In the public imagination, “AI arms control” sounds like a single, dramatic agreement: a treaty that freezes the most dangerous capabilities, verified by inspectors, enforced by penalties, and signed by rival powers. But the closer policymakers look at how frontier AI is actually built and deployed, the more the concept starts to resemble something else entirely—a patchwork of practical rules, shared evaluation methods, incident reporting norms, and verification mechanisms that can be updated as models evolve.
That shift matters. It changes what success looks like. Instead of asking whether countries can agree on a hard cap for capability, the more realistic question becomes: can they coordinate enough to reduce catastrophic risk, limit the most destabilizing behaviors, and create mutual confidence that safety claims are not just marketing?
The Financial Times framing—suggesting that even a US–China safety deal may be difficult given competition—points toward a broader conclusion. Multilateral “AI arms control,” if it happens at all, is likely to be less like Cold War disarmament and more like a living governance system: modular, incremental, and designed to work even when trust is partial.
Why a treaty is the wrong mental model
Traditional arms control assumes that the object being controlled is relatively stable and measurable. Missiles have ranges; warheads have yields; ships have hulls. Verification is possible because the relevant attributes are observable or can be inferred from inspections.
Frontier AI doesn’t behave that way. Capabilities can emerge from training choices, data mixtures, fine-tuning strategies, and post-training alignment techniques. Two systems with similar “headline” performance can differ dramatically in how they fail, how they generalize, and how easily they can be steered toward harmful outcomes. Even the same model family can change behavior after updates to safety layers, tool integrations, or deployment contexts.
So the governance challenge is not only political. It’s technical and epistemic: countries need a shared understanding of what counts as risk, what evidence is sufficient, and what can be checked without revealing proprietary methods.
That’s why many experts increasingly talk about “AI safety frameworks” rather than “AI arms control treaties.” The frameworks aim to standardize evaluation and reporting, not to freeze innovation outright.
A multilateral patchwork: what it could include
If multilateral AI safety coordination were to take shape, it would likely be built from several components that reinforce each other. Each component would be politically easier to negotiate than a single comprehensive ban, and each would address a different failure mode.
1) Common safety benchmarks and testing standards
One of the most immediate areas for coordination is evaluation. Without shared benchmarks, every country can claim it is “safe” based on different tests, different thresholds, and different definitions of harm.
A multilateral framework could establish a set of common safety benchmarks for high-risk categories: cyber misuse, biological and chemical assistance, large-scale fraud and deception, election interference, and other forms of wrongdoing that frontier models can enable. The key would be not just the benchmark itself, but the testing protocol: how prompts are generated, how adversarial attempts are scored, what constitutes a “harmful” response, and how results are reported.
The unique twist would be to treat benchmarks as evolving artifacts rather than fixed scorecards. As models improve, benchmarks would need periodic refresh cycles, with independent parties contributing new adversarial test suites. This resembles how cybersecurity standards evolve: you don’t rely on one static checklist; you update continuously as attackers adapt.
2) Rules for high-risk development and deployment timelines
Even if countries cannot agree on a capability ceiling, they might agree on process requirements around high-risk releases. For example, a framework could require that certain classes of models undergo additional scrutiny before deployment—especially when they cross predefined risk thresholds on standardized evaluations.
This could include staged release practices: internal red-teaming first, then limited external testing under controlled conditions, then broader deployment only after meeting safety criteria. The multilateral element would be the shared definition of what triggers those stages and what evidence must be produced.
The political advantage is that such rules can be framed as “responsible engineering” rather than restraint. Countries can argue they are not blocking progress; they are reducing the chance of catastrophic misuse.
3) Incident reporting norms for serious failures and misuse
A major gap in current AI governance is learning speed. When a model fails—whether through unexpected emergent behavior, jailbreak vulnerabilities, or harmful outputs—there is often no systematic mechanism for others to learn quickly. Companies may report incidents internally; regulators may investigate case-by-case; but cross-border learning is inconsistent.
Multilateral incident reporting norms could change that. The framework could define categories of incidents (for example, severe cyber enabling, credible threats, large-scale automated fraud, or repeated failures in safety-critical domains). It could also specify what information must be shared: not necessarily the full model weights, but enough to reproduce the failure mode, understand the conditions under which it occurs, and mitigate it.
The hardest part would be balancing transparency with security. Too much disclosure could help adversaries. Too little would make reporting useless. A patchwork approach could solve this by using tiered disclosure: some details shared publicly, others shared with trusted technical bodies under confidentiality agreements.
