NIST AI RMF Generative AI Profile
NIST-AI-RMF-GENAI · US
Companion to NIST AI 100-1 covering GenAI-specific risks: CBRN information uplift, confabulation, data privacy, environmental impacts, harmful bias, dangerous information, IP misuse, obscene/abusive/violent content, information security, information integrity, human-AI configuration, value chain and component integration. Voluntary. Currency (2026-06-21): pursuant to America's AI Action Plan (Jul 2025), NIST is revising the AI RMF and its Profiles to remove references to misinformation, DEI, and climate change — directly implicating this Profile's harmful-bias and environmental-impacts risk categories; the Jul 2024 Profile remains the active version pending that revision.
Background & scope
NIST AI RMF Generative AI Profile addresses 8 contested AI-governance topics explicitly, 1 via general principles.
Provisions & coverage
- governsFoundation Models / GPAIEntire NIST AI 600-1 scope is GPAI / GenAI[15]
- governsDeepfakes / Synthetic ContentNIST AI 600-1 §3.11 Confabulation + §3.10 Information Integrity (synthetic content)[15]
- governsTransparency ObligationsGovern + Map cross-cutting documentation requirements applied to GenAI[15]
- implicitIndividual RedressAccountability characteristic from base RMF; not GenAI-specific text[15]
- governsTraining-Data RightsNIST AI 600-1 §3.4 Data Privacy + §3.7 Intellectual Property[15]
- governsCatastrophic & Existential RiskNIST AI 600-1 §3.1 CBRN Information Uplift; §3.3 Dangerous, Violent, or Hateful Content[15]
- governsAgentic AI GovernanceNIST AI 600-1 names Value Chain + Component Integration as risk category covering agentic / tool-use deployments[15]
- governsSynthetic Content ProvenanceNIST AI 600-1 — Information Integrity is one of 12 named GenAI risk categories; covers synthetic-content labelling + provenance[15]
- governsEnvironmental Impact of AI TrainingNIST AI 600-1 — Environmental Impacts is one of 12 named GenAI risk categories[15]
Operative Mechanics: A Risk Taxonomy, Not a Rule
NIST AI 600-1 (Jul 2024) is a cross-sectoral companion Profile to the base AI RMF (NIST AI 100-1), structured around twelve named GenAI-specific risk categories catalogued in §2 — including CBRN information uplift (§2.1), confabulation (§2.2), data privacy (§2.4), intellectual property (§2.10), information integrity (§2.8), environmental impacts (§2.5), and value-chain/component integration (§2.12). Rather than prescribing conduct, §3 maps each risk onto the RMF's four functions (Govern, Map, Measure, Manage) and offers a menu of suggested actions keyed to roles across the value chain. Its agentic-AI hook is the value-chain category, capturing tool-use and component-composition risks that single-model controls miss — a concern formalised in the governance literature 12. The Profile defines no thresholds, audits, or sanctions; it is an organising vocabulary.
Standing Relative to Binding Law
The Profile is explicitly voluntary and confers no legal obligation; its force is reputational and incorporative. This contrasts sharply with the EU AI Act (Regulation (EU) 2024/1689), whose Article 50 imposes binding synthetic-content marking and deepfake-disclosure duties — duties an empirical audit found widely unmet, with only 38% of image generators watermarking adequately 3. Where NIST treats information integrity as a risk to be measured, the Act treats it as a compliance command, though even its deepfake definition invites narrowing interpretation 4. The Profile's data-privacy and IP categories likewise have no operative teeth comparable to the GDPR's memorisation problem 5 or TDM copyright exceptions 6. It functions as soft-law scaffolding that firms map onto hard-law regimes elsewhere.
Key Fault-Lines and Gaps
Three critiques recur. First, taxonomic breadth without operationalisation: naming CBRN uplift (§2.1) does not specify evaluation methods, leaving the catastrophic-bio interface — a fast-moving dual-use threat 7 — governed by suggested actions rather than benchmarks. Second, the value-chain category gestures at agentic risk but lacks infrastructure for action attribution or multi-agent failure modes like collusion and miscoordination 82. Third, definitional instability: 'generative AI' and 'GPAI' remain unstable legal categories across regimes 910, and the Profile's voluntariness means its information-integrity guidance does little to cure the fragmented US deepfake patchwork 1112.
Implementation Trajectory and Political Headwinds
As of June 2026 the July 2024 Profile remains the active version, but its trajectory is unsettled. Pursuant to America's AI Action Plan (Jul 2025), NIST has been directed to revise the AI RMF and its Profiles to remove references to misinformation, DEI, and climate change — language that directly implicates the harmful-bias and environmental-impacts risk categories. A scoped-down successor would weaken the Profile's already-soft footing precisely where binding regimes are tightening, e.g. AI Act and Energy Efficiency Directive data-centre disclosure levers analysed by Ebert et al. 13. The audio-deepfake liability gap pinned on foundation-model providers 14 further illustrates how voluntary US guidance lags structural-liability debates abroad. The Profile's enduring value may lie less as live policy than as a shared risk lexicon outliving its contested categories.
