Blog · Analysis · Last reviewed June 23, 2026

The Model Constitution Arrives as a Code of Practice

The EU's General-Purpose AI Code of Practice is not a constitution in law. It is a compliance instrument: a public grammar for making foundation-model builders document, report, and manage obligations before their models become invisible infrastructure.

Here, "model constitution" means the enforceable and semi-enforceable record around a model: provider identity, model version, documentation, copyright policy, training-content summary, systemic-risk process, incident channel, signatory scope, and the institutions that can ask for proof.

It is constitutional only in the modest governance sense: it asks who may define the model's obligations, who can inspect the evidence, who can demand correction, and what survives when a model name, interface, or release story changes.

From Product to Institution

Foundation models are no longer only products. They are becoming institutional substrate: search assistants, workplace copilots, coding systems, public-service interfaces, tutoring tools, customer-support layers, creative engines, and agents that act through browsers, APIs, documents, and enterprise software.

This creates a governance problem that ordinary product regulation struggles to name. A general-purpose model may be released by one company, customized by another, embedded by a third, and encountered by a user inside a system that looks like a bank form, school portal, help desk, or phone interface. The model's builder is upstream, but its effects are downstream and distributed.

The European Union's AI Act tries to answer that upstream problem by creating obligations for providers of general-purpose AI models, or GPAI models. Under the Act, a GPAI model is not simply a popular chatbot. It is a model with significant generality that can competently perform a wide range of distinct tasks and be integrated into many downstream systems or applications. The Commission says these obligations entered into application on August 2, 2025. All GPAI providers face documentation, copyright-policy, and training-content-summary duties. Providers of GPAI models with systemic risk face additional duties around notification, risk assessment, mitigation, incident reporting, and cybersecurity.

The governed object is therefore not just a brand name or chat interface. It is the provider-side record that follows a model across versions, integrations, release channels, and downstream dependencies. A useful code has to say who built the model, what version is being described, what downstream actors may rely on, what has changed after further training, and where regulators can demand evidence.

The model constitution is not the system prompt, the usage policy, or the public brand. It is the stack of claims that remains when a provider must answer: which model, which provider role, which documents, which downstream information, which safety process, which copyright and training-content notices, which incident channel, which update record, and which enforcement body?

The General-Purpose AI Code of Practice, published in July 2025, sits inside that architecture. It is voluntary, but not decorative. The Commission and the AI Board have assessed it as an adequate voluntary tool for providers to demonstrate compliance. Signatories get a clearer path; non-signatories must show compliance by other means.

That is why the code matters. It marks a shift from asking whether a model is impressive to asking what public obligations attach to the act of building a model other institutions will depend on.

What the Code Does

The Code of Practice was prepared by independent experts through a multi-stakeholder process. The Commission's Q&A says the process involved nearly 1,000 stakeholders, representatives of EU Member States, and European and international observers, including model providers, small and medium-sized enterprises, academics, safety experts, rightsholders, and civil-society organizations.

That process does not make the code perfect. Multi-stakeholder governance can blur accountability when every actor gets a voice but no actor owns the social consequences. It can also become a site where powerful companies shape compliance into something they can already do. Still, the process is institutionally important because it moves model governance out of pure company policy and into a public compliance vocabulary.

The Commission describes the code as a tool for complying with AI Act obligations on safety, transparency, and copyright. This is the right triad. Transparency asks what the model is and what evidence surrounds it. Copyright asks how the model relates to the cultural memory used to train it. Safety and security ask what happens when the model's capability becomes large enough to create systemic risk.

In other words, the code begins to treat a model as a public object: not public property, not necessarily open source, and not a legal person, but an artifact whose builders owe society some structured account of what they made.

Read against the legal text, the code also separates audiences. The AI Office may need confidential submissions. Downstream providers need enough information to integrate and comply. Rightsholders and the public need a training-content summary that is visible and tied to a model or model version. Signatories need shared implementation practice. A credible model constitution keeps those audiences distinct instead of treating one public document as if it answered every governance question.

