Artificial Intelligence (AI) has profoundly shaped commercial and private life. Corporations have been experiencing its impact across areas such as product design, risk management, human resources, and geopolitical strategy. Several jurisdictions, for instance US states and the EU, have started to regulate certain use-cases of AI. Unsurprisingly, this has spawned various types of intermediaries that propose to support corporations in their compliance efforts and “guard the gate” to integrating AI, as it were.
This working paper examines the emerging role of an institution it addresses as ‘AI-gatekeepers’: entities that support corporations in validating compliance with artificial intelligence regulation. Drawing on classical gatekeeper theory for financial markets, the paper highlights similar signaling and monitoring functions. Still, it claims that core differences between classical and AI-gatekeepers exclude using (modified) strict liability as a third-party enforcement strategy. Instead, the paper suggests a transparency and governance regime.
The paper analyzes three distinct groups of AI-gatekeepers: incumbents, new entrants, and designated AI-gatekeepers. The first group are established gatekeepers, primarily auditors and law firms. They bring accumulated reputational capital and regulatory expertise from traditional financial services. The second group comprises specialist new entrants that focus specifically on AI compliance. These offer domain-specific expertise but lack what classical theory calls the ‘reputational bonds’ of incumbent gatekeepers. The third group are institutions that have a specific role conferred by an AI-law. They can be public institutions or private entities with some form of public accreditation, for instance notified bodies under the EU AI Act.
The paper first draws a distinction between ‘old law’ and designated AI-law. Old law concerns commercial activities that have been regulated all along. If a corporation integrates AI into its activities, for instance to support credit underwriting or hiring, the new process must comply with old laws, for instance those on discriminatory practices. Designated AI-laws, by contrast, focus on the development or use of AI as such. Surveying designated AI-laws in US states and in the EU, the paper finds that designated AI laws follow or combine sectoral (for instance, health insurance), situational (for instance, the use of AI to deny care), and categorical (for instance, categories of risk) approaches. Examples include the EU AI Act, the New York City Local Law 144—which requires independent bias audits for hiring algorithms—and Colorado’s impact assessment for high-risk AI systems.
Next, the paper explores AI-gatekeepers in more detail. It describes designated AI-gatekeepers, the third group mentioned above. AI-audits under US state law and the EU AI Act’s notified bodies provide illustrations. Additionally, it finds that most designated AI laws have an optional AI-gatekeeper regime. While mandatory audits are a rare exception, the paper suggests that market expectations are likely to tend towards involving some form of AI-gatekeepers.
Against this background, the paper makes three claims. It rejects strict AI-gatekeeper liability. Instead, it proposes audit transparency and governance rules.
For now, transplanting strict gatekeeper liability from financial markets to AI regulation does not provide a good fit. Several factors distinguish AI-gatekeepers from their financial-market predecessors: core technical concepts such as ‘fairness’ and ‘explainability’ lack settled definitions even within the AI research community. This creates conceptual fluidity that contrasts sharply with established accounting principles. AI laws are preliminary and dynamic; they include vague rules and delegate authority to standard-setting bodies. Various value-laden judgments resist bright-line formulation. Then, there is no institutional analogue to independent auditors, the classical financial-markets gatekeeper. Some AI-gatekeepers provide consultancy services (where independence expectations are minimal) while others conduct product-safety assessments (where independence is expected but the focus of their service is narrow). Additionally, market-entry gatekeepers lack reputational capital to pledge. This removes a core disciplining mechanism of classical gatekeeper liability as a third-party enforcement tool. Instead, it creates rational incentives for captured auditing that delivers overly positive certifications. Moreover, the expectation gap between what the public assumes AI-compliance certification covers and the narrow, issue-specific mandates gatekeepers discharge creates a heightened risk that gatekeepers would become defendants in litigation they cannot reasonably defend against. In this environment, gatekeepers would rationally respond through overinclusive and inefficient monitoring rather than optimal care.
Instead of strict liability, the paper suggests different lessons from classical gatekeeper theory in financial markets, governed largely by established rules and standards. First, a dual-layer transparency regime is proposed to require AI-gatekeepers to disclose aggregate testing methodologies and standards at the collective level while providing compact certifications or scores at the individual level. This protects proprietary AI-gatekeeper methodologies and client confidentiality while informing policymakers, competitors, and the public about evolving standards. By making transparent the ‘rules of the game’, this approach enables producers and users of AI systems to anticipate and adapt to changing compliance expectations, already during product design.
Second, governance requirements should operate at two sites. At the gatekeeper level, accreditation and independence requirements modeled on the EU’s notified-body regime should ensure competence and prevent conflicts of interest. At the interface between gatekeeper and client, institutional structures analogous to audit committees should facilitate effective monitoring. These interface structures must bridge the cultural divide between AI developers—accustomed to the language of coding—and lawyers and board members who navigate vague regulatory terms.
The author’s paper is available here.
Katja Langenbucher is Professor of Banking and Financial Markets Regulation at the Institute for Monetary and Financial Stability and Goethe University.