Enforcement & impact
Cross-jurisdiction comparison
How peer instruments treat the topics NIST AI RMF Generative AI Profile governs.
| Topic | EU-AIA-2024 | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | CN-GENAI-2023 | G7-HIROSHIMA | OECD-AI-PRIN | COE-AI-CONV | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | EU-GDPR-2016 | EU-GPAI-COP-2025 | OMB-M-24-10 | GSA-AI-GUIDE-2024 | DOD-RAI-2022 | FEDRAMP-AI-2024 | DFARS-252-204 | CA-SB-53 | CA-SB-243 | CA-SB-942 | EU-PLD-2024 | UNESCO-AI-ETHICS-2021 | EU-PWD-2024 | CN-DEEPSYN-2022 | NY-RAISE-2025 | US-TAKEITDOWN-2025 | IT-AILAW-2025 | JP-AIPROMO-2025 | UN-GDC-2024 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Foundation Models / GPAI | governs | governs | silent | implicit | governs | governs | implicit | implicit | silent | governs | governs | governs | governs | implicit | governs | implicit | silent | governs | governs | governs | governs | governs | governs | governs | governs | silent | governs | implicit | governs | implicit | implicit | implicit | governs | silent | implicit | silent | silent | silent | silent | governs | silent | silent | implicit | implicit |
| Deepfakes / Synthetic Content | governs | governs | silent | silent | governs | governs | silent | silent | implicit | implicit | silent | silent | silent | governs | silent | silent | silent | silent | silent | silent | silent | silent | governs | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | governs | silent | governs | governs | silent | silent |
| Transparency Obligations | governs | implicit | silent | implicit | conflicts | governs | governs | governs | implicit | governs | implicit | governs | implicit | implicit | governs | governs | silent | governs | implicit | implicit | governs | implicit | governs | governs | governs | governs | governs | governs | governs | governs | governs | silent | governs | governs | governs | implicit | governs | governs | governs | governs | silent | governs | governs | governs |
| Training-Data Rights | implicit | silent | silent | silent | governs | silent | silent | implicit | silent | implicit | silent | silent | silent | governs | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | implicit | governs | governs | silent | implicit | silent | implicit | governs | silent | silent | silent | silent | governs | silent | governs | silent | silent | governs | implicit | implicit |
| Catastrophic & Existential Risk | implicit | governs | silent | implicit | silent | governs | silent | silent | implicit | implicit | governs | governs | governs | silent | governs | silent | silent | governs | governs | governs | governs | implicit | implicit | silent | silent | silent | governs | silent | silent | implicit | silent | silent | governs | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | implicit |
| Agentic AI Governance | implicit | silent | silent | silent | implicit | implicit | silent | implicit | silent | implicit | implicit | governs | silent | silent | implicit | silent | silent | governs | governs | governs | implicit | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | silent | silent | implicit | silent | implicit | silent | implicit | silent | silent | silent | silent |
| Synthetic Content Provenance | governs | governs | silent | silent | governs | governs | silent | silent | implicit | implicit | silent | silent | silent | silent | implicit | silent | silent | implicit | silent | silent | silent | silent | governs | governs | implicit | silent | implicit | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | governs | silent | silent | implicit | silent | governs |
| Environmental Impact of AI Training | implicit | implicit | silent | silent | silent | implicit | implicit | implicit | implicit | silent | silent | silent | silent | silent | silent | implicit | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | silent | silent | implicit | silent | implicit |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
See also
Per-audience views
- Provisions →Article-by-article obligation breakdown for procurement + RFP authors.
- Disclosure form →Vendor-disclosure questionnaire derived from this instrument's operative obligations.
- Harm narratives →Documented harms relevant to this instrument's topics, for civil-society advocacy.
- Briefing pack →Journalist-ready summary with quotes + dates + primary-source links.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Further reading
139 academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act Peer-reviewed✦ AIEmpirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50.
- Artificial intelligence and synthetic biology: biosecurity risks, dual-use concerns, and governance pathways Peer-reviewed✦ AIReviews biosecurity and dual-use risks at the AI-synthetic-biology interface and maps governance pathways for emerging catastrophic threats.
- Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem Peer-reviewed✦ AIArgues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data.
- AI, Climate, and Regulation: From Data Centers to the AI Act Peer-reviewed✦ AIAnalyses the legal levers (AI Act energy-reporting duties, Energy Efficiency Directive data-centre KPIs, sustainability reporting) for governing AI's climate footprint and their disclosure gaps.
- Governing AI Agents Preprint✦ AIUses "agency law and theory to identify and characterize problems arising from AI agents" and proposes governance infrastructure built on inclusivity, visibility, and liability.
- Infrastructure for AI Agents Peer-reviewed✦ AIProposes "agent infrastructure": external technical systems for attributing actions "to specific agents, their users, or other actors," shaping interactions, and remediating harms.
