You Cannot License a Moving Target

The most popular idea in AI policy right now is that we should regulate powerful models the way we regulate drugs: a pre-market review process, a trusted federal evaluator, no public release without sign-off. It is an appealing analogy. It is also a category error, and the gap between why it's appealing and why it's wrong is exactly where good policy goes to die. I say this as someone who would have been the agency.

This is not a hypothetical anymore. On the evening of May 20, the White House had a signing ceremony on the calendar and frontier-lab executives invited to the room. The draft executive order would have stood up a government review process for advanced models before public release — a window of up to ninety days for federal agencies to evaluate a system for security vulnerabilities. Kevin Hassett, the National Economic Council director, had been making the comparison out loud: a clear roadmap for how future models should be "released to the wild after they've been proven safe, just like an FDA drug." Then Trump pulled it, hours before the pens came out, telling reporters he "didn't like certain aspects of it" and worried the language "could have been a blocker" on an American lead he doesn't want to surrender.

So the order is postponed, not buried. The instinct behind it is bipartisan and durable, and it will be back — in a statute, in a future order, in a state capitol. Which makes this the right moment to argue against it on the merits, before the frame hardens into law.

The strongest version of the case

Let me state the consensus fairly, because it deserves to be. Some technologies are dangerous enough that "ship it and see" is morally unacceptable. We don't let a pharmaceutical company run a national experiment on the public and tally the bodies afterward; we make them prove safety and efficacy first, to an expert agency, behind closed doors. Frontier models can lower the barrier to a credible bioweapon, or to an offensive cyber operation, or to chemical synthesis that used to require a specialist. If a model can do that, the argument goes, then a private firm's release decision is a public-safety decision, and we already have a respected template for taking public-safety decisions out of the seller's hands. The FDA is slow and cautious and that is the point. Better a delayed cure than a fast catastrophe.

I find that argument serious. I do not find it dismissible with a slogan about innovation, and the people who reach for that slogan are not helping. The harder question is the one the analogy quietly skips.

What a drug is, and what a model isn't

A drug is a fixed molecule. Its composition is stable; the thing you tested in Phase III is the thing in the bottle; the manufacturer cannot reach into your medicine cabinet and silently alter the compound after approval. The entire apparatus of pre-market review depends on that stability. You define the product, you test it against a defined endpoint, you approve that product, and the approval means something because the product won't change underneath you.

A model holds none of that still. It changes with every fine-tune, every system prompt, every retrieval source you bolt on, every tool you give it the right to call, every downstream developer who wraps it in an application you've never seen. Approve it on Monday and it is a meaningfully different system by Friday — not because anyone cheated, but because that is what the technology is by design. Daniel Carpenter and Carson Ezell, in the most rigorous treatment of this question I've read, put the problem precisely: approval regulation founders on "the difficulty of defining the regulated product" and on "distributed activities among actors involved in the AI lifecycle." There is no single artifact to license, and no single party who controls the artifact's behavior end to end.

A drug is a fixed molecule tested once against a defined endpoint. A model is a moving target that changes with every fine-tune, every prompt, every integration downstream. You cannot license a thing that won't hold still.

This is the category error, named plainly: pre-market approval is a tool for fixed products with stable failure modes, and we are proposing to point it at a substrate that is fluid by construction. The closest real analogue to what a frontier model becomes in deployment is not a pill. It is a general-purpose ingredient — flour, electricity, a programming language — that thousands of people transform into thousands of products, most of them safe, some of them dangerous, none of them the thing you approved.

Who actually enforces this, and how

That is the question I learned to ask inside government, the one that separates a policy from a press release. Walk it through. Your evaluator certifies a base model as safe. A downstream firm fine-tunes it on a private corpus to strip the refusals — a documented, cheap, well-understood procedure. Is that a new product requiring its own license? If yes, you have just claimed approval jurisdiction over every fine-tune on earth, an enforcement universe with no edges and no realistic inspection regime. If no, your certification governs an artifact that no longer exists in the wild, and the dangerous capability ships under cover of an approval that no longer describes it.

