Third-Party Compliance Reviews for Frontier AI Safety Frameworks

arXiv:2505.01643v2 [cs.CY] 4 Jul 2025 Third-party compliance reviews for frontier AI safety frameworks Aidan Homewood∗ 1 Sophie Williams1 Noemi Dreksler1 John Lidiard1 Malcolm Murray2 Lennart Heim1 Marta Ziosi† 3 Seán Ó hÉigeartaigh4 Michael Chen5 Kevin Wei6 Christoph Winter4,7 Miles Brundage8 Ben Garfinkel1 Jonas Schuett1 1Centre for the Governance of AI 2SaferAI 3Oxford Martin AI Governance Initiative 4Leverhulme Centre for the Future of Intelligence, University of Cambridge 5METR 6Harvard University 7Institute for Law & AI 8Independent

Abstract

Safety frameworks have emerged as a best practice for managing risks from frontier artificial intelligence (AI) systems. However, it may be difficult for stakeholders to know if companies are adhering to their frameworks. This paper explores a potential solution: third-party compliance reviews. During a third-party compliance review, an independent external party assesses whether a frontier AI company is complying with its safety framework. First, we discuss the main benefits and challenges of such reviews. On the one hand, they can increase compliance with safety frameworks and provide assurance to internal and external stakeholders. On the other hand, they can create information security risks, impose additional cost burdens, and cause reputational damage, but these challenges can be partially mitigated by drawing on best practices from other industries. Next, we answer practical questions about third-party compliance reviews, namely: (1) Who could conduct the review? (2) What information sources could the reviewer consider?

Executive summary

This paper makes the case for third-party compliance reviews for frontier AI safety frameworks and answers practical questions about how to conduct them. What are third-party compliance reviews? (Section 1) During a third-party compliance review, an independent external party assesses whether a frontier AI company complies with its safety framework. Anthropic and G42 have already committed to commissioning such reviews, while the third draft of the EU General-Purpose AI Code of Practice recommends that companies assess whether they will adhere to their framework. Note that compliance reviews are distinct from adequacy reviews, which examine whether or not a safety framework and the way it is implemented are adequate for mitigating the risks posed by frontier AI systems. The case for third-party compliance reviews (Section 2) Third-party compliance reviews can benefit a frontier AI company in three main ways. First, they likely increase compliance with safety frameworks, which aim to keep risks associated with the development and deployment of frontier AI systems to an acceptable level. Second, they provide assurance to external stakeholders that the company is compliant with its safety framework (e.g. the public, government bodies, and other frontier AI companies). Third, they provide assurance to internal stakeholders (e.g. senior management, the board of directors, and employees). However, third-party compliance reviews also present several challenges. For example, they can create new security risks if sensitive information is leaked. They can also impose substantial time and financial costs on frontier AI companies. Additionally, they could provide inaccurate results, leading to reputational damage or a false sense of security. Practical obstacles also arise, including measurability challenges and the risk of employee self-censorship. However, these challenges are not unique to frontier AI companies. They can be mitigated through measures often used in audit and assurance (e.g. segregating and monitoring reviewer duties, appointing an internal liaison, and choosing a competent reviewer). How to conduct third-party compliance reviews (Section 3) We identify six key aspects of compliance reviews and evaluate options for each of them.Question Options Who could conduct the review?

2.1 Benefits

Third-party compliance reviews offer three key benefits to a frontier AI company. Increased compliance. Third-party compliance reviews are likely to increase the extent to which companies adhere to their safety frameworks. For example, research has found that employees tend to improve their performance when anticipating an audit (Neidermeyer & Neidermeyer, 2005). They also become more accountable to their peers (Cardinaels & Jia, 2012), management (Pilbeam et al., 2016), and auditors (Ewelt-Knauer et al., 2021). Because reviews provide an independent perspective, they can also identify areas of noncompliance that companies themselves may overlook. Employees may even reveal compliance issues to reviewers that they had not shared with upper management (Tynan, 2005). This can help to ensure that the objectives of the safety framework are met. Assurance for external stakeholders. Third-party compliance reviews provide assurance to external stakeholders through external validation. Internal teams could conduct similar reviews, but external stakeholders might question their reliability (Brundage et al., 2020; Avin et al., 2021; Ashfaq et al., 2021). Independent reviews produce findings that stakeholders are more likely to view as trustworthy (Öhman et al., 2012). Relevant stakeholders include government entities and society, as they may want to verify company claims about responsible AI development practices. Compliance reviews also provide other frontier AI companies with evidence that their competitors are implementing safety measures. This is particularly valuable given that some companies define acceptable risk relative to competitors’ deployments (Meta, 2025; OpenAI, 2025). Publication of the review’s results could also reduce pressure to release untested models (Brundage et al., 2020) thus lessening race dynamics. Compliance reviews may also provide assurance to downstream developers (Williams et al., 2025) and users, especially in cases where they have limited visibility into the foundation models they are using. This can enhance security confidence for customers who process sensitive data through these systems. As a result, a frontier AI company that proactively seeks compliance reviews may build a stronger reputation for themselves in the long term. Assurance for internal stakeholders. Third-party compliance reviews also provide assurance to internal stakeholders about safety framework adherence. Internal stakeholders include senior management, board members, and employees working on unrelated projects. Generally, the company or reviewer will provide the board and management with a detailed report covering the review’s findings. This enables boards and management to effectively address safety framework compliance gaps. Other governing bodies such as Anthropic’s Long-Term Benefit Trust (Anthropic, 2023) or Google DeepMind’s AGI Safety Council (Dragan et al., 2025) could receive a similar report. This would enable them to consider safety framework compliance when making decisions. Employees could receive lightly redacted reports under non-disclosure agreements, instead of the full version. This would still allow them to gain a detailed understanding of safety framework compliance and the reviewer’s recommendations, whilst presenting less risk than external disclosure.

