On January 8, 2024, New York Governor Kathy Hochul and the New York Office of Information Technology Services (NY ITS) announced two major initiatives on artificial intelligence (AI) that will impact private and public organizations in New York and beyond.
First, Governor Hochul announced the creation of a new “Empire AI” consortium as part of her 2024 State of the State proposal. The consortium consolidates computing resources and funding often needed to support AI research and aims to create a technology hub in upstate New York that will “harness the power of artificial intelligence and ensure this technology is being used for the public interest.” The consortium initially will consist of seven institutions—Columbia University, Cornell University, New York University (NYU), Rensselaer Polytechnic Institute, the State University of New York system (SUNY), the City University of New York (CUNY) and the Simons Foundation—and will receive $400 million from the state, the Simons Foundation and Tom Secunda, a co-founder of Bloomberg LP.
Second, at the governor’s direction, NY ITS issued a new state IT policy on the “Acceptable Use of Artificial Intelligence Technologies,” NYS-P24-001. Under this policy, any state use of AI must include:
- Human oversight
- Fairness and equity, and explainability
- Transparency
- AI risk assessment and management
- Privacy controls
- Security
- Protection of intellectual property
Important Takeaways
In the long term, the governor’s consortium seeks to draw opportunities into New York by attracting more innovation and high-paying AI jobs to the state. More importantly, in the short run, the NY ITS policy will force many organizations to quickly build a full AI compliance program rather than adopt a “wait-and-see” attitude. Here’s why:
- Wide Application – The NY ITS policy not only covers any “state entity” or agency but also any local governments, contractors or third parties that may access or manage an AI system on behalf of a state entity. An AI system is defined as all technology systems that deploy AI technology. Other public bodies or boards are also “strongly encouraged” to adopt the NY ITS policy. Therefore, a wide variety of organizations will likely feel the impact of the AI policy, especially in health care, where many health care providers and health plans access AI systems on behalf of a state entity. It is also possible that the state may require health care providers and health plans to comply with the NY ITS policy with regard to their own AI systems if they use these systems to perform a function on behalf of or for the Department of Health.
- Rapid AI Inventory Review – The NY AI policy requires all covered entities to conduct an inventory of all their AI systems within 180 days and maintain a running inventory thereafter. NY ITS will provide more specific guidance around reporting obligations.
- Required AI Risk Assessments – The NY ITS policy also requires a risk assessment of any new or existing AI system. Assessments must follow the National Institute of Standards and Technology (NIST) AI 100-1 Artificial Intelligence Risk Management Framework (RMF) and Roadmap, as well as NY ITS information classification and security risk procedures.
- Immediate Effect – The NY ITS policy on AI took effect immediately upon its publication on January 8, 2024.
Recommendations
Based on these announcements, we recommend that potentially affected organizations immediately take steps to form a Data Governance Committee, especially in health care, where additional privacy and cybersecurity requirements are percolating and there is increasing scrutiny regarding the potential of AI to be biased or discriminatory in health care decision making. This will allow the organization to bring together a variety of internal and outside experts (e.g., from IT, HR, Legal, Marketing, Compliance, Operations) and take a holistic approach to their data use. We also recommend that affected organizations start building their AI inventory and risk assessment procedures, as required by the NY ITS policy. Finally, we recommend that clients score some quick “wins” by reviewing examples of “acceptable” and “unacceptable” uses of AI published by the NY ITS office and adopting the same. Among these:
- Prohibit the use of personal or confidential information in public AI tools;
- Require any AI “chatbots” to include a pop-up disclosure, stating that the responses are generated by a machine, not a human; and
- Make sure that all AI results are reviewed and vetted by a human.