California SB 942: AI Transparency Act
CA-SB-942 · US
SB 942 (the 'California AI Transparency Act'), Chapter 291, Statutes of 2024, adds §§ 22757–22757.4 to the California Business and Professions Code — a generative-AI provenance-and-disclosure law regulating 'covered providers' (a person that produces a publicly-accessible GenAI system with over 1,000,000 monthly visitors or users). Covered providers must: make available a free, public AI-detection tool (§ 22757.2(a)); offer users the option of a human-perceptible 'manifest' disclosure marking content as AI-generated (§ 22757.3(a)); and embed a machine-readable 'latent' disclosure in AI-generated image/video/audio content conveying provenance metadata — provider name, GenAI system name and version, creation/alteration time, and a unique identifier (§ 22757.3(b)). AB 853 (Chapter 674, Statutes of 2025) amended the act — most importantly DEFERRING the operative date from Jan. 1, 2026 to Aug. 2, 2026 — and added phased duties for 'large online platforms' and 'GenAI hosting platforms' that make model weights/source code available for download (§§ 22757.3.1–.3.2, operative Jan. 1, 2027) and 'capture device manufacturers' (§ 22757.3.3, operative Jan. 1, 2028). Enforcement is government-only: a $5,000-per-violation civil penalty in an action by the Attorney General, a city attorney, or a county counsel (§ 22757.4) — NO private right of action, distinct from SB 243's private action (§ 22605). Status adopted_not_in_force: enacted, but the covered-provider duties are not operative until Aug. 2, 2026.
Adopted but not yet in force
Coverage cells below reflect this instrument's operative content once it enters into force. Time-sensitive policy briefs should also cite the source document directly and check for amendments. PW does not track legislative-progress updates within a single catalog snapshot.
Background & scope
California SB 942: AI Transparency Act addresses 3 contested AI-governance topics explicitly, 2 via general principles.
Provisions & coverage
- implicitFoundation Models / GPAINo operative provision regulates foundation models as a class; the regulated party ('covered provider', § 22757.1) is defined by an output/scale hook — a producer of a publicly-accessible GenAI system with over 1,000,000 monthly users — so a foundation-model producer is reached only incidentally via the § 22757.2–.3 output-disclosure duties, not by any model-level obligation[10]
- implicitDeepfakes / Synthetic Content'Deepfake' appears only in the SB 942 Legislative Counsel's Digest (a recital about a separate law), never in operative §§ 22757.1–22757.4; a deepfake produced by a covered provider's GenAI system is nonetheless a subset of the AI-generated image/video/audio reached by the § 22757.3(b) latent-disclosure and § 22757.2 detection duties[10]
- governsTransparency Obligations
Art. 22757.2(a)[10] - governsOpen-Weight Frontier Release
Art. 22757.3(c)(1)[10] - governsSynthetic Content Provenance
Art. 22757.3(b)[10]
Operative Mechanics: A Provenance-and-Disclosure Triad
SB 942, the California AI Transparency Act (Cal. Stats. 2024, ch. 291), adds §§ 22757–22757.4 to the Business and Professions Code but is adopted-not-in-force: AB 853 (Cal. Stats. 2025, ch. 674) deferred the operative date for covered-provider duties to August 2, 2026. The statute regulates a 'covered provider' (§ 22757.1) by an output-and-scale hook — a publicly accessible GenAI system exceeding one million monthly users. Three obligations interlock: a free public AI-detection tool (§ 22757.2(a)); an optional human-perceptible 'manifest' disclosure (§ 22757.3(a)); and a mandatory machine-readable 'latent' disclosure embedding provider name, system name and version, timestamp, and a unique identifier in AI-generated image, video, or audio (§ 22757.3(b)). Enforcement is government-only — a $5,000-per-violation civil penalty pursued by the Attorney General, a city attorney, or a county counsel (§ 22757.4), with no private right of action.
Cross-Jurisdiction Position: A Watermarking Convergence
SB 942's latent-disclosure mandate (§ 22757.3(b)) places California within a global drift toward provenance-by-watermark, but its design diverges in instructive ways. The EU AI Act's Article 50 imposes machine-readable marking duties on generative-AI providers and deployers; Fernández-Llorca et al. trace how that regime's underlying categories — 'AI system, general purpose AI system, foundation model, and generative AI' — remained definitionally unstable through drafting 1. China's 2022 deep-synthesis and 2023 generative-AI rules pioneered mandatory labelling of synthetic content as a provenance model 2. Crucially, empirical audit casts doubt on whether such mandates bite: Rijsbosch et al. find only 38% of image generators implement adequate watermarking and 18% deepfake labelling under the analogous EU framework 3, suggesting California's technical obligations may outrun present practice.
