Council of Europe Framework Convention on AI
COE-AI-CONV · council_of_europe
First legally-binding international treaty on AI. Opened for signature Sep 2024. Enters into force three months after five ratifications including three CoE members. Currency (2026-06-21): secondary trackers report the entry-into-force threshold was met (reported in force 1 November 2025, EU ratification reported 15 May 2026), but this could NOT be confirmed against the Council of Europe treaty-office primary source (which blocks automated retrieval) and Wikipedia did not corroborate a ratification count meeting the threshold — so status is HELD as adopted-not-in-force pending primary-source confirmation by a named editor.
Adopted but not yet in force
Coverage cells below reflect this instrument's operative content once it enters into force. Time-sensitive policy briefs should also cite the source document directly and check for amendments. PW does not track legislative-progress updates within a single catalog snapshot.
Background & scope
Council of Europe Framework Convention on AI addresses 4 contested AI-governance topics explicitly, 7 via general principles.
Provisions & coverage
- implicitFoundation Models / GPAIApplies to AI throughout lifecycle (Art. 3)[9]
- implicitBiometric IdentificationArts. 10-11 (privacy + non-discrimination)[9]
- implicitAI in EmploymentNon-discrimination + dignity provisions[9]
- governsAI in Criminal JusticeArt. 14 (procedural safeguards)[9]
- governsTransparency ObligationsArt. 8 (transparency + oversight)[9]
- governsIndividual RedressArts. 14-15 (procedural safeguards + remedies)[9]
- implicitTraining-Data RightsArt. 11 (privacy + data protection)[9]
- implicitDevelopment-Rights FramingsRights-based framing partly overlaps with development-rights doctrine but not explicitly[9]
- implicitAgentic AI GovernanceGeneral-AI scope (Art. 3) covers agent systems; no agent-specific provision[9]
- implicitEnvironmental Impact of AI TrainingArt. 7 sustainability principle; environmental impact subsumed[9]
- governsNational Security Carveouts in AI RegulationArt. 3 — does not apply to AI used for national security / defence[9]
Operative mechanics
The Framework Convention (CETS No. 225) is structured as a principles-based instrument rather than a regulation: it binds Parties to outcomes across the AI "lifecycle" (Art. 2 definitional clause) while leaving the means to domestic law. Substantive obligations are framed as duties to "adopt or maintain measures" to protect human dignity and individual autonomy (Art. 7), to ensure transparency and oversight including the identification of AI-generated content (Art. 8), to ensure accountability and responsibility for adverse impacts (Art. 9), equality and non-discrimination including gender equality (Art. 10), and privacy and personal-data protection (Art. 11). On the remedial side Parties must make available accessible and effective remedies for human-rights violations (Art. 14) and procedural safeguards — notably notifying persons that they are interacting with an AI system rather than a human (Art. 15). What makes such remedies "effective" is itself contested empirical terrain: work on meaningful contestability shows that decision subjects need more than a formal appeal route for redress to function 1, and the design of those channels splits across judicial vs non-judicial and individual vs collective routes for public-sector AI 2. The instrument's engine is its risk-and-impact machinery (Art. 16): Parties must "identify, assess, prevent and mitigate" risks and adopt a graduated approach, expressly contemplating, where appropriate, "moratoria, bans or other appropriate measures" for AI uses incompatible with human-rights standards (Art. 16, as summarized by CAIDP, caidp.org/resources/coe-ai-treaty/). Compliance is policed not by a court but by a domestic "effective oversight mechanism" (Art. 26) and an inter-state follow-up body, the Conference of the Parties (Art. 23–24), which interprets and monitors implementation. The Convention's scope clause (Art. 3) is itself operative: Art. 3(1)(a) covers public authorities and private actors acting on their behalf, while Art. 3(1)(b) lets Parties choose how to address private-sector activity (Babická & Giacomin, Opinio Juris, 5 Nov 2024).
Cross-jurisdiction position
CETS No. 225 occupies a distinct niche from the EU's Regulation (EU) 2024/1689 (the AI Act): the Convention is a public-international-law treaty open beyond Europe, whereas the AI Act is directly-applicable supranational regulation. The two diverge structurally. The AI Act builds tiered, enumerated risk categories (unacceptable/high/limited/minimal) and directly regulates private providers and deployers; the Convention "deliberately omits explicit risk categories," operating at a "high level of abstraction" and leaving private-sector application to Party discretion under Art. 3(1)(b) 3. The global reach is real: non-Council-of-Europe states including the United States, Israel, Canada and Japan participated in the Committee on AI (CAI) negotiations, and the US, Israel and the EU are among signatories alongside CoE members (coe.int/en/web/artificial-intelligence). That breadth raises the question of whether a high-abstraction floor can deliver consistent protection where domestic baselines diverge — comparative work on a single contested use, facial recognition for arrests, finds national frameworks "inconsistent and unclear" across democracies 4, and frameworks for evaluating global AI governance initiatives warn that wide accession can mask limited real impact unless an initiative carries genuine authority and contextual fit, so the live test is whether acceding Parties can meaningfully implement rather than merely sign on 5. This breadth is double-edged — Stoyanova documents that US and observer-state influence "diluted the safeguards" relative to the directly-binding private-actor obligations of the early "Zero Drafts." Against China's algorithm-registration and generative-AI rules — which are state-control-oriented rather than rights-framed — the Convention is explicitly anchored in the ECHR tradition and rule-of-law conditionality. The EU's own ratification (reported 15 May 2026, coe.int) positions the AI Act as the EU's chief instrument of compliance, making the Convention a normative floor rather than a parallel regime; commentators frame it as a potential "anchor" for interoperability among non-EU jurisdictions lacking an AI Act equivalent (ENSURED policy brief, ensuredeurope.eu).
