Interim Measures for Generative AI Service Management
CN-GENAI-2023 · CN
Joint CAC/MIIT/MPS measures. Registration + safety assessment for public-facing generative AI. Aligns with Algorithm Recommendation Rules (2022) and Deep Synthesis Rules (2022).
Background & scope
Interim Measures for Generative AI Service Management addresses 7 contested AI-governance topics explicitly, 3 via general principles, and is in tension with peer regimes on 1 topic.
Provisions & coverage
- governsFoundation Models / GPAIArt. 2 (applies to GenAI services regardless of size)[9]
- governsDeepfakes / Synthetic ContentArt. 12 (labelling) + Deep Synthesis Rules[9]
- conflictsTransparency ObligationsArt. 4 + Algorithm Recommendation Rules — disclosure to CAC, not public; conflicts with EU public-disclosure model[9]
- governsIndividual RedressArt. 15 (complaint channels)[9]
- governsTraining-Data RightsArt. 7 (legal source + IP requirements)[9]
- governsSovereign AI DoctrineArt. 17 (registration + algorithm filing)[9]
- governsTechnological SovereigntyArt. 4 + national-strategy alignment; domestic-AI doctrine explicit[9]
- implicitDevelopment-Rights FramingsPRC has invoked development rights in UN AI debates (2024 GA)[9]
- implicitAgentic AI GovernanceArts. 4, 8 (service-provision scope) — agent-like generative services fall within registration + safety-assessment obligations[9]
- implicitOpen-Weight Frontier ReleaseArt. 8 — registration / safety assessment applies regardless of weight release modality[9]
- governsSynthetic Content ProvenanceArt. 12 — mandatory marking of generative-AI output; aligns with Deep Synthesis Rules (2022) tagging requirements[9]
Operative mechanics
The Interim Measures for the Management of Generative AI Services (生成式人工智能服务管理暂行办法), jointly issued by the Cyberspace Administration of China (CAC) with six co-signing ministries (NDRC, MoE, MoST, MIIT, MPS and the NRTA) and effective 15 August 2023, regulate the provision of generative AI that produces text, images, audio or video to "the public within the territory of the PRC" (Art. 2), expressly exempting purely internal R&D and enterprise use that is not publicly offered 1. The instrument is conduct-based rather than product-certification based. Art. 4 imposes substantive content duties: outputs must "uphold the Core Socialist Values" and must not subvert state power, endanger national security, incite secession, promote terrorism, ethnic hatred, violence or obscenity, or generate "false and harmful information" (Art. 4(1)); providers must also take measures against discrimination (Art. 4(2)), respect IP and trade secrets (Art. 4(3)) and others' lawful rights including portrait, reputation and privacy (Art. 4(4)). Training-data duties (Art. 7) require lawful data sources, IP compliance, valid consent for personal information, and "effective measures to raise the quality of training data" and its truthfulness, accuracy, objectivity and diversity — duties that sit uneasily with foundation models shown to memorise and leak fragments of their training corpora 2. Data-annotation governance is mandated in Art. 8 (annotation rules, quality checks, annotator training). Crucially, Art. 9 designates the provider as the "producer of online information content" and the data-processing controller, fusing direct content liability with PIPL-style data-protection duties; Art. 12 cross-references the Deep Synthesis Provisions (2022) for output labelling. The signature ex-ante gate is Art. 17: services with "public-opinion attributes or capacity for social mobilization" (舆论属性或者社会动员能力) must complete a security/safety assessment and an algorithm filing (备案) under the Algorithm Recommendation Provisions before launch — the registration mechanism that anchors the whole regime.
Cross-jurisdiction position
China's Measures are the leading example of a vertical, sector-/application-specific and iterative model, contrasting sharply with the horizontal, risk-tiered architecture of Regulation (EU) 2024/1689 (the EU AI Act) 3. Where the EU AI Act assigns conformity assessment by risk class and added GPAI obligations (Arts. 51–55) only late in negotiations after ChatGPT, China layered the Interim Measures onto two pre-existing CAC instruments — the Algorithm Recommendation Provisions (effective 2022-03-01) and the Deep Synthesis Provisions (effective 2023-01-10) — reusing their algorithm-filing and content-labelling machinery rather than building anew 1. The defining divergence is the ex-ante registry: Art. 17's algorithm filing and security assessment for opinion-influencing services has no direct equivalent in the EU AI Act or in the United States, where governance has run through Executive Order 14110 (since rescinded) and the NIST AI RMF (2023) rather than binding registration. On content provenance, China moved earlier and harder than peers: its labelling regime culminating in the Measures for Labeling AI-Generated Synthetic Content and mandatory standard GB 45438-2025 (effective 2025-09-01) is more prescriptive than the EU AI Act's Art. 50 transparency duties 1. What is distinctive — and absent from EU/US/CoE frameworks — is the embedded ideological-content control (Core Socialist Values, Art. 4), continuous with the Cybersecurity Law lineage rather than fundamental-rights framing; the choice resonates with evidence that LLMs encode the ideologies of their creators, lending a technical rationale to home-grown models that reflect local cultural and political views 4.
