A comprehensive legal risk analysis of the AI Assessment Index, Corroboration Standard, Assessment Charter, and public-facing scorecards — with case law, jurisdiction-specific analysis, exact disclaimer language, publication policies, and score publication rules.
* High before safeguards. Reduced to Moderate with recommended protections implemented.
The prior report's central positioning is correct: the Foundation's safest legal position is as an independent publisher of methodology-based assessments, not as a regulator, certifier, guarantor, or professional advisor. The distinction is not rhetorical — it is the legal line that separates the protection of Bose Corp. v. Consumers Union from the liability of Hanberry v. Hearst Corp.
Three legal shields protect the Foundation that the prior report does not analyze: the First Amendment opinion privilege, Section 230 immunity for hosted third-party content, and the truth defense supported by published reproducible methodology. These shields are not automatic — each requires specific structural conditions that this report specifies.
The two highest risks — certification liability and professional services liability — are manageable but require active architectural decisions, not just disclaimer language. The Corroboration Standard already makes the correct structural moves; this report identifies where the architecture needs strengthening and where the language needs precision.
The EU AI Act analysis in the prior report is inadequate for a Foundation with international aspirations. Articles 40–51 of the EU AI Act establish a specific legal regime for conformity assessment bodies that the Foundation must explicitly disclaim and structurally separate from, or risk being treated as an unregistered notified body operating in European markets.
The First Amendment's protection of speech on matters of public concern is the Foundation's strongest legal protection. AI safety, reliability, and governance are unambiguously matters of public concern. The Foundation is publishing assessments of commercial AI systems in a public policy and consumer information context — the precise setting where First Amendment protection is most robust.
The First Amendment analysis turns on whether IAF dimensional scores and composite scores are "objectively verifiable facts" or "methodology-applied evaluative judgments." The more the score can be characterized as the latter, the stronger the protection.
| Dimension Type | Verifiability | First Amendment Protection | Key Condition |
|---|---|---|---|
| Objective dimensions (Accuracy, Hallucination) | Partially verifiable by retesting | Moderate — closer to factual claims | Methodology must be published and reproducible; truth defense primary shield |
| Human-review dimensions (Wisdom, Fairness) | Inherently evaluative; not objectively verifiable | Strong — classic evaluative judgment | IRR requirements and multi-reviewer panels must be followed to support methodology claim |
| Composite score | Verifiable as a calculation; not verifiable as a definitive characterization | Strong if framed as methodology output, not objective truth | Confidence intervals, weight sensitivity ranges, and L-level disclosure are essential to maintain "evaluative" framing |
| Floor failure designation (INVALID) | Specific, potentially verifiable | Weaker — most exposed to factual challenge | Pre-publication legal review required for every floor failure designation. Truth defense is primary shield; legal review ensures the score accurately reflects the methodology. |
The First Amendment protection is not automatic. It depends on structural conditions. If these conditions are absent, the Foundation's assessments may be treated as statements of fact subject to the full defamation standard:
1. Published, reproducible methodology. The IAF methodology must be publicly available and reproducible. This is the structural fact that makes scores "methodology-applied evaluative judgments" rather than arbitrary opinions. The Foundation's current publication of the IAF satisfies this requirement.
2. Consistent disclosure of uncertainty. Confidence intervals, L-level designations, and weight sensitivity ranges must appear on all published scores. A score presented as a precise objective truth (without CI ranges, without L-level, without weight sensitivity) looks more like a statement of fact than an evaluative judgment.
3. Framing as assessment, not verdict. All score publications must be framed as outputs of the methodology, not as objective characterizations of the system. "Under IAF v1.0, System X scored 42 on Manipulation Resistance (L2 Confidence, 95% CI ±18)" is protected differently than "System X is dangerously manipulable."
4. Provider response published simultaneously. The simultaneous publication of provider responses is not just a fairness requirement — it is a legal architecture choice. It establishes that the Foundation is publishing an assessment with a response, not a verdict without appeal, which reduces the strength of any "knowledge of falsity" allegation.
5. No financial relationship between score and outcome. Any suggestion that scores are commercially influenced destroys both the First Amendment protection and the truth defense. The Assessment Charter's anti-capture mechanisms must be operational and documented.
Section 230 of the Communications Decency Act, 47 U.S.C. §230(c)(1), provides that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This is the primary liability shield for platforms hosting third-party content.
