Synopsis: In this AI Leadership Insights video interview, Mike Vizard speaks with Kevin Cochrane, the chief marketing officer for Vultr, about the need for AI regulation.

Mike Vizard: Hello and welcome to the latest edition of the video series. I’m your host, Mike Vizard. Today we’re with Kevin Cochrane, who’s chief marketing officer for Vultr, they’re a provider of cloud services, and we’re talking about the need for regulation as it applies to AI. Kevin, welcome to the show.

Kevin Cochrane: Thank you so much, Mike, for having me.

Mike Vizard: There are those who would argue, and we’ve seen some recent op-eds about this, that regulations are going to do more harm than good because they’re hampering innovation in a way that might benefit humans. And then there’s others who are on the other side of this argument who are saying, “Well, of course we need regulations, because AI is one of the most profound changes in the technology landscape as anybody can remember, and it’s an existential threat to all kinds of different things.” Is there a right or a wrong here, or is there something in the middle? Or what’s your sense of where are we with this whole conversation around regulations?

Kevin Cochrane: First off, again, Mike, thanks for having me, I think this is a very important topic. And to answer this topic, it’s oftentimes good to learn from our past. Now, in the past, with the digital advertising industry and with the proliferation of social media, we started to enter into a world where we were collecting more and more data and we were sharing more and more data amongst different service providers, and we were using that data in order to monetize it for our business models leveraging digital advertising. And we saw an explosion in social media, we saw an explosion of the MarTech stack, and it took many, many years for us to recognize that at the heart of all this data was an ever clearer picture of our identities and ever more accurate predictions on the things that made us live and work every single day.
And it was only after the fact that we started to introduce legislation in order to protect people’s personal data, in order to protect people’s privacy, but much of that was too little, too late and we are still dealing with the aftermath of having not properly thought about people’s personal privacy, people’s personal data protection. Everything is an afterthought. It’s a bandaid on a problem that we allowed to proliferate. So now the question really becomes is this, are we at a similar inflection point as we were in the digital advertising and social media industry over a decade ago? And if we knew now what we knew then, would we have done something different at that inflection point? And the answer I would argue is absolutely we would’ve done something very, very different. So why now would we repeat the sins of the past and not take this opportunity to recognize that, again, we are now leveraging even larger data sets, data sets that need to be governed, data sets that need to have bias eliminated from them, and governance and control needs to be put around how the data is leveraged, shared, and used?
So I would argue let’s not repeat the sins of the past. We have been here before. If we don’t start legislation now, six years from now, once we’re dealing with the unintended consequences of the AI revolution, we will attempt to put in legislation, but great damage will have already been done.

Mike Vizard: Do the folks who are crafting this legislation really understand what’s at stake? Because, most of them, as far as I know, are maybe lawyers turn politicians, but they don’t really seem to understand how the algorithms work and how the whole framework can be used for both good and ill.

Kevin Cochrane: Correct. And here is the answer to your first question, is there a middle way? And the answer is there needs to be a middle way. Now, we can also take a positive lesson from the past, and that positive lesson from the past is the open source industry. In the open source ecosystem, you have organizations like the Apache Software Foundation that happen to set up governance and enable contributors all around the world to create high quality, safe and secure software that now today is powering every single enterprise application in our entire world. Now, that wasn’t the case way back in the early 2000s. When open source was just becoming a thing, people debated whether or not open source could be trusted. It’s open source, anyone can see it, anyone can contribute to it, isn’t that dangerous, isn’t that scary? But what came to pass is a self-governing body with solid peer review and controls and good governance structure, and what happened was open source became trusted,, it became the foundation of all of our enterprise software stacks.
So to that end, let’s take that positive example of what we did correctly versus what we did incorrectly with digital advertising and social media, and let’s apply that principle here, which is let us follow that model and get a group of industry leaders, practitioners in the field to form a central governance body, a standards body that can promote community-led practices for the safe development of algorithms and good governance policies around data handling, data processing, and let that same community guidelines, through just the power of network, start enforcing it in all of their member organizations, and let’s have everyone become a member of that organization and have to adhere to those standards if they’re presumed to be safe and trusted.
So if you’re building some sort of cool new AI tech, let’s educate people to look for the badge that they’re a member of this organization and they’re following their best practices and principle. And then, in turn, let that be the proper incubator to advance new legislation. So you let the experts start the process of community review, community development, community adoption, community enforcement, and then let the best practices from those community regulations then, in turn, turn into proper legislation. And that way we can learn by doing, we can be led by the experts, but we can mutually hold ourselves accountable to making change happen.