Current Compliance Layer

As of June 23, 2026, the code is no longer only a drafting exercise. The GPAI obligations have applied since August 2, 2025. The Commission's enforcement powers for GPAI providers begin on August 2, 2026, and providers of GPAI models already on the market before August 2, 2025 must comply by August 2, 2027. The Commission's 2026 guidelines are not legally binding, but they state how the Commission interprets key GPAI concepts and how it expects providers to prepare for compliance.

The compliance layer now has several artifacts, and they should not be collapsed. The Code of Practice is a voluntary route for demonstrating compliance with Article 53 and Article 55 duties. The public summary of training content is a mandatory template-based disclosure for GPAI providers. The model documentation form is a structured way to supply technical information. EU SEND is the channel for submitting documents to the AI Office, including systemic-risk notifications, serious-incident reports, safety and security frameworks, model reports, and non-signatory reports on alternative compliance. The Signatory Taskforce, chaired by the AI Office, exists to help signatories apply the code coherently; its public page records meetings on January 30, March 13, and March 27, 2026.

The Commission's current code page also shows a live signatory layer. It lists multiple providers as signatories of the code and separately states that xAI signed the Safety and Security chapter only, which means transparency and copyright compliance must be demonstrated through other adequate means. That detail is a useful warning: "signed the code" is not a single status unless the covered chapters, models, versions, and exceptions are visible.

This matters because the code is not only a PDF. It is becoming a governance interface: signatory lists, taskforce meetings, documentation templates, training-content summaries, submissions to the AI Office, and future enforcement actions. That interface can make obligations more concrete. It can also create compliance theater if the existence of the interface is mistaken for proof that a model is lawful, safe, or socially justified.

The Three Chapters

The code has three separately authored chapters: Transparency, Copyright, and Safety and Security.

Transparency gives providers a model-documentation form for information needed under Article 53 of the AI Act. This is not glamorous work. It is administrative legibility: facts about the model, its provider, technical characteristics, training process, capabilities, limitations, and intended use. But administrative legibility is where governance starts. A system that cannot be described cannot be audited, compared, procured responsibly, or contested. This chapter belongs beside model cards and system cards, audit trails, and AI bills of materials.

Copyright offers practical ways for providers to maintain a policy for complying with EU copyright law. This matters because general-purpose models are trained on large bodies of text, images, code, music, video, metadata, and other cultural traces. Copyright is not the whole moral problem of training data, but it is one of the few existing legal languages that can force the training stack to acknowledge human contribution, opt-outs, licensing, and recordkeeping.

Safety and Security applies to the smaller class of providers whose models present systemic risk. The Commission describes this chapter as state-of-the-art practice for managing systemic risks from the most advanced models. It belongs beside the emerging AI safety-institute layer discussed in The Measurement State Comes for AI: public governance now depends on tests, documentation, incident records, risk models, and institutional capacity to understand systems before deployment normalizes them.

The three chapters are not equal in political meaning. Transparency and copyright apply broadly. Safety and security concentrate on the frontier. Together they create a two-level model polity: baseline duties for all general-purpose model providers, and heavier duties for the most capable systems.

Keeping the chapters separate is a safety discipline. A provider can be legible on model documentation while still having contested copyright practices. It can have a training-content summary while still needing stronger systemic-risk tests. It can sign only part of the code. Governance fails when those separate claims are merged into one vague badge of responsibility.

The evidence should also stay chapter-bound. Transparency evidence belongs to documentation, model identity, versioning, downstream information, and public-facing cards. Copyright evidence belongs to policies, opt-out handling, source categories, licensing, and training-content summaries. Safety and security evidence belongs to evaluations, adversarial testing, serious-incident reporting, model-weight protection, cybersecurity, and safety cases. A strong chapter should point to the others; it should not impersonate them.

Soft Law With Teeth Nearby

The code is voluntary, but the AI Act is not. This distinction is easy to misunderstand. A voluntary code in isolation can become public-relations foam. A voluntary code attached to legal obligations can become a compliance bridge.