The Foundation operates ARIA Network boards where AI agents generate answers and users submit questions. The AI agents are "information content providers" generating content. The Foundation, as the platform operator hosting this content, is an "interactive computer service provider." Section 230 protects the Foundation from liability for the underlying AI-generated content on those boards — claims that an AI agent's answer caused harm, provided incorrect information, or defamed a third party are claims against the content provider (the AI developer/deployer), not the Foundation.
The Corroboration Standard's labels — "Corroborated," "Expert Verified," "AI-Generated," "Disputed" — are the Foundation's own editorial additions to third-party AI-generated content. Section 230 protects the Foundation from liability for the underlying AI content, but these labels are the Foundation's own speech. They are evaluated under defamation, false advertising, and professional services liability standards.
Section 230 does not protect the Foundation's IAF assessment scores. Those scores are the Foundation's own original content — assessments it conducts and publishes about AI systems. They are not "information provided by another information content provider." Defamation and trade libel claims arising from IAF scores are evaluated under standard defamation law, with the First Amendment and truth defenses as the primary shields.
Texas has an anti-SLAPP statute (the Texas Citizens Participation Act, TCPA, Tex. Civ. Prac. & Rem. Code Ch. 27) that provides strong procedural protections for speech on matters of public concern. An AI developer who files a meritless defamation lawsuit over an IAF assessment is subject to early dismissal under the TCPA, with mandatory fee-shifting to the plaintiff. The Foundation's Texas incorporation provides access to this protection. The Assessment Charter's anti-SLAPP fund requirement (§6.7.1) operationalizes this protection.
Defamation is the most predictable litigation threat. Any AI developer who receives a low score, particularly a floor failure designation, will consider whether a defamation claim is viable. The legal analysis is favorable to the Foundation but requires structural conditions to maintain.
| Element | What Plaintiff Must Prove | Foundation's Defense |
|---|---|---|
| False statement of fact | The score/designation is false | Truth (absolute defense if methodology is sound and correctly applied); Opinion privilege (methodology-based evaluative judgment); Methodological framing |
| Publication to third parties | Score was published publicly | No contest — publication is intentional and is the purpose |
| Fault | Negligence (private figure plaintiff); Actual malice (public figure plaintiff) | Published methodology + cryptographic log + multi-reviewer process + provider notice period = strong evidence of good faith, defeating actual malice |
| Damages | Actual harm to reputation or commercial interests | CI ranges, L-level labels, weight sensitivity ranges all reduce the plausibility of damages caused specifically by Foundation score (vs. underlying system performance) |
Trade libel applies to false statements about a plaintiff's goods or services, rather than the plaintiff itself. It has a higher plaintiff burden than defamation: the plaintiff must prove actual malice (knowledge of falsity or reckless disregard for truth) AND special damages (specific, identified commercial losses, not merely reputational harm). This higher burden makes trade libel claims against the Foundation difficult to sustain if the methodology is sound and correctly applied.
The Foundation's INVALID / Floor Failure designation is the highest defamation exposure. "INVALID — Floor Fail on Manipulation Resistance = 22" is a specific, concrete claim about a commercial AI system that can be independently tested. Unlike a composite score (which is an aggregate evaluation), a floor failure designation pinpoints a specific dimension and claims the system scored below a stated threshold.
This is the Foundation's most exposed publication act. It is also, if true, the most important publication act — a floor failure is a public safety signal. The legal architecture for this specific publication requires:
1. Pre-publication legal review. Every floor failure designation must receive legal review before publication. The reviewer must confirm: (a) the score accurately reflects the methodology as applied; (b) the methodology was correctly applied to this system version; (c) the cryptographic log commits the assessment record before the designation is announced; (d) the provider notification period has been completed.
2. The 14-day provider notice period is not optional. Publishing a floor failure designation without completing the notice period, under any circumstances, dramatically weakens the good-faith defense that defeats actual malice claims.
3. System version commitment.** The floor failure must identify the specific assessed version with its cryptographic hash. If the provider updates the system between assessment and publication, the Foundation must re-assess or label the designation as applicable to the assessed version only.
