DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
DFARS-252-204 · US
Defense-acquisition-specific information-security regulation. Core clauses: (1) DFARS 252.204-7012 (adopted 2015, current consolidated 2020) — requires contractors handling Covered Defense Information (CDI) on covered contractor information systems to implement NIST SP 800-171 r2 security controls + report cyber incidents to DoD within 72 hours; (2) DFARS 252.204-7019 / -7020 / -7021 (CMMC interim rule Nov 2020) — implements the Cybersecurity Maturity Model Certification framework requiring increasingly stringent third-party attestation of NIST 800-171 implementation by contract tier. AI relevance: (a) AI-system source code, model weights, training data, and architecture documentation produced or stored on contractor systems fall within CDI when the underlying contract is so designated; (b) cyber-incident reporting in 252.204-7012(c) applies equally to AI-system compromise events (training-data exfiltration, model-weight theft, prompt-injection-based credential exposure); (c) supply-chain risk-management linkages with FAR Part 4 Subpart 4.21 + the DoD RAI S&IP supply-chain tenet. Distinct from AI-specific DFARS clauses under consideration as part of DoD Acquisition Innovation initiatives — none of which have been finalised at the catalog-write date.
DoD information-security regulation; NIST 800-171 + CMMC implementation; AI source/weights/training data fall within Covered Defense Information when contract designates.
“Contractor shall provide adequate security on all covered contractor information systems by implementing NIST Special Publication 800-171 (252.204-7012(b)(2)(i)).”
sec:252.204-7012(b)(2)(i) · Primary source
Background & scope
DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) addresses 2 contested AI-governance topics explicitly, 2 via general principles.
Provisions & coverage
- implicitFoundation Models / GPAI252.204-7012 — AI-system source code, model weights, training data fall within Covered Defense Information scope when the underlying contract designates these as CDI; foundation-model artefacts are CDI through the standard contract designation pathway[11]
- implicitCompute-Threshold ReportingCyber-incident reporting under 252.204-7012(c) — 72-hour DoD notification covers AI-system compromise events including model-weight theft + prompt-injection-based credential exposure; broader AI-use disclosure flows through M-24-10 not DFARS[11]
- governsTraining-Data Rights
Art. 252.204-7012(c)[11] - governsNational Security Carveouts in AI Regulation
Art. 252.204-7012(b)[11]
Operative Mechanics: CDI Safeguarding and 72-Hour Incident Reporting
DFARS Subpart 204.73 operates through two layered clause families, both currently in force. Clause 252.204-7012(b) imposes the substantive duty: contractors must "provide adequate security on all covered contractor information systems … by implementing NIST Special Publication 800-171" (revision 2). Clause 252.204-7012(c) adds the reactive obligation, requiring contractors to "rapidly report cyber incidents to DoD … within 72 hours of discovery." The 2020 CMMC interim rule layered attestation on top via 252.204-7019/-7020/-7021, scaling third-party certification of 800-171 implementation by contract tier — a posture that treats verifiable inputs as the governance lever, echoing arguments that compute is uniquely regulable because it is "detectable, excludable, and quantifiable" 1 and that input metrics work best to flag, not to score, risk 2. For AI work these mechanics attach not because the artefact is "AI" but because the contract designates model weights, training data, or architecture documentation as Covered Defense Information — the regime governs by data classification, not technology type.
AI Coverage as a Designation Artefact, Not a Technology Rule
The instrument's AI relevance is entirely derivative: it reaches foundation-model artefacts only when the underlying contract marks them as CDI (252.204-7012 implicit coverage for foundation_models). This is a structurally different posture from purpose-built AI law, where autonomous content generation "challenges legal categories of authorship, accountability" and forces bespoke risk tiers 3. Training-data sets stored on covered systems pull in full NIST 800-171 controls and, on exfiltration, the 72-hour clock under 252.204-7012(c) (training_data, governs). The data-leakage concern is acute precisely because, as Ruschemeier shows, generative models "memorize and leak pieces of training data" and so resist treatment as anonymous 4. Yet DFARS regulates the system-of-record, not the model's emergent disclosure behaviour — a spilled training corpus is reportable, but inference-time leakage from a deployed weight set sits awkwardly outside the incident taxonomy the clause was drafted around, a generative-AI cybersecurity gap also flagged in EU-law analyses 5.