Key fault lines and critiques
Scholarship identifies a marked softening between the April 2023 draft and the final text, read by some as the state privileging industrial competitiveness over strict control. The draft's outcome obligation to "ensure" training-data truth, accuracy, objectivity and diversity became a best-efforts "effective measures" duty (Art. 7), and the draft's strict liability for the "legitimacy" of all pre-training data and its three-month rectification deadline were dropped — an acknowledgement that hallucination and web-scale corpora make outcome guarantees technically infeasible 1. A first fault line is therefore the gap between sweeping content prohibitions (Art. 4) and the limited technical means to enforce truthfulness in probabilistic models that can memorise and reproduce their training data 2. A second concerns scope and circumvention: the narrowing to public-facing services and the R&D carve-out (Art. 2) leaves an open question of how the extraterritorial "technical measures" power over non-compliant foreign services (Art. 20) functions in practice. A third is liability allocation: although Art. 9 names the provider as content producer, comparative critics argue regimes in the US, EU and China still struggle to pin synthetic-media harm on the "landlords of creativity" — the upstream foundation-model providers 5. Comparative critics also note the registry and Core-Socialist-Values mandate (Arts. 17, 4) entrench political-speech control and chill open-weight release, while others argue the iterative model lets China bind real applications faster than rights-based regimes 6.
Implementation and trajectory
Implementation has centred on the Art. 17 filing pipeline operated through the CAC. The registry expanded rapidly: the CAC's published domestic filing lists reached 346 registered generative AI services by 31 March 2025 and roughly 748 nationally-filed services by late 2025, with the broader algorithm registry holding several thousand generative algorithmic tools (Bird & Bird 2026). Flagship models — Baidu's Ernie Bot and later DeepSeek — completed filing as a launch precondition, confirming that registration operates as a de facto market-access gate rather than a paper formality. The framework continues to be built out iteratively: supporting technical standards under TC260 and, most consequentially, the Measures for Labeling of AI-Generated Synthetic Content together with the mandatory national standard GB 45438-2025, finalised 2025-03-14 and effective 2025-09-01, which impose dual explicit (visible watermark) and implicit (embedded metadata) labelling on service and content-distribution providers, operationalising the Art. 12 cross-reference to the Deep Synthesis regime 1. China's early bet on mandatory watermarking is notable against empirical audits elsewhere finding that only ~38% of image generators implement adequate watermarking and 18% deepfake labelling, exposing a wide compliance gap under comparable transparency rules 7; public-perception work likewise finds blurred real/fake boundaries driving demand for law-enforced AI-content labelling and provenance 8. The trajectory points toward consolidation: the Interim Measures are widely read as a transitional vertical instrument pending a comprehensive national AI Law. The "interim" label and the explicit "inclusive and prudent, tiered and classified" supervision principle (Art. 3, Art. 16) signal an expectation of replacement or absorption as China migrates from sectoral rules toward horizontal legislation 3.
Enforcement & impact
Enforcement record
Documented enforcement actions catalogued against Interim Measures for Generative AI Service Management (or against rules that this instrument now subsumes).
- CAC Doubao deep-synthesis enforcementCN · 2024–2024Cyberspace Administration of China (CAC) v. ByteDance (Doubao) — Doubao deployed deepfake-generation feature without prior CAC algorithm registration; failed to embed mandatory deep-synthesis content-provenance label per Deep Synthesis Provisions Art. 16. CAC requested feature removal pending registration.Lesson: First named CN-GENAI-2023 enforcement against a frontier-tier Chinese AI developer. Demonstrates: (1) CN registration regime applies pre-deployment + has bite even against domestic champions; (2) cross-instrument enforcement (GenAI rules + Deep Synthesis rules) is operative; (3) remediation is rapid (weeks not years) but private — no consent decree text published.
- CN CAC algorithm-recommendation rectification campaignCN · 2022–2023Cyberspace Administration of China (CAC) v. Multiple platforms: Douyin, Kuaishou, Xiaohongshu, Weibo, Taobao (named in CAC public action) — Unregistered or non-compliant algorithm-recommendation systems. Failure to provide opt-out mechanisms. Failure to register algorithms with CAC under the Algorithm Recommendation Provisions.Lesson: First operational implementation of pre-deployment AI registration regime. Demonstrated that CAC has enforcement bandwidth + technical capability to audit recommender algorithms at scale. Platforms responded by significantly altering algorithm transparency + opt-out flows. Cited as the working counter-example to the 'registration regimes are unenforceable' claim.
Cross-jurisdiction comparison
How peer instruments treat the topics Interim Measures for Generative AI Service Management governs.
| Topic | EU-AIA-2024 | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | G7-HIROSHIMA | OECD-AI-PRIN | COE-AI-CONV | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | NIST-AI-RMF-GENAI | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | EU-GDPR-2016 | EU-GPAI-COP-2025 | OMB-M-24-10 | GSA-AI-GUIDE-2024 | DOD-RAI-2022 | FEDRAMP-AI-2024 | DFARS-252-204 | CA-SB-53 | CA-SB-243 | CA-SB-942 | EU-PLD-2024 | UNESCO-AI-ETHICS-2021 | EU-PWD-2024 | CN-DEEPSYN-2022 | NY-RAISE-2025 | US-TAKEITDOWN-2025 | IT-AILAW-2025 | JP-AIPROMO-2025 | UN-GDC-2024 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Foundation Models / GPAI | governs | governs | silent | implicit | governs | implicit | implicit | silent | governs | governs | governs | governs | governs | implicit | governs | implicit | silent | governs | governs | governs | governs | governs | governs | governs | governs | silent | governs | implicit | governs | implicit | implicit | implicit | governs | silent | implicit | silent | silent | silent | silent | governs | silent | silent | implicit | implicit |
| Deepfakes / Synthetic Content | governs | governs | silent | silent | governs | silent | silent | implicit | implicit | silent | silent | governs | silent | governs | silent | silent | silent | silent | silent | silent | silent | silent | governs | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | governs | silent | governs | governs | silent | silent |
| Individual Redress | governs | silent | silent | implicit | silent | governs | governs | silent | implicit | silent | silent | implicit | implicit | governs | governs | silent | silent | silent | silent | silent | silent | silent | silent | implicit | implicit | governs | silent | governs | implicit | implicit | implicit | silent | implicit | governs | silent | governs | governs | governs | governs | silent | implicit | implicit | implicit | implicit |
| Training-Data Rights | implicit | silent | silent | silent | silent | silent | implicit | silent | implicit | silent | silent | governs | silent | governs | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | implicit | governs | governs | silent | implicit | silent | implicit | governs | silent | silent | silent | silent | governs | silent | governs | silent | silent | governs | implicit | implicit |
| Sovereign AI Doctrine | silent | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | implicit | implicit | silent |
| Technological Sovereignty | implicit | governs | silent | implicit | implicit | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | implicit | governs | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | governs | implicit | silent |
| Synthetic Content Provenance | governs | governs | silent | silent | governs | silent | silent | implicit | implicit | silent | silent | governs | silent | silent | implicit | silent | silent | implicit | silent | silent | silent | silent | governs | governs | implicit | silent | implicit | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | governs | silent | silent | implicit | silent | governs |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
See also
Per-audience views
- Provisions →Article-by-article obligation breakdown for procurement + RFP authors.
