Regulatory Analysis

OECD-AI and the foundational layer of global AI governance

The OECD AI Principles created the shared vocabulary behind the EU AI Act, NIST AI RMF, and ISO/IEC 42001, but they do not enforce compliance.

Published on

Subscribe to our newsletter

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

OECD AI Principles: The Foundation of Modern AI Governance, the EU AI Act, NIST AI RMF, and ISO/IEC 42001

The common ancestor of global AI governance, and what “OECD-aligned” actually means

Why do the EU AI Act, the National Institute of Standards and Technology AI Risk Management Framework (NIST AI RMF), and ISO/IEC 42001 each define an AI system in almost identical terms?

Each describes a machine-based system that infers, from the input it receives, how to generate outputs such as predictions, recommendations, or decisions that influence physical or virtual environments. Three distinct regulatory instruments. Three different jurisdictions. One definitional core. The trustworthiness properties each framework builds around that definition are equally convergent: transparency, accountability, robustness, and human-centricity appear across all three in near-identical formulations.

The answer traces to a single 2019 document that most AI governance practitioners can cite but have rarely read in full: the Organisation for Economic Co-operation and Development (OECD) Recommendation on Artificial Intelligence. That document’s vocabulary is now embedded in the major AI governance, regulatory, and compliance frameworks in force today. Understanding how that happened, and what it actually commits anyone to, requires tracing the influence chain that connects international standards bodies, regulators, and policymakers across multiple jurisdictions.

What Are the OECD AI Principles?

The OECD AI Principles are the first intergovernmental standard on AI. Adopted on 22 May 2019 at OECD Ministerial Council level, they emerged from the OECD Expert Group on AI (AIGO), a multi-year process drawing expertise from more than 50 participants across government, industry, civil society, and academia.

The Recommendation has two tiers. The first is five values-based principles: inclusive growth, sustainable development, and well-being; human rights and democratic values including fairness and privacy; transparency and explainability; robustness, security, and safety; and accountability. The second is five recommendations to policymakers directing national action across AI research investment, digital infrastructure, enabling policy environments, human capacity building, and international cooperation. Neither tier prescribes how compliance should be measured or enforced.

That architecture is deliberate. The ambition was consensus across rival jurisdictions, not codification. Achieving it required leaving implementation entirely to national governments. The same design choice that built a broad government coalition also means, by design, that the Principles do not directly impose implementation or enforcement requirements. The trustworthiness properties in the Principles function as a shared vocabulary for downstream governance and regulatory frameworks: built to be adopted downstream, not enforced from Geneva.

In June 2019, G20 Leaders at the Osaka Summit formally welcomed the G20 AI Principles, drawn directly from the OECD Recommendation. Political reach extended immediately beyond OECD membership to the world’s largest economies, without additional negotiation. That single summit endorsement substantially extended the geopolitical weight of a document most enterprises still treat as background reading.

The Principles had 47 formal adherents as of 3 May 2024, per the OECD press release announcing the May 2024 update; OECD.AI’s own principles page continues to show 47 adherents as of June 2026. A regulatory tracker maintained by White and Case, updated April 2026, separately reports 49 adherents. Both figures are presented with their original publication dates because adherent counts are updated at different times and may reflect different reporting methodologies.

In May 2024, the OECD Ministerial Council adopted significant revisions to the Principles responding directly to the emergence of general-purpose and generative AI. The update strengthened provisions on safety, privacy, intellectual property rights, and information integrity. The non-prescriptive architecture was preserved.

How the OECD AI System Definition Shaped the EU AI Act, NIST AI RMF, and ISO/IEC Standards

The OECD AI system definition became the shared definitional base for three major AI governance frameworks. The connections are stated in the primary texts, not inferred.

The official NIST AI 100-1 text explicitly attributes its AI system definition as adapted from the “OECD Recommendation on AI:2019; ISO/IEC 22989:2022.” ISO/IEC 22989:2022, the international standard on AI concepts and terminology, itself references the 2019 OECD Recommendation in Annex A. The OECD document is the upstream source for both citations. ISO/IEC 42001, the international AI management system standard, draws on the same conceptual vocabulary, establishing audit and management requirements for organizations that trace back to the same foundational definitions.

The EU AI Act arrived at its definition through a more layered path. Recital 12 of Regulation (EU) 2024/1689 states that the AI system definition should be “closely aligned with the work of international organisations” on AI, to ensure legal certainty and facilitate international convergence.

Article 3(1) then defines an AI system as a machine-based system designed to operate with varying levels of autonomy, capable of adaptiveness after deployment, and able to infer from input to generate outputs including predictions, content, recommendations, or decisions that influence physical or virtual environments. The convergence with the OECD formulation is deliberate and documented. For practitioners working across multiple jurisdictions, that definitional alignment matters more than any specific formulation: a scope determination reached under one framework often provides a useful starting point for analysis under another.