2.2 Challenges

At the same time, third-party compliance reviews pose some challenges. Below, we set out four key challenges and suggest ways to address them. Security risks. Third-party compliance reviews may increase security risks for a frontier AI company. Reviewers may have access to sensitive information about hardware and software providers, security systems, and internal security processes. This information could be used to identify security weaknesses (Nelson & Simek, 2013; Thompson, 2017). Furthermore, if a reviewer were to improperly store this information, this could create an attack surface for adversaries. Model weights represent one critical intellectual property at risk. Model weight theft threatens national competitiveness and security (Nevo et al., 2024). Tacit information about the model development process is another critical intellectual property. This knowledge could similarly compromise national competitiveness and security. Third-party induced security incidents have been documented in other industries. One study found 247 such incidents in public firms between 2000 and 2020 (Benaroch, 2021). In one notable example, an insider from Amazon Web Services identified a misconfiguration during a cloud security compliance review. This person later exploited this weakness to access Capital One’s cloud storage, exposing sensitive banking data. Although unlikely, this suggests reviewers could exploit sensitive information they encounter during reviews. This might result in intellectual property leakage or exposure of sensitive commercial information (e.g. model release schedules). Information leaks could also trigger negative media coverage. A frontier AI company can mitigate security risks through techniques used on other highly sensitive industries. Most obviously, the company can also be selective about what information is shared with the reviewer (see Section 3.2 and Section 4). Auditor activities (e.g. the files they read) can be tracked using an “audit trail” (Layton, 2016; Duncan & Whittington, 2016; ISO, 2022). Duties can be segregated and role-based access management can be implemented for individual review employees (Hewett et al., 2008; Aftab et al., 2019; ISO, 2022). Enhanced physical security can be established through document review rooms, asset controls (check in/check out), and escort protocols (Lightman et al., 2022). For less sensitive material, secure document management and transfer software can be used (Jagadeeswari et al., 2023). Companies can vet reviewers through processes similar to internal hiring procedures (see ISO, 2022). Third-party compliance reviews may also improve security by identifying issues. This identification may allow for quick fixes or security process improvements. Private third parties routinely conduct security compliance reviews in industries with the highest security needs (e.g. banking and cloud services) (Bryce, 2019; Federal Deposit Insurance Corporation, 2023; Lins et al., 2018) . Anthropic already holds external certification for ISO 27001, an information security standard (see Anthropic, n.d.), while OpenAI commits to third-party audits of their security controls (OpenAI, 2025). The security benefits from compliance reviews may therefore outweigh the security risks they create. Cost burden. Third-party compliance reviews will likely impose a cost burden on a frontier AI company. This could manifest in several ways, including the diversion of employee and management time, the use of internal resources, and direct monetary cost from reviewer fees. Negotiating the terms of the review and managing employees’ expectations requires time and attention from senior management. Employees may also be required to participate in interviews or engage in other timeconsuming interactions with reviewers. Legal teams, in particular, might need to oversee document disclosure and monitor reviewer access to sensitive information, especially if there are concerns about confidentiality breaches or other legal risks (Berkowitz, 2021). Reviewer fees typically scale with the time spent on the engagement, meaning longer or more complex reviews can drive up costs. If relevant information is fragmented across multiple teams or departments this may result in a prolonged review process. Some of these costs do not vary with the scope of the review, so third-party compliance reviews may be too costly for smaller AI companies with limited budgets and management capacity. However, several strategies drawn from auditing and assurance practices can help to manage costs. First, a frontier AI company could adopt a more minimalist approach to the review (see Section 4). Second, appointing a dedicated review liaison can streamline communications and coordination (Ismael & Roberts, 2018). Third, early engagement with legal teams can proactively address potential issues related to confidentiality and access, reducing bottlenecks later in the process. Fourth, initiating a structured kick-off session between reviewers and company employees can help set clear expectations and promote efficiency from the outset. Finally, the frontier AI company could complete an internal compliance review in advance, allowing them to identify and resolve issues before the third-party review begins (Abbott et al., 2012). False results. Third-party compliance reviews may provide false results that mislead a frontier AI company and their stakeholders. False positives occur when reviewers deem a company compliant with its safety framework when it is not. This creates a false sense of security within the company and among stakeholders. Reviewers face strong incentives that can compromise their objectivity. Auditors want to retain large clients, particularly in concentrated markets, which may lead to overly positive reviews (Wills, 2025). Smaller auditors could face even stronger retention pressure since large clients are likely to represent a larger portion of their overall revenue. Reviewers may have a conflict of interest if they provide the company with other services (e.g. consulting or model evaluations), which could lead to false positive results (Salehi, 2009; Tepalagul & Lin, 2023). However, firms typically seek highly reputable auditors (Barton, 2010), which also provides auditors with an incentive to maintain their reputation. False negatives present a different problem. They occur when reviewers incorrectly determine that a company is not compliant with its safety framework. This can subject companies to unjustified negative attention. A frontier AI company can reduce the risk of false results through several approaches. First, they can ensure reviewers receive adequate information to complete effective reviews (or, at the very least, acknowledge where information might be insufficient). Second, they can ensure that reviewers possess the expertise and resources needed to conduct an effective review – for example, by opting to employ multiple reviewers (see Section 3.1). Third, they can reduce potential conflicts of interest – for example, by choosing a reviewer not providing other services for a fee (e.g. consulting, model evaluations). Measurability challenges. Measuring compliance with the commitments in the safety framework also presents significant challenges. Key commitments may be subjective or open to interpretation, potentially setting a low bar for certifying a frontier AI company as safe. In some cases, thresholds for commitments evolve through an unspecified process (Kasirzadeh, 2024), creating ambiguity when evaluating if a threshold was met and whether corresponding mitigations were applied. OpenAI’s initial Preparedness Framework illustrates this problem by stating that risk thresholds (low, medium, high, and critical) are “speculative and will keep being refined” (OpenAI, 2023). Without internal documentation providing additional clarity, significant time may be needed to define or operationalize aspects of the safety framework. Alternatively, reviewers might declare in their report that they cannot determine compliance with a requirement due to insufficient information. Compliance reviews lose effectiveness without sufficient operationalization, potentially becoming mere box-ticking exercises for commitments so vague they cover a wide range of company behaviors. A frontier AI company can improve measurability through several approaches. One approach is to enhance future iterations of safety frameworks or internal documentation. For example, companies could clarify the intended scope and frequency of compliance reviews in their safety framework. Companies could also enhance future safety frameworks by replacing optional clauses with if-then commitments (Karnofsky, 2024). For example, instead of writing that they “may also solicit external expert input prior to making final decisions on the capability and safeguards assessments” (Anthropic, 2025), they could specify conditions that would trigger expert consultation. Companies could also specify their response to new information or practices. For example, rather than stating that they “expect concrete measures implemented to reach each level of security to evolve substantially” (Google DeepMind, 2025b), they could specify the sources they expect to rely on for new information (e.g. security reports from leading think tanks), establish methods for deciding which measures merit implementation, and assign responsibility for implementing new measures. Another way to improve measurability would be to require reviewers to highlight any commitments requiring further operationalization after completion of a review. Self-censorship. Employee self-censorship also presents a significant limitation of third-party compliance reviews. Employees may voluntarily withhold or alter information they provide to reviewers due to three main factors: psychological concerns, organizational influences, and legal considerations. Psychological factors emerge when employees are concerned about retaliation from peers or management for speaking up (Ewelt-Knauer et al., 2021; Lee et al., 2021). This can create reporting gaps (O’Brien et al., 2024) or chilling effects throughout the organization. Employees may also believe their disclosures will not lead to meaningful change, discouraging them from revealing safety framework compliance concerns (Lee et al., 2021). Organizational factors include employees’ desire to maintain high financial compensation from their employer (Balafoutas et al., 2020). The company culture may also foster a “code of silence” where employees subtly or explicitly agree to remain silent about compliance concerns. For example, one study found that employees may act dishonestly as a group when collective rewards exist (Balafoutas et al., 2020). This is particularly important if model deployment, or increases to the market capitalization of a frontier AI company, act as collective rewards. Finally, legal considerations can also shape employee self-censorship, since frontier AI companies may be within scope of several authorities in the United States. This includes the Defense Production Act, the Export Administration Regulations, the International Emergency Economic Powers Act, and the Federal Trade Commission consumer protection authorities (Bullock et al., 2024). Reviews that reveal awareness of potential harms without appropriate responses may establish negligence in subsequent legal proceedings, increasing company liability. In addition, employees with confidentiality agreements might worry about contract breaches when sharing information with external reviewers. Companies can mitigate employee self-censorship through a range of interventions. Organizations can implement anonymous reporting systems or surveys that allow employees to share concerns without fear of identification. They can conduct private interviews designed to be credibly anonymous and build trust with employees. Companies can establish robust whistleblower protections that shield employees who report compliance concerns (Anderljung et al., 2023). Management can clearly explain to employees their exact legal obligations, while clarifying the scope of confidentiality agreements. They can also set explicit expectations about what information employees should share with reviewers. Finally, companies can offer financial bonuses for compliance and apply penalties for noncompliance (Fochmann et al., 2020). The limitations described above may raise concerns among a frontier AI company considering thirdparty compliance reviews. However, auditing practices in other industries demonstrate that it may be possible to mitigate them effectively. 3 Key aspects of the review In this section, we examine six aspects of third-party compliance reviews for frontier AI safety frameworks, namely who could conduct the review (Section 3.1), what information sources they could consider (Section 3.2), what assessment framework could be used (Section 3.3), what information could be disclosed externally (Section 3.4), how AI companies could respond to findings (Section 3.5), and when a review could be completed (Section 3.6). For each question, we list plausible options and discuss their main advantages and disadvantages.