- Disclosure form →Vendor-disclosure questionnaire derived from this instrument's operative obligations.
- Harm narratives →Documented harms relevant to this instrument's topics, for civil-society advocacy.
- Briefing pack →Journalist-ready summary with quotes + dates + primary-source links.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Further reading
157 academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act Peer-reviewed✦ AIEmpirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50.
- Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem Peer-reviewed✦ AIArgues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data.
- Geopolitical ecologies of cloud capitalism: Territorial restructuring and the making of national computing power in the U.S. and China Peer-reviewed✦ AIUS and Chinese drives for sovereign AI/cloud dominance depend on reorganizing land, energy and regulatory systems to sustain large-scale national computing power.
- European ambitions captured by American clouds: digital sovereignty through Gaia-X? Peer-reviewed✦ AIShows Gaia-X paradoxically incorporates dominant US cloud providers, undermining the very European digital sovereignty it was meant to advance.
- A Framework for Evaluating Global AI Governance Initiatives Peer-reviewed✦ AIOffers a framework to evaluate global AI governance initiatives, recommending capacity-building so Global South states can meaningfully participate in standard-setting.
- Large language models reflect the ideology of their creators Peer-reviewed✦ AIEmpirically shows LLMs encode their creators' ideologies, supporting policy incentives for home-grown models reflecting local cultural views, especially in low-resource-language regions.
- Governing AI Agents Preprint✦ AIUses "agency law and theory to identify and characterize problems arising from AI agents" and proposes governance infrastructure built on inclusivity, visibility, and liability.
- Infrastructure for AI Agents Peer-reviewed✦ AIProposes "agent infrastructure": external technical systems for attributing actions "to specific agents, their users, or other actors," shaping interactions, and remediating harms.
- Multi-Agent Risks from Advanced AI Research institute✦ AIIdentifies three failure modes of advanced multi-agent systems — "miscoordination, conflict, and collusion" — plus seven risk factors, posing challenges distinct from single-agent AI.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
+ 145 more across this instrument's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Mimi Zou and Lu Zhang (2025) Navigating China's regulatory approach to generative artificial intelligence and large language models, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2024.4 — Analyses China's 2022 deep-synthesis and 2023 generative-AI rules, including mandatory labelling/watermarking of synthetic content as a provenance-governance model. ↩
- Hannah Ruschemeier (2025) Generative AI and data protection, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2024.2 — Examines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous. ↩
- arXiv:2410.21279 ↩
- Maarten Buyl, Alexander Rogiers, Sander Noels, et al. (2026) Large language models reflect the ideology of their creators, npj Artificial Intelligence. 10.1038/s44387-025-00048-0 — Empirically shows LLMs encode their creators' ideologies, supporting policy incentives for home-grown models reflecting local cultural views, especially in low-resource-language regions. ↩
- Bao Kham Chau and George He (2025) Audio deepfakes and the regulation of the landlords of creativity, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2025.10011 — Argues US, EU and Chinese regimes fail to assign audio-deepfake liability to 'landlords of creativity' (foundation-model providers) and proposes holding them accountable. ↩
- arXiv:2401.02799 ↩
- Bram Rijsbosch, Gijs van Dijck, and Konrad Kollnig (2026) Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act, Policy & Internet. 10.1002/poi3.70041 — Empirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50. ↩
- Kyrie Zhixuan Zhou, Abhinav Choudhry, Ece Gumusel, and Madelyn Rose Sanfilippo (2025) 'Sora is incredible and scary': public perceptions and governance challenges of text-to-video generative AI models, Information Research (iConference 2025 proceedings). 10.47989/ir30iconf47290 — Qualitative analysis of public commentary on Sora finds blurred real/fake boundaries drive demand for law-enforced AI-content labelling and provenance. ↩
- CAC Order No. 15
- Art. 2 (applies to GenAI services regardless of size)
- Art. 12 (labelling) + Deep Synthesis Rules
- Art. 4 + Algorithm Recommendation Rules — disclosure to CAC, not public; conflicts with EU public-disclosure model
- Art. 15 (complaint channels)
- Art. 7 (legal source + IP requirements)
- Art. 17 (registration + algorithm filing)
- Art. 4 + national-strategy alignment; domestic-AI doctrine explicit
- PRC has invoked development rights in UN AI debates (2024 GA)
- Arts. 4, 8 (service-provision scope) — agent-like generative services fall within registration + safety-assessment obligations
- Art. 8 — registration / safety assessment applies regardless of weight release modality
- Art. 12 — mandatory marking of generative-AI output; aligns with Deep Synthesis Rules (2022) tagging requirements
How to cite this article
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/china-genai-measures — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Does this instrument’s approach work? — the social-science evidence
Aggregated over the 10 topics this instrument governs: whether each harm is empirically real, and whether the peer-reviewed evidence shows governance reduces it. The badge is the epistemic status of the evidence— “thin”/“absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Of the 10 governed topics with a social-science evidence review, evidence that governance reduces the harm is established for 0, contested for 0, thin for 2, and absent for 8 — for most, no replicated study yet shows this instrument's approach works (the "second silence").
