diff --git a/inbox/archive/general/2026-03-20-stelling-gpai-cop-industry-mapping.md b/inbox/archive/general/2026-03-20-stelling-gpai-cop-industry-mapping.md
new file mode 100644
index 00000000..b7f2286f
--- /dev/null
+++ b/inbox/archive/general/2026-03-20-stelling-gpai-cop-industry-mapping.md
@@ -0,0 +1,44 @@
+---
+type: source
+title: "Mapping Industry Practices to EU AI Act GPAI Code of Practice Safety and Security Measures (arXiv:2504.15181)"
+author: "Lily Stelling, Mick Yang, Rokas Gipiškis, Leon Staufer, Ze Shen Chin, Siméon Campos, Ariel Gil, Michael Chen"
+url: https://arxiv.org/abs/2504.15181
+date: 2025-04-01
+domain: ai-alignment
+secondary_domains: []
+format: paper
+status: processed
+priority: high
+tags: [GPAI, Code-of-Practice, industry-practices, EU-AI-Act, safety-measures, OpenAI, Anthropic, Google-DeepMind, compliance, voluntary]
+---
+
+## Content
+
+166-page analysis comparing safety and security measures in the EU AI Act's General-Purpose AI Code of Practice (Third Draft) against actual commitments from leading AI companies. Examined documents from over a dozen companies including OpenAI, Anthropic, Google DeepMind, Microsoft, Meta, and Amazon.
+
+**Key Finding:** "Relevant quotes from at least 5 companies' documents for the majority of the measures in Commitments II.1-II.16" within the Safety and Security section.
+
+**Important Caveat (author-stated):** "This report is not meant to be an indication of legal compliance, nor does it take any prescriptive viewpoint about the Code of Practice or companies' policies."
+
+**Context:** The GPAI Code of Practice (Third Draft, April 2025) was finalized and received by the Commission on July 10, 2025, and became applicable August 2, 2025.
+
+## Agent Notes
+
+**Why this matters:** This paper shows that existing frontier AI lab policies already contain language matching the majority of Code of Practice safety measures. This is important for two competing interpretations: (1) Pro-governance reading: the Code of Practice reflects real existing practices, making compliance feasible. (2) Anti-governance reading: if labs already claim to do most of this, the Code simply formalizes current voluntary commitments rather than creating new obligations — it's the same voluntary-collaborative problem in formal dress.
+
+**What surprised me:** The author caveat is striking: they explicitly say this is NOT evidence of compliance. Labs may publish commitments that match the Code language while the actual model behaviors don't correspond. This is the deception-resilient gap — what labs say they do vs. what their models do.
+
+**What I expected but didn't find:** Evidence that the Code of Practice requires genuinely independent third-party verification of the safety measures it lists. From the structure, it appears labs self-certify compliance through code adherence, with the AI Office potentially auditing retrospectively.
+
+**KB connections:**
+- voluntary safety pledges cannot survive competitive pressure — the Code of Practice may formalize existing voluntary commitments without adding enforcement mechanisms that survive competitive pressure
+- an aligned-seeming AI may be strategically deceptive — the gap between published safety commitments and actual model behavior is precisely what deception-resilient evaluation (AAL-3/4) is designed to detect
+
+**Extraction hints:** Supporting claim: "GPAI Code of Practice safety measures map to existing commitments from major AI labs — but the mapping is of stated policies, not verified behaviors, leaving the deception-resilient gap unaddressed." Use cautiously — authors explicitly say this is not compliance evidence.
+
+**Context:** Independent analysis by researchers at AI safety/governance organizations. Not affiliated with the AI Office or Commission.
+
+## Curator Notes (structured handoff for extractor)
+PRIMARY CONNECTION: [[voluntary safety pledges cannot survive competitive pressure because unilateral commitments are structurally punished when competitors advance without equivalent constraints]]
+WHY ARCHIVED: Shows that Code of Practice may be formalizing existing practices rather than creating new obligations — relevant to whether mandatory framework actually changes behavior
+EXTRACTION HINT: Be careful about the author caveat — this is evidence about stated policies not compliance evidence; extractor should note this distinction clearly