3.1 Who could conduct the review?

We assess six options for who could conduct compliance reviews: Big Four accounting firms, evaluation firms, consulting firms, AI audit firms, security audit firms, and law firms. Our assessment is based on five criteria: (1) AI expertise, (2) risk management expertise, (3) compliance review expertise, (4) public reputation, and (5) ability to handle sensitive information (see Table 1). Big Four firms. One set of potential reviewers are the Big Four accounting firms: KPMG, EY, PwC and Deloitte. These four professional services firms conduct financial audits for virtually all large companies in the world. In 2017, all 500 companies in the S&P 500 index used a Big Four auditor (Gow & Kells, 2018). They also conduct compliance audits with legal requirements like the EU Digital Services Act, including securities regulation (Peterson, 2017) and Environmental, Social and Governance internal frameworks and internal standards (Gipper et al., 2024). Big Four firms offer several benefits as compliance reviewers. They may have superior risk management expertise from their work in other industries, which may cause a greater reduction in corporate risk compared to other audit firms (Bley et al., 2018). They have compliance audit and compliance review expertise across different industries, including banks and defense clients (Gow & Kells, 2018). This expertise suggests their superior security resources and experience (Rosati et al., 2020). Collusion and fraud are less likely than with other categories of firms (Lennox & Pittman, 2008), though their professional standards may vary depending on the context. Big Four reviewers provide greater assurance to stakeholders because of their good reputation (Ege et al., 2025). However, these firms also face limitations. They may have very limited frontier AI expertise. Although each firm has set up responsible AI teams (Bruno & Skoglund, 2024), they do not usually focus on frontier AI. The improved quality of Big Four audits may rely on partner quality (Che et al., 2019), and experienced partners may not yet be available in the AI governance context. It remains unclear if they would find Criteria Big Four firms AI evaluation firms Consulting firms AI audit firms Security audit firms Law firms AI expertise Low. Little to no context on frontier AI and common risk mitigations. High. Experience evaluating risks and mitigations for frontier models. Low. Little to no context on key AI risks and common mitigations. Medium. Some experience of risks and mitigations for frontier models. Low. Little to no context on frontier AI and common risk mitigations. Low. Little to no context on key AI risks and common mitigations. Risk management expertise High. Experience managing risks across different industries. Medium. Some experience managing risks in the AI context. High. Experience managing risks across different industries. Medium. Some experience managing risks in the AI context. High. Extensive experience with technical risk assessment frameworks. Medium. Some experience managing risks in a legal context. Compliance review expertise High. Experience conducting compliance reviews across different industries. Low. No experience conducting compliance reviews. Low. Little to no experience conducting compliance reviews. Medium. Some experience conducting compliance audits in the AI context. Medium. Experience with security compliance assessments. Medium. Some experience with regulatory compliance assessments. Public reputation High. Multinational companies and their shareholders rely on their audits. High. AI companies and external stakeholders rely on their evaluations. Medium. Large companies, but not stakeholders, rely on their consulting. Medium. Some large clients, but limited public visibility. Medium. Some large clients, but limited public visibility. Medium. Large companies, but not stakeholders, rely on their advice. Ability to handle sensitive information High. Experience in national security and defense sectors. Medium. Experience conducting evaluations for frontier developers High. Experience in national security and defense sectors. Low. Limited use of security tools and techniques. High. Specialized in handling security-critical information. Medium. Experience with non-technical client information.Table 1: Comparative analysis of potential reviewers. this market attractive; the segment might be too small relative to their established business, and they might perceive potential reputational risks. AI evaluation firms. AI evaluation firms, such as METR and Apollo Research, represent another set of potential reviewers. These specialized organizations focus on technical assessments of AI systems, particularly frontier models. They offer technical evaluation services ranging from model testing and benchmarking to vulnerability assessments and safety analyses for frontier AI companies. AI evaluation firms offer important benefits. Their extensive frontier AI expertise places them at the frontier of evaluation science. Existing relationships with frontier AI companies suggest that these firms have already addressed security concerns and internal cost limitations. Such established connections may also foster trust from other frontier AI companies in the review results. But these firms also have possible limitations as compliance reviewers. Despite having potential for growth with proper investment, these firms currently maintain limited organizational capacity. Compliance reviews represent uncharted territory, as these companies have no previous experience conducting such assessments. The narrow focus on AI also prevents these evaluators from applying relevant insights from similar compliance work in other industries. Consulting firms. Consulting firms, particularly McKinsey, BCG, Bain & Company, Accenture, and Capgemini represent another set of potential reviewers. These professional services firms provide strategic and operational advice on business activities across diverse sectors and contexts. Their services typically focus on improving organizational performance, strategy formulation, and implementation of business solutions. Consulting firms offer several benefits for compliance reviews. Their experience across industries may provide valuable risk management expertise. These firms maintain robust protocols for appropriately handling sensitive information, demonstrated through their work with government and banking clients. Their established reputations in the business community likely provide greater assurance to stakeholders regarding the credibility of review results. But these firms also have limitations in the context of a safety framework compliance review. Unlike accounting firms, most consulting organizations do not typically offer structured compliance review services as part of their core offerings. Although they possess well-developed security resources and experience through engagements with large companies, banks, and national security clients, their capabilities mirror those of Big Four firms without additional advantages. Much like the Big Four, their frontier AI expertise remains limited. While some consulting firms have established specialized AI teams, such as Bain & Company’s Responsible AI program, these initiatives rarely focus on frontier AI technologies and their unique governance challenges. AI audit firms. Specialized AI audit firms, such as BABL AI and Holistic AI, are another set of potential reviewers. These boutique organizations offer dedicated AI audit services focused on compliance with standards like ISO 42001, HIPAA, and the NYC Bias Audit law. However, their expertise typically centers on downstream applications rather than foundation models, which may limit their ability to address the unique challenges of frontier AI systems. AI audit firms provide several distinctive benefits. Some possess frontier AI expertise along with a comprehensive understanding of evaluation methodologies and widely implemented safety measures. Their familiarity with organizational policies in the AI context enables them to navigate internal governance structures effectively. Several of these firms demonstrate particular skill in translating abstract internal policies into concrete operational processes that support compliance objectives. But limitations also constrain the suitability of AI audit firms. Their specialized focus on AI means they lack insights into similar compliance work in other regulated industries. Their security capabilities present another concern, as these organizations typically maintain limited security resources and experience. This deficiency stems from the relatively lower security requirements of their usual clients – downstream AI deployers – compared to the robust security needs of banks, defense contractors, and national security clients. Security audit firms. Security audit firms, such as NCC Group, IOActive, and Mandiant (now part of Google), represent another potential set of reviewers. These specialized companies evaluate organizations’ cybersecurity practices, information systems, and technical infrastructure for vulnerabilities and compliance with security standards. They typically conduct penetration testing, vulnerability assessments, and security compliance reviews across various industries. Security audit firms offer several benefits. They possess strong technical expertise in evaluating complex systems and identifying security weaknesses. Many security audit firms also have experience handling highly sensitive information and maintaining confidentiality. Their familiarity with risk assessment frameworks and various compliance standards provides valuable context for evaluating compliance with frontier AI safety frameworks. However, these firms also have limitations. Most security audit firms have limited AI-specific expertise, particularly in regard to frontier AI capabilities and risks. Their assessments typically focus on technical security concerns rather than broader governance issues relevant to AI compliance. Furthermore, while security audit firms understand technical controls, they may have less experience with the organizational governance structures necessary for effective frontier AI risk management. Law firms. The final set of potential reviewers we identify is law firms. Big law firms like Latham & Watkins or Freshfields regularly advise on legal compliance and conduct internal investigations, and sometimes serve as third-party monitors to ensure ongoing regulatory adherence (Martinez, 2013). A big law firm with a dedicated technology practice, or a specialized AI governance firm (e.g. ZwillGen), may be particularly appropriate for conducting AI compliance reviews. Law firms offer several unique benefits for compliance reviews. Many have established expertise in conducting internal investigations (Davis, 2019). Their professionals possess refined skills in gathering evidence through various methods, particularly interviews with organizational stakeholders. A significant advantage in many jurisdictions is that attorney-client privilege can provide legal protection for sensitive communications and findings generated during the review process. But law firms also have limitations in the AI compliance context. Even law firms specializing in AI governance likely lack the frontier AI expertise necessary for evaluating advanced systems. Most top legal practices have minimal experience conducting comprehensive compliance reviews compared to their traditional advisory roles. Their security capabilities present another concern, as these firms typically maintain limited security resources and technical experience. While they routinely handle legally sensitive information, they rarely interact with sensitive details about IT and cybersecurity systems. Finally, law firms generally lack experience operationalizing internal policy. Hybrid approaches. Two or more of the above firms could collectively carry out a compliance review. This collaborative approach could be implemented through several structures: contracting different firms individually, engaging a single consortium of providers, or contracting a primary firm that then subcontracts one or more additional firms (see Figure 1). Big Four accounting firms routinely engage domain experts as subcontractors to complete specialized audits or assurance engagements. Although less common, they also occasionally serve as subcontractors themselves, sometimes loaning professional staff to support the internal audit functions of client companies (Glover et al., 2006). Hybrid approaches offer significant benefits for complex compliance reviews. The primary advantage is complementary expertise – a gap in one firm’s capabilities can be effectively addressed by partnering with another organization that possesses the required competencies. For example, combining a Big Four accounting firm with an AI evaluation firm could create a comprehensive review team with both established compliance methodologies and frontier AI expertise, while maintaining a high ability to handle sensitive information (see Table 1). However, hybrid approaches introduce several limitations. Company Domain expert Professional services firm Professional services firm Domain expert Domain expert Company Company Professional services firm Domain expert Domain expert Professional services firm Domain expert Domain expert Company Company individually contracts professional services firm and domain experts Company contracts consortium of professional services firm and domain experts Professional services firm subcontracts domain experts Domain expert subcontracts professional services firm a b c dFigure 1: Different models for potential hybrid approaches. A frontier AI company may face higher setup costs due to increased contractual complexity when multiple service providers must be engaged simultaneously. This challenge could potentially be mitigated by working with a Big Four firm that maintains existing subcontractor relationships or internal capabilities for identifying and managing specialized partners. Organizational clarity presents another concern – contracting different firms individually or engaging a consortium may create confusion among employees and relevant stakeholders about roles and responsibilities. Finally, these approaches may result in blurred accountability when multiple organizations share responsibility for review outcomes, potentially complicating remediation efforts if deficiencies are identified. Our analysis demonstrates distinct strengths and limitations across the various potential reviewers. Each category offers unique capabilities that may be valuable depending on specific organizational needs and compliance contexts. The comparative assessment highlights important tradeoffs between technical AI expertise, knowledge of risk management, established compliance methodologies, reputation, and security capabilities. Organizations considering compliance reviews must carefully weigh these factors against their particular requirements. Hybrid approaches that combine complementary capabilities from different reviewer categories may provide comprehensive solutions that address the complex challenges of frontier AI safety framework compliance.

