Yale proposal targets transparency gap in AI development

Researchers at Yale’s Digital Ethics Center have proposed a copyleft-style licensing framework intended to increase transparency around generative AI models trained on open-source software.

The proposal, called the Contextual Copyleft AI License, would adapt principles from free and open-source software licensing to generative AI. Under the model, AI systems trained on open-source code could be treated as derivative works, requiring developers to make key information about model architecture and training data freely available.

The researchers argue that such a framework could give open-source software developers more control over how their code is used in AI development. They also say it could encourage more genuinely open AI models and reduce ‘open washing’, where systems are marketed as open despite keeping important components closed.

The proposal comes amid wider debates over AI transparency, copyright and the role of open-source software in the development of generative AI. The researchers conclude that the approach may be legally feasible under current copyright law, provided that training AI models on open-source software is not treated as fair use.

The study also notes that open generative AI models can create risks because they may be used to generate deceptive or harmful content. The researchers argue that licensing approaches need to work alongside regulatory safeguards, including rules designed to limit manipulative or deceptive uses of AI.

Why does it matter?

The proposal addresses a central transparency gap in AI development: many generative AI systems rely on open-source software but do not disclose enough about how that software is used, which data is involved, or how the resulting models work. If similar licensing approaches gained traction, they could reshape debates over AI openness, developer rights, copyright and accountability. The proposal also shows how open-source governance tools are being reconsidered for AI systems whose risks and dependencies differ from traditional software.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Netherlands requires one-click cancellation button for online purchases

The Netherlands has announced that online retailers and providers of online services will be required to include a clear cancellation button on their websites from 19 June 2026. The measure is intended to make it easier for consumers to exercise their right of withdrawal during the statutory 14-day cooling-off period.

Under the new rules, customers will be able to cancel a purchase or service through a dedicated online button rather than completing a form or contacting customer services. The cancellation button will serve as an additional withdrawal mechanism and will not replace the standard withdrawal form.

After selecting the button, customers will need to confirm that they wish to cancel their purchase or service. Businesses will then be required to send a confirmation message acknowledging receipt of the cancellation request. This is in line with the right of withdrawal under the EU Consumer Rights Directive.

The requirements will apply to online retailers, providers of digital services such as online courses and coaching programmes, and sellers operating through social media platforms. The measure has been approved by the Dutch parliament.

Why does it matter?

The measure reflects a broader European effort to strengthen consumer protection in digital markets. While consumers already have the right to withdraw from many online purchases within a statutory cooling-off period, exercising that right can sometimes involve complex procedures or interactions with customer support.

By requiring a clear and accessible cancellation option, the Netherlands aims to reduce friction in the withdrawal process and improve transparency for consumers. The initiative also reflects growing regulatory attention to user experience and consumer rights in digital commerce, particularly in areas such as subscriptions, online services and social media-based sales.


Anthropic forced to disable Fable 5 after US directive

Anthropic has disabled access to Claude Fable 5 and Claude Mythos 5 after receiving a US government export control directive citing national security authorities.

The company said the directive requires it to suspend access to the models by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. Anthropic said the practical effect is that it must remove access to Fable 5 and Mythos 5 for all customers to ensure compliance. Access to its other models is not affected.

According to Anthropic, it received the directive on 12 June at 5:21 p.m. ET. The company said the order did not provide specific details of the national security concern, but that it understands the government believes it has become aware of a method for bypassing, or jailbreaking, Fable 5.

Anthropic said it reviewed a demonstration of the technique being used to identify a small number of previously known minor vulnerabilities. The company argued that those vulnerabilities appeared relatively simple and could also be identified by other publicly available models without requiring a bypass.

Anthropic said Fable 5 had been red-teamed before launch by its internal teams, the US government, the UK AI Safety Institute and third-party organisations. The company said no tester had found a universal jailbreak capable of broadly bypassing the model’s safeguards.

The company said it is complying with the directive but disagrees that a narrow potential jailbreak should justify recalling a commercial model. It also argued that applying such a standard across the industry could effectively halt new frontier model deployments.

Anthropic said governments should be able to block unsafe AI deployments through a transparent and technically grounded statutory process, but said the current action does not meet those principles. The company said it is working to restore access as soon as possible.

Why does it matter?

The case shows how national security and export-control powers can directly affect access to frontier AI systems after deployment. It raises a major governance question: when should governments be able to suspend access to advanced models, and what evidence, transparency and due-process safeguards should apply? The dispute also highlights the growing tension between frontier AI safety, commercial deployment, cross-border access and government intervention in dual-use technologies.


