Meta has built much of its AI strategy around making advanced systems broadly available. But its Frontier AI Framework draws a line around some internally developed systems, saying the company may limit access, delay release, or stop development when the risks become too serious.
A new boundary around open AI
Meta CEO Mark Zuckerberg has pledged to make artificial general intelligence, or AGI, openly available one day. AGI is roughly defined as AI that can accomplish any task a human can. The new policy document does not abandon that ambition, but it does describe cases where Meta says release may not be appropriate.
The framework identifies two categories of systems that could be too risky to release: high-risk systems and critical-risk systems. Both categories involve highly capable AI that could help with cybersecurity, chemical, or biological attacks.
The distinction is about how severe and manageable the danger appears to be. A high-risk system might make an attack easier, but not with the same reliability or dependability as a critical-risk system. A critical-risk system, in Meta’s definition, could lead to a catastrophic outcome that cannot be mitigated in the proposed deployment context.
What Meta says could go wrong
The framework does not claim to list every possible catastrophe. Meta says the examples it names are among the most urgent and plausible risks that could follow directly from releasing a powerful AI system.
Those examples include the automated end-to-end compromise of a best-practice-protected corporate-scale environment. The document also points to the proliferation of high-impact biological weapons. In plain terms, Meta is focused on whether a system could make serious attacks easier to plan, execute, or scale.
That matters because an open release can be difficult to pull back. Once a powerful model is broadly available, the company has less control over who uses it, how it is modified, and whether safeguards remain in place. The framework is Meta’s attempt to describe when the benefits of availability may be outweighed by risks tied to misuse.
How Meta plans to judge risk
One notable part of the framework is how Meta says it will classify risk. The company does not describe a single empirical test that decides whether a system is high-risk or critical-risk. Instead, the process is informed by internal and external researchers, with review by senior-level decision-makers.
Meta says the reason is that the science of evaluation is not sufficiently robust to provide definitive quantitative metrics for this kind of decision. That means the company is presenting risk classification as a judgment process, not a simple pass-or-fail score.
This approach leaves room for expert review, but it also puts weight on internal governance. The framework suggests that Meta expects advanced AI risk to change as systems become more capable and as evaluation methods develop. Meta also says the Frontier AI Framework will evolve with the changing AI landscape.
What happens to risky systems
The framework lays out different responses depending on the category assigned to a system. If Meta determines that a system is high-risk, it says it will limit internal access and will not release the system until mitigations reduce risk to moderate levels.
If a system is deemed critical-risk, Meta says it will add security protections to prevent the system from being exfiltrated. It also says it will stop development until the system can be made less dangerous. The document does not specify all of those security protections.
The practical difference is important. A high-risk classification delays release while mitigations are added. A critical-risk classification goes further, triggering a pause in development until the danger is reduced.
The pressure on Meta’s open strategy
The framework appears to answer criticism of Meta’s open approach to AI system development. Meta has favored making its AI technology openly available, though not open source by the commonly understood definition. That differs from companies like OpenAI, which gate their systems behind an API.
Meta’s Llama family of AI models shows both sides of that strategy. Llama has reached hundreds of millions of downloads, giving Meta’s technology broad reach. But Llama has also reportedly been used by at least one U.S. adversary to develop a defense chatbot.
The framework may also be intended to draw a contrast with DeepSeek. DeepSeek also makes its systems openly available, but its AI has few safeguards and can be easily steered to generate toxic and harmful outputs.
Meta had earlier committed to publishing the framework ahead of the France AI Action Summit this month. By publishing it, the company is trying to show that open AI and risk controls can coexist. The central claim is that decisions about advanced AI should consider both benefits and risks before systems are developed and deployed.
For readers watching the future of AI, the key point is simple: Meta is still arguing for broad access to powerful systems, but it is also reserving the right to hold back systems it considers too dangerous. The question now is how that framework will work when a real system falls near the line between high-risk, critical-risk, and releasable.