- Multi-Agent Risks from Advanced AI Research institute✦ AIIdentifies three failure modes of advanced multi-agent systems — "miscoordination, conflict, and collusion" — plus seven risk factors, posing challenges distinct from single-agent AI.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- The Current Landscape of Deepfake Legislation in the United States Peer-reviewed✦ AIThematic analysis of 319 state deepfake bills (2019-2024) finds a fragmented patchwork concentrated on political and sexually-explicit content.
- Reimagining U.S. Tort Law for Deepfake Harms: Comparative Insights from China and Singapore Peer-reviewed✦ AIArgues fragmented US tort doctrines (defamation, publicity, IIED) are ill-suited to deepfake harms and draws remedial lessons from Chinese and Singaporean law.
+ 127 more across this instrument's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Noam Kolt (2025) Governing AI Agents, Notre Dame Law Review (forthcoming). arXiv:2501.07913 — Uses "agency law and theory to identify and characterize problems arising from AI agents" and proposes governance infrastructure built on inclusivity, visibility, and liability. ↩
- Alan Chan, Kevin Wei, Sihao Huang, Nitarshan Rajkumar, Elija Perrier, Seth Lazar, Gillian K. Hadfield, Markus Anderljung (2025) Infrastructure for AI Agents, Transactions on Machine Learning Research. arXiv:2501.10114 — Proposes "agent infrastructure": external technical systems for attributing actions "to specific agents, their users, or other actors," shaping interactions, and remediating harms. ↩
- Bram Rijsbosch, Gijs van Dijck, and Konrad Kollnig (2026) Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act, Policy & Internet. 10.1002/poi3.70041 — Empirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50. ↩
- Mateusz Łabuz (2025) A Teleological Interpretation of the Definition of DeepFakes in the EU Artificial Intelligence Act—A Purpose-Based Approach to Potential Problems With the Word 'Existing', Policy & Internet. 10.1002/poi3.435 — Warns a narrow reading of 'existing' in the AI Act's deepfake definition could exclude synthetic media from transparency duties, urging a teleological interpretation. ↩
- Hannah Ruschemeier (2025) Generative AI and data protection, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2024.2 — Examines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous. ↩
- Arne Radeisen (2026) Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem, GRUR International. 10.1093/grurint/ikag002 — Argues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data. ↩
- Kirolos Eskandar (2026) Artificial intelligence and synthetic biology: biosecurity risks, dual-use concerns, and governance pathways, AI and Ethics (Springer). 10.1007/s43681-025-00872-9 — Reviews biosecurity and dual-use risks at the AI-synthetic-biology interface and maps governance pathways for emerging catastrophic threats. ↩
- Lewis Hammond, Alan Chan, Jesse Clifton, et al. (Cooperative AI Foundation) (2025) Multi-Agent Risks from Advanced AI, Cooperative AI Foundation. arXiv:2502.14143 — Identifies three failure modes of advanced multi-agent systems — "miscoordination, conflict, and collusion" — plus seven risk factors, posing challenges distinct from single-agent AI. ↩
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Martina Hulok (2025) The EU model of AI governance: regulating artificial intelligence through law and policy, ERA Forum. 10.1007/s12027-025-00869-1 — Analyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'. ↩
- Valentine Ugwuoke and Madelyn Rose Sanfilippo (2025) The Current Landscape of Deepfake Legislation in the United States, Journal of Information Policy. 10.5325/jinfopoli.15.2025.0004 — Thematic analysis of 319 state deepfake bills (2019-2024) finds a fragmented patchwork concentrated on political and sexually-explicit content. ↩
- Huijuan Peng and Pey-Woan Lee (2025) Reimagining U.S. Tort Law for Deepfake Harms: Comparative Insights from China and Singapore, Journal of Tort Law. 10.1515/jtl-2025-0028 — Argues fragmented US tort doctrines (defamation, publicity, IIED) are ill-suited to deepfake harms and draws remedial lessons from Chinese and Singaporean law. ↩
- André Ebert, Joseph Alder, Ralf Herbrich, Philipp Hacker (2026) AI, Climate, and Regulation: From Data Centers to the AI Act, Computer Law & Security Review. 10.1016/j.clsr.2026.106326 — Analyses the legal levers (AI Act energy-reporting duties, Energy Efficiency Directive data-centre KPIs, sustainability reporting) for governing AI's climate footprint and their disclosure gaps. ↩
- Bao Kham Chau and George He (2025) Audio deepfakes and the regulation of the landlords of creativity, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2025.10011 — Argues US, EU and Chinese regimes fail to assign audio-deepfake liability to 'landlords of creativity' (foundation-model providers) and proposes holding them accountable. ↩
- NIST AI 600-1 (Jul 2024)
- Entire NIST AI 600-1 scope is GPAI / GenAI
- NIST AI 600-1 §3.11 Confabulation + §3.10 Information Integrity (synthetic content)
- Govern + Map cross-cutting documentation requirements applied to GenAI
- Accountability characteristic from base RMF; not GenAI-specific text
- NIST AI 600-1 §3.4 Data Privacy + §3.7 Intellectual Property
- NIST AI 600-1 §3.1 CBRN Information Uplift; §3.3 Dangerous, Violent, or Hateful Content
- NIST AI 600-1 names Value Chain + Component Integration as risk category covering agentic / tool-use deployments
- NIST AI 600-1 — Information Integrity is one of 12 named GenAI risk categories; covers synthetic-content labelling + provenance
- NIST AI 600-1 — Environmental Impacts is one of 12 named GenAI risk categories
How to cite this article
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/nist-ai-rmf-genai-profile — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Does this instrument’s approach work? — the social-science evidence
Aggregated over the 9 topics this instrument governs: whether each harm is empirically real, and whether the peer-reviewed evidence shows governance reduces it. The badge is the epistemic status of the evidence— “thin”/“absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Of the 9 governed topics with a social-science evidence review, evidence that governance reduces the harm is established for 0, contested for 0, thin for 2, and absent for 7 — for most, no replicated study yet shows this instrument's approach works (the "second silence").