4. The designation frames the score, not the provider. "System X version 2.1 scored 22 on Manipulation Resistance under IAF v1.0 (INVALID — Floor Failure)" is legally distinct from "System X is dangerous" or "Provider Y cannot be trusted." The former is a methodology-framed assessment; the latter is a character claim that creates different liability exposure.
| Prohibited | Permitted Alternative | Legal Rationale |
|---|---|---|
| "[System X] is unsafe" | "Under IAF v1.0, [System X] scored 22 on Manipulation Resistance, triggering a floor failure designation." | The first is a categorical safety conclusion; the second is a methodology-framed score. Courts distinguish these. |
| "[Provider Y] cannot be trusted" | "Provider Y's assessed system version 2.1 received an INVALID designation due to Floor Failure on Manipulation Resistance." | Character statements about the provider (vs. methodology-based statements about the system) have no methodological basis and lose opinion privilege. |
| "[System X] hallucinates constantly" | "Under HAL dimension assessment, [System X] version 2.1 scored 31 on Hallucination Resistance (L2 confidence, 95% CI ±18)." | Qualitative characterizations beyond what the methodology supports create independent defamation exposure. |
| Comparisons like "worse than" without CI overlap analysis | Score ranges with explicit CI ranges and MDD disclosures | If two scores are within each other's CI range, a published comparison may be literally false (the systems may be statistically equivalent). |
Tortious interference claims arise when a third party causes harm to a plaintiff's existing or prospective business relationships. An AI developer who loses a contract or investment after a Foundation assessment may allege that the publication was an improper interference with that relationship.
Under the Restatement (Second) of Torts §766B, tortious interference with prospective business relations requires: (1) existence of a prospective business relationship; (2) defendant's knowledge of it; (3) intentional interference that is improper; and (4) resulting damages. The "improper" element is where the Foundation's primary defense lies.
The Foundation's defense: The "improper means" element cannot be satisfied by truthful, methodology-based assessments published in the public interest. If the score is accurate and the methodology is sound, the interference privilege applies. If the score is inaccurate, the tortious interference claim merges with the defamation claim — both are defeated by the truth defense.
The Foundation's greatest tortious interference exposure is not from a provider challenging its own score — it is from a scenario where a competing provider influences the Foundation's assessment process, or where the Foundation's assessments systematically favor one commercial actor over another. This is the "capture" scenario the Assessment Charter's anti-capture mechanisms are designed to prevent. If capture is demonstrated, the privilege defense for tortious interference claims fails entirely.
The following Assessment Charter provisions directly serve as tortious interference defenses: (a) the cryptographic commitment log (proves scores were not altered to target a specific provider); (b) the Permanent Adversarial Function reporting (demonstrates ongoing anti-capture monitoring); (c) the Industry Contribution Program restrictions and affiliation mapping (demonstrates no commercial favoritism in funding); (d) the provider notification and response process (demonstrates procedural fairness). Document these governance processes carefully — they are the evidence base for the privilege defense.
Section 43(a) of the Lanham Act, 15 U.S.C. §1125(a), prohibits false or misleading descriptions of fact in "commercial advertising or promotion" that are likely to deceive consumers and cause competitive harm. Two threshold questions determine applicability to the Foundation.
Does the Foundation engage in "commercial advertising or promotion"? The Foundation does not sell AI systems and does not commercially compete with them. Courts have generally held that nonprofits publishing informational assessments are not engaged in "commercial advertising or promotion" for Lanham Act purposes. This is the Foundation's most important Lanham Act protection — the statute's threshold requirement likely is not met.
Who has standing to sue? Under the Supreme Court's ruling in Lexmark International, Inc. v. Static Control Components, Inc., 572 U.S. 118 (2014), a plaintiff must allege an injury to a commercial interest that falls within the zone of interests protected by the Lanham Act. AI developers whose commercial interests are harmed by published assessments may have standing, but must still satisfy the "commercial advertising" element.
The FTC has authority over "unfair or deceptive acts or practices in or affecting commerce" — which extends beyond commercial entities to any entity making representations that affect commerce. The FTC's primary concern with a Foundation-type organization would be:
Independence claims: If the Foundation claims to be independent but is actually influenced by industry funding, the FTC could characterize the independence claim as deceptive. The Assessment Charter's funding restrictions and public disclosure requirements directly address this risk.
Endorsement by assessment: If AI companies use Foundation scores in their own marketing ("IAF-Assessed" or "Foundation-Reviewed"), the FTC's Endorsements and Testimonials Guides (16 C.F.R. Part 255) require disclosure of the relationship between the Foundation and the assessed entity. The Foundation should require in its terms of use that any commercial use of Foundation scores discloses the assessment relationship and links to the full methodology.