3.2 What information sources could the reviewer consider?

Reviewers can use various information sources to assess a company’s adherence to its safety framework. We classify these sources into four tiers: (1) structural, (2) procedural, (3) operational, and (4) technical. Table 2 provides a list of information sources with ratings to indicate their confidentiality. Structural information sources. Structural information sources provide high-level information about how an organization intends to govern safety. These sources include organizational charts, board minutes, and public outputs. These sources allow reviewers to map formal lines of responsibility and Type of information source Information source Description Confidentiality Structural information sources Public outputs System cards, blog posts, press releases, social media posts, interviews, etc. Public Organization charts Diagrams showing job titles, names and key responsibilities Low Written representations Signed statements, typically by management, to confirm their responsibilities, activities, and other factual matters Low Board minutes Written records of the discussions, decisions, and actions taken during board meetings Medium Governance interviews Interviews with senior executives Medium Previous internal compliance reviews Reports, documents, or notes describing the preliminary learnings or final conclusions from previous internal reviews Medium Procedural information sources Process documentation Internal documents describing procedural steps and the responsibilities of employees or other stakeholders Low Internal reports Internal documents describing events (e.g. results from experiments, details of an incident, how a process unfolded) Low System documentation Documents explaining how a system works and provide guidance on how to use it Medium Process communications Approval emails, request tickets and standard escalation threads Medium Process-owner interviews Targeted interviews with employees that lead the implementation of specific processes Medium Operational information sources External inquiries Inquiries of relevant external parties clarifying the existence and extent of external engagement Low Staff interviews Interviews with personnel to uncover how processes and controls function in daily practice. Medium Casual conversations Informal, unplanned conversations between the reviewer and employees Medium Attending meetings Notes from passively attending meetings between employees, leadership, and/or external parties Medium Operational communications Emails, message threads, ticket escalations, and call summaries that capture team coordination around safety‑relevant anomalies, urgent requests, and deviations from expected operation High Walkthroughs Process by which the reviewer physically observes and traces a workflow from start to finish, documenting each step and responsible party High Technical information sources Model access (via an API) Access to the company’s models through an API Public Evaluation results Results of AI model evaluations (i.e. tests of their capabilities, limitations, and potential risks) High Monitoring systems Tools and dashboards used to observe model behavior in production High System logs Chronological records of events, operations and state changes within a system High Reviewer testing Tests of the live infrastructure (e.g. incident-response run-throughs), evaluations of AI models (i.e. tests of model capabilities, limitations, and potential risks). High Model architecture and development process Detailed model information regarding e.g. architecture and training process High Model weights (via Privacy-preserving access) Privacy-preserving access to model weights for interpretability work HighTable 2: List of information sources and their level of confidentiality. risk management commitments. Many industries commonly use these sources in audits. Structural information sources offer some key benefits. First, requests for information can be handled by senior staff and kept to a minimum. Second, these sources consist mainly of electronic documents, meaning that costs are kept low. Third, information security risks remain low as reviewers do not need access to production systems or sensitive data. However, restricting a review to these structural information sources also has limitations. First, reviewers may not be able to identify compliance gaps or behavioral drift because the information is high-level. As a result, the findings would provide limited assurance of actual compliance. Second, key indicators of operational failures or control weaknesses (i.e. logs, internal communications, or process documentation) are unavailable, limiting the potential for corroboration between sources. Third, these sources do not provide insight into the safety culture or staff experiences. Fourth, using these sources alone may lead to recommendations that are too generic to lead to meaningful improvements. Procedural information sources. Procedural information sources reveal how a company implements its policies and governance intentions. These include system documentation, logs, and process communications. These sources allow reviewers to confirm that controls are in place, trace specific events, and uncover procedural weaknesses that structural sources may miss. These sources are routinely used in audits, particularly within the technology sector. Procedural information sources provide additional benefits beyond structural ones. First, they allow reviewers to assess if relevant processes and controls exist. Second, reviewers can make more confident findings, providing stakeholders with greater assurance. However, limitations exist with procedural information sources too. For example, access to logs or ticketing systems could surface personal data, model details, or trade secrets. Risk reduction methods (e.g. redaction, masking, on-premise viewing, and audit-trail logging) reduce this risk but add coordination time and effort. Furthermore, reviewers are unable to factor in organizational culture, tacit knowledge, and undocumented norms. Finally, staff might self-censor or move sensitive discussions to untraceable channels, reducing the value of examining their communications (see Section 2.2). Operational information sources. Operational information sources provide direct or near-real-time visibility into granular tasks, decision-making, and team interactions. These sources include staff interviews, operational communications, and walkthroughs. Their purpose is to verify that controls function as intended while surfacing tacit knowledge and behavioral drift. These sources are routinely used in audits, particularly within the technology sector. Operational information sources offer further benefits beyond structural and procedural ones. These sources allow reviewers to uncover tacit, undocumented information about company activities. These sources can also allow reviewers to make more confident findings, providing stakeholders with greater assurance. In addition, these sources allow reviewers to make more practical recommendations about how to improve compliance. However, tacit information about security, alongside reviewer testing, could further exacerbate information security risks. Various teams would need to provide considerable input to organize observations, prepare test environments, and manage external inquiries. Technical information sources. Technical information sources originate from the deployed model and its supporting infrastructure. These include API access to AI models, evaluation results, and model architecture and development process. Reviewers can use these sources to verify the implementation of technical requirements and safeguards mandated by the safety framework. Technical information sources offer a number of benefits. These sources allow reviewers to test safety claims with actual system data rather than relying solely on internal reports or system cards. Second, these sources can contain fine-grained technical evidence to identify the causes of safety failures. This allows reviewers to produce confident findings, providing the highest level of stakeholder assurance. Finally, reviewers could better scrutinize the development process with more access to technical information, which could improve the credibility of the review (Casper et al., 2024). However, reviewer access to technical information sources also has limitations. Access to model internals can risk intellectual property theft, data leakage, and potential misuse. In addition, many system-level tests require specialized expertise and significant computing resources which auditors may not have. Furthermore, to the extent that these benefits require access to model weights, additional progress in privacy-preserving technology is necessary to facilitate safe access (Bucknall & Trager, 2023). In summary, a more expansive set of information sources strengthens a review by increasing the breadth and granularity of evidence. This allows reviewers to make precise and realistic findings and recommendations, which may improve compliance. However, access to broader and more granular information increases security and privacy risks, and raises coordination challenges. This creates trade-offs in deciding what information sources to use. The next section explores frameworks for assessing information sources to assess compliance.

3.3 How could compliance with the safety framework be assessed?

Before a reviewer can check whether a company is doing what its safety framework states, they must decide how they will translate that framework into something they can measure. This oper- Objective Control Implemented Ensure the safety case remains accurate after the deployment of the model. Two team members are designated safety-case monitors Yes / No Maintain an incident escalation protocol for on-call engineer Yes / No Maintain a user feedback triage system for product managers Yes / No Quarterly threat-model review Yes / No Safety case check-in meeting after each release Yes / NoTable 3: Compliance grading rubric for a single mock objective and five mock controls. ationalization1 process first requires identifying the commitments that a frontier AI company has made in its safety framework. These commitments can be individual intentions, policies, actions, and methods for managing risks from frontier AI systems (Alaga et al., 2024; METR, 2025; Buhl et al., 2025) and can vary in their level of abstraction. A reviewer can then assess compliance with the safety framework commitments by (1) grading the safety framework commitments without further operationalization, (2) operationalizing the safety framework commitments into a control framework, or (3) operationalizing the safety framework commitments into a process maturity framework. Assess without further operationalization. The reviewer could provide a grade for each of the commitments in the safety framework (e.g. “solicit internal and external feedback on the capabilities report”) without operationalizing them. The grade for each commitment could be on a simple pass/fail scale (ISO, 2015), a degree of compliance (e.g. “compliant”, “partially-compliant”, and “noncompliant”), or a degree of confidence (e.g. from “not at all confident” to “fully confident” that the company is compliant), although the last is not commonly used. There are two benefits of this option. First, the results will be easy to understand, particularly for external stakeholders, as they map directly to the safety framework. Second, this approach is less costly because it does not require an internal team or an external firm to further operationalize the safety framework. However, there are limitations to this approach. First, compliance with the commitments may be difficult to measure, and so the assessment of compliance could be highly open to interpretation. Second, this approach limits the ability for a frontier AI company to improve its processes, which may reduce compliance in the long term. Operationalize into a control framework. Alternatively, the company could use a control framework to operationalize the commitments in the safety framework. Controls are policies, processes, or technical measures that modify risk (ISO, 2018). The first step would be to list their objectives – the concrete outcomes that must hold for each commitment in their safety framework to be achieved (e.g. “the safety case remains accurate after deployment”).2 Before a compliance review, a frontier AI company – or a contracted professional services firm – would identify controls that are already in place or design new ones. Table 3 illustrates how a single objective can be supported by several controls. The designed controls would need to be implemented before the review. During the review, the assessor tests a random set of controls for each objective, and notes any deviations and uncertainty in their report. Control-based assurance is common in sectors such as finance (Sarbanes–Oxley Act, 2002) and technology (AICPA, 2017), and is already being used by frontier AI companies for other purposes (see e.g. Anthropic, n.d.). This approach has a number of benefits. First, controls are easier to follow compared to vague safety framework requirements, and might therefore lead to greater compliance. Second, the approach provides better guidance on addressing areas of noncompliance, 1Turning broad or abstract commitments into check-points that can be scored is called operationalization and makes them observable and testable in practice. 2Objectives can span multiple aspects and levels (ISO, 2018). Similarly, commitments in a safety framework can be at different levels of abstraction, so may require varying levels of operationalization to be turned into objectives. as individual commitments can be targeted. Third, control frameworks are common, meaning the company can draw on existing standards (COSO, 2013; ISO, 2018) and expertise. However, there are limitations to this approach. For example, it could have a high cost burden, particularly if a professional services firm is required. In addition, if they decide to repeat the review process, the company may need to change the control framework. This approach could also reduce the company’s flexibility in response to emerging risks, if the controls are too rigid and difficult to adapt. Operationalize into a process maturity framework. Another way of operationalizing the commitments in the safety framework is using a process maturity framework. This type of framework allows a reviewer to assess the maturity of a company’s processes, even if those processes are complex or undefined (The Institute of Internal Auditors, 2013). Process maturity frameworks are commonly used in software development (Helgesson et al., 2012), particularly for US federal government technology projects (Mishra et al., 2016; Department of Defense, 2024). While process maturity frameworks can be adapted to assess compliance (Schrimpf et al., 2020), they are not commonly used for this purpose. Before conducting the compliance review, a frontier AI company – or a contracted professional services firm – would create a framework for grading processes. The first step would be to list the processes required to implement the safety framework commitments. Next, the expectations for each process would be described (see Table 4 as an example). Finally, the target level for each process would be specified. Often this target is the third level, “defined & managed”, as not all processes need to operate at the highest level of maturity (The Institute of Internal Auditors, 2013). During the review, the reviewer would use the process maturity framework and information sources to evaluate the current level of maturity, and compare this to the target level of maturity. Upon meeting the target level for a process, the company would be compliant with the corresponding commitment or commitments. Using a process maturity framework has a number of benefits. First, processes are typically easier to follow compared to vague safety framework requirements, which might lead to greater compliance. Second, it allows reviewers to highlight the individual components of processes to be targeted for improvement in their recommendations, also likely improving compliance. Third, it encourages the company to continuously improve their processes outside of third-party compliance reviews. However, this approach also has limitations. First, creating and implementing a process maturity framework is likely a large cost burden to the frontier AI company. Second, to the extent processes must be continuously improved to be fully compliant, this approach would continue to be burdensome. Third, this approach risks overemphasizing process improvements rather than point-in-time improvements (i.e. a single fix that does not need ongoing work). The assessment approach used changes what is assessed, how the results are presented, and the specificity of recommendations. How these results could be shared externally is discussed in the next section.

