the example of Gemma, which offers free access to model weights, but under a custom license that requires adherence to its prohibited use policy. “Although there are signs of misuse in some current open models, we believe that, on balance, the benefits of many open models still significantly outweigh the risks,” the company states.

Discussing the risks posed by AI models, Google says that they depend on the model’s capabilities. Risk is also influenced by other factors, like the potential for the model’s performance to change over time, including from post-training enhancements, and the use of the model at scale. The company suggests that NTIA should develop recommendations that appropriately support the release of open models by accounting for their attributes—and benefits and risks—holistically. A comprehensive risk assessment should look at the impact of sharing the specific components of a model (like metadata, training data, training code, etc.) rather than treating the model as a monolithic entity. Further, the risk posed by a model should not be judged based on its size; for example, small specialized models may pose higher risks in particular domains than large, general-purpose models do.

Some context:

Dual-use foundational models are open foundation models that can be fine-tuned by developers using widely available computing. The weights of a model are the numerical parameters within an AI model that help determine its output in response to inputs. These weights change based on the model’s learning over time.

Key Highlights from Google’s comments:

The spectrum of openness:

The company says that AI models exist on a spectrum with the following categories—

Fully closed model, where all the components are kept private

Application Programming Interface (API) Access, which allows for controlled usage wherein the users can use a defined interface but cannot directly inspect or modify the model’s internal architecture, weights, hyperparameters, or training data.

Restricted weight access, which limits access to a trained model’s weights to selected external researchers and/or developers, usually under certain license terms and usage restrictions.

Full weight access, which permits anyone to download a trained model’s weights, but some or all of the model code (e.g., training code and tokenizers) is withheld.

Fully open models, which involve public availability of a fully pre-trained model and additional components (architecture, weights, code, and sometimes training data).

“The appropriate level of access will differ based on various factors, but what is key is ensuring that appropriate AI capabilities are accessible to appropriately provisioned sets of developers (i.e., developers committed to responsible use),” Google proposes.

Elements that increase the risk posed by an open-weight model:

Once model weights become publicly available, it becomes impossible to revoke access afterward. Restricting access later would not prevent other hosting platforms from hosting and sharing the same content.

It is hard to prevent bad actors from fine-tuning an open model for malicious purposes, even when access to the model is subject to a prohibited use policy. More work is needed to prevent intentional misuse of open models.

Open source projects can be compromised in ways that introduce risks for downstream organizations that integrate the project into their own systems. This risk is not only valid for open AI models but also for the open source software landscape, and lessons learned there may be helpful in this context.

AI models where access is managed (by systems like APIs) allow organizations deploying the model to apply a number of centralized mitigations for unintended model behavior. Such mitigations are more difficult to coordinate and achieve at scale for open models.

Some AI models may have emergent capabilities that are not fully understood in earlier phases of deployment. As such, the model may wrongly be treated as having limited risk, when in fact it has developed new risky or concerning behaviors that are not yet known. In such a situation, a mitigation strategy could be a longer observation time followed by staged deployment.

The risk landscape of a model is evolving:

Google argues that an AI’s performance and capabilities are dynamic, not static. Post-training enhancements, or better prompting and inference mechanisms, or fine-tuning a model to access the internet, can significantly improve performance. This means that the risks and benefits of a model assessed today may be substantially different for the same model assessed a year from now.

How to mitigate risks posed by an open AI model:

Protect model weights against unauthorized release: Many of the risk mitigation measures are dependent on robust protection of model weights from the beginning of the model development process. NTIA should advocate for the adoption of safety frameworks (like Google’s Secure AI Framework) that both government and the private sector could use to collaboratively secure AI technology.

Address safety and harm prior to deployment: When deploying models behind an API, risks like toxic language and discrimination can be prevented by fine-tuning and filtering. Google says it prevents these risks by implementing robust data governance practices on pre-training data and assessing models against standardized AI safety benchmarks. It recognizes that open models are vulnerable to unintended behaviors via adversarial fine-tuning.

The company says that developers should approach model development and deployment decisions using a framework that prioritizes safety and security, and employs a high bar of evaluations. It gives the example of Gemma for which it conducted dangerous capability evaluations for chemical, biological, radiological, and nuclear (CBRN) risks, cybersecurity, and autonomous replication. It encourages NTIA to work with the AI community to develop more rigorous criteria for evaluations in areas such as dangerous capabilities and fine-tuning to reduce the uncertainty about the capabilities of AI models.

Make progress on novel mitigations: Google says that the AI industry should aim to identify additional mechanisms for mitigating the risks surrounding open models. It says that one area of opportunity here is developing a better empirical understanding of the spread and use of open models.

Cybersecurity measures: Developers should implement robust cybersecurity protections for model weights to ensure that models are only made widely available when intended.

Legal and business issues associated with open foundational models:

When companies make their models open, it increases the risk that intellectual property will be leaked, Google points out. Research shows that data can be easily extracted from open-source models, and even closed-source models are vulnerable.

The model could be misused, despite mitigation measures. NTIA should explore solutions that acknowledge the shared responsibility for safety by model developers, deployers and users. NTIA should also recognize that updated liability frameworks may be useful to fully realizing the benefits of open models, given that the entity at the closest point to the AI product end-user is best positioned to monitor and prevent misuse. This would help drive continued investment in open models.

Open models can expose companies to reputational harm if a model is misused.

How should the government make decisions around open-source AI:

Google says domain experts should consult with governments to establish thresholds on the potential risks of open models, in order to inform release decisions—including thresholds beyond which the model weights should not be openly shared. Such thresholds will require progress on model evaluation mechanisms with some directed at certain types of risks (like CBRN risks) or directed toward specific domains like health and finance.

It says that NTIA should look into whether open foundation models present heightened risks and consider the extent to which these models empower bad actors compared to existing technology. For instance, NTIA should not base policy decisions on the potential that bad actors might use a large language model as a search engine, because bad actors have had access to search engines for decades. NTIA should explore policies that place liability closest to the end-use of an applicable AI product, especially in situations where upstream developers have no control over the final use a model is put to. It should also recognize the critical need to sustain open-source software communities.