Agentic AI Governance
The capability that agentic governance targets — autonomous multi-step action — is real and rapidly, measurably advancing: METR finds the task length AI agents complete at 50% reliability has doubled roughly every seven months for the past six years (about 50 minutes for frontier 2025 models), and the UK AI Security Institute's first Frontier AI Trends Report (Dec 2025, >30 systems) reports models now finish hour-long software tasks >40% of the time versus <5% in late 2023. The distinct realized HARM from agency (as opposed to the underlying model) is, however, thinly documented: on consequential real-world tasks agents still fail the majority — Gemini 2.5 Pro completed only 30.3% of TheAgentCompany's 175 professional tasks (OpenHands scaffold, project leaderboard) — so the agency-specific harm magnitude is early and context-dependent rather than established at scale.
Sources: Kwa, West, Becker et al. 2025 (METR; arXiv:2503.14499, 'Measuring AI Ability to Complete Long Tasks'); UK AI Security Institute 2025 (Frontier AI Trends Report, Dec 2025); Xu, Song, Zhou et al. 2024 (TheAgentCompany, arXiv:2412.14161); 30.3% figure per TheAgentCompany leaderboard (OpenHands)
There is no impact-evaluation evidence that agent-specific governance reduces agentic harm: the operative regimes — the EU GPAI Code of Practice (published July 2025, voluntary/non-binding), the Seoul Frontier AI Safety Commitments (2024, voluntary), and AISI agent evaluations — are 2024-25 vintage and have never been measured against an outcome. The scholarship itself has not settled the contested unit of regulation: Kolt (2025) argues for governing the agentic relationship via principal-agent and agency-law tools, while Chan, Ezell, Kaufmann et al. (2024) propose agent-specific visibility mechanisms (identifiers, real-time monitoring, activity logging) that remain proposal-stage and unevaluated — meaning the field has design proposals but, as with most frontier-AI rules, the evidence that any of them works is absent rather than merely thin.
Sources: Kolt 2025 ('Governing AI Agents', 101 Notre Dame L. Rev., forthcoming; arXiv:2501.07913); Chan, Ezell, Kaufmann et al. 2024 ('Visibility into AI Agents', ACM FAccT 2024, pp. 958-973; DOI 10.1145/3630106.3658948); EU AI Office 2025 (GPAI Code of Practice, July 2025); Seoul Frontier AI Safety Commitments 2024
Deepfakes / Synthetic Content
The flagship harm — non-consensual sexual deepfakes — is empirically real and sharply gendered: content audits find ~96-98% of deepfake videos online are non-consensual pornography overwhelmingly depicting women, and a pre-registered 10-country survey (>16,000 people) found 2.2% reporting victimization and 1.8% perpetration of synthetic intimate imagery, with documented mental-health, career, and participation harms. By contrast, the parallel claim that political/informational deepfakes UNIQUELY deceive is contested-to-refuted: experiments find deepfakes about as (not more) credible than equivalent text/audio fakes, and a 56-paper meta-analysis (k=137, N=86,155) puts unaided human detection near chance — implying a detection problem more than an exceptional-persuasion one.
Sources: Umbach, Henry, Beard & Berryessa 2024 (CHI '24, 'Non-Consensual Synthetic Intimate Imagery ... in 10 Countries'); Diel et al. 2024 (Computers in Human Behavior Reports 16:100538, deepfake-detection meta-analysis of 56 papers); Barari, Lucas & Munger 2025 (Journal of Politics 87(2), 'Political Deepfakes Are as Credible as Other Fake Media'); Flynn et al. 2022 (British Journal of Criminology, multi-country image-based sexual abuse study)
Direct impact evidence that deepfake governance reduces the targeted harm is sparse and, where it exists, discouraging: the one quasi-experimental evaluation (Cuevas & Horta Ribeiro 2025, synthetic-control across three platforms) found the U.S. TAKE IT DOWN Act's passage plus the MrDeepfakes shutdown did NOT suppress synthetic non-consensual imagery — posting rose above counterfactual baselines and displaced elsewhere. Technical enforcement is likewise unreliable: detectors fail to generalize to unseen generators (notably diffusion models) and are vulnerable to adversarial evasion, with in-the-wild accuracy well below benchmark figures. No rigorous evaluation yet shows a deepfake-specific law, takedown mandate, or watermarking scheme producing a sustained reduction in prevalence or harm.