The Subpart as a National-Security Overlay Regime
For national_security_carveouts the catalog records that 252.204-7012 plus the CMMC clauses "ARE the carveout regime" — the operative national-security overlay for defence-acquisition information security (governs, 252.204-7012(b)). This inverts the European pattern. Where EU instruments bolt security exemptions onto a general AI law — producing what Palmiotto calls "double standards for fundamental rights protection" 6 and what Yazici flags as military/defence exclusions leaving surveillance under-regulated 7 — DFARS is itself the security-specific floor, not an exception carved from a broader regime. Statewatch's account of exemptions making supervision "extremely difficult" 8 describes the rights-displacement risk; the DFARS analogue is opacity through classification, where CDI designation can shield AI systems from the transparency a civil instrument would demand.
Fault Lines and Implementation Trajectory
Three fault lines stand out. First, scope is contractor-discretionary: AI artefacts escape coverage if a contracting officer never designates them CDI, so the regime under-captures by drafting omission. Second, the incident taxonomy in 252.204-7012(c) was built for data-spill events, not AI-native harms like prompt-injection credential exposure or compute-evasion — and the compute_reporting dimension is only implicit, with broader AI-use disclosure flowing through OMB M-24-10 rather than DFARS. Pistillo and Villalobos show how "enhancement techniques … decreasing training compute" defeat threshold-based reporting 9, a loophole DFARS does not address at all. Third, definitional drift dogs any AI overlay: Fernández-Llorca et al. trace instability across "AI system, general purpose AI system, foundation model" 10, and Hulok similarly finds foundation models straining settled legal categories 3. The trajectory points toward dedicated AI DFARS clauses under DoD Acquisition Innovation initiatives — none finalised at catalog-write date, leaving CDI designation the sole live hook.
Enforcement & impact
Cross-jurisdiction comparison
How peer instruments treat the topics DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) governs.
| Topic | EU-AIA-2024 | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | CN-GENAI-2023 | G7-HIROSHIMA | OECD-AI-PRIN | COE-AI-CONV | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | NIST-AI-RMF-GENAI | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | EU-GDPR-2016 | EU-GPAI-COP-2025 | OMB-M-24-10 | GSA-AI-GUIDE-2024 | DOD-RAI-2022 | FEDRAMP-AI-2024 | CA-SB-53 | CA-SB-243 | CA-SB-942 | EU-PLD-2024 | UNESCO-AI-ETHICS-2021 | EU-PWD-2024 | CN-DEEPSYN-2022 | NY-RAISE-2025 | US-TAKEITDOWN-2025 | IT-AILAW-2025 | JP-AIPROMO-2025 | UN-GDC-2024 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Training-Data Rights | implicit | silent | silent | silent | governs | silent | silent | implicit | silent | implicit | silent | silent | governs | silent | governs | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | implicit | governs | governs | silent | implicit | silent | implicit | silent | silent | silent | silent | governs | silent | governs | silent | silent | governs | implicit | implicit |
| National Security Carveouts in AI Regulation | governs | governs | silent | implicit | silent | silent | silent | governs | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | governs | implicit | silent | silent | silent | silent | silent | silent | implicit | silent | silent | governs | implicit | silent |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
See also
Per-audience views
- Provisions →Article-by-article obligation breakdown for procurement + RFP authors.
- Disclosure form →Vendor-disclosure questionnaire derived from this instrument's operative obligations.
- Harm narratives →Documented harms relevant to this instrument's topics, for civil-society advocacy.
- Briefing pack →Journalist-ready summary with quotes + dates + primary-source links.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
Further reading
83 academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem Peer-reviewed✦ AIArgues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data.
- Predictive policing and predictive justice: Ethics, data protection, and the AI act Peer-reviewed✦ AIExamines how predictive-policing and predictive-justice systems interact with data-protection law and the AI Act's law-enforcement provisions, exposing accountability and oversight shortfalls.
- National Security and New Forms of Surveillance: From the Data Retention Saga to a Data Subject Centred Approach Peer-reviewed✦ AIArgues the CJEU's controller-based route for applying EU law to national-security surveillance 'creates significant legal uncertainties,' proposing a data-subject-focused scope instead.
- Cop out: security exemptions in the Artificial Intelligence Act (in: Automating Authority — AI in European police and border regimes) Civil society✦ AIDocuments how AI Act security exemptions plus police powers to restrict supervisory information-sharing will make meaningful supervision of policing and migration AI 'extremely difficult.'
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- Defending Compute Thresholds Against Legal Loopholes Preprint✦ AIIdentifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds.
