Article X: Information Consolidation and Challenge Inspections

A key source of information for the ISIA is the independent information gathering efforts of Parties. As such, the Information Consolidation division (Article III) will be ready to receive this information.
1. The Information Consolidation division shall take precautions to protect commercial, industrial, security, and state secrets and other confidential information coming to its knowledge in the implementation of the Treaty, including the maintenance of secure, confidential, and, optionally anonymous reporting channels.
2. For the purpose of providing assurance or compliance with the provisions of this Treaty, each Party shall use National Technical Means (NTM) of verification at its disposal in a manner consistent with generally recognized principles of international law.
  1. Each Party undertakes not to interfere with the National Technical Means of verification of other Parties operating in accordance with the above.
  2. Each Party undertakes not to use deliberate concealment measures which impede verification by national technical means of compliance with the provisions of this Treaty.
  3. Parties are encouraged, but not obligated, to cooperate in the effort to detect dangerous AI activities in non-Party countries. Parties are encouraged, but not obligated, to support the NTM of Parties directed at non-Parties, as relevant to this Treaty.

A key source of information for the ISIA are individuals who provide evidence of dangerous AI activities to the ISIA. These individuals are subject to whistleblower protections.
1. This Article establishes protections, incentives, and assistance for individuals (“Covered Whistleblowers”) who, in good faith, provide the ISIA or a Party with credible information concerning actual, attempted, or planned violations of this Treaty or other activities that pose a serious risk of human extinction, including concealed chips, undeclared datacenters, prohibited training or research, evasion of verification, or falsification of declarations. Covered Whistleblowers include employees, contractors, public officials, suppliers, researchers, and other persons with material information, as well as Associated Persons (family members and close associates) who assist or are at risk due to the disclosure.
2. Parties shall prohibit and prevent retaliation against Covered Whistleblowers and Associated Persons, including but not limited to dismissal, demotion, blacklisting, loss of benefits, harassment, intimidation, threats, civil or criminal actions, visa cancellation, physical violence, imprisonment, restriction of movement, or other adverse measures. Any contractual terms (including non‑disclosure or non‑disparagement agreements) purporting to limit protected disclosures under this Treaty shall be void and unenforceable. Mistreatment of whistleblowers shall constitute a violation of this Treaty and be handled under Article XI, Paragraph 3.
3. The ISIA shall maintain secure, confidential, and, optionally anonymous reporting channels. Parties shall establish domestic channels interoperable with the ISIA system. The ISIA and Parties shall protect the identity of Covered Whistleblowers and Associated Persons and disclose it only when strictly necessary and with protective measures in place. Unauthorized disclosure of protected identities shall constitute a violation of this Treaty and be handled under Article XI, Paragraph 3.
4. Parties shall offer asylum or humanitarian protection to Covered Whistleblowers and their families, provide safe‑conduct travel documents, and coordinate secure transit.

The ISIA may conduct challenge inspections of suspected sites upon credible information about dangerous AI activities.
1. Parties may request for the ISIA to perform a challenge inspection. The Executive Council, either by request or because of the analysis provided by the Information Consolidation division, will consider the information at hand in order to request additional information, of Parties or non-Parties, or to propose a challenge inspection, or to decide that no further action is warranted.
2. A challenge inspection requires approval by a majority of the Executive Council.
3. Access to a suspected site must be granted by the nation in which the site is present within 24 hours of the ISIA calling for a challenge inspection. During this time, the site may be surveilled, and any people or vehicles leaving the site may be inspected by officials from a signatory Party or the ISIA.
4. The challenge inspection will be conducted by a team of officials from the ISIA who are approved by both the Party being inspected and the Party that called for the inspection. The ISIA is responsible to work with Parties to maintain lists of approved inspectors for this purpose.
5. Challenge inspections may be conducted in a given Party’s territory at most 20 times per year, and this limit can be changed by a majority vote of the Executive Council.
6. Inspectors will take absolute care to protect the sensitive information of the inspected state, passing along to the Executive Council only what information is pertinent to the treaty.

Precedent

We previously discussed precedent for information consolidation with Article VIII, where we cited the existence of intelligence agreements understood to include compartmentalization practices like the “third party rule.” Similar rules can be seen in the IAEA, as in INFCIRC/153 Part 1.5:

…the Agency shall take every precaution to protect commercial and industrial secrets and other confidential information coming to its knowledge in the implementation of the Agreement.

Staff are bound by confidentiality obligations and face criminal penalties for leaks. This matters, because the IAEA has benefited from the intelligence disclosures of participating states, including satellite imagery and documents, as in the case of Iran’s undeclared enrichment activities. Similarly, the IAEA required a special inspection of North Korea’s undeclared plutonium production in response to provided intelligence.

Recognizing the indispensable role of national technical means (NTM — satellite imagery, signals collection, and other remote sensing) in verification of multilateral agreements, our draft agreement borrows language from the ABM treaty limiting anti-ballistic missile systems, in which “each Party shall use national technical means of verification” and “undertakes to not interfere with the national technical means of verification of the other Party.” Similar language can be found in Article XII of the 1987 Intermediate-Range Nuclear Forces Treaty, Article IV of the 1996 Comprehensive Nuclear-Test-Ban Treaty, and throughout the 2010 New START treaty.

