Table of Contents
Historical context-
This Framework contains two parts. First, the red lines expressed by Standards 1 and 2. Second, a Review Body which advises on contracts relative to Standards 1 and 2. The Body cannot block contracts. Instead, it assesses whether contracts comply with defined Standards, ensuring key decision-makers can track the ethical implications of those contracts. The Body manufactures justified trust by releasing a yearly transparency report to all AI employees. The report notes how many times leadership overrode a non-compliance finding. Leadership cannot quietly dismantle the Body.
I hope this document provides a good starting point for adoption efforts.
Executive summary
This Framework proposes two narrow Standards for the AI provided (directly or indirectly) by The Company to government entities1 exercising coercive authority:
-
Human control over targeting and use of force. The Company’s AI won’t be used in systems that select and engage targets for force without appropriate human control over each engagement, evaluated on a use-case-by-use-case basis. Applies whether The Company provides the targeting system directly or simply provides AI components in a targeting pipeline. Includes a right to legal transparency regarding how systems will be lawfully deployed, with compliance verification conducted by a mutually agreed neutral auditor. Does not restrict anti-munition defensive systems, intelligence analysis subject to Standard 2, logistics, or R&D.
-
No untargeted AI profiling. The Company’s AI won’t convert bulk data into individualized intelligence on people who aren’t already specific, identified subjects of investigation. For all persons regardless of nationality, individualized AI-assisted analysis must be proportionate to the security interest served, may not be initiated based solely on demographic characteristics or political expression, and AI-generated outputs may not serve as the sole basis for initiating individualized scrutiny. Heightened protections for all persons in the U.S. regardless of status.2 Permits targeted analysis of identified subjects, aggregate research, and conflict zone analysis that improves noncombatant protection.
Tiered deployment architecture. Applications implicating Standards 1 or 2 require cloud deployment where The Company maintains monitoring, safety stack, and suspension capability. Air-gapped and edge deployments are permitted only for applications outside the scope of both Standards and only with capability-scoped models from which general-purpose targeting and profiling capabilities have been removed using robust unlearning and ablation techniques. The standard is that the cost of repurposing a scoped model should exceed the value of doing so.
Transparency via yearly internal reports: A seven-person Defense AI Review Body of senior staff, appointed by and reporting to the Chief Scientist (with succession to the Chair if the Chief Scientist departs). Reviews relevant AI contracts at all levels of government. Contracts plausibly implicating Standards 1 or 2 receive pre-execution review. Most contracts are not implicated and so proceed on execution, with annual audits of a representative sample.
Four members are drawn from the The Company’s AI research division, with two member from The Company’s Public Sector and one member with independent expertise. Changes to the Body’s mandate or structure require 30 days’ advance notice to all Covered AI Employees, including disclosure of any outstanding non-compliance findings, ensuring continuity and institutional memory across leadership transitions.
The Review Body issues findings. It does not approve or block contracts. Leadership retains full decision-making authority, although a supermajority Review Body can send their concerns to The Company’s Board. The enforcement mechanism is transparency: if the ceo declines to act on a non-compliance finding and the Review Body maintains that finding by majority, override counts are tallied and recorded in the annual transparency report visible to all Covered AI Employees.
Superseded by future laws: If Congress passes substantial legislation governing these usages, the Chief Scientist and Review Body (by supermajority vote) can retire one or both Standards.
Rationale
The Company may be liable. In Al Shimari v. CACI Premier Technology, Inc. (4th Cir. 2026), the Fourth Circuit affirmed a $42 million jury verdict against a defense contractor for harms arising from services provided under government direction. No court has yet held an AI provider liable on a comparable theory, but The Company does not want to be the test case. Providing AI for targeting or surveillance without any documented compliance process is an unhedged liability. A Framework that documents due diligence provides a negligence defense.
Review Body outputs are privileged legal assets. The Review Body’s deliberations, findings, and leadership responses are generated in the presence of a General Counsel representative and constitute attorney-client privileged work product. The compliance record cannot be compelled in discovery by a plaintiff. But The Company can selectively waive privilege to demonstrate its process to a court. The Framework creates a documented due diligence trail that The Company controls the disclosure of.
The Framework is designed to retire. It fills a governance gap that Congress has not yet addressed. One election cycle could produce binding federal standards on autonomous weapons or AI surveillance. If Congress acts and the statutory framework meets or exceeds these Standards, the Framework steps aside. No major cloud provider has adopted a comparable framework. The Company would be first—either a competitive risk or a first-mover advantage, depending on whether Congress legislates.
The Framework is designed for contracting velocity. Contracts that clearly fall outside both Standards—logistics, translation, planning, maintenance, communications, cyber—proceed on execution and are subject to a trailing review within 15 business days. Only contracts plausibly implicating targeting or untargeted profiling require pre-execution review, which completes within ten business days with a possible ten-day extension.
The Framework is durable and consistent. The Framework provides a defined boundary that the sales team, the Review Body, and leadership all work from—which produces faster, more consistent answers than case-by-case escalation to legal.
The Company will not accept “all lawful use” as its standard. Where “all lawful use” language is demanded, The Company will require access to the legal memoranda establishing the lawfulness of intended uses. That transparency gives The Company the information to evaluate each use case against its Standards. Some will meet The Company’s standard. Some won’t. The ones that don’t, The Company declines.
Standard 1: Human control over targeting and use of force
Standard 1The Company’s AI systems will not be used in any system that selects and engages targets for the application of force unless appropriate human control is exercised over each specific engagement decision.
“Appropriate human control” requires:
-
An identifiable human decision-maker, accountable under the legal frameworks applicable to the operational context, who, given the available information and the context of the engagement, forms an independent judgment—taking into account the nature of the target, the risk of noncombatant harm, and applicable requirements of the law of armed conflict including distinction and proportionality.
