The OECD AI Principles were the first intergovernmental standard for responsible AI when they were adopted in May 2019. The 2024 revision extended them from five to seven principles, adding explicit obligations on security and on information integrity. Today 47 countries have adopted the framework. It shapes national legislation across three continents and functions, in practice, as the voluntary international baseline that multinationals use to anchor their cross-border governance programmes. This guide explains what changed in 2024, what the seven principles require of operators, and how they connect to the binding law that governs AI deployment in the EU, the UK, and Singapore.
Key takeaways
- The 2024 revision extended the OECD AI Principles from five to seven, adding Principle 6 (security and integrity of AI systems) and Principle 7 (information integrity in AI-enabled environments). These two additions reflect concerns specific to generative AI that were not prominent when the original framework was adopted in 2019.
- 47 countries have adopted the Principles. They are non-binding, but they are explicitly referenced in the EU AI Act's explanatory materials, Canada's proposed AIDA, and Brazil's PL 2338, making them the closest thing to a global voluntary standard currently available.
- A business that fully complies with the EU AI Act will satisfy Principles 2 through 5, but Principles 6 and 7 extend beyond the current EU AI Act's explicit obligations. They map most directly onto the NIST AI 600-1 Generative AI Profile (July 2024).
- For global operators, a governance programme built around the seven OECD Principles will be recognised in most regulatory contexts and materially reduces the documentation burden of operating across multiple jurisdictions simultaneously.
The 2024 revision and what changed
The OECD AI Principles were adopted on 22 May 2019 as OECD/LEGAL/0449, "Recommendation of the Council on Artificial Intelligence." They were the first AI-specific standard adopted by an intergovernmental organisation and were developed with the participation of the G20. Their immediate influence was significant: the G20 AI Principles, adopted in June 2019, are a near-verbatim adaptation of the OECD framework. The original five principles covered inclusive growth and well-being, human-centred values and fairness, transparency and explainability, robustness and safety, and accountability.
The 2024 revision was the first substantive update to the framework since its adoption. The OECD's Working Party on AI Governance, which convened over an extended period to review the framework, concluded that two areas had developed significantly enough since 2019 to warrant new dedicated principles rather than incorporation into existing ones.
The first new area was the security of AI systems against deliberate adversarial manipulation. Since 2019, a substantial body of research had documented the ways in which AI systems can be attacked through adversarial inputs, prompt injection, training data poisoning, and model extraction. The original Principle 4 (robustness, security, and safety) addressed robustness in a general sense, but the 2024 revision treated the specific threat landscape for AI security as warranting a dedicated principle. The new Principle 6, security and integrity of AI systems, addresses the obligation of AI actors to understand and manage AI-specific security risks and to design systems that are resilient against adversarial manipulation across their lifecycle.
The second new area was the integrity of information in environments where AI is used to generate, modify, or distribute content. The proliferation of generative AI systems capable of producing realistic synthetic text, images, audio, and video had created risks of manipulation and deception that had no clear anchor in the original five principles. Transparency (Principle 3) addresses disclosure of AI use to affected individuals, but it does not directly address the systemic risk that AI-generated content degrades the information environment that individuals and institutions depend on. Principle 7, information integrity in AI-enabled environments, addresses this gap. It requires AI actors to take reasonable steps to ensure that AI systems do not generate or amplify content intended to deceive or manipulate, and to support the conditions for informed public discourse.
The OECD AI Policy Observatory at oecd.ai was established alongside the original framework and continues to track national implementation. OECD Digital Economy Paper No. 323 covers the Framework for Classification of AI Systems, which is referenced in the EU AI Act's explanatory materials and provides the classification logic underlying the Act's risk-based tiering.
The seven principles explained for operators
The seven principles operate at the level of values and objectives rather than specific procedural requirements. Understanding what each one demands in practice is a precondition for translating them into a governance programme.