Key fault lines and critiques
The dominant scholarly and civil-society critique targets the Convention's carve-outs. Art. 3(2) excludes "all activities within the lifecycle of artificial intelligence systems related to the protection of national interests / national security," Art. 3(3) excludes pre-deployment research and development, and Art. 3(4) excludes national-defence activities (Babická & Giacomin, Opinio Juris, 5 Nov 2024). Critics — including the European Data Protection Supervisor and digital-rights organisations — argue the national-security exemption is a blanket one untethered from the ECHR's necessity-and-proportionality test, and could "aid authoritarian governments" and shield unchecked AI use, while the defence exclusion creates a protection gap over autonomous-weapons development despite the continued applicability of international human-rights and humanitarian law (CAIDP, caidp.org). That fear is not abstract: parallel analysis of the AI Act's own security exemptions shows how they, combined with police powers to restrict information-sharing, make meaningful supervision of policing and migration AI "extremely difficult" 6, and the data-protection literature warns that controller-based routes for applying EU law to national-security surveillance "create significant legal uncertainties" 7. The second fault line is the private-sector compromise: Art. 3(1)(b)'s opt-in/"other appropriate measures" mechanism replaced the direct private-actor regulation of the Zero Drafts, which Stoyanova 3 reads as conferring "wider discretion" and reduced concrete protection relative to the AI Act. A third critique is definitional vagueness: Stoyanova identifies conceptual confusion across "risks," "adverse impacts" and "potential to interfere," and undefined significance thresholds ("significantly affect," "substantially informed"), yielding "obligations of result" without measurable benchmarks — a gap that bites hardest in high-stakes domains such as predictive policing and predictive justice, where accountability and oversight remain weakly specified 8. The thinness of enforcement — no individual complaint mechanism, reliance on a peer Conference of the Parties (Art. 23–24) and self-designated domestic oversight (Art. 26) — feeds the recurring charge that the treaty's "global reach" came at the cost of harmonisation and bite (Free Group analysis, free-group.eu, 6 May 2024).
Implementation and trajectory
The Convention was adopted by the Committee of Ministers on 17 May 2024 and opened for signature in Vilnius on 5 September 2024, drawing inaugural signatures from CoE members and non-members including the United States, the United Kingdom, the EU and Israel (coe.int/en/web/artificial-intelligence; eucrim anniversary note, 30 Sep 2025). Under Art. 30, entry into force requires five ratifications including at least three CoE member states, taking effect on the first day of the month after a three-month period. Secondary trackers report the threshold was met in 2025 with entry into force on 1 November 2025 — ratifications attributed to the United Kingdom, France, Norway and others — and the European Union depositing its ratification on 15 May 2026 (coe.int; CAIDP). Note a currency caveat: as of this review the Council of Europe Treaty Office chart for Treaty 225 could not be independently confirmed via automated retrieval (the primary source blocks crawlers), so the in-force status is reported here on secondary-source authority pending named-editor confirmation against the official chart (coe.int/en/web/Conventions/full-list, treatynum=225). Implementation tooling is advancing in parallel: the CoE has published the HUDERIA methodology (Human Rights, Democracy and the Rule of Law Impact Assessment) to operationalise the Art. 16 risk-and-impact duty into measurable practice, and established a new follow-up committee (CDNET) to support the Conference of the Parties. Whether such tooling produces real accountability depends on under-developed connective tissue between explanation and redress in public-sector AI 2, and on whether evaluation frameworks for global governance initiatives are applied to track Parties' actual capacity to implement 5. The near-term trajectory turns on how Parties exercise the Art. 3(1)(b) private-sector choice and on whether the EU's reliance on Regulation (EU) 2024/1689 as its compliance vehicle sets a template that non-EU Parties emulate (eucrim; coe.int).
Enforcement & impact
Enforcement record
Documented enforcement actions catalogued against Council of Europe Framework Convention on AI (or against rules that this instrument now subsumes).
- Italian DPA — Clearview AIEU · 2021–2022Garante per la protezione dei dati personali (Italian DPA) v. Clearview AI Inc. — Mass scraping of publicly-available facial images + biometric processing without legal basis under GDPR. Provision of services to Italian users without GDPR-compliant data-processing arrangements.Lesson: €20M fine + mandatory deletion of Italian-resident facial-recognition data. Established that GDPR provides binding enforcement authority for biometric-AI applications even where no AI-specific instrument exists. Replicated in France (2022) + UK (2022) + Greece (2022) — the only successful cross-jurisdictional AI enforcement so far.
Cross-jurisdiction comparison
How peer instruments treat the topics Council of Europe Framework Convention on AI governs.
| Topic | EU-AIA-2024 | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | CN-GENAI-2023 | G7-HIROSHIMA | OECD-AI-PRIN | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | NIST-AI-RMF-GENAI | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | EU-GDPR-2016 | EU-GPAI-COP-2025 | OMB-M-24-10 | GSA-AI-GUIDE-2024 | DOD-RAI-2022 | FEDRAMP-AI-2024 | DFARS-252-204 | CA-SB-53 | CA-SB-243 | CA-SB-942 | EU-PLD-2024 | UNESCO-AI-ETHICS-2021 | EU-PWD-2024 | CN-DEEPSYN-2022 | NY-RAISE-2025 | US-TAKEITDOWN-2025 | IT-AILAW-2025 | JP-AIPROMO-2025 | UN-GDC-2024 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AI in Criminal Justice | governs | governs | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | governs | silent | silent |
| Transparency Obligations | governs | implicit | silent | implicit | conflicts | governs | governs | implicit | governs | implicit | governs | governs | implicit | implicit | governs | governs | silent | governs | implicit | implicit | governs | implicit | governs | governs | governs | governs | governs | governs | governs | governs | governs | silent | governs | governs | governs | implicit | governs | governs | governs | governs | silent | governs | governs | governs |
| Individual Redress | governs | silent | silent | implicit | governs | silent | governs | silent | implicit | silent | silent | implicit | implicit | governs | governs | silent | silent | silent | silent | silent | silent | silent | silent | implicit | implicit | governs | silent | governs | implicit | implicit | implicit | silent | implicit | governs | silent | governs | governs | governs | governs | silent | implicit | implicit | implicit | implicit |
| National Security Carveouts in AI Regulation | governs | governs | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | governs | implicit | governs | silent | silent | silent | silent | silent | silent | implicit | silent | silent | governs | implicit | silent |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
See also
Per-audience views
- Provisions →Article-by-article obligation breakdown for procurement + RFP authors.