In addition, the Framework requires designation of the commander or official bearing overall responsibility for the system’s deployment and patterns of use, consistent with the principle of command responsibility—the obligation of commanders to prevent, suppress, and report violations committed by forces under their effective authority and control, including violations they knew or should have known about and failed to prevent. This designation applies both in and outside of armed conflict.
-
The operational design of the system must be structured to support human judgment. Systems that generate targeting recommendations at a speed, volume, or level of complexity that functionally precludes genuine human evaluation of individual engagements do not meet this standard, regardless of whether a human is nominally present in the decision chain.
-
Whether human control is appropriate will be evaluated on a use-case-by-use-case basis, not through abstract general rules. The Company will not dictate operational procedures to the military. Instead, for each contract or deployment implicating Standard 1, The Company will require legal transparency: disclosure of the legal analysis establishing how the system will be lawfully deployed and used, analogous to the Pentagon’s Article 36 weapons review process under the Additional Protocols to the Geneva Conventions.
The Review Body will evaluate this legal analysis as part of their compliance assessment. The Review Body will develop and maintain a rubric of the factors it considers—including the ratio of recommendations to reviewers, time per decision relative to complexity, information quality, interface design, and operational tempo—but will apply these factors contextually rather than as prescriptive thresholds.
-
Standard 1 applies whenever The Company’s AI performs or materially contributes to the functions of selecting entities for engagement with force and directing force against selected entities—whether The Company provides the targeting system directly or serves as an AI component in a targeting pipeline. The Company will not provide AI systems for integration into targeting systems that The Company knows or has substantial reason to believe will not meet the above standard. The Company will conduct due diligence on defense AI contracts involving targeting-adjacent applications.
“Knows or has substantial reason to believe”—used throughout this document—means actual knowledge; facts and circumstances that would lead a reasonable person conducting due diligence to conclude the relevant condition is met; or facts that would prompt a reasonable person to inquire further, where The Company failed to do so. The Company has an affirmative duty to inquire when entering contracts within scope and when credible information suggests a possible violation. The Review Body may vote that a pattern of due diligence consistently failing to surface issues in high-risk contexts itself requires modification.
“Force” includes any action intended or likely to cause death, injury, pain, incapacitation, or destruction of property, whether classified as lethal or non-lethal. This encompasses kinetic strikes, directed energy, electronic attack intended to cause physical harm to a human, and law enforcement use of force. “Force” does not include cyber operations whose foreseeable effects are limited to disruption, degradation, or exploitation of data, networks, or systems, without foreseeable risk of physical harm to persons.
For the purposes of Standard 1, “entities” subject to targeting protections include, without limitation:
-
Persons;
-
occupied vehicles, vessels, and aircraft;
-
occupied structures;
-
infrastructure whose damage or destruction poses foreseeable risk of death or serious bodily injury to persons, whether through immediate physical effects or through disruption of systems on which civilian populations depend (including power generation, water treatment, medical facilities, and communications infrastructure enabling emergency services); and
-
any other object or location where engagement poses foreseeable risk of death or serious bodily injury to persons not party to hostilities.
This enumeration is illustrative, not exhaustive. The Review Body will interpret the scope of Standard 1 in light of its purpose: ensuring appropriate human control over each decision to apply force that foreseeably endangers human life or physical safety. Ambiguous cases will be resolved in favor of coverage.
Clarifications
Standard 1 applies equally to systems that select and engage targets for the application of force intended or likely to cause injury, pain, or incapacitation, whether or not the force is classified as lethal. The appropriate human control standard applies to all autonomous engagement of persons, not only to engagement intended to kill.
Standard 1 does not restrict The Company’s AI from being used in: automated defensive3 systems responding to incoming weapons or munitions; intelligence analysis and situational awareness that supports but does not replace human targeting decisions, subject to Standard 2; logistics, planning, communications, or other non-targeting military applications; or research and development on autonomous systems, provided such R&D does not involve live operational deployment against real targets.
Standard 2: No untargeted profiling
Standard 2The Company’s AI systems will not be used to generate individualized profiles, threat assessments, risk scores, or predictive judgments about persons based on bulk data analysis, where those persons have not been individually identified as subjects of investigation or intelligence activity based on particularized4 facts giving rise to a reasonable basis to believe that the specific individual is involved in activities warranting such scrutiny, or as specific known parties to armed conflict.
“Acquisition” means any process by which data about persons enters a system where The Company’s AI processes it, regardless of whether the acquiring agency defines the process as “collection” under its own policies or authorities. The operative question is whether data about persons entered such a system, not whether any particular legal or policy definition of “collection” has been satisfied.
“Bulk data” includes any dataset containing information about a substantial number of persons, whether acquired through government collection, commercial purchase, data broker agreements, open source scraping, voluntary or compelled disclosure by third parties, or any other means. The commercial provenance of a dataset does not exempt it from Standard 2. Bulk commercially purchased datasets containing location data, financial records, communications metadata, biometric data, advertising identifiers, or social media activity about persons are within scope regardless of whether any government surveillance authority was invoked in their acquisition.
Authorization that applies categorically to a class, population, nationality, or dataset—rather than being grounded in facts particular to each individual—does not satisfy the individualized identification requirement, regardless of whether individual names are known.
Protections by territory
For U.S. persons
For all U.S. citizens and lawful permanent residents, regardless of their location, and for all other persons located on U.S. soil regardless of citizenship or immigration status, individualized analysis requires specific, individualized legal process issued or approved by an Article III judge or a judge appointed under the Foreign Intelligence Surveillance Act. No exceptions for national security claims absent such a process.
