A Tentative Draft of a Treaty, with Annotations

The States concluding this Treaty, hereinafter referred to as the Parties to the Treaty,

Alarmed by the prospect that the development of artificial superintelligence would lead to the deaths of all people and the end to all human endeavor,

Affirming the necessity of urgent, coordinated, and sustained international action to prevent the creation and deployment of artificial superintelligence under present conditions,

Convinced that the measures to prevent advancement of artificial intelligence capabilities will reduce the chance of human extinction,

Recognizing that the stability of this Treaty relies on the ability to verify the compliance of all Parties,

Recalling the precedent of prior arms control and nonproliferation agreements in addressing global security threats,

Undertaking to co-operate in facilitating the verification of artificial intelligence activities globally when they steer well clear of artificial superintelligence, and seeking to preserve access to the benefits of artificial intelligence systems even while avoiding dangers,

Have agreed as follows:

Each Party to this Treaty shall not develop, deploy, or seek to develop or deploy artificial superintelligence (“ASI”) by any means. Each Party shall prohibit and prevent all such development within their borders and jurisdictions, and, due to the uncertainty as to when further progress would produce ASI, shall not engage in or permit activities that materially advance toward ASI as described in this Treaty. Each Party shall assist, or not impede, reasonable measures by other Parties to dissuade and prevent such development by and within non-Party states and jurisdictions. Each Party shall implement and carry out all other obligations, measures, and verification arrangements set forth in this Treaty.

Where some classes of AI infrastructure and capabilities staying far from ASI may be deemed acceptable but only under conditions of international supervision, only Parties to the Treaty may carry out such activities, or own or operate AI chips and manufacturing capabilities that could potentially lead to the development of ASI if unsupervised. Non-Parties are denied such access for the safety of the Parties and of all life on Earth.(Article V, Article VI, Article VII).

Parties commit to a dispute resolution process (Article XI) to minimize unnecessary Protective Actions (Article XII).

For the purposes of this Treaty:

1. Artificial intelligence (AI) means a computational system that performs tasks requiring cognition, planning, learning, or taking actions in physical, social or cyber domains. This includes systems that perform tasks under varying and unpredictable conditions, or that can learn from experience and improve performance.
2. Artificial superintelligence (ASI) is operationally defined as any AI with sufficiently superhuman cognitive performance that it could plan and successfully execute the destruction of humanity.
   1. For the purposes of this Treaty, AI development which is not explicitly authorized by the ISIA (Article III) and is in violation of the limits described in Article IV shall be assumed to have the aim of creating artificial superintelligence.

