?asOf= parameter to see the current catalog state.Obligations specific to general-purpose / foundation models above certain capability thresholds.
Abstract
Foundation-model governance turns on whether the category maps to a coherent capability tier or is a regulatory convenience, and on where any threshold should sit — set by compute or by behaviour. (One strand of the debate further asks whether obligations should attach to the model itself or only to its applications.) Across the catalogued instruments, most treat general-purpose or foundation models with direct or implicit obligations and a few are silent, while the field's consensus on the right approach is contested. This article sets out, with primary-source citations, each instrument's treatment of foundation models: which govern them directly, which reach them only implicitly, and which are silent.
Explainer
Foundation models — the large, general-purpose systems that can be adapted to many downstream tasks — pose a question the catalogued instruments answer in incompatible ways: should regulation attach to the model itself, and if so, at what threshold? Policy Window records the field's empirical consensus on this as contested. The term itself comes from Bommasani and colleagues' 2021 survey, which warned that because downstream systems inherit a foundation model's defects, concentrating capability in a few models concentrates risk.
The instruments that govern foundation models directly disagree on where to draw the line. The EU AI Act presumes a model carries 'systemic risk' once the compute used to train it exceeds 10^25 floating-point operations (Article 51), triggering obligations such as red-teaming and incident reporting. The United States' Executive Order 14110 used a higher 10^26-FLOP trigger for pre-deployment reporting, but Executive Order 14148 rescinded that reporting framework (EO 14179 set the deregulatory posture) without a binding replacement. China's 2023 Generative AI Measures take a different route again, applying obligations by behaviour — whether a service is offered to the public — rather than by compute, and the vetoed California SB-1047 had proposed a dual trigger of compute or training cost.
Where binding rules stop, voluntary commitments fill in: frontier developers' own scaling and preparedness frameworks, the Bletchley Declaration, the Seoul Frontier AI Safety Commitments, and standards such as the NIST AI Risk Management Framework's generative-AI profile all address foundation models without the force of law. The scholarship maps onto this divide. Hacker, Engel and Mauer (2023) argue regulation should target concrete high-risk applications rather than the pre-trained model; Anderljung and colleagues (2023) counter that frontier models need government standards, registration and reporting beyond self-regulation.
Across the full catalogue, most instruments treat general-purpose or foundation models with direct or implicit obligations and only a few are silent — but 'governs' spans a wide range here, from the EU's binding compute-threshold regime to non-binding voluntary codes, and jurisdictions disagree on the threshold that should trigger any of it. The coverage table below sets out, instrument by instrument and with primary-source citations, which regimes impose obligations on foundation models directly, which reach them only implicitly, and which remain silent.
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 11 regimes are silent, leaving gaps that future policy work could address.
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by OECD AI Principles (Recommendation) on (implicit). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
- Forum-shoppingEU AI Act↔Executive Order 14179 — Removing Barriers to American Leadership in AI
- Forum-shoppingExecutive Order 14110 on Safe, Secure, Trustworthy AI↔UN GA Resolution on Safe, Secure, Trustworthy AI
- Forum-shoppingInterim Measures for Generative AI Service Management↔African Union Continental AI Strategy
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address Foundation Models / GPAI — candidates for future policy work.
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- UN GA Resolution on Safe, Secure, Trustworthy AIUN
- African Union Continental AI StrategyAfrican_Union
- General Data Protection Regulation (GDPR)EU
- California SB 243: Companion ChatbotsUS
- Revised Product Liability Directive (Directive (EU) 2024/2853)EU
- UNESCO Recommendation on the Ethics of Artificial IntelligenceUNESCO
- Directive (EU) 2024/2831 on improving working conditions in platform workEU
- Provisions on the Administration of Deep Synthesis of Internet Information ServicesCN
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
- Italy Law No. 132/2025 on Artificial Intelligence (Legge 23 settembre 2025, n. 132)IT
See also
Further reading
40 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- Evaluating Frontier Models for Dangerous Capabilities Preprint✦ AIPilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating.
- Frontier AI Regulation: Managing Emerging Risks to Public Safety Preprint✦ AIArgues "industry self-regulation is an important first step" but "government intervention will be needed", proposing safety standards, registration and reporting, and compliance mechanisms.
- Regulating ChatGPT and other Large Generative AI Models Peer-reviewed✦ AIArgues AI regulation "has primarily focused on conventional AI models, not LGAIMs" and should target "concrete high-risk applications, and not the pre-trained model itself".
- A Proposal for a Definition of General Purpose Artificial Intelligence Systems Peer-reviewed✦ AIFinds existing GPAIS definitions "do not provide sufficient guidance" and proposes "a functional definition of the term that facilitates its governance within the EU".
- Foundation Models and Fair Use Peer-reviewed✦ AIShows foundation models "are trained on copyrighted material" and warns "fair use is not guaranteed", urging technical mitigations to keep training and deployment within fair use.
- The risks of risk-based AI regulation: taking liability seriously Preprint✦ AIArgues the AI Act's ex-ante risk tiers under-govern foundation models and that 'taking liability seriously as the key regulatory mechanism' is a more effective lever.