- Disclosure form →Vendor-disclosure questionnaire derived from this instrument's operative obligations.
- Harm narratives →Documented harms relevant to this instrument's topics, for civil-society advocacy.
- Briefing pack →Journalist-ready summary with quotes + dates + primary-source links.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Further reading
177 academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Facial recognition technology in law enforcement: a scoping review of existing empirical studies Peer-reviewed✦ AIScoping review mapping the empirical evidence base on law-enforcement FRT, identifying gaps in research on real-world identification use and its governance.
- Machines of justice: A systematic review of AI applications in policing and criminal justice Peer-reviewed✦ AISynthesises a decade of AI-in-criminal-justice research, flagging "algorithmic bias, opacity, and due process" and recommending safeguards for equity and accountability.
- Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem Peer-reviewed✦ AIArgues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data.
- A Framework for Evaluating Global AI Governance Initiatives Peer-reviewed✦ AIOffers a framework to evaluate global AI governance initiatives, recommending capacity-building so Global South states can meaningfully participate in standard-setting.
- Large language models reflect the ideology of their creators Peer-reviewed✦ AIEmpirically shows LLMs encode their creators' ideologies, supporting policy incentives for home-grown models reflecting local cultural views, especially in low-resource-language regions.
- Predictive policing and predictive justice: Ethics, data protection, and the AI act Peer-reviewed✦ AIExamines how predictive-policing and predictive-justice systems interact with data-protection law and the AI Act's law-enforcement provisions, exposing accountability and oversight shortfalls.
- AI, Climate, and Regulation: From Data Centers to the AI Act Peer-reviewed✦ AIAnalyses the legal levers (AI Act energy-reporting duties, Energy Efficiency Directive data-centre KPIs, sustainability reporting) for governing AI's climate footprint and their disclosure gaps.
- National Security and New Forms of Surveillance: From the Data Retention Saga to a Data Subject Centred Approach Peer-reviewed✦ AIArgues the CJEU's controller-based route for applying EU law to national-security surveillance 'creates significant legal uncertainties,' proposing a data-subject-focused scope instead.
- Cop out: security exemptions in the Artificial Intelligence Act (in: Automating Authority — AI in European police and border regimes) Civil society✦ AIDocuments how AI Act security exemptions plus police powers to restrict supervisory information-sharing will make meaningful supervision of policing and migration AI 'extremely difficult.'
- Governing AI Agents Preprint✦ AIUses "agency law and theory to identify and characterize problems arising from AI agents" and proposes governance infrastructure built on inclusivity, visibility, and liability.
- Infrastructure for AI Agents Peer-reviewed✦ AIProposes "agent infrastructure": external technical systems for attributing actions "to specific agents, their users, or other actors," shaping interactions, and remediating harms.
- Multi-Agent Risks from Advanced AI Research institute✦ AIIdentifies three failure modes of advanced multi-agent systems — "miscoordination, conflict, and collusion" — plus seven risk factors, posing challenges distinct from single-agent AI.
+ 165 more across this instrument's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Mireia Yurrita, Himanshu Verma, Agathe Balayn, Kars Alfrink, Ujwal Gadiraju, and Alessandro Bozzon (2025) Identifying Algorithmic Decision Subjects' Needs for Meaningful Contestability, Proceedings of the ACM on Human-Computer Interaction (CSCW). 10.1145/3757415 — Empirically elicits what decision subjects need for contestation to be 'meaningful', informing the design of effective remedies and appeal mechanisms for ADM. ↩
- arXiv:2504.18236 ↩
- 10.1017/err.2025.10070 ↩
- Pedro Robles, Daniel J. Mallinson, Eric Best, Cheryl Devaney, Lauren Azevedo (2025) Global perspectives on regulating facial recognition technology utilization for criminal justice arrests, Global Public Policy and Governance. 10.1007/s43508-025-00117-9 — Comparative study of facial-recognition regulation for arrests across democracies finds frameworks are inconsistent and unclear, raising privacy and civil-liberties risks. ↩
- Huw Roberts, Mariarosaria Taddeo, Luciano Floridi (2026) A Framework for Evaluating Global AI Governance Initiatives, Global Policy. 10.1111/1758-5899.70164 — Offers a framework to evaluate global AI governance initiatives, recommending capacity-building so Global South states can meaningfully participate in standard-setting. ↩
- Chris Jones, Romain Lanneau (Statewatch) (2025) Cop out: security exemptions in the Artificial Intelligence Act (in: Automating Authority — AI in European police and border regimes), Statewatch. source — Documents how AI Act security exemptions plus police powers to restrict supervisory information-sharing will make meaningful supervision of policing and migration AI 'extremely difficult.' ↩
- Maria Tzanou, Plixavra Vogiatzoglou (2025) National Security and New Forms of Surveillance: From the Data Retention Saga to a Data Subject Centred Approach, European Papers. source — Argues the CJEU's controller-based route for applying EU law to national-security surveillance 'creates significant legal uncertainties,' proposing a data-subject-focused scope instead. ↩
- Chiara Gallese (2026) Predictive policing and predictive justice: Ethics, data protection, and the AI act, Computer Law & Security Review. 10.1016/j.clsr.2026.106282 — Examines how predictive-policing and predictive-justice systems interact with data-protection law and the AI Act's law-enforcement provisions, exposing accountability and oversight shortfalls. ↩
- CETS No. 225
- Applies to AI throughout lifecycle (Art. 3)
- Arts. 10-11 (privacy + non-discrimination)
- Non-discrimination + dignity provisions
- Art. 14 (procedural safeguards)
- Art. 8 (transparency + oversight)
- Arts. 14-15 (procedural safeguards + remedies)
- Art. 11 (privacy + data protection)
- Rights-based framing partly overlaps with development-rights doctrine but not explicitly
- General-AI scope (Art. 3) covers agent systems; no agent-specific provision
- Art. 7 sustainability principle; environmental impact subsumed
- Art. 3 — does not apply to AI used for national security / defence
How to cite this article
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/coe-ai-convention — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Does this instrument’s approach work? — the social-science evidence
Aggregated over the 11 topics this instrument governs: whether each harm is empirically real, and whether the peer-reviewed evidence shows governance reduces it. The badge is the epistemic status of the evidence— “thin”/“absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Of the 11 governed topics with a social-science evidence review, evidence that governance reduces the harm is established for 0, contested for 0, thin for 2, and absent for 9 — for most, no replicated study yet shows this instrument's approach works (the "second silence").