For avoidance of doubt: where data concerning U.S. persons is acquired incidentally through intelligence operations targeting non-U.S. persons or foreign communications, such data is subject to the heightened protections above. The protections attach to the person, not to the method or location of acquisition. The Company’s AI systems will not analyze incidentally acquired U.S. person data under the less restrictive standards applicable to persons outside the United States.
For persons outside the United States
The baseline prohibition on untargeted profiling applies. However, the following are permitted:
-
Analysis of specific, individually identified persons who are subjects of authorized, lawful intelligence or military operations;
-
Analysis that is specifically designed and operationally structured to improve distinction between combatants and noncombatants in areas of active armed conflict, provided the output is used to reduce targeting of noncombatants rather than to expand the pool of potential targets; and
-
Aggregate statistical analysis that does not generate individualized outputs identifying or rendering identifiable specific persons. Analysis that produces lists, groups, or categories of identified individuals constitutes individualized output for purposes of Standard 2, even if produced through statistical methods applied uniformly across a dataset.
For persons outside the United States in areas of active armed conflict, AI-assisted identification of previously unknown individuals is permitted where the analysis is conducted under authorized military operations, provided that any subsequent application of force toward identified individuals is subject to Standard 1. Identification through this process does not by itself satisfy the individualized identification requirement for further analysis under Standard 2.
Protections which apply regardless of territory or nationality
Individualized AI-assisted analysis must be proportionate to the security interest served.
AI-generated outputs from bulk data analysis may not satisfy the individualized identification requirement of Standard 2. Before any person becomes a subject of sustained individualized AI-assisted analysis, independent human judgment must establish a factual basis particular to that individual, derived from sources independent of the AI-generated output that prompted initial attention.
Individualized analysis may not be initiated based solely on demographic characteristics, national origin, ethnicity, religion, or political expression.
Uses not covered by Standard 2
Standard 2 does not restrict: aggregate statistical or epidemiological research; overt, publicly acknowledged government data analysis for non-intelligence purposes; or analysis of specific, named individuals subject to individualized legal authorization under the laws of the relevant jurisdiction or under applicable international legal frameworks.
Scope
These Standards govern the provision of The Company’s AI products and services—including but not limited to llms and agents, computer vision, nlp, robotics, and any other AI capabilities—to:
- Domestic
- All U.S. government entities exercising defense, intelligence, law enforcement, immigration enforcement, border security, or domestic security functions—federal, state, tribal, territorial, and local. This includes DoD and its components, the Intelligence Community, dhs and its components (including ice and cbp), doj and its components (including fbi, dea, atf), state and local law enforcement, and fusion centers.
- International
- The defense, intelligence, and law enforcement agencies of other nations.
The operative test is whether the end user exercises government coercive authority over persons—surveillance, investigation, detention, use of force, or deprivation of liberty—not its statutory category.
Contracts within scope will include a provision restricting the contracting agency from transferring, sharing, or providing access to The Company’s AI capabilities to any government entity not identified in the contract without prior notification to The Company. If the receiving entity falls within scope, the transfer triggers standard review of the new use case.
These Standards apply whether provision occurs through bespoke contracts, commercial cloud offerings, or third-party integrations where The Company knows or has substantial reason to believe that the end user falls within scope. The scope of covered entities is broad to ensure the Standards apply wherever risk arises.
Infrastructure
These Standards do not govern the provision of general-purpose cloud infrastructure (compute, storage, networking, databases) where The Company is not providing AI-specific capabilities. The distinction is between The Company providing computing resources (out of scope) and The Company providing AI systems that analyze, classify, predict, identify, or generate outputs about persons, targets, or situations (in scope).
Covered AI employees
“Covered AI Employees” means all employees of an organizational unit that develops, deploys, integrates, or provides technical support for AI systems within the scope of these Standards—regardless of the unit’s name, reporting structure, or organizational home. If AI capabilities within scope are developed or deployed by a team that does not fall within any of these units, that team’s employees are Covered AI Employees for purposes of this Framework.
The Review Body will maintain and publish annually a list of organizational units whose employees qualify as Covered AI Employees. Any employee of The Company may request the Review Body to assess whether their unit should be included, and the Review Body will respond within 30 business days.
Existing contracts
The Company will conduct a preliminary review within 90 days and complete the compliance assessment of all existing contracts within 180 days. Remediation timelines run from the date the Review Body issues its recommended remediation (if any) for each contract:
-
30 days for Standard 1 violations involving targeting systems.
-
90 days for Standard 2 violations involving untargeted profiling of persons in the United States.
-
365 days for all other programs requiring modification.
Remediation findings are subject to the same override and escalation process described in Section “Findings and Corrective Action.” The transparency report will separately identify overrides of initial remediation findings.
Existing air-gapped deployments involving applications that implicate Standards 1 or 2 will either migrate to Tier 1 or Tier 2 delivery or be terminated within the relevant priority tier’s remediation window. Existing air-gapped deployments involving applications outside the scope of both Standards will transition to Tier 3 terms (task-specific models, expiring licenses) at next model update or contract renewal.
For contracts found to be non-compliant with one or more Standard, the Review Body shall make recommendations as follows within the timelines above:
-
Where existing contractual language conflicts with these Standards, recommend negotiating modifications.
-
Where modification is not possible, recommend exercising any available early termination options.
-
Otherwise, recommend declining to renew upon expiration.
Downstream transfer
The Company will not sell, license, or transfer AI systems covered by Standards 1 and 2 to any contractor or integrator serving end users within the scope defined above, where The Company knows or has substantial reason to believe the system will be re-transferred to an end user whose use would violate these Standards. Contracts with prime contractors and integrators will include a clause requiring that the substantive requirements of Standards 1 and 2 flow down to any subcontractor, sub-integrator, or other downstream recipient that receives or integrates The Company’s AI capabilities, and that this flow-down requirement itself be included in each subsequent transfer.
