AIRiskAware
Explainer

What Is a Foundation Model?

A foundation model is a large AI model trained on broad, diverse data at scale that can be adapted (fine-tuned) for a wide range of downstream tasks. Foundation models — including GPT-4, Claude, Gemini, Llama, and Mistral — are trained on massive datasets (text, images, code, or multimodal combinations) and develop general capabilities that can then be applied to specific use cases through fine-tuning, prompting, or RAG architectures. The EU AI Act uses the term General Purpose AI (GPAI) to describe these models and imposes specific obligations on their providers, including transparency requirements, copyright compliance, and additional obligations for GPAI models with systemic risk.

Definition

Foundation Model: a large AI model trained on broad data at scale and adaptable to a wide range of downstream tasks, typically through fine-tuning or prompting rather than purpose-specific training.

Foundation models are the basis of most modern frontier AI — including all large language models, image generators, and multimodal systems from OpenAI, Anthropic, Google DeepMind, Meta, Mistral, and others. Under the EU AI Act, foundation models are regulated as General-Purpose AI (GPAI) models, with provider obligations under Article 53 effective from 2 August 2025. Models meeting "systemic risk" thresholds (currently 10^25 FLOPs of training compute) face additional Article 55 obligations.

Source: EU AI Act, Articles 51–55; Stanford CRFM

Why it matters for governance

Foundation models create unique governance challenges because they are general-purpose: the same model can be used for customer service, medical diagnosis, legal research, and hiring decisions — each with different risk profiles and regulatory requirements. The EU AI Act's GPAI provisions (effective August 2025) require providers to publish training data summaries, comply with copyright obligations, and respect opt-out mechanisms. GPAI models with systemic risk (determined by compute thresholds) face additional obligations including adversarial testing, incident reporting, and cybersecurity measures.