Risk-based framework. Prohibited practices (Art. 5) effective 2 February 2025; general-purpose AI obligations (Arts. 51-55) 2 August 2025; high-risk system obligations (Title III) 2 August 2026. Staggered 6/12/24-month application timeline from 1 August 2024 entry-into-force per Regulation (EU) 2024/1689 Art. 113.
What obligations does the EU AI Act impose on a deployer of a high-risk AI system, and when do they take effect?
Deployers of Annex III high-risk systems must conduct a Fundamental Rights Impact Assessment (Art. 27), monitor system operation (Art. 26(5)), retain logs (Art. 26(6)), inform affected workers (Art. 26(7)), and ensure human oversight (Art. 26(2)). Obligations apply from 2 August 2026; the prohibited-practices regime (Art. 5) is already in force since February 2025, and the general-purpose AI obligations (Art. 51-55) since August 2025.High confidence
First binding cross-sectoral AI regulation; Art. 5 prohibits social scoring and untargeted biometric scraping; Art. 26 obligates deployers; staged effectiveness 2025-2027.
“Practices that pose unacceptable risks to safety, livelihoods, and fundamental rights are prohibited (Art. 5(1)).”
art:5(1) · Primary source
Background & scope
EU AI Act addresses 13 contested AI-governance topics explicitly, 5 via general principles.
Provisions & coverage
- governsFoundation Models / GPAI
Art. 51(1)[10] - governsBiometric Identification
Art. 5(1)(h)[10] - governsDeepfakes / Synthetic Content
Art. 50(4)[10] - governsAI in Employment
Annex III §4[10] - governsAI in Healthcare
Annex III §5(a)[10] - governsAI in Criminal Justice
Annex III §6[10] - governsAI in Education
Annex III §3(a)[10] - governsCompute-Threshold Reporting
Art. 51(2)[10] - governsTransparency Obligations
Art. 50(1)[10] - governsIndividual Redress
Art. 85[10] - implicitTraining-Data Rights
Art. 53(1)(d)[10] - implicitCatastrophic & Existential Risk
Art. 3(65)[10] - implicitTechnological Sovereignty
Art. 1(1)[10] - implicitAgentic AI Governance
Art. 26(1)[10] - governsOpen-Weight Frontier Release
Art. 53(2)[10] - governsSynthetic Content Provenance
Art. 50(2)[10] - implicitEnvironmental Impact of AI Training
Art. 95(2)[10] - governs
Operative mechanics: a risk-tiered, product-safety architecture
Regulation (EU) 2024/1689 structures obligations around an escalating risk taxonomy rather than a sectoral or technology-specific frame. At the apex, Art. 5(1) prohibits a closed list of practices deemed to pose unacceptable risk — including social scoring (Art. 5(1)(c)), untargeted scraping of facial images to build recognition databases (Art. 5(1)(e)), emotion inference in workplaces and education (Art. 5(1)(f)), and (subject to narrow law-enforcement carve-outs) real-time remote biometric identification in publicly accessible spaces (Art. 5(1)(h)). The bulk of the regime governs 'high-risk' systems, classified via Art. 6 by reference to Annex I product-safety legislation and the Annex III use-case list (e.g. biometrics, critical infrastructure, employment, essential services). Providers of such systems carry the heaviest burden: a risk-management system (Art. 9), data-governance duties (Art. 10), technical documentation (Art. 11), logging (Art. 12), transparency and instructions for use (Art. 13), human oversight by design (Art. 14), and accuracy/robustness/cybersecurity (Art. 15), all funnelled through ex-ante conformity assessment and CE-marking (Arts. 16, 43). Deployers face a lighter but distinct set, including human oversight in operation (Art. 26(2)), log retention (Art. 26(6)), worker information (Art. 26(7)), and — for public bodies and certain private deployers — a Fundamental Rights Impact Assessment (Art. 27). A separate transparency tier (Art. 50) requires disclosure for chatbots, deepfakes, and synthetic-media labelling — though an empirical audit of generative tools finds adoption of these labelling duties remains partial, with only 38% implementing adequate watermarking and 18% deepfake labelling 1. General-purpose AI (GPAI) is governed by a parallel Chapter V regime: baseline documentation and copyright/training-data obligations (Art. 53) escalate to model evaluation, systemic-risk assessment, adversarial testing, incident reporting, and cybersecurity (Art. 55) once a model is classified as posing 'systemic risk' under Art. 51 — presumptively triggered when cumulative training compute exceeds 10^25 floating-point operations (Art. 51(2)), a bright-line whose robustness is contested given enhancement techniques that cut measured training compute while preserving capability 2. Enforcement bites through Art. 99's tiered administrative fines: up to EUR 35 million or 7% of worldwide annual turnover for prohibited-practice breaches, EUR 15 million / 3% for most other operator obligations, and EUR 7.5 million / 1% for supplying incorrect information.
Cross-jurisdiction position: the only binding horizontal regime
The Act is the first binding, cross-sectoral ('horizontal') AI statute, a status that distinguishes it sharply from peer instruments and underpins claims of a 'Brussels effect' extraterritorial pull (Reg. (EU) 2024/1689 applies via Art. 2 to providers placing systems on the EU market regardless of establishment). China's regime is binding but vertical and rolled out piecemeal — the Interim Measures for the Management of Generative AI Services (effective 15 August 2023) target public-facing generative services with content-control and security-assessment duties, and scholarship reads them partly as a pro-growth signalling device rather than a comprehensive risk framework 3. The United States lacks a federal counterpart: a market-led posture was reinforced when the January 2025 executive order rescinded prior safeguards, and the December 2025 'national policy framework' order directed agencies to contest divergent state laws (90 Fed. Reg. 58499). State experimentation has likewise pivoted away from the EU template — Colorado's 2024 AI Act, the closest US analogue with its developer/deployer split and impact-assessment duties, was reworked in 2026 toward a transparency-and-recordkeeping model rather than EU-style conformity assessment (Mayer Brown 2026). The Council of Europe's Framework Convention on AI (CETS No. 225, opened for signature 5 September 2024) is binding by ratification but principles-based and rights-focused, lacking the Act's granular conformity machinery (Council of Europe 2024, CETS No. 225). Comparative scholarship situates these as three distinct 'rulebooks' — rights-based (EU), state-control (China), and market-driven (US) — competing for influence 4, with the Act's compute-threshold approach to GPAI (Art. 51(2)) now the most-emulated technical mechanism abroad.
Key fault lines: enforcement architecture and rights redress
Scholarly and practitioner critiques cluster around the Act's reliance on a product-safety, standards-mediated model imported from goods regulation. Veale and Zuiderveen Borgesius argue the draft leaned on '1980s product safety regulation' and delegated substantive content to standardisation bodies 'with no fundamental rights experience', warning that key protections turn on essential-requirements text operationalised through CEN-CENELEC harmonised standards rather than legislative specification 5. A related concern is the redress gap: the original proposal offered affected persons no individual complaint or judicial remedy, a deficiency only partially addressed in the final text via the Art. 85 right to lodge complaints with a market-surveillance authority and the Art. 86 right to explanation of individual decisions — remedies critics still view as thin relative to GDPR-style enforcement. Commentators also flag the self-assessment default for most Annex III systems (Art. 43 permits internal conformity assessment for many categories, reserving third-party bodies for biometrics), the breadth and contestability of the Art. 51 systemic-risk presumption, and the dependence of the entire high-risk regime on harmonised standards that were not finalised on schedule. Almada and Petit frame the Act as a hybrid that yokes two divergent EU traditions — product safety and fundamental-rights protection — and argue the combination strains where their structural logics diverge 6, while related work asks whether fundamental-rights protection can be meaningfully embedded in technical standardisation processes at all 7, and whether maximum harmonisation pre-empts legitimate national AI policy (Veale & Zuiderveen Borgesius 2021). These debates frame the Act less as settled law than as a contested experiment in regulating a moving technological target through static conformity instruments.
Implementation and trajectory: staggered timeline and the Digital Omnibus
The Act entered into force on 1 August 2024 (twenty days after Official Journal publication of Reg. (EU) 2024/1689 on 12 July 2024) and applies on a staggered schedule under Art. 113: prohibited practices (Art. 5) from 2 February 2025, GPAI obligations (Chapter V) from 2 August 2025, and high-risk obligations from 2 August 2026 (Annex III use-cases) and 2 August 2027 (Annex I product-regulated systems). Implementation infrastructure followed the timeline unevenly: the European Commission's AI Office was established to supervise GPAI, and a voluntary GPAI Code of Practice (published by the AI Office on 10 July 2025) with accompanying Commission scope guidelines (published 18 July 2025) was issued to bridge the gap until harmonised standards exist — guidance that had to stabilise still-contested boundaries between the Act's 'AI system', 'general-purpose AI model', and 'foundation model' categories 8. By late 2025 the standards pipeline and supporting tools were visibly behind schedule, prompting the Commission to table the 'Digital Omnibus on AI' on 19 November 2025 as part of a broader simplification drive (European Commission 2025). A provisional inter-institutional agreement reached on 7 May 2026 deferred the high-risk deadlines — Annex III obligations from 2 August 2026 to 2 December 2027 (a 16-month slip tied to standards availability), and Annex I obligations from 2 August 2027 to 2 August 2028 — while adding targeted measures such as a ban on 'nudifier' applications (European Parliament press release, 23 March 2026). Early enforcement has nonetheless begun under the in-force prohibition and GPAI tiers, with reported market-surveillance scrutiny of large platforms (Council of the EU press release, 7 May 2026). The net trajectory is one of phased, standards-contingent application in which the EU pursues AI governance through interlocking law and policy 9: the rights-protective core remains binding, but the operative high-risk machinery now hinges on whether the deferred harmonised-standards and tooling milestones are met before the revised 2027-2028 dates.
