Summary
- OpenAI has published a Frontier Governance Framework linking its safety and security practices to emerging legal requirements.
- The framework explicitly refers to the EU AI Act’s Code of Practice for General Purpose AI.
- The publication shows frontier AI providers trying to shape enterprise and regulatory confidence before compliance norms fully settle.
OpenAI has published a Frontier Governance Framework that maps its safety and security practices to emerging legal requirements, including the EU AI Act’s Code of Practice for General Purpose AI.
The framework sets out how the company says it manages risk assessment and mitigation for advanced AI systems, covering cyber offence, chemical, biological, radiological, and nuclear risks, harmful manipulation, loss of control, model reporting, security risk management, incident response, external expert input, and framework updates.
Europe’s AI regime is now moving from legislative design into implementation. The AI Act entered into force in 2024, with obligations for general-purpose AI models already applicable from August 2025 and wider application dates continuing through 2026, 2027, and 2028. The European Commission describes the GPAI Code of Practice as a voluntary compliance tool designed to help providers meet transparency, copyright, safety, and security obligations.
OpenAI’s framework also has a clear commercial function. Enterprises and public-sector bodies considering frontier AI systems need more than model capability. They need evidence of risk management, incident processes, security controls, evaluation practices, and governance that can withstand internal audit, board scrutiny, procurement review, and regulatory challenge.
The document draws on OpenAI’s Preparedness Framework, which the company uses to define and operationalise its approach to serious risks from advanced AI systems. The new framework turns that approach into a public-facing governance artefact aligned with specific legal obligations, giving buyers and regulators a clearer view of how OpenAI wants its safety systems to be assessed.
Europe’s AI Act has created a regulatory centre of gravity for global providers. Even companies headquartered outside the bloc need to show how they will meet European requirements if they want to operate at scale in the market. Compliance is becoming a commercial condition for selling frontier AI into regulated industries, public bodies, and large enterprises.
Public frameworks, however, are only part of the assurance picture. Frontier AI companies have strong incentives to describe their controls clearly and confidently. Regulators, customers, and independent evaluators still need ways to test whether those controls work in practice, especially for dangerous capability evaluations, model security, systemic risk, and incident disclosure.
Procurement teams are likely to treat this type of document as part of supplier assessment. As organisations move from pilots to deployment, AI governance will sit alongside price, latency, model quality, integration support, data controls, and contractual liability. Providers that cannot explain their assurance model in operational terms will struggle in markets where AI failures carry legal, safety, or public trust consequences.
The AI market is therefore moving into a more demanding phase. The first wave rewarded performance claims and rapid product release. The next wave will be shaped by compliance, trust, auditability, and operational accountability. In Europe, law is accelerating that shift.
OpenAI’s framework will need to evolve as model capabilities and regulatory guidance develop. The European AI regime is still being interpreted across member states, standards bodies, procurement teams, and companies building on top of general-purpose models. OpenAI has set out its version of frontier governance; the harder test is how much of it can be independently verified when advanced systems are deployed in business, government, and critical workflows.