Mike Vizard: There are a lot of malicious actors in the world who might not adhere to those standards, so how do we thwart those efforts? Will it just evolve into my AI bots can beat up your AI bots, or how is this going to play out from your perspective?

Kevin Cochrane: Well, I think that that’s where we all need to become aware of the governing body and look for the good housekeeping, so to speak, badge of approval. There will be bad actors, that is absolutely going to happen. There is no question. The trick is let’s make sure that people only adopt and leverage AI technology in their own stacks, in their own lives if it is certified, it is approved as having followed these community standards and regulations. And then, over time, as proper legislation gets drafted off of those community guidelines, then we can start enforcing proper enforcement of those regulations to go after the bad actors. But I think first as an industry we need to come together and say, “What are the policies and procedure that we think are necessary to advance innovation without unleashing Pandora’s box in terms of unintended consequences?”
Because I would actually argue that if you get this right, innovation will accelerate. It’s the same with the open source community, how has it the Apache Software Foundation became as significant as it is with as many projects as it has that have really formed the backbone of all enterprise software today, and it’s simply because innovation was truly unleashed once the community guidelines really became hardened so that it was safe for more and more people to get involved, more and more people to contribute, and the end product was always a very good end product with no bad results. It’s not like the latest software project from Apache wound up being less secure than any other project. They all have the same standards, they all have the same guidelines, you see Apache, you know can trust it. And the same thing needs to happen here. And, again, once innovation accelerates because of this community guidelines and then we get proper legislation drafted, then, again, law enforcement can start going after the bad actors.

Mike Vizard: Is it too late? Have we proverbially already let the horse out of the barn?

Kevin Cochrane: No, no, no, no, no. This is actually the perfect time to do it. So we saw with the release of ChatGPT, the explosion in interest in AI, people now realize that the time is here, the time is now. We’re seeing this massive innovation coming out of the open source community in particular, as well as massive innovation coming out of AI leaders like Nvidia that make all of this possible. And so now that we’re all on the same page, that the time is here, the time is now, reality is setting in, so now’s the proper time to actually start pulling together these industry groups and to start making this new community led best practices the model. I think if you wait a year, then I think it starts becoming too late. But we need to do this, I would argue, sometime in the next six to nine months.

Mike Vizard: Will we need AI models to govern our AI models essentially because of the speed of these things and what is that going to look like?

Kevin Cochrane: Yeah. Well, I think, again, you can go back to in software development, you have your DevOps processes, you have your whole CI/CD pipeline, continuous innovation, continuous delivery, and you have all sorts of automated tests and checks that you put in place to ensure the quality, the consistency, the security of your code. And we’ve instrumented all of this software to speed development of cloud native applications. So all of the great SaaS services and mobile apps that we use in our daily works and lives are all made possible because of continuous innovation, continuous updates made possible by good CI/CD pipelines. And we don’t ever worry about, oh my God, I’m going to update my new mobile app and is it going to work or not? You don’t worry about that stuff, because the pipeline automates all of the checks and processes for you. So two, we need to put in place all of the pipeline equivalents for new algorithms and models.
And, again, this innovation should occur in the open source realm under the rubric of some community standards organization like the Apache Software Foundation, and we should be leveraging AI technology itself to continuously provide the checks to ensure that nothing malicious is actually getting put out into the public sphere. And the only way you can do it is by instrumenting that CICD pipeline, all of your algorithms, all of your models, and actually leveraging AI itself to police itself to make sure that those things that get released in the public realm are actually good.
Now, there’s already infrastructure that you could leverage for things like this. So there’s open source project called Helm, and Helm is a container registry that can be both public and private that enables the sharing of your models across different servers, different organizations, what have you, and already in such technology there’s built in hooks to insert different checks, particularly security checks, to make sure that the quality of what you’re distributing is not going to do unintended harm. And I would actually argue that if we had more of a public registry that’s Helm based, that has a properly instrumented CI/CD pipeline to enable all of these automated checks, I think we would be in a far better and more trusting place than we would if we were not. This is something we believe very importantly at Vultr, being a security first company, zero trust policy, we believe pretty passionately about building a CI/CD pipeline tied to a container registry.