Enforcement & impact
Enforcement record
Documented enforcement actions catalogued against EU AI Act (or against rules that this instrument now subsumes).
- New York Times v. OpenAI + MicrosoftUS · 2023 · ongoingNew York Times Company (private civil litigation) v. OpenAI Inc. + Microsoft Corp. — Unauthorised reproduction of NYT-copyrighted articles in GPT training corpora; output of substantially similar text on prompted query; removal of copyright-management information.Lesson: First major frontier-foundation-model copyright lawsuit by a primary news source. Discovery has surfaced disclosure of training-data composition that the EU AIA Art. 53 transparency requirements would have surfaced ex-ante. The case is the highest-stakes ex-post-liability action testing whether US sectoral approach can substitute for ex-ante regulation on training-data rights — outcome will inform 2025-2027 regulatory debates.
- Mobley v. Workday (US AI-hiring class action)US · 2023 · ongoingMobley v. Workday, Inc., No. 3:23-cv-00770 (N.D. Cal.)Private civil class action; EEOC amicus participation v. Workday Inc. — Workday's algorithmic hiring tools allegedly screened out applicants on disability, age, and race. Class action seeks to certify Workday as an 'employment agency' under Title VII so disparate-impact theory applies to the algorithm's outputs rather than only its developers.Lesson: First major US AI-hiring class action with EEOC amicus support. If Workday is certified as an 'employment agency', US sectoral approach (EEOC + Title VII) substantially expands AI-hiring liability without requiring an AI statute. This is the load-bearing test of whether US 'principles + ex-post liability' approach can substitute for EU AIA Annex III §4 (high-risk employment AI obligations).Source record →regulator landing
- EDPB ChatGPT TaskforceEU · 2023–2024European Data Protection Board (EDPB) — coordinated DPA action v. OpenAI — Italian Garante temporarily banned ChatGPT (Mar-Apr 2023) over alleged lack of legal basis for training-data processing, missing age-verification, and inability to honour data-subject rights. EDPB convened taskforce to coordinate DPA responses.Lesson: First EU-wide AI enforcement coordination predating the EU AIA. Established that GDPR applies fully to LLM training + deployment + that DPAs would coordinate via EDPB rather than fragment. ChatGPT resumed Italian service after age-verification + Article-15 right-of-access endpoint additions. Direct precedent for EU AIA Art. 53 implementation timeline.
- Italian DPA — Clearview AIEU · 2021–2022Garante per la protezione dei dati personali (Italian DPA) v. Clearview AI Inc. — Mass scraping of publicly-available facial images + biometric processing without legal basis under GDPR. Provision of services to Italian users without GDPR-compliant data-processing arrangements.Lesson: €20M fine + mandatory deletion of Italian-resident facial-recognition data. Established that GDPR provides binding enforcement authority for biometric-AI applications even where no AI-specific instrument exists. Replicated in France (2022) + UK (2022) + Greece (2022) — the only successful cross-jurisdictional AI enforcement so far.
- France CNIL — Clearview AIEU · 2020–2023Commission nationale de l'informatique et des libertés (CNIL) v. Clearview AI Inc. — Mass scraping of facial images of French residents + biometric processing without lawful basis. CNIL imposed €20M fine + 5x €100k/day penalty for non-compliance with deletion order.Lesson: Parallel to Italian Garante action; both fined identical €20M amount within 6 months. CNIL added 5x €100k/day non-compliance penalty when Clearview refused deletion — escalation pattern that EU AIA Art. 99 (penalties up to 7% global turnover) extends. Multi-DPA replication confirms GDPR is enforceable against US-based AI providers serving EU residents.
Cross-jurisdiction comparison
How peer instruments treat the topics EU AI Act governs.
| Topic | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | CN-GENAI-2023 | G7-HIROSHIMA | OECD-AI-PRIN | COE-AI-CONV | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | NIST-AI-RMF-GENAI | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | EU-GDPR-2016 | EU-GPAI-COP-2025 | OMB-M-24-10 | GSA-AI-GUIDE-2024 | DOD-RAI-2022 | FEDRAMP-AI-2024 | DFARS-252-204 | CA-SB-53 | CA-SB-243 | CA-SB-942 | EU-PLD-2024 | UNESCO-AI-ETHICS-2021 | EU-PWD-2024 | CN-DEEPSYN-2022 | NY-RAISE-2025 | US-TAKEITDOWN-2025 | IT-AILAW-2025 | JP-AIPROMO-2025 | UN-GDC-2024 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Foundation Models / GPAI | governs | silent | implicit | governs | governs | implicit | implicit | silent | governs | governs | governs | governs | governs | implicit | governs | implicit | silent | governs | governs | governs | governs | governs | governs | governs | governs | silent | governs | implicit | governs | implicit | implicit | implicit | governs | silent | implicit | silent | silent | silent | silent | governs | silent | silent | implicit | implicit |
| Biometric Identification | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | governs | governs | silent | silent | silent | silent | silent |
| Deepfakes / Synthetic Content | governs | silent | silent | governs | governs | silent | silent | implicit | implicit | silent | silent | governs | silent | governs | silent | silent | silent | silent | silent | silent | silent | silent | governs | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | governs | silent | governs | governs | silent | silent |
| AI in Employment | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | governs | governs | silent | silent | silent | governs | silent | silent |
| AI in Healthcare | implicit | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | implicit | silent | silent | governs | silent | silent | silent | silent | governs | silent | silent |
| AI in Criminal Justice | governs | silent | implicit | silent | silent | silent | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | governs | silent | silent |
| AI in Education | implicit | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | silent | implicit | silent | silent |
| Compute-Threshold Reporting | governs | silent | silent | silent | silent | silent | silent | silent | silent | implicit | implicit | silent | governs | silent | silent | silent | silent | implicit | implicit | silent | silent | silent | implicit | silent | silent | silent | silent | governs | governs | implicit | implicit | implicit | implicit | silent | silent | silent | silent | silent | silent | implicit | silent | silent | implicit | silent |
| Transparency Obligations | implicit | silent | implicit | conflicts | governs | governs | governs | implicit | governs | implicit | governs | governs | implicit | implicit | governs | governs | silent | governs | implicit | implicit | governs | implicit | governs | governs | governs | governs | governs | governs | governs | governs | governs | silent | governs | governs | governs | implicit | governs | governs | governs | governs | silent | governs | governs | governs |
| Individual Redress | silent | silent | implicit | governs | silent | governs | governs | silent | implicit | silent | silent | implicit | implicit | governs | governs | silent | silent | silent | silent | silent | silent | silent | silent | implicit | implicit | governs | silent | governs | implicit | implicit | implicit | silent | implicit | governs | silent | governs | governs | governs | governs | silent | implicit | implicit | implicit | implicit |
| Open-Weight Frontier Release | implicit | silent | silent | implicit | silent | silent | silent | silent | silent | silent | implicit | silent | governs | silent | silent | silent | implicit | implicit | implicit | implicit | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | silent | silent | silent | silent | silent | implicit |
| Synthetic Content Provenance | governs | silent | silent | governs | governs | silent | silent | implicit | implicit | silent | silent | governs | silent | silent | implicit | silent | silent | implicit | silent | silent | silent | silent | governs | governs | implicit | silent | implicit | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | governs | silent | silent | implicit | silent | governs |
| National Security Carveouts in AI Regulation | governs | silent | implicit | silent | silent | silent | governs | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | governs | implicit | governs | silent | silent | silent | silent | silent | silent | implicit | silent | silent | governs | implicit | silent |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
See also
Child instruments — implementing acts, delegated acts, transpositions
Rows in the catalog that name EU AI Act as their parent via the parent→child schema. Includes drafts when they are tracked in the catalog; see /wiki/regulators for the cross-parent implementing-acts feed.
- Delegated actEU AI Act — delegated act on GPAI classification thresholds (Art. 51)draft — not yet publishedimplements Art. 51, Art. 52, Annex XIIIdraft
Per-audience views
- Provisions →Article-by-article obligation breakdown for procurement + RFP authors.
- Disclosure form →Vendor-disclosure questionnaire derived from this instrument's operative obligations.
- Harm narratives →Documented harms relevant to this instrument's topics, for civil-society advocacy.
- Briefing pack →Journalist-ready summary with quotes + dates + primary-source links.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Further reading
243 academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Facial recognition technology in law enforcement: a scoping review of existing empirical studies Peer-reviewed✦ AIScoping review mapping the empirical evidence base on law-enforcement FRT, identifying gaps in research on real-world identification use and its governance.