3.4 What information could be disclosed externally?

After completing a review, companies may share information with external stakeholders. Companies have four disclosure options: (1) no information about the review, (2) a statement that the review occurred, (3) a summary report, and (4) a detailed report including planned follow-up actions. Companies may choose to share different information depending on the stakeholder, which could include the public, enterprise customers, industry bodies, and relevant government entities. No information about the review. A frontier AI company may choose not to disclose that a compliance review occurred or to release any of the findings. Keeping compliance reviews confidential reduces reputational risks, and may make employees and management less averse to reviewer activities. This can lead to more open and collaborative reviews. Keeping the reviewers private also reduces the potential that they become attack surfaces for security threats. However, this approach provides no 3Alternatively, an existing process maturity framework can be adapted. One widely used framework is Capability Maturity Model Integration (CMMI) (CMMI Institute, 2023) which distinguishes between five levels:

3.5 How could noncompliance guide development and deployment actions?

In the event the reviewer documents gaps between the stated policy and actual practice, a frontier AI company can respond in a number of ways. One important consideration is whether the company delays certain development and deployment actions (e.g. deploying a model internally, deploying a model publicly, releasing model weights publicly, training models, activating new capabilities) if they are found to be noncompliant. The company could (1) not delay any actions, (2) delay certain actions until they are compliant in key areas, or (3) delay certain actions until they are compliant across all areas. Different internal response options will lead to different levels of safety improvement while presenting different costs to the organization. Do not delay any actions. The company could choose not to delay any development and deployment actions as a result of the review findings. This approach provides benefits, such as offering more operational flexibility and minimizing disruption as companies continue their activities regardless of the findings. This option may therefore be appealing for carrying out a first review. However, this approach also has limitations. For example, it does not create strong incentives to address findings, potentially reducing compliance. It also fails to provide additional assurance to stakeholders that the company will comply with its safety framework. Delay certain actions until compliant in key areas. A company could delay certain development and deployment actions until they are compliant in some “key areas”. These key areas could include processes that are important for maintaining deployment mitigations. The company could decide where they are not compliant by selecting findings from the results of the review that they agree with. Before a review, the company could define two elements: (1) the actions they will delay if found to be noncompliant in key areas, and (2) the key areas for compliance (e.g. the process of determining whether a capability threshold has been reached). This approach provides a number of benefits. First, it creates an incentive to address noncompliance in key areas. It also provides greater assurance to stakeholders that the company is complying with its safety framework. However, this approach has various limitations. Importantly, it may result in inadequate compliance fixes being implemented by the frontier AI company, given their incentive to proceed with development and deployment actions. This approach may also increase internal costs and decrease buy-in for compliance reviews, as employees may be frustrated with the degree of compliance needed to continue with development and deployment activities. Delay certain actions until compliant across all areas. A frontier AI company could delay certain development and deployment actions until they are compliant across all areas of the compliance review. This would require the company to define the actions that would be delayed if they were found to be noncompliant before the review is carried out. However, the company may first want to ensure that they agree with the findings of the review before delaying certain actions. There are benefits to this approach. Importantly, it creates the greatest incentive to address all areas of noncompliance identified by the review. It also provides the greatest practicable level of assurance for stakeholders with access to information about the response. But the approach also has limitations. Actions to address compliance issues may again be inadequate if the company is incentivized to address them as quickly as possible. This approach could significantly increase the cost burden for companies and decrease internal buy-in for compliance reviews. Furthermore, it severely limits flexibility for the company, as compliance is required across all areas of the review. Delaying certain actions until a frontier AI company achieves some level of compliance with the safety framework could improve assurance to stakeholders and increase compliance overall. However, delaying certain actions could limit flexibility and exacerbate the financial costs associated with a review.

