Darren O'Rourke Urges Ireland to Tighten AI Risk Rules

Thanks very much to the witnesses. Maybe I'll continue along a similar line, just in relation to this regulatory and governance space, maybe with yourself first, Miss Pascal. Just maybe some reflections on the EU AI Act. I think you had some commentary in your opening statement and what you might advise the Irish government in terms of its relationship with it, but also how it operationalises, implements or goes beyond it in Ireland. Do you think, for example, there should be national standards? Have we that flexibility and what might that look like? As I mentioned, Ireland is a massive opportunity here because the EU AI Act is incomplete and is not covering different cases and relevant cases for Ireland specifically. So first of all, Article 15 in the EU AI Act identifies which systems are high risk and should be regulated. But as I was mentioning, this article doesn't include systems that are in the lived space, for example, smart home devices. And you think about the potential attackers that could easily target these devices. It can cause massive outage in many, many households in Ireland. So in Ireland and in Europe, I think we are vulnerable because these systems are not regulated. So this will be one of the first things I will suggest. Consider additional systems that should fall into the high risk application. For example, video games, they are considered low risk. But if you take into account that video games use AI and AI can cause dependency, so this system should be high risk, I believe. So I think the first thing is that the way in which systems are classified should be revised and should be reconsidered because we can be exposed to a massive attack surface in Ireland and in Europe. Everyone is using, for example, ring doorbell or a smart camera, smart speaker. These systems are highly, highly vulnerable. So this will be the first suggestion. The second suggestion is to really link the EU bill with something like the NIST cybersecurity framework that is being implemented in US. So this framework is very good because it provides some practical guidelines and it adopts an approach where security is taught at design time. So it's a proactive approach, so where it suggests some principle, some practices that should be implemented before the system are designed. So Ireland has done very well to establish a national cybersecurity center and I believe they should work in close collaboration with the national cybersecurity center to establish practices to demonstrate, for example, how to test AI system, how to provide assurances of such systems, how incidents in such systems should be reported. Because at the moment, yes, incidents should be reported, but how? There are no guidelines. And also, because AI systems use different tools or the problems could be in the model itself, could be in the training data, how data and incidents can be reported to provide sufficient explanation of how an incident actually took place. I mean, there is not really guidelines on that. And suggesting automated and repeatable tools and techniques that can be used to assure and secure systems that are offered and supplied in all products right now. So AI systems have been integrated everywhere. So the Cyber Resilience Act actually should apply to many, many of these systems because now AI is integrated in everywhere. Okay, yeah, thanks very much for that. Professor O'Sullivan, I don't know if you want to add to any of that, but I would also be interested in, like you say, that Ireland's well-positioned, you know, what might advancing that position look like and have you suggestions? Yes, just on the first matter of the EU AI Act, I think the EU AI Act gets us some of the way there, except I think there's a lot of uncertainty about what it actually really means, right? So if you're in, if you're a company in your local industrial estate and you're building some AI system, so what does it really mean for you? You know, what should you be doing today? And I think the big challenge for the EU AI Act are things that are not well classified. So for example, large language models, general purpose AI systems, you know, these are the things that are potentially really harmful. We know how to regulate medical devices, for example, we know how to do that. The EU AI Act is silent on national security issues, it's silent on military issues, and, of course, it never will. The omnibus, and, you know, these are just defined, these are just, you know, interpreting certain aspects and, you know, redefining others. That's, this is just sort of, you know, modifying maybe the fine tuning the AI Act. The other thing I suppose, just to bear in mind, is that some of the people that are going to be most impactful with using AI against us, don't care one bit about the law, you know. So despite the fact that there is a piece of legislation out there that governs AI systems, doesn't necessarily mean that they're going to abide by it, you know. So, and in certain areas, we do need to think about, well, how do we deal with non-state actors and AI-enabled terrorism, AI-enabled astroturfing. AI systems can be, can be, from the EU AI Act, it can be perfectly usable and publicly available and so on, but they can be used in ways that are harmful. So we see now a growing, the growing extent to which people are succumbing to sort of mental illness and forms of psychosis as a consequence of interacting with AI systems. So there's lots of issues here that we really do need to sort of pay attention to. In terms of Irish positioning, I think when it comes to dealing with security matters, I think we really do have an incredible reputation. And I think what that could look like, how we could drive that forward, it could simply be, you know, facilitating the dialogue or driving ahead, you know, convening discussions on these issues. Do we have the, because I presume you mean from a diplomatic point of view, and what about the technical expertise? So Ireland is, really does punch above its weight on many areas of AI, not all areas of AI, but there are many areas of AI in which we are world leaders. And where we don't have that leadership, we certainly know where to find it. So we would have no problem in dealing with that, I think. Okay, thank you.