Key Fault Lines: Scope Hooks, Foundation-Model Silence, and Detection Fragility
Three critiques shadow SB 942. First, the scope hook is output-and-scale, not model-level: the provisions reach a foundation-model producer only incidentally through § 22757.2–.3 output duties, never imposing a model-class obligation — leaving the 'landlords of creativity' (foundation-model providers) under-regulated, the precise gap Chau and He identify for audio deepfakes 4. Second, the word 'deepfake' never appears in operative §§ 22757.1–22757.4, surviving only in the Counsel's Digest; this echoes Łabuz's warning that definitional narrowness can exclude synthetic media from transparency duties 5. Third, the § 22757.2 detection tool faces a perception problem — Groh et al. show humans discern audio-visual deepfakes better than transcripts 6, so a tool's accuracy, not its mere existence, governs efficacy. The US patchwork Ugwuoke and Sanfilippo document 7 compounds this fragility.
Implementation Trajectory: A Phased, Deferred Rollout
Because SB 942 is adopted-not-in-force, its trajectory is staged. AB 853 (§§ 22757.3.1–22757.3.3) layered new duties atop the deferred core: large online platforms and GenAI hosting platforms become operative January 1, 2027 — § 22757.3.1 barring knowing removal of provenance data and § 22757.3.2 barring hosting platforms from distributing non-disclosing systems — while capture-device manufacturers (§ 22757.3.3) follow January 1, 2028. The licensing-discipline provision (§ 22757.3(c)) compels contractual preservation of disclosure capability and 96-hour license revocation, extending obligations into open-distribution channels. Whether this bites on downloadable weights is contested: Kapoor et al. argue evidence remains 'insufficient to effectively characterize the marginal risk of open foundation models' 8. With LLMs poised to affect roughly 80% of the workforce's tasks 9, the deferral buys compliance lead time against high stakes.
Enforcement & impact
Cross-jurisdiction comparison
How peer instruments treat the topics California SB 942: AI Transparency Act governs.
| Topic | EU-AIA-2024 | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | CN-GENAI-2023 | G7-HIROSHIMA | OECD-AI-PRIN | COE-AI-CONV | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | NIST-AI-RMF-GENAI | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | EU-GDPR-2016 | EU-GPAI-COP-2025 | OMB-M-24-10 | GSA-AI-GUIDE-2024 | DOD-RAI-2022 | FEDRAMP-AI-2024 | DFARS-252-204 | CA-SB-53 | CA-SB-243 | EU-PLD-2024 | UNESCO-AI-ETHICS-2021 | EU-PWD-2024 | CN-DEEPSYN-2022 | NY-RAISE-2025 | US-TAKEITDOWN-2025 | IT-AILAW-2025 | JP-AIPROMO-2025 | UN-GDC-2024 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Transparency Obligations | governs | implicit | silent | implicit | conflicts | governs | governs | governs | implicit | governs | implicit | governs | governs | implicit | implicit | governs | governs | silent | governs | implicit | implicit | governs | implicit | governs | governs | governs | governs | governs | governs | governs | governs | governs | silent | governs | governs | implicit | governs | governs | governs | governs | silent | governs | governs | governs |
| Open-Weight Frontier Release | governs | implicit | silent | silent | implicit | silent | silent | silent | silent | silent | silent | implicit | silent | governs | silent | silent | silent | implicit | implicit | implicit | implicit | governs | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit |
| Synthetic Content Provenance | governs | governs | silent | silent | governs | governs | silent | silent | implicit | implicit | silent | silent | governs | silent | silent | implicit | silent | silent | implicit | silent | silent | silent | silent | governs | governs | implicit | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | governs | silent | silent | implicit | silent | governs |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
See also
Per-audience views
- Provisions →Article-by-article obligation breakdown for procurement + RFP authors.
- Disclosure form →Vendor-disclosure questionnaire derived from this instrument's operative obligations.
