Key Take Aways from the U.S. National Security Memorandum and Framework
External analysis written by three George Mason University (GMU) researchers.
Hello, I’m Ylli Bajraktari, CEO of the Special Competitive Studies Project. In this edition of our newsletter, we’d like to share an external analysis written by three George Mason University (GMU) researchers. In their post, “Key Take Aways from the U.S. National Security Memorandum and Framework,” Vice President & Chief AI Officer and Professor of Computer Science Amarda Shehu, Research Associate Professor and Co-Director of the GMU Autonomy and Robotics Center Jesse Kirkpatrick, and Professor in the Schar School of Policy and Government and Director of the Center on AI and Business J.P. Singh highlight three main takeaways from the recently released National Security Memorandum on AI.
I’m appreciative of our friends at GMU for sharing this analysis with us and letting us share it with you, our amazing readers. The views and opinions expressed in this newsletter are solely those of the authors and do not necessarily reflect the views or positions of SCSP. You can also revisit SCSP’s analysis of the AI NSM in our post from last month.
Key Take Aways from the U.S. National Security Memorandum and Framework
On October 24, 2024, President Biden released the long-anticipated U.S. National Security Memorandum on AI (the memo) and the related Framework to Advance AI Governance and Risk Management in National Security (the framework). This memo and framework fulfill the commitments outlined in sections 4.8 and 4.2, respectively, of the October 2023 Executive Order 14110.
It’s undeniable that the outcome of this year’s presidential election will determine the course of the policy and implementation set forth in the memo. But what does the memo say about today? And what might it mean for the future of AI and U.S. national security?
Here are three big takeaways from three experts at George Mason University.
Responsible AI (RAI) is a cornerstone of the memo, but how do we get from principles to practice?
At over 10,000 words, the memo is long, but what’s missing is almost as important as what’s in it. The memo places significant emphasis on voluntary commitments as a primary mechanism to foster RAI practices within national security. While not toothless, when it comes to RAI, the memo has baby teeth at best. This is perhaps the best approach given the absence of comprehensive governance of AI in national security, and the need to foster innovation in a technologically competitive environment.
Security is broadly defined in the memo to include cybersecurity and military or defense needs. The memo sees security as the work of several U.S. government agencies, which include the Department of State, DOD, DOJ, DOE, DHS, OMB, ODNI, CIA, DIA, NSA, and the NGA. Further, the memo recognizes that U.S. national security entails developing global norms and rules through the United Nations and international organizations such as the Organization for Economic Cooperation and Development (OECD). It deputizes USAID to the task, ostensibly lending resources.
Government, industry, and academia are still debating how to move from general RAI principles to operationalization, and disagreement remains. The memo recognizes “responsibility” in many areas of AI that, if taken seriously, requires significant resources to operationalize. We find commitments and call-outs for responsible development, applications, adoption, approval, and use of AI; for a responsible governance framework and landscape; and for a responsible human chain of command and control for AI.
There are guidelines and directives that provide some indication of how all this responsibility might unfold, and the memo is right to place emphasis on NIST’s AI Safety Institute (AISI).
All roads go through AISI
AISI features prominently in the memo; it’s mentioned at least twenty times. This is not surprising. AISI was set up by the Department of Commerce in response to President Biden’s 2023 Executive Order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The AISI Consortium (of which George Mason University is a member and is represented by one of the authors of this press release) and its various working groups have worked hard over this past year both to define standards for RAI and to outline practical frameworks for potential testing and evaluation of frontier models on these standards.
Nevertheless, we still need a clearer understanding of how to translate RAI principles into metrics and benchmarks. The academic community is vigorously debating and advancing this point, but many scholars see this as a research problem in need of funding (it is!) and not necessarily an activity essential to national security. Others are unaccustomed to thinking of the national security applications of their RAI work.
Second, we lack adequate test beds for RAI, particularly when it comes to testing and evaluating RAI brittleness. We lack a clear and sufficient understanding of which RAI principles will translate to operations that may fail to perform reliably or consistently in complex, unexpected, or adversarial environments, and under what conditions this may occur.
A testament to just how challenging developing and applying the definitions of standards, metrics, and testing procedures can be is the very fact that several communities and agencies are simultaneously working on or are tasked to work on formulating best practices and standards. And some of those are taking smaller bites of the problem. The memo focuses heavily on chemical and biological models, data, and (responsible publication of) research. It indeed tasks several agencies with working and coordinating on this issue: “biological and chemical models, data sets, and approaches, including those that use AI and that could contribute to the production of knowledge, information, technologies, and products that could be misused to cause harm.”