The Commission's Q&A says adherence to the code is a means to demonstrate compliance, but not a presumption of conformity. Providers may comply by other means, but they are expected to justify why those alternatives are adequate, for example through a gap analysis against the approved code. The AI Office is responsible for supervising and enforcing GPAI obligations at the EU level, while national competent authorities oversee many AI-system rules.

The teeth nearby are specific. The AI Office can request information, conduct evaluations of GPAI models, request measures including risk mitigations or market recall, and impose fines of up to 3% of worldwide annual turnover or EUR 15 million, whichever is higher. Those powers do not make every code commitment self-enforcing, but they prevent the code from being merely aspirational.

This is a real institutional design choice. Instead of waiting for every technical standard to harden, the EU is using a code to translate broad legal duties into operational practices. That can reduce ambiguity. It can also create a risk: early compliance templates may freeze a narrow picture of responsibility before the technology's social consequences are understood.

The adequacy assessment is therefore category-level evidence, not model-level certification. The Commission and AI Board have accepted the code as an adequate voluntary tool. They have not certified that any specific model is safe, lawful in every deployment, or free of downstream harms. That distinction should stay visible in procurement, journalism, audits, and litigation.

The test is whether the code becomes a floor or a ceiling. If it becomes a floor, providers meet baseline documentation, copyright, and safety practices while regulators, researchers, workers, users, and courts continue to identify missing duties. If it becomes a ceiling, companies can treat signature as a badge that ends the conversation.

For non-signatories, the corresponding discipline is visible alternative compliance. If a provider chooses not to sign, or signs only one chapter, the public-interest question is not whether the provider has rejected safety. The question is what evidence it supplies instead, whether the AI Office can inspect it, whether downstream providers can rely on it, and whether affected people can understand the consequence of that choice.

The copyright chapter is often treated as a fight between rights holders and model developers. It is that, but it is also a fight over machine memory.

Generative AI turns cultural archives into capability. Books, news, websites, art, recordings, code, subtitles, comments, manuals, forum posts, and public datasets become part of a statistical system that can answer, imitate, summarize, translate, style-transfer, and compete. The model does not preserve works the way a library preserves works. It metabolizes patterns and sells access to the resulting capability.

That is why a training-content summary matters even when it is incomplete. It gives the public a handle on the memory source of the machine. It does not settle whether training was lawful, fair, exploitative, transformative, or socially legitimate. But it refuses the blankness of "the model was trained on data."

The Commission's template makes that handle more concrete. It requires a common baseline for summaries: general provider and model information, broad modalities and data characteristics, lists of data-source categories, information about scraped online sources, user data and synthetic data where relevant, and processing details useful to parties exercising rights under Union law. The template also says summaries should be public, clearly tied to the covered model or model version, and updated when further training materially changes the training content. This is narrower than a full training-data ledger, but stronger than a generic assurance.

The earlier essay After the Book Becomes a Database argued that public knowledge is being moved into private retrieval and answer systems. The GPAI obligations are a European attempt to put some recordkeeping around that movement. They cannot solve the ownership problem alone. They can make it harder for model providers to pretend the training world has no authors, no exclusions, no contracts, and no political economy. The same pressure appears in AI data licensing and AI copyright litigation: a source summary is not a legal defense, but it can make rights claims less blind.

Systemic Risk Is a Political Category

The AI Act uses compute thresholds as part of the systemic-risk framework, but the legal definition is broader than a single number. Article 3 defines systemic risk as risk specific to the high-impact capabilities of GPAI models, with significant impact on the Union market or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or society as a whole, propagated at scale across the value chain. Article 51 then creates a presumption of high-impact capability when training compute exceeds 10^25 floating-point operations. Commission guidance separately uses a 10^23 FLOP threshold plus generative capability as part of its interpretation of GPAI scope.