As NTM would not be sufficient for detecting all dangerous violations in the case of ASI, we have borrowed features of the IAEA Safeguards framework that encourage internal reporting and provide channels for doing so. But these are hampered by a lack of explicit whistleblower protections; nothing in the NPT or these Safeguards would protect an informant from their government if it decides to retaliate unless that state has applicable domestic protections in place. The treaty-level provisions for whistleblower protection and asylum in our draft agreement are meant to address this shortcoming.

Recent EU legislation on AI has taken similar measures. The EU AI Act’s Recital 172 explicitly extends the Union’s existing general whistleblower protections to those reporting AI Act infringements.

The 1951 Refugee Convention provides a possible framework for granting asylum to informants, basing qualification on “well-founded fear of being persecuted,” though an amendment or supplemental agreement may be needed to ensure that AI whistleblowing is a legally qualifying cause of persecution.

Asylum for people with sensitive knowledge or expertise was routinely granted in the context of the Cold War and its aftermath. Section 7 of the CIA Act of 1949 provided for admission and permanent residence of up to a hundred defectors and their immediate families per fiscal year if deemed “in the interest of national security or essential to the furtherance of the national intelligence mission.” The Soviet Scientists Immigration Act of 1992 gave up to 750 visas to former Soviet and Baltic States scientists with “expertise in nuclear, chemical, biological or other high technology fields or who are working on nuclear, chemical, biological or other high-technology defense projects.”

The challenge inspections mechanism we lay out in Paragraph 3 of this article is modeled after that of Part IX of the CWC:

Each State Party has the right to request an on-site challenge inspection of any facility or location in the territory or in any other place under the jurisdiction or control of any other State Party for the sole purpose of clarifying and resolving any questions concerning possible non-compliance…

The CWC, along with other arms control treaties such as the INF and START I nuclear treaty between the U.S. and USSR, combines NTM with challenge-like inspections to verify compliance.

Notes

Intelligence Gathering

We expect all parties would make ongoing efforts to independently determine whether any actor is conducting dangerous AI activities, out of interest in their own security. A range of state intelligence gathering activities would supplement and validate monitoring the ISIA conducts directly (as described in Articles IV through VII). Towards that end, an Information Consolidation division is vital, and must be trusted to receive information from all parties.

Towards that end, confidentiality is vital, and must be sufficiently robust to assure state intelligence services that the risks imposed on their intelligence methods are minimal, and are justified in order to provide needed information to the ISIA. Avoiding collecting sensitive information whenever possible, and keeping the collected information in the strictest confidence, minimizes risks of compromise.

Article X also addresses the surveillance of non-signatories, where the need for intelligence is strong.

Article X stops short of imposing an obligation to surveil. It would be unprecedented to mandate the creation of a self-sufficient intelligence gathering capability within the ISIA at the required level of capability to give states assurance, and such it seems unnecessary in light of the fact that the creation of superintelligence would pose a grave security threat, which means all parties are already strongly incentivized to surveil and monitor any actor with that capability. Thus, the ISIA relies on parties to provide key intelligence

Whistleblower Protections

The overall effectiveness of this treaty relies on parties’ justified confidence that other parties are not undertaking prohibited AI activities. Even with National Technical Means and other intelligence gathering, it may be difficult for states to detect clandestine efforts to develop superintelligence. There are many domains in which it may not be feasible for states to gather intelligence on their rivals, such as efforts conducted inside military facilities. Whistleblowers can serve as an additional source of information, and the possibility of whistleblowing provides further deterrence against non-compliance.

Whistleblowers may be effective because individuals involved in secret treaty violations (e.g., clandestine training runs or AI research) may themselves be concerned about the danger from ASI. This article aims to make it safer and less costly for them to report violations, shifting the personal incentives away from silence and toward disclosure.

Whistleblowers could sound the alarm for violations of the treaty including:

Article IV: Training runs that are unmonitored, exceed thresholds, or use prohibited distributed training methods.
Article V: The existence of undeclared chip clusters, the failure to consolidate all covered hardware, or the diversion of chips to secret, unmonitored facilities.
Article VI: New manufactured AI chips diverted away from monitoring, or created without mandated security features.
Article VIII: Prohibited AI research.

Modifications to the whistleblower clauses could change its efficacy and political viability in various ways. For example, states could offer to financially compensate legitimate whistleblowers to provide additional incentives, but this may be seen as paying citizens to defect on their own countries.

Challenge Inspections

Challenge inspections are a critical function provided by the ISIA. Without the credible threat of detection, parties may fear that their rivals would attempt to cheat the treaty (despite the lose-lose nature of a race to superintelligence). Intelligence gathering is one method to combat apparent (illusory) incentives to defect.

Article XI: Dispute Resolution

→