Obligations specific to general-purpose / foundation models above certain capability thresholds.
Abstract
Foundation-model governance turns on whether the category maps to a coherent capability tier or is a regulatory convenience, and on where any threshold should sit — set by compute or by behaviour. (One strand of the debate further asks whether obligations should attach to the model itself or only to its applications.) Across the catalogued instruments, most treat general-purpose or foundation models with direct or implicit obligations and a few are silent, while the field's consensus on the right approach is contested. This article sets out, with primary-source citations, each instrument's treatment of foundation models: which govern them directly, which reach them only implicitly, and which are silent.
Explainer
Foundation models — the large, general-purpose systems that can be adapted to many downstream tasks — pose a question the catalogued instruments answer in incompatible ways: should regulation attach to the model itself, and if so, at what threshold? Policy Window records the field's empirical consensus on this as contested. The term itself comes from Bommasani and colleagues' 2021 survey, which warned that because downstream systems inherit a foundation model's defects, concentrating capability in a few models concentrates risk.
The instruments that govern foundation models directly disagree on where to draw the line. The EU AI Act presumes a model carries 'systemic risk' once the compute used to train it exceeds 10^25 floating-point operations (Article 51), triggering obligations such as red-teaming and incident reporting. The United States' Executive Order 14110 used a higher 10^26-FLOP trigger for pre-deployment reporting, but Executive Order 14148 rescinded that reporting framework (EO 14179 set the deregulatory posture) without a binding replacement. China's 2023 Generative AI Measures take a different route again, applying obligations by behaviour — whether a service is offered to the public — rather than by compute, and the vetoed California SB-1047 had proposed a dual trigger of compute or training cost.
Where binding rules stop, voluntary commitments fill in: frontier developers' own scaling and preparedness frameworks, the Bletchley Declaration, the Seoul Frontier AI Safety Commitments, and standards such as the NIST AI Risk Management Framework's generative-AI profile all address foundation models without the force of law. The scholarship maps onto this divide. Hacker, Engel and Mauer (2023) argue regulation should target concrete high-risk applications rather than the pre-trained model; Anderljung and colleagues (2023) counter that frontier models need government standards, registration and reporting beyond self-regulation.
Across the full catalogue, most instruments treat general-purpose or foundation models with direct or implicit obligations and only a few are silent — but 'governs' spans a wide range here, from the EU's binding compute-threshold regime to non-binding voluntary codes, and jurisdictions disagree on the threshold that should trigger any of it. The coverage table below sets out, instrument by instrument and with primary-source citations, which regimes impose obligations on foundation models directly, which reach them only implicitly, and which remain silent.
What baseline obligations apply to foundation models (GPAI) above the regulatory capability thresholds in 2026, and how do those thresholds differ across jurisdictions?
Three thresholding regimes operate concurrently: the EU AI Act (Art. 51) uses a 10²⁵ FLOP compute floor to designate 'systemic-risk' GPAI with mandatory red-teaming, incident reporting, and energy-use disclosure; the US executive order regime (now superseded by EO 14179) used a 10²⁶ FLOP compute trigger for pre-deployment notification; China's Generative AI Measures (Aug 2023) apply behavioural triggers (public-facing service) rather than compute. Frontier-lab voluntary codes (Anthropic RSP, OpenAI Preparedness, DeepMind Frontier Safety Framework) layer on top with capability-evaluation gates. Convergence on baseline obligations is contested.Medium confidence
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 11 regimes are silent, leaving gaps that future policy work could address.
Regulatory approaches: the concrete mechanisms
Beyond which instruments govern foundation models, jurisdictions diverge sharply in the regulatory *modality* they use. The EU AI Act imposes a two-tier mechanism set whose very object — distinguishing 'AI system, general purpose AI system, foundation model, and generative AI' — shifted across drafting versions and remains definitionally unstable 1. Every general-purpose AI model provider owes four baseline duties under Article 53(1): maintain technical documentation (Annex XI), supply downstream integrators with information to meet their own obligations, adopt a policy to comply with Union copyright law including the Directive (EU) 2019/790 text-and-data-mining opt-out, and publish a 'sufficiently detailed summary' of training content on an AI Office template (Art. 53(1)(a)-(d)). Models presumed to carry systemic risk (the 10^25-FLOP tier, Art. 51) additionally owe model evaluation with adversarial testing, systemic-risk assessment and mitigation, serious-incident reporting to the AI Office 'without undue delay', and cybersecurity protection of model and weights (Art. 55(1)(a)-(d)) — duties that map onto the gaps Novelli et al. trace across the Act, liability, GDPR, copyright and cybersecurity regimes for generative AI 2. The General-Purpose AI Code of Practice, endorsed as adequate by the AI Office on 1 August 2025 (the Arts. 53/55 obligations applying from 2 August), operationalises these as the presumptive compliance route (European Commission 2025). China instead relies on a registration-and-labelling modality: Article 17 of the 2023 Interim Measures requires services 'with public-opinion attributes or social-mobilisation capacity' to file algorithms and pass a security assessment, and the Labelling Measures effective 1 September 2025 mandate explicit and implicit (watermark) labels on AI-generated content. The US relies chiefly on transparency/reporting and ex-post liability.