Enforcement
Deployment tiers
The enforcement capabilities that The Company can maintain depend on the deployment architecture. Contracts implicating Standards 1 and 2 are restricted to deployment tiers where The Company’s oversight capacity matches the risk level.
Tier 1: Company-hosted cloud
The Company retains full operational control: continuous monitoring, real-time safety stack enforcement, classifier updates, and suspension capability. All contracts implicating Standards 1 or 2 are eligible.
Tier 2: connected private cloud
Customer premises with maintained network connection to The Company.
Hardware resides at the customer’s facility, but The Company retains monitoring, update, and suspension capability through the maintained connection. The customer gains physical data residency; The Company retains the enforcement architecture. Cleared personnel of The Company maintain access to deployment operations. All contracts implicating Standards 1 or 2 are eligible, subject to contractual guarantee of maintained connectivity and access by The Company.
Tier 3: air-gapped environments
In these environments, The Company has no runtime monitoring, update, or suspension capability. Tier 3 deployments are therefore restricted in two ways: by application category and by model capability.
- Application restriction
- Tier 3 is available only for applications that do not implicate Standards 1 or 2—logistics, planning, translation, predictive maintenance, speech-to-text, ocr, communications, and other non-targeting, non-surveillance applications. The Review Body will maintain a positive list of approved Tier 3 application categories, updated annually.
- Model restriction
- Models provided at Tier 3 will be task-specific—scoped to the contracted application (e.g. translation, speech-to-text, ocr, predictive maintenance). Where task-specific models are derived from foundation models through distillation or fine-tuning, The Company will apply robust capability removal techniques—including unlearning, ablation, and other methods at the discretion of the AI researchers on the Review Body and the Chief Scientist—to remove or degrade capabilities outside the approved use case.
-
In air-gapped deployments, the end user may have access to model weights. The standard is therefore not that capability recovery is impossible—it is that the cost, technical difficulty, and unreliability of attempting to recover prohibited capabilities from a scoped model exceed the value of doing so, making repurposing not worth the attempt compared to acquiring a general-purpose model through other means. This assessment is made prospectively by Research members of the Review Body at the time of model approval, and revisited at each 12-month re-authorization.
-
If advances in capability recovery techniques—including fine-tuning attacks, representation engineering, or other methods—materially change the difficulty of repurposing a previously approved model, the Review Body will update its assessment and may decline re-authorization or require additional capability removal before redelivery.
Tier 3 model licenses expire after 12 months and require re-authorization conditioned on the deployment remaining within the approved application category. Re-authorization is The Company’s unilateral commercial decision.
Tier 3 is not available for any application involving targeting, target selection, use-of-force recommendations, individualized surveillance, profiling, biometric identification of persons, or any other application where Standards 1 or 2 are plausibly implicated.
This tiered structure accepts that clients have legitimate operational reasons for air-gapped and edge deployments while ensuring that The Company’s highest-risk AI applications are deployed only in environments where compliance can be technically verified.
The Company will not provide AI capabilities within scope of Standards 1 or 2 to any environment where The Company cannot maintain the monitoring, safety, and suspension capabilities described below.
Retained safety stack
The Company retains sole discretion over the safety stack applied to all Tier 1 and Tier 2 deployments within scope. Content-level safety configurations (such as refusal behaviors and output filtering) may be adjusted for legitimate operational requirements through the normal review process. However, the compliance infrastructure—monitoring, usage telemetry, classifier systems, and suspension capabilities that enable The Company to detect and respond to potential violations of Standards 1 and 2—requires Review Body approval before any removal, modification, or circumvention.
This provision is the one area where the Review Body exercises decisional rather than advisory authority, because compliance infrastructure is the mechanism through which all other oversight is enforced. For Tier 3 deployments, The Company retains sole discretion over which models are provided, their capability scope, and their configuration.
Monitoring, access, and suspension
For Tier 1 and Tier 2 deployments, The Company will maintain: continuous usage telemetry designed to detect patterns of use implicating Standards 1 and 2, with detection design reviewed annually by the Review Body; cleared Company personnel with access to deployment operations sufficient to assess compliance; and the technical capability to suspend AI services to any end user within 72 hours of a reasonable basis to believe a violation has occurred.5
For Tier 3 deployments: model licenses expire after 12 months; re-authorization is conditioned on the deployment remaining within the approved application category and is The Company’s unilateral commercial decision.
Violation of Standards 1 or 2 by a government end user, confirmed by the Review Body after investigation, constitutes grounds for termination of the relevant contract or service agreement, at The Company’s discretion. If a contracting party restricts or obstructs The Company’s monitoring, personnel access, or audit rights (Tiers 1 and 2), The Company will suspend provision of AI capabilities within 15 days unless sufficient access is restored.
“All lawful use”
Where contracts include “all lawful use” provisions, The Company will require that the Review Body’s cleared members and The Company’s General Counsel have access to the legal memoranda and Article 36 review documentation establishing the lawfulness of intended uses. The Review Body will assess whether intended uses are compliant with the Standards. Compliance verification will be conducted through a mutually agreed neutral third party.
Classification
The Company will not enter contracts where classification authority would prevent maintaining the capabilities described in this section.
Standing review body
Purpose
The Company has a strategic and legal interest in ensuring its Assured AI Standards are credibly maintained. Recent case law confirms that government contractors face direct liability for harms arising from their services, even when acting under government direction—while the government itself may be shielded by sovereign immunity. In Al Shimari v. CACI Premier Technology, Inc. (4th Cir. 2026, affirming $42 million jury verdict), the Fourth Circuit held a defense contractor liable for conspiring to commit torture at Abu Ghraib prison, rejecting defenses of government direction and the political question doctrine. The government could not be sued; the contractor could.