- Market Concentration Implications of Foundation Models Preprint✦ AIArgues foundation models tend toward 'natural monopoly' and that regulators must ensure 'the contestability of the market by tackling strategic behavior'.
- Emergent Abilities of Large Language Models Preprint✦ AIDocuments 'emergent abilities' that appear only above a scale threshold and 'would not have been directly predicted by extrapolating' smaller models — a core governance unpredictability problem.
- Training Compute-Optimal Large Language Models Preprint✦ AIThe 'Chinchilla' study shows 'model size and the number of training tokens should be scaled equally', complicating compute-only regulatory thresholds.
- Structured access: an emerging paradigm for safe AI deployment Preprint✦ AIProposes controlled, cloud-mediated 'structured access' to 'prevent dangerous AI capabilities from being widely accessible, whilst preserving access to AI capabilities that can be used safely'.
- On the Opportunities and Risks of Foundation Models Preprint✦ AIDefines foundation models and warns homogenization "demands caution, as the defects of the foundation model are inherited by all the adapted models downstream".
- Scaling Laws for Neural Language Models Preprint✦ AIEstablishes that model 'loss scales as a power-law with model size, dataset size, and the amount of compute', the empirical basis for compute-threshold regulation of foundation models.
- Model Card PreprintMitchell et al. (2019), 'Model Cards for Model Reporting,' FAccT '19
- Deceptive Alignment PreprintHubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
- Mesa-Optimization PreprintHubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
- Scalable Oversight PreprintChristiano, P., Shlegeris, B., Amodei, D. (2018), 'Supervising Strong Learners by Amplifying Weak Experts.'
- Capability Elicitation PreprintQi, X., Zeng, Y., Xie, T., Chen, P.-Y., Jia, R., Mittal, P., Henderson, P. (2023), 'Fine-tuning Aligned Language Models Compromises Safety, Even When Users Do Not Intend To!'
- Dual-Use Research Norms (DURC for AI) PreprintSolaiman, I., et al. (2019), 'Release Strategies and the Social Impacts of Language Models' — the canonical articulation of structured-access norms for foundation models.
- Policy Instrument Peer-reviewedLascoumes, P. & Le Galès, P. (2007). Introduction: Understanding Public Policy through Its Instruments — From the Nature of Instruments to the Sociology of Public Policy Instrumentation. Governance 20(1): 1-21. See also Hood (1983) The Tools of Government, ch. 1-2; Salamon (2002) The Tools of Government: A Guide to the New Governance, pp. 1-47; Howlett (2011) Designing Public Policies, ch. 3-5.
- Prompt Injection PreprintGreshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M. (2023), 'Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection.'
- Agentic AI System PreprintYao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., Cao, Y. (2022), 'ReAct: Synergizing Reasoning and Acting in Language Models.'
- Tool-Use Safety PreprintWallace, E., et al. (2024), 'The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions' (OpenAI) — the canonical industry articulation of instruction-channel hierarchy as a tool-use-safety defence.
- Multi-Turn Evaluation PreprintZheng, L., et al. (2023), 'Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena' — operationalises the multi-turn evaluation protocol for foundation models.
- Data Poisoning PreprintCarlini, N., et al. (2024), 'Poisoning Web-Scale Training Datasets is Practical' — establishes practical feasibility of poisoning frontier-model training corpora.
- Model Distillation Risk PreprintHinton, G., Vinyals, O., Dean, J. (2015), 'Distilling the Knowledge in a Neural Network' — the foundational distillation paper; the governance-relevant adaptation runs through Alpaca/Vicuna (2023) and DeepSeek-R1 (2025).
- Jailbreak Resistance PreprintZou, A., Wang, Z., Kolter, J. Z., Fredrikson, M. (2023), 'Universal and Transferable Adversarial Attacks on Aligned Language Models' — the canonical demonstration that gradient-based suffix attacks transfer across aligned LLMs.
- Model-Merging Risk PreprintBhardwaj, R., et al. (2024), 'Language Models are Homer Simpson! Safety Re-Alignment of Fine-tuned Language Models through Task Arithmetic' — canonical demonstration that safety training is not preserved under task arithmetic / merging.
- Inference-Time Compute PreprintSnell, C., Lee, J., Xu, K., Kumar, A. (2024), 'Scaling LLM Test-Time Compute Optimally can be More Effective than Scaling Model Parameters' — establishes inference-time-compute scaling as a first-class capability lever.
- Sandbagging Preprintvan der Weij, T., Hofstätter, F., Jaffe, O., Brown, S., Ward, F. (2024), 'AI Sandbagging: Language Models can Strategically Underperform on Evaluations.'
- Hallucination PreprintJi, Z., et al. (2023), 'Survey of Hallucination in Natural Language Generation,' ACM Computing Surveys 55(12): 1-38.
- In-Context Learning PreprintBrown, T., et al. (2020), 'Language Models are Few-Shot Learners' (GPT-3 paper) — the canonical articulation of in-context learning as an emergent capability.
- Retrieval-Augmented Generation (RAG) PreprintLewis, P., et al. (2020), 'Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,' NeurIPS — the canonical articulation of RAG.