Agentic AI Governance
The capability that agentic governance targets — autonomous multi-step action — is real and rapidly, measurably advancing: METR finds the task length AI agents complete at 50% reliability has doubled roughly every seven months for the past six years (about 50 minutes for frontier 2025 models), and the UK AI Security Institute's first Frontier AI Trends Report (Dec 2025, >30 systems) reports models now finish hour-long software tasks >40% of the time versus <5% in late 2023. The distinct realized HARM from agency (as opposed to the underlying model) is, however, thinly documented: on consequential real-world tasks agents still fail the majority — Gemini 2.5 Pro completed only 30.3% of TheAgentCompany's 175 professional tasks (OpenHands scaffold, project leaderboard) — so the agency-specific harm magnitude is early and context-dependent rather than established at scale.
Sources: Kwa, West, Becker et al. 2025 (METR; arXiv:2503.14499, 'Measuring AI Ability to Complete Long Tasks'); UK AI Security Institute 2025 (Frontier AI Trends Report, Dec 2025); Xu, Song, Zhou et al. 2024 (TheAgentCompany, arXiv:2412.14161); 30.3% figure per TheAgentCompany leaderboard (OpenHands)
There is no impact-evaluation evidence that agent-specific governance reduces agentic harm: the operative regimes — the EU GPAI Code of Practice (published July 2025, voluntary/non-binding), the Seoul Frontier AI Safety Commitments (2024, voluntary), and AISI agent evaluations — are 2024-25 vintage and have never been measured against an outcome. The scholarship itself has not settled the contested unit of regulation: Kolt (2025) argues for governing the agentic relationship via principal-agent and agency-law tools, while Chan, Ezell, Kaufmann et al. (2024) propose agent-specific visibility mechanisms (identifiers, real-time monitoring, activity logging) that remain proposal-stage and unevaluated — meaning the field has design proposals but, as with most frontier-AI rules, the evidence that any of them works is absent rather than merely thin.
Sources: Kolt 2025 ('Governing AI Agents', 101 Notre Dame L. Rev., forthcoming; arXiv:2501.07913); Chan, Ezell, Kaufmann et al. 2024 ('Visibility into AI Agents', ACM FAccT 2024, pp. 958-973; DOI 10.1145/3630106.3658948); EU AI Office 2025 (GPAI Code of Practice, July 2025); Seoul Frontier AI Safety Commitments 2024
Catastrophic & Existential Risk
The catastrophic-uplift premise is genuinely contested: the empirical uplift studies that exist find current frontier models add little. RAND's red-team study found no statistically significant difference in the viability of bioweapon-attack plans produced with vs. without LLMs (Mouton, Lucas & Guest 2024), and OpenAI's 100-participant trial found GPT-4 gave at most a mild, non-significant accuracy uplift (mean +0.88 out of 10 for PhD experts, +0.25 for students; Patwardhan et al. 2024). Honest caveat: the harm is forward-looking, not yet observed — expert opinion on the catastrophic tail is sharply split (median AI researcher puts ~5% on extremely-bad/extinction outcomes, mean ~9-16% across differently-framed questions, n=2,778; Grace et al. 2024), and forecasters underestimated how fast risk-relevant capabilities (e.g. virology troubleshooting) actually arrived (Forecasting Research Institute 2025), so the relevant capabilities are a moving target rather than a settled magnitude.
