OpenAI publishes Frontier Governance Framework to map safety practices to EU and California law
The public document translates the company's internal Preparedness Framework into specific obligations under the EU AI Act's GPAI Code of Practice and California's Transparency in Frontier AI Act.
OpenAI on Wednesday published its Frontier Governance Framework, a public compliance document that maps the company’s internal safety practices onto two specific legal regimes: California’s Transparency in Frontier AI Act and the EU AI Act’s Code of Practice for General Purpose AI. The structural move is the news. OpenAI is splitting its safety apparatus into an internal layer and an external, legible layer designed to satisfy regulators on their own vocabulary.
The company says the older Preparedness Framework “remains the foundation” and continues to “go beyond current legal requirements,” while the new document “applies relevant parts of that approach into a public governance document focused on specific regulatory obligations.” Four risk domains are covered: cyber offense, CBRN, harmful manipulation, and loss of control. Model reporting, security risk management, incident response, external expert input, and framework-update procedures sit alongside them.
The timing isn’t coincidental. GPAI obligations under the EU AI Act became applicable on 2 August 2025, and transparency rules take effect in August 2026. Political agreement on the AI omnibus was reached on 7 May 2026, with a European Parliament plenary vote scheduled for 14–17 June that could reshape when high-risk obligations actually bite. A public framework written in regulator-legible language is what you publish when you’re trying to shape how those obligations get interpreted.
The Preparedness Framework update earlier introduced Capabilities Reports (formerly the Preparedness Scorecard) and Safeguards Reports, and disclosed that OpenAI “may adjust our requirements” if a rival ships a high-risk system without comparable safeguards. METR’s Frontier AI Safety Policies tracker now catalogues the document alongside policies from Anthropic, Google DeepMind, Microsoft and Meta.
CDT Europe reported in May 2026 that OpenAI is in discussions with EU officials to grant authorities access to a model capable of identifying software vulnerabilities, calling the posture a “stark contrast” to Anthropic’s. Compliance, in other words, is becoming a competitive surface.