General-purpose AI models
General-purpose AI (GPAI) models are trained for broad tasks and adapted into many downstream systems. Chapter V of the EU AI Act sets two tiers: baseline duties for all GPAI providers, plus extras for systemic-risk GPAI (red-teaming, incident reporting, cyber/physical safeguards and, the odd one out, energy consumption disclosure).
GPAI models are trained for a broad range of tasks and are adapted into many downstream systems → LLMs, multimodal models, recommendation engines, vision models. Laws increasingly regulate them as models, not just systems.

| All GPAI providers - baseline duties | Systemic-risk GPAI - baseline PLUS |
|---|---|
| Maintain technical documentation; publish training-data summaries while respecting IP and copyright; transparency to downstream providers via model cards, usage conditions, limitations; appoint an EU representative if established outside the EU. | Risk assessments and mitigation; document and report serious incidents; red-teaming / adversarial testing; robust cybersecurity and physical safeguards; disclose energy consumption. Systemic risk = very large models above computing thresholds. |

| Regime | GPAI approach |
|---|---|
| 🇺🇸 US states | Colorado → GPAI developers become developers of high-risk systems if models feed consequential-decision tools; California AB 2013/SB 942 → training data transparency reports, watermarking and detection tools |
| 🇰🇷 South Korea | Life cycle risk plan and documentation; transparency to downstream deployers and end-users; domestic representative; safety, reliability, human oversight |
| 🇨🇳 China | CAC filing before public release; security and safety assessment; label and watermark outputs (deep synthesis rules); content compliance; monitor, rectify, report changes |
| 🇯🇵 Japan | Nonbinding → documentation and logs, capability and limitation disclosure, oversight and explainability; NIST AI RMF nonbinding but widely referenced in procurement |

Common global GPAI obligations span documentation for deployers and regulators, transparency on training data and limitations, detection, traceability and labelling tools (watermarking), systemic-risk controls, human oversight downstream, incident reporting, and filing or representative appointment where required. Governance challenges centre on data quality (a general text model may need extra training for healthcare or criminal justice), transparency and automatically generated logs, and risk-assessing third-party integrations.
Favourite picks → red-teaming, serious-incident reporting, cybersecurity and physical safeguards, and the odd one out, energy consumption disclosure. Only systemic-risk GPAI carries these; baseline GPAI does not.