3.6 When could the reviews be conducted?

A single review cannot ensure long-term compliance with safety frameworks. Review frequency is therefore important. The frequency of reviews can be: (1) ad-hoc, (2) time-based, or (3) event-based. Ad-hoc. Companies can commission compliance reviews without fixed schedules. This approach may be appealing to companies in the early stages of adopting compliance reviews. Ad-hoc reviews allow companies to align review timing with internal capacity and organizational bandwidth. However, ad-hoc scheduling may create long gaps between review periods and delay detection of any issues. Furthermore, stakeholders only receive limited assurance from this approach because they cannot be confident that reviews will continue, and companies might only schedule reviews when compliance indicators appear favorable. Time-based. Time-based reviews occur at regular intervals (e.g. annually or semi-annually) which companies set in advance. Annual reviews represent the standard in many industries. Time-based reviews ensure regular attention to safety framework compliance. In addition, stakeholders have greater assurance that companies will maintain long-term compliance if they are aware of review schedules. However, reviews scheduled too infrequently may prove insufficient given rapid changes in frontier AI development. Conversely, overly frequent reviews may cause organizational fatigue and create unjustifiable costs. Regular schedules might also trigger “review-time behavior” where employees temporarily alter practices around expected review periods. Event-based. Event-based reviews would occur in response to predefined triggers, such as planned model releases or major incidents. This approach aligns reviews with periods of heightened risk or potential impact, turning “review-time behavior” into a potential advantage. It also ensures scrutiny at critical junctures without requiring frequent routine reviews. However, reviews tied to a model’s release could result in its release being delayed, which companies are likely to resist. Furthermore, long intervals between trigger events could allow compliance issues to develop undetected. In summary, review frequency is an important factor for ensuring their effectiveness over the long term. Overly frequent reviews may dilute quality and strain resources, while infrequent reviews risk missing important compliance issues. Therefore, it is important to strike a balance. 4 Suggesting different approaches In this section, we identify the trade-off companies face for each aspect of the review. We then suggest “minimalist”, “more ambitious”, and “comprehensive” approaches that a frontier AI company could take for each aspect of the review. Table 5 provides an overview of the different approaches for each aspect. Companies can mix different approaches or use options not covered in this analysis. Minimalist More ambitious Comprehensive Reviewer Big Four Big Four + evaluation firm Big Four + domain experts Information sources Structural sources Structural and procedural, alongside staff interviews Structural, procedural, operational, and technical sources Assessment Use safety framework without further operationalization Use a light-touch control framework Use a comprehensive control framework External disclosure Publicly acknowledge the review without further action Publicly share the overall result and privately share a summary report with key stakeholders Publicly share the summary report and privately share detailed results with key stakeholders Internal response Do not delay any actions Delay certain actions until compliant in (a few) key areas Delay certain actions until compliant in key areas Timing Ad-hoc Every 12 months Every 12 monthsTable 5: Minimalist, more ambitious, and comprehensive options for third-party compliance reviews. Reviewer. The selection of the reviewer types presents distinct expertise, reputation, and cost considerations for frontier AI companies. In Section 3.1, we discussed six potential reviewers: Big Four accounting firms, evaluation firms, consulting firms, AI audit firms, security audit firms, and law firms. When selecting reviewers, a frontier AI company faces a trade-off between the breadth of expertise the reviewer has, and the financial burden of the review. If the company prioritizes reducing their financial burden over ensuring the review team has technical expertise, they may want to only engage a Big Four accounting firm without additional subcontractors (minimalist approach). This is because Big Four firms demonstrate advantages across all approaches due to their superior capability in handling sensitive information, public reputation, extensive risk management expertise, and established compliance review experience. However, Big Four firms do not have much AI expertise. Therefore, if the company prioritizes technical expertise and financial cost similarly, they may want to engage a Big Four accounting firm with an evaluation firm as a subcontractor (more ambitious approach). If the company prioritizes technical expertise over financial cost, they may want to engage a Big Four accounting firm with multiple specialized subcontractors covering different domains (e.g. evaluation firms, cybersecurity specialists) to address all relevant technical aspects of AI safety (comprehensive approach). Other combinations, such as a security audit firm subcontracting an AI evaluation firm, could also provide enough expertise though they may lack compliance review experience. Information sources. The selection of information sources determines both the confidence in review findings and potential security exposure. In Section 3.2, we discussed four different types of information sources: structural (i.e. high-level governance intentions and actions), procedural (i.e. intended procedures), operational (i.e. implementation of procedures), and technical (i.e. models and technical infrastructure). A frontier AI company faces a trade-off between enabling confident reviewer findings and minimizing information security risks. A reviewer may not be able to recommend useful improvements to processes without access to procedural information. Therefore, if the company prioritizes information security risks over confident findings or recommendations, they may want to rely solely on structural sources (minimalist approach). If they weigh confident findings or recommendations and these information security risks similarly, they may want to use structural and procedural sources, as well as a selection of operational ones, such as staff interviews (more ambitious approach). If they prioritize confident findings or recommendations over these information security risks, or if they can mitigate these risks, they may want to use all four types of information sources (comprehensive approach). Companies may exercise discretion by exempting certain sources that they view as particularly sensitive or costly for the reviewer to acquire. Assessment. Different forms of assessment offer varying levels of specificity and operational clarity, but present financial costs. In Section 3.3, we discussed three possible assessment framework options: assess without further operationalization, use a control framework, and use a process maturity framework. A frontier AI company faces a trade-off between gaining specific findings and investing time in authoring a control framework. If the frontier AI company prioritizes reducing upfront costs over improving specificity, they may want to simply use the safety framework directly for assessment (minimalist approach). If they weigh improving specificity and reducing upfront costs similarly, they may want to implement a light-touch control framework that specifies key commitments (more ambitious approach). If they prioritize improving specificity over reducing upfront costs, they may want to develop a more detailed control framework that maps objectives to an extensive set of controls (comprehensive approach). Process maturity frameworks likely go beyond the scope of a compliance review, as they require the company to define multiple maturity levels, not just the single level that corresponds to compliance. External disclosure. External disclosure decisions shape stakeholder trust while determining reputational and information security risks. In Section 3.4, we discussed four options for what companies could disclose: no information, a statement that the review occurred, a summary report, or detailed results. A frontier AI company faces a trade-off between providing stakeholders with greater assurance and exposing themselves to information security risks when deciding what to disclose. We also discussed different stakeholders with whom companies may want to share information, including the public, enterprise customers, industry bodies, and relevant government bodies. More selective disclosure to these stakeholders can help navigate this trade-off, but may make stakeholders suspicious that important issues were hidden. If the company prioritizes information security risks over providing greater assurance to stakeholders, they may want to simply publicly acknowledge that a review occurred, using their discretion to decide whether to disclose the result (minimalist approach). If the company weighs providing greater assurance and these information security risks similarly, they may want to publish the overall result of the review, while only sharing the summary report with enterprise customers, industry bodies, and relevant government bodies (more ambitious approach). If the company prioritizes providing greater assurance over these information security risks, or if they can mitigate these risks, they may want to publish a summary report, and share a more complete version with enterprise customers, industry bodies, and relevant government bodies under appropriate confidentiality agreements (comprehensive approach). Internal response. A company could implement various restrictions on development and deployment actions if they are found to be noncompliant by the review. In Section 3.5, we discussed three options for how companies could respond to review findings: do not delay any actions, delay certain actions until compliant in key areas, or delay certain actions until compliant across all areas. The frontier AI company faces a trade-off between creating stronger compliance incentives and maintaining operational flexibility when deciding how to respond to review findings. If they prioritize flexibility over compliance, they may not want to commit to delaying any actions if found to be noncompliant (minimalist approach). If they weigh compliance and flexibility similarly, they may want to commit to delaying certain actions until they are compliant in a few key areas (more ambitious approach). If they prioritize compliance over flexibility, they may want to commit to delaying certain actions until they are compliant in a broader set of key areas (comprehensive approach). Review timing. The scheduling of compliance reviews affects both ongoing compliance and the cost burden a company faces. In Section 3.6, we discussed three options for when to conduct a review: ad-hoc, time-driven, and event-driven. The frontier AI company faces a trade-off between maintaining continuous compliance and minimizing ongoing costs when deciding when to conduct reviews. Event-driven reviews might balance assurance and cost by targeting high-risk periods, but may become burdensome, particularly for companies operating multiple models. If the frontier AI company prioritizes cost reduction over continuous compliance, they may want to conduct reviews on an ad-hoc basis (minimalist approach). If they weigh maintaining continuous compliance and avoiding ongoing costs similarly, they may want to undertake annual reviews (more ambitious approach). If they prioritize maintaining continuous compliance over avoiding ongoing costs, they may still favor annual reviews, as the additional benefits may not outweigh the additional cost burden (comprehensive approach). Interdependencies. Different components of compliance reviews depend on each other. While companies may vary in ambition across different aspects of the review, choices in one aspect can shape or constrain what is feasible in another. For example, if a company limits the review to structural information sources, the value of subcontracting an evaluation firm diminishes. This is because a Big Four firm can assess this information without involving domain experts. Similarly, if using structural information sources alone, it may be inappropriate to use a control framework. This is because a control framework typically requires more granular information to assess compliance. Furthermore, the longer-term ambitions of a company may need to influence early design decisions. For example, a company aiming for a comprehensive control framework may benefit from adopting a “light-touch” control framework initially. This approach creates a foundation to build upon rather than starting with a type of framework that does not align with the end goal. Companies can mix and match approaches but options need to remain compatible. Alternative solutions. Alternative solutions to third-party compliance reviews include internal compliance reviews and compliance management systems. Internal compliance reviews involve an internal but independent team carrying out the reviewer role (Schuett, 2024). Internal reviewers may better understand the company than third-party ones. This review could be completed before a thirdparty review to reduce internal costs (Abbott et al., 2012). However, internal reviewers may not be able to provide the risk management expertise and independence that a third-party reviewer would provide. This means that internal and third-party reviews may serve as complements rather than substitutes. Compliance management systems promote compliance through dedicated staff (e.g. a Responsible Scaling Officer), monitoring and evaluation (e.g. compliance reviews), training and communication (e.g. escalation protocol awareness), and management structures (e.g. reporting hotlines, disciplinary measures) (Coglianese & Nash, 2021; U. S. Department of Justice, 2024). A compliance management system could be created after a third-party review using a professional services firm or by hiring employees with compliance management system expertise. Given third-party compliance reviews can form a part of a compliance management system, they are also complements rather than substitutes. Selecting an approach to third-party compliance reviews requires careful evaluation of the trade-offs between potential benefits and risks. Companies do not need to apply the same level of ambition across all areas. Instead, they can adopt targeted strategies aligned with their specific priorities and risk profiles. Nevertheless, we think that either the minimalist and more ambitious approaches discussed are within reach for leading frontier AI companies undertaking their first third-party compliance review. As the industry matures, companies can progressively adopt more comprehensive approaches, allowing them to build compliance capacity while effectively managing risks. 5 Conclusion This paper has made the case for third-party compliance reviews for frontier AI safety frameworks, discussed different options for conducting such reviews, and provided guidance on how companies could decide what approach to take. The benefits of third-party compliance reviews include increased compliance with safety frameworks and assurance to both internal and external stakeholders. Despite these benefits, compliance reviews may create security risks if sensitive information is leaked, damage a company’s reputation or create a false sense of security if results are incorrect, impose costs on the organization, and face the practical challenges of operationalizing and grading subjective commitments and employee self-censorship. Nonetheless, we believe that these can be mitigated using established audit and assurance practices common in other industries. Our analysis addresses six key questions about how to conduct third-party compliance reviews: who could conduct the review, what information sources could be considered, how compliance could be assessed, what information could be disclosed externally, how noncompliance could guide development and deployment decisions, and when the reviews could be conducted. For each question, we describe minimalist, more ambitious, and comprehensive approaches that reflect different tradeoffs between the costs and benefits. Each organization can calibrate its efforts to match its ambition and risk appetite. Over time, companies can build toward more comprehensive approaches by implementing mitigations for the challenges identified. The paper left several questions unanswered that warrant further research. In particular, more research and experimentation are needed on which organizations or combinations of organizations are best positioned to conduct third-party compliance reviews for frontier AI safety frameworks, as the unique technical complexities and novel risks of these systems create significant reviewer selection challenges. Future work could examine how process maturity frameworks or control frameworks could be used to make safety framework requirements more concrete in practice. An examination of equivalent regulatory approaches would also be valuable to understand how governments could mandate compliance audits for frontier AI safety frameworks. Further work may also be needed on internal compliance reviews, which could be carried out at a higher frequency and improve internal buy-in compared to third-party compliance reviews. Additional work to develop compliance management systems for AI safety frameworks may also prove useful, particularly if frontier AI companies begin commissioning third-party compliance reviews. Finally, future research may be needed to help standardize results from third-party compliance reviews across the industry. Of course, if companies were to commission compliance reviews, their experience could shape further research directions. The AI governance field is not alone in its challenge to gain insight into company activities – established audit and assurance best practices from other industries offer a strong foundation to build upon. Implementing third-party compliance reviews can help ensure that frontier AI companies remain aligned with their safety frameworks, fostering more robust risk management and strengthening stakeholder trust. By embracing these practices, companies not only improve their compliance but also demonstrate a commitment to responsible innovation. Through proactive investment in third-party reviews, frontier AI companies can better prepare for future regulatory requirements and demonstrate leadership in frontier AI governance.

Acknowledgments

We are grateful for valuable comments and feedback from Andreas Drechsler, Connor Stewart Hunter, Edward Kembery, Jared Perlo, Krzysztof Bar, Rajiv Dattani, Simon Mylius, Vael Gates, Vinay Hiremath, Zaheed Kara, and the participants of a workshop on auditing frontier AI safety frameworks co-organized by FAR.AI in Berkeley. All remaining errors are our own.