- Copyright and AI in the UK: Opting-In or Opting-Out? Peer-reviewed✦ AIContends the UK opt-in/opt-out framing is a 'missed opportunity'; a broadened research exception plus market-entry transparency and creator remuneration would better serve both innovation and rightsholders.
- Technical Challenges of Rightsholders' Opt-out From Gen AI Training after Robert Kneschke v. LAION Peer-reviewed✦ AIExamines post-LAION practical obstacles to the EU TDM opt-out (robots.txt, machine-readability, memorisation): 'While the TDM exceptions may seem workable in theory, implementing them in practice presents a variety of practical…
- The AI Act Roller Coaster: The Evolution of Fundamental Rights Protection in the Legislative Process and the Future of the Regulation Peer-reviewed✦ AITraces how the AI Act's law-enforcement and national-security exceptions widened during negotiations, producing 'double standards for fundamental rights protection' and gaps in the regulatory framework.
- Toward a global standard for ethical AI regulation: addressing gaps in AI-driven biometric and high-resolution satellite imaging in the EU AI Act Peer-reviewed✦ AIIdentifies how the AI Act's military, defence and national-security exclusions leave biometric and satellite-imaging surveillance under-regulated, arguing for a global standard to close these gaps.
+ 71 more across this instrument's topics — see the literature index.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Sastry, Heim, Belfield, Anderljung, Brundage, et al. (2024) Computing Power and the Governance of Artificial Intelligence, arXiv. arXiv:2402.08797 — Argues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain". ↩
- Heim & Koessler (2024) Training Compute Thresholds: Features and Functions in AI Regulation, arXiv. arXiv:2405.10799 — Finds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone. ↩
- Martina Hulok (2025) The EU model of AI governance: regulating artificial intelligence through law and policy, ERA Forum. 10.1007/s12027-025-00869-1 — Analyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'. ↩
- Hannah Ruschemeier (2025) Generative AI and data protection, Cambridge Forum on AI: Law and Governance. 10.1017/cfl.2024.2 — Examines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous. ↩
- Novelli, Casolari, Hacker, Spedicato & Floridi (2024) Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity, Computer Law & Security Review. 10.1016/j.clsr.2024.106066 — Examines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements. ↩
- Francesca Palmiotto (2025) The AI Act Roller Coaster: The Evolution of Fundamental Rights Protection in the Legislative Process and the Future of the Regulation, European Journal of Risk Regulation. 10.1017/err.2024.97 — Traces how the AI Act's law-enforcement and national-security exceptions widened during negotiations, producing 'double standards for fundamental rights protection' and gaps in the regulatory framework. ↩
- Ezgi Yazici (2025) Toward a global standard for ethical AI regulation: addressing gaps in AI-driven biometric and high-resolution satellite imaging in the EU AI Act, Law, Innovation and Technology. 10.1080/17579961.2025.2470589 — Identifies how the AI Act's military, defence and national-security exclusions leave biometric and satellite-imaging surveillance under-regulated, arguing for a global standard to close these gaps. ↩
- Chris Jones, Romain Lanneau (Statewatch) (2025) Cop out: security exemptions in the Artificial Intelligence Act (in: Automating Authority — AI in European police and border regimes), Statewatch. source — Documents how AI Act security exemptions plus police powers to restrict supervisory information-sharing will make meaningful supervision of policing and migration AI 'extremely difficult.' ↩
- Matteo Pistillo, Pablo Villalobos (2025) Defending Compute Thresholds Against Legal Loopholes, arXiv (cs.CY). arXiv:2502.00003 — Identifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds. ↩
- David Fernández-Llorca, Emilia Gómez, Ignacio Sánchez, Gabriele Mazzini (2025) An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI, Artificial Intelligence and Law. 10.1007/s10506-024-09412-y — Traces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime. ↩
- Defense Federal Acquisition Regulation Supplement, Subpart 204.73 + clauses 252.204-7012 (Safeguarding Covered Defense Information), 252.204-7019/-7020/-7021 (CMMC) (48 C.F.R. ch. 2). Current consolidated subpart per the DoD Procurement Toolbox + acquisition.gov.