Sources: Cuevas & Horta Ribeiro 2025 ('Deepfake Pornography is Resilient to Regulatory and Platform Shocks', arXiv:2602.02754); 'Adversarial Reality for Evading Deepfake Image Detectors' (ICCVW 2025); TAKE IT DOWN Act, S.146 / Pub. L. 119-12 (2025); CRS Legal Sidebar LSB11314
Development-Rights Framings
Development-rights framing is a normative/doctrinal frame, so its empirical status splits: the underlying North-South asymmetry it responds to is real and documented, but the claim that a development-rights diagnosis is the correct one is contested doctrine, not a settled finding. The strongest empirical anchor is the exploitative-data-labour evidence — Miceli & Posada's (2022) multi-method qualitative study of Latin American annotation work (Foucauldian dispositif analysis of 210 instruction documents, 55 interviews, plus participant observation) found workers paid cents-per-task with strict surveillance and whose worldviews are subordinated to requesters' — which substantiates the extraction the frame names, building on the data-colonialism thesis (Couldry & Mejias 2019), and extended by comparative political-economy work on AI annotation 'data empires' (Wu, Muldoon & Xia 2025). Honest caveat: whether 'digital self-determination' or 'Global-South sovereignty' is the right operational response (and whether it conflicts with the EU AIA's rights-based design) is a conceptual/legal question with essentially no empirical evidence base — the frame is established as a critique, thin as a tested governance prescription.
Sources: Miceli & Posada 2022, 'The Data-Production Dispositif' (Proc. ACM Hum.-Comput. Interact. 6, CSCW2, Art. 460:1-37); Couldry & Mejias 2019, 'Data Colonialism' (Television & New Media 20(4):336-349); Wu, Muldoon & Xia 2025, 'Global data empires' (Big Data & Society 12(2))
There is no rigorous impact evaluation showing that development-rights / digital-self-determination / sovereignty governance achieves its stated developmental or self-determination aims — the evidence that the frame 'works' as policy is itself missing, largely because the frame is recent, heterogeneous, and rarely instantiated in a single measurable instrument. The closest empirical literature studies one common operational proxy (data localization) and measures economic cost rather than the frame's goals: Ferracane, Kren & van der Marel's (2020) firm/industry productivity analysis finds data-policy restrictiveness associated with lower TFP in data-intensive downstream sectors, Ferracane & van der Marel's (2021) gravity analysis finds data restrictions inhibit trade in digital services, and Bauer, Lee-Makiyama, van der Marel & Verschelde's (2014) GTAP general-equilibrium estimates project GDP losses from localization across seven jurisdictions including Brazil and India. None tests whether sovereignty framing reduces extractive asymmetry or advances local AI capability — so claims on both the benefit and cost sides rest on weak or indirect evidence.
Sources: Ferracane, Kren & van der Marel 2020, 'Do data policy restrictions impact the productivity performance of firms and industries?' (Review of International Economics 28(3):676-722); Ferracane & van der Marel 2021, 'Do data policy restrictions inhibit trade in services?' (Review of World Economics 157(4):727-776); Bauer, Lee-Makiyama, van der Marel & Verschelde 2014, 'The Costs of Data Localisation: Friendly Fire on Economic Recovery' (ECIPE Occasional Paper 3/2014)
Foundation Models / GPAI
Whether the foundation-model category maps to a coherent capability/risk tier is genuinely contested. The original case rests on scale-driven 'emergent abilities' that appear unpredictably above a size threshold (Wei et al. 2022; Ganguli et al. 2022 documented capabilities that are smoothly predictable in aggregate loss yet locally surprising), but Schaeffer, Miranda & Koyejo (2023, a NeurIPS Outstanding Paper) showed many 'emergent' jumps are artefacts of discontinuous metrics and dissolve under linear/continuous scoring — implying capability scales more smoothly than a sharp tier would suggest. Honest caveat: this is a live empirical disagreement about measurement, not a settled finding either way, and compute (the regulatory proxy) is an imperfect stand-in for capability or risk regardless of which side is right.
Sources: Wei et al. 2022 (Emergent Abilities of Large Language Models, TMLR; arXiv:2206.07682); Schaeffer, Miranda & Koyejo 2023 (Are Emergent Abilities of Large Language Models a Mirage?, NeurIPS 2023, Outstanding Paper; arXiv:2304.15004); Ganguli et al. 2022 (Predictability and Surprise in Large Generative Models, ACM FAccT; DOI 10.1145/3531146.3533229)
There is no impact evaluation showing that GPAI/foundation-model governance reduces harm — the rules are too new (EU AI Act GPAI obligations and the 10^25-FLOP systemic-risk presumption only began binding on 2 August 2025) and the central regulatory lever is itself contested: Hooker (2024) argues compute thresholds are a shortsighted proxy because compute does not reliably track capability or risk, and the thresholds already diverge across jurisdictions (EU 10^25 vs. the now-rescinded US EO 14110's 10^26 operations, rescinded 20 January 2025). The mandated mitigation methods also lack validated efficacy: model evaluation and red-teaming face well-documented coverage limits and an 'audit gap' in the survey/position literature (behavioural testing cannot establish the absence of untested failure modes), and adversarial red-teaming repeatedly defeats deployed safeguards — the UK AI Safety Institute reports finding universal jailbreaks for every frontier system it has tested, and a large public agent-injection competition elicited policy violations across all 22 frontier models tested from ~1.8M attacks (Zou et al. 2025). Even compliant evaluation therefore cannot yet certify the safety the rules demand. (Caveat: this is an absence-of-evidence claim — no efficacy study has been done — not evidence the rules are ineffective.)