- Machines of justice: A systematic review of AI applications in policing and criminal justice Peer-reviewed✦ AISynthesises a decade of AI-in-criminal-justice research, flagging "algorithmic bias, opacity, and due process" and recommending safeguards for equity and accountability.
- Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act Peer-reviewed✦ AIEmpirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50.
- Current state of Food and Drug Administration-approved artificial intelligence/machine learning medical devices: pathways, transparency, and evidence gaps Peer-reviewed✦ AIDocuments that most FDA AI/ML devices clear via the 510(k) pathway with limited clinical validation and poor transparency, exposing regulatory evidence gaps.
- Artificial intelligence and synthetic biology: biosecurity risks, dual-use concerns, and governance pathways Peer-reviewed✦ AIReviews biosecurity and dual-use risks at the AI-synthetic-biology interface and maps governance pathways for emerging catastrophic threats.
- Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem Peer-reviewed✦ AIArgues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data.
- European ambitions captured by American clouds: digital sovereignty through Gaia-X? Peer-reviewed✦ AIShows Gaia-X paradoxically incorporates dominant US cloud providers, undermining the very European digital sovereignty it was meant to advance.
- Predictive policing and predictive justice: Ethics, data protection, and the AI act Peer-reviewed✦ AIExamines how predictive-policing and predictive-justice systems interact with data-protection law and the AI Act's law-enforcement provisions, exposing accountability and oversight shortfalls.
- AI, Climate, and Regulation: From Data Centers to the AI Act Peer-reviewed✦ AIAnalyses the legal levers (AI Act energy-reporting duties, Energy Efficiency Directive data-centre KPIs, sustainability reporting) for governing AI's climate footprint and their disclosure gaps.
- National Security and New Forms of Surveillance: From the Data Retention Saga to a Data Subject Centred Approach Peer-reviewed✦ AIArgues the CJEU's controller-based route for applying EU law to national-security surveillance 'creates significant legal uncertainties,' proposing a data-subject-focused scope instead.
- Cop out: security exemptions in the Artificial Intelligence Act (in: Automating Authority — AI in European police and border regimes) Civil society✦ AIDocuments how AI Act security exemptions plus police powers to restrict supervisory information-sharing will make meaningful supervision of policing and migration AI 'extremely difficult.'
- Governing AI Agents Preprint✦ AIUses "agency law and theory to identify and characterize problems arising from AI agents" and proposes governance infrastructure built on inclusivity, visibility, and liability.
+ 231 more across this instrument's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Bram Rijsbosch, Gijs van Dijck, and Konrad Kollnig (2026) Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act, Policy & Internet. 10.1002/poi3.70041 — Empirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50. ↩
- Matteo Pistillo, Pablo Villalobos (2025) Defending Compute Thresholds Against Legal Loopholes, arXiv (cs.CY). arXiv:2502.00003 — Identifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds. ↩
- 10.1016/j.clsr.2024.105985 ↩
- 10.1080/17579961.2021.1898300 ↩
- arXiv:2107.03721 ↩
- 10.54648/cola2025004 ↩
- arXiv:2402.16869 ↩
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Martina Hulok (2025) The EU model of AI governance: regulating artificial intelligence through law and policy, ERA Forum. 10.1007/s12027-025-00869-1 — Analyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'. ↩
- Regulation (EU) 2024/1689
- Arts. 51-55 (general-purpose AI + systemic risk)
- Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules
- Art. 50(4) (disclosure obligation for deep fakes)
- Annex III §4 (high-risk: employment management)
- Annex III §5(a) (high-risk: essential services) + MDR overlap
- Annex III §6 (high-risk: law enforcement)
- Annex III §3 (high-risk: educational access)
- Art. 51(2) + Annex XIII (10²⁵ FLOP presumption)
- Arts. 13, 50 (transparency obligations)
- Art. 85 (right to lodge complaints)
- Recital 105; CDSM Directive provides primary copyright framework
- Art. 51 + Recital 32 — systemic risk overlaps with but does not fully cover catastrophic-risk framing
- Recitals 1-5 + EU competence framing; AI Office establishes EU capacity
- Arts. 26-29 deployer obligations apply to agent operators; Arts. 51-55 GPAI obligations capture the underlying model
- Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models)
- Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms)
- Art. 95 voluntary codes of conduct include environmental sustainability; Recital 142 references energy efficiency reporting for GPAI
- Art. 2(3) explicitly excludes AI systems used exclusively for military, defence, or national-security purposes
How to cite this article
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/eu-ai-act — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Reviewed by Editorial board (in formation) (Policy Window) · · Editorial board
Does this instrument’s approach work? — the social-science evidence
Aggregated over the 18 topics this instrument governs: whether each harm is empirically real, and whether the peer-reviewed evidence shows governance reduces it. The badge is the epistemic status of the evidence— “thin”/“absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Of the 18 governed topics with a social-science evidence review, evidence that governance reduces the harm is established for 0, contested for 0, thin for 5, and absent for 13 — for most, no replicated study yet shows this instrument's approach works (the "second silence").
Agentic AI Governance
The capability that agentic governance targets — autonomous multi-step action — is real and rapidly, measurably advancing: METR finds the task length AI agents complete at 50% reliability has doubled roughly every seven months for the past six years (about 50 minutes for frontier 2025 models), and the UK AI Security Institute's first Frontier AI Trends Report (Dec 2025, >30 systems) reports models now finish hour-long software tasks >40% of the time versus <5% in late 2023. The distinct realized HARM from agency (as opposed to the underlying model) is, however, thinly documented: on consequential real-world tasks agents still fail the majority — Gemini 2.5 Pro completed only 30.3% of TheAgentCompany's 175 professional tasks (OpenHands scaffold, project leaderboard) — so the agency-specific harm magnitude is early and context-dependent rather than established at scale.
Sources: Kwa, West, Becker et al. 2025 (METR; arXiv:2503.14499, 'Measuring AI Ability to Complete Long Tasks'); UK AI Security Institute 2025 (Frontier AI Trends Report, Dec 2025); Xu, Song, Zhou et al. 2024 (TheAgentCompany, arXiv:2412.14161); 30.3% figure per TheAgentCompany leaderboard (OpenHands)
There is no impact-evaluation evidence that agent-specific governance reduces agentic harm: the operative regimes — the EU GPAI Code of Practice (published July 2025, voluntary/non-binding), the Seoul Frontier AI Safety Commitments (2024, voluntary), and AISI agent evaluations — are 2024-25 vintage and have never been measured against an outcome. The scholarship itself has not settled the contested unit of regulation: Kolt (2025) argues for governing the agentic relationship via principal-agent and agency-law tools, while Chan, Ezell, Kaufmann et al. (2024) propose agent-specific visibility mechanisms (identifiers, real-time monitoring, activity logging) that remain proposal-stage and unevaluated — meaning the field has design proposals but, as with most frontier-AI rules, the evidence that any of them works is absent rather than merely thin.
Sources: Kolt 2025 ('Governing AI Agents', 101 Notre Dame L. Rev., forthcoming; arXiv:2501.07913); Chan, Ezell, Kaufmann et al. 2024 ('Visibility into AI Agents', ACM FAccT 2024, pp. 958-973; DOI 10.1145/3630106.3658948); EU AI Office 2025 (GPAI Code of Practice, July 2025); Seoul Frontier AI Safety Commitments 2024
Biometric Identification
Demographic accuracy disparities in facial recognition are robust and replicated. NIST's Face Recognition Vendor Test (189 algorithms, 18.27M images) found one-to-one false-positive rates for Asian and African-American faces elevated 10-100x over white males, with the highest one-to-many false positives for African-American women; Buolamwini & Gebru's Gender Shades found commercial gender-classification error up to 34.7% for darker-skinned women vs 0.8% for lighter-skinned men. Documented downstream harm includes at least 8-15 US wrongful arrests, nearly all of Black people. Honest caveat: magnitude is highly algorithm-dependent — the most accurate algorithms show small or statistically undetectable differentials — so the harm is real but not uniform across systems.
Sources: Grother, Ngan & Hanaoka 2019 (NISTIR 8280, FRVT Part 3: Demographic Effects); Buolamwini & Gebru 2018 (Gender Shades, PMLR 81); Hill 2020 / Williams v. City of Detroit (ACLU 2021)
Rigorous evidence that GOVERNANCE of biometric ID reduces the documented harms is sparse. The one quantitative impact evaluation of police facial-recognition policy (Johnson et al. 2024, difference-in-differences across 268 US cities) studies effects on violent crime — a crime-control outcome, not misidentification harm — from a single research group, and does not establish that any safeguard regime curbs wrongful identification. Direct evidence on procedural safeguards points the other way: in the known wrongful-arrest cases police are reported to have bypassed required corroboration/probable-cause standards, and the strongest documented enforcement levers are private-sector biometric-privacy laws — Illinois BIPA (e.g. Meta's $650M settlement) and the separate Texas CUBI law (a $1.4B Meta settlement) — which govern private actors, not the law-enforcement context where the arrests occur. No replicated study shows a specific regulatory regime measurably reduces demographic misidentification harm.
