This study addresses the regulatory blind spots confronting cutting-edge AI models during internal deployment, where existing external governance frameworks fall short in mitigating emerging risks. The work proposes the first standardized risk reporting framework tailored for internal AI use across multiple jurisdictions—specifically California, New York, and the European Union. Centered on two primary risk vectors, namely autonomous AI misbehavior and insider threats, the framework integrates threat modeling with legal compliance analysis through the lens of means, motive, and opportunity. It delivers a structured, actionable security assessment template that enhances pre-deployment risk identification and management transparency. Designed as a practical guide for high-capability AI developers, this approach significantly strengthens organizational readiness to anticipate and govern internal AI risks in alignment with diverse regulatory expectations.

Frontier AI companies first deploy their most advanced models internally, for weeks or months of safety testing, evaluation, and iteration, before a possible public release. For example, Anthropic recently developed a new class of model with advanced cyberoffense-relevant capabilities, Mythos Preview, which was available internally for at least six weeks before it was publicly announced. This internal use creates risks that external deployment frameworks may fail to address. Legal frameworks, notably California's Transparency in Frontier Artificial Intelligence Act (SB 53), New York's Responsible AI Safety And Education (RAISE) Act, and the EU's General-Purpose AI Code of Practice, all discuss risks from internal AI use. They require frontier developers to make and implement plans for how to manage risks from internal use, and to produce internal use risk reports describing their safeguards and any residual risks. This guide provides a harmonized standard for companies to produce internal use risk reports suitable for all three regulatory frameworks. It is addressed primarily to evaluation and safety teams at frontier AI developers, and secondarily to regulators and auditors seeking to understand what good reporting looks like. Given the pace of AI R&D automation and the limited external visibility into how companies use their most capable models internally, regular and detailed risk reporting may be one of the few mechanisms available to ensure that the risks from internal AI use are identified and managed before they materialize. Whenever a substantially more capable or riskier model is deployed internally, the developer should create a risk report and argue why the model is safe to deploy. We structure the reporting framework around two threat vectors -- autonomous AI misbehavior and insider threats -- and three risk factors for each: means, motive, and opportunity.