3. Dangerous AI activities are those activities which substantially increase the risk of an artificial superintelligence being created, and are not limited to the final step of developing an ASI but also include precursor steps as laid out in this treaty. The full scope of dangerous AI activities is concretized by Articles IV through IX and may be elaborated and modified through the operation of the Treaty and the activities of the ISIA.
4. Floating-point operations (FLOP) is the computational measure used to quantify the scale of training and post‑training, based on the number of mathematical operations done. FLOP shall be counted as either the equivalent operations to the half-precision floating-point (FP16) format or the total operations (in the format used), whichever is higher.
5. Training run means any computational process that optimizes an AI’s parameters (specifications of the propagation of information through a neural network, e.g., weights and biases) using gradient-based or other search/learning methods, including pre-training, fine-tuning, reinforcement learning, large-scale hyperparameter searches that update parameters, and iterative self-play or curriculum training.
6. Pre-training means the training run by which an AI’s parameters are initially optimized using large-scale datasets to learn generalizable patterns or representations prior to any task- or domain-specific adaptation. It includes supervised, unsupervised, self-supervised, and reinforcement-based optimization when performed before such adaptation.
7. Post-training means a training run executed after a model’s pre-training. In addition, any training performed on an AI created before this Treaty entered into force is considered post-training.
8. Advanced computer chips are integrated circuits fabricated on processes at least as advanced as the 28 nanometer process node.
9. AI chips mean specialized integrated circuits designed primarily for AI computations, including but not limited to training and inference operations for machine learning models [this would need to be defined more precisely in an Annex]. This includes GPUs, TPUs, NPUs, and other AI accelerators. This may also include hardware that was not originally designed for AI uses but can be effectively repurposed. AI chips are a subset of advanced computer chips.
10. AI hardware means all computer hardware for training and running AIs. This includes AI chips, as well as networking equipment, power supplies, and cooling equipment.
11. AI chip manufacturing equipment means equipment used to fabricate, test, assemble, or package AI chips, including but not limited to lithography, deposition, etch, metrology, test, and advanced-packaging equipment [a more complete list would need to be defined in an Annex].
12. H100-equivalent means the unit of computing capacity (FLOP per second) equal to one NVIDIA H100 SXM accelerator, 990 TFLOP/s in FP16, or a Total Processing Performance (TPP) of 15,840, where TPP is calculated as TPP = 2 × non-sparse MacTOPS × (bit length of the multiply input).
13. Covered chip cluster (CCC) means any set of AI chips or networked cluster with aggregate effective computing capacity greater than 16 H100-equivalents. A networked cluster refers to chips that either are physically co-located, have inter-node aggregate bandwidth — defined as the sum of bandwidth between distinct hosts/chassis — greater than 25 Gbit/s, or are networked to perform workloads together. The aggregate effective computing capacity of 16 H100 chips is 15,840 TFLOP/s, or 253,440 TPP, and is based on the sum of per-chip TPP. Examples of CCCs would include: the GB200 NVL72 server, three eight-way H100 HGX servers residing in the same building, CloudMatrix 384, a pod with 32 TPUv6e chips, every supercomputer.
14. National Technical Means (NTM) includes satellite, aerial, cyber, signals, imagery (including thermal), and other remote-sensing capabilities employed by Parties for verification consistent with this Treaty.
15. Chip-use verification means methods that provide insight into what activities are being run on particular computer chips in order to differentiate acceptable and prohibited activities.
16. Methods used to create frontier models refers to the broad set of methods used in AI development. It includes but is not limited to AI architectures, optimizers, tokenizer methods, data curation, data generation, parallelism strategies, training algorithms (e.g., RL algorithms) and other training methods. This includes post-training but does not include methods that do not change the parameters of a trained model, such as prompting. New methods may be created in the future.

1. Treaty Parties hereby establish the International Superintelligence Agency (ISIA), to implement this Treaty and its provisions, including those for international verification of compliance with it, and to provide a forum for consultation and cooperation among Parties.
2. There are hereby established as the organs of the ISIA: the Conference of the Parties, the Executive Council, and the Technical Secretariat.
3. Conference of the Parties
   1. The Conference of the Parties comprises all Treaty Parties.
   2. The Conference of the Parties shall: Determine overall policy; adopt and oversee the budget; elect members of the Executive Council; consider compliance matters reported by the Executive Council; and adopt and revise Annexes upon Executive Council recommendation.
   3. It shall convene in regular session no less than annually, or at a more frequent rate as may be set by the Conference, in addition to special sessions as required. Each Party has one vote. Quorum is a majority of Parties.

4. Executive Council
   1. The Executive Council shall have 15 members: (i) 5 designated seats for permanent members of the United Nations Security Council, and (ii) 10 elected seats distributed by equitable geographic representation. Details of this are elaborated in Annex A.
   2. Elected members serve two-year terms. Half of the seats are elected each year.
   3. The Executive Council shall: approve challenge inspections; recommend budget and policy to the Conference; appoint the Director-General; provide oversight of the Technical Secretariat and approve its recommendations.
   4. Decision making processes are as follows:
      1. The Executive Council elects the Chair and Vice Chair of the Executive Council.
      2. The Chair or Vice Chair can act as the presiding officer.
      3. Voting proceeds by One Member, One Vote.
      4. Votes to approve a challenge inspection under Article X require a majority.
      5. Votes to recall or appoint a Director-General require two-thirds majority.
      6. All other decisions require a majority.
      7. Quorum requires two-thirds of the Executive Council

