Governance posture toward releasing frontier model weights publicly (Meta Llama, Mistral, DeepSeek vs. closed-weight Anthropic / OpenAI / DeepMind). EU AIA Recital 102 + Art. 53(2) carve-outs; CA SB-1047's failed framework; Meta Frontier AI Framework's explicit defence; emerging US export-control overlay.
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 33 regimes are silent, leaving gaps that future policy work could address.
Regulatory approaches
Where instruments engage open-weight release at all, they do so through four distinct modalities rather than a single "open-weight rule" — a structure the per-instrument verdicts above do not make explicit. (1) Exemption-with-threshold: the EU AI Act removes the Article 53(1)(a)-(b) documentation duties for models "released under a free and open-source licence" but claws the exemption back for general-purpose models with systemic risk, presumed above a 10^25 FLOP training-compute threshold (Regulation (EU) 2024/1689, Art. 53(2); Recital 102; Art. 51) — so openness reduces obligations only below the frontier, an asymmetry scholars warn can fall unevenly on open versus closed developers 1. (2) Monitor-not-restrict: the NTIA report on dual-use models with widely available weights recommends that government "not restrict the wide availability of model weights" now and instead build monitoring capacity, applying a marginal-risk test 2 whose evidentiary basis researchers find still "insufficient to effectively characterize the marginal risk" of open models 3. (3) Modality-neutral conduct duties: China's Interim Measures apply registration and security-assessment duties regardless of how weights are distributed (Interim Measures for Generative AI Services, Art. 17), and the Seoul Frontier AI Safety Commitments bind signatories irrespective of open/closed posture. (4) Preservation-and-refusal contracting: California's AI Transparency Act reaches weight distribution indirectly — a licensor must contractually require licensees to keep a disclosure capability and revoke within 96 hours otherwise (Cal. Bus. & Prof. Code § 22757.3(c)), while a hosting platform may not knowingly host a non-disclosing system whose weights it distributes (§ 22757.3.2, added by AB 853) (SB-942 § 22757.3(c)). No tracked instrument bans open release outright.
Key fault lines
Three structural disagreements organise the debate the page's single "open contested question" only gestures at. First, the *regulatory locus*: should release be governed by capability tier (block above a compute threshold), by safety-evaluation evidence (permit subject to pre-release red-teaming), or by recipient restriction (export controls)? Each frame implies different binding parties and is in active conflict, and each maps onto a point on the access gradient from fully closed to fully open 4. Second, the *firm-level cleavage* exposed by California SB-1047: Meta opposed the bill, urging a lighter approach (Meta letters to California lawmakers, 2024), whereas Anthropic moved from non-support to "measured support" after amendments (D. Amodei letter to Gov. Newsom, Aug 2024) — a split that maps onto the companies' commercial postures (Meta ships open-weight Llama; Anthropic ships closed). Both nonetheless objected to versions of the bill on different grounds, and it was vetoed. Third, a *definitional* fault line over what "open" even denotes: Liesenfeld & Dingemanse (2024), surveying 45+ systems across 14 openness dimensions, argue many self-described "open source" models are "open weight at best" and that providers invoke openness to "evade scientific, legal and regulatory scrutiny" under the EU exemption — i.e., the exemption's trigger is itself contested 5. A connected critique holds that openness rhetoric can entrench incumbent power rather than democratise access, since "openness alone" neither ensures democratic access nor solves oversight 6. These are genuine divergences among experts and jurisdictions, not settled questions.