- Harm narratives →Documented harms relevant to this instrument's topics, for civil-society advocacy.
- Briefing pack →Journalist-ready summary with quotes + dates + primary-source links.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Further reading
90 academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act Peer-reviewed✦ AIEmpirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- The Current Landscape of Deepfake Legislation in the United States Peer-reviewed✦ AIThematic analysis of 319 state deepfake bills (2019-2024) finds a fragmented patchwork concentrated on political and sexually-explicit content.
- Reimagining U.S. Tort Law for Deepfake Harms: Comparative Insights from China and Singapore Peer-reviewed✦ AIArgues fragmented US tort doctrines (defamation, publicity, IIED) are ill-suited to deepfake harms and draws remedial lessons from Chinese and Singaporean law.
- A Teleological Interpretation of the Definition of DeepFakes in the EU Artificial Intelligence Act—A Purpose-Based Approach to Potential Problems With the Word 'Existing' Peer-reviewed✦ AIWarns a narrow reading of 'existing' in the AI Act's deepfake definition could exclude synthetic media from transparency duties, urging a teleological interpretation.
- Audio deepfakes and the regulation of the landlords of creativity Peer-reviewed✦ AIArgues US, EU and Chinese regimes fail to assign audio-deepfake liability to 'landlords of creativity' (foundation-model providers) and proposes holding them accountable.
- Navigating China's regulatory approach to generative artificial intelligence and large language models Peer-reviewed✦ AIAnalyses China's 2022 deep-synthesis and 2023 generative-AI rules, including mandatory labelling/watermarking of synthetic content as a provenance-governance model.
- 'Sora is incredible and scary': public perceptions and governance challenges of text-to-video generative AI models Peer-reviewed✦ AIQualitative analysis of public commentary on Sora finds blurred real/fake boundaries drive demand for law-enforced AI-content labelling and provenance.
- Human detection of political speech deepfakes across transcripts, audio, and video Peer-reviewed✦ AIExperiments show "audio and visual information enables more accurate discernment than text alone" — humans rely more on how something is said than on transcript content.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
+ 78 more across this instrument's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Mimi Zou and Lu Zhang (2025) Navigating China's regulatory approach to generative artificial intelligence and large language models, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2024.4 — Analyses China's 2022 deep-synthesis and 2023 generative-AI rules, including mandatory labelling/watermarking of synthetic content as a provenance-governance model. ↩
- Bram Rijsbosch, Gijs van Dijck, and Konrad Kollnig (2026) Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications Under the New EU AI Act, Policy & Internet. 10.1002/poi3.70041 — Empirical audit finds only 38% of AI image generators implement adequate watermarking and 18% deepfake labelling, exposing a compliance gap under EU AI Act Article 50. ↩
- Bao Kham Chau and George He (2025) Audio deepfakes and the regulation of the landlords of creativity, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2025.10011 — Argues US, EU and Chinese regimes fail to assign audio-deepfake liability to 'landlords of creativity' (foundation-model providers) and proposes holding them accountable. ↩
- Mateusz Łabuz (2025) A Teleological Interpretation of the Definition of DeepFakes in the EU Artificial Intelligence Act—A Purpose-Based Approach to Potential Problems With the Word 'Existing', Policy & Internet. 10.1002/poi3.435 — Warns a narrow reading of 'existing' in the AI Act's deepfake definition could exclude synthetic media from transparency duties, urging a teleological interpretation. ↩
- Groh, Sankaranarayanan, Singh, Kim, Lippman, Picard (2024) Human detection of political speech deepfakes across transcripts, audio, and video, Nature Communications. 10.1038/s41467-024-51998-z — Experiments show "audio and visual information enables more accurate discernment than text alone" — humans rely more on how something is said than on transcript content. ↩
- Valentine Ugwuoke and Madelyn Rose Sanfilippo (2025) The Current Landscape of Deepfake Legislation in the United States, Journal of Information Policy. 10.5325/jinfopoli.15.2025.0004 — Thematic analysis of 319 state deepfake bills (2019-2024) finds a fragmented patchwork concentrated on political and sexually-explicit content. ↩