Either branch defeats the purpose. The mandate is either impossibly broad or substantively hollow, and there is no version that lands in between. Add open weights — once a capable model is downloadable, the "no release without a license" premise is simply void, because the release already happened and cannot be recalled. A licensing regime that the most safety-relevant releases can route around is not a safety regime. It is a tax on the law-abiding, which is the worst kind of rule: onerous, theatrical, and ineffective at the exact harm it was written to prevent.

The capacity we don't have

There is also the unglamorous matter of who does the work. The FDA reviews on the order of fifty novel drugs a year and takes months on each. Frontier evaluation is the opposite shape of problem: a small number of labs, each shipping capable systems and countless variants on a cadence measured in weeks, probing capabilities — offensive cyber, bioweapon uplift, chemical synthesis — that the evaluators themselves are still inventing the tests for. The honest practitioners admit this is genuine Knightian uncertainty, not a known risk you can score on a rubric.

And here the government's own behavior gives the game away. We already have the institution. NIST's Center for AI Standards and Innovation — the body that until recently was the AI Safety Institute — announced expanded agreements on May 5 with Google DeepMind, Microsoft, and xAI to evaluate models before public release, joining OpenAI and Anthropic, who signed on years earlier. CAISI says it has completed more than forty such evaluations, including of state-of-the-art systems still unreleased, covering cybersecurity, biosecurity, and chemical-weapons risk, some run in classified settings by an interagency task force. Notice what that is. It is pre-deployment testing, today, at the frontier — and it is voluntary, collaborative, and not a license. The capability the licensing camp says we need already exists in a form that doesn't require the broken legal theory.

What I'd do instead — and what it costs

I am not arguing for nothing, which is the lazy place this column is expected to land. The realistic version stops pretending we can approve a moving target once and instead governs the thing that does hold still: specific deployments, specific actors, specific harms, on a continuing basis.

• Mandatory disclosure over pre-approval. California's SB 53, signed last September, is the better template than any drug analogy: large developers must publish their safety frameworks, file transparency reports before deployment, and report critical incidents within days. It regulates what you must tell the public, not whether you may release at all — and it survives the moving-target problem because disclosure is continuous, not a one-time gate.
• Procurement as leverage, honestly named. Jessica Tillipman's point is the sharpest in this debate: the government doesn't need a freestanding licensing statute to reshape behavior. It can make cooperation on testing, classified evaluation, and deployment constraints a condition of federal market access, the way Section 508 quietly became an industry standard. Leverage operates whether or not it's a mandate.
• Liability at the point of harm. Tie responsibility to the deployer who fine-tunes, integrates, and ships to real users — the party who actually controls the system's behavior — rather than to a base-model certificate that downstream changes render meaningless.
• Keep CAISI voluntary and well-funded, and resist turning collaborative evaluation into a gate. The moment a security review becomes a release license, you import every enforcement contradiction above and lose the candor that makes the evaluations useful.

Now the part the licensing camp gets to throw back at me, because it's fair. My approach is genuinely weaker on the worst case. Disclosure and liability act after a capability is loose; they do not guarantee that a catastrophic model never ships. If you believe a single uncontrolled release could be civilization-scale, a leaky regime that mostly works is not good enough, and I cannot honestly promise you it is. That is the real cost of my position, and I won't paper over it. My claim is only that pre-market licensing doesn't actually buy you the guarantee it advertises — it buys you the feeling of one, plus an enforcement apparatus that the most dangerous releases sail straight past.

The EU's systemic-risk obligations land in August, and some statutory version of this fight is coming here regardless of what one cancelled ceremony decided. When it does, the test is not whether a rule sounds reassuring in a press release. It is whether anyone in the room can answer the question I kept asking from the inside: who enforces this, against what fixed thing, and what happens the first Friday after approval when the thing has already changed? Until the licensing camp has an answer, they're not regulating the technology. They're regulating a metaphor.