Internal Deployment Gaps in AI Regulation
It highlights a critical oversight problem in AI regulation for policymakers and organizations, focusing on internal deployments that are often incremental in regulatory frameworks.
This paper examines how frontier AI regulations in the U.S. and EU in 2025 handle internal deployment, identifying three gaps that could cause internally-deployed systems to evade oversight, such as scope ambiguity and information asymmetries, and analyzes approaches to address them.
Frontier AI regulations primarily focus on systems deployed to external users, where deployment is more visible and subject to outside scrutiny. However, high-stakes applications can occur internally when companies deploy highly capable systems within their own organizations, such as for automating R\&D, accelerating critical business processes, and handling sensitive proprietary data. This paper examines how frontier AI regulations in the United States and European Union in 2025 handle internal deployment. We identify three gaps that could cause internally-deployed systems to evade intended oversight: (1) scope ambiguity that allows internal systems to evade regulatory obligations, (2) point-in-time compliance assessments that fail to capture the continuous evolution of internal systems, and (3) information asymmetries that subvert regulatory awareness and oversight. We then analyze why these gaps persist, examining tensions around measurability, incentives, and information access. Finally, we map potential approaches to address them and their associated tradeoffs. By understanding these patterns, we hope that policy choices around internally deployed AI systems can be made deliberately rather than incidentally.