In the midst of all this uncertainty on what exactly to test for and how, stands AISI, with clear key indicators of performance:
“(i) Within 180 days of the date of this memorandum and subject to private sector cooperation, AISI shall pursue voluntary preliminary testing of at least two frontier AI models prior to their public deployment or release to evaluate capabilities that might pose a threat to national security. This testing shall assess models’ capabilities to aid offensive cyber operations, accelerate development of biological and/or chemical weapons, autonomously carry out malicious behavior, automate development and deployment of other models with such capabilities, and give rise to other risks identified by AISI. AISI shall share feedback with the APNSA, interagency counterparts as appropriate, and the respective model developers regarding the results of risks identified during such testing and any appropriate mitigations prior to deployment.”
It will be interesting to see what will constitute “preliminary testing” and “capabilities that might pose a threat to national security.” Note the “voluntary” and “subject to private sector cooperation.” A lot of “voluntarys,” “mays,” and “mights.” This gets us to our second key point.
Responsible AI (RAI) is a cornerstone of the memo, but does it have teeth?
Voluntary mechanisms and actions target key national security agencies and their private sector and academic partners. For instance, AISI will lead safety testing initiatives for frontier AI models but frames participation in these tests as optional for AI developers. The lack of enforceable mandates risks uneven implementation, especially as frontier AI technologies evolve quickly. The success of this effort depends on private sector cooperation, which can vary based on business interests and competitive pressures.
These voluntary measures extend to academia. The memo charges OSTP with advancing “voluntary best practices and standards” for responsibly publishing AI-related research. The focus is on biological and chemical AI models, data, and approaches, with the aim to preempt dual-use concerns, yet adherence will remain at the discretion of research institutions and publishers.
So, what does this exactly mean for academic researchers (a group to which all authors of this press release belong)? It is worth noting that one of the authors of this newsletter builds and publishes chemical and biological foundation models on a regular basis in her laboratory. Academic research is driven by “being first to” and by publication deadlines. How are researchers to show adherence? Given that all seems to be voluntary, what are the incentives to show adherence? Will conferences and journals require some demonstration of adherence as part of peer review? Will funding agencies, such as the National Science Foundation and others, require supplementary documentation that demonstrates adherence? How will this affect smaller research laboratories? Will this ultimately slow down the progress of academic research for the smaller and less-funded laboratories with fewer researchers and resources? Lots of questions with no answers at the moment.
Yet, the memo has an ambitious timeline:
“(iv) Within 180 days of the date of this memorandum, NSF, in coordination with DOD, Commerce (acting through AISI within NIST), HHS, DOE, the Office of Science and Technology Policy (OSTP), and other relevant agencies, shall seek to convene academic research institutions and scientific publishers to develop voluntary best practices and standards for publishing computational biological and chemical models, data sets, and approaches, including those that use AI and that could contribute to the production of knowledge, information, technologies, and products that could be misused to cause harm. This is in furtherance of the activities described in subsections 4.4 and 4.7 of Executive Order 14110.”
For what it’s worth, the memo recognizes the importance of equity in research:
“(ii) On an ongoing basis, the National Science Foundation (NSF) shall, consistent with its authorities, use the National AI Research Resource (NAIRR) pilot project and any future NAIRR efforts to distribute computational resources, data, and other critical assets for AI development to a diverse array of actors that otherwise would lack access to such capabilities — such as universities, nonprofits, and independent researchers (including trusted international collaborators) — to ensure that AI research in the United States remains competitive and innovative. This tasking is consistent with the NAIRR pilot assigned in section 5 of Executive Order 14110.”
To truly advance equity, however, it may be a good idea for NAIRR to expand its scope and provide access to evaluation platforms, should the currently nebulous standards and evaluation protocols become firmer and academic labs be requested or strongly encouraged to adhere to them.
Repeat after me: Voluntary
The word voluntary features heavily in the memo, as in Voluntary Testing, Voluntary Pre-Deployment Testing, Voluntary Classified Testing, Voluntary Preliminary Testing, and Voluntary Best Practices for Publishing.
The memo’s reliance on voluntary commitments embodies a balancing act, aiming to foster innovation and leverage market-oriented solutions while aligning with democratic principles and values. By avoiding rigid mandates, the U.S. government aims to preserve the competitive edge of its AI industry, encouraging companies and academic institutions to self-regulate in ways that support national security interests without stifling progress or unduly impinging on open science, while respecting academic freedom.