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Arts. 51 & 55 (GPAI systemic-risk presumption, 10^25 FLOP; binding 2 Aug 2025); US EO 14110 (10^26-operation reporting threshold, rescinded 20 Jan 2025 by EO 14148); Zou et al. 2025 (Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition / Gray Swan Arena, arXiv:2507.20526 — 22 frontier agents, ~1.8M attacks); UK AI Safety/Security Institute, Frontier AI Trends Report (universal jailbreaks for every system tested); METR, Common Elements of Frontier AI Safety Policies (2024)
Open-Weight Frontier Release
The empirical picture splits into two well-separated questions. (1) The MECHANISM that distinguishes open-weight release — that safety guardrails can be cheaply and irreversibly stripped once weights are public — is established: Qi et al. (2024) removed GPT-3.5 Turbo safety alignment by fine-tuning on only ~10 adversarially designed examples for under $0.20 (and the attack generalizes to Llama-2), and even purpose-built tamper-resistant safeguards (Tamirisa et al. 2025, TAR) were subsequently shown to be defeatable by adaptive fine-tuning (Qi et al. 2024, durability critique). (2) Whether this mechanism produces real-world CATASTROPHIC uplift is genuinely contested and, for the headline biosecurity case, currently unsupported: RAND's red-team study found no statistically significant difference in the viability of bioweapon attack plans produced with versus without LLM assistance (Mouton, Lucas & Guest 2024), and OpenAI's 100-participant trial found at most mild uplift over an internet baseline (Patwardhan et al. 2024). Honest caveat: these null/mild results are time-stamped to 2023-2024 frontier capability and to biothreats specifically; the marginal-risk framework (Kapoor, Bommasani et al. 2024) concludes the evidence base is too thin to characterize marginal risk across most misuse vectors, so 'no measured harm yet' is not 'no harm.'
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 / ICML 2024 (arXiv 2403.07918); Mouton, Lucas & Guest 2024, RAND RR-A2977-2, 'The Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study'; Qi, Zeng, Xie, Chen, Jia, Mittal & Henderson 2024, 'Fine-tuning Aligned Language Models Compromises Safety', ICLR 2024 (arXiv 2310.03693); Tamirisa et al. 2025, 'Tamper-Resistant Safeguards for Open-Weight LLMs', ICLR 2025 (arXiv 2408.00761); Qi, Wei, Carlini, Huang, Xie, He, Jagielski, Nasr, Mittal & Henderson 2024, 'On Evaluating the Durability of Safeguards for Open-Weight LLMs' (arXiv 2412.07097); Patwardhan et al. 2024, 'Building an early warning system for LLM-aided biological threat creation', OpenAI
There is no impact evaluation showing that any specific weight-release governance regime reduces downstream harm, because no binding regime has been implemented and measured: California SB-1047's release-conditioning framework was vetoed in September 2024, and the EU AI Act's open-source carve-outs (Recital 102, Art. 53(2)) exempt most open-weight models (those below the systemic-risk compute threshold) from the documentation obligations that would generate evaluable conduct. The structural obstacle is also documented: Kapoor, Bommasani et al. (2024) characterize open-weight release as effectively irreversible and poorly monitorable once weights are public, so post-release governance has little to act on. The closest analogue evidence — technology export controls — is mixed and points to circumvention: commentators argue blanket export controls on freely copyable open-source models cannot work (Just Security 2024), and independent analyses of the post-2022 semiconductor controls document displacement to less-regulated channels (smuggling, threshold-tuned chip variants, cloud access) rather than disappearance of activity (e.g., CSIS, FPRI 2024), suggesting recipient-restriction regimes face the same leakage problem for weights. (Caveat: this is analogical, not direct evidence about weight-release governance, which remains unmeasured.)
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 (arXiv 2403.07918); California SB-1047 (2024, vetoed by Gov. Newsom 29 Sep 2024); EU AI Act Regulation (EU) 2024/1689, Recital 102 & Art. 53(2) open-source exemptions; Just Security 2024, 'Export Controls on Open-Source Models Will Not Win the AI Race'; CSIS, 'The Limits of Chip Export Controls in Meeting the China Challenge' and FPRI 2024, 'Breaking the Circuit: US-China Semiconductor Controls' (export-control circumvention analogue)
Individual Redress
The premise behind redress — that affected people lack meaningful recourse against automated decisions — is real, but the flagship instrument is weaker than commonly assumed. Wachter, Mittelstadt & Floridi (2017) show GDPR creates only a limited 'right to be informed,' not a binding 'right to explanation' of specific decisions; and controlled work finds the explanations actually delivered do not measurably improve lay decision accuracy over showing the bare AI prediction (Alufaisan et al. 2021; and a 2022 meta-analysis by Schemmer et al. — screening 393 articles down to 9 in the final analysis — reports 'no effect of explanations on users' performance compared to sole AI predictions,' even though XAI overall had a positive effect). Honest caveat: the legitimacy/dignity value of being heard is empirically well established in the procedural-justice tradition even where outcome accuracy is unchanged, so 'redress fails' depends on which aim is measured.
Sources: Wachter, Mittelstadt & Floridi 2017 (International Data Privacy Law 7(2):76); Alufaisan, Marusich, Bakdash, Zhou & Kantarcioglu 2021 (Proceedings of the AAAI Conference on AI 35(8):6618); Schemmer, Hemmer, Nitsche, Kühl & Vössing 2022 (AAAI/ACM AIES '22, meta-analysis)
There is no rigorous impact evaluation showing that mandated redress mechanisms (right-to-explanation, appeal, human-in-the-loop review) actually reduce erroneous or unfair automated decisions — the evidence that the rule works is itself missing. The closest experimental analogues are discouraging: explanations increase humans' acceptance of AI recommendations regardless of correctness (Bansal et al. 2021), and algorithm-in-the-loop oversight can introduce racial disparities and exhibit automation bias rather than reliably catching model errors (Green & Chen 2019). The procedural-justice literature (Tyler 1990; Lind & Tyler 1988) robustly supports a legitimacy and compliance benefit of fair process, but it measures perceived fairness, not reduction of the substantive decision harm redress is meant to cure.