Sources: Mouton, Lucas & Guest 2024 (RAND RR-A2977-2, Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study); Patwardhan et al. 2024 (OpenAI, Building an Early Warning System for LLM-aided Biological Threat Creation); Grace et al. 2024 (Thousands of AI Authors on the Future of AI, arXiv:2401.02843); Forecasting Research Institute 2025 (Forecasting LLM-enabled Biorisk and the Efficacy of Safeguards)
There is essentially no impact evidence that catastrophic-risk governance reduces catastrophic risk, and structurally there cannot yet be: the harm is a low-probability civilisational tail event, so no controlled trial or before/after evaluation of a realised catastrophe is possible. The dominant instruments are recent, voluntary developer frameworks (Anthropic's Responsible Scaling Policy 2023; OpenAI's Preparedness Framework 2023) built on if-then capability thresholds the developers themselves describe as speculative and qualitative rather than validated risk thresholds. The closest evidence is adjacent and indirect: trained-in deceptive behaviours can persist through standard safety training (Hubinger et al. 2024) — a demonstration that current mitigation may be insufficient, not that any governance regime works — and Anthropic's documented loosening of earlier commitments (RSP 2025 dropped the original pledge to define higher-tier ASL evaluations before developing the corresponding models) illustrates that even the strongest voluntary regimes lack external enforcement or measured efficacy.
Sources: Anthropic 2023 (Responsible Scaling Policy); OpenAI 2023 (Preparedness Framework); Hubinger et al. 2024 (Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training, arXiv:2401.05566); Hendrycks, Mazeika & Woodside 2023 (An Overview of Catastrophic AI Risks, arXiv:2306.12001)
Deepfakes / Synthetic Content
The flagship harm — non-consensual sexual deepfakes — is empirically real and sharply gendered: content audits find ~96-98% of deepfake videos online are non-consensual pornography overwhelmingly depicting women, and a pre-registered 10-country survey (>16,000 people) found 2.2% reporting victimization and 1.8% perpetration of synthetic intimate imagery, with documented mental-health, career, and participation harms. By contrast, the parallel claim that political/informational deepfakes UNIQUELY deceive is contested-to-refuted: experiments find deepfakes about as (not more) credible than equivalent text/audio fakes, and a 56-paper meta-analysis (k=137, N=86,155) puts unaided human detection near chance — implying a detection problem more than an exceptional-persuasion one.
Sources: Umbach, Henry, Beard & Berryessa 2024 (CHI '24, 'Non-Consensual Synthetic Intimate Imagery ... in 10 Countries'); Diel et al. 2024 (Computers in Human Behavior Reports 16:100538, deepfake-detection meta-analysis of 56 papers); Barari, Lucas & Munger 2025 (Journal of Politics 87(2), 'Political Deepfakes Are as Credible as Other Fake Media'); Flynn et al. 2022 (British Journal of Criminology, multi-country image-based sexual abuse study)
Direct impact evidence that deepfake governance reduces the targeted harm is sparse and, where it exists, discouraging: the one quasi-experimental evaluation (Cuevas & Horta Ribeiro 2025, synthetic-control across three platforms) found the U.S. TAKE IT DOWN Act's passage plus the MrDeepfakes shutdown did NOT suppress synthetic non-consensual imagery — posting rose above counterfactual baselines and displaced elsewhere. Technical enforcement is likewise unreliable: detectors fail to generalize to unseen generators (notably diffusion models) and are vulnerable to adversarial evasion, with in-the-wild accuracy well below benchmark figures. No rigorous evaluation yet shows a deepfake-specific law, takedown mandate, or watermarking scheme producing a sustained reduction in prevalence or harm.
Sources: Cuevas & Horta Ribeiro 2025 ('Deepfake Pornography is Resilient to Regulatory and Platform Shocks', arXiv:2602.02754); 'Adversarial Reality for Evading Deepfake Image Detectors' (ICCVW 2025); TAKE IT DOWN Act, S.146 / Pub. L. 119-12 (2025); CRS Legal Sidebar LSB11314
Environmental Impact of AI Training
The resource demands of AI compute are empirically documented at the model level: Strubell et al. (2019) quantified large-NLP training energy/carbon, Luccioni et al. (2023) estimated BLOOM's training at ~24.7 tCO2eq (dynamic power) rising to ~50.5 tCO2eq with manufacturing and deployment, Li et al. (2023) estimated GPT-3-scale training in US datacenters can evaporate on the order of hundreds of thousands of litres of freshwater (their central figure ~700,000 L), and Luccioni, Jernite & Strubell (2024) showed generative inference is markedly more energy-intensive per query than task-specific models; at the macro scale the IEA (2024) and de Vries (2023) document rapidly rising datacenter electricity demand. Honest caveat: absolute estimates vary by up to orders of magnitude with grid carbon intensity, hardware, utilisation and accounting boundaries, and cleanly attributing the AI-specific increment (versus general datacenter and crypto growth) remains genuinely contested — the IEA itself bundles AI with datacenters and crypto — so the existence of the footprint is established while its magnitude and trajectory are not.