5. Technical Secretariat and Director-General
   1. The Director-General of the Technical Secretariat shall be its head and chief administrative officer.
   2. The Director-General is appointed by the Executive Council for a four-year term, renewable once. The Executive Council can recall the Director-General.
   3. The Technical Secretariat shall at its outset include technical divisions for Chip Tracking and Manufacturing Safeguards, Chip Use Verification Safeguards, Research Controls, Information Consolidation, Technical Reviews, Administration and Finance, and Legal and Compliance. The Director-General can create and disband technical divisions.
   4. The Technical Secretariat, by means of the Director-General, proposes changes to technical definitions and safeguard protocols, as necessary to implement Article IV, Article V, Article VI, Article VII, Article VIII, Article IX, and Article X of this Treaty.
      1. Time-sensitive changes to FLOP thresholds (Article IV), the size of covered compute clusters (Article V), and the boundaries of restricted research (Article VIII) may be implemented by the Director-General immediately in the case where inaction poses a security risk. Such changes remain in effect for thirty days. Past that, the changes need approval from the Executive Council to remain in effect.
      2. The Executive Council shall make decisions on matters of substance as far as possible by consensus; the Director-General should make efforts to achieve consensus. If consensus is not possible at the end of 24 hours, a vote will be taken, and the Executive Council shall accept the changes if a majority of members present and voting vote to accept the changes, and shall reject them otherwise.

6. The ISIA’s regular budget is funded by assessed contributions of Parties, using a scale derived from the UN assessment scale, subject to a floor and ceiling set by the Executive Council. Member states also have the option of making voluntary contributions for AI safety research related to alignment, interpretability, and capacity-building activities of member states including beneficial uses of safe AI, test bed development, good practices, information sharing, and the facilitation of cooperation and joint activities loosely modeled on the IAEA network of Nuclear Security Support Centers.

1. Each Party agrees to ban and prohibit AI training above the following thresholds: Any training run exceeding 1e24 FLOP or any post-training run exceeding 1e23 FLOP. Each Party agrees to not conduct training runs above these thresholds, and to not permit any entity within its jurisdiction to conduct training runs above these thresholds.
   1. The Technical Secretariat may modify these thresholds, in accordance with the process described in Article III.

2. Each Party shall report any training run between 1e22 and 1e24 FLOP to the ISIA, prior to initiation. This applies for training runs conducted by the Party or any entity within its jurisdiction.
   1. This report must include, but is not limited to, all training code, and an estimate of the total FLOP to be used. The Party must provide ISIA staff supervised access to all data, with access logging appropriate to the data’s sensitivity, and protections against duplication or unauthorized disclosure. Failure to provide ISIA staff sufficient access to data is grounds for denying the training run, at the ISIA’s discretion. The ISIA may request any additional documentation relating to the training run. The ISIA will also pre-approve a set of small modifications that could be made to the training procedure during training. Any such changes will be reported to the ISIA when and if they are made.
   2. Nonresponse by the ISIA after 30 days constitutes approval, however the ISIA may extend this time period by giving notice that they require additional time to review. These extensions are not limited, but Parties may appeal excessive delays to the Director or the Executive Council.
   3. The ISIA may monitor such training runs, and the Party will provide checkpoints of the model to the ISIA upon request from the ISIA, including the final trained model [initial details for such monitoring would need to be described in an Annex].
   4. In the event that monitoring indicates worrisome AI capabilities or behaviors, the ISIA can issue an order to pause a training run or class of training runs until they deem it safe for the training run to proceed.
   5. The ISIA will maintain robust security practices. The ISIA will not share information about declared training runs unless it determines that the declared training violates the Treaty, in which case it will provide all Treaty Parties with sufficient information to determine whether a violation occurred.
   6. In the event that a Party discovers a training run above the designated thresholds, the Party must report this training run to the ISIA, and halt this training run (if it is ongoing). Such a training run may only resume with approval from the ISIA.

3. Each Party, and entities within its jurisdiction, may conduct training runs of less than 1e22 FLOP without oversight or approval from the ISIA.
4. The ISIA may authorize, upon two thirds majority vote of the Executive Council, specific carveouts for activities such as safety evaluations, self‑driving vehicles, medical technology, and other activities in fashions which are are deemed safe by the Director-General. These carveouts may allow for training runs larger than 1e24 FLOP with ISIA oversight, or a presumption of approval from the ISIA for training runs between 1e22 and 1e24 FLOP.

