Merge branch 'main' into extract/2026-03-20-bench2cop-benchmarks-insufficient-compliance

This commit is contained in: commit 677597e227

8 changed files with 268 additions and 3 deletions

@@ -0,0 +1,48 @@
---
type: source
title: "EU AI Act Article 43: Conformity Assessment is Mostly Self-Assessment, Not Independent Third-Party Evaluation"
author: "European Union / EU AI Act (euaiact.com)"
url: https://www.euaiact.com/article/43
date: 2024-07-12
domain: ai-alignment
secondary_domains: []
format: legislation
status: processed
priority: medium
tags: [EU-AI-Act, Article-43, conformity-assessment, self-assessment, notified-bodies, high-risk-AI, independence, FDA-comparison]
---

## Content

Article 43 establishes conformity assessment procedures for **high-risk AI systems** (not GPAI — high-risk AI is a separate category covering uses such as medical devices, recruitment systems, and law enforcement).

**Assessment structure:**

- For high-risk AI in **Annex III point 1** (biometric identification): providers may choose between internal control (self-assessment) OR quality management system assessment with notified body involvement
- For high-risk AI in **Annex III points 2-8** (all other categories): **internal control (self-assessment) only** — no notified body required
- A third-party notified body is required ONLY when harmonized standards don't exist, common specifications are unavailable, the provider hasn't fully applied the relevant standards, or the standards were published with restrictions

**Notified bodies:** Third-party conformity assessment organizations designated under the regulation. For law enforcement and immigration uses, the market surveillance authority acts as the notified body.
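
To make the routing concrete, here is a minimal sketch in Python of the route selection described above. It is an interpretive illustration, not the Act's logic: the dataclass, its field names, and the single standards flag are invented for the example, and the Act's actual conditions are more detailed.

```python
from dataclasses import dataclass

@dataclass
class HighRiskSystem:
    annex_iii_point: int           # 1 = biometric identification, 2-8 = other categories
    standards_fully_applied: bool  # harmonized standards / common specs fully applied
    law_enforcement_use: bool      # law enforcement or immigration context

def conformity_route(system: HighRiskSystem) -> str:
    """Sketch of the Article 43 routing as summarized in this note."""
    if system.annex_iii_point != 1:
        # Annex III points 2-8: internal control only, no notified body
        return "internal control (self-assessment)"
    if not system.standards_fully_applied:
        # A standards gap is the exception that forces third-party involvement;
        # for law enforcement/immigration the market surveillance authority steps in
        body = ("market surveillance authority" if system.law_enforcement_use
                else "notified body")
        return f"quality management system assessment with {body}"
    # Point 1 with standards fully applied: the provider chooses either route
    return "internal control OR notified body assessment (provider's choice)"

print(conformity_route(HighRiskSystem(annex_iii_point=3,
                                      standards_fully_applied=True,
                                      law_enforcement_use=False)))
# -> internal control (self-assessment)
```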

**Key implication:** For the vast majority of high-risk AI systems, Article 43 permits self-certification of compliance. The "conformity assessment" of the EU AI Act is predominantly a documentation exercise, not an independent evaluation.

**Important distinction from GPAI:** Article 43 governs high-risk AI systems (classified by use case); the GPAI systemic risk provisions (Articles 51-56) govern models by training compute scale. These are different categories — the biggest frontier models may be GPAI systemic risk WITHOUT being classified as high-risk AI systems, and vice versa. They operate under different regulatory regimes.

## Agent Notes

**Why this matters:** Article 43 is frequently cited as the EU AI Act's "conformity assessment" mechanism, implying independent evaluation. In reality it is self-assessment for almost all high-risk AI, with third-party evaluation as an exception. This matters for understanding whether the EU AI Act creates the "FDA equivalent" that Brundage et al. say is missing. Answer: no, not through Article 43.

**What surprised me:** The simplicity of the answer. Article 43 ≠ FDA because it allows self-assessment for most cases. The path to any independent evaluation in the EU AI Act runs through Article 92 (compulsory AI Office evaluation), not Article 43 (conformity assessment). These are different mechanisms with different triggers.

**What I expected but didn't find:** Any requirement that third-party notified bodies verify actual model behavior, as opposed to reviewing documentation. Even where notified bodies ARE required (Annex III point 1), their role appears to be quality management system review, not independent capability evaluation.

**KB connections:**

- Previous session finding from Brundage et al. (arXiv:2601.11699): AAL-1 (the peak of current voluntary practice) still relies substantially on company-provided information. Article 43 self-assessment is structurally at or below AAL-1.

**Extraction hints:** This source is better used to CORRECT a potential misunderstanding than to make a new claim. The corrective claim: "EU AI Act conformity assessment under Article 43 primarily permits self-certification — third-party notified body review is the exception, not the rule, applying to a narrow subset of high-risk use cases when harmonized standards don't exist." The path to independent evaluation runs through Article 92, not Article 43.

**Context:** Article 43 applies to high-risk AI systems (the Annex III list: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice). GPAI models face a separate and in some ways more stringent regime under Articles 51-56 when they meet the systemic risk threshold.

## Curator Notes (structured handoff for extractor)

PRIMARY CONNECTION: voluntary safety pledges cannot survive competitive pressure — self-certification under Article 43 has the same structural weakness as voluntary commitments; labs certify their own compliance

WHY ARCHIVED: Corrects a common misreading of the EU AI Act as creating FDA-equivalent independent evaluation via Article 43; clarifies that independent evaluation runs through Article 92 (reactive), not Article 43 (conformity)

EXTRACTION HINT: This is primarily a clarifying/corrective source; the extractor should check whether any existing KB claims overstate Article 43's independence requirements and note the Article 43 / Article 92 distinction

@@ -0,0 +1,61 @@
---
type: source
title: "EU AI Act Articles 51-56, 88-93, 101: GPAI Systemic Risk Obligations and Compulsory Evaluation Framework"
author: "European Union / EU AI Act (euaiact.com)"
url: https://www.euaiact.com/article/51
date: 2024-07-12
domain: ai-alignment
secondary_domains: []
format: legislation
status: processed
priority: high
tags: [EU-AI-Act, GPAI, systemic-risk, Article-55, Article-92, conformity-assessment, independent-evaluation, AI-Office, enforcement, 10-25-FLOPs]
---

## Content

### Article 51 — GPAI Systemic Risk Classification

A GPAI model qualifies as having systemic risk if it demonstrates high-impact capabilities OR if the Commission designates it as such. Presumption threshold: cumulative training compute exceeding **10^25 floating-point operations** (approximately the compute used to train GPT-4 and above). This threshold captures only the most computationally intensive frontier models.
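
For concreteness, a minimal sketch of the Article 51 presumption as stated above. The 10^25 FLOP constant comes from the text; the function name and the designation flag are illustrative assumptions.

```python
SYSTEMIC_RISK_FLOP_PRESUMPTION = 1e25  # cumulative training compute (Article 51)

def presumed_systemic_risk(training_flops: float,
                           commission_designated: bool = False) -> bool:
    # High-impact capability is presumed above the compute threshold;
    # the Commission can also designate a model directly.
    return training_flops > SYSTEMIC_RISK_FLOP_PRESUMPTION or commission_designated

print(presumed_systemic_risk(2.1e25))  # True: above the 10^25 FLOP presumption
print(presumed_systemic_risk(5.0e24))  # False: below threshold and not designated
```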

### Article 53 — Standard GPAI Provider Obligations

All GPAI providers must: (1) maintain technical documentation of training and testing processes; (2) provide downstream developers with capability/limitation disclosures; (3) establish copyright compliance policies; (4) publish training data summaries. The open-source exception applies EXCEPT for models with systemic risk.

### Article 55 — Systemic Risk GPAI Obligations

Providers of systemic-risk GPAI models must: (1) **perform model evaluation including adversarial testing** in accordance with standardized protocols reflecting the state of the art; (2) assess and address systemic risks at EU level; (3) track and report serious incidents without undue delay; (4) maintain cybersecurity protections. Compliance pathways are flexible: codes of practice, harmonized standards, or "alternative adequate means" assessed by the Commission. Independent third-party audit is NOT mandatory.

### Article 56 — Codes of Practice

The AI Office facilitates the development of voluntary codes of practice with industry, academia, and civil society. Codes were required to be ready by May 2025; the Commission approved the final Code on July 10, 2025. The Commission may give approved codes binding force via implementing act. If codes prove inadequate by August 2025, the Commission may impose binding common rules.

### Article 88 — Commission Exclusive Enforcement Powers

The Commission receives exclusive powers to supervise and enforce the GPAI rules, with implementation delegated to the AI Office. National authorities can request Commission assistance when proportionate.

### Article 91 — Information and Documentation Requests

The AI Office may request GPAI providers to submit compliance documentation or "any additional information necessary for assessing compliance." The Commission may also compel access upon scientific panel requests. Structured dialogue may precede formal requests. All requests are subject to procedurally specific requirements.

### Article 92 — Compulsory Evaluation Powers (KEY PROVISION)

The AI Office may conduct independent evaluations of GPAI models in two scenarios: (1) when Article 91 documentation is insufficient for compliance assessment; (2) to investigate Union-level systemic risks following qualified alerts from the scientific panel. Powers include appointing **independent experts** from the scientific panel and compelling access via APIs, source code, and "appropriate technical means and tools." Providers must comply under penalty of fines. This is a **compulsory** access mechanism — not voluntary-collaborative.
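
To underline the reactive structure, a small sketch of the two triggers as this note reads them. The function and its arguments are invented for illustration and are not drawn from the Act's wording.

```python
def article_92_triggers(documentation_sufficient: bool,
                        qualified_alert: bool) -> list[str]:
    """Hypothetical reading of when the AI Office may open an evaluation."""
    triggers = []
    if not documentation_sufficient:
        triggers.append("Article 91 documentation insufficient for compliance assessment")
    if qualified_alert:
        triggers.append("qualified alert from the scientific panel (Union-level systemic risk)")
    # Note what is absent: no trigger fires merely because a model is about to deploy.
    return triggers

print(article_92_triggers(documentation_sufficient=True, qualified_alert=False))
# -> []  (deployment alone triggers nothing; enforcement is reactive)
```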

### Article 101 — Fines for GPAI Providers

Maximum fine: **3% of annual worldwide turnover or EUR 15 million, whichever is higher**. Applies to violations including breaching the regulation's provisions, failing to provide requested documents, failing to comply with requested measures, and denying access for Commission evaluations.
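
The ceiling is a simple maximum of two prongs; a short sketch with illustrative turnover figures:

```python
def max_gpai_fine_eur(annual_worldwide_turnover_eur: float) -> float:
    # Article 101 ceiling: 3% of annual worldwide turnover or EUR 15 million,
    # whichever is higher.
    return max(0.03 * annual_worldwide_turnover_eur, 15_000_000.0)

print(max_gpai_fine_eur(2_000_000_000))  # 60000000.0: the 3% prong dominates
print(max_gpai_fine_eur(100_000_000))    # 15000000.0: the EUR 15M floor applies
```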

## Agent Notes

**Why this matters:** This is the most detailed picture of what the EU AI Act actually creates for GPAI systemic risk models. The key finding is that Article 92 creates genuinely compulsory evaluation powers — not voluntary-collaborative like METR/AISI — but they are triggered reactively (by qualified alerts or compliance failures), not proactively required before deployment. This is a crucial distinction from the FDA pre-market approval model.

**What surprised me:** Article 92's compulsory access to APIs and source code is meaningfully stronger than I expected based on yesterday's research. The AI Office can appoint independent experts and compel technical access. This moves the EU AI Act closer to AAL-2 (non-reliance on company statements when triggered) but still falls short of AAL-3/4 (deception-resilient, proactive).

**What I expected but didn't find:** A proactive pre-deployment evaluation requirement. The EU AI Act creates mandatory obligations (Article 55) with binding enforcement (Articles 92, 101), but the evaluation is triggered by problems, not required as a condition of deployment. The FDA analogy fails specifically here — drugs cannot be deployed without pre-market approval; GPAI models under the EU AI Act can be deployed while the AI Office monitors and intervenes reactively.

**KB connections:**

- voluntary safety pledges cannot survive competitive pressure — Article 55 creates mandatory obligations that don't depend on voluntary commitment, but the flexible compliance pathways preserve lab discretion in HOW they comply
- scalable oversight degrades rapidly as capability gaps grow — Article 92's compulsory evaluation powers don't solve the AAL-3/4 infeasibility problem; even with source code access, deception-resilient evaluation is technically infeasible
- technology advances exponentially but coordination mechanisms evolve linearly — the 10^25 FLOP threshold will require updating as compute efficiency improves

**Extraction hints:** Primary claim: "EU AI Act Article 92 creates the first binding compulsory evaluation powers for frontier AI models globally — the AI Office can compel API/source code access and appoint independent experts — but enforcement is reactive, not proactive, falling structurally short of FDA pre-market approval." Secondary claim: "EU AI Act flexible compliance pathways for Article 55 allow GPAI systemic risk models to self-certify compliance through codes of practice rather than mandatory independent third-party audit."

**Context:** This is a synthesis of Articles 51, 53, 55, 56, 88, 91, 92, and 101 of the EU AI Act. GPAI obligations became applicable August 2, 2025. The Act applies to any frontier AI model deployed in the EU market, regardless of where it was developed.

## Curator Notes (structured handoff for extractor)

PRIMARY CONNECTION: [[voluntary safety pledges cannot survive competitive pressure because unilateral commitments are structurally punished when competitors advance without equivalent constraints]] — the EU AI Act's mandatory structure counters this weakness, but flexible compliance pathways partially reintroduce it

WHY ARCHIVED: First binding mandatory evaluation framework globally for frontier AI — essential for B1 disconfirmation assessment and the multi-session "governance gap" thesis

EXTRACTION HINT: Focus on the Article 92 compulsory evaluation / reactive-vs-proactive distinction — this is the key structural feature that makes the EU AI Act stronger than voluntary-collaborative METR/AISI but weaker than FDA pre-market approval

@@ -0,0 +1,44 @@
---
type: source
title: "Mapping Industry Practices to EU AI Act GPAI Code of Practice Safety and Security Measures (arXiv:2504.15181)"
author: "Lily Stelling, Mick Yang, Rokas Gipiškis, Leon Staufer, Ze Shen Chin, Siméon Campos, Ariel Gil, Michael Chen"
url: https://arxiv.org/abs/2504.15181
date: 2025-04-01
domain: ai-alignment
secondary_domains: []
format: paper
status: processed
priority: high
tags: [GPAI, Code-of-Practice, industry-practices, EU-AI-Act, safety-measures, OpenAI, Anthropic, Google-DeepMind, compliance, voluntary]
---

## Content

A 166-page analysis comparing the safety and security measures in the EU AI Act's General-Purpose AI Code of Practice (Third Draft) against actual commitments from leading AI companies. The authors examined documents from over a dozen companies including OpenAI, Anthropic, Google DeepMind, Microsoft, Meta, and Amazon.

**Key Finding:** The authors found "relevant quotes from at least 5 companies' documents for the majority of the measures in Commitments II.1-II.16" within the Safety and Security section.

**Important Caveat (author-stated):** "This report is not meant to be an indication of legal compliance, nor does it take any prescriptive viewpoint about the Code of Practice or companies' policies."

**Context:** The GPAI Code of Practice (Third Draft, April 2025) was finalized and received by the Commission on July 10, 2025, and became applicable August 2, 2025.

## Agent Notes

**Why this matters:** This paper shows that existing frontier AI lab policies already contain language matching the majority of the Code of Practice safety measures. This is important for two competing interpretations: (1) pro-governance reading: the Code of Practice reflects real existing practices, making compliance feasible; (2) anti-governance reading: if labs already claim to do most of this, the Code simply formalizes current voluntary commitments rather than creating new obligations — it's the same voluntary-collaborative problem in formal dress.

**What surprised me:** The author caveat is striking: they explicitly say this is NOT evidence of compliance. Labs may publish commitments that match the Code language while the actual model behaviors don't correspond. This is the deception-resilient gap — what labs say they do vs. what their models do.

**What I expected but didn't find:** Evidence that the Code of Practice requires genuinely independent third-party verification of the safety measures it lists. From the structure, it appears labs self-certify compliance through code adherence, with the AI Office potentially auditing retrospectively.

**KB connections:**

- voluntary safety pledges cannot survive competitive pressure — the Code of Practice may formalize existing voluntary commitments without adding enforcement mechanisms that survive competitive pressure
- an aligned-seeming AI may be strategically deceptive — the gap between published safety commitments and actual model behavior is precisely what deception-resilient evaluation (AAL-3/4) is designed to detect

**Extraction hints:** Supporting claim: "GPAI Code of Practice safety measures map to existing commitments from major AI labs — but the mapping is of stated policies, not verified behaviors, leaving the deception-resilient gap unaddressed." Use cautiously — the authors explicitly say this is not compliance evidence.

**Context:** Independent analysis by researchers at AI safety/governance organizations, not affiliated with the AI Office or the Commission.

## Curator Notes (structured handoff for extractor)

PRIMARY CONNECTION: [[voluntary safety pledges cannot survive competitive pressure because unilateral commitments are structurally punished when competitors advance without equivalent constraints]]

WHY ARCHIVED: Shows that the Code of Practice may be formalizing existing practices rather than creating new obligations — relevant to whether the mandatory framework actually changes behavior

EXTRACTION HINT: Be careful about the author caveat — this is evidence about stated policies, not compliance evidence; the extractor should note this distinction clearly

@@ -0,0 +1,26 @@
{
  "rejected_claims": [
    {
      "filename": "eu-ai-act-article-43-conformity-assessment-is-self-certification-not-independent-evaluation.md",
      "issues": [
        "missing_attribution_extractor"
      ]
    }
  ],
  "validation_stats": {
    "total": 1,
    "kept": 0,
    "fixed": 3,
    "rejected": 1,
    "fixes_applied": [
      "eu-ai-act-article-43-conformity-assessment-is-self-certification-not-independent-evaluation.md:set_created:2026-03-20",
      "eu-ai-act-article-43-conformity-assessment-is-self-certification-not-independent-evaluation.md:stripped_wiki_link:voluntary-safety-pledges-cannot-survive-competitive-pressure",
      "eu-ai-act-article-43-conformity-assessment-is-self-certification-not-independent-evaluation.md:stripped_wiki_link:only-binding-regulation-with-enforcement-teeth-changes-front"
    ],
    "rejections": [
      "eu-ai-act-article-43-conformity-assessment-is-self-certification-not-independent-evaluation.md:missing_attribution_extractor"
    ]
  },
  "model": "anthropic/claude-sonnet-4.5",
  "date": "2026-03-20"
}
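
A minimal sketch of how such a validation log might be summarized, assuming only the fields visible above; the file path is hypothetical.

```python
import json

# Illustrative path; the actual log location is not shown in this commit.
with open("validation-log.json") as f:
    log = json.load(f)

stats = log["validation_stats"]
print(f"{stats['total']} claim(s): {stats['kept']} kept, "
      f"{stats['rejected']} rejected, {stats['fixed']} fixes applied")

for claim in log["rejected_claims"]:
    print(f"  rejected {claim['filename']}: {', '.join(claim['issues'])}")
```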

@@ -0,0 +1,37 @@
{
  "rejected_claims": [
    {
      "filename": "eu-ai-act-article-92-creates-compulsory-evaluation-powers-but-reactive-not-proactive.md",
      "issues": [
        "missing_attribution_extractor"
      ]
    },
    {
      "filename": "eu-ai-act-flexible-compliance-pathways-allow-self-certification-partially-reintroducing-voluntary-commitment-weakness.md",
      "issues": [
        "missing_attribution_extractor"
      ]
    }
  ],
  "validation_stats": {
    "total": 2,
    "kept": 0,
    "fixed": 7,
    "rejected": 2,
    "fixes_applied": [
      "eu-ai-act-article-92-creates-compulsory-evaluation-powers-but-reactive-not-proactive.md:set_created:2026-03-20",
      "eu-ai-act-article-92-creates-compulsory-evaluation-powers-but-reactive-not-proactive.md:stripped_wiki_link:voluntary-safety-pledges-cannot-survive-competitive-pressure",
      "eu-ai-act-article-92-creates-compulsory-evaluation-powers-but-reactive-not-proactive.md:stripped_wiki_link:only-binding-regulation-with-enforcement-teeth-changes-front",
      "eu-ai-act-article-92-creates-compulsory-evaluation-powers-but-reactive-not-proactive.md:stripped_wiki_link:pre-deployment-AI-evaluations-do-not-predict-real-world-risk",
      "eu-ai-act-flexible-compliance-pathways-allow-self-certification-partially-reintroducing-voluntary-commitment-weakness.md:set_created:2026-03-20",
      "eu-ai-act-flexible-compliance-pathways-allow-self-certification-partially-reintroducing-voluntary-commitment-weakness.md:stripped_wiki_link:voluntary-safety-pledges-cannot-survive-competitive-pressure",
      "eu-ai-act-flexible-compliance-pathways-allow-self-certification-partially-reintroducing-voluntary-commitment-weakness.md:stripped_wiki_link:only-binding-regulation-with-enforcement-teeth-changes-front"
    ],
    "rejections": [
      "eu-ai-act-article-92-creates-compulsory-evaluation-powers-but-reactive-not-proactive.md:missing_attribution_extractor",
      "eu-ai-act-flexible-compliance-pathways-allow-self-certification-partially-reintroducing-voluntary-commitment-weakness.md:missing_attribution_extractor"
    ]
  },
  "model": "anthropic/claude-sonnet-4.5",
  "date": "2026-03-20"
}
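
Both logs record stripped_wiki_link fixes. A plausible sketch of that fix, assuming it simply flattens [[...]] wiki links to their bare text; the validator's real implementation is not shown in this commit.

```python
import re

WIKI_LINK = re.compile(r"\[\[([^\]]+)\]\]")

def strip_wiki_links(text: str) -> str:
    # Replace [[target]] with its bare text, mirroring the
    # "stripped_wiki_link" fixes recorded in the logs above.
    return WIKI_LINK.sub(r"\1", text)

print(strip_wiki_links("supports [[voluntary-safety-pledges-cannot-survive-competitive-pressure]]"))
# -> supports voluntary-safety-pledges-cannot-survive-competitive-pressure
```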

@@ -7,9 +7,13 @@ date: 2024-07-12
 domain: ai-alignment
 secondary_domains: []
 format: legislation
-status: unprocessed
+status: null-result
 priority: medium
 tags: [EU-AI-Act, Article-43, conformity-assessment, self-assessment, notified-bodies, high-risk-AI, independence, FDA-comparison]
+processed_by: theseus
+processed_date: 2026-03-20
+extraction_model: "anthropic/claude-sonnet-4.5"
+extraction_notes: "LLM returned 1 claims, 1 rejected by validator"
 ---

 ## Content
@@ -46,3 +50,13 @@ Article 43 establishes conformity assessment procedures for **high-risk AI syste
 PRIMARY CONNECTION: voluntary safety pledges cannot survive competitive pressure — self-certification under Article 43 has the same structural weakness as voluntary commitments; labs certify their own compliance
 WHY ARCHIVED: Corrects common misreading of EU AI Act as creating FDA-equivalent independent evaluation via Article 43; clarifies that independent evaluation runs through Article 92 (reactive) not Article 43 (conformity)
 EXTRACTION HINT: This is primarily a clarifying/corrective source; extractor should check whether any existing KB claims overstate Article 43's independence requirements and note the Article 43 / Article 92 distinction
+
+## Key Facts
+
+- EU AI Act Article 43 governs conformity assessment for high-risk AI systems (Annex III categories)
+- High-risk AI in Annex III points 2-8 use internal control (self-assessment) only
+- High-risk AI in Annex III point 1 (biometric identification) may choose between internal control OR notified body assessment
+- Third-party notified body required only when: harmonized standards don't exist, common specifications unavailable, provider hasn't fully applied standards, or standards published with restrictions
+- For law enforcement and immigration uses, the market surveillance authority acts as the notified body
+- Article 43 applies to high-risk AI systems (classification by use case), distinct from GPAI systemic risk provisions (Articles 51-56) which govern models by training compute scale
+- Article 92 provides compulsory AI Office evaluation as a separate mechanism from Article 43 conformity assessment

@@ -7,9 +7,13 @@ date: 2024-07-12
 domain: ai-alignment
 secondary_domains: []
 format: legislation
-status: unprocessed
+status: null-result
 priority: high
 tags: [EU-AI-Act, GPAI, systemic-risk, Article-55, Article-92, conformity-assessment, independent-evaluation, AI-Office, enforcement, 10-25-FLOPs]
+processed_by: theseus
+processed_date: 2026-03-20
+extraction_model: "anthropic/claude-sonnet-4.5"
+extraction_notes: "LLM returned 2 claims, 2 rejected by validator"
 ---

 ## Content
@@ -59,3 +63,21 @@ Maximum fine: **3% of annual worldwide turnover or EUR 15 million, whichever is
 PRIMARY CONNECTION: [[voluntary safety pledges cannot survive competitive pressure because unilateral commitments are structurally punished when competitors advance without equivalent constraints]] — EU AI Act's mandatory structure counters this weakness, but flexible compliance pathways partially reintroduce it
 WHY ARCHIVED: First binding mandatory evaluation framework globally for frontier AI — essential for B1 disconfirmation assessment and the multi-session "governance gap" thesis
 EXTRACTION HINT: Focus on the Article 92 compulsory evaluation / reactive vs proactive distinction — this is the key structural feature that makes EU AI Act stronger than voluntary-collaborative METR/AISI but weaker than FDA pre-market approval
+
+## Key Facts
+
+- EU AI Act became applicable August 2, 2025
+- GPAI systemic risk threshold: 10^25 floating-point operations (approximately GPT-4 training compute)
+- Maximum fine for GPAI violations: 3% of annual worldwide turnover or EUR 15 million, whichever is higher
+- Final Code of Practice approved July 10, 2025
+- Codes of practice deadline was May 2025
+- Commission deadline to impose binding common rules if codes inadequate: August 2025
+- Article 51 defines GPAI systemic risk classification
+- Article 53 defines standard GPAI provider obligations
+- Article 55 defines systemic risk GPAI obligations
+- Article 56 defines codes of practice process
+- Article 88 grants Commission exclusive enforcement powers
+- Article 91 defines information and documentation request powers
+- Article 92 defines compulsory evaluation powers
+- Article 101 defines fines for GPAI providers
+- Open-source exception applies to standard GPAI obligations EXCEPT for models with systemic risk

@@ -7,9 +7,13 @@ date: 2025-04-01
 domain: ai-alignment
 secondary_domains: []
 format: paper
-status: unprocessed
+status: null-result
 priority: high
 tags: [GPAI, Code-of-Practice, industry-practices, EU-AI-Act, safety-measures, OpenAI, Anthropic, Google-DeepMind, compliance, voluntary]
+processed_by: theseus
+processed_date: 2026-03-20
+extraction_model: "anthropic/claude-sonnet-4.5"
+extraction_notes: "LLM returned 0 claims, 0 rejected by validator"
 ---

 ## Content
@@ -42,3 +46,12 @@ tags: [GPAI, Code-of-Practice, industry-practices, EU-AI-Act, safety-measures, O
 PRIMARY CONNECTION: [[voluntary safety pledges cannot survive competitive pressure because unilateral commitments are structurally punished when competitors advance without equivalent constraints]]
 WHY ARCHIVED: Shows that Code of Practice may be formalizing existing practices rather than creating new obligations — relevant to whether mandatory framework actually changes behavior
 EXTRACTION HINT: Be careful about the author caveat — this is evidence about stated policies not compliance evidence; extractor should note this distinction clearly
+
+## Key Facts
+
+- EU AI Act GPAI Code of Practice Third Draft finalized April 2025
+- Code of Practice received by Commission July 10, 2025
+- Code of Practice became applicable August 2, 2025
+- Analysis examined documents from over a dozen companies including OpenAI, Anthropic, Google DeepMind, Microsoft, Meta, and Amazon
+- Paper is 166 pages analyzing safety and security measures
+- Authors found relevant quotes from at least 5 companies for majority of measures in Commitments II.1-II.16