Sources: Bansal, Wu, Zhou, Fok, Nushi, Kamar, Ribeiro & Weld 2021 (CHI '21); Green & Chen 2019 (Disparate Interactions, ACM FAT* '19); Tyler 1990 (Why People Obey the Law, Yale Univ. Press); Lind & Tyler 1988 (The Social Psychology of Procedural Justice, Plenum Press)
Sovereign AI Doctrine
Sovereign-AI doctrine is post-2023 and largely aspirational, so its core empirical premise — that frontier model deployment can be meaningfully bound to a national jurisdiction — is only just beginning to be tested. What IS measurable is the underlying compute geography the doctrine reacts to: an audit of 775 non-U.S. data-center projects estimates U.S. companies operate ~48% of them when weighted by investment value (a proxy for compute capacity, and explicitly an initial public-data approximation), implying 'in-territory' hardware is frequently still subject to foreign corporate/legal control (Richardson et al. 2025). Honest caveat: there is no peer-reviewed evidence base establishing whether jurisdiction-bound frontier deployment is technically feasible at scale — the descriptive dependency (foreign operation of locally-sited hardware) is documented, but the doctrine's central feasibility claim is thin and early.
Sources: Richardson et al. 2025 (arXiv:2508.00932, 'How Sovereign Is Sovereign Compute? A Review of 775 Non-U.S. Data Centers'); Gupta, Walker & Reddie 2024 (arXiv:2411.14425, 'Whack-a-Chip: The Futility of Hardware-Centric Export Controls', UC Berkeley Risk & Security Lab)
There is no rigorous impact evaluation showing that sovereign-AI governance achieves its stated aim of secure, contained national AI capability. The closest direct levers have measurable but mostly adverse or contested evidence: ex-ante simulations of the closest analogue — data-localization mandates — project GDP losses (EU GDP −0.4% under proposed/GDPR-style measures rising to −1.1% under economy-wide localization; Bauer, Lee-Makiyama, van der Marel & Verschelde 2014, ECIPE Occasional Paper No. 3/2014) yet quantify no realized sovereignty benefit, and chip export controls — the other main instrument — show contested efficacy: one cross-firm study finds no innovation harm to 30 leading semiconductor firms (Schumacher 2024, CSIS) while case evidence documents systematic circumvention via software/efficiency gains and chip exfiltration/smuggling (Gupta, Walker & Reddie 2024). No replicated study demonstrates that any sovereign-AI regime measurably delivers the jurisdictional control it asserts.
Sources: Bauer, Lee-Makiyama, van der Marel & Verschelde 2014 (ECIPE Occasional Paper No. 3/2014, 'The Costs of Data Localisation: Friendly Fire on Economic Recovery'); Schumacher 2024 (CSIS, 'Did U.S. Semiconductor Export Controls Harm Innovation?'); Gupta, Walker & Reddie 2024 (arXiv:2411.14425, 'Whack-a-Chip: The Futility of Hardware-Centric Export Controls')
Synthetic Content Provenance
The harm provenance targets is real but concentrated, and the technical premise that the mandated signal survives is itself empirically shaky. Synthetic-media harm is well documented in two domains: non-consensual intimate imagery (Ajder et al.'s 2019 Deeptrace audit found 96% of deepfake videos were pornographic and effectively 100% targeted women) and impersonation fraud (the Arup case, ~US$25.6M / HK$200M lost via a deepfake video call). The honest caveat is twofold: a feared broad political-misinformation harm is not yet demonstrated at scale, and CS work shows invisible watermarks are removable in practice (Jiang, Zhang & Gong 2023, WEvade, evade detection via adversarial perturbation; Zhao et al. 2024 prove pixel-level watermarks are provably removable via regeneration attacks), so the provenance signal a rule would mandate is itself contested.
Sources: Ajder, Patrini, Cavalli & Cullen 2019 (Deeptrace, 'The State of Deepfakes: Landscape, Threats, and Impact'); Jiang, Zhang & Gong 2023 ('Evading Watermark based Detection of AI-Generated Content', ACM CCS 2023); Zhao et al. 2024 (NeurIPS, 'Invisible Image Watermarks Are Provably Removable Using Generative AI'); Arup deepfake fraud (CNN Business, 2024-05-16, US$25.6M)
There is no impact evaluation showing that mandated provenance/labeling reduces synthetic-media harm; the major mandates (China's GenAI labeling Measures, effective 2025-09-01; EU AIA Art. 50, machine-readable marking) are too new and unevaluated, and the delivery layer is leaky: the C2PA spec's own Security Considerations document the strip-and-repost threat, and platform audits report C2PA/Content-Credentials metadata is stripped by essentially all major social platforms on upload (consistent with Imatag's 2018 finding that ~80% of uploaded images lose metadata, only ~15% retaining it). The closest analogue evaluation literature — Pennycook, Bear, Collins & Rand (2020), the 'implied truth effect' — gives reason for caution rather than confidence: labeling only some content can make unlabeled false content seem more credible, so a partial-coverage provenance regime could backfire.
Sources: Pennycook, Bear, Collins & Rand 2020 (Management Science 66(11):4944-4957, 'The Implied Truth Effect'); China Measures for Labeling AI-Generated Synthetic Content (eff. 2025-09-01); EU AI Act Art. 50; Imatag 2018 metadata-stripping study (~80%); C2PA Security Considerations (spec.c2pa.org) on manifest removal
Technological Sovereignty
The structural fact that compute capacity is geographically concentrated is well-measured: Lehdonvirta, Wú & Hawkins find only ~33 countries host facilities with AI-accelerator hardware and roughly 24 have the capacity to train full-scale foundation models, the Stanford AI Index 2026 reports low-income countries collectively hold ~0.1% of global data-centre compute (the US hosting >10x any other nation), and Cottier et al. document amortized frontier-training cost rising 2.4x/year (95% CI 2.0-3.1x) toward $1B+ models by 2027. But this is a political-economy FRAME, not a documented harm, and the core contested claim of the topic, that the cost curve locks mid-sized economies OUT of capability, is empirically cut both ways: a feasibility study of Brazil and Mexico (Malagon et al. 2025) estimates usable (non-frontier) 10-trillion-token sovereign models are fiscally viable at roughly $8-14M on H100 hardware, and DeepSeek-style efficiency gains (V3 trained for ~$5.5M, ~11x less compute than Llama 3 405B) show frontier-adjacent performance at a fraction of prior compute, so whether domestic frontier-tier capability is foreclosed for middle powers remains genuinely unsettled.