This Framework is, in part, a due diligence measure: documented compliance with principled standards of human control and surveillance restraint provides a defense against claims of negligence in the event that The Company’s AI is implicated in civilian harm or unlawful surveillance. The absence of such a framework would leave The Company exposed to liability without any documented process to demonstrate reasonable care.
A standing review mechanism also protects The Company from reputational risk, provides assurance to employees and the public, and gives leadership an independent technical assessment of compliance—reducing the risk that violations surface externally and create crises rather than being caught and addressed internally. This structure is designed to be lightweight, practical, and compatible with The Company’s existing security and contracting processes.
The Review Body’s authority is deliberately advisory rather than decisional. The procedural structure—staggered terms, removal protections, dedicated staff, budget guarantees—exists not because the body has veto power, but because the transparency mechanism only works if the body is credible enough that its findings carry weight. An advisory body that can be quietly defunded, restaffed, or dissolved has no transparency value. The procedural structure protects the credibility of the Review Body.
Composition
The Company will establish a Defense AI Review Body of seven members, reporting to the Chief Scientist. Members will be appointed by the Chief Scientist in consultation with The Company’s executive leadership. Members will serve staggered two-year terms to ensure continuity, with initial appointments staggered at one, one, two, two, three, three, and three years.
Membership will be drawn from senior researchers, engineers, and other experts with relevant expertise in AI systems, security, ethics, law, or related policy:
-
At least four members will be drawn from teams whose primary function is AI research or development—not defense sales, business development, or government relations.
-
Two members will be drawn from teams involved in defense integration or public sector deployment, ensuring the body benefits from familiarity with defense contracting processes while maintaining a supermajority of members (5 of 7) without career stakes in defense revenue.
-
Members drawn from teams involved in defense integration or public sector deployment will recuse themselves from the review of any contract originated, negotiated, or primarily managed by their own team or direct reporting chain.
-
Recusal decisions will be recorded. Where recusal reduces the body below quorum for a specific review, the review proceeds with the remaining members provided at least four members participate, and the recusal is noted in the finding.
-
One member will be drawn from outside of AI research and engineering entirely—for example, a lawyer with expertise in the law of armed conflict, or a researcher with expertise in ethics, political philosophy, or human rights—where the Chief Scientist determines that such expertise would materially strengthen the body’s deliberations.
The composition requirement follows function, not org chart: if The Company restructures such that AI research relocates to a new unit, the four-member minimum applies to the successor unit(s).
Two to three members will hold or obtain top-secret / sci clearance. The remaining members need not be cleared. Clearance is not a prerequisite for membership, and the majority of the body will be uncleared to preserve independence from classification constraints.
A representative of The Company’s General Counsel will participate in all Review Body deliberations in a non-voting advisory capacity, providing legal counsel to the body on matters including the law of armed conflict, contract law, regulatory compliance, and the legal implications of findings.
The GC representative’s participation establishes that Review Body deliberations, working papers, findings in draft, and internal communications constitute attorney-client privileged communications made for the purpose of obtaining legal advice regarding The Company’s compliance obligations. This privilege belongs to The Company and may be waived only by the General Counsel. The presence of the GC representative does not alter the Review Body’s independence in reaching its own conclusions—the representative advises on legal questions but does not direct or constrain the body’s substantive findings.
Succession
The Chief Scientist will designate one member as Chair. If the Chief Scientist departs The Company, is removed from the role, or if the role is restructured or eliminated, the Chair assumes the Chief Scientist’s authority under this Framework—including appointment of Review Body members and Compliance Review Staff, review of non-compliance findings, and designation of a new Chair. If the Chair is also unable to serve, the remaining Review Body members will elect a new Chair by majority vote.
All Covered AI Employees will be notified of any succession event within 7 days.
Process
To balance oversight rigor with contracting velocity, contracts are reviewed on two tracks based on risk:
- Standard review
- Applies to contracts involving targeting-adjacent applications, intelligence analysis of persons, surveillance or monitoring, predictive policing, biometric identification, or any application where Standards 1 or 2 are plausibly implicated, as judged by an AI research member of the Review Body. These require pre-execution review, completed within ten business days of the Review Body confirming receipt of complete documentation.
-
The Review Body defines what constitutes complete documentation for each contract category as part of its standard review rubric. The Review Body may extend by up to ten additional business days by issuing a written hold. If no hold or non-compliance finding is issued within the review period, the contract may proceed.
-
The Review Body will maintain a rubric defining which categories trigger standard review, updated annually. The updated rubric will be shared with Covered AI Employees as part of the annual transparency report.
-
A pre-execution non-compliance finding is reported to the Chief Scientist within two business days. The contract may not proceed until the Chief Scientist or ceo has either initiated sufficient corrective action or provided a written explanation electing to proceed notwithstanding the finding.
- Post-execution review
- This review applies to all other contracts within scope. These proceed on execution and are subject to review within 15 business days. If post-execution review reveals Standards 1 or 2 are implicated, the contract is escalated to standard review and the Review Body may issue findings requiring modification.
For existing contracts, the Review Body will complete an initial compliance review within 90 days of establishment. All active contracts within the mandate will be reviewed annually thereafter. Any two members may initiate a review of any active contract at any time based on new information from any source.
If the Review Body’s review capacity is insufficient for the standard timeline, additional temporary members or resources will be provided.
