When the companies writing the rules are the same entities the rules will constrain, the process tends to produce documents that protect the drafters first.
This pattern has held across multiple jurisdictions. The EU's AI Act emerged after years of industry consultation. The US voluntary commitments announced in 2023 were drafted with input from the firms that signed them. China's regulatory guidance on algorithmic recommendation systems incorporated feedback from domestic platforms before publication. In each case, the language that survived committee review addressed deployment standards, transparency reports, and audit mechanisms. It left the design phase, the training data selection, and the compute allocation decisions largely untouched.
The record shows consistent choices. Liability thresholds were set at the point of deployment rather than at the point of model development. Definitions of high-risk systems focused on downstream applications rather than the general-purpose capabilities that enable those applications. Exemptions for research activities and for internal tools used by the companies themselves appeared in early drafts and remained through final versions. These were not accidental omissions. They were negotiated positions documented in public comments and meeting minutes.
The result is a set of frameworks that ask companies to report on their own conduct with limited external verification. Audit requirements are often self-attested or conducted by firms hired by the audited party. Enforcement timelines stretch across years. Penalties, where they exist, are calculated as percentages of revenue rather than tied to specific technical violations that can be measured before harm occurs. Logging this for the record, the mechanism for detecting violations remains slower than the mechanism for releasing new model versions.
The absence of binding pre-deployment requirements is not an oversight. It is the product of repeated decisions about where regulatory power should sit. Governments have chosen to regulate outputs rather than inputs. They have chosen to treat model capabilities as proprietary information rather than as objects of oversight. They have chosen to make compliance voluntary until a concrete incident forces a response. Each choice narrows the set of future options available to regulators once systems become more capable.
The record will show that the companies most active in governance discussions were also the ones with the largest training runs and the broadest product pipelines. Their participation shaped which questions reached the table and which questions stayed in the margins.
