Hostname: page-component-76d6cb85b7-5qg8f Total loading time: 0 Render date: 2026-07-16T21:23:51.447Z Has data issue: false hasContentIssue false

On Regulating Downstream AI Developers

Published online by Cambridge University Press:  04 August 2025

Sophie Williams*
Affiliation:
Centre for the Governance of AI, Oxford, UK
Jonas Schuett
Affiliation:
Centre for the Governance of AI, Oxford, UK
Markus Anderljung
Affiliation:
Centre for the Governance of AI, Oxford, UK
*
Corresponding author: Sophie Williams; Email: sophie.williams@governance.ai
Rights & Permissions [Opens in a new window]

Abstract

Foundation models – models trained on broad data that can be adapted to a wide range of downstream tasks – can pose significant risks, ranging from intimate image abuse, cyberattacks, to bioterrorism. To reduce these risks, policymakers are starting to impose obligations on the developers of these models. However, downstream developers – actors who fine-tune or otherwise modify foundational models – can create or amplify risks by improving a model’s capabilities or compromising its safety features. This can make rules on upstream developers ineffective. One way to address this issue could be to impose direct obligations on downstream developers. However, since downstream developers are numerous, diverse, and rapidly growing in number, such direct regulation may be both practically challenging and stifling to innovation. A different approach would be to require upstream developers to mitigate downstream modification risks (e.g., by restricting what modifications can be made). Another approach would be to use alternative policy tools (e.g., clarifying how existing tort law applies to downstream developers or issuing voluntary guidance to help mitigate downstream modification risks). We expect that regulation on upstream developers to mitigate downstream modification risks will be necessary. Although further work is needed, regulation of downstream developers may also be warranted where they retain the ability to increase risk to an unacceptable level.

Information

Type
Articles
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2025. Published by Cambridge University Press
Figure 0

Table 1. Overview of actors along the AI value chain22

Figure 1

Figure 1. Overview of the AI value chain.

Figure 2

Table 2. Examples of downstream modifications39

Figure 3

Table 3. Approaches policymakers could take with regards to risks from downstream modifications

Figure 4

Table 4. Examples of specific criteria that could be used to target a subset of downstream developers

Figure 5

Table 5. Types of obligations that could apply to downstream developers

Figure 6

Table 6. Types of obligations that could apply to upstream developers to reduce the risks from downstream modifications

Figure 7

Figure 2. One possible approach for identifying downstream developers whose modifications might warrant regulatory intervention.

Figure 8