Sources: Johnson et al. 2024 (Cities, 'Police facial recognition applications and violent crime control in U.S. cities'); Harwell & Schaffer 2025 (Washington Post, 'Arrested by AI'); Illinois BIPA (Rosenbach v. Six Flags 2019; Meta $650M settlement 2021); Texas CUBI (Meta $1.4B settlement 2024)
Catastrophic & Existential Risk
The catastrophic-uplift premise is genuinely contested: the empirical uplift studies that exist find current frontier models add little. RAND's red-team study found no statistically significant difference in the viability of bioweapon-attack plans produced with vs. without LLMs (Mouton, Lucas & Guest 2024), and OpenAI's 100-participant trial found GPT-4 gave at most a mild, non-significant accuracy uplift (mean +0.88 out of 10 for PhD experts, +0.25 for students; Patwardhan et al. 2024). Honest caveat: the harm is forward-looking, not yet observed — expert opinion on the catastrophic tail is sharply split (median AI researcher puts ~5% on extremely-bad/extinction outcomes, mean ~9-16% across differently-framed questions, n=2,778; Grace et al. 2024), and forecasters underestimated how fast risk-relevant capabilities (e.g. virology troubleshooting) actually arrived (Forecasting Research Institute 2025), so the relevant capabilities are a moving target rather than a settled magnitude.
Sources: Mouton, Lucas & Guest 2024 (RAND RR-A2977-2, Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study); Patwardhan et al. 2024 (OpenAI, Building an Early Warning System for LLM-aided Biological Threat Creation); Grace et al. 2024 (Thousands of AI Authors on the Future of AI, arXiv:2401.02843); Forecasting Research Institute 2025 (Forecasting LLM-enabled Biorisk and the Efficacy of Safeguards)
There is essentially no impact evidence that catastrophic-risk governance reduces catastrophic risk, and structurally there cannot yet be: the harm is a low-probability civilisational tail event, so no controlled trial or before/after evaluation of a realised catastrophe is possible. The dominant instruments are recent, voluntary developer frameworks (Anthropic's Responsible Scaling Policy 2023; OpenAI's Preparedness Framework 2023) built on if-then capability thresholds the developers themselves describe as speculative and qualitative rather than validated risk thresholds. The closest evidence is adjacent and indirect: trained-in deceptive behaviours can persist through standard safety training (Hubinger et al. 2024) — a demonstration that current mitigation may be insufficient, not that any governance regime works — and Anthropic's documented loosening of earlier commitments (RSP 2025 dropped the original pledge to define higher-tier ASL evaluations before developing the corresponding models) illustrates that even the strongest voluntary regimes lack external enforcement or measured efficacy.
Sources: Anthropic 2023 (Responsible Scaling Policy); OpenAI 2023 (Preparedness Framework); Hubinger et al. 2024 (Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training, arXiv:2401.05566); Hendrycks, Mazeika & Woodside 2023 (An Overview of Catastrophic AI Risks, arXiv:2306.12001)
Compute-Threshold Reporting
Whether training-compute (FLOP) is a defensible proxy for governance-relevant capability is genuinely contested in the literature. The strongest empirical pressure against it is algorithmic efficiency: Ho, Besiroglu, Erdil et al. (2024) estimate the compute needed to reach a fixed language-model performance level has halved roughly every eight months (95% CI ~5-14 months, i.e. ~3x/year), so any static FLOP-to-capability mapping decays quickly; Hooker (2024) argues FLOP measures operations rather than end-performance, since techniques such as fine-tuning, retrieval, chain-of-thought and tool use can add large capability gains without proportional training compute, and Ord (2025) shows inference-time scaling further decouples deployed capability from training compute. Honest caveat: defenders (Heim & Koessler 2024; Pilz, Heim & Brown 2025) note compute remains the most quantifiable, externally verifiable, and ex-ante measurable correlate of frontier capability currently available, while themselves conceding it is an imperfect proxy that should not be used in isolation — the disagreement is about durability and precision, not whether any correlation exists.
Sources: Ho, Besiroglu, Erdil, Owen, Rahman, Guo, Atkinson, Thompson & Sevilla 2024, Algorithmic progress in language models, NeurIPS 2024 (arXiv:2403.05812; Epoch AI); Hooker 2024, On the Limitations of Compute Thresholds as a Governance Strategy (arXiv:2407.05694); Ord 2025, Inference Scaling Reshapes AI Governance (arXiv:2503.05705); Heim & Koessler 2024, Training Compute Thresholds: Features and Functions in AI Regulation (arXiv:2405.10799); Pilz, Heim & Brown 2025, Increased Compute Efficiency and the Diffusion of AI Capabilities (AAAI 2025; arXiv:2311.15377)
There is no rigorous evidence that compute-threshold reporting reduces harm or achieves its stated aim, because the regimes have not produced an evaluable record. The US 10^26-FLOP reporting obligation (Executive Order 14110, invoking the Defense Production Act) was revoked on 20 January 2025 (by EO 14148) before its recurring binding reporting rule was finalized — the implementing BIS notice of proposed rulemaking (Sept 2024) never took effect, so no durable reporting record materialized; and the EU AI Act's 10^25-FLOP systemic-risk obligations for general-purpose models only became applicable on 2 August 2025 (with transitional periods into 2027), so no outcome evaluation yet exists. Moreover the 10^25 figure is a rebuttable presumption sitting alongside qualitative high-impact criteria (Art. 51(1)(a) and (2), rebuttable under Art. 52(2)), not a validated risk cutoff. The closest analogue is the broader regulatory-disclosure-mandate literature (Fung, Graham & Weil 2007), which documents that transparency policies' effects on outcomes are highly heterogeneous and frequently ineffective or counterproductive absent enforcement and downstream use — implying that the reporting trigger working as intended is an open empirical question, not a documented result.
Sources: U.S. Executive Order 14110 (2023), Sec. 4.2 (10^26 FLOP, Defense Production Act); revoked by Executive Order 14148 (Jan 20, 2025); EU AI Act, Reg. (EU) 2024/1689, Art. 51 (10^25 FLOP systemic-risk rebuttable presumption; applicable Aug 2, 2025); Fung, Graham & Weil 2007, Full Disclosure: The Perils and Promise of Transparency (Cambridge University Press)
AI in Criminal Justice
Whether algorithmic risk assessment reproduces racial disparity is a genuine, partly mathematically irreducible dispute rather than merely an unresolved measurement question. ProPublica's analysis of COMPAS in Broward County found Black defendants who did not reoffend were nearly twice as likely to be flagged high-risk as comparable white defendants (44.9% vs 23.5% false-positive rate; Angwin et al. 2016), and Dressel & Farid (2018) showed COMPAS is no more accurate (65.2%) than untrained laypeople (67.0%); the developer's reanalysis (Flores, Bechtel & Lowenkamp 2016) found the same tool satisfies predictive parity and calibration across race. Honest caveat: Chouldechova (2017) proved both sides can be correct simultaneously — when recidivism base rates differ across groups, equal calibration and equal error rates cannot both hold, so the disagreement is partly definitional, not merely a data dispute to be settled.
Sources: Angwin, Larson, Mattu & Kirchner 2016 (ProPublica, 'Machine Bias'); Dressel & Farid 2018 (Science Advances 4:eaao5580); Flores, Bechtel & Lowenkamp 2016 (Federal Probation 80(2):38); Chouldechova 2017 (Big Data 5(2):153)
Rigorous evidence that governing criminal-justice algorithms — mandating, auditing, or adopting risk tools — reduces the racial-disparity harm that motivates the rules is essentially absent. The leading real-world impact evaluation, Stevenson's (2018) study of Kentucky's mandatory pretrial risk-assessment law (>1M cases), found only a small increase in pretrial release that eroded as judges reverted to prior habits, with no reduction in racial disparities in pretrial detention. The closest analogue evaluations measure operational crime outcomes, not equity, and are largely null: Chicago's Strategic Subjects List had no effect on victimization (Saunders, Hunt & Hollywood 2016) and the only randomized predictive-policing trials tested crime reduction, not disparate impact (Mohler et al. 2015) — so the evidence that any governance regime measurably reduces algorithmic racial disparity is itself missing.
Sources: Stevenson 2018 (Minnesota Law Review 103:303); Saunders, Hunt & Hollywood 2016 (Journal of Experimental Criminology 12(3):347); Mohler et al. 2015 (JASA 110(512):1399)
Deepfakes / Synthetic Content
The flagship harm — non-consensual sexual deepfakes — is empirically real and sharply gendered: content audits find ~96-98% of deepfake videos online are non-consensual pornography overwhelmingly depicting women, and a pre-registered 10-country survey (>16,000 people) found 2.2% reporting victimization and 1.8% perpetration of synthetic intimate imagery, with documented mental-health, career, and participation harms. By contrast, the parallel claim that political/informational deepfakes UNIQUELY deceive is contested-to-refuted: experiments find deepfakes about as (not more) credible than equivalent text/audio fakes, and a 56-paper meta-analysis (k=137, N=86,155) puts unaided human detection near chance — implying a detection problem more than an exceptional-persuasion one.