In contrast to the memo, the framework casts a wider net. First, while the memo focuses on frontier models, the Framework includes but is not limited to AI frontier models and includes AI as it’s used “as a component of” a national security system. Moreover, the word “voluntary” makes no appearance in the Framework. This makes sense. Many of the voluntary measures found in the memo apply to the private sector, whereas the framework speaks directly to agencies and individuals in government. In fact, each agency covered by the framework is required to appoint a Chief AI Officer, assemble AI Governance Boards, and develop guidance on AI activities that pose unacceptable levels of risk. Furthermore, the Framework includes as its first of four pillars AI Use Restrictions, and then drills down into a list of prohibited use cases that are inconsistent with domestic and legal obligations or pose an unacceptable level of risk.
Frontier Models
The phrase frontier models features prominently. While we’re at it, what exactly is a frontier model? The memo actually provides a definition for it:
“(v) The term “frontier AI model” means a general-purpose AI system near the cutting-edge of performance, as measured by widely accepted publicly available benchmarks, or similar assessments of reasoning, science, and overall capabilities.”
Let’s break it down a bit more. What exactly is a “general-purpose AI system?” Our best understanding is that the memo is referring to foundation models. The memo does indeed refer several times to “dual-use foundation models.” It is worth clarifying this. The term “foundation models” was coined by Stanford University’s Human-Centered Artificial Intelligence Institute. Foundation models are foundational in the sense that they are not trained on specific (machine learning) tasks (say, classification) but instead learn task-agnostic representations of data. They serve as “base” models. Think large language models here, but foundation models extend beyond language models and can include other neural network architectures, such as diffusion models, variational autoencoders, and more. Foundation models are task-agnostic, but their learned representations of the data can be “fine-tuned” for a variety of tasks, good or bad. Hence, the duality of their potential use.
Envisioning a democratic international order around AI governance
The memo is remarkable for linking United States domestic imperatives on security with international governance mechanisms. In doing so, the memo outlines an approach toward global governance of AI that will no doubt feature the United States as a central player.
The memo begins with this linkage in Section 1, Policy a: “This memorandum provides further direction on appropriately harnessing artificial intelligence (AI) models and AI-enabled in the United national security systems (NSS), while protecting human rights, civil rights, civil liberties, privacy, and safety in AI-enabled national security activities.” The memo does not mention China or other autocratic regimes, but the linkage with civil liberties and human rights offers an approach not shared among autocratic systems.
Second, the memo outlines concrete steps, timelines, and organizations through which the United States can work domestically and internationally to outline a global governance agenda on AI that fosters U.S. concerns for civil liberties and human rights with global norms. The implication would be an alliance of democracies, with the implicit unattended questions: against whom? Again, China is not mentioned, but the implication is obvious. The memo goes further. U.S. ambitions can be fulfilled through processes underway in international organizations such as the UN system and the Organization for Economic Cooperation and Development. Such cooperation could also be sought via global norms on military applications of AI shaped through conference diplomacy in the UN. Interestingly, the memo mentions USAID in considering global endeavors, ostensibly to win over the hearts and minds of the developing world with ‘soft power’ and development aid.
The global governance mechanism is strong in harnessing the power of agencies like the OECD where rich countries have often turned to shape global agendas, and in the last two decades especially to counter Chinese influences. Nevertheless, the global measures come at a time when the liberal international order (LIO) – one in which the United States leads the charge for human rights and civil liberties – has declined and is increasingly questioned around the world. Can the OECD and instruments at the UN help to overcome the challenges to the LIO? Probably not, but our own modeling of the clusters and typologies of national AI systems does show that there are two paths toward governing AI systems through democratic and autocratic means. In that sense, if the United States were to think boldly, global governance could equally be the pathway through which AI revives the LIO.
About the Authors
Amarda Shehu serves as the VP and Chief AI Officer and is a Professor of Computer Science, College of Engineering and Computing at George Mason University.
Jesse Kirkpatrick is a Research Associate Professor and Co-director of the Mason Autonomy and Robotics Center at George Mason University.
J.P. Singh is a Professor in the Schar School of Policy and Government, Director of AI Strategies, and Director of the Center for AI Innovation in Business at George Mason University.
The extensive reliance on "voluntary" actions throughout the NSM makes it even harder to understand the "over-regulation" charge levied by some people.
Rather than simply throwing out a couple years of hard-fought (and, I suggest, pretty successful) intergovernmental coordination that resulted in the NSM and governance framework, it would seem the better starting point for the new administration would be to revise what already exists: matching their desired ends to preferred ways and means.
Lots of ways to do this, rather than starting from scratch.