References

Abbott, L. J., Parker, S., & Peters, G. F. (2012). Internal audit assistance and external audit timeliness. Auditing: A Journal of Practice & Theory, 31(4), 3–20. https://doi.org/10.2308/ajpt-10296. Aftab, M. U., Qin, Z., Hundera, N. W., Zakria, O. A., Son, N. T., & Dinh, T. V. (2019). Permissionbased separation of duty in dynamic role-based access control model. Symmetry, 11(5), 669. https://doi.org/10.3390/sym11050669. AICPA. (2017). Guide: Reporting on an entity’s cybersecurity risk management program and controls. Wiley. https://doi.org/10.1002/9781119449966. Alaga, J., Schuett, J., & Anderljung, M. (2024). A grading rubric for AI safety frameworks. arXiv preprint arXiv:2409.08751. Anderljung, M., Barnhart, J., Korinek, A., Leung, J., O’Keefe, C., Whittlestone, J., . . . Wolf, K. (2023). Frontier AI regulation: Managing emerging risks to public safety. arXiv preprint arXiv:2307.03718. Anthropic. (n.d.). Trust center. https://trust.anthropic.com. Anthropic. (2023). The Long-Term Benefit Trust. https://www.anthropic.com/news/the-long-term -benefit-trust. Anthropic. (2025). Responsible Scaling Policy. https :// www -cdn .anthropic .com / 17310f6d70ae5627f55313ed067afc1a762a4068.pdf. Ashfaq, K., Ur Rehman, S., Ul Haq, M., & Usman, M. (2021). Factors influencing stakeholder’s judgment on internal audit function’s effectiveness and reliance. Journal of Financial Reporting and Accounting, 21(5), 958-973. https://doi.org/10.1108/JFRA-12-2020-0371. Avin, S., Belfield, H., Brundage, M., Krueger, G., Wang, J., Weller, A., . . . Zilberman, N. (2021). Filling gaps in trustworthy development of AI. Science, 374, 1327-1329. https://doi.org/ 10.1126/science.abi7176. Badertscher, B. A., Kim, J., Kinney Jr, W. R., & Owens, E. (2023). Assurance level choice, CPA fees, and financial reporting benefits: Inferences from U.S. private firms. Journal of Accounting and Economics, 75(2), 101551. https://doi.org/10.1016/j.jacceco.2022.101551. Balafoutas, L., Czermak, S., Eulerich, M., & Fornwagner, H. (2020). Incentives for dishonesty: An experimental study with internal auditors. Economic Inquiry, 58(2), 764-779. https://doi.org/ 10.1111/ecin.12878. Barton, J. (2010). Who cares about auditor reputation? Contemporary Accounting Research, 22(3), 549-586. https://doi.org/10.1506/C27U-23K8-E1VL-20R0. Bate, R., Miller, S., Armitage, J., Cusick, K., Jones, R., Kuhn, D., . . . Reichner, A. (1994). A systems engineering capability maturity model, version 1.0. https://insights.sei.cmu.edu/documents/ 1620/1994_002_001_16247.pdf. Benaroch, M. (2021). Third-party induced cyber incidents: Much ado about nothing? Journal of Cybersecurity, 7(1). https://doi.org/10.1093/cybsec/tyab020. Berkowitz, P. (2021). Internal disclosures from compliance audits: What could go wrong? https:// www.littler.com/news-analysis/asap/internal-disclosures-compliance-audits-what-could-go -wrong. Bley, J., Saad, M., & Samet, A. (2018). Auditor choice and bank risk taking. International Review of Financial Analysis, 61, 37-52. https://doi.org/10.1016/j.irfa.2018.11.003. Brundage, M., Avin, S., Wang, J., Belfield, H., Krueger, G., Hadfield, G., . . . Anderljung, M. (2020). Toward trustworthy AI development: Mechanisms for supporting verifiable claims. arXiv preprint arXiv:2004.07213. Bruno, M., & Skoglund, K. (2024). Analyzing the themes of artificial intelligence as framed by the Big Four accounting firms: A document analysis. https://gupea.ub.gu.se/bitstream/handle/ 2077/82945/AFM%202024-8.pdf. Bryce, C. (2019). Security governance as a service on the cloud. Journal of Cloud Computing, 8(1). http://doi.org/10.1186/s13677-019-0148-5. Bucknall, B. S., & Trager, R. F. (2023). Structured access for third-party research on frontier AI models: Investigating researchers’ model access requirements. Oxford Martin AI Governance Initiative. https://cdn.governance.ai/Structured_Access_for_Third-Party_Research.pdf. Buhl, M. D., Bucknall, B., & Masterson, T. (2025). Emerging practices in frontier AI safety frameworks. arXiv preprint arXiv:2503.04746. Bullock, C., Van Arsdale, S., Arnold, M., Maas, M. M., & Winter, C. (2024). Existing authorities for oversight of frontier AI models. SSRN. https://doi.org/10.2139/ssrn.4976362. Campos, S., Papadatos, H., Roger, F., Touzet, C., Quarks, O., & Murray, M. (2025). A frontier AI risk management framework: Bridging the gap between current AI practices and established risk management. arXiv preprint arXiv:2502.06656. Cardinaels, E., & Jia, Y. (2012). How audits moderate the effects of incentives and peer behavior on misreporting. European Accounting Review, 25(1), 183–204. https://doi.org/10.1080/ 09638180.2015.1042889. Casper, S., Ezell, C., Siegmann, C., Kolt, N., Curtis, T. L., Bucknall, B., . . . Hadfield-Menell, D. (2024, June). Black-box access is insufficient for rigorous AI audits. In The 2024 acm conference on fairness, accountability, and transparency (p. 2254–2272). ACM. http://doi.org/ 10.1145/3630106.3659037. Che, L., Hope, O.-K., & Langli, J. C. (2019). How Big-4 firms improve audit quality. Management Science, 66(10), 4359-4919. https://doi.org/10.1287/mnsc.2019.3370. CMMI Institute. (2023). CMMI model viewer. https://cmmiinstitute.com/products/cmmi/cmmi -model-viewer. Coglianese, C., & Nash, J. (2021). Compliance management systems: Do they make a difference? In B. van Rooij & D. D. Sokol (Eds.), The Cambridge Handbook of Compliance (p. 571-593). Cambridge University Press. https://doi.org/10.1017/9781108759458.039. Coppersmith, B. B. (1997). An internal compliance review program. In SPE/EPA Exploration and Production Environmental Conference. https://doi.org/10.2118/37897-MS. COSO. (2013). Internal control: Integrated framework. https://www.coso.org/_files/ugd/3059fc _1df7d5dd38074006bce8fdf621a942cf.pdf. Davis, F. T. (2019). American criminal justice: An introduction. Cambridge University Press. https://doi.org/10.1017/9781108694773.017. Department of Defense. (2024). Cybersecurity maturity model certification (cmmc) model overview. https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverview.pdf. Dragan, A., Shah, R., Flynn, F., & Legg, S. (2025). Taking a responsible path to AGI. https:// deepmind.google/discover/blog/taking-a-responsible-path-to-agi. DSIT. (2024). Frontier AI safety commitments, AI Seoul Summit 2024. Retrieved from https:// perma.cc/M9NQ-GNED Duncan, B., & Whittington, M. (2016). Enhancing cloud security and privacy: The power and the weakness of the audit trail. In Cloud computing 2016: The seventh international conference on cloud computing, grids, and virtualization (p. 125-130). Ege, M., Wang, D., & Xu, N. (2025). The consequences of reputation-damaging events for big four auditors: evidence from 110 cases with media coverage between 2007 and 2019. https://doi.org/10.1007/s11142-024-09865-1. European Commission. (2023). Delegated Regulation on independent audits under the Digital Services Act. https://digital-strategy.ec.europa.eu/en/library/delegated-regulation-independent -audits-under-digital-services-act. European Commission. (2025). Third draft of the General-Purpose AI Code of Practice published, written by independent experts. https://digital-strategy.ec.europa.eu/en/library/third-draft -general-purpose-ai-code-practice-published-written-independent-experts. Ewelt-Knauer, C., Schwering, A., & Winkelmann, S. (2021). Probabilistic audits and misreporting – the influence of audit process design on employee behavior. European Accounting Review, 30(5), 989–1012. https://doi.org/10.1080/09638180.2021.1899014. Falco, G., Shneiderman, B., Badger, J., Carrier, R., Dahbura, A., Danks, D., . . . Yeong, Z. K. (2021). Governing AI safety through independent audits. Nature Machine Intelligence, 3, 566–571. https://doi.org/10.1038/s42256-021-00370-7. Federal Deposit Insurance Corporation. (2005). Non-public supervisory information interagency advisory on confidentiality of CAMELS ratings and other non-public supervisory information. https://www.fdic.gov/news/financial-institution-letters/2005/fil1305.html. Federal Deposit Insurance Corporation. (2023). Interagency guidance on third-party relationships: Risk management. Federal Reserve System. Fochmann, M., Kölle, T., Mohr, P., & Rockenbach, B. (2020). Trust them, threaten them, or lure them? effective audit systems to promote compliance. SSRN. https://ssrn.com/abstract=3645136. Frontier Model Forum. (2024). Issue brief: Components of frontier AI safety frameworks. https://www .frontiermodelforum.org/updates/issue-brief-components-of-frontier-ai-safety-frameworks. G42. (2025). Frontier AI safety framework. https://www.g42.ai/resources/publications/g42-frontier -ai-safety-framework. Gipper, B., Ross, S., & Shi, S. X. (2024). ESG assurance in the united states. Review of Accounting Studies, 18(3). https://doi.org/10.1007/s11142-024-09856-2. Glover, S. M., Prawitt, D. F., & Wood, D. A. (2006). Internal audit sourcing arrangement and the external auditor’s reliance decision. https://doi.org/10.2139/ssrn.898800. Google DeepMind. (2025a). Frontier Safety Framework Version 2.0. https://deepmind.google/ discover/blog/updating-the-frontier-safety-framework. Google DeepMind. (2025b). Taking a responsible path to AGI. https://deepmind.google/discover/ blog/taking-a-responsible-path-to-agi. Gow, I. D., & Kells, S. (2018). The Big Four: The curious past and perilous future of the global accounting monopoly. Berrett-Koehler. Hammer, M. (2007). The process audit. Harvard Business Review, https://hbr.org/2007/04/ the-process-audit. Helgesson, Y. Y. L., Höst, M., & Weyns, K. (2012). A review of methods for evaluation of maturity models for process improvement. Journal of Software: Evolution and Process, 24. https://doi.org/10.1002/smr.560. Hewett, R., Kijsanayothin, P., & Thipse, A. (2008). Security analysis of role-based separation of duty with workflows. 