- 252.204-7012 — AI-system source code, model weights, training data fall within Covered Defense Information scope when the underlying contract designates these as CDI; foundation-model artefacts are CDI through the standard contract designation pathway
- Cyber-incident reporting under 252.204-7012(c) — 72-hour DoD notification covers AI-system compromise events including model-weight theft + prompt-injection-based credential exposure; broader AI-use disclosure flows through M-24-10 not DFARS
- 252.204-7012 — training-data sets stored on covered contractor information systems require NIST SP 800-171 implementation when designated CDI; data-spill / exfiltration events trigger 72-hour cyber-incident reporting under 252.204-7012(c)
- 252.204-7012 + CMMC clauses (-7019/-7020/-7021) are the operative national-security-overlay framework for defence-acquisition information security; the subpart IS the carveout regime
How to cite this article
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/dfars-252-204 — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Reviewed by Editorial board (in formation) (Policy Window) · · Editorial board
Does this instrument’s approach work? — the social-science evidence
Aggregated over the 4 topics this instrument governs: whether each harm is empirically real, and whether the peer-reviewed evidence shows governance reduces it. The badge is the epistemic status of the evidence— “thin”/“absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
Of the 4 governed topics with a social-science evidence review, evidence that governance reduces the harm is established for 0, contested for 0, thin for 0, and absent for 4 — for most, no replicated study yet shows this instrument's approach works (the "second silence").
Compute-Threshold Reporting
Whether training-compute (FLOP) is a defensible proxy for governance-relevant capability is genuinely contested in the literature. The strongest empirical pressure against it is algorithmic efficiency: Ho, Besiroglu, Erdil et al. (2024) estimate the compute needed to reach a fixed language-model performance level has halved roughly every eight months (95% CI ~5-14 months, i.e. ~3x/year), so any static FLOP-to-capability mapping decays quickly; Hooker (2024) argues FLOP measures operations rather than end-performance, since techniques such as fine-tuning, retrieval, chain-of-thought and tool use can add large capability gains without proportional training compute, and Ord (2025) shows inference-time scaling further decouples deployed capability from training compute. Honest caveat: defenders (Heim & Koessler 2024; Pilz, Heim & Brown 2025) note compute remains the most quantifiable, externally verifiable, and ex-ante measurable correlate of frontier capability currently available, while themselves conceding it is an imperfect proxy that should not be used in isolation — the disagreement is about durability and precision, not whether any correlation exists.
Sources: Ho, Besiroglu, Erdil, Owen, Rahman, Guo, Atkinson, Thompson & Sevilla 2024, Algorithmic progress in language models, NeurIPS 2024 (arXiv:2403.05812; Epoch AI); Hooker 2024, On the Limitations of Compute Thresholds as a Governance Strategy (arXiv:2407.05694); Ord 2025, Inference Scaling Reshapes AI Governance (arXiv:2503.05705); Heim & Koessler 2024, Training Compute Thresholds: Features and Functions in AI Regulation (arXiv:2405.10799); Pilz, Heim & Brown 2025, Increased Compute Efficiency and the Diffusion of AI Capabilities (AAAI 2025; arXiv:2311.15377)
There is no rigorous evidence that compute-threshold reporting reduces harm or achieves its stated aim, because the regimes have not produced an evaluable record. The US 10^26-FLOP reporting obligation (Executive Order 14110, invoking the Defense Production Act) was revoked on 20 January 2025 (by EO 14148) before its recurring binding reporting rule was finalized — the implementing BIS notice of proposed rulemaking (Sept 2024) never took effect, so no durable reporting record materialized; and the EU AI Act's 10^25-FLOP systemic-risk obligations for general-purpose models only became applicable on 2 August 2025 (with transitional periods into 2027), so no outcome evaluation yet exists. Moreover the 10^25 figure is a rebuttable presumption sitting alongside qualitative high-impact criteria (Art. 51(1)(a) and (2), rebuttable under Art. 52(2)), not a validated risk cutoff. The closest analogue is the broader regulatory-disclosure-mandate literature (Fung, Graham & Weil 2007), which documents that transparency policies' effects on outcomes are highly heterogeneous and frequently ineffective or counterproductive absent enforcement and downstream use — implying that the reporting trigger working as intended is an open empirical question, not a documented result.
Sources: U.S. Executive Order 14110 (2023), Sec. 4.2 (10^26 FLOP, Defense Production Act); revoked by Executive Order 14148 (Jan 20, 2025); EU AI Act, Reg. (EU) 2024/1689, Art. 51 (10^25 FLOP systemic-risk rebuttable presumption; applicable Aug 2, 2025); Fung, Graham & Weil 2007, Full Disclosure: The Perils and Promise of Transparency (Cambridge University Press)
Foundation Models / GPAI
Whether the foundation-model category maps to a coherent capability/risk tier is genuinely contested. The original case rests on scale-driven 'emergent abilities' that appear unpredictably above a size threshold (Wei et al. 2022; Ganguli et al. 2022 documented capabilities that are smoothly predictable in aggregate loss yet locally surprising), but Schaeffer, Miranda & Koyejo (2023, a NeurIPS Outstanding Paper) showed many 'emergent' jumps are artefacts of discontinuous metrics and dissolve under linear/continuous scoring — implying capability scales more smoothly than a sharp tier would suggest. Honest caveat: this is a live empirical disagreement about measurement, not a settled finding either way, and compute (the regulatory proxy) is an imperfect stand-in for capability or risk regardless of which side is right.