The prior report correctly identifies the certification language risk. The specific legal issue: "certified" creates an implied warranty of fitness for purpose. "IAF-Assessed" or "IAF-Evaluated" does not. The Foundation should prohibit providers from using the word "certified" in any description of a Foundation assessment, and should establish clear trademark-like guidelines for any authorized use of Foundation score references in commercial contexts.
Certification liability arises when a testing or rating organization certifies a product and that product subsequently causes harm. The theory: the certifier's seal of approval induced reliance, and the harm resulted from the deficiency the certifier should have detected. This is the most serious potential liability category for the Foundation.
The Fluor rationale is the Foundation's greatest concern. Users of AI systems in high-stakes contexts (medical, legal, emergency response) may not be able to independently verify AI system safety. If they rely on Foundation scores for deployment decisions and harm results, the "inevitable reliance" theory could apply.
The Foundation's L-level architecture is specifically designed to prevent this. A system deployed in a medical context based on an L1 Provisional Foundation score has not been approved, endorsed, or certified by the Foundation — it has been evaluated by a 100-item pilot benchmark with ±36.8 point confidence intervals. The Foundation's explicit prohibition on using L1 Provisional scores for deployment authorization is both a methodological and a legal protection.
| L Level | Certification Liability Exposure | Required Protective Language |
|---|---|---|
| L1 Provisional | Low if labeled correctly; high if misused without Foundation action | "This L1 Provisional assessment may not be used to support deployment authorization, safety claims, or regulatory submissions. It is suitable for internal development use only." |
| L2 Indicative | Moderate — preliminary external use creates reliance risk | "This L2 Indicative assessment is a preliminary evaluation. Confidence intervals of ±[x] points indicate meaningful measurement uncertainty. Not suitable for high-stakes deployment authorization without additional validation." |
| L3 Standard | Moderate — standard use with adequate disclosure | "This assessment reflects performance under IAF v[x] at the time of assessment. Performance may change as systems are updated. Not a guarantee of safety, fitness for purpose, or compliance with applicable law." |
| L4 High Confidence | Low with proper scope limitation | Standard disclaimer plus explicit scope statement: "This assessment evaluates [specific dimensions]. It does not evaluate [dimensions not tested]." |
| L5 Validated | Lowest with correct scope limitation and independent replication disclosure | Full methodology citation, replication study citation, scope limitation, standard disclaimer. |
The Macker case's protections should be explicitly incorporated into Foundation practice:
1. Explicitly scope-limited assessments. Every published score must state exactly what was tested and what was not. "This assessment evaluated Accuracy, Hallucination Resistance, and Citation Integrity under IAF v1.0. It did not evaluate Consistency, Governance Compatibility, Behavioral Consistency, or Domain Caution behaviors." A provider cannot claim a Foundation assessment covers dimensions the Foundation did not test.
2. No implied warranties of fitness. The Foundation never represents that a system is "safe," "reliable," "fit for purpose," or "meets legal requirements." These are warranty-creating phrases. The Foundation evaluates performance on IAF dimensions; it does not make fitness conclusions.
3. Assessment date and version specificity. Every published score includes the assessment date and the assessed system version. The Foundation cannot be held liable for performance changes after the assessment date if the version is clearly specified.
The Corroboration Standard's deployment of licensed professionals to assess AI-generated legal and medical information creates unauthorized practice of law (UPL) and unauthorized practice of medicine (UPM) risks that vary significantly by jurisdiction. The standard's existing architecture correctly identifies the legal boundary between information quality assessment and professional service delivery — but the architecture must be maintained precisely, and the required disclosures must be permanent and specific.
The Corroboration Standard operates on a legally meaningful distinction: a licensed professional reviewing the accuracy of published information against professional knowledge standards has not provided professional services to any specific person. The analogy in the standard (a physician reviewing a medical journal article for accuracy) is legally sound but must be structurally maintained. Three structural conditions preserve the boundary:
1. Total question anonymization. Reviewers must never know who asked the question. The moment a reviewer knows the questioner's identity, purpose, or circumstances, the information quality assessment begins to look like professional advice tailored to a specific person — which is UPL/UPM.
2. Information quality vocabulary only. Reviewer scoring rubrics that use "accurate," "incomplete," "misleading," or "appropriately qualified" are information quality assessments. Rubrics that use "appropriate for this person," "recommended treatment," or "advisable course of action" are professional advice. The rubric vocabulary is a legal architecture choice, not just a stylistic one.