Key fault lines
Four design questions drive the cross-jurisdiction divergence, and each is genuinely unsettled. First is the *threshold metric*. The EU and California legislate compute floors (10^25 FLOP for EU systemic risk, Art. 51; 10^26 FLOP for a California 'frontier model', Cal. Bus. & Prof. Code §22757.11), but China conditions obligations on *behaviour* — whether a service is public-facing (Interim Measures Art. 2) — sidestepping compute entirely. Critics argue the compute proxy is brittle because compute does not reliably track capability or risk 3; the scaling-law and compute-optimal literature both underwrites and complicates such floors, with Kaplan et al. showing loss 'scales as a power-law' with model size, data and compute 4 while the Chinchilla result that 'model size and the number of training tokens should be scaled equally' undercuts compute-only counting 5. Second is the *regulatory locus*: should duties attach to the pre-trained model, or only to downstream high-risk applications? Hacker, Engel & Mauer (2023) urge targeting 'concrete high-risk applications, and not the pre-trained model itself' 6, while Anderljung et al. (2023) argue frontier models need model-level standards, registration and reporting 7. Third is the *governance form* — ex-ante categorisation (EU AI Act), delegated principles (UK White Paper; OECD), or ex-post liability and litigation (the US sectoral path, exemplified by FTC §5 and the NYT v. OpenAI copyright suit). Fourth is *open-weight treatment*: the EU AI Act exempts open-source GPAI from several Article 53 documentation duties unless the model carries systemic risk (Recital 102-104), leaving contested whether open release should attract lighter or heavier scrutiny — the unresolved question behind the open-vs-closed frontier debate. California's vetoed SB-1047 illustrates the threshold instability further, defining a 'covered model' conjunctively - above 10^26 operations and more than $100M in training cost (Cal. SB-1047 §22602) - pairing a compute floor with a dollar-cost trigger absent from the EU, China, and surviving California tests.
Trajectory: what is changing
Foundation-model rules are in rapid flux, and several 2025-2026 developments postdate the coverage table's verdicts. The economic stakes sharpen the urgency: Eloundou et al. estimate roughly 80% of the US workforce 'could have at least 10% of their work tasks affected' by LLMs, which display 'traits of general-purpose technologies' 8. In the EU, the substantive turning point was 2 August 2025: the GPAI provisions (Arts. 53, 55) became binding, the day after the AI Office endorsed the Code of Practice (1 August), with full Commission enforcement powers — fines up to EUR 15 million or 3% of worldwide turnover under Article 101 — scheduled to begin 2 August 2026; whether the Act's risk tiers adequately govern models whose 'autonomous content generation challenges legal categories of authorship, accountability' remains contested 9. The Commission's Digital Omnibus on AI, published 19 November 2025 and reaching provisional trilogue agreement on 7 May 2026, deferred the *high-risk* (Annex III) deadline from August 2026 to 2 December 2027 but left the GPAI obligations and their August 2025 start date intact. In the United States, the trajectory ran the other way: Executive Order 14110's 10^26-operation reporting trigger was rescinded by Executive Order 14148 (20 January 2025), with Executive Order 14179 (23 January 2025) setting the deregulatory posture — removing the federal model-level reporting framework without a binding replacement (90 Fed. Reg. 8741; 90 Fed. Reg. 8237). California then partially filled the gap: Governor Newsom signed SB-53, the Transparency in Frontier Artificial Intelligence Act, on 29 September 2025 (effective 1 January 2026), requiring frontier developers to publish a safety framework, post pre-deployment reports, and report critical safety incidents (Office of Governor Newsom 2025). The net effect is widening divergence — binding EU model-tier duties, a retreating US federal floor, and sub-federal and behaviour-based regimes filling in.