Research published in 2026, in Defining AI Models and AI Systems (arXiv 2603.10023), documents a bidirectional feedback loop: the OECD’s 2024 revision was written with awareness of the evolving EU AI Act, while the Act’s final text converged back toward the updated OECD formulation. The NIST AI 100-1 “adapted from” attribution and the EU AI Act’s explicit alignment with international AI definitions provide direct evidence of this lineage in primary texts. The G20’s Osaka endorsement substantially expanded the Recommendation’s international reach and influence.

“OECD-aligned” in regulatory documentation is not rhetorical. It describes a documented definitional lineage that runs from a 2019 Recommendation through ISO/IEC 22989, through NIST AI 100-1, and into the binding text of the EU AI Act. The shared AI system definition is one of the foundations that makes cross-border AI governance interoperability possible.

OECD.AI: The Live Infrastructure Behind Global AI Governance

OECD.AI is the online platform that operationalizes the OECD AI Principles through four active tools, providing a shared AI governance framework infrastructure for policymakers, regulators, standards bodies, and enterprises. More than a document repository, it is the substrate layer of the global AI governance stack: the evidence and measurement infrastructure that converts a non-binding standard into a live observatory of national AI governance frameworks and the real-world divergence between them.

In practice, it provides the common evidentiary and analytical foundation through which governments, standards bodies, researchers, and enterprises observe how AI governance is evolving across jurisdictions.

The OECD.AI Policy Navigator describes a living repository of AI policy initiatives spanning more than 80 jurisdictions and organisations. OECD sources report initiative totals differently depending on the dataset and reporting date, ranging from 900+ on the OECD.AI home page to over 1,000 across more than 70 jurisdictions as of May 2023 per oecd.org/en/topics/ai-principles.html. The figures vary because they are drawn from different datasets updated at different intervals.

The same Observatory documented a nine-fold increase in venture capital investment in generative AI startups between 2019 and 2024, per the OECD’s May 2024 press release. That growth data was central to the rationale for the 2024 Principles revision; the empirical and normative functions of OECD.AI are not separate.

The Observatory’s significance lies not in the count itself, but in what the data reveals: jurisdictions operating under the same OECD Principles have adopted substantially different regulatory approaches.

The AI Incidents and Hazards Monitor (AIM) is the empirical counterweight to the principles layer. AIM tracks real-world AI harms and hazards from the global press, supplying the evidence base that normative principles alone cannot generate. Governance frameworks built only on theoretical risk models carry a structural blind spot. AIM helps address that gap by grounding discussions of trustworthy AI in documented incident and hazard data.

The Catalogue of Tools and Metrics for Trustworthy AI maps practical implementation instruments to the trustworthiness properties defined in the Principles. Its value for AI governance architects is specific: it answers not just what a standard requires, but which techniques may support implementation and evidence-generation in practice.

The Hiroshima AI Process (HAIP) Reporting Framework, launched on 7 February 2025 at the AI Action Summit in Paris, provides a standardized voluntary structure for organizations developing advanced AI systems to disclose AI governance and AI risk management practices. It supports the G7 Hiroshima AI Process International Code of Conduct, initiated under Japan’s G7 Presidency in 2023 and developed further under Italy’s 2024 G7 Presidency.

In April 2025, the OECD published initial reports from 19 organisations, the first tangible output of the reporting mechanism. Version 2.0, available at transparency.oecd.ai, broadens participation beyond frontier developers to the wider deployment ecosystem. Many voluntary transparency frameworks follow a recognizable trajectory from early adoption toward industry normalization, procurement consideration, and, in some cases, regulatory expectation. HAIP remains in an early adoption phase, with its long-term role in procurement, assurance, and regulation still emerging.

OECD.AI’s institutional scope expanded further in July 2024, when the Global Partnership on Artificial Intelligence (GPAI) and OECD member countries joined forces under the GPAI brand at the New Delhi Summit, integrating 44 countries across six continents into a unified AI governance partnership anchored in the OECD AI Recommendation.

Are the OECD AI Principles Legally Binding? Flexibility as a Design Trade-Off

The OECD AI Principles are non-binding by design. That is the correct framing: a deliberate architectural choice for a consensus-based intergovernmental organisation (IGO), not a deficiency in the AI governance stack. The design that built a broad adherent coalition is the same design that avoids imposing direct implementation or enforcement obligations.