Trajectory / what's changing
The governance picture is moving quickly along several dated tracks. The US federal posture pivoted: Executive Order 14110 (Oct 2023), under which the open-weights-focused NTIA report was produced, was rescinded by Executive Order 14148 on 20 Jan 2025; the separate Executive Order 14179 (23 Jan 2025) directs a deregulatory, pro-innovation stance and does not address release modality — leaving the NTIA "monitor-not-restrict" recommendation without an active federal vehicle. In California, the vetoed SB-1047 (vetoed 29 Sep 2024) was succeeded by SB-53, the Transparency in Frontier Artificial Intelligence Act, signed 29 Sep 2025 and effective 1 Jan 2026; it imposes transparency-framework publication and critical-safety-incident reporting on developers training above ~10^26 FLOP, applying uniformly to open- and closed-weight models rather than carving open release out (Brookings, *What is California's AI safety law?*, 2025). In the EU, the GPAI Code of Practice was finalised in July 2025 and the GPAI provider regime became enforceable on 2 Aug 2025, operationalising the systemic-risk obligations that override the open-source exemption (European Commission 2025). Two California disclosure-preservation duties phase in next: § 22757.3(c) operative 2 Aug 2026 and the hosting-platform refuse-to-host duty (AB 853, § 22757.3.2) operative 1 Jan 2027. Capability events are also reshaping the debate: DeepSeek's open-weight R1 (released 20 Jan 2025), the first openly released frontier-class model from a Chinese lab since GPT-2, intensified the export-control strand of the argument (IISS, 2025) — and once weights are public the safeguards meant to constrain misuse are hard to make durable or even to evaluate 7, a fragility that underpins the view that for the most capable systems open-sourcing "may pose sufficiently extreme risks to outweigh the benefits" 8.
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by Interim Measures for Generative AI Service Management on (implicit). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
- Forum-shoppingEU AI Act↔Executive Order 14179 — Removing Barriers to American Leadership in AI
- Forum-shoppingCalifornia SB-1047: Safe and Secure Innovation for Frontier AI Models Act↔UK Pro-Innovation Approach to AI Regulation (White Paper)
- Forum-shoppingMeta Frontier AI Framework↔G7 Hiroshima AI Process Code of Conduct
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address Open-Weight Frontier Release — candidates for future policy work.
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- UK Pro-Innovation Approach to AI Regulation (White Paper)UK
- G7 Hiroshima AI Process Code of ConductG7
- OECD AI Principles (Recommendation)OECD
- Council of Europe Framework Convention on AIcouncil_of_europe
- UN GA Resolution on Safe, Secure, Trustworthy AIUN
- NIST AI Risk Management FrameworkUS
- Bletchley Declaration on AI Safetyglobal
- NIST AI RMF Generative AI ProfileUS
- India Digital Personal Data Protection Act + AI Advisory (MEITY)IN
- Brazil AI Bill (PL 2338/2023)BR
- ASEAN Guide on AI Governance and EthicsASEAN
- UK-US AI Safety Institute Memorandum of Understandingglobal
- White House Voluntary AI CommitmentsUS
- Singapore Model AI Governance Framework for Generative AISG
- Japan METI AI Guidelines for BusinessJP
- General Data Protection Regulation (GDPR)EU
- EU General-Purpose AI Code of PracticeEU
- OMB Memorandum M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of AI)US
- GSA Generative AI and Specialized Computing Infrastructure Acquisition Resource GuideUS
- DoD Responsible AI Strategy and Implementation PathwayUS
- FedRAMP AI Cloud Procurement GuidanceUS
- DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)US
- California SB-53: Transparency in Frontier Artificial Intelligence Act (TFAIA)US
- California SB 243: Companion ChatbotsUS
- Revised Product Liability Directive (Directive (EU) 2024/2853)EU
- UNESCO Recommendation on the Ethics of Artificial IntelligenceUNESCO
- Directive (EU) 2024/2831 on improving working conditions in platform workEU
- Provisions on the Administration of Deep Synthesis of Internet Information ServicesCN
- New York RAISE Act: Responsible AI Safety and Education ActUS
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
- Italy Law No. 132/2025 on Artificial Intelligence (Legge 23 settembre 2025, n. 132)IT
- Japan AI Promotion Act (Act on the Promotion of Research, Development and Utilization of AI-Related Technologies)JP
See also
Further reading
11 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- On the Societal Impact of Open Foundation Models Preprint✦ AIProposes a marginal-risk framework, finding current research "insufficient to effectively characterize the marginal risk of open foundation models relative to pre-existing technologies."
