General-Purpose AI Model Requirements: A Comprehensive Guide for AIGP Exam Preparation
Introduction
General-Purpose AI (GPAI) models have become one of the most significant topics in AI governance. As these powerful foundation models—such as large language models (LLMs) and multimodal systems—are deployed across countless downstream applications, regulators and standards bodies have recognized the need for specific requirements governing their development and deployment. Understanding GPAI model requirements is essential for anyone preparing for the IAPP AI Governance Professional (AIGP) exam, as this topic sits at the intersection of law, policy, and technical governance.
Why Are General-Purpose AI Model Requirements Important?
GPAI models are unique because they are not designed for a single, predefined purpose. Instead, they can be adapted for a wide variety of tasks across many domains. This flexibility creates several governance challenges:
1. Unpredictable downstream uses: Providers of GPAI models often cannot foresee all the ways their models will be used, making it difficult to conduct traditional risk assessments tied to specific use cases.
2. Concentration of power: A small number of GPAI model providers can influence an enormous number of downstream applications and deployers, meaning any deficiency in the model propagates at scale.
3. Systemic risks: The most capable GPAI models may pose systemic risks—risks that affect public health, safety, fundamental rights, or society at large—due to their scale, reach, and capability.
4. Accountability gaps: Without specific requirements for GPAI model providers, there can be a gap in the AI value chain where no party takes responsibility for foundational model-level risks.
5. Transparency needs: Downstream deployers need adequate information about the models they integrate to fulfill their own compliance obligations.
These factors make GPAI model requirements a critical pillar of modern AI regulation, particularly under the EU AI Act, which is the first major legislation to establish binding rules specifically for GPAI models.
What Are General-Purpose AI Model Requirements?
General-Purpose AI model requirements are legal and regulatory obligations placed on providers of GPAI models. The most prominent framework is found in the EU AI Act (Articles 51–56 and related annexes), but the concept is also reflected in emerging standards and voluntary commitments worldwide.
Key Definitions:
- General-Purpose AI Model: An AI model—including when trained with large amounts of data using self-supervision at scale—that displays significant generality and is capable of competently performing a wide range of distinct tasks, regardless of how the model is placed on the market. This can be integrated into a variety of downstream systems or applications.
- GPAI Model Provider: The entity that develops or commissions the development of a GPAI model and places it on the market or puts it into service, including through open-source release.
- Systemic Risk: A risk that is specific to the high-impact capabilities of GPAI models, having a significant effect on the Union market due to reach or other reasonably foreseeable negative effects on public health, safety, fundamental rights, or society as a whole, that can be propagated at scale across the value chain.
The Two-Tier Approach Under the EU AI Act
The EU AI Act establishes a two-tier system for GPAI models:
Tier 1: All GPAI Models (Article 53)
All providers of GPAI models must comply with baseline transparency and documentation requirements, including:
1. Technical documentation: Providers must draw up and maintain up-to-date technical documentation of the model, including its training and testing process and results of its evaluation. This documentation must be made available to the AI Office and national competent authorities upon request.
2. Information and documentation for downstream providers: GPAI model providers must provide adequate information and documentation to downstream providers who intend to integrate the model into their own AI systems. This enables downstream providers to understand the model's capabilities and limitations and comply with their own obligations.
3. Copyright compliance policy: Providers must put in place a policy to comply with EU copyright law, particularly the Text and Data Mining provisions under the Copyright Directive (Directive 2019/790). They must identify and respect rights reservations (opt-outs) expressed by rights holders.
4. Training data summary: Providers must draw up and make publicly available a sufficiently detailed summary of the content used for training the GPAI model, following a template provided by the AI Office.
Tier 2: GPAI Models with Systemic Risk (Articles 54–55)
GPAI models classified as posing systemic risk are subject to additional, more stringent obligations. A GPAI model is presumed to have systemic risk if:
- It has high-impact capabilities, which is presumed when the cumulative amount of compute used for training exceeds 10^25 FLOPs (floating point operations), or
- It is designated as such by the European Commission based on criteria such as the number of registered end users, the degree of autonomy, or other indicators.