The OECD cannot enforce its Recommendations. Adherence is a political commitment. An enterprise operating in a jurisdiction that has signed onto the Principles has not thereby incurred a specific legal AI compliance obligation. That obligation flows from the downstream legislation the jurisdiction has enacted. As OECD.AI’s analysis of the 2024 update notes, non-binding status allows governments to adapt and tailor implementation to different national contexts at a manageable pace. The OECD AI Principles coordinate law-making; they do not substitute for it.

The AI Policy Observatory documents the consequence directly. The EU AI Act imposes mandatory requirements with enforcement powers and extraterritorial reach. The NIST AI RMF is voluntary and designed for self-assessment. National AI strategies across OECD adherents range from binding legislation to broad-aspiration frameworks with no enforcement mechanism. Shared values have not produced shared AI compliance obligations.

For enterprises operating across adherent jurisdictions, OECD alignment reduces definitional friction but does not resolve compliance burden. The practical requirements that organizations must satisfy remain dependent on the specific legal, regulatory, and sectoral frameworks that apply in each jurisdiction. An AI system consistent with OECD Principles in its design still faces country-specific AI risk management requirements, AI assurance obligations, conformity assessments, documentation requirements, and enforcement regimes that the Principles neither harmonize nor govern.

When a vendor represents its product as “OECD-aligned,” a rigorous evaluation starts with two questions: which version of the OECD AI system definition does that alignment reference, and which downstream regulatory instrument with legal weight in the relevant jurisdiction incorporates it? “OECD-aligned” is a claim about vocabulary orientation. It does not confirm EU AI Act compliance, NIST AI RMF implementation, or any specific risk control in any jurisdiction.

Researchers examining the AI governance influence chain have also noted that successive revisions to the OECD AI system definition in 2023 and 2024 introduced interpretive adjustments across framework versions. The 2026 arXiv analysis is useful here not as an endorsement of its thesis but as a caution: the precise definitional version a given regulatory instrument adopted is a material question for AI compliance analysis, particularly as downstream frameworks continue their own update cycles.

From OECD AI Principles to Production AI Governance

A shared definition and a shared evidence base are necessary preconditions for trustworthy AI at global scale. The OECD AI Principles and OECD.AI have built both, establishing the common vocabulary that makes international AI governance interoperability theoretically possible. The influence chain from the 2019 Recommendation through ISO/IEC 22989, the NIST AI RMF, and the EU AI Act is well documented in both standards and policy texts. That is a nontrivial achievement, and it is easy to take for granted once it exists.

Shared definitions and evidence bases sit upstream of where any individual AI system actually operates. The GPAI integration in July 2024 expanded OECD.AI’s institutional reach. The HAIP framework, now in Version 2.0, is moving voluntary transparency toward operational norms. These are meaningful developments in the right direction.

The OECD solved a coordination problem. It established a common foundation for AI governance frameworks, AI risk management approaches, and international AI policy coordination. The remaining challenge is operationalizing those shared principles consistently within real-world systems and organizational processes.

The open question is how principles become operational controls. A shared AI system definition can coordinate law-making, and a shared evidence base can improve governance, but neither determines how a specific AI system behaves in production. That translation happens through operational governance mechanisms, runtime controls, assurance processes, and organizational accountability structures. The next challenge is understanding how those shared principles are converted into enforceable controls inside real-world AI systems.

For organizations navigating the EU AI Act, NIST AI RMF, ISO/IEC 42001, and related AI compliance requirements, understanding this OECD foundation is increasingly essential.

Frequently Asked Questions

What are the OECD AI Principles?

The OECD AI Principles are the first intergovernmental standard on AI, adopted in May 2019 by 47 adherents. They comprise five values-based principles (inclusive growth, human rights, transparency, robustness, and accountability) and five recommendations to policymakers. Revised in May 2024 to address generative AI, their shared vocabulary and AI system definition are now embedded in the EU AI Act, the NIST AI RMF, and ISO/IEC standards.

Are the OECD AI Principles legally binding?

No. The Principles are non-binding by design, a deliberate architectural choice to achieve intergovernmental consensus across rival jurisdictions. Adherence is a political commitment. Legal obligations for enterprises flow from the downstream legislation each adherent jurisdiction has enacted, such as the EU AI Act’s mandatory requirements or sector-specific national rules, not from the Principles themselves.

How many countries have adopted the OECD AI Principles?

As of May 2024, 47 governments formally adhere to the OECD AI Principles, per the OECD’s May 2024 press release. The White and Case global regulatory tracker, updated April 2026, reports 49 adherents, reflecting different reporting intervals. The OECD.AI principles page continues to show 47 adherents as of June 2026.

How did the OECD AI Principles influence the EU AI Act?

The EU AI Act’s AI system definition in Article 3(1) was deliberately aligned with the OECD Recommendation, as stated in Recital 12 of Regulation (EU) 2024/1689. NIST AI 100-1 explicitly attributes its definition to the OECD Recommendation and ISO/IEC 22989:2022. The OECD formulation functioned as the upstream source for both frameworks, establishing the foundation for cross-border AI governance interoperability.