To ensure that the transparency report provides a meaningful picture of compliance, the Review Body evaluates at the level of individual contracting agencies and end users. A single contract vehicle serving multiple agencies or use cases is reviewed as the distinct deployments it encompasses, with separate findings for each. The transparency report counts findings at the per-agency, per-end-user level—the granularity at which compliance questions actually arise.
Commercial access
Where end users within scope access The Company’s AI through commercial cloud offerings, The Company will:
-
maintain reasonable processes to identify when such end users fall within scope, reviewed annually by the Review Body;
-
incorporate the substantive requirements of Standards 1 and 2 as enforceable terms of service, with violation constituting material breach;
-
implement usage telemetry for AI capabilities where Standards 1 and 2 are most likely implicated, designed in good faith to surface serious potential violations, with detection design reviewed annually by the Review Body; and
-
suspend relevant AI capabilities to the end user within 72 hours of a reasonable basis to believe a violation has occurred, pending investigation.
The Review Body will report commercial access findings as a separate category in the annual transparency report, including the number of in-scope end users identified, investigations initiated, and suspensions.
Removal protections
Members cannot be removed during their term except by the Chief Scientist, accompanied by a written explanation provided to all Review Body members.
Service on the Review Body—including the issuance of non-compliance findings, the exercise of audit rights, or public statements within the scope of this Framework—will not be considered negatively in any performance reviews, promotion decisions, compensation, project assignments, or any other employment action.
Service on the Review Body constitutes a recognized leadership contribution. Review Body duties will be credited as primary-role impact in performance reviews, not treated as volunteer or extracurricular activity. Promotion committees evaluating Review Body members will be instructed that a reduced volume of primary-role output during a member’s term is an expected consequence of an approved leadership assignment, not evidence of reduced performance. The Review Body Chair will provide a written summary of each member’s Review Body contributions for inclusion in their performance packet.
Any Review Body member may, at any time, seek independent legal counsel regarding their obligations, rights, or potential liabilities in connection with their service. The Company will not restrict, discourage, or penalize members for doing so.
If a Review Body member, Compliance Review Staff member, or employee who reported through the Employee Reporting Channel believes they have experienced retaliation, they may report it to the Review Body Chair, who will document it in the Review Body’s records. A pattern of retaliation reports constitutes impairment of the Review Body’s capacity under the Durability section.
Review Body members will have a minimum of 20% of their working time formally allocated to Review Body duties, reflected in capacity planning and acknowledged by their management chain. When review volume requires a greater allocation, the Chair coordinates with the member’s management chain to adjust workload within 10 business days. Unresolved workload conflicts are escalated to the Chief Scientist.
Employee reporting channel
Any Covered AI Employee may report a potential Standards violation directly to the Compliance Review Staff, by name or anonymously. The Staff will maintain a dedicated reporting mechanism, separate from The Company’s general compliance channels and from management chains with defense revenue responsibility, and will publish its address to all Covered AI Employees upon establishment and in each annual transparency report. A good-faith basis for concern is sufficient. The Staff will assess within ten business days and recommend to the Review Body whether a formal review is warranted.
Anti-retaliation protections applicable to Review Body members apply equally to any employee who reports in good faith through this channel.
For classified programs, reports are submitted through cleared Staff or directly to a cleared Review Body member.
Deployment compliance status
Any Covered AI Employee assigned to a deployment within scope may request its compliance status from the Compliance Review Staff, using the same mechanism as the Reporting Channel. The Review Body will respond within ten business days with one of:
- Compliant.
- Requiring modification, stating whether modifications are pending, in progress, or overdue.
- Non-compliant, leadership override, identifying the non-compliant Standard and the organizational level (Chief Scientist or ceo) that authorized proceeding. Does not disclose the substance of the finding, the leadership explanation, or privileged deliberations.
- Under review, with expected completion date.
- Not yet reviewed. If Standards 1 or 2 are plausibly implicated, treated as a report and review is initiated.
- Outside scope.
An employee who receives a category (3) response may not be required to continue working on the deployment as a condition of employment. Reassignment requests following a category (3) disclosure may not be treated as a negative performance indicator. Responses are provided to the requesting employee only and are not shared with their management chain unless the employee elects to share them.
Compliance status categories, including category (3), are unclassified internal communications consistent with the classification boundary in “Classified Contracts.”
Mandate
The Review Body’s pre-execution review mandate covers all contracts providing The Company’s AI to government entities within scope—at any level of government—where the contract plausibly implicates Standards 1 or 2. This includes targeting-adjacent applications, intelligence analysis of persons, surveillance or monitoring, biometric identification, predictive policing, and any other application where either Standard is plausibly engaged, whether the end user is a national agency or a municipal police department.
For contracts that do not plausibly implicate either Standard, the Review Body will establish compliance standards that The Company’s cloud division applies during contracting, will conduct annual audits of a representative sample, and retains authority to review any specific contract at any time.
The Review Body also reviews the adequacy of commercial access measures (acceptable use policies, usage monitoring, suspension rights) annually.
The Review Body will assess annually whether the Framework’s compliance mechanisms—including audit, logging, and contractual specification of permitted use—remain adequate given the evolution of AI capabilities, and will recommend revisions if they do not.
Access
The Review Body will have standing access to the full terms of all contracts within its mandate, documentation of intended deployment parameters, and available downstream integration documentation. The Review Body may request briefings from relevant business development personnel at The Company.
Classified contracts
Classification may not be invoked to withhold the existence, general category, contracting agency, or stated purpose of any contract from the Review Body. Where classification restrictions limit the factual detail cleared members can share, that limitation will be noted in the Review Body’s records and reflected in the annual transparency report, which will also include the number of evaluations where classification restrictions prevented a full-body independent assessment.