EU AI Board reviews AI Act implementation and tech sovereignty agenda

The EU AI Board held its eighth meeting to review progress on AI Act implementation and discuss wider priorities in the EU’s AI strategy.

The meeting took place under the chairmanship of the Cypriot Presidency of the EU Council. The presidency also announced that Moldova had been granted observer status on the AI Board.

The European Commission presented its Tech Sovereignty Package, with a focus on the proposed Cloud and AI Development Act and its role in strengthening AI innovation, competitiveness and technological sovereignty in Europe.

The Board also reviewed the final version of the voluntary Code of Practice on labelling and marking AI-generated content. The code sets out practical steps to help providers and deployers of generative AI systems meet transparency obligations under the AI Act, which will apply from 2 August 2026.

Further discussions focused on the AI Act’s implementation architecture. The Commission presented the recently appointed Scientific Panel and AI Act Advisory Forum, which will support the Commission and the AI Board. Members also discussed progress in establishing national market surveillance authorities and endorsed additional documents prepared by an AI Board subgroup, which are expected to be published shortly.

Why does it matter?

The meeting shows the EU moving from AI Act adoption towards practical implementation. The discussion links several important pieces of the EU AI governance architecture: voluntary transparency tools, expert advisory bodies, national market surveillance authorities and broader industrial policy through the Tech Sovereignty Package. Together, these elements will shape how AI rules are coordinated, interpreted and enforced across the EU.


Canada introduces Safe Social Media Act targeting online harms and AI chatbots

Canada has introduced the Safe Social Media Act, legislation that would establish new online safety requirements for social media platforms and certain AI chatbot services. Bill C-34 aims to make regulated services more accountable for addressing online harms before they occur.

The Safe Social Media Act would create a new legislative and regulatory framework through the proposed Digital Safety Act. Regulated services would be required to identify, assess and mitigate risks on their platforms, implement safety-by-design features, make user guidelines easily accessible, provide tools such as blocking and reporting mechanisms, and publish Digital Safety Plans.

The bill would prohibit children under the age of 16 from holding social media accounts. Social media services could seek an exemption if they demonstrate that sufficient safeguards for children are in place.

The Safe Social Media Act is organised around three core duties: a Duty to Protect Children, a Duty to Act Responsibly and a Duty to Make Certain Content Inaccessible. Social media services would be required to assess and mitigate risks associated with seven categories of harmful content, including child sexual victimisation, content inducing a child to self-harm, cyberbullying, hatred, violence, terrorism or violent extremism, and intimate content shared without consent.

Regulated social media services would also be required to make certain content inaccessible to users in Canada, including content that sexually victimises a child or revictimises a survivor, and intimate content communicated without consent, including sexualised deepfakes. The government said these categories can cause substantial and lasting harm even when a single item is shared.

Under the proposed legislation, AI chatbot services would be subject to a tailored Duty to Act Responsibly. The proposed requirements include mitigating the risk that chatbots communicate harmful content, being transparent about reporting thresholds in crisis situations, and reducing the risk of harmful chatbot behaviour.

The legislation would establish an independent Digital Safety Commission of Canada responsible for enforcing the framework, assessing compliance, conducting audits and inspections, issuing compliance orders and imposing administrative monetary penalties. The Commission would also handle certain complaints, develop guidance and support research on online safety best practices.

Why does it matter?

The Safe Social Media Act reflects a growing international shift towards preventative online safety regulation. Rather than focusing solely on the removal of illegal content after it appears, the proposed framework would require platforms and AI services to assess risks proactively and implement measures designed to reduce harm before it occurs.

The inclusion of AI chatbot services is particularly notable, as governments worldwide are increasingly examining the safety implications of generative AI systems. If adopted, the legislation could position Canada among the first countries to apply a comprehensive online safety framework that combines platform accountability, child protection measures and AI-specific obligations under a single regulatory regime.


EU publishes the final Code for labelling AI-generated content

The European Commission has published the final Code of Practice on marking and labelling AI-generated content, offering practical guidance for providers and deployers preparing to comply with transparency obligations under the EU AI Act.

The code is voluntary, but the underlying transparency obligations in Article 50 of the AI Act will apply from 2 August 2026. The Commission said the code is intended to help organisations implement those obligations in a consistent, practical and proportionate way.