Agentic AI Governance
The capability that agentic governance targets — autonomous multi-step action — is real and rapidly, measurably advancing: METR finds the task length AI agents complete at 50% reliability has doubled roughly every seven months for the past six years (about 50 minutes for frontier 2025 models), and the UK AI Security Institute's first Frontier AI Trends Report (Dec 2025, >30 systems) reports models now finish hour-long software tasks >40% of the time versus <5% in late 2023. The distinct realized HARM from agency (as opposed to the underlying model) is, however, thinly documented: on consequential real-world tasks agents still fail the majority — Gemini 2.5 Pro completed only 30.3% of TheAgentCompany's 175 professional tasks (OpenHands scaffold, project leaderboard) — so the agency-specific harm magnitude is early and context-dependent rather than established at scale.
Sources: Kwa, West, Becker et al. 2025 (METR; arXiv:2503.14499, 'Measuring AI Ability to Complete Long Tasks'); UK AI Security Institute 2025 (Frontier AI Trends Report, Dec 2025); Xu, Song, Zhou et al. 2024 (TheAgentCompany, arXiv:2412.14161); 30.3% figure per TheAgentCompany leaderboard (OpenHands)
There is no impact-evaluation evidence that agent-specific governance reduces agentic harm: the operative regimes — the EU GPAI Code of Practice (published July 2025, voluntary/non-binding), the Seoul Frontier AI Safety Commitments (2024, voluntary), and AISI agent evaluations — are 2024-25 vintage and have never been measured against an outcome. The scholarship itself has not settled the contested unit of regulation: Kolt (2025) argues for governing the agentic relationship via principal-agent and agency-law tools, while Chan, Ezell, Kaufmann et al. (2024) propose agent-specific visibility mechanisms (identifiers, real-time monitoring, activity logging) that remain proposal-stage and unevaluated — meaning the field has design proposals but, as with most frontier-AI rules, the evidence that any of them works is absent rather than merely thin.
Sources: Kolt 2025 ('Governing AI Agents', 101 Notre Dame L. Rev., forthcoming; arXiv:2501.07913); Chan, Ezell, Kaufmann et al. 2024 ('Visibility into AI Agents', ACM FAccT 2024, pp. 958-973; DOI 10.1145/3630106.3658948); EU AI Office 2025 (GPAI Code of Practice, July 2025); Seoul Frontier AI Safety Commitments 2024
Biometric Identification
Demographic accuracy disparities in facial recognition are robust and replicated. NIST's Face Recognition Vendor Test (189 algorithms, 18.27M images) found one-to-one false-positive rates for Asian and African-American faces elevated 10-100x over white males, with the highest one-to-many false positives for African-American women; Buolamwini & Gebru's Gender Shades found commercial gender-classification error up to 34.7% for darker-skinned women vs 0.8% for lighter-skinned men. Documented downstream harm includes at least 8-15 US wrongful arrests, nearly all of Black people. Honest caveat: magnitude is highly algorithm-dependent — the most accurate algorithms show small or statistically undetectable differentials — so the harm is real but not uniform across systems.
Sources: Grother, Ngan & Hanaoka 2019 (NISTIR 8280, FRVT Part 3: Demographic Effects); Buolamwini & Gebru 2018 (Gender Shades, PMLR 81); Hill 2020 / Williams v. City of Detroit (ACLU 2021)
Rigorous evidence that GOVERNANCE of biometric ID reduces the documented harms is sparse. The one quantitative impact evaluation of police facial-recognition policy (Johnson et al. 2024, difference-in-differences across 268 US cities) studies effects on violent crime — a crime-control outcome, not misidentification harm — from a single research group, and does not establish that any safeguard regime curbs wrongful identification. Direct evidence on procedural safeguards points the other way: in the known wrongful-arrest cases police are reported to have bypassed required corroboration/probable-cause standards, and the strongest documented enforcement levers are private-sector biometric-privacy laws — Illinois BIPA (e.g. Meta's $650M settlement) and the separate Texas CUBI law (a $1.4B Meta settlement) — which govern private actors, not the law-enforcement context where the arrests occur. No replicated study shows a specific regulatory regime measurably reduces demographic misidentification harm.
Sources: Johnson et al. 2024 (Cities, 'Police facial recognition applications and violent crime control in U.S. cities'); Harwell & Schaffer 2025 (Washington Post, 'Arrested by AI'); Illinois BIPA (Rosenbach v. Six Flags 2019; Meta $650M settlement 2021); Texas CUBI (Meta $1.4B settlement 2024)
AI in Criminal Justice
Whether algorithmic risk assessment reproduces racial disparity is a genuine, partly mathematically irreducible dispute rather than merely an unresolved measurement question. ProPublica's analysis of COMPAS in Broward County found Black defendants who did not reoffend were nearly twice as likely to be flagged high-risk as comparable white defendants (44.9% vs 23.5% false-positive rate; Angwin et al. 2016), and Dressel & Farid (2018) showed COMPAS is no more accurate (65.2%) than untrained laypeople (67.0%); the developer's reanalysis (Flores, Bechtel & Lowenkamp 2016) found the same tool satisfies predictive parity and calibration across race. Honest caveat: Chouldechova (2017) proved both sides can be correct simultaneously — when recidivism base rates differ across groups, equal calibration and equal error rates cannot both hold, so the disagreement is partly definitional, not merely a data dispute to be settled.