Sources: Lehdonvirta, Wú & Hawkins 2024 (Compute North vs. Compute South, Proceedings of the 2024 AAAI/ACM Conference on AI, Ethics & Society 7:828-838); Cottier, Rahman, Fattorini, Maslej & Owen 2024 (The Rising Costs of Training Frontier AI Models, arXiv:2405.21015); Stanford AI Index 2026 (Maslej et al., Stanford HAI); Malagon, Ulloa Ruiz, Sandoval Plaza, Rosario Bolívar, García Mesa & Alvarado Morales 2025 (The Feasibility of Training Sovereign Language Models in the Global South: A Study of Brazil and Mexico, arXiv:2510.19801)
There is no rigorous impact evaluation showing that technological-sovereignty policies (on-shore compute mandates, national foundation-model champions, talent-retention schemes such as EuroHPC AI Factories or India's IndiaAI Mission) actually deliver sustained domestic capability or strategic autonomy; these programs are recent, utilization and cost-per-GPU-hour are largely unpublished, and no counterfactual study exists. The closest analogue evidence base, the industrial-policy literature synthesized by Juhász, Lane & Rodrik, finds that properly-identified studies are more favorable than older correlational work suggested but that outcomes depend heavily on instrument design and structural context, and the older national-champion record warns of subsidized 'zombie' firms and government capture, so the closest analogue is mixed and the direct evidence that the sovereignty rule works is simply missing.
Sources: Juhász, Lane & Rodrik 2024 (The New Economics of Industrial Policy, Annual Review of Economics 16:213-242); Ahmed & Wahed 2020 (The De-democratization of AI: Deep Learning and the Compute Divide in Artificial Intelligence Research, arXiv:2010.15581); IndiaAI Mission (Indian Cabinet, March 2024); EuroHPC Joint Undertaking AI Factories (2024 regulation amendment; no published impact evaluation)
Training-Data Rights
That foundation models ingest copyrighted and personal works without consent is undisputed; whether that ingestion produces legally cognizable reproduction harm is genuinely contested. The CS evidence that models can memorize and emit verbatim training text is robust and replicated — Carlini et al. (2021) extracted hundreds of verbatim sequences (including PII) from GPT-2, and follow-up work (Carlini et al., Quantifying Memorization, ICLR 2023) showed extraction scales log-linearly with model size and with example duplication. Honest caveat: verbatim reproduction is the exception, not the norm — the UK High Court held that Stable Diffusion's model weights never stored copies of the training images (defeating the secondary-infringement theory), and Getty abandoned its primary training-infringement claim at trial for lack of evidence, so whether the empirical phenomenon amounts to actionable harm (rather than transient, non-expressive use) remains the open question driving NYT v. OpenAI and parallel regimes.
Sources: Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea & Raffel 2021 (Extracting Training Data from Large Language Models, 30th USENIX Security Symposium); Carlini, Ippolito, Jagielski, Lee, Tramèr & Zhang 2023 (Quantifying Memorization Across Neural Language Models, ICLR 2023; arXiv:2202.07646); Getty Images (US) Inc & ors v Stability AI Ltd [2025] EWHC 2863 (Ch) (UK High Court, 4 Nov 2025 — no secondary infringement; primary training claim abandoned at trial); The New York Times Co. v. Microsoft Corp. & OpenAI (S.D.N.Y., No. 1:23-cv-11195; consolidated In re OpenAI Copyright Infringement Litigation, Apr. 2025; ongoing 2025-2026)
There is no impact evaluation showing that the CDSM Directive Article 4 TDM exception plus its Article 4(3) opt-out reservation regime actually reduces unlicensed ingestion or channels compensation to rightsholders — the evidence that the rule works as designed is itself missing. The only available evidence is early case law and doctrinal scholarship, which document the mechanism's contested operation rather than its success: in Kneschke v. LAION the Hamburg Higher Regional Court (on appeal, 10 Dec 2025) held that a rights reservation in natural language did NOT satisfy Article 4(3)'s machine-readability requirement, invalidating the opt-out (note: the first-instance Regional Court had left the Article 4 question largely open and the case ultimately turned on the Article 3 scientific-research exception, so this machine-readability holding is appellate and not yet settled — a further appeal to the Federal Court of Justice was permitted). Legal scholars characterize the Article 4 opt-out as practically difficult and unharmonized, with no observed market in TDM licences or systematic enforcement to evaluate.
Sources: Kneschke v. LAION (Hamburg Regional Court, 27 Sept 2024, 310 O 227/23; on appeal Hamburg Higher Regional Court, 10 Dec 2025, 5 U 104/24 — opt-out held not machine-readable; further appeal to BGH permitted); Margoni & Kretschmer 2022 (A Deeper Look into the EU Text and Data Mining Exceptions, GRUR International 71(8):685-701); Quintais 2025 (Generative AI, Copyright and the AI Act, Computer Law & Security Review 56:106107)