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by OECD AI Principles (Recommendation) on (implicit). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
- Forum-shoppingEU AI Act↔Executive Order 14179 — Removing Barriers to American Leadership in AI
- Forum-shoppingExecutive Order 14110 on Safe, Secure, Trustworthy AI↔UN GA Resolution on Safe, Secure, Trustworthy AI
- Forum-shoppingInterim Measures for Generative AI Service Management↔African Union Continental AI Strategy
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address Foundation Models / GPAI — candidates for future policy work.
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- UN GA Resolution on Safe, Secure, Trustworthy AIUN
- African Union Continental AI StrategyAfrican_Union
- General Data Protection Regulation (GDPR)EU
- California SB 243: Companion ChatbotsUS
- Revised Product Liability Directive (Directive (EU) 2024/2853)EU
- UNESCO Recommendation on the Ethics of Artificial IntelligenceUNESCO
- Directive (EU) 2024/2831 on improving working conditions in platform workEU
- Provisions on the Administration of Deep Synthesis of Internet Information ServicesCN
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
- Italy Law No. 132/2025 on Artificial Intelligence (Legge 23 settembre 2025, n. 132)IT
See also
Further reading
40 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- Evaluating Frontier Models for Dangerous Capabilities Preprint✦ AIPilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating.
- Frontier AI Regulation: Managing Emerging Risks to Public Safety Preprint✦ AIArgues "industry self-regulation is an important first step" but "government intervention will be needed", proposing safety standards, registration and reporting, and compliance mechanisms.
- Regulating ChatGPT and other Large Generative AI Models Peer-reviewed✦ AIArgues AI regulation "has primarily focused on conventional AI models, not LGAIMs" and should target "concrete high-risk applications, and not the pre-trained model itself".
- A Proposal for a Definition of General Purpose Artificial Intelligence Systems Peer-reviewed✦ AIFinds existing GPAIS definitions "do not provide sufficient guidance" and proposes "a functional definition of the term that facilitates its governance within the EU".
- Foundation Models and Fair Use Peer-reviewed✦ AIShows foundation models "are trained on copyrighted material" and warns "fair use is not guaranteed", urging technical mitigations to keep training and deployment within fair use.
- The risks of risk-based AI regulation: taking liability seriously Preprint✦ AIArgues the AI Act's ex-ante risk tiers under-govern foundation models and that 'taking liability seriously as the key regulatory mechanism' is a more effective lever.
- Market Concentration Implications of Foundation Models Preprint✦ AIArgues foundation models tend toward 'natural monopoly' and that regulators must ensure 'the contestability of the market by tackling strategic behavior'.
- Emergent Abilities of Large Language Models Preprint✦ AIDocuments 'emergent abilities' that appear only above a scale threshold and 'would not have been directly predicted by extrapolating' smaller models — a core governance unpredictability problem.
- Training Compute-Optimal Large Language Models Preprint✦ AIThe 'Chinchilla' study shows 'model size and the number of training tokens should be scaled equally', complicating compute-only regulatory thresholds.
- Structured access: an emerging paradigm for safe AI deployment Preprint✦ AIProposes controlled, cloud-mediated 'structured access' to 'prevent dangerous AI capabilities from being widely accessible, whilst preserving access to AI capabilities that can be used safely'.
- On the Opportunities and Risks of Foundation Models Preprint✦ AIDefines foundation models and warns homogenization "demands caution, as the defects of the foundation model are inherited by all the adapted models downstream".
- Scaling Laws for Neural Language Models Preprint✦ AIEstablishes that model 'loss scales as a power-law with model size, dataset size, and the amount of compute', the empirical basis for compute-threshold regulation of foundation models.
- Model Card PreprintMitchell et al. (2019), 'Model Cards for Model Reporting,' FAccT '19
- Deceptive Alignment PreprintHubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
- Mesa-Optimization PreprintHubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
- Scalable Oversight PreprintChristiano, P., Shlegeris, B., Amodei, D. (2018), 'Supervising Strong Learners by Amplifying Weak Experts.'
- Capability Elicitation PreprintQi, X., Zeng, Y., Xie, T., Chen, P.-Y., Jia, R., Mittal, P., Henderson, P. (2023), 'Fine-tuning Aligned Language Models Compromises Safety, Even When Users Do Not Intend To!'