Sources: Wei et al. 2022 (Emergent Abilities of Large Language Models, TMLR; arXiv:2206.07682); Schaeffer, Miranda & Koyejo 2023 (Are Emergent Abilities of Large Language Models a Mirage?, NeurIPS 2023, Outstanding Paper; arXiv:2304.15004); Ganguli et al. 2022 (Predictability and Surprise in Large Generative Models, ACM FAccT; DOI 10.1145/3531146.3533229)
There is no impact evaluation showing that GPAI/foundation-model governance reduces harm — the rules are too new (EU AI Act GPAI obligations and the 10^25-FLOP systemic-risk presumption only began binding on 2 August 2025) and the central regulatory lever is itself contested: Hooker (2024) argues compute thresholds are a shortsighted proxy because compute does not reliably track capability or risk, and the thresholds already diverge across jurisdictions (EU 10^25 vs. the now-rescinded US EO 14110's 10^26 operations, rescinded 20 January 2025). The mandated mitigation methods also lack validated efficacy: model evaluation and red-teaming face well-documented coverage limits and an 'audit gap' in the survey/position literature (behavioural testing cannot establish the absence of untested failure modes), and adversarial red-teaming repeatedly defeats deployed safeguards — the UK AI Safety Institute reports finding universal jailbreaks for every frontier system it has tested, and a large public agent-injection competition elicited policy violations across all 22 frontier models tested from ~1.8M attacks (Zou et al. 2025). Even compliant evaluation therefore cannot yet certify the safety the rules demand. (Caveat: this is an absence-of-evidence claim — no efficacy study has been done — not evidence the rules are ineffective.)
Sources: Hooker 2024 (On the Limitations of Compute Thresholds as a Governance Strategy, arXiv:2407.05694); EU AI Act Arts. 51 & 55 (GPAI systemic-risk presumption, 10^25 FLOP; binding 2 Aug 2025); US EO 14110 (10^26-operation reporting threshold, rescinded 20 Jan 2025 by EO 14148); Zou et al. 2025 (Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition / Gray Swan Arena, arXiv:2507.20526 — 22 frontier agents, ~1.8M attacks); UK AI Safety/Security Institute, Frontier AI Trends Report (universal jailbreaks for every system tested); METR, Common Elements of Frontier AI Safety Policies (2024)
National Security Carveouts in AI Regulation
That civilian AI-governance instruments carve out national-security uses is black-letter and undisputed (EU AIA Art. 2(3); CoE Framework Convention Art. 3(2) on national-security activities, distinct from Art. 3(4) on national defence; US NSM-25 (Oct. 2024) as the national-security-track instrument fulfilling §4.8 of EO 14110); civil-society legal analysis argues a blanket exclusion is harder to square with a necessity-and-proportionality approach than a qualified one (Korff/ECNL 2022; Vogiatzoglou 2024). But whether the carveout itself produces concrete unredressed harm is empirically under-observed almost by construction — the secrecy it confers suppresses the very evidence needed to measure it. The closest analogue, national-security deference in the courts, shows the mechanism is real (the FISC granted all but eleven of 33,900 applications 1979-2012, a 99.97% approval rate; Sinnar 2022 documents downstream harms to securitized communities), yet Clarke (2014) shows that lopsided ex parte approval rates alone do not prove rubber-stamping, because rational case selection and pre-vetting produce similar rates in ordinary Title III wiretaps (99.93%) and delayed-notice warrants (99.6-99.8%) — so the magnitude of harm attributable to the carveout, as opposed to the legitimate secrecy of the domain, remains genuinely contested.
