General-Purpose AI Models Under the EU AI Act: What OpenAI, Anthropic, and You Must Do

Elena: The GPAI chapter — Title IX of the EU AI Act — is one of the most technically complex parts of the regulation, and it's also one of the most relevant to any startup building products on top of foundation models. Let me break it down.

Elena: First, what is a General-Purpose AI Model? The Act defines it as an AI model trained on broad data, capable of multiple tasks, made available to a large number of downstream providers. GPT-4, Claude 3.5, Gemini Ultra — these are GPAI models. The companies providing them — OpenAI, Anthropic, Google — are "providers" under the Act.

Elena: What do GPAI providers have to do? Maintain technical documentation, comply with EU copyright law regarding training data, publish a summary of training data, cooperate with downstream providers. For high-capability GPAI models — those above a certain computational threshold — there are additional requirements: adversarial testing, incident reporting, cybersecurity obligations.

Elena: Now, critically, what does this mean for a startup building on top of GPT-4? You're a "downstream provider." You have your own obligations separate from OpenAI's. The key one is that you must not deploy the GPAI model in a way that creates a high-risk AI system without meeting the high-risk AI requirements. You can't outsource your compliance to OpenAI by saying "we're just using their model." The compliance duty attaches to the deployment, not just the model.

Elena: Practically: if you're building a hiring tool on top of an LLM, the hiring tool is high-risk, and you're responsible for the conformity assessment. OpenAI's compliance with the GPAI chapter doesn't discharge your obligation.