Additional requirements for GPAI models with systemic risk include:
1. Model evaluation: Providers must perform model evaluations, including conducting and documenting adversarial testing (red-teaming) to identify and mitigate systemic risks.
2. Systemic risk assessment and mitigation: Providers must assess and mitigate possible systemic risks, including their sources, that may arise from the development, placing on the market, or use of the model.
3. Incident tracking and reporting: Providers must track, document, and report serious incidents and possible corrective measures to the AI Office and relevant national competent authorities without undue delay.
4. Adequate cybersecurity protections: Providers must ensure an adequate level of cybersecurity protection for the GPAI model and its physical infrastructure.
Codes of Practice
The EU AI Act encourages the development of codes of practice as a mechanism for GPAI model providers to demonstrate compliance. The AI Office facilitates the drawing up of these codes, involving GPAI model providers, downstream providers, civil society, academia, and other stakeholders. Until harmonized standards are published, compliance with approved codes of practice can serve as a presumption of conformity with the relevant GPAI obligations.
How Do GPAI Model Requirements Work in Practice?
1. Classification and Threshold Determination
The first step is determining whether a model qualifies as a GPAI model and, if so, whether it poses systemic risk. The 10^25 FLOPs threshold serves as an initial quantitative benchmark, though the Commission retains discretion to designate additional models or adjust the threshold through delegated acts.
2. Documentation and Transparency
Providers must create and maintain comprehensive technical documentation covering:
- Model architecture and design choices
- Training data sources and curation methods
- Computational resources used
- Training methodology and hyperparameters
- Evaluation results and known limitations
- Energy consumption and environmental considerations
The training data summary must be made publicly available, promoting transparency about the data foundation of the model.
3. Downstream Information Sharing
GPAI model providers must ensure that entities integrating their models into downstream AI systems have sufficient information to:
- Understand the model's intended and foreseeable uses
- Be aware of known risks and limitations
- Fulfill their own compliance obligations (e.g., under high-risk AI system requirements)
- Perform appropriate risk assessments for their specific applications
4. Ongoing Compliance
Compliance is not a one-time exercise. Providers must:
- Update documentation as models evolve
- Monitor for emerging risks, particularly systemic risks
- Report serious incidents promptly
- Engage with the AI Office and respond to requests for information
5. Role of the AI Office
The EU AI Office plays a central supervisory role for GPAI models. Unlike the general enforcement of the AI Act (which falls primarily to national authorities), the AI Office has direct supervisory and enforcement powers over GPAI model providers, including the ability to:
- Request documentation and information
- Conduct evaluations of GPAI models
- Issue binding instructions to address systemic risks
- Impose fines for non-compliance
6. Open-Source Considerations
The EU AI Act provides certain exemptions for open-source GPAI models. Providers of GPAI models released under free and open-source licenses are generally exempt from many of the Tier 1 requirements (such as detailed technical documentation for downstream providers), unless the model is classified as posing systemic risk. However, even open-source providers must still comply with copyright-related obligations and the training data summary requirement.
International Context and Other Frameworks
While the EU AI Act is the most detailed regulatory framework for GPAI models, the concept resonates across jurisdictions:
- G7 Hiroshima Process: Established voluntary International Guiding Principles and a Code of Conduct for organizations developing advanced AI systems, including foundation models.
- U.S. Executive Order 14110 (2023): Required reporting by developers of dual-use foundation models above certain compute thresholds, including information about training, red-team testing, and safety measures (though the status of this EO may change with administration changes).
- OECD: Has developed frameworks and principles relevant to general-purpose and foundation AI models.
- China: Has implemented regulations governing generative AI services, including requirements for training data, content moderation, and registration.
Connection to Other AI Act Provisions
GPAI model requirements interact with other parts of the AI Act:
- High-risk AI systems: When a GPAI model is integrated into a high-risk AI system, the deployer or integrator must comply with high-risk system requirements (Chapter III, Section 2). The GPAI model provider's documentation supports downstream compliance.
- Prohibited practices: GPAI models could be used in prohibited applications; the provider's obligations help ensure transparency about capabilities.
