Frontier-Tier AI
frontier-tier · Risk classification
A categorical classification of AI models above certain capability or compute thresholds, indicating heightened regulatory scrutiny.
Definition & scope
Frontier-tier classification varies by jurisdiction. The EU AI Act presumes 'systemic risk' at ≥10²⁵ FLOPs training compute OR ≥45M EU monthly active users. The US EO 14110 used 10²⁶ FLOPs as the reporting trigger. Industry frameworks (Anthropic ASL, OpenAI Preparedness, DeepMind FSF) use capability-based rather than pure-compute frontier markers. The term 'frontier' has no single canonical definition; it is operationalized differently across regulators and developers.
Locus of dispute: Does 'frontier' have a coherent definition across regulators + industry, or is it a contextual term whose meaning shifts with jurisdiction? Compute-threshold (EU/US) vs behavioural-tier (Anthropic/OpenAI/DeepMind) split is unresolved.
Mechanism: two ways a model is sorted into the frontier tier
Frontier-tiering operates through two structurally different mechanisms that the existing definition names but does not develop. The first is the ex-ante compute trigger: a model is sorted into the tier the moment its cumulative training compute crosses a fixed line, independently of any behavioural test. Under the EU AI Act this is a *rebuttable presumption* of systemic risk at >10^25 FLOP (Art. 51(2)), with Annex XIII listing additional indicators (parameters, dataset size, modalities, benchmarks, business-user reach) the Commission may weigh; US EO 14110 used 10^26 FLOP purely as a reporting trigger. The mechanism's appeal is that compute is, as Sastry, Heim et al. 1 argue, 'detectable, excludable, and quantifiable' and produced through a concentrated supply chain, making the boundary administrable before a model is even deployed; Heim & Koessler 2 similarly call training compute 'the most suitable metric to identify GPAI models' while cautioning that a threshold should only trigger further scrutiny, not measure risk on its own.
The second mechanism is ex-post and capability-gated: 'if-then commitments' in developer frameworks (Anthropic RSP, OpenAI Preparedness, DeepMind Frontier Safety Framework). Here membership is not set by a compute number but by a four-part protocol — defined capability thresholds, a commitment to evaluate for them, pre-specified safeguards that engage *if* a threshold is reached, and a pause commitment if those safeguards cannot be implemented (the 'if-then commitment' framing follows Karnofsky 2024, Carnegie Endowment; the four-part protocol is set out in the developer frameworks themselves). What such evaluation can detect today is itself a research frontier: Phuong et al. 3 pilot dangerous-capability evaluations and report 'early warning signs' but no strong present danger. The tier is thus a moving, test-determined status rather than a fixed gate. The two mechanisms can disagree about the same model, which is the source of the compute-vs-behaviour split the article flags.
History: from neutral usage to a governance category (2018–2024)
As a *governance* category the term is recent, though the word predates it. The earliest attestations are neutral: a March 2018 China Daily report quotes Minister Wan Gang on 'frontier AI-related science issues', and Scopus records a first academic use in 2019 (etymology traced in Nottingham's *Making Science Public*, 'Frontier AI: Tracing the origin of a concept', 2023). The borrowing draws on the economics notion of a technological/production-possibility frontier — the outer edge of what is currently achievable.
The regulatory sense crystallised in mid-2023. On 6 July 2023 Anderljung, Barnhart et al. posted 'Frontier AI Regulation: Managing Emerging Risks to Public Safety' 4, deliberately choosing 'frontier' over 'general-purpose AI' to mark a *narrower* class of highly capable models with potentially dangerous capabilities; a Centre for the Governance of AI blog post refined the definition on 10 July. Industry institutionalised the term on 26 July 2023 when Anthropic, Google, Microsoft and OpenAI launched the Frontier Model Forum (Microsoft, 'Anthropic, Google, Microsoft, OpenAI launch Frontier Model Forum', 26 July 2023). The UK then adopted it officially at the Bletchley Park AI Safety Summit (1–2 November 2023), defining frontier AI as 'highly capable general-purpose AI models' matching or exceeding today's most advanced systems (UK Government, Bletchley Declaration, 2023). The binding-law instantiation followed with the EU AI Act's systemic-risk regime (Regulation (EU) 2024/1689, Art. 51) in 2024 — a settling that masked real terminological churn, since Fernández-Llorca et al. 5 trace how the Act's text shifted across versions between 'AI system, general purpose AI system, foundation model, and generative AI' before the final agreement.