1. Each Party shall ensure that within their jurisdiction, all covered chip clusters (CCCs), as defined in Article II (i.e., a set of chips with capacity greater than 16 H100-equivalents) [note that 16 H100s collectively cost around $500,000 in 2025 and these are rarely owned by individuals], are located in facilities declared to the ISIA, and that these AI chips are subject to monitoring by the ISIA.
   1. Parties shall aim to avoid co-locating AI chips with non-ancillary non-AI computer hardware in these declared facilities.
   2. These facilities shall be accessible to physical inspection. This may include, for instance, that verification teams can reach any CCC from at least one airport with scheduled international service within 12 hours.
   3. Parties shall not house AI chips in so many different locations that it is infeasible for the ISIA to monitor all locations. If requested by the ISIA, Parties must further consolidate their AI chips into fewer monitored facilities.

2. Unmonitored AI chips that are not part of a CCC (i.e., that have capacity less than 16 H100‑equivalents) may remain outside of ISIA‑declared facilities, provided that such stockpiles are not aggregated or networked to meet the CCC definition, are not rotated among sites to defeat monitoring, and are not used for prohibited training. Parties will make reasonable efforts to monitor the sale and aggregation of AI chips to ensure that any newly created CCCs are detected and monitored.
3. Within 120 days of the Treaty entering into force, each Party shall locate, inventory, and consolidate all CCCs into facilities declared to the ISIA. Parties shall not disaggregate, conceal, or otherwise reassign chips to evade this requirement or to cause a set of chips which would have been classified as a CCC to no longer be classified as a CCC.
4. The ISIA shall monitor the domestic consolidation process, including through on‑site inspections, document and inventory verification, accompaniment of domestic authorities during transfers and inspection, and information sharing with Parties under Article X. The ISIA may require chain‑of‑custody records for transfers and may conduct challenge inspections as described in Article X. Parties shall provide timely access to relevant facilities, transport hubs, and records. Whistleblower protections and incentives under Article X apply to the consolidation process, and the ISIA shall maintain protected reporting channels.
5. Within 120 days of the Treaty entering into force, Parties shall submit to the ISIA a register of their CCCs. The register must include the location, type, quantity, serial or other unique identifiers where available, and associated interconnects of all AI chips in the CCCs. Each Party shall provide the ISIA with an updated and accurate register no later than every 90 days.
6. Parties shall provide the ISIA with advance notice of any planned transfer of AI chips, whether domestic or international, no less than 14 days before the planned transfer. No transfer shall proceed unless the ISIA is afforded the opportunity to observe the transfer. For international transfers, both the sending and receiving Parties shall coordinate with the ISIA on routing, custody, and receipt. Emergency transfers undertaken for safety or security reasons shall be notified as soon as practicable, with post‑facto verification.
7. Broken, defective, surplus, or otherwise decommissioned AI chips shall continue to be treated as functional chips, until the ISIA certifies they are destroyed. Parties shall not destroy AI chips without ISIA oversight. Destruction or rendering permanently inoperable shall be conducted under ISIA oversight using ISIA‑approved methods and recorded in a destruction certificate [the details will need to be explained in an Annex]. Salvage or resale of components from such hardware is prohibited unless expressly authorized by the ISIA.

1. The ISIA will implement monitoring of AI chip production facilities and key inputs to chip production. This monitoring will ensure that all newly produced AI chips are immediately tracked and monitored until they are installed in declared CCCs and that unmonitored supply chains are not established.
   1. The ISIA will monitor AI chip production facilities determined to be producing or potentially producing AI chips and relevant hardware [the precise definitions of AI chip production facilities, AI chips, and relevant hardware would need to be further described in an Annex; the monitoring methods would also need to be described in an Annex].
   2. Monitoring of newly produced AI chips will include monitoring of production, sale, transfer, and installation. Monitoring of chip production will start with fabrication. The full set of activities includes fabrication of high-bandwidth memory (HBM), fabrication of logic chips, testing, packaging, and assembly [this set of activities would need to be specified in an Annex].

2. For facilities where ISIA tracking and monitoring is not feasible or implemented, production of AI chips will be halted. Production of AI chips may continue when the ISIA declares that acceptable tracking and monitoring measures have been implemented.
3. If a monitored chip production facility is decommissioned or repurposed, the ISIA will oversee that process, and, if done to the satisfaction of the ISIA, this ends the monitoring requirement.
4. No Party shall sell or transfer AI chips or AI chip manufacturing equipment except as authorized and tracked by the ISIA.
   1. Sale or transfer of AI chips within or between Treaty Parties shall have a presumption of approval and be tracked by the ISIA.
   2. Sale or transfer of AI chip manufacturing equipment within or between Treaty Parties shall not have a presumption of approval. Approval for such transfer shall be based on an assessment of the risk of diversion or Treaty withdrawal of the receiving Party.
   3. Sale or transfer of AI chips and AI chip manufacturing equipment to non-Party States or entities outside a Party State shall have a presumption of denial.