Sources: Umbach, Henry, Beard & Berryessa 2024 (CHI '24, 'Non-Consensual Synthetic Intimate Imagery ... in 10 Countries'); Diel et al. 2024 (Computers in Human Behavior Reports 16:100538, deepfake-detection meta-analysis of 56 papers); Barari, Lucas & Munger 2025 (Journal of Politics 87(2), 'Political Deepfakes Are as Credible as Other Fake Media'); Flynn et al. 2022 (British Journal of Criminology, multi-country image-based sexual abuse study)
Direct impact evidence that deepfake governance reduces the targeted harm is sparse and, where it exists, discouraging: the one quasi-experimental evaluation (Cuevas & Horta Ribeiro 2025, synthetic-control across three platforms) found the U.S. TAKE IT DOWN Act's passage plus the MrDeepfakes shutdown did NOT suppress synthetic non-consensual imagery — posting rose above counterfactual baselines and displaced elsewhere. Technical enforcement is likewise unreliable: detectors fail to generalize to unseen generators (notably diffusion models) and are vulnerable to adversarial evasion, with in-the-wild accuracy well below benchmark figures. No rigorous evaluation yet shows a deepfake-specific law, takedown mandate, or watermarking scheme producing a sustained reduction in prevalence or harm.
Sources: Cuevas & Horta Ribeiro 2025 ('Deepfake Pornography is Resilient to Regulatory and Platform Shocks', arXiv:2602.02754); 'Adversarial Reality for Evading Deepfake Image Detectors' (ICCVW 2025); TAKE IT DOWN Act, S.146 / Pub. L. 119-12 (2025); CRS Legal Sidebar LSB11314
AI in Education
The documented harms of educational AI are empirically real and, for proctoring, replicated: a controlled audit of a proctoring tool used by at least ~1,500 institutions found significantly higher facial-detection failure (the trigger for 'suspicious' flags) for darker-skinned and female test-takers (Yoder-Himes et al. 2022), and a technical audit of 164 government-endorsed pandemic learning products found 89% engaged in data practices that risk or infringe children's rights, with most monitoring happening without the child's knowledge or consent (Human Rights Watch 2022). Honest caveat: the benefit side is genuine but highly sensitive to how outcomes are measured rather than uniform — Kulik & Fletcher's meta-analysis of 50 intelligent-tutoring evaluations found an overall median effect of 0.66 SD, but the average effect was 0.73 SD on locally-developed tests versus only 0.13 SD on standardized tests, so much of AI education's apparent value depends on the outcome measure used.
Sources: Yoder-Himes et al. 2022, 'Racial, skin tone, and sex disparities in automated proctoring software', Frontiers in Education 7:881449; Human Rights Watch 2022, 'How Dare They Peep into My Private Life?' (164 EdTech products endorsed by 49 governments; 89% risked/infringed children's rights); Kulik & Fletcher 2016, 'Effectiveness of Intelligent Tutoring Systems: A Meta-Analytic Review', Review of Educational Research 86(1):42-78
There are essentially no rigorous impact evaluations showing that purpose-built governance of educational AI reduces the documented harms. The student-specific regime — California's SOPIPA (SB 1177, 2014, a model that more than 20 states adopted and ~33 considered) and the FTC's May 2022 COPPA ed-tech policy statement (which the agency itself said did not change existing requirements) — has near-zero documented enforcement and no published before/after evaluation of whether it changed vendor data practices or bias outcomes. The only documented remedies came not from education-specific rules but from generic legal levers: a $6.25M biometric-privacy class settlement under Illinois BIPA (Veiga v. Respondus, 2023) and a constitutional ruling that proctoring room-scans are an unreasonable search (Ogletree v. Cleveland State University, N.D. Ohio 2022, Calabrese J.) — neither of which is a replicable evaluation, and both reach private/state actors rather than the underlying demographic-bias harm.
Sources: California SOPIPA (SB 1177, 2014); FTC Policy Statement on Education Technology and COPPA (adopted May 19, 2022); Veiga v. Respondus, Inc. ($6.25M BIPA class settlement, 2023; covers Illinois Respondus Monitor users Nov. 2015–June 2023); Ogletree v. Cleveland State University (N.D. Ohio 2022, Calabrese J., room-scan Fourth Amendment ruling)
AI in Employment
Discrimination and adverse outcomes in employment decisions are empirically well-established, and AI systems demonstrably reproduce them. The foundational field-experiment literature shows robust human baseline discrimination (Bertrand & Mullainathan 2004 found White-sounding names received 50% more callbacks), and AI-specific audits confirm the pattern: Amazon scrapped a recruiting tool that penalized resumes containing 'women's' (Dastin 2018), and a controlled resume-screening audit of language-model retrieval found systems favored White-associated names ~85% of the time and never preferred Black male-associated over White male-associated names (Wilson & Caliskan 2024). On the monitoring side, a meta-analysis (k=94, N≈23,461) found electronic performance monitoring reliably raises worker stress with no evidence of improved performance (Ravid et al. 2023). Honest caveat: measured disparities are highly model-, prompt-, and context-dependent, and most evidence comes from controlled audits and one firm's internal test rather than measured outcomes in live, at-scale hiring pipelines.
Sources: Bertrand & Mullainathan 2004 (American Economic Review 94(4):991-1013); Wilson & Caliskan 2024 (AAAI/ACM AIES; 'Gender, Race, and Intersectional Bias in Resume Screening via Language Model Retrieval'); Dastin 2018 (Reuters, 'Amazon scraps secret AI recruiting tool that showed bias against women'); Ravid, White, Tomczak & Behrend 2023 (Personnel Psychology 76:5-40)
There is no rigorous evidence that governing AI in employment reduces the documented harms; the central evaluated regime appears to fail at the compliance stage before any impact on bias can occur. NYC Local Law 144 — the first jurisdiction worldwide to mandate independent bias audits and public posting for automated employment decision tools — was directly studied across 391 employers and found to produce 'null compliance': the law's discretion makes it impossible to tell whether firms comply, with very few posting the required audits (Wright et al. 2024). Parallel qualitative work shows the audits themselves are undermined by missing demographic data, opaque aggregation, and 'test data' that does not reflect real use (Groves et al. 2024). No study links any AI-employment rule to a measured reduction in discriminatory hiring outcomes — the evidence that the rule works is itself missing, largely because mandated transparency artifacts (audit reports) are sparse, non-standardized, and unenforced.
Sources: Wright, Muenster, Vecchione, Metcalf & Matias et al. 2024 ('Null Compliance: NYC Local Law 144 and the Challenges of Algorithm Accountability', ACM FAccT '24); Groves, Metcalf, Kennedy, Vecchione & Strait 2024 ('Auditing Work: Exploring the New York City algorithmic bias audit regime', ACM FAccT '24); Ravid, White, Tomczak & Behrend 2023 (Personnel Psychology 76:5-40, on monitoring outcomes as the closest analogue evaluation evidence)
Environmental Impact of AI Training
The resource demands of AI compute are empirically documented at the model level: Strubell et al. (2019) quantified large-NLP training energy/carbon, Luccioni et al. (2023) estimated BLOOM's training at ~24.7 tCO2eq (dynamic power) rising to ~50.5 tCO2eq with manufacturing and deployment, Li et al. (2023) estimated GPT-3-scale training in US datacenters can evaporate on the order of hundreds of thousands of litres of freshwater (their central figure ~700,000 L), and Luccioni, Jernite & Strubell (2024) showed generative inference is markedly more energy-intensive per query than task-specific models; at the macro scale the IEA (2024) and de Vries (2023) document rapidly rising datacenter electricity demand. Honest caveat: absolute estimates vary by up to orders of magnitude with grid carbon intensity, hardware, utilisation and accounting boundaries, and cleanly attributing the AI-specific increment (versus general datacenter and crypto growth) remains genuinely contested — the IEA itself bundles AI with datacenters and crypto — so the existence of the footprint is established while its magnitude and trajectory are not.
Sources: Strubell, Ganesh & McCallum 2019 (ACL Anthology P19-1355; 'Energy and Policy Considerations for Deep Learning in NLP'); Luccioni, Viguier & Ligozat 2023 (JMLR 24; BLOOM 176B carbon footprint, 24.7/50.5 tCO2eq; arXiv:2211.02001); Li, Yang, Islam & Ren 2023 (arXiv:2304.03271, 'Making AI Less Thirsty', later Comm. ACM 2025); Luccioni, Jernite & Strubell 2024 (ACM FAccT '24, 'Power Hungry Processing', DOI 10.1145/3630106.3658542); de Vries 2023 (Joule 7(10):2191-2194, DOI 10.1016/j.joule.2023.09.004); IEA 2024 (Electricity 2024)
There is no impact evaluation showing that any AI-specific environmental-governance instrument reduces energy, water or carbon use, because every named instrument is voluntary or non-binding and very recent: EU AI Act Art. 95 codes of conduct are explicitly optional with no sanctions, and NIST AI 600-1 and the G7 Hiroshima Code are guidance, not enforceable caps. The closest analogue evaluation literature is divided in a way that disfavours the voluntary form chosen here: rigorous reviews find voluntary environmental programs generally fail to produce significant abatement beyond business-as-usual (Koehler 2007; Morgenstern & Pizer 2007), whereas the one form with credible positive evidence is mandatory disclosure (Downar et al. 2021 found a UK carbon-reporting mandate cut emissions ~8% versus a control group) which the AI instruments do not yet impose, leaving the proposition that AI environmental governance works essentially untested.