- Considerations for governing open foundation models Peer-reviewed✦ AI"Open foundation models can benefit society by promoting competition, accelerating innovation, and distributing power," but regulation risks an uneven impact on open vs. closed models.
- Dual-Use Foundation Models with Widely Available Model Weights (NTIA Report) Research institute✦ AIRecommends the US government monitor but not currently restrict open-weight models, assessing case-by-case whether 'marginal risks' over closed models or pre-existing technology warrant action.
- Rethinking open source generative AI: open-washing and the EU AI Act Peer-reviewed✦ AIA 14-dimension survey of 45+ systems finds many self-described 'open source' models are 'open weight at best' and providers seek to 'evade scientific, legal and regulatory scrutiny' under the EU AI Act's open-source exemption.
- On Evaluating the Durability of Safeguards for Open-Weight LLMs Preprint✦ AIShows tamper-resistance safeguards for open weights are fragile and hard to assess, cautioning that 'even evaluating these defenses is exceedingly difficult and can easily mislead audiences' — undercutting safeguard-conditioned…
- The Gradient of Generative AI Release: Methods and Considerations Peer-reviewed✦ AIMaps six access levels for generative AI where "each level, from fully closed to fully open, can be viewed as an option along a gradient," grounding release-policy tradeoffs.
- Open-Sourcing Highly Capable Foundation Models: An evaluation of risks, benefits, and alternative methods for pursuing open-source objectives Research institute✦ AIArgues that for some highly capable models "open-sourcing may pose sufficiently extreme risks to outweigh the benefits," and evaluates alternative routes to open-source objectives.
- Open (For Business): Big Tech, Concentrated Power, and the Political Economy of Open AI Preprint✦ AIArgues 'even the most open of open AI systems do not, on their own, ensure democratic access...nor does openness alone solve the problem of oversight,' and that openness rhetoric can entrench Big Tech power.
- Hazards from Increasingly Accessible Fine-Tuning of Downloadable Foundation Models Preprint✦ AIGrounds the open-weight marginal-risk debate technically: 'increasingly accessible fine-tuning methods may increase hazard through facilitating malicious use and making oversight...more difficult.'
- Structured Access: An Emerging Paradigm for Safe AI Deployment Peer-reviewed✦ AIProposes 'structured access' (controlled, arm's-length cloud interactions) as a middle path between open release and full closure, restricting dangerous capabilities while preserving beneficial use and scrutiny.
- Release Strategies and the Social Impacts of Language Models Preprint✦ AIDocuments OpenAI's GPT-2 staged-release experiment, arguing 'staged release allows time between model releases to conduct risk and benefit analyses' and proposing publication norms for powerful models.
References
Sources cited inline in the analysis (linked from the superscript markers), then the primary instrument sources behind the classifications.
- Rishi Bommasani, Sayash Kapoor, Kevin Klyman, Shayne Longpre, Ashwin Ramaswami, Daniel Zhang, Marietje Schaake, Daniel E. Ho, Arvind Narayanan, Percy Liang (2024) Considerations for governing open foundation models, Science. 10.1126/science.adp1848 — "Open foundation models can benefit society by promoting competition, accelerating innovation, and distributing power," but regulation risks an uneven impact on open vs. closed models. ↩
- National Telecommunications and Information Administration (NTIA), U.S. Department of Commerce (2024) Dual-Use Foundation Models with Widely Available Model Weights (NTIA Report), NTIA / U.S. Department of Commerce. source — Recommends the US government monitor but not currently restrict open-weight models, assessing case-by-case whether 'marginal risks' over closed models or pre-existing technology warrant action. ↩
- Sayash Kapoor, Rishi Bommasani, Kevin Klyman, Shayne Longpre, et al. (2024) On the Societal Impact of Open Foundation Models, arXiv. arXiv:2403.07918 — Proposes a marginal-risk framework, finding current research "insufficient to effectively characterize the marginal risk of open foundation models relative to pre-existing technologies." ↩
- Irene Solaiman (2023) The Gradient of Generative AI Release: Methods and Considerations, ACM FAccT. 10.1145/3593013.3593981 — Maps six access levels for generative AI where "each level, from fully closed to fully open, can be viewed as an option along a gradient," grounding release-policy tradeoffs. ↩