5. No Party shall sell or transfer non-AI advanced computer chips or non-AI advanced computer chip manufacturing equipment to non‑Party States or entities outside a Party State except as authorized and tracked by the ISIA.
6. Sale or transfer of non-AI advanced computer chips or non-AI advanced computer chip manufacturing equipment within or between Treaty Parties is not restricted under this Article.

1. Parties accept continuous on‑site verification of total chip usage by the ISIA at declared CCCs. The methods used for verification will be determined and updated by the Technical Secretariat, in accordance with the process described in Article III. These methods may include, but are not limited to:
   1. In-person inspectors
   2. Tamper-proof cameras
   3. Measurements of power, thermal, and networking characteristics
   4. On-chip hardware-enabled mechanisms, including retrofitted mechanisms
   5. Declaration of the workloads and operations of chips by the CCC operator
   6. Rerunning of declared workloads at an ISIA facility to confirm fidelity of declarations

2. The aim of this verification will be to ensure chips are not being used for prohibited activities, such as large-scale AI training described in Article IV.
3. In cases where the ISIA assesses that current verification methods cannot provide sufficient assurance that the AI hardware is not being used for prohibited activities, AI hardware must be powered off, and its non-operation continually verified by in-person inspectors or other ISIA-approved verification mechanisms.
4. The ISIA may impose various restrictions on how chips can operate in order to ensure proper verification. These restrictions may include but are not limited to:
   1. Restrictions on the bandwidth and latency between different chips, or between chips and their datacenter network, in order to distinguish permitted inference from prohibited training.
   2. Restrictions on the number or rate of FLOP/s or memory bandwidth at which chips can operate, in order to distinguish permitted inference from prohibited training or other prohibited workloads.
   3. Restrictions on the numerical precision of chip operations, in order to differentiate AI from non-AI workloads.

5. The ISIA will approach verification for different CCCs differently based on their likelihood of being used for AI activities and their sensitivity as relevant to national security.
6. The ISIA will lead research and engineering to develop better technologies for chip use monitoring and verification. Parties will support these efforts [more details would be provided in an Annex].

1. For the purpose of preventing specific research that advances the frontier of AI capabilities or undermines the ability of Parties to implement the measures in this Treaty, this Treaty designates research meeting any of the conditions below as Restricted Research:
   1. Improvements to the methods used to create frontier models, as defined in Article II, that would improve model capabilities or the efficiency of AI development, deployment, or use
   2. Distributed or decentralized training methods, or training methods optimized for use on widely available or consumer hardware
   3. Research into computer artificial intelligence paradigms beyond machine learning
   4. Advancements in the fabrication of AI-relevant chips or chip components
   5. Design of more performant or more efficient AI chips

2. The ISIA’s Research Controls division shall classify all Restricted Research activities as either Controlled or Banned.
   1. Each Party shall monitor any Controlled Research activities within its jurisdiction, and take measures to ensure that all controlled research is monitored and made available to the Research Controls division for review and monitoring purpose.
   2. Each Party shall not conduct any Banned Research, and shall prohibit and prevent Banned Research by any entity within its jurisdiction.

3. No Party shall assist, encourage, or share Banned Research, including by funding, procuring, hosting, supervising, teaching, publishing, providing controlled tools or chips, or facilitating collaboration.
4. Each Party shall provide a representative to the ISIA’s Research Controls division, under the Technical Secretariat (established in Article III). This division gains these responsibilities:
   1. Interpret and clarify the categories of Restricted Research, and respond to questions as to the boundaries of Restricted Research, in response to new information, and in response to requests from researchers or organizations or Party members.
   2. Interpret and clarify the boundary between Controlled Research and Banned Research, and respond to questions as to this boundary, in response to new information, and in response to requests from researchers or organizations or Party members.
   3. Modify the definition of Restricted Research and its categories, in response to changing conditions, or in response to requests from researchers or organizations or Party Members.
   4. Modify the boundary between Controlled Research and Banned Research in response to changing conditions, or in response to requests from researchers or organizations or Party Members.
   5. The Technical Secretariat may modify the categories, boundaries, and definitions of Restricted Research in accordance with the process described in Article III.