- Dual-Use Research Norms (DURC for AI) PreprintSolaiman, I., et al. (2019), 'Release Strategies and the Social Impacts of Language Models' — the canonical articulation of structured-access norms for foundation models.
- Policy Instrument Peer-reviewedLascoumes, P. & Le Galès, P. (2007). Introduction: Understanding Public Policy through Its Instruments — From the Nature of Instruments to the Sociology of Public Policy Instrumentation. Governance 20(1): 1-21. See also Hood (1983) The Tools of Government, ch. 1-2; Salamon (2002) The Tools of Government: A Guide to the New Governance, pp. 1-47; Howlett (2011) Designing Public Policies, ch. 3-5.
- Prompt Injection PreprintGreshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M. (2023), 'Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection.'
- Agentic AI System PreprintYao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., Cao, Y. (2022), 'ReAct: Synergizing Reasoning and Acting in Language Models.'
- Tool-Use Safety PreprintWallace, E., et al. (2024), 'The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions' (OpenAI) — the canonical industry articulation of instruction-channel hierarchy as a tool-use-safety defence.
- Multi-Turn Evaluation PreprintZheng, L., et al. (2023), 'Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena' — operationalises the multi-turn evaluation protocol for foundation models.
- Data Poisoning PreprintCarlini, N., et al. (2024), 'Poisoning Web-Scale Training Datasets is Practical' — establishes practical feasibility of poisoning frontier-model training corpora.
- Model Distillation Risk PreprintHinton, G., Vinyals, O., Dean, J. (2015), 'Distilling the Knowledge in a Neural Network' — the foundational distillation paper; the governance-relevant adaptation runs through Alpaca/Vicuna (2023) and DeepSeek-R1 (2025).
- Jailbreak Resistance PreprintZou, A., Wang, Z., Kolter, J. Z., Fredrikson, M. (2023), 'Universal and Transferable Adversarial Attacks on Aligned Language Models' — the canonical demonstration that gradient-based suffix attacks transfer across aligned LLMs.
- Model-Merging Risk PreprintBhardwaj, R., et al. (2024), 'Language Models are Homer Simpson! Safety Re-Alignment of Fine-tuned Language Models through Task Arithmetic' — canonical demonstration that safety training is not preserved under task arithmetic / merging.
- Inference-Time Compute PreprintSnell, C., Lee, J., Xu, K., Kumar, A. (2024), 'Scaling LLM Test-Time Compute Optimally can be More Effective than Scaling Model Parameters' — establishes inference-time-compute scaling as a first-class capability lever.
- Sandbagging Preprintvan der Weij, T., Hofstätter, F., Jaffe, O., Brown, S., Ward, F. (2024), 'AI Sandbagging: Language Models can Strategically Underperform on Evaluations.'
- Hallucination PreprintJi, Z., et al. (2023), 'Survey of Hallucination in Natural Language Generation,' ACM Computing Surveys 55(12): 1-38.
- In-Context Learning PreprintBrown, T., et al. (2020), 'Language Models are Few-Shot Learners' (GPT-3 paper) — the canonical articulation of in-context learning as an emergent capability.
- Retrieval-Augmented Generation (RAG) PreprintLewis, P., et al. (2020), 'Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,' NeurIPS — the canonical articulation of RAG.
- Chain-of-Thought Monitoring PreprintKorbak, T., Balesni, M., Barnes, E., Bengio, Y., et al. (2025), 'Chain of Thought Monitorability: A New and Fragile Opportunity for AI Safety.' arXiv:2507.11473.
- Artificial Intelligence Research institute✦ AIUS National Academies' AI consensus-study hub.