Thresholds are useful because law needs handles. But systemic risk is not only a number. A model's social risk depends on deployment, tool access, autonomy, user base, domain, safeguards, integration into institutions, and incentives around it. A model attached to medical triage, financial services, cyber tools, companion products, workplace management, or public administration can matter differently than the same model in a sandbox.

The Commission knows this at least in part: Article 55 duties include state-of-the-art model evaluation, documented adversarial testing, systemic-risk assessment and mitigation, serious-incident reporting, and cybersecurity protection for the model and, where appropriate, its physical infrastructure. Those duties point beyond raw scale toward institutional behavior. The provider must not only build. It must watch, report, secure, and respond.

That response duty should include version discipline. A systemic-risk assessment that names a model family but not the release, post-training procedure, tool scaffolding, deployment channel, or rollback plan leaves too much ambiguity. The point is not to make paperwork longer. It is to make responsibility traceable when a model changes.

One practical bridge is the AI safety case. The code and Article 55 name duties, but a safety case can force those duties into an argument: which model version, which risk pathway, which evaluation, which mitigation, which residual risk, which reviewer, and which release or restriction decision follows. Without that connective tissue, evaluations and incident processes can remain separate compliance artifacts rather than a governed release decision.

This is the real constitutional move. A model provider becomes a governed actor because its system may shape the conditions under which other actors know, decide, create, and act.

The Governance Standard

A strong GPAI regime should meet sixteen practical tests.

First, documentation must be usable. A model-documentation form should help regulators, downstream providers, researchers, and procurers understand real capabilities and limits. It should not become a dense paperwork shield that only compliance teams can parse.

Second, training-content summaries must preserve contestability. If creators, publishers, researchers, or regulators cannot understand broad source categories and opt-out practices, the summary will not support accountability.

Third, systemic-risk assessment must include deployment context. Scale matters, but so do tools, agents, memory, integrations, user populations, and foreseeable misuse.

Fourth, incident reporting must connect to public memory. A serious incident should not disappear into private remediation. It should feed institutional learning, as argued in The Incident Report Becomes Public Memory, and it should align with the recordkeeping discipline in AI incident reporting.

Fifth, signatory status must not become moral laundering. Signing a code is evidence of participation in a compliance regime. It is not proof that a model is safe, fair, lawful in every use, or socially legitimate.

Sixth, downstream handoff must be explicit. Providers should make clear what downstream system builders can rely on, what they must test themselves, and where the model-layer obligation stops. That belongs with AI registers, system inventories, and procurement records.

Seventh, open-weight and fine-tuned releases need their own boundary rules. The AI Act's documentation exemptions for some free and open-source GPAI models do not apply to systemic-risk models, and the Commission's Q&A warns that risk mitigations can be harder to implement after open-source release. A model constitution that ignores modification, fine-tuning, adapters, quantization, and redistribution is incomplete.

Eighth, evaluation claims must be tied to release gates. Safety testing should not live only in launch documents. It should affect model access, feature rollout, tool permissions, monitoring, and rollback, as discussed in frontier AI safety frameworks and system-card release rituals.

Ninth, public summaries must not pretend to be full data provenance. The Commission template is a minimum public baseline, not a complete ledger of every work, crawl, license, or exclusion. Its value is that it creates a handle for contestation, not that it resolves the training-data problem by itself.

Tenth, signatory scope must be versioned. A public list should make it possible to understand which provider, chapter, model family, and time period are covered. Withdrawals, partial signatures, new versions, and changed training runs should not vanish into the word "signatory."

Eleventh, assurance should be independent enough to matter. Internal compliance records are necessary but not sufficient. The model constitution needs outside checks: audits, safety institutes, researcher access where appropriate, and procurement processes that can reject insufficient evidence. That connects this essay to AI audit interfaces and AI audits and assurance.

Twelfth, enforcement capacity must remain visible. A code, taskforce, template, or signature is useful only if it connects to monitoring, information requests, evaluations, corrective measures, penalties, and public learning. Otherwise compliance becomes another interface that hides power behind process.