Principle 1, inclusive growth, sustainable development and well-being, requires that AI actors consider the broader societal and economic effects of the systems they develop and deploy. For operators, this translates most directly into impact assessment: before deploying an AI system in a new market or use case, the operator should have a considered view of who benefits, who bears the risks, and whether the deployment contributes to or detracts from equitable economic participation. This principle is the least prescriptive of the seven and the most likely to be addressed through existing environmental, social, and governance frameworks rather than AI-specific procedures.
Principle 2, human-centred values and fairness, requires that AI systems respect human rights, democratic values, and the rule of law, and do not engage in unlawful discrimination. For operators, this means having procedures to identify and mitigate discriminatory outputs, particularly in consequential decisions affecting individuals. It intersects directly with data protection law and anti-discrimination regulation in all major jurisdictions. A documented bias assessment and mitigation process is the practical instrument this principle calls for.
Principle 3, transparency and explainability, requires that AI actors be transparent about AI capabilities and limitations and that AI outputs be explainable to affected parties to the extent practicable. For operators, this requires both disclosure (telling users that they are interacting with or being affected by an AI system) and explainability (being able to provide a meaningful account of how a consequential AI-assisted decision was reached). The degree of explainability the principle requires is qualified by what is technically feasible for the system type: the principle does not mandate full algorithmic transparency where that is technically impossible, but it does require that operators not use technical complexity as a reason to avoid accountability.
Principle 4, robustness, security, and safety, requires that AI systems operate reliably and safely throughout their lifecycle and that risks be identified, assessed, and mitigated. In combination with the new Principle 6, this principle covers the full range of technical governance obligations: performance monitoring, failure mode analysis, safety testing prior to deployment, and ongoing monitoring in production. For operators, the practical expression of this principle is a documented system lifecycle management process that includes pre-deployment testing, threshold-based monitoring, and defined escalation procedures.
Principle 5, accountability, requires that AI actors be accountable for the proper functioning of AI systems and that appropriate oversight mechanisms exist. For operators, this means having defined roles and responsibilities for AI governance, clear lines of accountability when systems cause harm, and documented processes for investigating and remediating AI-related incidents. This principle is the foundation of the AI governance structures that most compliance frameworks call for.
Principle 6, security and integrity of AI systems (added 2024), requires that AI actors understand and actively manage AI-specific security risks, including adversarial attacks, data poisoning, and model theft. For operators, this translates into security testing procedures that go beyond standard application security to address the specific vulnerabilities of AI systems: robustness testing against adversarial inputs, assessment of supply chain risks in pre-trained models and third-party components, and procedures for detecting and responding to security incidents that exploit AI-specific attack surfaces.
Principle 7, information integrity in AI-enabled environments (added 2024), requires that AI actors take reasonable measures to prevent AI systems from generating or amplifying false, misleading, or manipulated content at scale, and that they support transparency about AI-generated content. For operators deploying generative AI systems, this principle directly implicates output filtering, content authentication, and watermarking or labelling of AI-generated material. It also addresses the broader systemic obligation: operators whose systems contribute to the information environment bear some responsibility for that contribution.
How the Principles map to binding regulation
The OECD Principles are values-based; binding AI regulation is rules-based. The distinction matters for compliance planning. The Principles describe what good AI governance achieves; binding regulations specify what procedural steps operators must take to demonstrate compliance. A governance programme built around the Principles will generally provide the substantive foundation that binding compliance requirements are trying to produce, but it will not substitute for the specific procedural obligations those requirements impose.
The EU AI Act, in force since August 2024, is the most comprehensive binding AI regulation currently in effect. Its risk tiering applies to high-risk systems across fourteen categories and imposes mandatory technical documentation, conformity assessments, and registration obligations. An operator that fully complies with the EU AI Act will substantially satisfy OECD Principles 2 through 5. The Act's requirements for bias testing and non-discrimination address Principle 2; its transparency and logging obligations address Principle 3; its robustness and accuracy requirements address Principle 4; its accountability provisions and market surveillance rules address Principle 5.