Sources: EU AI Act Art. 95 / Recital 142 (Reg. (EU) 2024/1689); NIST AI 600-1 (2024, GenAI Profile); G7 Hiroshima Process International Code of Conduct (30 Oct 2023); Koehler 2007 (Policy Studies Journal 35(4):689-722); Morgenstern & Pizer (eds.) 2007 (Reality Check, RFF Press); Downar, Ernstberger, Reichelstein, Schwenen & Zaklan 2021 (Review of Accounting Studies 26(3):1137-1175)
Foundation Models / GPAI
Whether the foundation-model category maps to a coherent capability/risk tier is genuinely contested. The original case rests on scale-driven 'emergent abilities' that appear unpredictably above a size threshold (Wei et al. 2022; Ganguli et al. 2022 documented capabilities that are smoothly predictable in aggregate loss yet locally surprising), but Schaeffer, Miranda & Koyejo (2023, a NeurIPS Outstanding Paper) showed many 'emergent' jumps are artefacts of discontinuous metrics and dissolve under linear/continuous scoring — implying capability scales more smoothly than a sharp tier would suggest. Honest caveat: this is a live empirical disagreement about measurement, not a settled finding either way, and compute (the regulatory proxy) is an imperfect stand-in for capability or risk regardless of which side is right.
Sources: Wei et al. 2022 (Emergent Abilities of Large Language Models, TMLR; arXiv:2206.07682); Schaeffer, Miranda & Koyejo 2023 (Are Emergent Abilities of Large Language Models a Mirage?, NeurIPS 2023, Outstanding Paper; arXiv:2304.15004); Ganguli et al. 2022 (Predictability and Surprise in Large Generative Models, ACM FAccT; DOI 10.1145/3531146.3533229)
There is no impact evaluation showing that GPAI/foundation-model governance reduces harm — the rules are too new (EU AI Act GPAI obligations and the 10^25-FLOP systemic-risk presumption only began binding on 2 August 2025) and the central regulatory lever is itself contested: Hooker (2024) argues compute thresholds are a shortsighted proxy because compute does not reliably track capability or risk, and the thresholds already diverge across jurisdictions (EU 10^25 vs. the now-rescinded US EO 14110's 10^26 operations, rescinded 20 January 2025). The mandated mitigation methods also lack validated efficacy: model evaluation and red-teaming face well-documented coverage limits and an 'audit gap' in the survey/position literature (behavioural testing cannot establish the absence of untested failure modes), and adversarial red-teaming repeatedly defeats deployed safeguards — the UK AI Safety Institute reports finding universal jailbreaks for every frontier system it has tested, and a large public agent-injection competition elicited policy violations across all 22 frontier models tested from ~1.8M attacks (Zou et al. 2025). Even compliant evaluation therefore cannot yet certify the safety the rules demand. (Caveat: this is an absence-of-evidence claim — no efficacy study has been done — not evidence the rules are ineffective.)
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Arts. 51 & 55 (GPAI systemic-risk presumption, 10^25 FLOP; binding 2 Aug 2025); US EO 14110 (10^26-operation reporting threshold, rescinded 20 Jan 2025 by EO 14148); Zou et al. 2025 (Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition / Gray Swan Arena, arXiv:2507.20526 — 22 frontier agents, ~1.8M attacks); UK AI Safety/Security Institute, Frontier AI Trends Report (universal jailbreaks for every system tested); METR, Common Elements of Frontier AI Safety Policies (2024)
AI in Healthcare
Both the benefit and the harm of clinical AI are empirically real and well-documented, but outcomes are highly deployment-dependent. Rigorous prospective studies show genuine clinical value in narrow tasks — the MASAI RCT (>100,000 women) found AI-supported mammography detected ~20% more cancers (6.1 vs 5.1 per 1000 screened) at comparable recall rates (Lang et al. 2023, Lancet Oncology), and IDx-DR's pivotal trial achieved 87.2% sensitivity / 90.7% specificity for diabetic retinopathy (Abramoff et al. 2018, npj Digital Medicine) — yet widely deployed models can fail or harm: the Epic Sepsis Model, live at hundreds of US hospitals, scored AUC 0.63 with 33% sensitivity on external validation (Wong et al. 2021, JAMA Internal Medicine), and a population-health algorithm covering ~200M people understated Black patients' illness because it predicted cost not need (Obermeyer et al. 2019, Science). Honest caveat: there is no single 'AI in healthcare' effect — performance ranges from life-saving to dangerous depending on task, calibration, and whether the model was prospectively validated.
Sources: Lang K, Josefsson V, Larsson A-M, et al. 2023 (Lancet Oncology 24(8):936-944, MASAI trial clinical safety analysis; AI-supported screening detected 6.1 vs 5.1 cancers per 1000, ~20% higher, similar recall rates); Abramoff MD, Lavin PT, Birch M, Shah N, Folk JC. 2018 (npj Digital Medicine 1:39, IDx-DR pivotal trial; 87.2% sensitivity / 90.7% specificity); Wong A, Otles E, Donnelly JP, et al. 2021 (JAMA Internal Medicine 181(8):1065-1070, Epic Sepsis Model external validation; AUC 0.63, 33% sensitivity); Obermeyer Z, Powers B, Vogeli C, Mullainathan S. 2019 (Science 366(6464):447-453, racial bias from cost-as-proxy)
There is essentially no impact-evaluation evidence that the prevailing governance regime for medical AI — FDA authorization, predominantly via the 510(k) substantial-equivalence pathway — measurably reduces patient harm or improves outcomes. Analyses of authorized AI devices find that clinical validation is frequently absent or non-prospective (of 521 FDA-authorized AI devices, ~43% had no published clinical-validation data and only ~28% were prospectively validated; Chouffani El Fassi & Henderson et al. 2024) and that demographic performance is almost never reported (race/ethnicity in 3.6%, and only 9.0% of 692 510(k)/cleared AI devices carried a prospective post-market-surveillance study; Muralidharan et al. 2024). Earlier analysis of 130 cleared devices likewise found 97% were evaluated only retrospectively (Wu et al. 2021). The closest analogue evidence on the pathway itself is discouraging: the Institute of Medicine (2011) concluded the 510(k) process was not designed to assess safety and effectiveness — i.e., no direct study establishes that the rule, as written, prevents the harms it targets. Caveat: this is an absence of impact evaluation plus reporting-gap and design-critique evidence, not a study showing the regime fails to reduce harm.
Sources: Chouffani El Fassi S, Abdullah A, Fang Y, ... Henderson GE, et al. 2024 (Nature Medicine, 'Not all AI health tools with regulatory authorization are clinically validated', s41591-024-03203-3; 521 devices, ~43% no clinical validation, ~28% prospectively validated); Muralidharan V, Adewale BA, Huang CJ, et al. 2024 (npj Digital Medicine 7:273, scoping review of reporting gaps in 692 FDA-approved AI medical devices; race/ethnicity 3.6%, prospective post-market surveillance 9.0%); Wu E, Wu K, Daneshjou R, Ouyang D, Ho DE, Zou J. 2021 (Nature Medicine 27:582-584, analysis of 130 FDA approvals; 97% retrospective-only evaluation); Institute of Medicine 2011 (Medical Devices and the Public's Health: The FDA 510(k) Clearance Process at 35 Years)
National Security Carveouts in AI Regulation
That civilian AI-governance instruments carve out national-security uses is black-letter and undisputed (EU AIA Art. 2(3); CoE Framework Convention Art. 3(2) on national-security activities, distinct from Art. 3(4) on national defence; US NSM-25 (Oct. 2024) as the national-security-track instrument fulfilling §4.8 of EO 14110); civil-society legal analysis argues a blanket exclusion is harder to square with a necessity-and-proportionality approach than a qualified one (Korff/ECNL 2022; Vogiatzoglou 2024). But whether the carveout itself produces concrete unredressed harm is empirically under-observed almost by construction — the secrecy it confers suppresses the very evidence needed to measure it. The closest analogue, national-security deference in the courts, shows the mechanism is real (the FISC granted all but eleven of 33,900 applications 1979-2012, a 99.97% approval rate; Sinnar 2022 documents downstream harms to securitized communities), yet Clarke (2014) shows that lopsided ex parte approval rates alone do not prove rubber-stamping, because rational case selection and pre-vetting produce similar rates in ordinary Title III wiretaps (99.93%) and delayed-notice warrants (99.6-99.8%) — so the magnitude of harm attributable to the carveout, as opposed to the legitimate secrecy of the domain, remains genuinely contested.