- Sayash Kapoor, Rishi Bommasani, Kevin Klyman, Shayne Longpre, et al. (2024) On the Societal Impact of Open Foundation Models, arXiv. arXiv:2403.07918 — Proposes a marginal-risk framework, finding current research "insufficient to effectively characterize the marginal risk of open foundation models relative to pre-existing technologies." ↩
- Eloundou, Manning, Mishkin, Rock (2024) GPTs are GPTs: Labor market impact potential of LLMs, Science. 10.1126/science.adj0998 — Finds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies". ↩
- California AI Transparency Act, SB 942, Cal. Stats. 2024, ch. 291; Cal. Bus. & Prof. Code §§ 22757–22757.4 (added by SB 942, approved by Governor Sept. 19, 2024), as amended by AB 853, Cal. Stats. 2025, ch. 674 (approved Oct. 13, 2025) — operative date deferred to Aug. 2, 2026, and §§ 22757.3.1–22757.3.3 added
- No operative provision regulates foundation models as a class; the regulated party ('covered provider', § 22757.1) is defined by an output/scale hook — a producer of a publicly-accessible GenAI system with over 1,000,000 monthly users — so a foundation-model producer is reached only incidentally via the § 22757.2–.3 output-disclosure duties, not by any model-level obligation
- 'Deepfake' appears only in the SB 942 Legislative Counsel's Digest (a recital about a separate law), never in operative §§ 22757.1–22757.4; a deepfake produced by a covered provider's GenAI system is nonetheless a subset of the AI-generated image/video/audio reached by the § 22757.3(b) latent-disclosure and § 22757.2 detection duties
- Cal. Bus. & Prof. Code § 22757.2(a) (added by SB 942) — a covered provider must make available, free and publicly accessible, an AI detection tool that lets a user assess whether image/video/audio content was created or altered by that provider's GenAI system; reinforced by § 22757.3(a) manifest-disclosure user option
- Cal. Bus. & Prof. Code § 22757.3(c) (added by SB 942, operative Aug. 2, 2026) — a covered provider that LICENSES its GenAI system to a third party must require by contract that the licensee preserve the § 22757.3(b) disclosure capability, and must revoke the license within 96 hours if the licensee disables it; reinforced by § 22757.3.2 (added by AB 853, operative Jan. 1, 2027), which bars a GenAI hosting platform distributing a system's source code or model weights from knowingly hosting a non-disclosing system
- Cal. Bus. & Prof. Code § 22757.3(b) (added by SB 942) — a covered provider must embed a machine-readable 'latent' disclosure in AI-generated image/video/audio conveying provenance metadata: provider name, GenAI system name and version, creation/alteration time, and a unique identifier; reinforced by § 22757.3.1 (AB 853, operative 2027) barring large online platforms from knowingly stripping system provenance data
How to cite this article
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/ca-sb-942 — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Does this instrument’s approach work? — the social-science evidence
Aggregated over the 5 topics this instrument governs: whether each harm is empirically real, and whether the peer-reviewed evidence shows governance reduces it. The badge is the epistemic status of the evidence— “thin”/“absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Of the 5 governed topics with a social-science evidence review, evidence that governance reduces the harm is established for 0, contested for 0, thin for 2, and absent for 3 — for most, no replicated study yet shows this instrument's approach works (the "second silence").
Deepfakes / Synthetic Content
The flagship harm — non-consensual sexual deepfakes — is empirically real and sharply gendered: content audits find ~96-98% of deepfake videos online are non-consensual pornography overwhelmingly depicting women, and a pre-registered 10-country survey (>16,000 people) found 2.2% reporting victimization and 1.8% perpetration of synthetic intimate imagery, with documented mental-health, career, and participation harms. By contrast, the parallel claim that political/informational deepfakes UNIQUELY deceive is contested-to-refuted: experiments find deepfakes about as (not more) credible than equivalent text/audio fakes, and a 56-paper meta-analysis (k=137, N=86,155) puts unaided human detection near chance — implying a detection problem more than an exceptional-persuasion one.