The framework covers two main areas. Providers of generative AI systems are guided on marking and detecting AI-generated or manipulated audio, image, video and text content, including through machine-readable solutions where technically feasible. Deployers are guided on labelling deepfakes and AI-generated or manipulated text published to inform the public on matters of public interest.

Under the AI Act, users must also be informed when they are interacting with interactive AI systems, such as chatbots. The transparency requirements are intended to help people recognise when content has been generated or altered by AI and to reduce the risk of deception and manipulation.

The Commission has also published a set of EU icons that deployers may use to label certain AI-generated content. The code does not replace the AI Act or future Commission guidelines on Article 50, which are expected before the transparency obligations begin to apply.

The Commission and the AI Board will now assess the code’s adequacy. If assessed positively, providers and deployers who sign the code may use its measures to help demonstrate compliance with the AI Act’s transparency rules.

Why does it matter?

The code is an important step in turning the AI Act’s transparency provisions into operational practice. Labelling and machine-readable marking rules could shape how platforms, AI providers, media organisations and other deployers handle synthetic text, images, audio and video. The measures are especially relevant for public-interest information, where undisclosed AI-generated or manipulated content can affect trust, elections, journalism and public debate.


PMI launches global standard for AI project management

The Project Management Institute (PMI) has published a global standard for managing AI initiatives in portfolio, programme and project environments. The standard, titled ‘The Standard for Artificial Intelligence in Portfolio, Program, and Project Management’, is intended to guide project, programme and portfolio teams delivering AI initiatives.

PMI said AI deployment within organisations is typically delivered through projects, including the development of AI systems, AI-enabled workflows and AI-powered products. The organisation said project professionals have lacked a dedicated framework for planning, governing and delivering AI transformation initiatives.

The standard establishes eight guiding principles, five performance domains and a lifecycle framework for designing, deploying and overseeing AI initiatives. PMI said the guidance is technology-agnostic and built around human-in-the-loop oversight at every stage.

The standard comes as governments and organisations continue to develop AI governance approaches, including risk-based regulation, transparency requirements, and accountability measures. PMI said the standard is intended to help project professionals integrate responsible AI governance into project delivery, from design and development through deployment and oversight.

The standard also addresses AI business cases, tool selection, AI-specific risk management, ethics oversight, and compliance with emerging requirements such as the EU AI Act and ISO 42001. PMI said the framework provides project leaders with a common language for aligning legal, audit, finance, technology and business teams around AI implementation objectives and governance requirements.

The standard is available as a free digital download for PMI members worldwide. Non-members can access the digital edition through purchase or PMI membership.

Why does it matter?

As organisations move from experimenting with AI to deploying it at scale, attention is increasingly shifting from technical development to implementation, governance and operational oversight. Many AI initiatives fail not because of technology limitations, but because of challenges related to project management, risk management, stakeholder alignment and organisational readiness.

PMI’s standard reflects the growing effort to operationalise AI governance by translating broad principles into practical project delivery processes. It also highlights how emerging regulatory frameworks, such as the EU AI Act, are influencing the way organisations plan, manage and oversee AI-enabled transformation initiatives.


Anthropic launches Claude Fable 5 with advanced safety safeguards

Anthropic has launched Claude Fable 5, a new general-purpose AI model, alongside Claude Mythos 5, a more capable version reserved for selected cyber defence and infrastructure partners.

The company described Fable 5 as its most capable generally available model to date, with strong performance across software engineering, knowledge work, vision and scientific research. Anthropic said the model’s advanced capabilities pose misuse risks, particularly in cybersecurity and research biology.

To reduce those risks, Fable 5 includes additional safety classifiers designed to detect potential misuse, including attempts to bypass safeguards. When certain high-risk requests are detected, users may receive a response from Anthropic’s next-most-capable model, Claude Opus 4.8, rather than Fable 5.

Anthropic said the safeguards have been tuned conservatively and may sometimes block benign requests. According to the company, the fallback mechanism is triggered in less than 5% of sessions on average.

Claude Mythos 5 uses the same underlying model as Fable 5, but with some safeguards lifted in specific areas. Anthropic said it will initially deploy Mythos 5 through Project Glasswing, in collaboration with the US government, for a limited group of cyber defenders and critical software infrastructure providers.

The launch highlights a growing model governance approach in which access to frontier AI capabilities is tiered according to use case and risk. Anthropic said it plans to expand trusted access to Mythos 5 while continuing to refine safeguards for broader public use.