1. Each Party shall create or empower a domestic agency with the following responsibilities:
   1. Maintain awareness of and relationships with domestic researchers and organizations working on areas adjacent to Restricted Research, in order to communicate the categories of Restricted Research established in Article VIII.
   2. Impose penalties to deter domestic researchers and organizations from conducting Restricted Research. These penalties shall be proportionate to the severity of the violation and should be designed to act as a sufficient deterrent. Each Party shall enact or amend legal statutes as necessary to enable the imposition of these penalties.
   3. Establish secure infrastructure for reporting and containment of inadvertent discoveries meeting the conditions for Restricted Research. These reports will be shared with the Research Controls division.

2. To aid in the international verification of research bans, the Research Controls division will develop and implement verification mechanisms.
   1. These mechanisms could include but are not limited to:
      1. ISIA interviews of researchers who have previously worked in Restricted Research topics, or are presently working in adjacent areas.
      2. Monitoring of the employment status and whereabouts of researchers who have previously worked in Restricted Research topics, or are presently working in adjacent areas.
      3. Maintaining embedded auditors from the ISIA in selected high-risk organizations (e.g., projects difficult to distinguish from Restricted Research, organizations that were previously AI research organizations).
   2. Parties will assist in the implementation of these verification mechanisms.
   3. The information gained through these verification mechanisms will be compiled into reports for the Executive Council, keeping as much sensitive information confidential as possible to protect the privacy and secrets of individuals and Parties.

1. A key source of information for the ISIA is the independent information gathering efforts of Parties. As such, the Information Consolidation division (Article III) will be ready to receive this information.
   1. The Information Consolidation division shall take precautions to protect commercial, industrial, security, and state secrets and other confidential information coming to its knowledge in the implementation of the Treaty, including the maintenance of secure, confidential, and, optionally anonymous reporting channels.
   2. For the purpose of providing assurance or compliance with the provisions of this Treaty, each Party shall use National Technical Means (NTM) of verification at its disposal in a manner consistent with generally recognized principles of international law.
      1. Each Party undertakes not to interfere with the National Technical Means of verification of other Parties operating in accordance with the above.
      2. Each Party undertakes not to use deliberate concealment measures which impede verification by national technical means of compliance with the provisions of this Treaty.
      3. Parties are encouraged, but not obligated, to cooperate in the effort to detect dangerous AI activities in non-Party countries. Parties are encouraged, but not obligated, to support the NTM of Parties directed at non-Parties, as relevant to this Treaty.

2. A key source of information for the ISIA are individuals who provide evidence of dangerous AI activities to the ISIA. These individuals are subject to whistleblower protections.
   1. This Article establishes protections, incentives, and assistance for individuals (“Covered Whistleblowers”) who, in good faith, provide the ISIA or a Party with credible information concerning actual, attempted, or planned violations of this Treaty or other activities that pose a serious risk of human extinction, including concealed chips, undeclared datacenters, prohibited training or research, evasion of verification, or falsification of declarations. Covered Whistleblowers include employees, contractors, public officials, suppliers, researchers, and other persons with material information, as well as Associated Persons (family members and close associates) who assist or are at risk due to the disclosure.
   2. Parties shall prohibit and prevent retaliation against Covered Whistleblowers and Associated Persons, including but not limited to dismissal, demotion, blacklisting, loss of benefits, harassment, intimidation, threats, civil or criminal actions, visa cancellation, physical violence, imprisonment, restriction of movement, or other adverse measures. Any contractual terms (including non‑disclosure or non‑disparagement agreements) purporting to limit protected disclosures under this Treaty shall be void and unenforceable. Mistreatment of whistleblowers shall constitute a violation of this Treaty and be handled under Article XI, Paragraph 3.
   3. The ISIA shall maintain secure, confidential, and, optionally anonymous reporting channels. Parties shall establish domestic channels interoperable with the ISIA system. The ISIA and Parties shall protect the identity of Covered Whistleblowers and Associated Persons and disclose it only when strictly necessary and with protective measures in place. Unauthorized disclosure of protected identities shall constitute a violation of this Treaty and be handled under Article XI, Paragraph 3.
   4. Parties shall offer asylum or humanitarian protection to Covered Whistleblowers and their families, provide safe‑conduct travel documents, and coordinate secure transit.