What is OECD.AI?

OECD.AI is the online platform that operationalizes the OECD AI Principles through four active tools: the Policy Navigator (tracking AI policy initiatives across 80+ jurisdictions), the AI Incidents and Hazards Monitor (AIM), the Catalogue of Tools and Metrics for Trustworthy AI, and the Hiroshima AI Process Reporting Framework. It serves as the shared evidence infrastructure underpinning global AI governance.

What is the Hiroshima AI Process Reporting Framework?

The HAIP Reporting Framework, launched on 7 February 2025 at the AI Action Summit in Paris, provides a standardized voluntary structure for organizations developing advanced AI systems to disclose their AI governance and risk management practices. The first cycle published reports from 19 organizations in April 2025. Version 2.0, available at transparency.oecd.ai, broadens participation to the wider deployment ecosystem.

Sources

1. OECD Recommendation on Artificial Intelligence (OECD-LEGAL-0449) . Organisation for Economic Co-operation and Development. https://legalinstruments.oecd.org/en/instruments/oecd-legal-0449. Accessed June 16, 2026.

2. OECD updates AI Principles to stay abreast of rapid technological developments (3 May 2024) . OECD. https://www.oecd.org/en/about/news/press-releases/2024/05/oecd-updates-ai-principles-to-stay-abreast-of-rapid-technological-developments.html. Accessed June 16, 2026.

3. AI Principles Overview . OECD.AI. https://oecd.ai/en/ai-principles. Accessed June 16, 2026.

4. Evolving with innovation: The 2024 OECD AI Principles update . OECD.AI. https://oecd.ai/en/wonk/evolving-with-innovation-the-2024-oecd-ai-principles-update. Accessed June 16, 2026.

5. AI Watch: Global regulatory tracker, OECD (updated April 2026). White and Case. https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker-oecd. Accessed June 16, 2026.

6. Artificial Intelligence Risk Management Framework (NIST AI 100-1) . National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf. Accessed June 16, 2026.

7. ISO/IEC 22989:2022 (Information technology: Artificial intelligence concepts and terminology). ISO. https://www.iso.org/standard/74296.html. Accessed June 16, 2026.

8. ISO/IEC 42001:2023 (Artificial Intelligence Management System). ISO. https://www.iso.org/standard/81230.html. Accessed June 16, 2026.

9. Regulation (EU) 2024/1689 (EU AI Act), Recital 12 . European Commission. https://ai-act-service-desk.ec.europa.eu/en/ai-act/recital-12. Accessed June 16, 2026.

10. Defining AI Models and AI Systems: A Framework to Resolve the Boundary Problem (arXiv:2603.10023) . arXiv / Cornell University. https://arxiv.org/html/2603.10023v1. Accessed June 16, 2026.

11. OECD.AI Policy Navigator . OECD.AI. https://oecd.ai/en/dashboards/policy-initiatives. Accessed June 16, 2026.

12. AI Principles . OECD (topics page). https://www.oecd.org/en/topics/ai-principles.html. Accessed June 16, 2026.

13. AI Incidents and Hazards Monitor (AIM) . OECD.AI. https://oecd.ai/en/incidents. Accessed June 16, 2026.

14. Catalogue of Tools and Metrics for Trustworthy AI . OECD.AI. https://oecd.ai/en/catalogue/overview. Accessed June 16, 2026.

15. A milestone in international AI transparency: The OECD publishes initial submissions from the G7 Hiroshima AI Process Reporting Framework (24 April 2025) . OECD.AI. https://oecd.ai/en/wonk/initial-submissions-g7-hiroshima-ai-process-reporting-framework. Accessed June 16, 2026.

16. Hiroshima AI Process Reporting Framework (Version 2.0) . OECD.AI / transparency.oecd.ai. https://transparency.oecd.ai/. Accessed June 16, 2026.

17. GPAI and OECD unite to advance coordinated international efforts for trustworthy AI (3 July 2024) . OECD. https://www.oecd.org/en/about/news/speech-statements/2024/07/GPAI-and-OECD-unite-to-advance-coordinated-international-efforts-for-trustworthy-AI.html. Accessed June 16, 2026.

18. AI Policy Observatory (National AI Strategies and Dashboards). OECD.AI. https://oecd.ai/en/dashboards/national. Accessed June 16, 2026.

This article was produced from the vantage point of OpenBox, which builds runtime AI governance infrastructure for enterprise deployments.



Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us

Trustworthy AI
Starts Here

By submitting your email, you agree to our Privacy Policy and consent to receiving updates from us