4) Verification and audit approaches that don’t expose sensitive techniques
Verification is where multilateral AI governance will either succeed or collapse. If verification requires revealing proprietary training data, model architectures, or weights, companies and governments will resist. Yet without some form of verification, commitments become unverifiable promises.
A plausible multilateral design would use “auditability without full disclosure.” That could include:
Independent evaluation labs that run standardized tests on submitted model versions.
Secure enclaves or controlled environments where auditors can test behavior without extracting sensitive internals.
Third-party attestation of safety claims based on reproducible test protocols.
Documentation requirements that allow auditors to verify that safety processes were followed, even if the underlying methods remain confidential.
This is not science fiction. Similar approaches exist in other regulated domains, including financial compliance and certain cryptographic assurance models. The novelty is adapting them to AI behavior, where the “thing being verified” is not a physical artifact but a dynamic system.
5) Controls tied to compute and key inputs, paired with reporting
Some proposals for AI governance focus on controlling access to compute or key inputs, arguing that scaling laws make compute a proxy for capability. In a multilateral setting, compute controls could be paired with reporting requirements rather than outright bans.
For instance, countries could agree on reporting thresholds for large-scale training runs: when a training project exceeds certain compute or duration metrics, developers must submit standardized safety evaluation results and incident mitigation plans. This would create a shared picture of where frontier risk is being concentrated.
However, compute controls alone are unlikely to be sufficient. Capability can be achieved through different routes, including algorithmic improvements, data quality, and fine-tuning. So the patchwork would need to combine compute-related reporting with behavioral testing and deployment safeguards.
6) Joint research cooperation on safety methods and evaluation tools
Finally, multilateral governance could include cooperative research. This is often overlooked because it sounds less urgent than regulation, but it can be strategically important.
If countries jointly develop evaluation tools, red-teaming methodologies, and interpretability techniques, they reduce the incentive to “reinvent safety” in isolation. They also create shared technical language, which makes later negotiations easier.
The unique angle here is that joint research can function as a confidence-building measure. Even rivals can cooperate on measurement and mitigation while competing on deployment speed and product differentiation.
Why multilateral buy-in is difficult
Even if the components are technically plausible, the political obstacles are formidable.
First, governments have different risk tolerances. Some prioritize preventing misuse; others prioritize maintaining industrial competitiveness. Some worry about domestic stability; others worry about strategic military advantage. These priorities shape what each country is willing to verify and enforce.
Second, regulatory capacity varies. A multilateral framework requires institutions that can evaluate models, manage audits, and respond to incidents. Not every country has the technical workforce or legal infrastructure to do this at scale. That could lead to uneven participation, with some states acting as “standard setters” and others as “rule takers.”
Third, the incentives to defect are real. If one country adopts strict safety processes that slow deployment, competitors may gain market and strategic advantage. In that environment, safety commitments can become politically fragile unless they are paired with credible enforcement or at least strong reputational incentives.
This is where the “patchwork” approach becomes more than a compromise—it becomes a survival strategy. A single treaty with heavy enforcement might fail because too many parties would see it as constraining. Modular commitments allow partial participation and gradual strengthening over time.
The US–China problem: why bilateral deals may be harder than they sound
The idea that even a US–China safety deal may be difficult is not just pessimism; it reflects structural realities.
AI is both a commercial race and a strategic capability. Safety agreements can be interpreted as constraints on national advantage. Even if both sides share concerns about catastrophic misuse, they may disagree on what constitutes acceptable risk, what should be disclosed, and how to prevent the other side from gaining intelligence through audits.
There is also the issue of linkage. In many arms control contexts, parties want reciprocity: if one side provides verification access, the other side must provide something comparable. But in AI, the “something comparable” is hard to define. Model weights, training data, and evaluation results are not symmetric in value or sensitivity across firms and jurisdictions.
So bilateral deals may stall. But multilateral frameworks can sometimes bypass bilateral deadlocks by creating a broader coalition where no single pair must fully trust each other. Standards can be negotiated in technical fora, with verification performed by third parties rather than directly by rivals.
Still, the US–China relationship will likely set the ceiling for ambition. If the two largest players refuse to participate in meaningful verification, multilateral efforts may remain mostly voluntary and focused on transparency rather than enforcement.
What “success” could look like in practice
If multilateral AI arms control becomes a patchwork, success won’t be measured by a single headline