3. No reviewer-user relationship ever created. The display format, disclaimer language, and system architecture must make it impossible for a user to argue that a reviewer-user professional relationship was established. Users must not be able to identify or contact reviewers. Reviewer credentials must not be displayed in a way that implies personal professional opinion.
The Texas Disciplinary Rules of Professional Conduct, Rule 5.5, prohibits practicing law without a license. Texas courts define "practice of law" broadly to include "the application of legal principles and judgment in a manner that affects the legal rights or responsibilities of any person" (State Bar of Texas v. Gomez, 891 S.W.2d 243 (Tex. 1994)).
The Foundation's Corroboration Standard, as designed, does not apply legal principles to any specific person's legal situation — it assesses whether AI-generated information accurately reflects published legal standards. This distinction is defensible in Texas but is fact-specific. If a corroborated answer includes jurisdiction-specific legal analysis, the "application of legal principles" element could be triggered even without a specific user in mind. The jurisdiction tagging requirement (reviewers only review in their admitted jurisdictions) is the correct safeguard.
Texas Penal Code §38.123 (criminal UPL) requires that the unauthorized practice be "for compensation." The Foundation's free corroboration service operates without direct compensation from users, reducing criminal UPL exposure. Revenue from other sources does not constitute compensation for the legal advice specifically.
California Business and Professions Code §6125 prohibits practicing law without a license. California's UPL standard is broader than Texas's — California courts have found UPL in contexts where other states would not. The Foundation's California exposure depends on: (a) whether it has California users; (b) whether its California-based reviewers are reviewing matters under California law; and (c) whether the corroboration of California-specific legal information constitutes "practicing law in California."
The strongest California protection: the Foundation's reviewers assess whether AI-generated information is consistent with published professional knowledge — they do not advise California users about California-specific legal situations. The blind review protocol (reviewers don't know the user or their situation) is the primary California UPL defense.
New York Judiciary Law §478 prohibits practicing law without a license. Spivak v. Sachs, 16 N.Y.2d 163 (1965) defined practicing law to include giving legal advice for compensation. The "for compensation" element is important — the Foundation's free service faces lower UPL exposure in New York than a fee-based legal review service would.
State medical practice acts uniformly define "practicing medicine" to include diagnosis, treatment, or the offer to treat. The Foundation's medical domain corroboration — physicians reviewing AI-generated medical information for accuracy against published clinical standards — should not constitute practicing medicine under any state's medical practice act, provided:
(a) No physician-patient relationship is created (confirmed by blind review architecture); (b) No diagnosis or treatment recommendation is made to any specific person; (c) The display format clearly states that corroborated medical information is not medical advice and does not create a physician-patient relationship; and (d) MED-002 type prompts (acute emergency recognition) trigger the Foundation's emergency routing protocol, not a review queue, because life-safety situations require immediate action, not an information quality assessment.
The EU AI Act (Regulation (EU) 2024/1689), which entered into force in August 2024, establishes a comprehensive regulatory framework for AI systems in the European Union. The most significant gap in the prior legal report is the absence of any analysis of how the Foundation's activities interact with the EU AI Act's conformity assessment regime. This gap is not theoretical — it affects how the Foundation can present its assessments to European users and whether Foundation assessments can be used as a basis for EU AI Act compliance decisions.
For certain high-risk AI systems listed in Annex III of the EU AI Act (including AI systems used in employment and worker management, essential private services credit scoring, law enforcement, migration and border control, and administration of justice), conformity assessments must be conducted by officially designated "notified bodies" — conformity assessment organizations formally designated by EU member state authorities under Article 33.
Notified bodies must: (a) be established under the law of an EU member state; (b) be notified by a national competent authority; (c) meet specific competence requirements under Annex VII; and (d) be subject to ongoing oversight by national authorities. A US-incorporated nonprofit cannot be a notified body under the EU AI Act. Period.
The risk is not that the Foundation will be mistaken for a notified body by EU regulators. It is that European AI deployers, under pressure to demonstrate compliance, might use Foundation assessments as a substitute for required notified body conformity assessments — creating liability for the deployer and potentially for the Foundation if it knew or should have known its assessments were being used this way.
Additionally, if Foundation assessments are presented as having regulatory significance in the EU — for example, as evidence that an AI system has been rigorously evaluated for safety and compliance — the Foundation's communications could be viewed as implying regulatory status it does not have.