Sources: Strubell, Ganesh & McCallum 2019 (ACL Anthology P19-1355; 'Energy and Policy Considerations for Deep Learning in NLP'); Luccioni, Viguier & Ligozat 2023 (JMLR 24; BLOOM 176B carbon footprint, 24.7/50.5 tCO2eq; arXiv:2211.02001); Li, Yang, Islam & Ren 2023 (arXiv:2304.03271, 'Making AI Less Thirsty', later Comm. ACM 2025); Luccioni, Jernite & Strubell 2024 (ACM FAccT '24, 'Power Hungry Processing', DOI 10.1145/3630106.3658542); de Vries 2023 (Joule 7(10):2191-2194, DOI 10.1016/j.joule.2023.09.004); IEA 2024 (Electricity 2024)
There is no impact evaluation showing that any AI-specific environmental-governance instrument reduces energy, water or carbon use, because every named instrument is voluntary or non-binding and very recent: EU AI Act Art. 95 codes of conduct are explicitly optional with no sanctions, and NIST AI 600-1 and the G7 Hiroshima Code are guidance, not enforceable caps. The closest analogue evaluation literature is divided in a way that disfavours the voluntary form chosen here: rigorous reviews find voluntary environmental programs generally fail to produce significant abatement beyond business-as-usual (Koehler 2007; Morgenstern & Pizer 2007), whereas the one form with credible positive evidence is mandatory disclosure (Downar et al. 2021 found a UK carbon-reporting mandate cut emissions ~8% versus a control group) which the AI instruments do not yet impose, leaving the proposition that AI environmental governance works essentially untested.
Sources: EU AI Act Art. 95 / Recital 142 (Reg. (EU) 2024/1689); NIST AI 600-1 (2024, GenAI Profile); G7 Hiroshima Process International Code of Conduct (30 Oct 2023); Koehler 2007 (Policy Studies Journal 35(4):689-722); Morgenstern & Pizer (eds.) 2007 (Reality Check, RFF Press); Downar, Ernstberger, Reichelstein, Schwenen & Zaklan 2021 (Review of Accounting Studies 26(3):1137-1175)
Foundation Models / GPAI
Whether the foundation-model category maps to a coherent capability/risk tier is genuinely contested. The original case rests on scale-driven 'emergent abilities' that appear unpredictably above a size threshold (Wei et al. 2022; Ganguli et al. 2022 documented capabilities that are smoothly predictable in aggregate loss yet locally surprising), but Schaeffer, Miranda & Koyejo (2023, a NeurIPS Outstanding Paper) showed many 'emergent' jumps are artefacts of discontinuous metrics and dissolve under linear/continuous scoring — implying capability scales more smoothly than a sharp tier would suggest. Honest caveat: this is a live empirical disagreement about measurement, not a settled finding either way, and compute (the regulatory proxy) is an imperfect stand-in for capability or risk regardless of which side is right.
Sources: Wei et al. 2022 (Emergent Abilities of Large Language Models, TMLR; arXiv:2206.07682); Schaeffer, Miranda & Koyejo 2023 (Are Emergent Abilities of Large Language Models a Mirage?, NeurIPS 2023, Outstanding Paper; arXiv:2304.15004); Ganguli et al. 2022 (Predictability and Surprise in Large Generative Models, ACM FAccT; DOI 10.1145/3531146.3533229)
There is no impact evaluation showing that GPAI/foundation-model governance reduces harm — the rules are too new (EU AI Act GPAI obligations and the 10^25-FLOP systemic-risk presumption only began binding on 2 August 2025) and the central regulatory lever is itself contested: Hooker (2024) argues compute thresholds are a shortsighted proxy because compute does not reliably track capability or risk, and the thresholds already diverge across jurisdictions (EU 10^25 vs. the now-rescinded US EO 14110's 10^26 operations, rescinded 20 January 2025). The mandated mitigation methods also lack validated efficacy: model evaluation and red-teaming face well-documented coverage limits and an 'audit gap' in the survey/position literature (behavioural testing cannot establish the absence of untested failure modes), and adversarial red-teaming repeatedly defeats deployed safeguards — the UK AI Safety Institute reports finding universal jailbreaks for every frontier system it has tested, and a large public agent-injection competition elicited policy violations across all 22 frontier models tested from ~1.8M attacks (Zou et al. 2025). Even compliant evaluation therefore cannot yet certify the safety the rules demand. (Caveat: this is an absence-of-evidence claim — no efficacy study has been done — not evidence the rules are ineffective.)
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Arts. 51 & 55 (GPAI systemic-risk presumption, 10^25 FLOP; binding 2 Aug 2025); US EO 14110 (10^26-operation reporting threshold, rescinded 20 Jan 2025 by EO 14148); Zou et al. 2025 (Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition / Gray Swan Arena, arXiv:2507.20526 — 22 frontier agents, ~1.8M attacks); UK AI Safety/Security Institute, Frontier AI Trends Report (universal jailbreaks for every system tested); METR, Common Elements of Frontier AI Safety Policies (2024)
Individual Redress
The premise behind redress — that affected people lack meaningful recourse against automated decisions — is real, but the flagship instrument is weaker than commonly assumed. Wachter, Mittelstadt & Floridi (2017) show GDPR creates only a limited 'right to be informed,' not a binding 'right to explanation' of specific decisions; and controlled work finds the explanations actually delivered do not measurably improve lay decision accuracy over showing the bare AI prediction (Alufaisan et al. 2021; and a 2022 meta-analysis by Schemmer et al. — screening 393 articles down to 9 in the final analysis — reports 'no effect of explanations on users' performance compared to sole AI predictions,' even though XAI overall had a positive effect). Honest caveat: the legitimacy/dignity value of being heard is empirically well established in the procedural-justice tradition even where outcome accuracy is unchanged, so 'redress fails' depends on which aim is measured.