- A comprehensive review of Artificial Intelligence regulation: Weighing ethical principles and innovation Peer-reviewed✦ AIA 60-reference review weighing AI innovation and economic competitiveness against ethical safeguards.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Novelli, Casolari, Hacker, Spedicato & Floridi (2024) Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity, Computer Law & Security Review. 10.1016/j.clsr.2024.106066 — Examines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements. ↩
- arXiv:2407.05694 ↩
- Jared Kaplan, Sam McCandlish, Tom Henighan, Tom B. Brown, Benjamin Chess, Rewon Child, Scott Gray, Alec Radford, Jeffrey Wu, Dario Amodei (2020) Scaling Laws for Neural Language Models, arXiv (cs.LG). arXiv:2001.08361 — Establishes that model 'loss scales as a power-law with model size, dataset size, and the amount of compute', the empirical basis for compute-threshold regulation of foundation models. ↩
- Jordan Hoffmann, Sebastian Borgeaud, Arthur Mensch, et al. (DeepMind) (2022) Training Compute-Optimal Large Language Models, arXiv (cs.CL); NeurIPS 2022. arXiv:2203.15556 — The 'Chinchilla' study shows 'model size and the number of training tokens should be scaled equally', complicating compute-only regulatory thresholds. ↩
- Hacker, Engel & Mauer (2023) Regulating ChatGPT and other Large Generative AI Models, ACM FAccT '23. 10.1145/3593013.3594067 — Argues AI regulation "has primarily focused on conventional AI models, not LGAIMs" and should target "concrete high-risk applications, and not the pre-trained model itself". ↩
- Anderljung, Barnhart, Korinek, et al. (2023) Frontier AI Regulation: Managing Emerging Risks to Public Safety, arXiv. arXiv:2307.03718 — Argues "industry self-regulation is an important first step" but "government intervention will be needed", proposing safety standards, registration and reporting, and compliance mechanisms. ↩
- Eloundou, Manning, Mishkin, Rock (2024) GPTs are GPTs: Labor market impact potential of LLMs, Science. 10.1126/science.adj0998 — Finds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies". ↩
- Martina Hulok (2025) The EU model of AI governance: regulating artificial intelligence through law and policy, ERA Forum. 10.1007/s12027-025-00869-1 — Analyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'. ↩
- EU-AIA-2024: Arts. 51-55 (general-purpose AI + systemic risk)
- US-EO-14110: §4.2(a) — Defense Production Act reporting
- UK-WHITEPAPER-2023: Cross-cutting principles; sector regulators apply
- CN-GENAI-2023: Art. 2 (applies to GenAI services regardless of size)
- G7-HIROSHIMA: Code applies to advanced AI
- OECD-AI-PRIN: 2024 update clarifies GPAI scope
- COE-AI-CONV: Applies to AI throughout lifecycle (Art. 3)
- NIST-AI-RMF: GenAI Profile (NIST AI 600-1, 2024)
- BLETCHLEY-2023: Declaration §1-2 (frontier AI defined as the subject)
- SEOUL-2024: Declaration + accompanying Frontier AI Safety Commitments (16 signatory companies)
- NIST-AI-RMF-GENAI: Entire NIST AI 600-1 scope is GPAI / GenAI
- CA-SB-1047: Cal. SB-1047 §22602 — 'covered model' = trained with >10^26 operations AND >$100M cost (or fine-tuning >$10M); vetoed 29 Sep 2024
- IN-DPDP-2023: MEITY Apr-2024 advisory walked back the Mar-2024 pre-deployment-approval requirement; current approach is post-deployment incident reporting
- BR-AIBILL-2024: PL 2338/2023 Arts. 17-19 (general-purpose AI systemic-risk obligations)
- ASEAN-AI-GUIDE-2024: Guide §6 covers GenAI but with flexible implementation expectations
- ANTHROPIC-RSP-2024: RSP v2 §2 — ASL framework applies to frontier model releases
- OPENAI-PREPAREDNESS-2023: Preparedness Framework §1-2 — applies to all OpenAI frontier-model releases
- DEEPMIND-FSF-2024: FSF applies to Google DeepMind frontier-model releases
- META-FRONTIER-2024: Framework applies to Meta frontier-model releases (Llama family)
- UK-US-AISI-MOU-2024: MoU scope is frontier AI evaluation
- WH-VOLUNTARY-2023: Commitments §1-2 — internal + external security testing of frontier models
- SG-MODEL-AI-2024: Framework Dimension 3 (Trusted Development + Deployment) explicitly covers GenAI models
- JP-METI-AI-2024: Guidelines Part 3 — covers AI providers including foundation-model developers
- EU-GPAI-COP-2025: Chapter 3 (Safety & Security) operationalises Art. 55 systemic-risk-tier obligations for GPAI providers
- OMB-M-24-10: §5 + Attachment 1 — minimum practices apply to safety- + rights-impacting AI regardless of foundation-model classification; no compute-threshold trigger
- GSA-AI-GUIDE-2024: Sections posing generative-AI vendor-evaluation + model-provenance due-diligence questions for contracting officers
- DOD-RAI-2022: Tenet 3 (AI Product and Acquisition Lifecycle) + Tenet 5 (Responsible AI Ecosystem) — RAI integration applies regardless of model architecture; foundation-model-specific obligations flow through CDAO RAI Toolkit guidance