Sources: Angwin, Larson, Mattu & Kirchner 2016 (ProPublica, 'Machine Bias'); Dressel & Farid 2018 (Science Advances 4:eaao5580); Flores, Bechtel & Lowenkamp 2016 (Federal Probation 80(2):38); Chouldechova 2017 (Big Data 5(2):153)
Rigorous evidence that governing criminal-justice algorithms — mandating, auditing, or adopting risk tools — reduces the racial-disparity harm that motivates the rules is essentially absent. The leading real-world impact evaluation, Stevenson's (2018) study of Kentucky's mandatory pretrial risk-assessment law (>1M cases), found only a small increase in pretrial release that eroded as judges reverted to prior habits, with no reduction in racial disparities in pretrial detention. The closest analogue evaluations measure operational crime outcomes, not equity, and are largely null: Chicago's Strategic Subjects List had no effect on victimization (Saunders, Hunt & Hollywood 2016) and the only randomized predictive-policing trials tested crime reduction, not disparate impact (Mohler et al. 2015) — so the evidence that any governance regime measurably reduces algorithmic racial disparity is itself missing.
Sources: Stevenson 2018 (Minnesota Law Review 103:303); Saunders, Hunt & Hollywood 2016 (Journal of Experimental Criminology 12(3):347); Mohler et al. 2015 (JASA 110(512):1399)
Development-Rights Framings
Development-rights framing is a normative/doctrinal frame, so its empirical status splits: the underlying North-South asymmetry it responds to is real and documented, but the claim that a development-rights diagnosis is the correct one is contested doctrine, not a settled finding. The strongest empirical anchor is the exploitative-data-labour evidence — Miceli & Posada's (2022) multi-method qualitative study of Latin American annotation work (Foucauldian dispositif analysis of 210 instruction documents, 55 interviews, plus participant observation) found workers paid cents-per-task with strict surveillance and whose worldviews are subordinated to requesters' — which substantiates the extraction the frame names, building on the data-colonialism thesis (Couldry & Mejias 2019), and extended by comparative political-economy work on AI annotation 'data empires' (Wu, Muldoon & Xia 2025). Honest caveat: whether 'digital self-determination' or 'Global-South sovereignty' is the right operational response (and whether it conflicts with the EU AIA's rights-based design) is a conceptual/legal question with essentially no empirical evidence base — the frame is established as a critique, thin as a tested governance prescription.
Sources: Miceli & Posada 2022, 'The Data-Production Dispositif' (Proc. ACM Hum.-Comput. Interact. 6, CSCW2, Art. 460:1-37); Couldry & Mejias 2019, 'Data Colonialism' (Television & New Media 20(4):336-349); Wu, Muldoon & Xia 2025, 'Global data empires' (Big Data & Society 12(2))
There is no rigorous impact evaluation showing that development-rights / digital-self-determination / sovereignty governance achieves its stated developmental or self-determination aims — the evidence that the frame 'works' as policy is itself missing, largely because the frame is recent, heterogeneous, and rarely instantiated in a single measurable instrument. The closest empirical literature studies one common operational proxy (data localization) and measures economic cost rather than the frame's goals: Ferracane, Kren & van der Marel's (2020) firm/industry productivity analysis finds data-policy restrictiveness associated with lower TFP in data-intensive downstream sectors, Ferracane & van der Marel's (2021) gravity analysis finds data restrictions inhibit trade in digital services, and Bauer, Lee-Makiyama, van der Marel & Verschelde's (2014) GTAP general-equilibrium estimates project GDP losses from localization across seven jurisdictions including Brazil and India. None tests whether sovereignty framing reduces extractive asymmetry or advances local AI capability — so claims on both the benefit and cost sides rest on weak or indirect evidence.
Sources: Ferracane, Kren & van der Marel 2020, 'Do data policy restrictions impact the productivity performance of firms and industries?' (Review of International Economics 28(3):676-722); Ferracane & van der Marel 2021, 'Do data policy restrictions inhibit trade in services?' (Review of World Economics 157(4):727-776); Bauer, Lee-Makiyama, van der Marel & Verschelde 2014, 'The Costs of Data Localisation: Friendly Fire on Economic Recovery' (ECIPE Occasional Paper 3/2014)
AI in Employment
Discrimination and adverse outcomes in employment decisions are empirically well-established, and AI systems demonstrably reproduce them. The foundational field-experiment literature shows robust human baseline discrimination (Bertrand & Mullainathan 2004 found White-sounding names received 50% more callbacks), and AI-specific audits confirm the pattern: Amazon scrapped a recruiting tool that penalized resumes containing 'women's' (Dastin 2018), and a controlled resume-screening audit of language-model retrieval found systems favored White-associated names ~85% of the time and never preferred Black male-associated over White male-associated names (Wilson & Caliskan 2024). On the monitoring side, a meta-analysis (k=94, N≈23,461) found electronic performance monitoring reliably raises worker stress with no evidence of improved performance (Ravid et al. 2023). Honest caveat: measured disparities are highly model-, prompt-, and context-dependent, and most evidence comes from controlled audits and one firm's internal test rather than measured outcomes in live, at-scale hiring pipelines.