Relation to adjacent concepts: frontier vs GPAI, foundation model, and systemic risk
'Frontier-tier' is routinely conflated with three neighbours, but each draws its boundary differently. A *foundation model* 6 is defined by training method and adaptability — a model trained on broad data and adaptable to many downstream tasks — and says nothing about capability level; most foundation models are not frontier. *General-purpose AI (GPAI)*, the EU AI Act's operative term, is similarly breadth-defined and deliberately broad; Anderljung et al. 4 coined 'frontier' precisely to mark a *narrower* subset — the most capable, capability-novel models — and to avoid being read into the wider GPAI legal category. That the GPAI line itself is contested is shown by Gutierrez et al. 7, who find existing GPAIS definitions 'do not provide sufficient guidance' and propose a functional one to make the category governable.
The sharpest contrast is with *systemic risk* as used in the EU AI Act. Frontier-tier is a descriptive claim about where a model sits on the capability/compute frontier; 'GPAI with systemic risk' is the Act's legal *consequence* attached to models presumed above 10^25 FLOP or designated under Art. 51 + Annex XIII, triggering Art. 55 obligations. One is a capability description, the other a regulatory status — they coincide by design but are not synonyms. Finally, Anthropic's ASL tiers (and analogous if-then thresholds) are *behavioural* gradations *within* the frontier set, defined by demonstrated dangerous-capability evaluations rather than by the compute or breadth boundary that defines frontier membership itself. Editorial composite: these distinctions are Policy Window's synthesis of the cited definitional sources, not a single source's taxonomy.
Contestation: is the compute boundary the right line at all?
The frontier tier's defining mechanism is openly disputed. The central fault-line is whether a fixed compute threshold can durably mark the frontier. Pistillo & Villalobos 8 document 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', so a model can stay below the >10^25 FLOP line (Art. 51(2)) yet match systems above it — a legal loophole that decouples compute from capability. Heim & Koessler 2 concede the point in principle, arguing a compute threshold should only *trigger scrutiny* rather than measure risk, which implies the boundary cannot by itself settle tier membership.
A second dispute is distributional rather than technical. Lehdonvirta, Wú & Hawkins 9 show that the compute that defines and is needed to govern the frontier is geographically concentrated in a 'Compute North', leaving a 'Compute South' that can neither train frontier models nor easily wield compute-based oversight — so the tier encodes who holds power, not just a capability fact. A third strand questions the line's premise from the other direction: Anderljung et al. 4 argue 'industry self-regulation is an important first step' but that 'government intervention will be needed', while the capability-gated alternative depends on evaluations that Phuong et al. 3 show are still early-stage and detect only 'early warning signs'. The open question the article inherits is whether the frontier is best fixed ex ante by compute, gated ex post by behaviour, or — as critics imply — neither alone.
Use in governance
How instruments operationalise this concept
| Instrument | Jurisdiction | Status |
|---|---|---|
| EU AI Act | EU | in force |
| Executive Order 14110 on Safe, Secure, Trustworthy AI | US | partial |
| UK Pro-Innovation Approach to AI Regulation (White Paper) | UK | in force |
| G7 Hiroshima AI Process Code of Conduct | G7 | in force |
| Anthropic Responsible Scaling Policy (RSP) v2 | US | in force |
| OpenAI Preparedness Framework | US | in force |
| Google DeepMind Frontier Safety Framework | US | in force |
| Meta Frontier AI Framework | US | in force |
| UK-US AI Safety Institute Memorandum of Understanding | global | in force |
| White House Voluntary AI Commitments | US | in force |
| Singapore Model AI Governance Framework for Generative AI | SG | in force |
| Japan METI AI Guidelines for Business | JP | in force |
| EU General-Purpose AI Code of Practice | EU | in force |
Appears in topic articles
Editorial note
When a wiki article references 'frontier' without jurisdictional qualifier, defer to the EU AIA Art. 51 definition as the most widely cited binding text.
See also
Further reading
Sources on the broader topics this concept relates to — complementing, not standing in for, the primary sources cited inline above. 56 academic & grey-literature sources; catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- Defending Compute Thresholds Against Legal Loopholes Preprint✦ AIIdentifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Computing Power and the Governance of Artificial Intelligence Preprint✦ AIArgues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain".
- Training Compute Thresholds: Features and Functions in AI Regulation Preprint✦ AIFinds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone.
- Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe Peer-reviewed✦ AICensus of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance.