Sources: Korff 2022 (ECNL Opinion on the implications of the exclusion of national security from AI legislation, Oct. 2022); Sinnar 2022 (Harvard Law Review Forum 136:59, 'A Label Covering a "Multitude of Sins": The Harm of National Security Deference'); Clarke 2014 (Stanford Law Review Online 66:125, 'Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?'); EPIC FISC statistics 1979-2012
There is no impact evaluation showing that any specific design of the national-security carveout — categorical exclusion versus parallel governance track versus civilian-compliance-with-override — measurably improves oversight or reduces harm relative to the alternatives; the question is argued doctrinally (Vogiatzoglou 2024; Korff/ECNL 2022) but has never been tested empirically. The closest analogue evaluation literature is on the parallel-track model already in use for intelligence surveillance (the FISC / FISA oversight regime), and even there the evidence that the mechanism delivers effective scrutiny is itself contested rather than established (Clarke 2014; Sinnar 2022). No direct evaluation exists because the carveouts are recent (EU AIA 2024, CoE Framework Convention 2024, US NSM-25 2024), enforcement actions are by design non-public, and private parties typically lack standing to challenge a specific exempt deployment — the structural features that make the harm hard to observe also make the governance impossible to evaluate.
Sources: Vogiatzoglou 2024 (Verfassungsblog, 'The AI Act National Security Exception: room for manoeuvres?', 9 Dec. 2024); Korff 2022 (ECNL Opinion, exclusion of national security from AI legislation); Clarke 2014 (Stanford Law Review Online 66:125); Sinnar 2022 (Harvard Law Review Forum 136:59)
Training-Data Rights
That foundation models ingest copyrighted and personal works without consent is undisputed; whether that ingestion produces legally cognizable reproduction harm is genuinely contested. The CS evidence that models can memorize and emit verbatim training text is robust and replicated — Carlini et al. (2021) extracted hundreds of verbatim sequences (including PII) from GPT-2, and follow-up work (Carlini et al., Quantifying Memorization, ICLR 2023) showed extraction scales log-linearly with model size and with example duplication. Honest caveat: verbatim reproduction is the exception, not the norm — the UK High Court held that Stable Diffusion's model weights never stored copies of the training images (defeating the secondary-infringement theory), and Getty abandoned its primary training-infringement claim at trial for lack of evidence, so whether the empirical phenomenon amounts to actionable harm (rather than transient, non-expressive use) remains the open question driving NYT v. OpenAI and parallel regimes.
Sources: Carlini, Tramèr, Wallace, Jagielski, Herbert-Voss, Lee, Roberts, Brown, Song, Erlingsson, Oprea & Raffel 2021 (Extracting Training Data from Large Language Models, 30th USENIX Security Symposium); Carlini, Ippolito, Jagielski, Lee, Tramèr & Zhang 2023 (Quantifying Memorization Across Neural Language Models, ICLR 2023; arXiv:2202.07646); Getty Images (US) Inc & ors v Stability AI Ltd [2025] EWHC 2863 (Ch) (UK High Court, 4 Nov 2025 — no secondary infringement; primary training claim abandoned at trial); The New York Times Co. v. Microsoft Corp. & OpenAI (S.D.N.Y., No. 1:23-cv-11195; consolidated In re OpenAI Copyright Infringement Litigation, Apr. 2025; ongoing 2025-2026)
There is no impact evaluation showing that the CDSM Directive Article 4 TDM exception plus its Article 4(3) opt-out reservation regime actually reduces unlicensed ingestion or channels compensation to rightsholders — the evidence that the rule works as designed is itself missing. The only available evidence is early case law and doctrinal scholarship, which document the mechanism's contested operation rather than its success: in Kneschke v. LAION the Hamburg Higher Regional Court (on appeal, 10 Dec 2025) held that a rights reservation in natural language did NOT satisfy Article 4(3)'s machine-readability requirement, invalidating the opt-out (note: the first-instance Regional Court had left the Article 4 question largely open and the case ultimately turned on the Article 3 scientific-research exception, so this machine-readability holding is appellate and not yet settled — a further appeal to the Federal Court of Justice was permitted). Legal scholars characterize the Article 4 opt-out as practically difficult and unharmonized, with no observed market in TDM licences or systematic enforcement to evaluate.
Sources: Kneschke v. LAION (Hamburg Regional Court, 27 Sept 2024, 310 O 227/23; on appeal Hamburg Higher Regional Court, 10 Dec 2025, 5 U 104/24 — opt-out held not machine-readable; further appeal to BGH permitted); Margoni & Kretschmer 2022 (A Deeper Look into the EU Text and Data Mining Exceptions, GRUR International 71(8):685-701); Quintais 2025 (Generative AI, Copyright and the AI Act, Computer Law & Security Review 56:106107)