3. The ISIA may conduct challenge inspections of suspected sites upon credible information about dangerous AI activities.
   1. Parties may request for the ISIA to perform a challenge inspection. The Executive Council, either by request or because of the analysis provided by the Information Consolidation division, will consider the information at hand in order to request additional information, of Parties or non-Parties, or to propose a challenge inspection, or to decide that no further action is warranted.
   2. A challenge inspection requires approval by a majority of the Executive Council.
   3. Access to a suspected site must be granted by the nation in which the site is present within 24 hours of the ISIA calling for a challenge inspection. During this time, the site may be surveilled, and any people or vehicles leaving the site may be inspected by officials from a signatory Party or the ISIA.
   4. The challenge inspection will be conducted by a team of officials from the ISIA who are approved by both the Party being inspected and the Party that called for the inspection. The ISIA is responsible to work with Parties to maintain lists of approved inspectors for this purpose.
   5. Challenge inspections may be conducted in a given Party’s territory at most 20 times per year, and this limit can be changed by a majority vote of the Executive Council.
   6. Inspectors will take absolute care to protect the sensitive information of the inspected state, passing along to the Executive Council only what information is pertinent to the treaty.

1. Any Party (“Concerned Party”) may raise concerns regarding the implementation of this treaty, including concerns about ambiguous situations or possible non-compliance by another Party (“Requested Party”). This includes misuse of Protective Actions (Article XII).
   1. The Concerned Party shall notify the Requested Party of their concern, while also sharing their concern with the Director-General and Executive Council. The Requested Party will acknowledge this notification within 36 hours, and provide clarification within 5 days.

2. If the issue is not resolved, the Concerned Party may request that the Executive Council assist in adjudicating and clarifying the concern. This may include the Concerned Party requesting a challenge inspection in accordance with Article X.
   1. The Executive Council shall provide appropriate information in its possession relevant to such a concern.
   2. The Executive Council may task the Technical Secretariat to compile additional documentation, convene closed technical sessions, and recommend resolution measures.

3. If the Executive Council determines there was a Treaty violation, it can take actions to prevent dangerous AI activities or reprimand the Requested Party. These actions may include:
   1. Require additional monitoring or restrictions on AI activities
   2. Require relinquishment of AI hardware
   3. Call for sanctions
   4. Recommend Parties take Protective Actions under Article XII

1. Recognizing that the development of ASI or other Dangerous AI Activities, as laid out in Articles IV through IX, would pose a threat to global security and to the life of all people, it may be necessary for Parties to this Treaty to take drastic actions to prevent such development. The Parties recognize that development of artificial superintelligence (ASI), anywhere on earth, would be a threat to all Parties. Under Article 51 of the United Nations Charter and as longstanding precedent, states have a right to self-defence. Due to the scale and speed of ASI-related threats, self-defence may require pre-emptive actions to prevent the development of ASI.
2. To prevent the development or deployment of ASI, this Article authorizes tailored Protective Actions. Where there is credible evidence that a State or other actor (whether a Party or a non‑Party) is conducting or imminently intends to conduct activities aimed at developing or deploying ASI in violation of Article I, Article IV, Article V, Article VI, Article VII, or Article VIII, a State Party may undertake Protective Actions that are necessary and proportionate to prevent activities. In recognition of the harms and escalatory nature of Protective Actions, Protective Actions should be used as a last-resort. Outside of emergencies and time-sensitive situations, Protective Actions shall be preceded by other approaches such as, but not limited to:
   1. Trade restrictions or economic sanctions
   2. Asset restrictions
   3. Visa bans
   4. Appeal to the UN Security Council for action

3. Protective Actions may include measures such as cyber operations to sabotage AI development, interdiction or seizure of covered chip clusters, military actions to disable or destroy AI hardware, and physical disablement of specific facilities or assets directly enabling AI development.
4. Parties shall minimize collateral harm, including to civilians and essential services, wherever practical, subject to mission requirements.
5. Protective Actions shall be strictly limited to preventing ASI development or deployment and shall not be used as a pretext for territorial acquisition, regime change, resource extraction, or broader military objectives. Permanent occupation or annexation of territory is prohibited. Action will cease upon verification by AIAI that the threat no longer exists.
6. Each Protective Action shall be accompanied, at initiation or as soon as security permits, by a public Protective Action Statement that:
   1. Explains the protective purpose of the action;
   2. Identifies the specific AI‑enabling activities and assets targeted;
   3. States the conditions for cessation;
   4. Commits to cease operations once those conditions are met.