- Transparency obligations: General transparency requirements for AI systems (e.g., disclosing AI-generated content) complement GPAI-specific transparency duties.
Key Challenges and Considerations
- Defining generality: Determining exactly when a model is "general-purpose" versus specialized can be nuanced.
- Compute thresholds: The 10^25 FLOPs threshold is a starting point and may evolve as technology advances.
- Extraterritorial application: GPAI model providers outside the EU must comply if their models are placed on the EU market.
- Supply chain complexity: The AI value chain may involve multiple providers, fine-tuners, and deployers, creating complex allocation-of-responsibility questions.
- Balancing innovation and regulation: Open-source exemptions reflect a policy choice to support open innovation while still addressing the most serious risks.
Exam Tips: Answering Questions on General-Purpose AI Model Requirements
1. Master the two-tier structure: The most commonly tested concept is the distinction between obligations for all GPAI models (Tier 1) and the additional obligations for GPAI models with systemic risk (Tier 2). Be able to list requirements in each tier and explain what triggers classification as systemic risk.
2. Remember the 10^25 FLOPs threshold: This is a frequently tested numerical benchmark. Know that it creates a presumption of systemic risk, but the Commission can also designate models based on other criteria.
3. Know the role of the AI Office: The AI Office has direct supervisory authority over GPAI model providers. This is distinct from the national-level enforcement structure for other parts of the AI Act. This is a common exam differentiator.
4. Understand the open-source exemptions: Know that open-source GPAI models have reduced obligations under Tier 1, but not if they pose systemic risk. Copyright and training data summary obligations still apply. Questions may test whether you can identify which requirements remain for open-source models.
5. Focus on the value chain perspective: Exam questions often test your understanding of how GPAI model provider obligations support downstream deployer compliance. The information-sharing obligation is key—model providers must enable downstream parties to meet their own regulatory requirements.
6. Distinguish codes of practice from harmonized standards: Codes of practice serve as an interim compliance mechanism until harmonized standards are developed. Adherence to codes of practice creates a presumption of conformity.
7. Copyright obligations are always required: Regardless of model type, size, or licensing, all GPAI model providers must comply with copyright law and the training data summary requirement. This is a commonly tested universal obligation.
8. Watch for scenario-based questions: You may encounter scenarios describing a company developing a large foundation model and be asked which obligations apply. Work through the classification systematically: (a) Is it a GPAI model? (b) Does it have systemic risk? (c) Is it open-source? Then identify the applicable obligations.
9. Connect GPAI requirements to broader AI Act themes: Exam questions may ask you to identify how GPAI model requirements fit within the risk-based framework of the AI Act. Understand that GPAI requirements address a gap that the risk-based classification of AI systems alone could not cover, because GPAI models are not deployed for specific purposes at the provider level.
10. Know the key transparency obligations: Be able to list: (a) technical documentation, (b) downstream information provision, (c) copyright compliance policy, and (d) publicly available training data summary. These four elements form the core Tier 1 requirements and are frequently tested.
11. Understand systemic risk additional obligations: For Tier 2, remember the four additional requirements: (a) model evaluation including adversarial testing, (b) systemic risk assessment and mitigation, (c) incident tracking and reporting, and (d) cybersecurity protections. A useful mnemonic: ERIC — Evaluation, Risk assessment, Incident reporting, Cybersecurity.
12. Pay attention to timing and transition periods: GPAI model provisions under the EU AI Act have specific timelines for when they take effect (generally 12 months after entry into force). Be aware that transition periods may be tested.
13. Think internationally: While the EU AI Act is the primary focus, be prepared for questions comparing GPAI approaches across jurisdictions (e.g., the G7 Hiroshima Process, US Executive Orders, OECD principles).
14. Read questions carefully for qualifiers: Words like "all," "only," "always," and "never" are important. For example, "All GPAI model providers must make technical documentation publicly available" is false—the training data summary must be public, but technical documentation is provided to authorities upon request, not made publicly available.
By thoroughly understanding the structure, substance, and practical application of GPAI model requirements, you will be well-prepared to handle any exam question on this increasingly important topic in AI governance.