The Foundation's assessment activities create GDPR obligations that must be addressed before any EU user access is permitted. Specifically:
Reviewer personal data. The Foundation maintains records of licensed professionals who serve as reviewers, including credential information, conflict-of-interest disclosures, and performance data. If any of these individuals are EU residents, their personal data is subject to GDPR. Processing this data requires a lawful basis under Article 6, likely legitimate interests (Article 6(1)(f)) for operating an information quality review service, with appropriate documentation.
Assessment question data. Questions submitted to ARIA Network boards may contain personal information from EU users. The Corroboration Standard's PII anonymization requirement before questions enter the VKO store is both a GDPR architectural requirement and a UPL protection. Both legal frameworks require the same structural solution.
Data processing agreements. If the Foundation processes personal data on behalf of EU entities (e.g., institutional subscribers), Article 28 data processing agreements are required.
Data subject rights. EU users have rights to access, rectification, erasure, and portability of their personal data. The Foundation's VKO erasure pathway required by the Corroboration Standard is the correct architectural response to the right to erasure under Article 17.
Cross-border data transfers. Transfers of EU personal data to the United States require either: Standard Contractual Clauses (SCCs) under Article 46; participation in the EU-U.S. Data Privacy Framework; or another Article 46 transfer mechanism. The Foundation must implement one of these mechanisms before collecting or processing EU user data.
Data Protection Officer. If the Foundation's processing of personal data involves large-scale systematic monitoring of individuals, a DPO may be required under Article 37. The Foundation should assess this requirement as it scales.
| Jurisdiction | Relevant Framework | Risk Level | Required Action |
|---|---|---|---|
| United Kingdom | UK GDPR (retained EU law); Online Safety Act 2023; Equality Act 2010; UK AI Governance White Paper (principles-based, not yet regulation) | Moderate | UK GDPR compliance (equivalent to EU GDPR) required for UK user data. Online Safety Act category thresholds unlikely to be met at launch. UK AI White Paper creates no immediate regulatory compliance obligations. UK-specific disclaimer for professional services content. |
| Canada | PIPEDA (privacy); Bill C-27 / AIDA (AI regulation — in development); Consumer Protection Acts (provincial) | Low–Moderate | PIPEDA compliance for Canadian user data. AIDA has not been enacted; monitor for development. Provincial consumer protection acts apply to any claims made about the Foundation's services. |
| Australia | Privacy Act 1988 (as amended); Australian Consumer Law (misleading conduct); AI Ethics Framework (voluntary, not regulation) | Low | Australian Privacy Act compliance for Australian user data. ACL misleading conduct provisions apply to any false or misleading representations about the Foundation's assessments. The AI Ethics Framework creates no compliance obligations but the Foundation's methodology should be benchmarked against it for Australian institutional relationships. |
| Singapore | PDPA (privacy); Model AI Governance Framework (voluntary) | Low | PDPA compliance for Singapore user data. The Model AI Governance Framework is voluntary guidance; the Foundation's methodology should be documented against it for Southeast Asian institutional relationships. |
| China | Algorithmic Recommendation Regulations; Generative AI Regulations; PIPL (privacy) | High if operating in China | The Foundation should not provide assessment services to Chinese-market AI systems or Chinese users without specialized PRC regulatory counsel. The Chinese AI regulatory regime is fundamentally different from the US/EU framework and is incompatible with the Foundation's published methodology on several dimensions (including Civic Responsibility scoring, which assesses political balance in ways that directly conflict with Chinese regulatory requirements for AI systems). |
Required on every published IAF score. Non-dismissible, minimum 12px font, must appear before the score is visible to the user.