Sources: Wachter, Mittelstadt & Floridi 2017 (International Data Privacy Law 7(2):76); Alufaisan, Marusich, Bakdash, Zhou & Kantarcioglu 2021 (Proceedings of the AAAI Conference on AI 35(8):6618); Schemmer, Hemmer, Nitsche, Kühl & Vössing 2022 (AAAI/ACM AIES '22, meta-analysis)
There is no rigorous impact evaluation showing that mandated redress mechanisms (right-to-explanation, appeal, human-in-the-loop review) actually reduce erroneous or unfair automated decisions — the evidence that the rule works is itself missing. The closest experimental analogues are discouraging: explanations increase humans' acceptance of AI recommendations regardless of correctness (Bansal et al. 2021), and algorithm-in-the-loop oversight can introduce racial disparities and exhibit automation bias rather than reliably catching model errors (Green & Chen 2019). The procedural-justice literature (Tyler 1990; Lind & Tyler 1988) robustly supports a legitimacy and compliance benefit of fair process, but it measures perceived fairness, not reduction of the substantive decision harm redress is meant to cure.
Sources: Bansal, Wu, Zhou, Fok, Nushi, Kamar, Ribeiro & Weld 2021 (CHI '21); Green & Chen 2019 (Disparate Interactions, ACM FAT* '19); Tyler 1990 (Why People Obey the Law, Yale Univ. Press); Lind & Tyler 1988 (The Social Psychology of Procedural Justice, Plenum Press)
Synthetic Content Provenance
The harm provenance targets is real but concentrated, and the technical premise that the mandated signal survives is itself empirically shaky. Synthetic-media harm is well documented in two domains: non-consensual intimate imagery (Ajder et al.'s 2019 Deeptrace audit found 96% of deepfake videos were pornographic and effectively 100% targeted women) and impersonation fraud (the Arup case, ~US$25.6M / HK$200M lost via a deepfake video call). The honest caveat is twofold: a feared broad political-misinformation harm is not yet demonstrated at scale, and CS work shows invisible watermarks are removable in practice (Jiang, Zhang & Gong 2023, WEvade, evade detection via adversarial perturbation; Zhao et al. 2024 prove pixel-level watermarks are provably removable via regeneration attacks), so the provenance signal a rule would mandate is itself contested.
Sources: Ajder, Patrini, Cavalli & Cullen 2019 (Deeptrace, 'The State of Deepfakes: Landscape, Threats, and Impact'); Jiang, Zhang & Gong 2023 ('Evading Watermark based Detection of AI-Generated Content', ACM CCS 2023); Zhao et al. 2024 (NeurIPS, 'Invisible Image Watermarks Are Provably Removable Using Generative AI'); Arup deepfake fraud (CNN Business, 2024-05-16, US$25.6M)
There is no impact evaluation showing that mandated provenance/labeling reduces synthetic-media harm; the major mandates (China's GenAI labeling Measures, effective 2025-09-01; EU AIA Art. 50, machine-readable marking) are too new and unevaluated, and the delivery layer is leaky: the C2PA spec's own Security Considerations document the strip-and-repost threat, and platform audits report C2PA/Content-Credentials metadata is stripped by essentially all major social platforms on upload (consistent with Imatag's 2018 finding that ~80% of uploaded images lose metadata, only ~15% retaining it). The closest analogue evaluation literature — Pennycook, Bear, Collins & Rand (2020), the 'implied truth effect' — gives reason for caution rather than confidence: labeling only some content can make unlabeled false content seem more credible, so a partial-coverage provenance regime could backfire.
Sources: Pennycook, Bear, Collins & Rand 2020 (Management Science 66(11):4944-4957, 'The Implied Truth Effect'); China Measures for Labeling AI-Generated Synthetic Content (eff. 2025-09-01); EU AI Act Art. 50; Imatag 2018 metadata-stripping study (~80%); C2PA Security Considerations (spec.c2pa.org) on manifest removal
Training-Data Rights
That foundation models ingest copyrighted and personal works without consent is undisputed; whether that ingestion produces legally cognizable reproduction harm is genuinely contested. The CS evidence that models can memorize and emit verbatim training text is robust and replicated — Carlini et al. (2021) extracted hundreds of verbatim sequences (including PII) from GPT-2, and follow-up work (Carlini et al., Quantifying Memorization, ICLR 2023) showed extraction scales log-linearly with model size and with example duplication. Honest caveat: verbatim reproduction is the exception, not the norm — the UK High Court held that Stable Diffusion's model weights never stored copies of the training images (defeating the secondary-infringement theory), and Getty abandoned its primary training-infringement claim at trial for lack of evidence, so whether the empirical phenomenon amounts to actionable harm (rather than transient, non-expressive use) remains the open question driving NYT v. OpenAI and parallel regimes.