Sources: Bertrand & Mullainathan 2004 (American Economic Review 94(4):991-1013); Wilson & Caliskan 2024 (AAAI/ACM AIES; 'Gender, Race, and Intersectional Bias in Resume Screening via Language Model Retrieval'); Dastin 2018 (Reuters, 'Amazon scraps secret AI recruiting tool that showed bias against women'); Ravid, White, Tomczak & Behrend 2023 (Personnel Psychology 76:5-40)
There is no rigorous evidence that governing AI in employment reduces the documented harms; the central evaluated regime appears to fail at the compliance stage before any impact on bias can occur. NYC Local Law 144 — the first jurisdiction worldwide to mandate independent bias audits and public posting for automated employment decision tools — was directly studied across 391 employers and found to produce 'null compliance': the law's discretion makes it impossible to tell whether firms comply, with very few posting the required audits (Wright et al. 2024). Parallel qualitative work shows the audits themselves are undermined by missing demographic data, opaque aggregation, and 'test data' that does not reflect real use (Groves et al. 2024). No study links any AI-employment rule to a measured reduction in discriminatory hiring outcomes — the evidence that the rule works is itself missing, largely because mandated transparency artifacts (audit reports) are sparse, non-standardized, and unenforced.
Sources: Wright, Muenster, Vecchione, Metcalf & Matias et al. 2024 ('Null Compliance: NYC Local Law 144 and the Challenges of Algorithm Accountability', ACM FAccT '24); Groves, Metcalf, Kennedy, Vecchione & Strait 2024 ('Auditing Work: Exploring the New York City algorithmic bias audit regime', ACM FAccT '24); Ravid, White, Tomczak & Behrend 2023 (Personnel Psychology 76:5-40, on monitoring outcomes as the closest analogue evaluation evidence)
Environmental Impact of AI Training
The resource demands of AI compute are empirically documented at the model level: Strubell et al. (2019) quantified large-NLP training energy/carbon, Luccioni et al. (2023) estimated BLOOM's training at ~24.7 tCO2eq (dynamic power) rising to ~50.5 tCO2eq with manufacturing and deployment, Li et al. (2023) estimated GPT-3-scale training in US datacenters can evaporate on the order of hundreds of thousands of litres of freshwater (their central figure ~700,000 L), and Luccioni, Jernite & Strubell (2024) showed generative inference is markedly more energy-intensive per query than task-specific models; at the macro scale the IEA (2024) and de Vries (2023) document rapidly rising datacenter electricity demand. Honest caveat: absolute estimates vary by up to orders of magnitude with grid carbon intensity, hardware, utilisation and accounting boundaries, and cleanly attributing the AI-specific increment (versus general datacenter and crypto growth) remains genuinely contested — the IEA itself bundles AI with datacenters and crypto — so the existence of the footprint is established while its magnitude and trajectory are not.
Sources: Strubell, Ganesh & McCallum 2019 (ACL Anthology P19-1355; 'Energy and Policy Considerations for Deep Learning in NLP'); Luccioni, Viguier & Ligozat 2023 (JMLR 24; BLOOM 176B carbon footprint, 24.7/50.5 tCO2eq; arXiv:2211.02001); Li, Yang, Islam & Ren 2023 (arXiv:2304.03271, 'Making AI Less Thirsty', later Comm. ACM 2025); Luccioni, Jernite & Strubell 2024 (ACM FAccT '24, 'Power Hungry Processing', DOI 10.1145/3630106.3658542); de Vries 2023 (Joule 7(10):2191-2194, DOI 10.1016/j.joule.2023.09.004); IEA 2024 (Electricity 2024)
There is no impact evaluation showing that any AI-specific environmental-governance instrument reduces energy, water or carbon use, because every named instrument is voluntary or non-binding and very recent: EU AI Act Art. 95 codes of conduct are explicitly optional with no sanctions, and NIST AI 600-1 and the G7 Hiroshima Code are guidance, not enforceable caps. The closest analogue evaluation literature is divided in a way that disfavours the voluntary form chosen here: rigorous reviews find voluntary environmental programs generally fail to produce significant abatement beyond business-as-usual (Koehler 2007; Morgenstern & Pizer 2007), whereas the one form with credible positive evidence is mandatory disclosure (Downar et al. 2021 found a UK carbon-reporting mandate cut emissions ~8% versus a control group) which the AI instruments do not yet impose, leaving the proposition that AI environmental governance works essentially untested.
Sources: EU AI Act Art. 95 / Recital 142 (Reg. (EU) 2024/1689); NIST AI 600-1 (2024, GenAI Profile); G7 Hiroshima Process International Code of Conduct (30 Oct 2023); Koehler 2007 (Policy Studies Journal 35(4):689-722); Morgenstern & Pizer (eds.) 2007 (Reality Check, RFF Press); Downar, Ernstberger, Reichelstein, Schwenen & Zaklan 2021 (Review of Accounting Studies 26(3):1137-1175)
Foundation Models / GPAI
Whether the foundation-model category maps to a coherent capability/risk tier is genuinely contested. The original case rests on scale-driven 'emergent abilities' that appear unpredictably above a size threshold (Wei et al. 2022; Ganguli et al. 2022 documented capabilities that are smoothly predictable in aggregate loss yet locally surprising), but Schaeffer, Miranda & Koyejo (2023, a NeurIPS Outstanding Paper) showed many 'emergent' jumps are artefacts of discontinuous metrics and dissolve under linear/continuous scoring — implying capability scales more smoothly than a sharp tier would suggest. Honest caveat: this is a live empirical disagreement about measurement, not a settled finding either way, and compute (the regulatory proxy) is an imperfect stand-in for capability or risk regardless of which side is right.
Sources: Wei et al. 2022 (Emergent Abilities of Large Language Models, TMLR; arXiv:2206.07682); Schaeffer, Miranda & Koyejo 2023 (Are Emergent Abilities of Large Language Models a Mirage?, NeurIPS 2023, Outstanding Paper; arXiv:2304.15004); Ganguli et al. 2022 (Predictability and Surprise in Large Generative Models, ACM FAccT; DOI 10.1145/3531146.3533229)
There is no impact evaluation showing that GPAI/foundation-model governance reduces harm — the rules are too new (EU AI Act GPAI obligations and the 10^25-FLOP systemic-risk presumption only began binding on 2 August 2025) and the central regulatory lever is itself contested: Hooker (2024) argues compute thresholds are a shortsighted proxy because compute does not reliably track capability or risk, and the thresholds already diverge across jurisdictions (EU 10^25 vs. the now-rescinded US EO 14110's 10^26 operations, rescinded 20 January 2025). The mandated mitigation methods also lack validated efficacy: model evaluation and red-teaming face well-documented coverage limits and an 'audit gap' in the survey/position literature (behavioural testing cannot establish the absence of untested failure modes), and adversarial red-teaming repeatedly defeats deployed safeguards — the UK AI Safety Institute reports finding universal jailbreaks for every frontier system it has tested, and a large public agent-injection competition elicited policy violations across all 22 frontier models tested from ~1.8M attacks (Zou et al. 2025). Even compliant evaluation therefore cannot yet certify the safety the rules demand. (Caveat: this is an absence-of-evidence claim — no efficacy study has been done — not evidence the rules are ineffective.)