Principles 6 and 7 go further than the current EU AI Act's explicit text. The Act requires that high-risk systems be accurate, robust, and cybersecure, which engages with Principle 6, but it does not yet impose the detailed adversarial security testing and supply chain security requirements that Principle 6's logic implies. Principle 7 finds its most direct regulatory expression outside the EU AI Act entirely. NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative AI Profile, published in July 2024, provides a detailed technical framework for managing the information integrity risks of generative AI outputs. Operators of generative AI systems with European market exposure should treat NIST AI 600-1 as the technical instrument that Principle 7 calls for, pending the development of equivalent EU guidance. For EU-specific implementation of Principles 2 through 5, the analysis at agentliability.eu provides a structured starting point.
In the United Kingdom, the AI Regulation White Paper published in March 2023 set out a principles-based, sector-led approach to AI governance. The five cross-sector principles it identified (safety, transparency, fairness, accountability, and contestability) align closely with OECD Principles 2 through 5. The UK government assigned responsibility for implementing these principles to existing sector regulators: the Information Commissioner's Office, the Financial Conduct Authority, the Competition and Markets Authority, Ofcom, and the Medicines and Healthcare products Regulatory Agency. The AI Safety Institute (AISI, now the AI Security Institute) was established to conduct evaluations of frontier AI models. For operators with UK exposure, compliance with sector-regulator AI guidance plus the general data protection framework covers the substantive ground of Principles 2 through 5. As in the EU, Principles 6 and 7 go beyond current UK statutory requirements, though the AISI's evaluation work increasingly addresses adversarial security and information integrity for frontier models.
In Singapore, the IMDA's Model AI Governance Framework, updated in its 2024 edition, aligns directly with the OECD Principles. Singapore's AI Verify testing framework maps specifically to Principles 3 and 4: its test suite covers explainability, robustness, and reliability. The IMDA's approach is deliberately compatible with international frameworks, including the OECD Principles, as part of Singapore's strategy for mutual recognition of AI governance certifications across trading partners. For operators active in Southeast Asia, Singapore's framework provides a well-documented implementation path for the OECD Principles that is supported by a publicly available testing tool.
Using the Principles as a cross-jurisdictional governance baseline
The most significant practical function of the OECD Principles for global operators is not their influence on any single jurisdiction's legislation but their function as a cross-jurisdictional baseline. A multinational organisation that deploys AI systems across multiple markets faces a documentation and governance coordination challenge: each jurisdiction has its own framework, vocabulary, and procedural requirements, and building separate compliance programmes for each generates considerable overhead.
The OECD Principles, precisely because they have been adopted by 47 countries and explicitly referenced in the legislative materials of major regulatory regimes, provide a shared vocabulary and a common substantive framework. A governance programme document that structures its analysis around the seven principles will be legible and credible to regulators and auditors in the EU, the UK, Singapore, Canada, Brazil, and most other markets where AI regulation is developing. It does not substitute for jurisdiction-specific compliance work, but it provides a shared foundation that reduces the duplication involved in that work.
The ISO 42001 AI Management System standard, published in 2023, operationalises the OECD Principles into a certifiable management system. It provides the procedural scaffolding that turns the Principles from values statements into auditable processes. Organisations that have implemented ISO 42001 have, in effect, built the governance infrastructure that the OECD Principles call for, in a form that an external auditor can verify. See the ISO 42001 global operators guide for a detailed analysis of how the standard relates to the Principles and what certification requires.
At the international treaty level, the Council of Europe Framework Convention on AI (CETS No. 225) elevates the OECD Principles' substantive commitments into legally binding international obligations for signatory states. The Convention entered into force in 2025. Its requirements for risk assessment, transparency, safeguards, and accountability translate OECD Principles 2 through 5 into treaty obligations that signatory governments must implement through domestic law. For operators, this means that the OECD Principles are increasingly backed by binding law across the Convention's signatory states. See the Council of Europe Framework Convention guide for a full analysis of the Convention's obligations and their relationship to the OECD framework.
