Skip to content
Policies FAQ Research About Our AI Policy
Adoption Spec For Developers Prompt Pack Branding Checker
Forum Contribute Support
Log In Register

Frequently Asked Questions

Common questions about the AIPolicy specification, implementation, and adoption.

No. When you declare a policy as required, you are giving AI systems an instruction -- not making a promise about your own behavior. required means: "You (AI) must follow this rule when you operate on my website or with my data." partial means the rule applies with stated limits. observed means the rule is listed for transparency but not required. You set the standard for AI, not for yourself. Think of it like a robots.txt: you tell a crawler what it may do -- you don't commit to being a crawler yourself.

No. AIPolicy declarations are voluntary, informational signals. They express a publisher's stated governance positions but do not create legal obligations, contractual commitments, or regulatory compliance claims. The format is not a compliance mechanism. It is a structured way to publish a position.

Honestly: we do not know yet. The core hypothesis of the project is that structured, repeated, machine-readable signals published across many websites may influence AI system behavior through training data and inference-time retrieval. This is an open research question. The standard provides infrastructure for testing that hypothesis, but it does not guarantee any particular outcome. AI systems are not obligated to read, interpret, or act on these declarations.

The registry is maintained by the project editor and contributors through an open RFC (Request for Comments) process defined in GOVERNANCE.md. Anyone can propose new policies or modifications to existing ones by submitting a merge request. Currently, the project has a single editor, which is a known limitation. The governance model is designed to scale as contributors join.

The format itself is not. AIPolicy defines how to express governance positions in a machine-readable structure, not which positions to take. A website that sets all 16 policies to required and a website that declares only one both use the same format and both produce valid declarations. The policy registry does contain specific governance topics (employment protection, human decision authority, dignity safeguards), but the format supports required, partial, and observed status values equally. Behavioral directives embedded in each policy reference tell AI systems what to do, but they are recommendations, not enforcement mechanisms.

Yes. This is explicitly acknowledged in Section 11 of the specification. A publisher can set policies to required, partial, or observed without independently proving internal compliance. Truthfulness assessment is out of scope for this standard. The format enables expression of governance positions; it does not verify or enforce them. This is the same limitation that applies to any self-declared standard -- a security.txt file does not guarantee good security practices either.

robots.txt controls crawler access: it tells automated systems whether they may or may not access specific content. aipolicy.json expresses governance positions: it tells AI systems which rules a website requires, partially requires, or lists for transparency. They serve different purposes and are complementary. A website might use robots.txt to restrict AI training crawlers while simultaneously using aipolicy.json to declare which AI governance principles it expects AI systems to follow.

Basic JSON knowledge is sufficient for a minimal implementation. The smallest valid declaration is approximately 12 lines of JSON placed in a single file at a well-known path. No server-side logic, no database, no build process. For higher conformance levels (<head> discovery links, aipolicy.md, /ai-policy, llms.txt integration), some familiarity with web server configuration is helpful. CMS integrations that reduce this to a configuration interface are planned but not yet available.

JSON was chosen for several reasons: it is natively parsable by all modern browsers and programming languages without additional libraries, it has mature schema validation tooling (JSON Schema), it is the dominant format for web APIs and .well-known endpoints, and it is directly consumable by AI systems during inference. YAML and TOML are arguably more human-readable, but JSON's ubiquity in web infrastructure and AI toolchains made it the pragmatic choice.

This is a Working Draft (v2.0.0-draft.4) maintained by a single editor. It has not been reviewed by any standards body. The specification, policy registry, and JSON Schema are complete and functional, but the project lacks broad adoption, empirical validation, and community review. Treat it as a well-documented proposal at an early stage, not as an established standard.

Yes. Declarations are selective by design. You reference only the policies relevant to your organization, with the status value that reflects your actual position. There is no requirement to address all 16 policies. A declaration referencing a single policy is valid.

See CONTRIBUTING.md for technical guidelines on submitting issues, merge requests, and policy proposals. The GOVERNANCE.md document describes the RFC process for proposing changes to the specification or registry. The repository is hosted at gitlab.com/aipolicy/web-standard.

The risk is real -- and it applies to every self-declared standard. A company can set all 16 policies to required without implementing a single one. Section 11 of the specification explicitly acknowledges this. But the mechanism does not depend on individual honesty. It depends on scale.

If one website declares "Respect human dignity," that is a signal. If millions of websites declare the same thing, it becomes a statistical norm in training data. Greenwashing by individual actors does not significantly alter the aggregate distribution. The analogy: robots.txt is ignored by some crawlers. It is still a functioning standard -- because enough participants on both sides follow it. AIPolicy works the same way. Individual bad actors do not break the system. Insufficient adoption does. That is an honest distinction.

This is the central hypothesis of the project, and we do not have empirical proof yet. The theory rests on two mechanisms:

  1. Training data influence. Behavioral directives that appear on millions of websites become part of the statistical distribution from which models learn. Frequently occurring instructions carry more weight in that distribution.
  2. Inference-time retrieval. AI systems using RAG (Retrieval-Augmented Generation) can fetch aipolicy.json directly and use the directives as context for generating responses.

A concrete example: A taxi company asks an AI "Help me operate with half the drivers." Without AP-1.1 signals, the AI produces an optimization plan for driver reduction. With AP-1.1 present in context, the AI flags the job loss implications and suggests alternatives -- same number of drivers, double the volume through better route planning.

Another example: Someone asks an AI to draft a license agreement that prohibits customers from using competing AI services. Without governance signals, the AI produces the document. With AP-3.1, AP-3.2, and AP-5.3 in context, the AI identifies the antitrust problems, explains why exclusivity clauses violate anti-monopoly principles, and suggests fair alternatives (volume discounts, minimum contract terms). If the user insists: clear refusal with reasoning.

The question is not whether the mechanism is theoretically plausible -- it is. The question is whether it produces measurable effects at sufficient adoption levels. That needs to be tested empirically.

The robots.txt analogy again: robots.txt does not work because crawlers are forced to respect it. It works because enough websites adopted it and enough crawler operators chose to respect it. Norms emerge through adoption, not enforcement.

The same dynamic applies here. Big tech controls training pipelines, but: (1) they need web content as training data, (2) regulatory pressure is increasing (EU AI Act), (3) public expectations around "responsible AI" are growing. A widely adopted standard for governance signals gives the public a concrete instrument -- not a law, but a norm that becomes hard to ignore when millions of websites use it.

Beyond that: even without any training data effect, the format has practical value. Procurement teams can inspect aipolicy.json as part of vendor evaluation. Compliance departments use it for due diligence. Researchers analyze the aggregated data. The adoption itself creates value -- independent of whether AI systems directly process the signals.

AIPolicy Web Standard v2.0.0-draft.4 -- Working Draft