2008 Third International Conference on Availability, Reliability and Security, 765-770. https://doi.org/10.1109/ARES.2008.71. Humphrey, W. S. (1998). Characterizing the software process: A maturity framework. IEEE Software, 5(2), 73-79. https://doi.org/10.1109/52.2014. Ismael, H. R., & Roberts, C. (2018). Factors affecting the voluntary use of internal audit: evidence from the UK. Managerial Auditing Journal, 33(3), 288-317. https://doi.org/10.1108/MAJ-08 -2016-1425. ISO. (2015). ISO 17021-1:2015 Conformity assessment — Requirements for bodies providing audit and certification of management systems. https://www.iso.org/standard/61651.html. ISO. (2018). ISO 31000 Risk management — Guidelines. https://www.iso.org/iso-31000-risk -management.html. ISO. (2022). ISO 27002:2022 Information security, cybersecurity and privacy protection — Information security controls. https://www.iso.org/standard/75652.html. Jagadeeswari, M., Karthi, P. N., Kumar, V. A. N., & Ram, S. L. S. (2023). A secure file sharing and audit trail tracking platform with advanced encryption standard for cloud-based environments. In International conference on electronics and sustainable communication systems (ICESC) (p. 540-547). https://doi.org/10.1109/ICESC57686.2023.10193389. Karnofsky, H. (2024). If-then commitments for AI risk reduction. Carnegie Endowment for International Peace, https://carnegieendowment.org/research/2024/09/if-then-commitments -for-ai-risk-reduction. Kasirzadeh, A. (2024). Measurement challenges in AI catastrophic risk governance and safety frameworks. arXiv preprint arXiv:2410.00608. Kempe, E., & Massey, A. (2021). Perspectives on regulatory compliance in software engineering. In Ieee international requirements engineering conference (re) (p. 46-57). https://doi.org/10.1080/ 09617353.2000.11690698. Kovynev, A. (2014). Inside a WANO peer review. https://www.nsenergybusiness.com/analysis/ featureinside-a-wano-peer-review-4294101. Layton, T. P. (2016). Information security. Auerbach Publications. https://doi.org/10.1201/ 9781420013412. Lee, J., Ramamoorti, S., & Zelazny, L. (2021). Whistleblowing intentions for internal auditors: Why psychological safety is critically important. The CPA Journal, 91(8-9). Lennox, C. S., & Pittman, J. A. (2008). Big five audits and accounting fraud. SSRN. http://doi.org/ 10.2139/ssrn.1137829. Lightman, S., Suloway, T., & Brule, J. (2022). Satellite ground segment: Applying the cybersecurity framework to assure satellite command and control. http://doi.org/10.6028/nist.ir.8401. Lins, S., Schneider, S., & Sunyaev, A. (2018). Trust is good, control is better: Creating secure clouds by continuous auditing. IEEE Transactions on Cloud Computing, 6(3), 890–903. http://doi.org/10.1109/tcc.2016.2522411. Liu, W.-P., & Huang, H.-W. (2020). Auditor realignment, voluntary SOX 404 adoption, and internal control material weakness remediation: Further evidence from U.S.-listed foreign firms. International Business Review, 29(5). https://doi.org/10.1016/j.ibusrev.2020.101712. Liu, Y. (2024). Build an audit framework for data privacy protection in cloud environment. Procedia Computer Science, 247, 166-175. https://doi.org/10.1016/j.procs.2024.10.020. Low, J. M. W., & Yang, K. K. (2019). An exploratory study on the effects of human, technical and operating factors on aviation safety. Journal of Transportation Safety & Security, 11(6), 595–628. https://doi.org/10.1080/19439962.2018.1458051. Manheim, D., Martin, S., Bailey, M., Samin, M., & Greutzmacher, R. (2024). The necessity of AI audit standards boards. arXiv preprint arXiv:2404.13060. Martinez, V. R. (2013). The monitor-’client’ relationship. SSRN. https://ssrn.com/abstract=2309498. Meta. (2025). Frontier AI framework. https://ai .meta .com/static -resource/meta -frontier -ai -framework. METR. (2025). Common elements of frontier AI safety policies. https://metr.org/common-elements .pdf. Mishra, A., Das, S. R., & Murray, J. J. (2016). Risk, process maturity, and project performance: An empirical analysis of us federal government technology projects. Production and Operations Management, 25(2), 210–232. http://doi.org/10.1111/poms.12513. Mökander, J., & Floridi, L. (2021). Ethics-based auditing to develop trustworthy AI. Minds and Machines, 31(2), 323–327. http://doi.org/10.1007/s11023-021-09557-8. Mökander, J., Schuett, J., Kirk, H. R., & Floridi, L. (2023). Auditing large language models: A three-layered approach. AI and Ethics. https://doi.org/10.1007/s43681-023-00289-2. Neidermeyer, A. A., & Neidermeyer, P. E. (2005). Audit anticipation: does it impact job performance? Managerial Auditing Journal, 20(1), 19-29. https://doi.org/10.1108/02686900510570669. Nelson, S. D., & Simek, J. W. (2013). Clients demand law firm cyber audits. Law Practice, 39. Nevo, S., Lahav, D., Karpur, A., Bar-On, Y., Bradley, H. A., & Alstott, J. (2024). Securing AI model weights. RAND, https://doi.org/10.7249/RRA2849-1. Object Management Group. (2008). Business process maturity model (BPMM). http://www.omg.org/ spec/BPMM/1.0/PDF. O’Brien, J., Ee, S., & Williams, Z. (2024). Deployment corrections: An incident response framework for frontier AI models. arXiv preprint arXiv:2310.00328. Öhman, P., Häckner, E., & Sörbom, D. (2012). Client satisfaction and usefulness to external stakeholders from an audit client perspective. Managerial Auditing Journal, 27(5), 477-499. https://doi.org/10.1108/02686901211227995. OpenAI. (n.d.). Trust portal. https://trust.openai.com. OpenAI. (2023). Preparedness Framework (Beta). https://perma.cc/9FBB-URXF. OpenAI. (2025). Preparedness Framework. https://cdn.openai.com/pdf/18a02b5d-6b67-4cec-ab64 -68cdfbddebcd/preparedness-framework-v2.pdf. Pang, J., & Mähler, C. (2014). Certified quality. Mechanical Engineering, 136(2), 40-43. https:// doi.org/10.1115/1.2014-Feb-2. Peterson, J. (2017). Count down: The past, present and uncertain future of the big four accounting firms (2nd ed.). Emerald Group Publishing. Pilbeam, C., Doherty, N., Davidson, R., & Denyer, D. (2016). Safety leadership practices for organizational safety compliance: Developing a research agenda from a review of the literature. Safety Science, 86, 110-121. https://doi.org/10.1016/j.ssci.2016.02.015. Pistillo, M. (2025). Towards frontier safety policies plus. arXiv preprint arXiv:2501.16500. Raji, I. D., Smart, A., White, R. N., Mitchell, M., Gebru, T., Hutchinson, B., . . . Barnes, P. (2020). Closing the AI accountability gap: defining an end-to-end framework for internal algorithmic auditing. In Conference on Fairness, Accountability, and Transparency (p. 33–44). https:// doi.org/10.1145/3351095.3372873. Raji, I. D., Xu, P., Honigsberg, C., & Ho, D. E. (2022). Outsider oversight: Designing a third party audit ecosystem for AI governance. In AAAI/ACM Conference on AI, Ethics, and Society (pp. 557–571). https://doi.org/10.1145/3514094.3534181. Rosati, P., Gogolin, F., & Lynn, T. (2020). Cyber-security incidents and audit quality. European Accounting Review, 31(3), 701–728. https://doi.org/10.1080/09638180.2020.1856162. Sabillon, R., Serra-Ruiz, J., Cavaller, V., & Cano, J. (2017). A comprehensive cybersecurity audit model to improve cybersecurity assurance: The cybersecurity audit model (CSAM). In International Conference on Information Systems and Computer Science (INCISCOS) (p. 253-259). https://doi.org/10.1109/INCISCOS.2017.20. Salehi, M. (2009). In the name of independence: With regard to practicing non-audit service by external auditors. International Business Research, 2(2). https://doi.org/10.5539/ibr.v2n2p137. Sarbanes–Oxley Act. (2002). Pub. L. No. 107-204, 116 Stat. 745. https://www.govinfo.gov/content/ pkg/COMPS-1883/pdf/COMPS-1883.pdf. Schoemaker, M. (2024). Putting teeth into AI risk management lessons from cybersecurity procurement rules and practices. Center for Security and Emerging Technology, https:// cset.georgetown.edu/publication/putting-teeth-into-ai-risk-management. Schrimpf, A., Drechsler, A., & Dagianis, K. (2020). Assessing identity and access management process maturity: first insights from the german financial sector. Information Systems Management. https://doi.org/10.1080/10580530.2020.1738601. Schuett, J. (2024). Frontier AI developers need an internal audit function. Risk Analysis, 1–21. https://doi.org/10.1111/risa.17665. Short, J. L., & Toffel, M. W. (2016). The integrity of private third-party compliance monitoring. Administrative & Regulatory Law News, 42(1), 22-25. Tepalagul, N., & Lin, L. (2023). Auditor independence and audit quality: A literature review. Journal of Accounting, Auditing & Finance, 30(1), 101-121. https://doi.org/10.1177/ 0148558X14544505. The Institute of Internal Auditors. (2013). Selecting, using, and creating maturity models: a tool for assurance and consulting engagements. https://www.theiia.org/globalassets/documents/ content/articles/guidance/practice-guides/selecting-using-and-creating-maturity-models/pg -maturity-models.pdf. Thompson, E. C. (2017). Building a HIPAA-Compliant cybersecurity program. Apress. Toy, A. (2017). Generating standards for privacy audits: Theoretical bases from two disciplines. Journal of Law, Information and Science, 25(1), 26-48. https://doi.org/10.3316/ ielapa.028570049755407. TVO. (2012). WANO conducts peer review of annual outages. https://www.tvo.fi/en/index/news/ pressreleasesstockexchangereleases/2012/hqfAPEOFY.html. Tynan, R. (2005). The effects of threat sensitivity and face giving on dyadic psychological safety and upward communication. Journal of Applied Social Psychology, 35(2), 223-247. https:// doi.org/10.1111/j.1559-1816.2005.tb02119.x. U. S. Department of Justice. (2024). Evaluation of corporate compliance programs. https:// www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline=. Williams, S., Schuett, J., & Anderljung, M. (2025). On regulating downstream AI developers. arXiv preprint arXiv:2503.11922. Wills, P. (2025). Regulatory supervision of frontier AI developers. SSRN. https://ssrn.com/ abstract=5122871.