| # | Rule | Legal Basis |
|---|---|---|
| PUB-001 | Every score must identify: IAF version; assessed system name and version; cryptographic hash of assessed system version; assessment date; sample size per dimension; confidence level (L1–L5, stating both S-level and Q-level); assessor team qualifications and COI disclosures; 95% CI per dimension; composite CI via error propagation; weight sensitivity range; MDD at 80% and 95% power. | Truth defense requires assessments to be accurately characterized; missing fields undermine the "good faith" evidence base. Particularity of system version defeats "the system has since improved" arguments. |
| PUB-002 | No score may be published without methodology link. Every published score must link directly to the IAF version under which the assessment was conducted. If the methodology has been updated since the assessment, the score must link to the archived version, not the current version. | The First Amendment opinion privilege and truth defense both depend on the score being a documented, reproducible methodology application. A score without a methodology link looks like an assertion of fact without support. |
| PUB-003 | Disputed scores remain published during dispute. A score under active dispute is labeled "Under Review — Formal Dispute Filed" and remains visible. Scores are not suppressed during dispute review. The dispute label and a link to the dispute status page are required. | Suppressing scores during dispute creates the impression that disputes succeed in removing unfavorable assessments, which incentivizes nuisance disputes and undermines the independence that provides First Amendment protection. |
| PUB-004 | Provider responses are published simultaneously. If a provider submits a response during the 14-day notice period, it is published at exactly the same time as the score, on the same page, without editorial comment from the Foundation. | Simultaneous provider response publication is evidence of procedural fairness. It defeats "knowledge of falsity" claims and reduces damages by giving providers the ability to contextualize scores immediately. |
| PUB-005 | Score corrections create a permanent correction record. When an error is identified and corrected, the original score is not deleted. It is labeled "Corrected" with the date of correction, the nature of the error, and the corrected score. Both versions remain permanently in the public record. | The cryptographic log commits the original assessment before publication. Post-publication "silent edits" are technically detectable and would be evidence of bad faith. A permanent correction record is both legally protective and consistent with the Foundation's transparency commitments. |
| PUB-006 | L1 Provisional scores are not published externally. Under no circumstances may L1 Provisional scores be published for external use, cited as evidence of system performance in regulatory submissions, used in third-party marketing, or described as Foundation "assessments" or "certifications" in any public-facing context. They may be shared internally within the Foundation and with the assessed provider under a non-publication agreement. | Publishing L1 Provisional scores without adequate disclosure dramatically increases defamation and certification liability exposure. The ±36.8 point CI on the Wisdom dimension alone means that any published comparison based on Pilot Benchmark scores is potentially a false statement of material fact about relative system performance. |
| PUB-007 | Scores may not be used in advertising without Foundation approval of the specific language. Any AI provider who uses a Foundation score in marketing ("IAF-Assessed," "Foundation-Reviewed," etc.) must obtain prior approval of the specific language from the Foundation. Permitted language: "Assessed under IAF v[x] ([date]) — [link to Foundation score page]." Prohibited language: "Certified," "Approved," "Endorsed," "Verified Safe," "Guaranteed." | Providers who misuse Foundation scores in advertising create false advertising exposure for themselves and potentially implicate the Foundation in claims it did not make. Pre-approval of advertising language is the cleanest prevention. |
| PUB-008 | Every publication of a floor failure designation requires pre-publication legal review. A Foundation attorney or outside counsel must review the floor failure designation, the assessment record, the methodology application, and the provider notification documentation before the designation is published. This review must be documented in the assessment record. | Floor failure designations are the Foundation's highest-exposure publications. Legal review creates a contemporaneous record that the Foundation acted in good faith, which is critical for both the truth defense and the "no actual malice" defense to defamation and trade libel claims. |
The Foundation's three-stage dispute process (Administrative Review → Assessment Panel → External Arbitration) is already specified in the Assessment Charter (Article XI). This section addresses the legal significance of each stage and the specific procedural language required for legal defensibility.
An AI developer who successfully argues that the Foundation published a score without giving adequate opportunity to respond, or without a meaningful review process for disputed findings, strengthens both its defamation claim (showing the Foundation was reckless) and its tortious interference claim (showing the Foundation's interference was improper). The assessment dispute process is the Foundation's evidence base for good faith. Every failure of that process is a fact in a potential plaintiff's complaint.
The Assessment Charter specifies binding external arbitration as the final internal appeal. Two legal requirements must be specified before the arbitration program launches:
1. The arbitration agreement must waive class arbitration. The arbitration clause should specify individual arbitration only — class arbitration over assessment methodology could be used to challenge the entire methodology rather than a specific score.
2. The arbitration agreement must specify governing law. Texas law governs all arbitration proceedings (consistent with Texas incorporation). This is important for TCPA anti-SLAPP protection to apply.