- Andreas Liesenfeld, Mark Dingemanse (2024) Rethinking open source generative AI: open-washing and the EU AI Act, Proceedings of the 2024 ACM Conference on Fairness, Accounta. 10.1145/3630106.3659005 — A 14-dimension survey of 45+ systems finds many self-described 'open source' models are 'open weight at best' and providers seek to 'evade scientific, legal and regulatory scrutiny' under the EU AI Act's open-source exemption. ↩
- David Gray Widder, Sarah West, Meredith Whittaker (2023) Open (For Business): Big Tech, Concentrated Power, and the Political Economy of Open AI, SSRN Electronic Journal. 10.2139/ssrn.4543807 — Argues 'even the most open of open AI systems do not, on their own, ensure democratic access...nor does openness alone solve the problem of oversight,' and that openness rhetoric can entrench Big Tech power. ↩
- Xiangyu Qi, Boyi Wei, Nicholas Carlini, et al. (2024) On Evaluating the Durability of Safeguards for Open-Weight LLMs, arXiv. arXiv:2412.07097 — Shows tamper-resistance safeguards for open weights are fragile and hard to assess, cautioning that 'even evaluating these defenses is exceedingly difficult and can easily mislead audiences' — undercutting safeguard-conditioned… ↩
- Elizabeth Seger, Noemi Dreksler, Richard Moulange, et al. (Centre for the Governance of AI) (2023) Open-Sourcing Highly Capable Foundation Models: An evaluation of risks, benefits, and alternative methods for pursuing open-source objectives, Centre for the Governance of AI. arXiv:2311.09227 — Argues that for some highly capable models "open-sourcing may pose sufficiently extreme risks to outweigh the benefits," and evaluates alternative routes to open-source objectives. ↩
- EU-AIA-2024: Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models)
- US-EO-14110: §4.6 NTIA report on dual-use foundation models specifically addresses open-weight risk; not binding obligation
- CN-GENAI-2023: Art. 8 — registration / safety assessment applies regardless of weight release modality
- SEOUL-2024: Frontier AI Safety Commitments apply to all 16 signatories regardless of open/closed weight stance (Meta is signatory)
- CA-SB-1047: Vetoed bill — would have required covered models (incl. open-weight releases) to adopt a safety & security protocol + self-certified compliance, with independent third-party audits from 2026 (Anthropic + Meta objected on different grounds)
- AU-AI-STRATEGY-2024: Continental strategy frames AI capacity-building — open access to weights aligns with capacity goals
- ANTHROPIC-RSP-2024: RSP applies to Anthropic's models which are closed-weight; framework does not address third-party open release
- OPENAI-PREPAREDNESS-2023: Framework applies to OpenAI deployments (closed-weight); does not address third-party open release
- DEEPMIND-FSF-2024: Framework applies to Google DeepMind deployments (mostly closed); third-party open release not addressed
- META-FRONTIER-2024: Framework's distinctive feature — explicit defence of open-weight release as governance posture; halt-training commitment if 'critical risk' threshold reached without mitigations
- CA-SB-942: Cal. Bus. & Prof. Code § 22757.3(c) (added by SB 942, operative Aug. 2, 2026) — a covered provider that LICENSES its GenAI system to a third party must require by contract that the licensee preserve the § 22757.3(b) disclosure capability, and must revoke the license within 96 hours if the licensee disables it; reinforced by § 22757.3.2 (added by AB 853, operative Jan. 1, 2027), which bars a GenAI hosting platform distributing a system's source code or model weights from knowingly hosting a non-disclosing system
- UN-GDC-2024: GDC Objective 5 capacity-building partnerships (A/RES/79/1, Annex I)
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/open-weight-release — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
12 instruments tracked.
Does governance work? — the social-science evidence
What the peer-reviewed social science shows: whether the harm this topic addresses is empirically real, and whether governance of it works. The badge is the epistemic status of the evidence(not the policy debate) — “thin” or “absent” efficacy evidence is itself a finding (the “second silence”). Each epistemic-status label is Policy Window's editorial assessment of the cited evidence base (a structured classification), not a verdict any single source issues.