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Arts. 51 & 55 (GPAI systemic-risk presumption, 10^25 FLOP; binding 2 Aug 2025); US EO 14110 (10^26-operation reporting threshold, rescinded 20 Jan 2025 by EO 14148); Zou et al. 2025 (Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition / Gray Swan Arena, arXiv:2507.20526 — 22 frontier agents, ~1.8M attacks); UK AI Safety/Security Institute, Frontier AI Trends Report (universal jailbreaks for every system tested); METR, Common Elements of Frontier AI Safety Policies (2024)
National Security Carveouts in AI Regulation
That civilian AI-governance instruments carve out national-security uses is black-letter and undisputed (EU AIA Art. 2(3); CoE Framework Convention Art. 3(2) on national-security activities, distinct from Art. 3(4) on national defence; US NSM-25 (Oct. 2024) as the national-security-track instrument fulfilling §4.8 of EO 14110); civil-society legal analysis argues a blanket exclusion is harder to square with a necessity-and-proportionality approach than a qualified one (Korff/ECNL 2022; Vogiatzoglou 2024). But whether the carveout itself produces concrete unredressed harm is empirically under-observed almost by construction — the secrecy it confers suppresses the very evidence needed to measure it. The closest analogue, national-security deference in the courts, shows the mechanism is real (the FISC granted all but eleven of 33,900 applications 1979-2012, a 99.97% approval rate; Sinnar 2022 documents downstream harms to securitized communities), yet Clarke (2014) shows that lopsided ex parte approval rates alone do not prove rubber-stamping, because rational case selection and pre-vetting produce similar rates in ordinary Title III wiretaps (99.93%) and delayed-notice warrants (99.6-99.8%) — so the magnitude of harm attributable to the carveout, as opposed to the legitimate secrecy of the domain, remains genuinely contested.
Sources: Korff 2022 (ECNL Opinion on the implications of the exclusion of national security from AI legislation, Oct. 2022); Sinnar 2022 (Harvard Law Review Forum 136:59, 'A Label Covering a "Multitude of Sins": The Harm of National Security Deference'); Clarke 2014 (Stanford Law Review Online 66:125, 'Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?'); EPIC FISC statistics 1979-2012
There is no impact evaluation showing that any specific design of the national-security carveout — categorical exclusion versus parallel governance track versus civilian-compliance-with-override — measurably improves oversight or reduces harm relative to the alternatives; the question is argued doctrinally (Vogiatzoglou 2024; Korff/ECNL 2022) but has never been tested empirically. The closest analogue evaluation literature is on the parallel-track model already in use for intelligence surveillance (the FISC / FISA oversight regime), and even there the evidence that the mechanism delivers effective scrutiny is itself contested rather than established (Clarke 2014; Sinnar 2022). No direct evaluation exists because the carveouts are recent (EU AIA 2024, CoE Framework Convention 2024, US NSM-25 2024), enforcement actions are by design non-public, and private parties typically lack standing to challenge a specific exempt deployment — the structural features that make the harm hard to observe also make the governance impossible to evaluate.
Sources: Vogiatzoglou 2024 (Verfassungsblog, 'The AI Act National Security Exception: room for manoeuvres?', 9 Dec. 2024); Korff 2022 (ECNL Opinion, exclusion of national security from AI legislation); Clarke 2014 (Stanford Law Review Online 66:125); Sinnar 2022 (Harvard Law Review Forum 136:59)
Individual Redress
The premise behind redress — that affected people lack meaningful recourse against automated decisions — is real, but the flagship instrument is weaker than commonly assumed. Wachter, Mittelstadt & Floridi (2017) show GDPR creates only a limited 'right to be informed,' not a binding 'right to explanation' of specific decisions; and controlled work finds the explanations actually delivered do not measurably improve lay decision accuracy over showing the bare AI prediction (Alufaisan et al. 2021; and a 2022 meta-analysis by Schemmer et al. — screening 393 articles down to 9 in the final analysis — reports 'no effect of explanations on users' performance compared to sole AI predictions,' even though XAI overall had a positive effect). Honest caveat: the legitimacy/dignity value of being heard is empirically well established in the procedural-justice tradition even where outcome accuracy is unchanged, so 'redress fails' depends on which aim is measured.
Sources: Wachter, Mittelstadt & Floridi 2017 (International Data Privacy Law 7(2):76); Alufaisan, Marusich, Bakdash, Zhou & Kantarcioglu 2021 (Proceedings of the AAAI Conference on AI 35(8):6618); Schemmer, Hemmer, Nitsche, Kühl & Vössing 2022 (AAAI/ACM AIES '22, meta-analysis)
There is no rigorous impact evaluation showing that mandated redress mechanisms (right-to-explanation, appeal, human-in-the-loop review) actually reduce erroneous or unfair automated decisions — the evidence that the rule works is itself missing. The closest experimental analogues are discouraging: explanations increase humans' acceptance of AI recommendations regardless of correctness (Bansal et al. 2021), and algorithm-in-the-loop oversight can introduce racial disparities and exhibit automation bias rather than reliably catching model errors (Green & Chen 2019). The procedural-justice literature (Tyler 1990; Lind & Tyler 1988) robustly supports a legitimacy and compliance benefit of fair process, but it measures perceived fairness, not reduction of the substantive decision harm redress is meant to cure.