Sources: Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea & Raffel 2021 (Extracting Training Data from Large Language Models, 30th USENIX Security Symposium); Carlini, Ippolito, Jagielski, Lee, Tramèr & Zhang 2023 (Quantifying Memorization Across Neural Language Models, ICLR 2023; arXiv:2202.07646); Getty Images (US) Inc & ors v Stability AI Ltd [2025] EWHC 2863 (Ch) (UK High Court, 4 Nov 2025 — no secondary infringement; primary training claim abandoned at trial); The New York Times Co. v. Microsoft Corp. & OpenAI (S.D.N.Y., No. 1:23-cv-11195; consolidated In re OpenAI Copyright Infringement Litigation, Apr. 2025; ongoing 2025-2026)
There is no impact evaluation showing that the CDSM Directive Article 4 TDM exception plus its Article 4(3) opt-out reservation regime actually reduces unlicensed ingestion or channels compensation to rightsholders — the evidence that the rule works as designed is itself missing. The only available evidence is early case law and doctrinal scholarship, which document the mechanism's contested operation rather than its success: in Kneschke v. LAION the Hamburg Higher Regional Court (on appeal, 10 Dec 2025) held that a rights reservation in natural language did NOT satisfy Article 4(3)'s machine-readability requirement, invalidating the opt-out (note: the first-instance Regional Court had left the Article 4 question largely open and the case ultimately turned on the Article 3 scientific-research exception, so this machine-readability holding is appellate and not yet settled — a further appeal to the Federal Court of Justice was permitted). Legal scholars characterize the Article 4 opt-out as practically difficult and unharmonized, with no observed market in TDM licences or systematic enforcement to evaluate.
Sources: Kneschke v. LAION (Hamburg Regional Court, 27 Sept 2024, 310 O 227/23; on appeal Hamburg Higher Regional Court, 10 Dec 2025, 5 U 104/24 — opt-out held not machine-readable; further appeal to BGH permitted); Margoni & Kretschmer 2022 (A Deeper Look into the EU Text and Data Mining Exceptions, GRUR International 71(8):685-701); Quintais 2025 (Generative AI, Copyright and the AI Act, Computer Law & Security Review 56:106107)
Transparency Obligations
Documentation artifacts (model cards, datasheets) are well-specified as proposals and are genuinely adopted, but the empirical premise that mandated disclosure produces meaningful transparency is contested. Selbst & Barocas (2018) argue inscrutability and non-intuitiveness are distinct problems and that disclosing rules does not resolve the latter, and large-scale audits find documentation is sparsely and unevenly completed: a systematic analysis of 32,111 Hugging Face model cards (Liang et al. 2024) found environmental-impact, limitations and evaluation sections least often filled, and Bhat et al. (2023, 45 practitioners) found a substantial gap between the documentation proposal and actual practice. Honest caveat: the documentation frameworks themselves are real and adopted, so the dispute is about whether disclosure conveys decision-relevant information, not whether the artifacts exist.
Sources: Selbst & Barocas 2018 (Fordham Law Review 87:1085-1139); Liang et al. 2024 (Nature Machine Intelligence, s42256-024-00857-z, 'Systematic analysis of 32,111 AI model cards'); Bhat et al. 2023 (CHI '23, 'Aspirations and Practice of ML Model Documentation', DOI 10.1145/3544548.3581518); Mitchell et al. 2019 (FAccT, Model Cards for Model Reporting); Gebru et al. 2021 (CACM 64(12):86-92, Datasheets for Datasets)
There is no rigorous impact evaluation showing that AI transparency mandates (model cards, training-data summaries) measurably reduce bias, misuse or accidents — the central regulatory assumption is empirically untested, partly because flagship mandates like EU AI Act Art. 53(1)(d) GPAI training-data summaries are only subject to AI Office enforcement/verification from 2 August 2026 (the obligation itself began 2 August 2025 for new models). The closest analogue, mandated consumer disclosure, shows small and context-dependent effects: Bollinger, Leslie & Sorensen (2011) found mandatory calorie posting cut average calories per transaction by about 6%, while Loewenstein, Sunstein & Golman (2014) review evidence that disclosure effects are frequently diminished or even reversed by limited attention and often change provider rather than recipient behavior. These are analogues, not AI studies; no study demonstrates that AI transparency disclosure achieves its stated downstream safety aims.
Sources: Bollinger, Leslie & Sorensen 2011 (AEJ: Economic Policy 3(1):91-128); Loewenstein, Sunstein & Golman 2014 (Annual Review of Economics 6:391-419, 'Disclosure: Psychology Changes Everything'); EU AI Act Art. 53(1)(d) GPAI training-data summary (obligation from 2 Aug 2025; AI Office enforcement from 2 Aug 2026)