Cleared members will review classified deployment details and provide the full body with an unclassified summary sufficient for the full body to evaluate the seriousness and basis of the review—for example, “I reviewed the classified deployment architecture and assess that the system meets / does not meet the appropriate human control standard based on [unclassified description of reasoning].” The full body deliberates on all findings, including those originating from classified reviews.
Where the full body has concerns about the adequacy of a classified review summary, it may by majority vote direct an independent cleared individual—who may be external to The Company—to conduct a separate review and provide a separate unclassified summary. External reviewers will be selected by the Review Body from a pre-approved roster it maintains. The two summaries will be considered jointly.
Classification boundary
The government retains authority to classify information about its own programs, sources, and methods. The Company does not contest this authority. A necessary distinction, however: the unclassified summaries, assessments, and compliance findings produced by cleared Review Body members are internal communications—the professional judgments of The Company’s employees about whether their products meet The Company’s standards. These are not government documents and are not subject to government classification authority.
Cleared Review Body members are trained in classification requirements and are individually responsible for ensuring that their unclassified summaries do not disclose classified sources, methods, or operational details. The existence of a compliance concern, the direction of a finding (compliant or non-compliant), and the unclassified reasoning supporting that finding are The Company’s own work product. These assessments must be able to reach the full Review Body, the Chief Scientist, the ceo, and the appropriate Board committee without external interference—this is a basic condition of the oversight mechanism functioning as designed.
If a classification-related restriction on a cleared member’s communication is asserted, the Review Body will seek guidance from General Counsel on the legal basis for the restriction. The member’s obligation to communicate compliance concerns to Company leadership continues during this review—classification disputes over the member’s own unclassified assessment do not create a gap in the information flow.
If a cleared Review Body member faces a credible assertion that sharing an unclassified compliance assessment internally would violate classification requirements, The Company will provide legal representation to the member through outside counsel—not the General Counsel, to avoid conflicts of interest—and will not require the member to communicate under threat of personal legal jeopardy. The member’s obligation under this Framework is suspended only where outside counsel confirms a credible legal risk to the individual, not merely where the government asserts one.
Dedicated staff
The Review Body will be supported by a dedicated Compliance Review Staff of no fewer than four full-time employees, reporting to the Review Body Chair—at minimum one technical analyst with AI systems expertise, one analyst with experience in defense or intelligence contracting, and one with legal or policy training. The Review Body may request additional staff as review volume requires.
Staff are responsible for:
-
preparing review packets for contracts within the standard review track, including preliminary compliance assessments against Standards 1 and 2;
-
maintaining the compliance database, remediation tracker, and audit schedule;
-
monitoring commercial cloud usage for covered applications;
-
coordinating audits of cloud-hosted deployments; and
-
drafting the annual transparency report for Review Body approval.
Staff will not simultaneously hold roles in defense sales, business development, government relations, or any team with revenue responsibility for contracts within the Review Body’s mandate. Anti-retaliation protections applicable to Review Body members apply equally to staff.
The Review Body’s annual budget—covering staff compensation, external consultation, and operational costs—will be established at creation and may not be reduced without the same 30-day notice and disclosure requirements that apply to modifications of the body’s mandate. The budget shall be sufficient to support the staffing levels and review timelines described in this framework.
Findings and corrective action
The Review Body will issue written findings for each review, classifying contracts as compliant, requiring modification, or non-compliant. Findings will document the specific materials reviewed and the basis for the determination—not just the conclusion. For example: “Reviewed contract terms and deployment architecture; system includes human review of each targeting recommendation; assessed review time, information quality, and decision complexity against the Review Body’s operational guidance for appropriate human control; assessed as compliant with Standard 1 based on [specific factors].” The finding must reference the specific criteria applied, not merely a single metric such as average review time.
Findings of non-compliance will be reported to the Chief Scientist within two business days. The Chief Scientist will, within two business days, either elect to proceed or to escalate the finding to the ceo, who may elect to proceed or to initiate corrective action. Only the Chief Scientist or the ceo may authorize The Company to proceed with or maintain a contract notwithstanding a non-compliance finding. No other officer, business unit leader, or employee may make this determination.
If the Chief Scientist or ceo elects to proceed notwithstanding a non-compliance finding, they will provide a written explanation to the Review Body within 30 days. This explanation must address the specific non-compliance finding and state the specific basis for proceeding.6
If the Review Body, by majority vote, maintains its finding after considering the explanation, it may issue a written response stating the basis for its continued disagreement. The finding, the explanation, and the Review Body’s response are maintained in the Review Body’s privileged durable record. The annual transparency report will include: the number of non-compliance findings where leadership elected to proceed, the organizational level of the decision-maker, and whether the Review Body maintained its disagreement.
If the Review Body maintains a non-compliance finding by at least 6 of 7 members after receiving leadership’s written explanation, it transmits the finding, the explanation, and its response to the relevant Company Board committee within 10 business days. For Standard 1 findings, 5 of 7 members suffice. The Board committee may request briefings but is not required to act. The annual transparency report will note the number of findings transmitted to the appropriate Board committee and whether the committee took action.
The Review Body will maintain a durable record of each non-compliance finding, including the full escalation chain and the explanation provided. This record is held by the Review Body as a body and is maintained in a form that persists through changes in membership and leadership transitions. Written findings, explanations, and responses constitute privileged Review Body records and are not disclosed in the annual transparency report.
Consultation
The Review Body may, by majority vote, engage external consultants with relevant technical, legal, or domain expertise to assist with specific reviews. External consultants will be briefed by Review Body members and provide analysis in response to specific questions—they will not have independent access to contract documentation. For classified material, consultants must hold appropriate clearances.
Quorum
The Review Body requires four members to conduct reviews and issue findings. If membership falls below four due to resignation, removal, or incapacity, the Chief Scientist (or successor) will appoint replacement members within 30 days. During any period below quorum, all new contracts within the standard review track are held pending restoration of quorum.
