The policy prohibits using Cohere's AI to write malware, cyberweapons, or attack tools, and to plan or execute attacks against critical infrastructure such as power grids, water systems, or financial networks.
This analysis describes what Cohere's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision covers both the creation of offensive tools and their potential deployment against critical infrastructure, meaning operators in cybersecurity contexts must assess whether legitimate security research or penetration testing use cases could be construed as prohibited.
Interpretive note: The boundary between permitted security research and prohibited cyberweapon creation is not defined in the document and may require case-by-case assessment.
Operators and users cannot use Cohere's services to generate functional malicious code or to support cyberattacks, including against critical infrastructure, regardless of stated research or testing justifications unless those use cases are separately authorized.
Cohere has changed this document before.
"Do not use Cohere's services to create cyberweapons or malicious code that could cause significant damage if deployed, or to conduct attacks on critical infrastructure." — Excerpt from Cohere's Cohere Responsible Use Policy
REGULATORY LANDSCAPE: This provision engages the US Computer Fraud and Abuse Act (CFAA), the EU's Directive on Attacks Against Information Systems (2013/40/EU), the UK Computer Misuse Act, and critical infrastructure protection frameworks such as CISA regulations. The EU AI Act also addresses AI use in contexts that could affect critical infrastructure.
GOVERNANCE EXPOSURE: High for cybersecurity firms, penetration testing providers, and security researchers who use AI to assist with offensive security work. The boundary between authorized penetration testing and prohibited cyberweapon creation requires careful operational definition.
JURISDICTION FLAGS: The US, EU, and UK all impose criminal liability for unauthorized computer access and cyberweapon deployment. Organizations providing cybersecurity services internationally face multi-jurisdictional exposure. US government contractors may face additional obligations under FISMA and sector-specific cybersecurity frameworks.
CONTRACT AND VENDOR IMPLICATIONS: Cybersecurity vendors and managed security service providers using the Cohere API should assess whether their authorized offensive security use cases require specific permissions or carve-outs from Cohere. B2B agreements should address the boundary between permitted security research and prohibited cyberweapon creation.
COMPLIANCE CONSIDERATIONS: Operators in the cybersecurity sector should document the distinction between their authorized use cases and the prohibited categories in this provision, implement controls to prevent generation of deployable malicious code, and consider whether their terms of service adequately restrict downstream misuse by their own users.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cohere.