The General-Purpose AI (GPAI) Code of Practice translates the EU AI Act’s obligations into concrete measures across safety and security, transparency, and copyright. The Safety and Security chapter—which applies only to GPAI models with systemic risk (GPAISR)—requires signatories to meet the ‘state of the art’ (SOTA) for several of its most central provisions. A dynamic reference, SOTA is meant to future-proof the regulation, allowing risk management to evolve alongside the technology.
Yet neither the AI Act nor the Code specifies how to determine which measures may qualify as SOTA, how to adjudicate competing claims, or when to update regulatory expectations in light of new evidence. In this memo, we address some of the challenges associated with using SOTA as a dynamic reference to the ‘forefront of relevant research, governance and technology.’
We argue that SOTA is best understood as a process-driven concept: it is not determined by provider practice alone, but established through scientific discourse within the broader expert ecosystem—including scholars, civil society, and independent experts. To make SOTA assessments structured and comparable, we propose three criteria grounded in EU legal precedent: availability (technically feasible, not aspirational), proportionality (balancing effectiveness against burden), and verifiability (open to independent scrutiny).
Making SOTA operational requires an appropriate institutional process. We propose a three-step framework: (1) monitoring gaps in current risk management; (2) enabling innovation and evidence sharing from any actor in the ecosystem; (3) and formal assessment and communication by the AI Office supported by the Scientific Panel.