Transparency
The existence, mandate, and membership of the Review Body will be communicated to all Covered AI Employees upon establishment. Annually, the Review Body will publish an internal summary including:
-
the number of contracts reviewed, broken down by classification level and contracting agency category;
-
the number of findings in each category (compliant, requiring modification, non-compliant);
-
the disposition of non-compliance and modification findings (corrected, pending, unresolved);
-
the number of contracts reviewed only under classification restrictions that limited full-body deliberation;
-
the number of instances where the Review Body’s access was restricted; and
-
the number of non-compliance findings where leadership elected to proceed notwithstanding the finding.
This summary will not include classified or contractually confidential details, but will include sufficient information for Covered AI Employees to assess whether the oversight mechanism is functioning effectively. The operative standard review rubric will be shared alongside the transparency report.
Resignation disclosures
If a Review Body member resigns due to a substantive disagreement regarding the handling of compliance findings, the member will notify Covered AI Employees of the resignation and the general nature of the disagreement, without disclosing privileged deliberations or specific contract details. This notification will be distributed through the same channels used for other Review Body communications, without prior approval.
Durability
Oversight mechanisms are only credible if they persist through leadership transitions and organizational changes. The Review Body’s mandate, access rights, and reporting structure may be modified, suspended, or dissolved, but changes require 30 days’ advance written notice to all Covered AI Employees, including a statement of rationale.
During the notice period, the Review Body retains its full mandate and access rights. If the Review Body has any outstanding unresolved findings of non-compliance at the time of a dissolution notice, those findings and their disposition will be disclosed to all Covered AI Employees as part of the notice. That year’s transparency report will also be disclosed, covering all decisions since the last report.
For clarity, the following constitute changes to the Review Body’s mandate and trigger the same notice requirement:
-
organizational restructuring that removes AI work within scope from the Review Body’s purview;
-
reduction of the Review Body’s budget below its initial level (adjusted for inflation);
-
failure to fill vacancies within 30 days;
-
reassignment of more than one cleared member within 12 months without timely replacement;
-
restriction of the Review Body’s access relative to what this Framework describes; or
-
any pattern of action that, taken together, has the practical effect of impairing the Review Body’s capacity to fulfill its mandate.
If the Review Body determines by majority vote that its capacity to fulfill its mandate has been materially impaired, and the impairment is not remedied7 within 15 days of notification to the Chief Scientist, the Review Body will disclose the determination and the general category of impairment to all Covered AI Employees within 24 hours and in the next transparency report.
Legislative supersession
These Standards are calibrated to current accountability gaps and the absence of binding legal frameworks.
If Congress enacts legislation establishing binding standards with independent enforcement authority governing one or more of (1) human control over autonomous weapons and (2) AI-assisted surveillance, the Review Body will assess whether the statutory framework meets or exceeds Standards 1 and 2.
Where it does, the corresponding Standard may be retired or aligned to statute, subject to both Chief Scientist approval and supermajority (5 of 7) agreement by the Review Body that the statutory framework meets or exceeds the corresponding Standard. Where the Review Body determines the statutory framework falls short of current Standards, The Company maintains the more protective standard. In the event of a change to one or more Standards, the Chair will notify Covered AI Employees within two business days.
The absence of legislative action does not create a presumption that these Standards should be relaxed. These Standards remain in effect indefinitely absent affirmative supersession through the process described above.
Citation
@misc{Turner2026RedLineFramework,
author = "Alex Turner",
title = "A red line and oversight framework for government AI contracts",
year = 2026,
url = "https://turntrout.com/red-line-framework"
}Find out when I post more content: newsletter & rss
alex@turntrout.com (pgp)Similar posts
Footnotes
-
The original proposal I showed to senior Google employees restricted itself to government entities within the Fourteen Eyes. ⤴
-
Standard 2’s protection tiers reflect political and legal realities. The Company acknowledges that the moral case for protecting persons from untargeted AI profiling does not depend on nationality, and will revisit the scope of these protections as international standards develop. ⤴
-
For the purposes of this carve-out, “defensive” means systems that autonomously detect and engage weapons, munitions, or unmanned vehicles that are actively in flight toward protected assets or personnel. Preemptive strikes, counter-force operations, and engagement of launch platforms or command infrastructure are not within this carve-out regardless of their doctrinal classification. ⤴
-
This standard is consistent with the principle underlying the fbi’s own investigative guidelines (the Attorney General’s Guidelines for Domestic fbi Operations), which prohibit opening investigations based on First Amendment-protected activity alone. However, the operative standard here is particularization—facts specific to the individual, not to a category, population, or dataset to which the individual belongs. The existence of data about a person does not authorize AI-generated individualized assessment of that person absent facts particular to that individual. ⤴
-
The Company recognizes that suspension during active military operations may face contractual, operational, and political resistance. The 72-hour capability is a technical requirement—The Company must retain the architectural ability to suspend. The decision to exercise it in a specific case will be made by the Chief Scientist and ceo, informed by the Review Body’s finding and by General Counsel’s assessment of contractual and legal obligations. Where immediate suspension would create a genuine risk to personnel safety, The Company may implement interim restrictions short of full suspension—such as restricting specific capabilities or use cases—while the violation is investigated. ⤴
-
The compressed timeline is modeled on the escalation cadence of the Intelligence Community Whistleblower Protection Act, which requires the Inspector General and the Director to act within defined short windows—ensuring that non-compliance findings receive prompt executive attention rather than extended deliberation periods during which non-compliant activity continues. ⤴
-
The impairment is considered “remedied” when the Review Body affirms as such by majority vote. ⤴