7. Protective Actions shall terminate without delay upon any of the following:
   1. ISIA certification that the relevant activities have ceased.
   2. Verified surrender or destruction of covered chip clusters or ASI‑enabling assets, potentially including the establishment of sufficient safeguards to prevent Restricted Research activities.
   3. A determination by the acting Party, communicated to the ISIA, that the threat has abated.

8. Parties shall not regard measured Protective Actions taken by another Party under this Article as provocative acts, and shall not undertake reprisals or sanctions on that basis. Parties agree that Protective Actions meeting the above requirements shall not be construed as an act of aggression or justification for the use of force.
9. The Executive Council shall review each Protective Action for compliance with this Article and report to the Conference of the Parties. If the Executive Council finds that an action was not necessary, proportionate, or properly targeted, actions may be taken under Article XI, Paragraph 3.

1. For AI models created via declared training or post‑training within the limits of Article IV, the ISIA may require evaluations and other tests. These tests will inform whether the thresholds set in Article IV, Article V, Article VII, and Article VIII need to be revised. The methods used for reviews will be determined by the ISIA and may be updated.
2. Evaluations shall be conducted at ISIA facilities or monitored CCCs, by ISIA officials. Officials from Treaty Parties may be informed which tests are conducted, and the ISIA may provide a summary of the test results. Parties will not gain access to AI models they did not train, except when granted access by the model owner, and the ISIA will take steps to ensure the security of sensitive information.
3. The ISIA may share detailed information with Parties or the public, if the Director-General deems that this may be necessary to reduce the chance of human extinction from advanced AI.

1. Any State Party may propose amendments to this treaty. “Amendments” are considered revisions to the main body and Articles of the treaty. Amendments include revisions to the purpose of the Articles of the Treaty. Under Article III, The ISIA Technical Secretariat, with a majority vote from the Executive Council, may change specific definitions and implementation methods, such as those relevant to Article IV, Article V, Article VI, Article VII, Article VIII, Article IX, and Article X. Fundamental revisions to the purposes of these Articles or to voting procedures require an Amendment.
2. Such proposed amendments will be submitted to the ISIA Director-General and circulated to the State Parties.
3. For an amendment to be formally considered, one third or more of the State Parties must support its consideration.
4. Amendments to the main body of the treaty are not ratified until accepted by all State Parties (with no negative votes).
5. If the Executive Council recommends to all States Parties that the proposal be adopted, the changes will be considered approved if no State Party rejects it within 90 days.
6. Three years after the entry into force of this Treaty, a Conference of the Parties shall be held in Geneva, Switzerland, to review the operation of this Treaty with a view to assuring that the purposes of the Preamble and the provisions of the Treaty are being realized. At intervals of three years thereafter, Parties to the Treaty will convene further conferences with the same objective of reviewing the operation of the Treaty.

1. The Treaty shall be of unlimited duration.
2. Each Party shall in exercising its national sovereignty have the right to withdraw from the Treaty if it decides that extraordinary events, related to the subject matter of this Treaty, have jeopardized the supreme interests of its country. It shall give notice of such withdrawal to the ISIA 12 months in advance.
3. During this 12 month period, the withdrawing state shall cooperate with ISIA efforts to certify that after withdrawal, the withdrawing state will be unable to develop, train, post-train, or deploy dangerous AI systems, including ASI or systems above the Treaty thresholds. Withdrawing states acknowledge that such cooperation aids the ISIA and Parties in avoiding the use of Article XII.
   1. In particular, the withdrawing state, under ISIA oversight, will remove all covered chip clusters and ASI-enabling assets (e.g., advanced computer chip manufacturing equipment) from its territory to ISIA-approved control or render them permanently inoperable (as described in Article V).

4. Nothing in this Article limits the applicability of Article XII. A State that has withdrawn (and is therefore a non-Party) remains subject to Protective Actions if credible evidence indicates activities aimed at ASI development or deployment.