The empirical picture splits into two well-separated questions. (1) The MECHANISM that distinguishes open-weight release — that safety guardrails can be cheaply and irreversibly stripped once weights are public — is established: Qi et al. (2024) removed GPT-3.5 Turbo safety alignment by fine-tuning on only ~10 adversarially designed examples for under $0.20 (and the attack generalizes to Llama-2), and even purpose-built tamper-resistant safeguards (Tamirisa et al. 2025, TAR) were subsequently shown to be defeatable by adaptive fine-tuning (Qi et al. 2024, durability critique). (2) Whether this mechanism produces real-world CATASTROPHIC uplift is genuinely contested and, for the headline biosecurity case, currently unsupported: RAND's red-team study found no statistically significant difference in the viability of bioweapon attack plans produced with versus without LLM assistance (Mouton, Lucas & Guest 2024), and OpenAI's 100-participant trial found at most mild uplift over an internet baseline (Patwardhan et al. 2024). Honest caveat: these null/mild results are time-stamped to 2023-2024 frontier capability and to biothreats specifically; the marginal-risk framework (Kapoor, Bommasani et al. 2024) concludes the evidence base is too thin to characterize marginal risk across most misuse vectors, so 'no measured harm yet' is not 'no harm.'
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 / ICML 2024 (arXiv 2403.07918); Mouton, Lucas & Guest 2024, RAND RR-A2977-2, 'The Operational Risks of AI in Large-Scale Biological Attacks: Results of a Red-Team Study'; Qi, Zeng, Xie, Chen, Jia, Mittal & Henderson 2024, 'Fine-tuning Aligned Language Models Compromises Safety', ICLR 2024 (arXiv 2310.03693); Tamirisa et al. 2025, 'Tamper-Resistant Safeguards for Open-Weight LLMs', ICLR 2025 (arXiv 2408.00761); Qi, Wei, Carlini, Huang, Xie, He, Jagielski, Nasr, Mittal & Henderson 2024, 'On Evaluating the Durability of Safeguards for Open-Weight LLMs' (arXiv 2412.07097); Patwardhan et al. 2024, 'Building an early warning system for LLM-aided biological threat creation', OpenAI
There is no impact evaluation showing that any specific weight-release governance regime reduces downstream harm, because no binding regime has been implemented and measured: California SB-1047's release-conditioning framework was vetoed in September 2024, and the EU AI Act's open-source carve-outs (Recital 102, Art. 53(2)) exempt most open-weight models (those below the systemic-risk compute threshold) from the documentation obligations that would generate evaluable conduct. The structural obstacle is also documented: Kapoor, Bommasani et al. (2024) characterize open-weight release as effectively irreversible and poorly monitorable once weights are public, so post-release governance has little to act on. The closest analogue evidence — technology export controls — is mixed and points to circumvention: commentators argue blanket export controls on freely copyable open-source models cannot work (Just Security 2024), and independent analyses of the post-2022 semiconductor controls document displacement to less-regulated channels (smuggling, threshold-tuned chip variants, cloud access) rather than disappearance of activity (e.g., CSIS, FPRI 2024), suggesting recipient-restriction regimes face the same leakage problem for weights. (Caveat: this is analogical, not direct evidence about weight-release governance, which remains unmeasured.)
Sources: Kapoor, Bommasani, Klyman, Longpre et al. 2024, 'Position: On the Societal Impact of Open Foundation Models', PMLR 235 (arXiv 2403.07918); California SB-1047 (2024, vetoed by Gov. Newsom 29 Sep 2024); EU AI Act Regulation (EU) 2024/1689, Recital 102 & Art. 53(2) open-source exemptions; Just Security 2024, 'Export Controls on Open-Source Models Will Not Win the AI Race'; CSIS, 'The Limits of Chip Export Controls in Meeting the China Challenge' and FPRI 2024, 'Breaking the Circuit: US-China Semiconductor Controls' (export-control circumvention analogue)