Dive Brief:
- OpenAI released its Frontier Governance Framework Thursday, a look into the company’s safety and security practices and how it plans to align with emerging state and global AI regulations. The document details the company’s approach to assessing and mitigating cyber offense, risk management and incident response, among other security factors.
- The company said the framework responded to requirements in California’s Transparency in Frontier AI Act, which requires the disclosure of risk management protocols by model builders. OpenAI also cited the EU AI Act’s General-Purpose AI code of practice, which puts regulatory responsibility on developers of AI to mitigate risk of harm by the system and requires technical documentation for review by EU officials.
- The framework will continue to evolve, the company said, and it will be informed by national and international AI risk management standards. “We are committed to safely developing and deploying highly capable AI models, which create significant benefits and also bring new risks,” OpenAI said in the framework document.
Dive Insight:
Right before Memorial Day, OpenAI and other AI providers braced for an executive order from the Trump administration that would establish a voluntary AI model review process. Trump scrapped the order on the day it was set to be signed, telling reporters in the Oval Office he “didn’t want to do anything to get in the way of” what he described as the country’s lead over China in AI.
The order, which reportedly allowed federal agencies to review AI models on a voluntary basis before they were released to the public, was a change in tune for the Trump administration, which has been taking a hands-off approach to tech regulation.
Anthropic’s April preview of its powerful model, Mythos, which highlighted a number of cybersecurity concerns and weaknesses, likely contributed to the idea of a federal vetting system, according to Samir Jain, VP of policy at the Center for Democracy and Technology. OpenAI responded to the concerns quickly by launching its cybersecurity initiative, Daybreak.
“It may have made the national security agencies both more interested in being involved in this debate and having more of a voice,” Jain said.
Although the executive order was pulled, AI providers are facing regulations on the state and global level.
The EU’s code of practice can’t dictate how American companies run their AI models, but non-European companies will be required to meet certain compliance standards to operate in Europe when the act goes fully into effect in August 2027. OpenAI signed the voluntary code of practice last summer.
In its governance framework, OpenAI documented its technical and organizational protocols to mitigate risks, as defined under California’s AI act. The state joins Colorado, which in 2024 became the first state to pass comprehensive AI legislation. Lawmakers in Illinois are awaiting the governor’s signature on a historic AI bill that would require much of the same oversight as California and Colorado, and introduce third-party audits on model safety issues.
The National Institute of Standards and Technology announced Friday it would be extending the scope of an AI-focused consortium it founded two years ago and calling for new members. Even without federal regulation, the Mythos preview may have highlighted the need for more transparency into AI models, Jain said.
Anthropic’s newest model “made more concrete some of the risks, and particularly national security risks, that the AI models potentially are raising,” he said.
CIOs should pay close attention as AI becomes a more regulated industry, said Dion Hinchcliffe, VP and practice lead at The Futurum Group, in an emailed statement.
“Large enterprises already favor vendors that can demonstrate disciplined testing, red-teaming, and operational safeguards before models reach production, so even a voluntary federal review framework could actually accelerate AI procurement toward vendors with mature governance and slower, more predictable release engineering,” Hinchcliffe said.
OpenAI said it will continue to evaluate whether its models create a risk of severe harm through a routine risk assessment process, and will incorporate feedback from researchers, industry bodies, the U.S. government and other governing agencies.