Sources: Korff 2022 (ECNL Opinion on the implications of the exclusion of national security from AI legislation, Oct. 2022); Sinnar 2022 (Harvard Law Review Forum 136:59, 'A Label Covering a "Multitude of Sins": The Harm of National Security Deference'); Clarke 2014 (Stanford Law Review Online 66:125, 'Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?'); EPIC FISC statistics 1979-2012
There is no impact evaluation showing that any specific design of the national-security carveout — categorical exclusion versus parallel governance track versus civilian-compliance-with-override — measurably improves oversight or reduces harm relative to the alternatives; the question is argued doctrinally (Vogiatzoglou 2024; Korff/ECNL 2022) but has never been tested empirically. The closest analogue evaluation literature is on the parallel-track model already in use for intelligence surveillance (the FISC / FISA oversight regime), and even there the evidence that the mechanism delivers effective scrutiny is itself contested rather than established (Clarke 2014; Sinnar 2022). No direct evaluation exists because the carveouts are recent (EU AIA 2024, CoE Framework Convention 2024, US NSM-25 2024), enforcement actions are by design non-public, and private parties typically lack standing to challenge a specific exempt deployment — the structural features that make the harm hard to observe also make the governance impossible to evaluate.
Sources: Vogiatzoglou 2024 (Verfassungsblog, 'The AI Act National Security Exception: room for manoeuvres?', 9 Dec. 2024); Korff 2022 (ECNL Opinion, exclusion of national security from AI legislation); Clarke 2014 (Stanford Law Review Online 66:125); Sinnar 2022 (Harvard Law Review Forum 136:59)
Open-Weight Frontier Release
The empirical picture splits into two well-separated questions. (1) The MECHANISM that distinguishes open-weight release — that safety guardrails can be cheaply and irreversibly stripped once weights are public — is established: Qi et al. (2024) removed GPT-3.5 Turbo safety alignment by fine-tuning on only ~10 adversarially designed examples for under $0.20 (and the attack generalizes to Llama-2), and even purpose-built tamper-resistant safeguards (Tamirisa et al. 2025, TAR) were subsequently shown to be defeatable by adaptive fine-tuning (Qi et al. 2024, durability critique). (2) Whether this mechanism produces real-world CATASTROPHIC uplift is genuinely contested and, for the headline biosecurity case, currently unsupported: RAND's red-team study found no statistically significant difference in the viability of bioweapon attack plans produced with versus without LLM assistance (Mouton, Lucas & Guest 2024), and OpenAI's 100-participant trial found at most mild uplift over an internet baseline (Patwardhan et al. 2024). Honest caveat: these null/mild results are time-stamped to 2023-2024 frontier capability and to biothreats specifically; the marginal-risk framework (Kapoor, Bommasani et al. 2024) concludes the evidence base is too thin to characterize marginal risk across most misuse vectors, so 'no measured harm yet' is not 'no harm.'
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 / ICML 2024 (arXiv 2403.07918); Mouton, Lucas & Guest 2024, RAND RR-A2977-2, 'The Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study'; Qi, Zeng, Xie, Chen, Jia, Mittal & Henderson 2024, 'Fine-tuning Aligned Language Models Compromises Safety', ICLR 2024 (arXiv 2310.03693); Tamirisa et al. 2025, 'Tamper-Resistant Safeguards for Open-Weight LLMs', ICLR 2025 (arXiv 2408.00761); Qi, Wei, Carlini, Huang, Xie, He, Jagielski, Nasr, Mittal & Henderson 2024, 'On Evaluating the Durability of Safeguards for Open-Weight LLMs' (arXiv 2412.07097); Patwardhan et al. 2024, 'Building an early warning system for LLM-aided biological threat creation', OpenAI
There is no impact evaluation showing that any specific weight-release governance regime reduces downstream harm, because no binding regime has been implemented and measured: California SB-1047's release-conditioning framework was vetoed in September 2024, and the EU AI Act's open-source carve-outs (Recital 102, Art. 53(2)) exempt most open-weight models (those below the systemic-risk compute threshold) from the documentation obligations that would generate evaluable conduct. The structural obstacle is also documented: Kapoor, Bommasani et al. (2024) characterize open-weight release as effectively irreversible and poorly monitorable once weights are public, so post-release governance has little to act on. The closest analogue evidence — technology export controls — is mixed and points to circumvention: commentators argue blanket export controls on freely copyable open-source models cannot work (Just Security 2024), and independent analyses of the post-2022 semiconductor controls document displacement to less-regulated channels (smuggling, threshold-tuned chip variants, cloud access) rather than disappearance of activity (e.g., CSIS, FPRI 2024), suggesting recipient-restriction regimes face the same leakage problem for weights. (Caveat: this is analogical, not direct evidence about weight-release governance, which remains unmeasured.)
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 (arXiv 2403.07918); California SB-1047 (2024, vetoed by Gov. Newsom 29 Sep 2024); EU AI Act Regulation (EU) 2024/1689, Recital 102 & Art. 53(2) open-source exemptions; Just Security 2024, 'Export Controls on Open-Source Models Will Not Win the AI Race'; CSIS, 'The Limits of Chip Export Controls in Meeting the China Challenge' and FPRI 2024, 'Breaking the Circuit: US-China Semiconductor Controls' (export-control circumvention analogue)
Individual Redress
The premise behind redress — that affected people lack meaningful recourse against automated decisions — is real, but the flagship instrument is weaker than commonly assumed. Wachter, Mittelstadt & Floridi (2017) show GDPR creates only a limited 'right to be informed,' not a binding 'right to explanation' of specific decisions; and controlled work finds the explanations actually delivered do not measurably improve lay decision accuracy over showing the bare AI prediction (Alufaisan et al. 2021; and a 2022 meta-analysis by Schemmer et al. — screening 393 articles down to 9 in the final analysis — reports 'no effect of explanations on users' performance compared to sole AI predictions,' even though XAI overall had a positive effect). Honest caveat: the legitimacy/dignity value of being heard is empirically well established in the procedural-justice tradition even where outcome accuracy is unchanged, so 'redress fails' depends on which aim is measured.
Sources: Wachter, Mittelstadt & Floridi 2017 (International Data Privacy Law 7(2):76); Alufaisan, Marusich, Bakdash, Zhou & Kantarcioglu 2021 (Proceedings of the AAAI Conference on AI 35(8):6618); Schemmer, Hemmer, Nitsche, Kühl & Vössing 2022 (AAAI/ACM AIES '22, meta-analysis)
There is no rigorous impact evaluation showing that mandated redress mechanisms (right-to-explanation, appeal, human-in-the-loop review) actually reduce erroneous or unfair automated decisions — the evidence that the rule works is itself missing. The closest experimental analogues are discouraging: explanations increase humans' acceptance of AI recommendations regardless of correctness (Bansal et al. 2021), and algorithm-in-the-loop oversight can introduce racial disparities and exhibit automation bias rather than reliably catching model errors (Green & Chen 2019). The procedural-justice literature (Tyler 1990; Lind & Tyler 1988) robustly supports a legitimacy and compliance benefit of fair process, but it measures perceived fairness, not reduction of the substantive decision harm redress is meant to cure.
Sources: Bansal, Wu, Zhou, Fok, Nushi, Kamar, Ribeiro & Weld 2021 (CHI '21); Green & Chen 2019 (Disparate Interactions, ACM FAT* '19); Tyler 1990 (Why People Obey the Law, Yale Univ. Press); Lind & Tyler 1988 (The Social Psychology of Procedural Justice, Plenum Press)
Synthetic Content Provenance
The harm provenance targets is real but concentrated, and the technical premise that the mandated signal survives is itself empirically shaky. Synthetic-media harm is well documented in two domains: non-consensual intimate imagery (Ajder et al.'s 2019 Deeptrace audit found 96% of deepfake videos were pornographic and effectively 100% targeted women) and impersonation fraud (the Arup case, ~US$25.6M / HK$200M lost via a deepfake video call). The honest caveat is twofold: a feared broad political-misinformation harm is not yet demonstrated at scale, and CS work shows invisible watermarks are removable in practice (Jiang, Zhang & Gong 2023, WEvade, evade detection via adversarial perturbation; Zhao et al. 2024 prove pixel-level watermarks are provably removable via regeneration attacks), so the provenance signal a rule would mandate is itself contested.
Sources: Ajder, Patrini, Cavalli & Cullen 2019 (Deeptrace, 'The State of Deepfakes: Landscape, Threats, and Impact'); Jiang, Zhang & Gong 2023 ('Evading Watermark based Detection of AI-Generated Content', ACM CCS 2023); Zhao et al. 2024 (NeurIPS, 'Invisible Image Watermarks Are Provably Removable Using Generative AI'); Arup deepfake fraud (CNN Business, 2024-05-16, US$25.6M)
There is no impact evaluation showing that mandated provenance/labeling reduces synthetic-media harm; the major mandates (China's GenAI labeling Measures, effective 2025-09-01; EU AIA Art. 50, machine-readable marking) are too new and unevaluated, and the delivery layer is leaky: the C2PA spec's own Security Considerations document the strip-and-repost threat, and platform audits report C2PA/Content-Credentials metadata is stripped by essentially all major social platforms on upload (consistent with Imatag's 2018 finding that ~80% of uploaded images lose metadata, only ~15% retaining it). The closest analogue evaluation literature — Pennycook, Bear, Collins & Rand (2020), the 'implied truth effect' — gives reason for caution rather than confidence: labeling only some content can make unlabeled false content seem more credible, so a partial-coverage provenance regime could backfire.