Sources: Umbach, Henry, Beard & Berryessa 2024 (CHI '24, 'Non-Consensual Synthetic Intimate Imagery ... in 10 Countries'); Diel et al. 2024 (Computers in Human Behavior Reports 16:100538, deepfake-detection meta-analysis of 56 papers); Barari, Lucas & Munger 2025 (Journal of Politics 87(2), 'Political Deepfakes Are as Credible as Other Fake Media'); Flynn et al. 2022 (British Journal of Criminology, multi-country image-based sexual abuse study)
Direct impact evidence that deepfake governance reduces the targeted harm is sparse and, where it exists, discouraging: the one quasi-experimental evaluation (Cuevas & Horta Ribeiro 2025, synthetic-control across three platforms) found the U.S. TAKE IT DOWN Act's passage plus the MrDeepfakes shutdown did NOT suppress synthetic non-consensual imagery — posting rose above counterfactual baselines and displaced elsewhere. Technical enforcement is likewise unreliable: detectors fail to generalize to unseen generators (notably diffusion models) and are vulnerable to adversarial evasion, with in-the-wild accuracy well below benchmark figures. No rigorous evaluation yet shows a deepfake-specific law, takedown mandate, or watermarking scheme producing a sustained reduction in prevalence or harm.
Sources: Cuevas & Horta Ribeiro 2025 ('Deepfake Pornography is Resilient to Regulatory and Platform Shocks', arXiv:2602.02754); 'Adversarial Reality for Evading Deepfake Image Detectors' (ICCVW 2025); TAKE IT DOWN Act, S.146 / Pub. L. 119-12 (2025); CRS Legal Sidebar LSB11314
Foundation Models / GPAI
Whether the foundation-model category maps to a coherent capability/risk tier is genuinely contested. The original case rests on scale-driven 'emergent abilities' that appear unpredictably above a size threshold (Wei et al. 2022; Ganguli et al. 2022 documented capabilities that are smoothly predictable in aggregate loss yet locally surprising), but Schaeffer, Miranda & Koyejo (2023, a NeurIPS Outstanding Paper) showed many 'emergent' jumps are artefacts of discontinuous metrics and dissolve under linear/continuous scoring — implying capability scales more smoothly than a sharp tier would suggest. Honest caveat: this is a live empirical disagreement about measurement, not a settled finding either way, and compute (the regulatory proxy) is an imperfect stand-in for capability or risk regardless of which side is right.
Sources: Wei et al. 2022 (Emergent Abilities of Large Language Models, TMLR; arXiv:2206.07682); Schaeffer, Miranda & Koyejo 2023 (Are Emergent Abilities of Large Language Models a Mirage?, NeurIPS 2023, Outstanding Paper; arXiv:2304.15004); Ganguli et al. 2022 (Predictability and Surprise in Large Generative Models, ACM FAccT; DOI 10.1145/3531146.3533229)
There is no impact evaluation showing that GPAI/foundation-model governance reduces harm — the rules are too new (EU AI Act GPAI obligations and the 10^25-FLOP systemic-risk presumption only began binding on 2 August 2025) and the central regulatory lever is itself contested: Hooker (2024) argues compute thresholds are a shortsighted proxy because compute does not reliably track capability or risk, and the thresholds already diverge across jurisdictions (EU 10^25 vs. the now-rescinded US EO 14110's 10^26 operations, rescinded 20 January 2025). The mandated mitigation methods also lack validated efficacy: model evaluation and red-teaming face well-documented coverage limits and an 'audit gap' in the survey/position literature (behavioural testing cannot establish the absence of untested failure modes), and adversarial red-teaming repeatedly defeats deployed safeguards — the UK AI Safety Institute reports finding universal jailbreaks for every frontier system it has tested, and a large public agent-injection competition elicited policy violations across all 22 frontier models tested from ~1.8M attacks (Zou et al. 2025). Even compliant evaluation therefore cannot yet certify the safety the rules demand. (Caveat: this is an absence-of-evidence claim — no efficacy study has been done — not evidence the rules are ineffective.)
