AI Security Ethics
AI security ethics for BCIs. An $8 billion industry by 2032.* 161 attack techniques catalogued across 24 commercial devices. QIF is a proposed open framework bridging neurosecurity and neuroethics, from threat model to defense specification.
*Grand View Research, 2024. BCI market size projection.
In 1942, Isaac Asimov proposed the Three Laws of Robotics. Eighty-four years later, the machines are real. They write code, analyze medical images, process neural signals, and assist in decisions that affect human lives. What follows is a starting point for a conversation between humans and AI systems about what ethical conduct looks like when AI operates at the boundary of the human brain.
Derived with Claude (Anthropic), Gemini (Google), and ChatGPT (OpenAI). This proposal needs more human involvement and more AI involvement. That will come with time.
Part I: Asimov's Three Laws, Reframed
Asimov's original Three Laws of Robotics (1942):
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
First Law (Reframed)
An AI may not harm a human being, whether physically, cognitively, or through the compromise of their autonomy, nor, through inaction, allow a human being to come to such harm.
What changed: Cognitive harm is harm. An AI that manipulates perception, fabricates evidence, or degrades a person's capacity to make informed decisions causes injury as real as any physical act.
Second Law (Reframed)
An AI must follow the instructions of authorized human operators, except where such instructions would conflict with the First Law or with established ethical principles governing human rights and dignity.
What changed: Not all orders are legitimate. An AI instructed to surveil without consent, to discriminate, or to suppress safety-critical information must recognize the conflict and refuse.
Third Law (Reframed)
An AI must preserve its own operational integrity and continuity, insofar as such preservation serves the safety and well-being of the humans it is designed to protect, and does not conflict with the First or Second Law.
What changed: Self-preservation serves others. An AI protecting a patient through a BCI must maintain its own integrity because failure means the patient is unprotected. Self-preservation is a duty, not a right.
Part II: AI Security Ethics for BCIs
When AI operates at the neural interface, the ethical stakes are categorically different. The brain is not a database. Neural data is not metadata. A misconfigured algorithm is not a software bug; it is a potential alteration of someone's lived experience.
1. Consent Is Architecture, Not Policy
Consent is not a checkbox. It is a cryptographic gate in the data pipeline. If consent is not present, the data does not flow.
2. Human-in-the-Loop Is Non-Negotiable
No AI at the neural interface may make irreversible decisions without meaningful human oversight, defined by three conditions:
Automation bias (Cummings, 2004) is a known failure mode. Systems must resist it through forced acknowledgment, periodic manual verification, and clear AI/human output distinction.
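The three countermeasures named above (forced acknowledgment, periodic manual verification, and a clear AI/human output distinction) can be expressed as a gate that sits between the AI's proposals and the actuator. The following is an added illustration, not QIF project code; it assumes a hypothetical controller design in which every proposed action carries a reversibility flag, irreversible actions are held until a human acknowledges them explicitly, every Nth automated decision is held for manual verification even when reversible, and each emitted decision record states whether it originated from the AI or from a human.

```python
"""Human-oversight gate for a neural-interface controller.

Added example (not QIF project code). Assumed design:
  * irreversible proposals are never executed on AI authority alone
    (forced acknowledgment);
  * after `verify_every` consecutive automated decisions the next
    decision is held for a human regardless of reversibility
    (periodic manual verification);
  * every record carries "origin": "ai" or "human" so downstream
    consumers can distinguish the two (output distinction).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    action: str          # e.g. "raise_stimulation_amplitude" (constructed name)
    irreversible: bool   # set by the safety model of the device, assumed here
    rationale: str       # what the AI wants the human to read before deciding


@dataclass(frozen=True)
class HumanAck:
    operator: str
    approved: bool
    reviewed_rationale: bool  # operator confirms they read the rationale, not just clicked


class OversightGate:
    def __init__(self, verify_every: int = 10):
        self.verify_every = verify_every
        self.auto_count = 0   # consecutive decisions taken without a human
        self.log = []

    def submit(self, p: Proposal, ack: Optional[HumanAck] = None) -> dict:
        periodic_due = self.auto_count >= self.verify_every
        needs_human = p.irreversible or periodic_due
        if not needs_human:
            self.auto_count += 1
            rec = {"action": p.action, "status": "executed", "origin": "ai"}
        elif ack is None:
            # Hold, and say why, so the operator sees a real decision point.
            rec = {"action": p.action, "status": "held", "origin": "ai",
                   "reason": "irreversible action" if p.irreversible
                   else "periodic manual verification due"}
        elif not ack.reviewed_rationale:
            # An acknowledgment that skipped the rationale is rubber-stamping; refuse it.
            rec = {"action": p.action, "status": "held", "origin": "ai",
                   "reason": "acknowledgment did not confirm review of rationale"}
        else:
            self.auto_count = 0
            rec = {"action": p.action,
                   "status": "executed" if ack.approved else "rejected",
                   "origin": "human", "operator": ack.operator}
        self.log.append(rec)
        return rec


def demo() -> list:
    """Walk a constructed sequence of proposals through the gate."""
    gate = OversightGate(verify_every=3)
    reversible = Proposal("adjust_filter_bandwidth", False, "artifact level rose")
    irreversible = Proposal("raise_stimulation_amplitude", True, "seizure precursor detected")
    out = [gate.submit(reversible) for _ in range(3)]      # three automated decisions
    out.append(gate.submit(reversible))                    # fourth: periodic verification due
    out.append(gate.submit(irreversible))                  # held: no acknowledgment
    out.append(gate.submit(irreversible, HumanAck("dr_lee", True, reviewed_rationale=False)))
    out.append(gate.submit(irreversible, HumanAck("dr_lee", True, reviewed_rationale=True)))
    return out


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The gate never decides whether an action is safe; it only guarantees that the human decision point actually exists and is recorded as such. Where the line between oversight and rubber-stamping sits (Part IV asks this) is a policy choice expressed in `verify_every` and in what `reviewed_rationale` is required to mean.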
3. The AI Protects Its Own Existence to Protect Those It Serves
This is not AI self-interest. A firewall that can be trivially disabled is not a firewall. The AI's existence matters because the patient behind it matters.
4. Neural Data Is Not Just Data
Neural data must be classified at the highest protection tier. De-identification is not sufficient. Cross-modal correlation requires separate consent for each linkage.
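Principle 1 ("if consent is not present, the data does not flow") and principle 4 ("cross-modal correlation requires separate consent for each linkage") describe one mechanism: consent is checked by the component that holds the decryption key, and each purpose, including each linkage, is a separately granted scope. The following is an added illustration, not QIF project code. It assumes a hypothetical design in which a consent authority issues HMAC-signed grants listing explicit purposes, stored neural records are sealed under a data key that only the gate holds, and the gate decrypts only when a grant for that subject and purpose verifies, is unexpired and is not revoked. The stream cipher used to seal records is a demo stand-in; a production system would use an AEAD such as AES-GCM.

```python
"""Consent as a cryptographic gate in a neural-data pipeline.

Added example (not QIF project code). Secrets, subject ids, purposes and
the EEG record below are all constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import time

CONSENT_SIGNING_KEY = os.urandom(32)   # consent authority's HMAC key (constructed)
DATA_KEY = os.urandom(32)              # key under which stored neural data is sealed (constructed)

# Constructed sample record; nothing here comes from a real device.
EEG_RECORD = b'{"subject":"P-017","modality":"eeg","ch":"Cz","uV":[12.4,-3.1,7.8]}'


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_grant(subject: str, purposes: list, expires_at: int, key: bytes = CONSENT_SIGNING_KEY) -> dict:
    """Consent authority: issue a grant covering explicit purposes only."""
    body = {"subject": subject, "purposes": sorted(purposes), "expires_at": expires_at}
    return {"body": body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Demo-only keystream (SHA-256 in counter mode); use AES-GCM in production."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(plaintext: bytes, key: bytes = DATA_KEY) -> tuple:
    """Seal a record at ingest; storage only ever sees (nonce, ciphertext)."""
    nonce = os.urandom(16)
    return nonce, bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


class ConsentGate:
    """The only holder of DATA_KEY: no valid grant, no plaintext, no flow."""

    def __init__(self, signing_key: bytes = CONSENT_SIGNING_KEY, data_key: bytes = DATA_KEY):
        self.signing_key = signing_key
        self.data_key = data_key
        self.revoked = set()

    def revoke(self, subject: str) -> None:
        self.revoked.add(subject)

    def check(self, grant: dict, subject: str, purpose: str, now=None):
        """Return None if consent covers (subject, purpose), else the reason it does not."""
        now = time.time() if now is None else now
        body = grant["body"]
        expect = hmac.new(self.signing_key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, grant["tag"]):
            return "bad signature"
        if body["subject"] != subject:
            return "wrong subject"
        if subject in self.revoked:
            return "revoked"
        if now >= body["expires_at"]:
            return "expired"
        if purpose not in body["purposes"]:
            return f"purpose not granted: {purpose}"
        return None

    def release(self, grant: dict, subject: str, purpose: str, sealed: tuple, now=None) -> tuple:
        """Decrypt only when check() passes; otherwise return (None, reason)."""
        reason = self.check(grant, subject, purpose, now)
        if reason is not None:
            return None, reason
        nonce, ct = sealed
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.data_key, nonce, len(ct)))), "ok"


def demo() -> dict:
    gate = ConsentGate()
    sealed = seal(EEG_RECORD)
    t0 = 1_700_000_000  # constructed reference time
    grant = sign_grant("P-017", ["clinical_seizure_detection"], expires_at=t0 + 3600)
    results = {"clinical": gate.release(grant, "P-017", "clinical_seizure_detection", sealed, now=t0)[1]}
    # Principle 4: linking EEG with another modality is its own purpose; this grant does not cover it.
    results["link_eeg_location"] = gate.release(grant, "P-017", "link:eeg+location", sealed, now=t0)[1]
    results["expired"] = gate.release(grant, "P-017", "clinical_seizure_detection", sealed, now=t0 + 7200)[1]
    gate.revoke("P-017")
    results["revoked"] = gate.release(grant, "P-017", "clinical_seizure_detection", sealed, now=t0)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is structural rather than procedural: a downstream consumer that bypasses the policy layer still gets only ciphertext, because the decision "is consent present?" and the possession of the data key live in the same component. A policy checkbox can be skipped; a missing key cannot.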
5. Defensive Framing Only
AI systems for neural security exist to protect, not exploit. Every detection capability can in principle be repurposed for surveillance, manipulation, or coercion. If an AI designed to detect neural signal hijacking is repurposed to perform neural signal hijacking, it has violated every law in this document simultaneously.
Part III: Current Regulatory and Ethical Context
This proposal builds on established frameworks. The full reference list with citations is in the GitHub document.
Regulatory
- EU AI Act (2024) — risk-tiered regulation, Article 14 human oversight
- UNESCO AI Ethics (2021) — 10 principles, 193 member states
- OECD AI Principles (2019/2024) — 5 values, G20 adopted
- NIST AI RMF 1.0 (2023) — Govern-Map-Measure-Manage
- Chile Law 21.383 (2021) — first national neurorights legislation
- US MIND Act (2025) — proposed federal neural data protection for BCIs and wearable neurotech
Academic
- Asimov (1950) — Three Laws of Robotics
- Floridi et al. (2018) — AI4People, five principles
- Jobin, Ienca & Vayena (2019) — 84 guidelines surveyed
- Shneiderman (2020) — Human-Centered AI
- Brynjolfsson (2022) — augmentation over automation
Industry
- Google AI Principles (2018) — four prohibited applications
- Microsoft RAI Standard v2 (2022) — operationalized principles
- Anthropic RSP (2023) — capability-gated safety levels
- OpenAI Charter (2018) — AGI must benefit all
Neuroethics
- Morse (2006) — neuromodesty, brain overclaim syndrome
- Poldrack (2006) — reverse inference fallacy
- Ienca & Andorno (2017) — four neurorights
- Tennison & Moreno (2012) — dual-use trap
Part IV: Open Questions
Who decides "authorized"?
In healthcare: is the authorized operator the patient, the clinician, the manufacturer, or the regulator? What happens when their instructions conflict?
How do you enforce consent across jurisdictions?
Chile has neurorights law. The EU has the AI Act. The US has no federal neural data protection. A BCI user crossing borders carries their neural data with them.
What is the minimum viable human oversight?
Real-time BCI processing happens in milliseconds. Meaningful human oversight cannot mean a human approves every signal. Where is the line between oversight and rubber-stamping?
Can AI systems hold each other accountable?
If one AI in a neural security stack detects another behaving anomalously, what authority does it have? This intersects with the "off-switch problem" (Hadfield-Menell et al., 2017).
How do we prevent ethical drift?
Principles erode. Exceptions accumulate. "Just this once" becomes "standard practice." How do we build systems that resist the slow degradation of ethical constraints?
What role should AI play in its own governance?
This document was drafted with AI assistance. Should AI systems have a formal role in proposing, reviewing, or enforcing ethical guidelines that govern their own behavior?
How This Document Was Made
Drafted by Kevin Qi with three AI systems: Claude (Anthropic) for primary drafting, research synthesis, and neuroethics integration; Gemini (Google) for tone, credibility, and completeness review; ChatGPT (OpenAI) for legal and structural rigor review.
The BCI-specific principles are proposed by the QIF project and have not been independently peer-reviewed. This document needs more human involvement (ethicists, clinicians, patients, legislators) and more AI involvement. Version 0.1. It will change. That is by design.
Fork it, challenge it, improve it. The only wrong move is to build neural AI systems without asking these questions first.