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- Evaluating Frontier Models for Dangerous Capabilities Preprint✦ AIPilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating.
- Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation Preprint✦ AIArgues 'compute providers should have legal obligations' to secure infrastructure, keep records, verify activity and report frontier training as regulatory intermediaries.
- Verification methods for international AI agreements Preprint✦ AISurveys '10 verification methods that could detect... unauthorized AI training... and unauthorized data centers', mapping the technical basis for compute-disclosure regimes.
+ 44 more across this concept's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Sastry, Heim, Belfield, Anderljung, Brundage, et al. (2024) Computing Power and the Governance of Artificial Intelligence, arXiv. arXiv:2402.08797 — Argues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain". ↩
- Heim & Koessler (2024) Training Compute Thresholds: Features and Functions in AI Regulation, arXiv. arXiv:2405.10799 — Finds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone. ↩
- Mary Phuong, Matthew Aitchison, Elliot Catt, et al. (Google DeepMind) (2024) Evaluating Frontier Models for Dangerous Capabilities, arXiv (cs.LG). arXiv:2403.13793 — Pilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating. ↩
- Anderljung, Barnhart, Korinek, et al. (2023) Frontier AI Regulation: Managing Emerging Risks to Public Safety, arXiv. arXiv:2307.03718 — Argues "industry self-regulation is an important first step" but "government intervention will be needed", proposing safety standards, registration and reporting, and compliance mechanisms. ↩
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Bommasani et al. (2021) On the Opportunities and Risks of Foundation Models, arXiv. arXiv:2108.07258 — Defines foundation models and warns homogenization "demands caution, as the defects of the foundation model are inherited by all the adapted models downstream". ↩
- Gutierrez, Aguirre, Uuk, Boine & Franklin (2023) A Proposal for a Definition of General Purpose Artificial Intelligence Systems, Digital Society. 10.1007/s44206-023-00068-w — Finds existing GPAIS definitions "do not provide sufficient guidance" and proposes "a functional definition of the term that facilitates its governance within the EU". ↩
- Matteo Pistillo, Pablo Villalobos (2025) Defending Compute Thresholds Against Legal Loopholes, arXiv (cs.CY). arXiv:2502.00003 — Identifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds. ↩
- Lehdonvirta, Wú & Hawkins (2024) Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe, AIES Proceedings. 10.1609/aies.v7i1.31683 — Census of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance. ↩
- EU AI Act Art. 51 + Annex XIII (the closest binding definition)
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/frontier-tier — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Social-science evidence — the “so-what”
What the peer-reviewed social science shows: whether the harm this concept addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
The 'frontier' category names something real — the most capable foundation models do exhibit emergent, hard-to-anticipate dangerous capabilities (Anderljung et al. 2023) — but the term lacks a coherent, consistent definition across jurisdictions and over time. Regulators operationalize it via training-compute proxies that already diverge: the EU AI Act presumes systemic-risk GPAI above 10^25 FLOP (Art. 51, a rebuttable presumption), while US EO 14110, California's SB-53 (Transparency in Frontier AI Act), and New York's separate RAISE Act all use 10^26 FLOP. These thresholds are widely argued to be poor proxies for capability/risk: FLOP has no standardized measurement, ignores inference-time/post-training compute and algorithmic-efficiency gains, and is gameable (Hooker 2024). Caveat: the underlying phenomenon (frontier capability) is real, but its categorical boundary is contested and time-unstable, not a fixed property.
Sources: Anderljung, Barnhart et al. 2023 (Frontier AI Regulation: Managing Emerging Risks to Public Safety, arXiv:2307.03718); Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Art. 51 (10^25 FLOP systemic-risk presumption); US Executive Order 14110, California SB-53, and New York RAISE Act (10^26 FLOP)
There is no impact evaluation showing that classifying models as 'frontier' (and attaching heightened scrutiny) measurably reduces downstream harm; the regime is too new and the proxy itself is critiqued as gameable and capability-misaligned. Hooker 2024 argues hard-coded compute thresholds are likely to fail because algorithmic-efficiency gains let a given capability fall below a fixed line over time, thresholds exclude inference-time/post-training compute, FLOP measurement is unstandardized, and developers can structure training to evade the threshold. The registration/reporting building blocks proposed by Anderljung et al. 2023 are explicitly proposals, not empirically tested harm-reduction levers. The evidence that frontier-tiering works is essentially absent.
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); Anderljung, Barnhart et al. 2023 (Frontier AI Regulation, arXiv:2307.03718)