---
type: source
title: "Mapping Industry Practices to EU AI Act GPAI Code of Practice Safety and Security Measures (arXiv:2504.15181)"
author: "Lily Stelling, Mick Yang, Rokas Gipiškis, Leon Staufer, Ze Shen Chin, Siméon Campos, Ariel Gil, Michael Chen"
url: https://arxiv.org/abs/2504.15181
date: 2025-04-01
domain: ai-alignment
secondary_domains: []
format: paper
status: null-result
priority: high
tags: [GPAI, Code-of-Practice, industry-practices, EU-AI-Act, safety-measures, OpenAI, Anthropic, Google-DeepMind, compliance, voluntary]
processed_by: theseus
processed_date: 2026-03-20
extraction_model: "anthropic/claude-sonnet-4.5"
extraction_notes: "LLM returned 0 claims, 0 rejected by validator"
---

## Content

166-page analysis comparing safety and security measures in the EU AI Act's General-Purpose AI Code of Practice (Third Draft) against actual commitments from leading AI companies. Examined documents from over a dozen companies including OpenAI, Anthropic, Google DeepMind, Microsoft, Meta, and Amazon.

**Key Finding:** "Relevant quotes from at least 5 companies' documents for the majority of the measures in Commitments II.1-II.16" within the Safety and Security section.

**Important Caveat (author-stated):** "This report is not meant to be an indication of legal compliance, nor does it take any prescriptive viewpoint about the Code of Practice or companies' policies."

**Context:** The GPAI Code of Practice (Third Draft, April 2025) was finalized and received by the Commission on July 10, 2025, and became applicable August 2, 2025.

## Agent Notes

**Why this matters:** This paper shows that existing frontier AI lab policies already contain language matching the majority of Code of Practice safety measures. This is important for two competing interpretations:

(1) Pro-governance reading: the Code of Practice reflects real existing practices, making compliance feasible.

(2) Anti-governance reading: if labs already claim to do most of this, the Code simply formalizes current voluntary commitments rather than creating new obligations — it's the same voluntary-collaborative problem in formal dress.

**What surprised me:** The author caveat is striking: they explicitly say this is NOT evidence of compliance. Labs may publish commitments that match the Code language while the actual model behaviors don't correspond. This is the deception-resilient gap — what labs say they do vs. what their models do.

**What I expected but didn't find:** Evidence that the Code of Practice requires genuinely independent third-party verification of the safety measures it lists. From the structure, it appears labs self-certify compliance through code adherence, with the AI Office potentially auditing retrospectively.

**KB connections:**

- voluntary safety pledges cannot survive competitive pressure — the Code of Practice may formalize existing voluntary commitments without adding enforcement mechanisms that survive competitive pressure
- an aligned-seeming AI may be strategically deceptive — the gap between published safety commitments and actual model behavior is precisely what deception-resilient evaluation (AAL-3/4) is designed to detect

**Extraction hints:** Supporting claim: "GPAI Code of Practice safety measures map to existing commitments from major AI labs — but the mapping is of stated policies, not verified behaviors, leaving the deception-resilient gap unaddressed." Use cautiously — authors explicitly say this is not compliance evidence.

**Context:** Independent analysis by researchers at AI safety/governance organizations. Not affiliated with the AI Office or Commission.

## Curator Notes (structured handoff for extractor)

PRIMARY CONNECTION: [[voluntary safety pledges cannot survive competitive pressure because unilateral commitments are structurally punished when competitors advance without equivalent constraints]]

WHY ARCHIVED: Shows that Code of Practice may be formalizing existing practices rather than creating new obligations — relevant to whether mandatory framework actually changes behavior

EXTRACTION HINT: Be careful about the author caveat — this is evidence about stated policies not compliance evidence; extractor should note this distinction clearly

## Key Facts

- EU AI Act GPAI Code of Practice Third Draft finalized April 2025
- Code of Practice received by Commission July 10, 2025
- Code of Practice became applicable August 2, 2025
- Analysis examined documents from over a dozen companies including OpenAI, Anthropic, Google DeepMind, Microsoft, Meta, and Amazon
- Paper is 166 pages analyzing safety and security measures
- Authors found relevant quotes from at least 5 companies for majority of measures in Commitments II.1-II.16