Sources: Pennycook, Bear, Collins & Rand 2020 (Management Science 66(11):4944-4957, 'The Implied Truth Effect'); China Measures for Labeling AI-Generated Synthetic Content (eff. 2025-09-01); EU AI Act Art. 50; Imatag 2018 metadata-stripping study (~80%); C2PA Security Considerations (spec.c2pa.org) on manifest removal
Technological Sovereignty
The structural fact that compute capacity is geographically concentrated is well-measured: Lehdonvirta, Wú & Hawkins find only ~33 countries host facilities with AI-accelerator hardware and roughly 24 have the capacity to train full-scale foundation models, the Stanford AI Index 2026 reports low-income countries collectively hold ~0.1% of global data-centre compute (the US hosting >10x any other nation), and Cottier et al. document amortized frontier-training cost rising 2.4x/year (95% CI 2.0-3.1x) toward $1B+ models by 2027. But this is a political-economy FRAME, not a documented harm, and the core contested claim of the topic, that the cost curve locks mid-sized economies OUT of capability, is empirically cut both ways: a feasibility study of Brazil and Mexico (Malagon et al. 2025) estimates usable (non-frontier) 10-trillion-token sovereign models are fiscally viable at roughly $8-14M on H100 hardware, and DeepSeek-style efficiency gains (V3 trained for ~$5.5M, ~11x less compute than Llama 3 405B) show frontier-adjacent performance at a fraction of prior compute, so whether domestic frontier-tier capability is foreclosed for middle powers remains genuinely unsettled.
Sources: Lehdonvirta, Wú & Hawkins 2024 (Compute North vs. Compute South, Proceedings of the 2024 AAAI/ACM Conference on AI, Ethics & Society 7:828-838); Cottier, Rahman, Fattorini, Maslej & Owen 2024 (The Rising Costs of Training Frontier AI Models, arXiv:2405.21015); Stanford AI Index 2026 (Maslej et al., Stanford HAI); Malagon, Ulloa Ruiz, Sandoval Plaza, Rosario Bolívar, García Mesa & Alvarado Morales 2025 (The Feasibility of Training Sovereign Language Models in the Global South: A Study of Brazil and Mexico, arXiv:2510.19801)
There is no rigorous impact evaluation showing that technological-sovereignty policies (on-shore compute mandates, national foundation-model champions, talent-retention schemes such as EuroHPC AI Factories or India's IndiaAI Mission) actually deliver sustained domestic capability or strategic autonomy; these programs are recent, utilization and cost-per-GPU-hour are largely unpublished, and no counterfactual study exists. The closest analogue evidence base, the industrial-policy literature synthesized by Juhász, Lane & Rodrik, finds that properly-identified studies are more favorable than older correlational work suggested but that outcomes depend heavily on instrument design and structural context, and the older national-champion record warns of subsidized 'zombie' firms and government capture, so the closest analogue is mixed and the direct evidence that the sovereignty rule works is simply missing.
Sources: Juhász, Lane & Rodrik 2024 (The New Economics of Industrial Policy, Annual Review of Economics 16:213-242); Ahmed & Wahed 2020 (The De-democratization of AI: Deep Learning and the Compute Divide in Artificial Intelligence Research, arXiv:2010.15581); IndiaAI Mission (Indian Cabinet, March 2024); EuroHPC Joint Undertaking AI Factories (2024 regulation amendment; no published impact evaluation)
Training-Data Rights
That foundation models ingest copyrighted and personal works without consent is undisputed; whether that ingestion produces legally cognizable reproduction harm is genuinely contested. The CS evidence that models can memorize and emit verbatim training text is robust and replicated — Carlini et al. (2021) extracted hundreds of verbatim sequences (including PII) from GPT-2, and follow-up work (Carlini et al., Quantifying Memorization, ICLR 2023) showed extraction scales log-linearly with model size and with example duplication. Honest caveat: verbatim reproduction is the exception, not the norm — the UK High Court held that Stable Diffusion's model weights never stored copies of the training images (defeating the secondary-infringement theory), and Getty abandoned its primary training-infringement claim at trial for lack of evidence, so whether the empirical phenomenon amounts to actionable harm (rather than transient, non-expressive use) remains the open question driving NYT v. OpenAI and parallel regimes.
Sources: Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea & Raffel 2021 (Extracting Training Data from Large Language Models, 30th USENIX Security Symposium); Carlini, Ippolito, Jagielski, Lee, Tramèr & Zhang 2023 (Quantifying Memorization Across Neural Language Models, ICLR 2023; arXiv:2202.07646); Getty Images (US) Inc & ors v Stability AI Ltd [2025] EWHC 2863 (Ch) (UK High Court, 4 Nov 2025 — no secondary infringement; primary training claim abandoned at trial); The New York Times Co. v. Microsoft Corp. & OpenAI (S.D.N.Y., No. 1:23-cv-11195; consolidated In re OpenAI Copyright Infringement Litigation, Apr. 2025; ongoing 2025-2026)
There is no impact evaluation showing that the CDSM Directive Article 4 TDM exception plus its Article 4(3) opt-out reservation regime actually reduces unlicensed ingestion or channels compensation to rightsholders — the evidence that the rule works as designed is itself missing. The only available evidence is early case law and doctrinal scholarship, which document the mechanism's contested operation rather than its success: in Kneschke v. LAION the Hamburg Higher Regional Court (on appeal, 10 Dec 2025) held that a rights reservation in natural language did NOT satisfy Article 4(3)'s machine-readability requirement, invalidating the opt-out (note: the first-instance Regional Court had left the Article 4 question largely open and the case ultimately turned on the Article 3 scientific-research exception, so this machine-readability holding is appellate and not yet settled — a further appeal to the Federal Court of Justice was permitted). Legal scholars characterize the Article 4 opt-out as practically difficult and unharmonized, with no observed market in TDM licences or systematic enforcement to evaluate.
Sources: Kneschke v. LAION (Hamburg Regional Court, 27 Sept 2024, 310 O 227/23; on appeal Hamburg Higher Regional Court, 10 Dec 2025, 5 U 104/24 — opt-out held not machine-readable; further appeal to BGH permitted); Margoni & Kretschmer 2022 (A Deeper Look into the EU Text and Data Mining Exceptions, GRUR International 71(8):685-701); Quintais 2025 (Generative AI, Copyright and the AI Act, Computer Law & Security Review 56:106107)
Transparency Obligations
Documentation artifacts (model cards, datasheets) are well-specified as proposals and are genuinely adopted, but the empirical premise that mandated disclosure produces meaningful transparency is contested. Selbst & Barocas (2018) argue inscrutability and non-intuitiveness are distinct problems and that disclosing rules does not resolve the latter, and large-scale audits find documentation is sparsely and unevenly completed: a systematic analysis of 32,111 Hugging Face model cards (Liang et al. 2024) found environmental-impact, limitations and evaluation sections least often filled, and Bhat et al. (2023, 45 practitioners) found a substantial gap between the documentation proposal and actual practice. Honest caveat: the documentation frameworks themselves are real and adopted, so the dispute is about whether disclosure conveys decision-relevant information, not whether the artifacts exist.
Sources: Selbst & Barocas 2018 (Fordham Law Review 87:1085-1139); Liang et al. 2024 (Nature Machine Intelligence, s42256-024-00857-z, 'Systematic analysis of 32,111 AI model cards'); Bhat et al. 2023 (CHI '23, 'Aspirations and Practice of ML Model Documentation', DOI 10.1145/3544548.3581518); Mitchell et al. 2019 (FAccT, Model Cards for Model Reporting); Gebru et al. 2021 (CACM 64(12):86-92, Datasheets for Datasets)
There is no rigorous impact evaluation showing that AI transparency mandates (model cards, training-data summaries) measurably reduce bias, misuse or accidents — the central regulatory assumption is empirically untested, partly because flagship mandates like EU AI Act Art. 53(1)(d) GPAI training-data summaries are only subject to AI Office enforcement/verification from 2 August 2026 (the obligation itself began 2 August 2025 for new models). The closest analogue, mandated consumer disclosure, shows small and context-dependent effects: Bollinger, Leslie & Sorensen (2011) found mandatory calorie posting cut average calories per transaction by about 6%, while Loewenstein, Sunstein & Golman (2014) review evidence that disclosure effects are frequently diminished or even reversed by limited attention and often change provider rather than recipient behavior. These are analogues, not AI studies; no study demonstrates that AI transparency disclosure achieves its stated downstream safety aims.
Sources: Bollinger, Leslie & Sorensen 2011 (AEJ: Economic Policy 3(1):91-128); Loewenstein, Sunstein & Golman 2014 (Annual Review of Economics 6:391-419, 'Disclosure: Psychology Changes Everything'); EU AI Act Art. 53(1)(d) GPAI training-data summary (obligation from 2 Aug 2025; AI Office enforcement from 2 Aug 2026)