Mike Vizard: Well, let’s use your example of learning from the past, because if I look at DevSecOps workflows and the shift left, then developers don’t know a whole lot about security and they frequently misconfigure things, and it’s arguably something of a mess that’s getting better, but I would argue that data scientists know even less about security and MLOps. So how are we going to address this then?

Kevin Cochrane: I think you’re 100% right, and I actually don’t have an answer for you at all, but I will just point out a couple of things that you talked about, which is we don’t just have DevOps, which first of all needed to be invented, but recently it was reinvented DevSecOps, super smart move. But, again, let’s take a listen from the past, let’s not wait 10 years to figure out that it’s not just MLOps, it’s MLSecOps, let’s actually put security in the pipeline. And you’re right, data scientists literally know nothing about security, I would argue. So we’ve got to get the security team involved ASAP. The CISO needs to step in, and the CISO is the one that can establish the standards and the governance and the compliance policies around integrating SecOps into your MLOps and CI/CD pipeline for your models.
But I’d almost actually go a step further because a lot of people are starting to talk about MLOps, but no one is talking about the DataOps as it pertains to MLOps. And I think that that is the elephant to the room because, honestly, you can do all you want in terms of your model and put all sorts of policies and procedures in place, but, remember, it’s the data that you’re leveraging to train your models that can introduce all sorts of biases. And we need to have governance not just around data sovereignty that’s things that we typically do like right now people are worried about the data adhering to privacy [inaudible 00:16:38] resident and country, all that’s great and necessary and foundation, but we need to go a step further and actually start saying we need people to actually inspect the data and understand how that data may or may not be introducing biases in terms of our AI model.
So I’ll just give you a stupid example, which is like if you look at all our large language models, they’re all trained on US English. So just as a simple example. So I guarantee you that if you’re a citizen in Korea or you’re a citizen in Germany, or you’re a citizen in some other country with some other non-English based language that there probably is just a hell of a lot of bias already built in to all of the responses, even if you’re translating them after the fact. So we need to get really, really sophisticated at the DataOps as it pertains to the ML flow. And it’s not just looking at the current compliance regulations that stem out of all of the sins of the past from digital advertising, but forecast forwards what are the new sins that we’re going to worry about in 10 years from now that we wish we had solved?
And it’s basically what types of biases are we introducing to our data and how can we think through a data strategy that eliminates that biases upfront. It’s also the same in the medical research world, we look at clinical trials, well, clinical trials are great if you’re someone that fits my profile and is a white American male, that’s great, but if you’re not a white American male, maybe some of the clinical trials don’t maybe necessarily have the great predictive outcomes for you. Again, we need to look at a little bit of the data first because we are in the future going to worry very, very much about bias in systems. And we’ve seen bias in systems with all of our advertising and look at what effect that that’s had on our society in terms of exacerbating differences between people, but what happens when you magnify that 100 times with AI?

Mike Vizard: Well, folks, you heard it here. It’s not clear to me that ML data DevSecOps rolls off the tongue, but you get the basic idea and you understand what needs to be done. Hey, Kevin, thanks for being on the show.

Kevin Cochrane: Great. Thank you so much, Mike.

Mike Vizard: All right. And thank you for all watching the latest episode of video series. You can find this and other episodes on our website. We invite you to check them all out. Until then, we’ll see you next time.