Public Policy & Governance

The U.S. Department of Defense has signed agreements with SpaceX, OpenAI, Google, Nvidia, Reflection, Microsoft, and Amazon Web Services to deploy AI capabilities for classified military purposes, with contracts explicitly permitting 'any lawful use' of the technology. The breadth of that framing is the critical governance detail: it delegates discretion over use-case boundaries to the companies themselves, subject only to existing law rather than any bespoke DoD ethical AI framework or use-case restrictions. The Guardian reports that Anthropic was excluded, with a public dispute over potential AI misuse cited as the reason — a notable signal that at least one major frontier lab is maintaining a harder line on military applications.

This contrasts sharply with the EU's approach under the AI Act, which classifies certain AI uses in military and law enforcement contexts under high-risk or prohibited categories and requires conformity assessments. The U.S. government has no equivalent statutory framework governing military AI procurement. The Pentagon's own Responsible AI principles from 2020 are non-binding guidance, not enforceable compliance mandates, meaning the 'any lawful use' standard is effectively the operative constraint. The exclusion of Anthropic, and the implicit competitive pressure on other labs to accept permissive terms to maintain government contracts, creates a structural incentive problem that no current U.S. legislation addresses.

A letter from Massachusetts state legislators opposing federal AI talks — reported by Politico — is the most concrete recent indicator that Democratic coalition support for a federal AI framework that preempts state-level regulation is fracturing along predictable lines. State legislators who have invested political capital in their own AI governance bills view federal preemption not as a floor but as a ceiling, and the Massachusetts letter makes that position explicit. This follows similar dynamics in California, where Governor Newsom's veto of SB 1047 in 2024 did not end the state-level legislative push — it accelerated it, producing SB 53 and a pipeline of successor bills.

The structural problem for federal AI legislation is that the Republican-controlled Congress's primary interest in preemption is deregulatory — removing state-level obligations rather than establishing new federal ones. Democratic state lawmakers understand this trade-off clearly, and their opposition reflects a rational calculation that no federal floor is preferable to a federal ceiling that locks out stricter state action. For policy professionals tracking legislative timelines, this dynamic makes broad federal AI legislation with preemption provisions significantly harder to advance in the current session.

A joint report from the Center for Democracy and Technology and MIT's Algorithmic Alignment Group finds that fine-tuning foundation models for specialized applications produces unpredictable safety drift — meaning downstream developers may inadvertently or deliberately degrade safety properties established in the base model. CDT frames this as a critical governance gap: current regulatory frameworks, including the EU AI Act and U.S. state-level proposals, primarily address the foundation model developer, but accountability for fine-tuned variants remains underspecified. The EU AI Act's provisions on high-risk AI systems place obligations on deployers, but the technical mechanism of safety degradation through fine-tuning is not explicitly addressed in the Act's conformity assessment requirements.

This research dovetails with a separate IAPS proposal for a harmonized risk-reporting standard covering pre-release internal model use across California's SB 53, the federal RAISE Act, and the EU Code of Practice. IAPS argues that frontier companies run their most capable models internally for weeks before public release, creating a reporting blind spot in all three frameworks. Together, these two research outputs identify two concrete points in the AI development and deployment chain — internal pre-release use and post-release fine-tuning — where existing governance instruments have no effective reach.

AlgorithmWatch has submitted recommendations through the AI Omnibus procedure to operationalize the EU AI Act's prohibition on AI-generated deepfakes used in sexualized violence contexts. AlgorithmWatch argues that effective implementation requires simultaneous accountability for three actor categories — AI developers, hosting platforms, and individual perpetrators — and that current enforcement proposals focus too narrowly on platform-level takedown obligations at the expense of upstream developer liability and downstream criminal accountability. This is a live regulatory design question: the AI Act's prohibited practices provisions are in effect as of February 2025, but national competent authorities across EU member states have uneven enforcement capacity and divergent interpretations of where the primary compliance burden falls.

The AI Omnibus procedure, which is the vehicle for refining and supplementing the AI Act's implementation, is emerging as the key battleground for these design choices. Civil society organizations are using it to push for stronger victim protection mechanisms, while industry associations are pressing for narrower, more predictable liability standards. The outcome will set precedent for how the EU handles the broader class of AI-enabled harms that cross the developer-platform-user accountability chain.