Sources: Bansal, Wu, Zhou, Fok, Nushi, Kamar, Ribeiro & Weld 2021 (CHI '21); Green & Chen 2019 (Disparate Interactions, ACM FAT* '19); Tyler 1990 (Why People Obey the Law, Yale Univ. Press); Lind & Tyler 1988 (The Social Psychology of Procedural Justice, Plenum Press)
Training-Data Rights
That foundation models ingest copyrighted and personal works without consent is undisputed; whether that ingestion produces legally cognizable reproduction harm is genuinely contested. The CS evidence that models can memorize and emit verbatim training text is robust and replicated — Carlini et al. (2021) extracted hundreds of verbatim sequences (including PII) from GPT-2, and follow-up work (Carlini et al., Quantifying Memorization, ICLR 2023) showed extraction scales log-linearly with model size and with example duplication. Honest caveat: verbatim reproduction is the exception, not the norm — the UK High Court held that Stable Diffusion's model weights never stored copies of the training images (defeating the secondary-infringement theory), and Getty abandoned its primary training-infringement claim at trial for lack of evidence, so whether the empirical phenomenon amounts to actionable harm (rather than transient, non-expressive use) remains the open question driving NYT v. OpenAI and parallel regimes.
Sources: Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea & Raffel 2021 (Extracting Training Data from Large Language Models, 30th USENIX Security Symposium); Carlini, Ippolito, Jagielski, Lee, Tramèr & Zhang 2023 (Quantifying Memorization Across Neural Language Models, ICLR 2023; arXiv:2202.07646); Getty Images (US) Inc & ors v Stability AI Ltd [2025] EWHC 2863 (Ch) (UK High Court, 4 Nov 2025 — no secondary infringement; primary training claim abandoned at trial); The New York Times Co. v. Microsoft Corp. & OpenAI (S.D.N.Y., No. 1:23-cv-11195; consolidated In re OpenAI Copyright Infringement Litigation, Apr. 2025; ongoing 2025-2026)
There is no impact evaluation showing that the CDSM Directive Article 4 TDM exception plus its Article 4(3) opt-out reservation regime actually reduces unlicensed ingestion or channels compensation to rightsholders — the evidence that the rule works as designed is itself missing. The only available evidence is early case law and doctrinal scholarship, which document the mechanism's contested operation rather than its success: in Kneschke v. LAION the Hamburg Higher Regional Court (on appeal, 10 Dec 2025) held that a rights reservation in natural language did NOT satisfy Article 4(3)'s machine-readability requirement, invalidating the opt-out (note: the first-instance Regional Court had left the Article 4 question largely open and the case ultimately turned on the Article 3 scientific-research exception, so this machine-readability holding is appellate and not yet settled — a further appeal to the Federal Court of Justice was permitted). Legal scholars characterize the Article 4 opt-out as practically difficult and unharmonized, with no observed market in TDM licences or systematic enforcement to evaluate.
Sources: Kneschke v. LAION (Hamburg Regional Court, 27 Sept 2024, 310 O 227/23; on appeal Hamburg Higher Regional Court, 10 Dec 2025, 5 U 104/24 — opt-out held not machine-readable; further appeal to BGH permitted); Margoni & Kretschmer 2022 (A Deeper Look into the EU Text and Data Mining Exceptions, GRUR International 71(8):685-701); Quintais 2025 (Generative AI, Copyright and the AI Act, Computer Law & Security Review 56:106107)
Transparency Obligations
Documentation artifacts (model cards, datasheets) are well-specified as proposals and are genuinely adopted, but the empirical premise that mandated disclosure produces meaningful transparency is contested. Selbst & Barocas (2018) argue inscrutability and non-intuitiveness are distinct problems and that disclosing rules does not resolve the latter, and large-scale audits find documentation is sparsely and unevenly completed: a systematic analysis of 32,111 Hugging Face model cards (Liang et al. 2024) found environmental-impact, limitations and evaluation sections least often filled, and Bhat et al. (2023, 45 practitioners) found a substantial gap between the documentation proposal and actual practice. Honest caveat: the documentation frameworks themselves are real and adopted, so the dispute is about whether disclosure conveys decision-relevant information, not whether the artifacts exist.
Sources: Selbst & Barocas 2018 (Fordham Law Review 87:1085-1139); Liang et al. 2024 (Nature Machine Intelligence, s42256-024-00857-z, 'Systematic analysis of 32,111 AI model cards'); Bhat et al. 2023 (CHI '23, 'Aspirations and Practice of ML Model Documentation', DOI 10.1145/3544548.3581518); Mitchell et al. 2019 (FAccT, Model Cards for Model Reporting); Gebru et al. 2021 (CACM 64(12):86-92, Datasheets for Datasets)
There is no rigorous impact evaluation showing that AI transparency mandates (model cards, training-data summaries) measurably reduce bias, misuse or accidents — the central regulatory assumption is empirically untested, partly because flagship mandates like EU AI Act Art. 53(1)(d) GPAI training-data summaries are only subject to AI Office enforcement/verification from 2 August 2026 (the obligation itself began 2 August 2025 for new models). The closest analogue, mandated consumer disclosure, shows small and context-dependent effects: Bollinger, Leslie & Sorensen (2011) found mandatory calorie posting cut average calories per transaction by about 6%, while Loewenstein, Sunstein & Golman (2014) review evidence that disclosure effects are frequently diminished or even reversed by limited attention and often change provider rather than recipient behavior. These are analogues, not AI studies; no study demonstrates that AI transparency disclosure achieves its stated downstream safety aims.
Sources: Bollinger, Leslie & Sorensen 2011 (AEJ: Economic Policy 3(1):91-128); Loewenstein, Sunstein & Golman 2014 (Annual Review of Economics 6:391-419, 'Disclosure: Psychology Changes Everything'); EU AI Act Art. 53(1)(d) GPAI training-data summary (obligation from 2 Aug 2025; AI Office enforcement from 2 Aug 2026)