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Arts. 51 & 55 (GPAI systemic-risk presumption, 10^25 FLOP; binding 2 Aug 2025); US EO 14110 (10^26-operation reporting threshold, rescinded 20 Jan 2025 by EO 14148); Zou et al. 2025 (Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition / Gray Swan Arena, arXiv:2507.20526 — 22 frontier agents, ~1.8M attacks); UK AI Safety/Security Institute, Frontier AI Trends Report (universal jailbreaks for every system tested); METR, Common Elements of Frontier AI Safety Policies (2024)
Open-Weight Frontier Release
The empirical picture splits into two well-separated questions. (1) The MECHANISM that distinguishes open-weight release — that safety guardrails can be cheaply and irreversibly stripped once weights are public — is established: Qi et al. (2024) removed GPT-3.5 Turbo safety alignment by fine-tuning on only ~10 adversarially designed examples for under $0.20 (and the attack generalizes to Llama-2), and even purpose-built tamper-resistant safeguards (Tamirisa et al. 2025, TAR) were subsequently shown to be defeatable by adaptive fine-tuning (Qi et al. 2024, durability critique). (2) Whether this mechanism produces real-world CATASTROPHIC uplift is genuinely contested and, for the headline biosecurity case, currently unsupported: RAND's red-team study found no statistically significant difference in the viability of bioweapon attack plans produced with versus without LLM assistance (Mouton, Lucas & Guest 2024), and OpenAI's 100-participant trial found at most mild uplift over an internet baseline (Patwardhan et al. 2024). Honest caveat: these null/mild results are time-stamped to 2023-2024 frontier capability and to biothreats specifically; the marginal-risk framework (Kapoor, Bommasani et al. 2024) concludes the evidence base is too thin to characterize marginal risk across most misuse vectors, so 'no measured harm yet' is not 'no harm.'
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 / ICML 2024 (arXiv 2403.07918); Mouton, Lucas & Guest 2024, RAND RR-A2977-2, 'The Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study'; Qi, Zeng, Xie, Chen, Jia, Mittal & Henderson 2024, 'Fine-tuning Aligned Language Models Compromises Safety', ICLR 2024 (arXiv 2310.03693); Tamirisa et al. 2025, 'Tamper-Resistant Safeguards for Open-Weight LLMs', ICLR 2025 (arXiv 2408.00761); Qi, Wei, Carlini, Huang, Xie, He, Jagielski, Nasr, Mittal & Henderson 2024, 'On Evaluating the Durability of Safeguards for Open-Weight LLMs' (arXiv 2412.07097); Patwardhan et al. 2024, 'Building an early warning system for LLM-aided biological threat creation', OpenAI
There is no impact evaluation showing that any specific weight-release governance regime reduces downstream harm, because no binding regime has been implemented and measured: California SB-1047's release-conditioning framework was vetoed in September 2024, and the EU AI Act's open-source carve-outs (Recital 102, Art. 53(2)) exempt most open-weight models (those below the systemic-risk compute threshold) from the documentation obligations that would generate evaluable conduct. The structural obstacle is also documented: Kapoor, Bommasani et al. (2024) characterize open-weight release as effectively irreversible and poorly monitorable once weights are public, so post-release governance has little to act on. The closest analogue evidence — technology export controls — is mixed and points to circumvention: commentators argue blanket export controls on freely copyable open-source models cannot work (Just Security 2024), and independent analyses of the post-2022 semiconductor controls document displacement to less-regulated channels (smuggling, threshold-tuned chip variants, cloud access) rather than disappearance of activity (e.g., CSIS, FPRI 2024), suggesting recipient-restriction regimes face the same leakage problem for weights. (Caveat: this is analogical, not direct evidence about weight-release governance, which remains unmeasured.)
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 (arXiv 2403.07918); California SB-1047 (2024, vetoed by Gov. Newsom 29 Sep 2024); EU AI Act Regulation (EU) 2024/1689, Recital 102 & Art. 53(2) open-source exemptions; Just Security 2024, 'Export Controls on Open-Source Models Will Not Win the AI Race'; CSIS, 'The Limits of Chip Export Controls in Meeting the China Challenge' and FPRI 2024, 'Breaking the Circuit: US-China Semiconductor Controls' (export-control circumvention analogue)
Synthetic Content Provenance
The harm provenance targets is real but concentrated, and the technical premise that the mandated signal survives is itself empirically shaky. Synthetic-media harm is well documented in two domains: non-consensual intimate imagery (Ajder et al.'s 2019 Deeptrace audit found 96% of deepfake videos were pornographic and effectively 100% targeted women) and impersonation fraud (the Arup case, ~US$25.6M / HK$200M lost via a deepfake video call). The honest caveat is twofold: a feared broad political-misinformation harm is not yet demonstrated at scale, and CS work shows invisible watermarks are removable in practice (Jiang, Zhang & Gong 2023, WEvade, evade detection via adversarial perturbation; Zhao et al. 2024 prove pixel-level watermarks are provably removable via regeneration attacks), so the provenance signal a rule would mandate is itself contested.