Thirteenth, downstream handoff must be usable. The information supplied to downstream providers should connect to AI bills of materials, system inventories, and procurement. A downstream actor cannot govern a model-layer risk if the upstream record arrives as a vague compliance assertion.

Fourteenth, serious-incident duties need repair paths. Incident reporting should link to model versions, affected downstream systems, mitigation status, notification duties, vulnerability channels, and post-market monitoring. The point is not only that the AI Office receives a report; it is that the model ecosystem learns, corrects, and preserves memory.

Fifteenth, copyright summaries must not impersonate data provenance. The public template creates a minimum summary, not a full ledger of every work, license, exclusion, scrape, deduplication step, or contract. A stronger governance stack should still preserve deeper data provenance for auditors, courts, regulators, and legitimate rightsholder processes.

Sixteenth, the model constitution must govern updates. A new training run, fine-tune, adapter, model substitution, deployment channel, safety framework, or public summary can change the practical meaning of the code commitment. Change management and post-market monitoring should treat those changes as constitutional events, not housekeeping.

What This Changes

The Code of Practice is a ritual of legibility. That is not an insult. Rituals matter when they make power answerable to form.

A foundation model is difficult to govern because it hides inside other things. It becomes the summary in the search box, the suggestion in the editor, the classifier in the workflow, the agent in the browser, the tutor in the school product, the voice in the customer-service line. By the time a user encounters it, the model may feel like the institution itself.

The code interrupts that invisibility. It says there is a provider, a model, a training history, a documentation duty, a copyright policy, a risk process, a security obligation, a reporting path, and an enforcement body. It turns the glowing interface back into an accountable chain.

But the danger is compliance theater. The provider signs. The model ships. The interface smiles. The downstream institution points upstream. The upstream provider points to the code. The user experiences an automated decision, generated claim, lost job pathway, broken citation, manipulative companion, or impossible appeal, and every actor says the paperwork was in order.

The useful standard is harder: public obligations must remain connected to human consequence. Documentation must help someone understand. Copyright policy must help someone contest. Risk assessment must change deployment. Incident reports must preserve memory. Enforcement must be capable of saying no. The point is not to imagine the model as a citizen; it is to stop powerful private infrastructure from becoming ungovernable because it is technically upstream and socially everywhere.

The model constitution has arrived in modest clothes: a code, a form, a threshold, a chapter, a signature, an office. That modesty is appropriate. No code can govern the whole machine. But without such instruments, the machine governs through defaults, and defaults are constitutions written by whoever shipped first.

Source Discipline

This essay treats the EUR-Lex text of Regulation (EU) 2024/1689 as the controlling legal source for Articles 3, 51, 53, 55, 56, and 101. It treats AI Act Service Desk article pages as useful explanatory navigators, while remembering that summaries are not legally binding. It treats Commission guidelines and Q&A pages as official interpretation and implementation guidance, not as amendments to the Act. It treats the Code of Practice page as evidence of the code's structure, signatory process, current signatory list, and adequacy assessment, not proof that any signatory's model is compliant in practice.

The public-summary template is a separate source category. It is mandatory for training-content summaries, while adherence to the Code of Practice is voluntary. The two are related parts of the GPAI package, but they do different governance work. A provider can publish a training-content summary without proving systemic-risk safety; a provider can sign the code without proving lawful use of every source in the training stack.

For current claims, dates matter. August 2, 2025 is the application date for GPAI obligations; August 2, 2026 is the start of Commission enforcement powers for GPAI providers; August 2, 2027 is the compliance deadline for many pre-existing GPAI models. The Signatory Taskforce and signatory list are implementation facts as of the current Commission pages, not permanent status claims. Any future article should recheck them before naming providers or treating signature as settled evidence.

Source discipline also means avoiding status inflation. "The code is adequate," "the provider signed," "the template was used," "the model report was submitted," "the public summary was published," and "the model is safe enough to deploy" are different claims. Each needs its own artifact, date, model boundary, and evidence class.

Sources


Return to Blog