Why does it matter?

The release shows how frontier AI providers are increasingly linking capability deployment to access controls, model routing and domain-specific safeguards. As advanced systems become more useful for software engineering, cybersecurity and scientific research, companies face pressure to provide broad access while limiting misuse in dual-use areas. Anthropic’s split between Fable 5 and Mythos 5 reflects a wider governance question: who should receive access to the most capable AI systems, under what conditions, and with what oversight.


ENISA finds Cyber Resilience Act driving SBOM adoption across industries

The European Union Agency for Cybersecurity (ENISA) has published a report on Software Bill of Materials (SBOM) adoption, finding that the Cyber Resilience Act (CRA) is accelerating investment in software supply chain transparency across organisations. The report, titled ‘SBOM Adoption State of Play – 2026’, analyses survey results gathered at the end of 2025.

The survey examined how organisations of different sizes and across multiple sectors are approaching SBOM adoption in response to the Cyber Resilience Act. ENISA said the regulation is transforming SBOMs from a voluntary software supply chain security practice into a mandatory requirement for products with digital elements placed on the EU market.

The report found that 78% of respondents had already begun implementing SBOMs, while 44% were in a pilot or limited deployment phase. ENISA also said 79% of organisations expect to reach the necessary SBOM maturity level by the time the Cyber Resilience Act becomes fully applicable in December 2027.

Organisations are investing in SBOM generation, automation, and integration into the software development lifecycle. Respondents cited benefits including risk reduction, cost avoidance, operational efficiency, regulatory compliance, contractual alignment and competitive advantage.

ENISA also identified barriers to the adoption of SBOMs at scale. Key challenges include achieving greater SBOM completeness, improving data quality, correlating vulnerabilities, obtaining SBOMs from suppliers and third parties, and developing the necessary internal expertise and staffing.

The report says further progress will depend on shared implementation practices, supplier transparency, workforce capabilities, and clearer integration of SBOMs into operational risk management. ENISA said organisations would also benefit from external support, including reference implementations, tool-selection guidance, conformance testing, standardised formats and clearer definitions of what constitutes a sufficiently complete SBOM.

Why does it matter?

Software supply chains have become a major cybersecurity concern as organisations increasingly rely on complex networks of open-source and third-party components. SBOMs provide visibility into the software components used within products, helping organisations identify vulnerabilities, assess risks and respond more effectively to security incidents.

The report highlights how the Cyber Resilience Act is driving a shift from voluntary software transparency practices to formal compliance requirements. The findings also illustrate that while adoption is progressing, organisations continue to face technical, organisational and supply-chain challenges that could influence the effectiveness of future software security efforts.


Ofcom confirms platform crisis protocols under UK Online Safety Act

UK communications regulator Ofcom has set out new crisis response measures aimed at helping online platforms respond when illegal content and content harmful to children spread rapidly during emergencies.

The measures will be added to Ofcom’s Illegal Content Codes of Practice and Protection of Children Codes of Practice under the UK’s Online Safety Act. However, they must still complete the parliamentary process before taking effect.

Ofcom said ordinary content moderation systems may not be sufficient during exceptional events, such as public disorder, terrorist attacks, or other crises that lead to a sudden increase in harmful or illegal online activity. The regulator pointed to the violent riots that followed the 2024 Southport murders and the risk of terrorist attacks being livestreamed as examples of crises where online content can threaten public safety.

Under the measures, service providers should prepare and apply crisis protocols to manage significant increases in relevant illegal content or content harmful to children. Ofcom expects providers to deploy temporary response teams as soon as possible during a crisis, record key decisions and conduct post-crisis reviews to assess whether their response was effective.

Large platforms should also maintain dedicated communication channels for law enforcement agencies to share crisis-related information. Ofcom said the measures are intended to support faster and more coordinated public safety efforts during exceptional events.

The regulator consulted on crisis response protocols in 2025 and said further decisions on additional online safety measures are expected in autumn 2026.

Why does it matter?

The measures show how online safety regulation is moving from general content moderation duties towards operational crisis governance. In emergencies, platforms may face sudden spikes in illegal content, livestreamed harm or coordinated activity that ordinary moderation systems cannot manage quickly enough. Ofcom’s approach also formalises closer crisis-time coordination between large platforms and law enforcement, raising important questions about public safety, platform accountability, due process and safeguards under the UK Online Safety Act.