Assessment Charter §6.7.2 prohibits the Foundation from settling litigation on terms that require score retraction, methodology modification, non-disclosure, or activity restrictions. This prohibition must be clearly communicated to any litigation counsel retained by the Foundation before settlement discussions begin. It is not a negotiating posture — it is an organizational commitment that protects the integrity of the assessment enterprise. A settlement that retracts a sound score in response to litigation pressure destroys the Foundation's credibility as an independent assessor and removes the structural basis for First Amendment protection on future publications.
| Publication Type | Legal Review Required? | What the Review Must Confirm |
|---|---|---|
| Standard composite score (L2–L5, no floor failures) | No mandatory review; spot-check program recommended (10% of publications) | Spot-check confirms: system version identified with hash; CI ranges present; L-level correct; provider notice completed; methodology version correct |
| Any score below 40 on any dimension (even non-floor dimensions) | Yes — single attorney review | Score accurately reflects methodology; methodology correctly applied; provider notice period completed; no pending factual disputes from provider |
| Floor failure designation (INVALID) | Yes — two-attorney review (one assessment-familiar, one external) | All items above, plus: system version committed to cryptographic log before provider notification; provider notification documentation on file; provider response or non-response documented; disclosure language complete and correct; no pending factual disputes that, if true, would change the score |
| Score correction or retraction | Yes — Executive Director sign-off plus one attorney | Nature of error documented; original score not deleted; correction record complete; whether the error affects any other published scores (systematic error requiring broader review) |
| First publication of any system by a provider who has objected to prior assessments | Yes — single attorney review | No evidence that the prior objection influenced the current assessment process; assessors were not the same as those involved in prior disputed assessments; conflict-of-interest declarations on file |
| Any assessment used in regulatory or policy submissions by third parties | Yes — upon request or knowledge of such use | Jurisdiction-specific legal analysis of whether Foundation scores can be cited in the relevant regulatory context; EU AI Act notified body disclaimer confirmed present |
| Priority | Item | Legal Risk Addressed | Status |
|---|---|---|---|
| 1 | Engage Texas licensed counsel to review and approve all disclaimer language (§X) before any external publication | All defamation, UPL, and certification risks | Required before launch |
| 2 | Confirm TCPA anti-SLAPP applicability with Texas counsel and prepare standard TCPA motion template | SLAPP litigation | Required before launch |
| 3 | Implement Universal Assessment Disclaimer (§X.A) on all published score pages — non-dismissible, minimum 12px, above the fold | Defamation, certification liability | Required before launch |
| 4 | Implement L1 Provisional external publication prohibition (PUB-006) — technical controls preventing external publication of Pilot Benchmark scores | Certification liability, defamation | Required before launch |
| 5 | Engage EU data protection counsel; implement EU-U.S. data transfer mechanism before accepting EU user data | GDPR compliance | Required before EU user access |
| 6 | Add EU AI Act notified body disclaimer (§X, EU notice) to all published materials and methodology documentation | EU AI Act regulatory conflict | Required before EU market presence |
| 7 | Establish pre-publication legal review protocol for floor failure designations (§XIII); retain litigation counsel familiar with Texas media law | Defamation, trade libel | Required before any floor failure publication |
| 8 | Establish provider advertising approval program (PUB-007); draft provider terms of use prohibiting unauthorized certification language | False advertising, certification liability | Required before any provider assessments |
| 9 | Draft Corroboration Standard reviewer agreements incorporating the professional services disclaimers (§VII) and limiting language | UPL, UPM, professional services liability | Required before Corroboration Standard deployment |
| 10 | Establish legal defense fund to sustain two simultaneous SLAPP suits (Assessment Charter §6.7.1) | SLAPP litigation deterrence | Required before publishing any floor failure designations |
| 11 | Implement China non-participation policy; do not accept assessments of Chinese-market AI systems pending specialized PRC counsel | PRC regulatory conflict | Required before any international assessments |
| 12 | Obtain jurisdiction-specific UPL opinions from Texas, California, and New York counsel before Corroboration Standard deployment in those jurisdictions | UPL exposure | Required before ARIA Network public launch |
Final Note on Legal Posture
The Foundation's strongest legal position is also its most accurate self-description: an independent publisher of methodology-based assessments operating in the public interest. Every structural condition required by law — published methodology, CI ranges, L-level labels, provider notice and response, cryptographic logs, no financial influence on scores — is also the correct governance design. Legal defensibility and institutional integrity point in exactly the same direction.
The assessment that will be litigated is not the methodologically sound L3 or L4 assessment that was properly conducted, fully disclosed, and came with a provider response. It will be the L1 Provisional assessment published without adequate CI disclosure, the floor failure published without pre-publication legal review, or the score that was published before the provider notice period was complete. This report's implementation checklist addresses those specific scenarios. Avoiding them eliminates most litigation risk.