- FEDRAMP-AI-2024: GenAI-specific control tailoring guidance addresses model-specific risks (training-data exposure, prompt-injection, output disclosure) within SSP + NIST SP 800-53 control overlay selection
- DFARS-252-204: 252.204-7012 — AI-system source code, model weights, training data fall within Covered Defense Information scope when the underlying contract designates these as CDI; foundation-model artefacts are CDI through the standard contract designation pathway
- CA-SB-53: Bus. & Prof. Code § 22757.11 — defines 'foundation model' + 'frontier model' (>10^26 FLOP) as the regulated class
- CA-SB-942: No operative provision regulates foundation models as a class; the regulated party ('covered provider', § 22757.1) is defined by an output/scale hook — a producer of a publicly-accessible GenAI system with over 1,000,000 monthly users — so a foundation-model producer is reached only incidentally via the § 22757.2–.3 output-disclosure duties, not by any model-level obligation
- NY-RAISE-2025: N.Y. Gen. Bus. Law § 1420(6) defines 'frontier model' (>10^26 FLOP, >$100M compute) + § 1421 imposes operative pre-deployment duties on large frontier-model developers
- JP-AIPROMO-2025: Act No. 53 of 2025, Arts. 2 & 12
- UN-GDC-2024: GDC Objective 5 (A/RES/79/1, Annex I)
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/foundation-models — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
34 instruments tracked.
Does governance work? — the social-science evidence
What the peer-reviewed social science shows: whether the harm this topic addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Whether the foundation-model category maps to a coherent capability/risk tier is genuinely contested. The original case rests on scale-driven 'emergent abilities' that appear unpredictably above a size threshold (Wei et al. 2022; Ganguli et al. 2022 documented capabilities that are smoothly predictable in aggregate loss yet locally surprising), but Schaeffer, Miranda & Koyejo (2023, a NeurIPS Outstanding Paper) showed many 'emergent' jumps are artefacts of discontinuous metrics and dissolve under linear/continuous scoring — implying capability scales more smoothly than a sharp tier would suggest. Honest caveat: this is a live empirical disagreement about measurement, not a settled finding either way, and compute (the regulatory proxy) is an imperfect stand-in for capability or risk regardless of which side is right.
Sources: Wei et al. 2022 (Emergent Abilities of Large Language Models, TMLR; arXiv:2206.07682); Schaeffer, Miranda & Koyejo 2023 (Are Emergent Abilities of Large Language Models a Mirage?, NeurIPS 2023, Outstanding Paper; arXiv:2304.15004); Ganguli et al. 2022 (Predictability and Surprise in Large Generative Models, ACM FAccT; DOI 10.1145/3531146.3533229)
There is no impact evaluation showing that GPAI/foundation-model governance reduces harm — the rules are too new (EU AI Act GPAI obligations and the 10^25-FLOP systemic-risk presumption only began binding on 2 August 2025) and the central regulatory lever is itself contested: Hooker (2024) argues compute thresholds are a shortsighted proxy because compute does not reliably track capability or risk, and the thresholds already diverge across jurisdictions (EU 10^25 vs. the now-rescinded US EO 14110's 10^26 operations, rescinded 20 January 2025). The mandated mitigation methods also lack validated efficacy: model evaluation and red-teaming face well-documented coverage limits and an 'audit gap' in the survey/position literature (behavioural testing cannot establish the absence of untested failure modes), and adversarial red-teaming repeatedly defeats deployed safeguards — the UK AI Safety Institute reports finding universal jailbreaks for every frontier system it has tested, and a large public agent-injection competition elicited policy violations across all 22 frontier models tested from ~1.8M attacks (Zou et al. 2025). Even compliant evaluation therefore cannot yet certify the safety the rules demand. (Caveat: this is an absence-of-evidence claim — no efficacy study has been done — not evidence the rules are ineffective.)
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Arts. 51 & 55 (GPAI systemic-risk presumption, 10^25 FLOP; binding 2 Aug 2025); US EO 14110 (10^26-operation reporting threshold, rescinded 20 Jan 2025 by EO 14148); Zou et al. 2025 (Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition / Gray Swan Arena, arXiv:2507.20526 — 22 frontier agents, ~1.8M attacks); UK AI Safety/Security Institute, Frontier AI Trends Report (universal jailbreaks for every system tested); METR, Common Elements of Frontier AI Safety Policies (2024)