Sources: Ajder, Patrini, Cavalli & Cullen 2019 (Deeptrace, 'The State of Deepfakes: Landscape, Threats, and Impact'); Jiang, Zhang & Gong 2023 ('Evading Watermark based Detection of AI-Generated Content', ACM CCS 2023); Zhao et al. 2024 (NeurIPS, 'Invisible Image Watermarks Are Provably Removable Using Generative AI'); Arup deepfake fraud (CNN Business, 2024-05-16, US$25.6M)
There is no impact evaluation showing that mandated provenance/labeling reduces synthetic-media harm; the major mandates (China's GenAI labeling Measures, effective 2025-09-01; EU AIA Art. 50, machine-readable marking) are too new and unevaluated, and the delivery layer is leaky: the C2PA spec's own Security Considerations document the strip-and-repost threat, and platform audits report C2PA/Content-Credentials metadata is stripped by essentially all major social platforms on upload (consistent with Imatag's 2018 finding that ~80% of uploaded images lose metadata, only ~15% retaining it). The closest analogue evaluation literature — Pennycook, Bear, Collins & Rand (2020), the 'implied truth effect' — gives reason for caution rather than confidence: labeling only some content can make unlabeled false content seem more credible, so a partial-coverage provenance regime could backfire.
Sources: Pennycook, Bear, Collins & Rand 2020 (Management Science 66(11):4944-4957, 'The Implied Truth Effect'); China Measures for Labeling AI-Generated Synthetic Content (eff. 2025-09-01); EU AI Act Art. 50; Imatag 2018 metadata-stripping study (~80%); C2PA Security Considerations (spec.c2pa.org) on manifest removal
Transparency Obligations
Documentation artifacts (model cards, datasheets) are well-specified as proposals and are genuinely adopted, but the empirical premise that mandated disclosure produces meaningful transparency is contested. Selbst & Barocas (2018) argue inscrutability and non-intuitiveness are distinct problems and that disclosing rules does not resolve the latter, and large-scale audits find documentation is sparsely and unevenly completed: a systematic analysis of 32,111 Hugging Face model cards (Liang et al. 2024) found environmental-impact, limitations and evaluation sections least often filled, and Bhat et al. (2023, 45 practitioners) found a substantial gap between the documentation proposal and actual practice. Honest caveat: the documentation frameworks themselves are real and adopted, so the dispute is about whether disclosure conveys decision-relevant information, not whether the artifacts exist.
Sources: Selbst & Barocas 2018 (Fordham Law Review 87:1085-1139); Liang et al. 2024 (Nature Machine Intelligence, s42256-024-00857-z, 'Systematic analysis of 32,111 AI model cards'); Bhat et al. 2023 (CHI '23, 'Aspirations and Practice of ML Model Documentation', DOI 10.1145/3544548.3581518); Mitchell et al. 2019 (FAccT, Model Cards for Model Reporting); Gebru et al. 2021 (CACM 64(12):86-92, Datasheets for Datasets)
There is no rigorous impact evaluation showing that AI transparency mandates (model cards, training-data summaries) measurably reduce bias, misuse or accidents — the central regulatory assumption is empirically untested, partly because flagship mandates like EU AI Act Art. 53(1)(d) GPAI training-data summaries are only subject to AI Office enforcement/verification from 2 August 2026 (the obligation itself began 2 August 2025 for new models). The closest analogue, mandated consumer disclosure, shows small and context-dependent effects: Bollinger, Leslie & Sorensen (2011) found mandatory calorie posting cut average calories per transaction by about 6%, while Loewenstein, Sunstein & Golman (2014) review evidence that disclosure effects are frequently diminished or even reversed by limited attention and often change provider rather than recipient behavior. These are analogues, not AI studies; no study demonstrates that AI transparency disclosure achieves its stated downstream safety aims.
Sources: Bollinger, Leslie & Sorensen 2011 (AEJ: Economic Policy 3(1):91-128); Loewenstein, Sunstein & Golman 2014 (Annual Review of Economics 6:391-419, 'Disclosure: Psychology Changes Everything'); EU AI Act Art. 53(1)(d) GPAI training-data summary (obligation from 2 Aug 2025; AI Office enforcement from 2 Aug 2026)