This study addresses a critical gap in current U.S. and European AI regulatory frameworks, which predominantly focus on externally deployed systems while overlooking high-risk AI applications used internally by firms that may circumvent oversight. Through policy text analysis, comparative regulatory assessment, and institutional gap identification, the paper systematically uncovers three key regulatory blind spots concerning internal AI deployment: ambiguous scope of applicability, inadequate one-off compliance evaluation mechanisms, and significant information asymmetry. It elucidates the underlying causes of these gaps and argues for the development of dynamic, adaptive regulatory approaches coupled with enhanced transparency mechanisms. The findings offer both theoretical grounding and practical pathways for crafting governance policies that effectively balance innovation incentives with robust risk mitigation in the context of internal AI use.

Frontier AI regulations primarily focus on systems deployed to external users, where deployment is more visible and subject to outside scrutiny. However, high-stakes applications can occur internally when companies deploy highly capable systems within their own organizations, such as for automating R&D, accelerating critical business processes, and handling sensitive proprietary data. This paper examines how frontier AI regulations in the United States and European Union in 2025 handle internal deployment. We identify three gaps that could cause internally-deployed systems to evade intended oversight: (1) scope ambiguity that allows internal systems to evade regulatory obligations, (2) point-in-time compliance assessments that fail to capture the continuous evolution of internal systems, and (3) information asymmetries that subvert regulatory awareness and oversight. We then analyze why these gaps persist, examining tensions around measurability, incentives, and information access. Finally, we map potential approaches to address them and their associated tradeoffs. By understanding these patterns, we hope that policy choices around internally deployed AI systems can be made deliberately rather than incidentally.