- Chain-of-Thought Monitoring PreprintKorbak, T., Balesni, M., Barnes, E., Bengio, Y., et al. (2025), 'Chain of Thought Monitorability: A New and Fragile Opportunity for AI Safety.' arXiv:2507.11473.
- Artificial Intelligence Research institute✦ AIUS National Academies' AI consensus-study hub.
- A comprehensive review of Artificial Intelligence regulation: Weighing ethical principles and innovation Peer-reviewed✦ AIA 60-reference review weighing AI innovation and economic competitiveness against ethical safeguards.
References
The primary instrument sources behind the article's classifications.
- EU-AIA-2024: Arts. 51-55 (general-purpose AI + systemic risk)
- US-EO-14110: §4.2(a) — Defense Production Act reporting
- UK-WHITEPAPER-2023: Cross-cutting principles; sector regulators apply
- CN-GENAI-2023: Art. 2 (applies to GenAI services regardless of size)
- G7-HIROSHIMA: Code applies to advanced AI
- OECD-AI-PRIN: 2024 update clarifies GPAI scope
- COE-AI-CONV: Applies to AI throughout lifecycle (Art. 3)
- NIST-AI-RMF: GenAI Profile (NIST AI 600-1, 2024)
- BLETCHLEY-2023: Declaration §1-2 (frontier AI defined as the subject)
- SEOUL-2024: Declaration + accompanying Frontier AI Safety Commitments (16 signatory companies)
- NIST-AI-RMF-GENAI: Entire NIST AI 600-1 scope is GPAI / GenAI
- CA-SB-1047: Cal. SB-1047 §22602 — 'covered model' = trained with >10^26 operations AND >$100M cost (or fine-tuning >$10M); vetoed 29 Sep 2024
- IN-DPDP-2023: MEITY Apr-2024 advisory walked back the Mar-2024 pre-deployment-approval requirement; current approach is post-deployment incident reporting
- BR-AIBILL-2024: PL 2338/2023 Arts. 17-19 (general-purpose AI systemic-risk obligations)
- ASEAN-AI-GUIDE-2024: Guide §6 covers GenAI but with flexible implementation expectations
- ANTHROPIC-RSP-2024: RSP v2 §2 — ASL framework applies to frontier model releases
- OPENAI-PREPAREDNESS-2023: Preparedness Framework §1-2 — applies to all OpenAI frontier-model releases
- DEEPMIND-FSF-2024: FSF applies to Google DeepMind frontier-model releases
- META-FRONTIER-2024: Framework applies to Meta frontier-model releases (Llama family)
- UK-US-AISI-MOU-2024: MoU scope is frontier AI evaluation
- WH-VOLUNTARY-2023: Commitments §1-2 — internal + external security testing of frontier models
- SG-MODEL-AI-2024: Framework Dimension 3 (Trusted Development + Deployment) explicitly covers GenAI models
- JP-METI-AI-2024: Guidelines Part 3 — covers AI providers including foundation-model developers
- EU-GPAI-COP-2025: Chapter 3 (Safety & Security) operationalises Art. 55 systemic-risk-tier obligations for GPAI providers
- OMB-M-24-10: §5 + Attachment 1 — minimum practices apply to safety- + rights-impacting AI regardless of foundation-model classification; no compute-threshold trigger
- GSA-AI-GUIDE-2024: Sections posing generative-AI vendor-evaluation + model-provenance due-diligence questions for contracting officers
- DOD-RAI-2022: Tenet 3 (AI Product and Acquisition Lifecycle) + Tenet 5 (Responsible AI Ecosystem) — RAI integration applies regardless of model architecture; foundation-model-specific obligations flow through CDAO RAI Toolkit guidance
- FEDRAMP-AI-2024: GenAI-specific control tailoring guidance addresses model-specific risks (training-data exposure, prompt-injection, output disclosure) within SSP + NIST SP 800-53 control overlay selection
- DFARS-252-204: 252.204-7012 — AI-system source code, model weights, training data fall within Covered Defense Information scope when the underlying contract designates these as CDI; foundation-model artefacts are CDI through the standard contract designation pathway
- CA-SB-53: Bus. & Prof. Code § 22757.11 — defines 'foundation model' + 'frontier model' (>10^26 FLOP) as the regulated class
- CA-SB-942: No operative provision regulates foundation models as a class; the regulated party ('covered provider', § 22757.1) is defined by an output/scale hook — a producer of a publicly-accessible GenAI system with over 1,000,000 monthly users — so a foundation-model producer is reached only incidentally via the § 22757.2–.3 output-disclosure duties, not by any model-level obligation
- NY-RAISE-2025: N.Y. Gen. Bus. Law § 1420(6) defines 'frontier model' (>10^26 FLOP, >$100M compute) + § 1421 imposes operative pre-deployment duties on large frontier-model developers
- JP-AIPROMO-2025: Act No. 53 of 2025, Arts. 2 & 12
- UN-GDC-2024: GDC Objective 5 (A/RES/79/1, Annex I)
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/foundation-models — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
34 instruments tracked.