What operators should do now
The first practical step is to map your current AI governance programme against all seven OECD Principles and identify where gaps exist. For most organisations that have been building compliance programmes focused on the EU AI Act, the most significant gaps will be in Principles 6 and 7. Principle 6 calls for AI-specific security testing that goes beyond standard application security, and Principle 7 calls for information integrity measures that are specific to generative AI systems. If your organisation uses generative AI in any customer-facing or public-domain context, an honest assessment against Principle 7 is a useful diagnostic for where additional controls are needed.
The second step is to document your AI system inventory and associated governance procedures in terms that reference the OECD Principles explicitly. This documentation serves multiple functions: it provides the cross-jurisdictional baseline referenced above; it provides a starting point for ISO 42001 implementation if your organisation chooses to pursue certification; and it provides a structured framework for regulatory inquiries, which in most jurisdictions will be structured around concepts that map to the Principles even if they do not reference them by name.
The third step is to establish a monitoring process for national implementation of the Principles. The OECD AI Policy Observatory at oecd.ai publishes detailed tracking of how each of the 47 adopting countries has translated the Principles into domestic policy and regulation. For operators in multiple markets, regular review of the Observatory's country profiles is a practical intelligence tool for anticipating regulatory developments before they become compliance obligations. The Observatory's data is free and publicly accessible.
The fourth step is to connect your OECD Principles governance baseline to your sector-specific compliance obligations. For financial services operators, the Basel Committee on Banking Supervision's AI guidance and sector regulator frameworks (OSFI in Canada, the FCA in the UK, the EBA in the EU) all translate the Principles' substantive content into sector-specific requirements. For healthcare operators, the equivalent instruments are in medical device and health technology regulation. A governance programme that maps from the OECD Principles down to sector-specific obligations provides a complete and well-structured compliance architecture that is defensible in any regulatory context.
Frequently asked questions
Are the OECD AI Principles legally binding?
No. The OECD AI Principles are a non-binding recommendation, adopted as OECD/LEGAL/0449. Member countries make a political commitment to implement them but are not subject to legal enforcement for failure to do so. Their significance lies in their influence on binding law: the EU AI Act, Canada's proposed AIDA, and Brazil's PL 2338 all reference them explicitly. For binding international treaty obligations, the relevant instrument is the Council of Europe Framework Convention on AI (CETS No. 225), which entered into force in 2025.
What did the 2024 revision add?
The 2024 revision added two new principles. Principle 6, security and integrity of AI systems, addresses the obligation to manage AI-specific security risks including adversarial attacks and data poisoning. Principle 7, information integrity in AI-enabled environments, addresses the risk that AI systems generate or amplify false or misleading content and the obligation to take reasonable measures to protect information integrity. Both additions reflect concerns that became prominent after the original 2019 adoption, particularly in the context of generative AI.
How do the Principles relate to the EU AI Act?
Full EU AI Act compliance substantially satisfies OECD Principles 2 through 5. The Act's bias and non-discrimination requirements address Principle 2; its transparency and logging obligations address Principle 3; its robustness and accuracy standards address Principle 4; its accountability and oversight provisions address Principle 5. Principles 6 and 7 extend beyond the current EU AI Act's explicit obligations. Principle 7 in particular maps more directly onto the NIST AI 600-1 Generative AI Profile (July 2024) than onto any current EU requirement.
How many countries have adopted the OECD AI Principles?
47 countries have adopted the Principles as of 2024, comprising all 38 OECD member states and nine non-member adherents. National implementation is tracked by the OECD AI Policy Observatory at oecd.ai, which catalogues domestic policies, laws, and voluntary frameworks that each country has introduced in response to the Principles. The breadth of adoption means that a governance programme structured around the seven Principles will be recognised as a credible baseline in virtually all markets where global operators currently deploy AI systems.
References
- OECD, Recommendation of the Council on Artificial Intelligence, OECD/LEGAL/0449, adopted 22 May 2019, revised 2024.
- G20 AI Principles, Ministerial Statement on Trade and Digital Economy, Osaka, June 2019.
- OECD AI Policy Observatory, oecd.ai, National AI Policies and Strategies tracker.
- OECD Digital Economy Papers No. 323, Framework for Classification of AI Systems, OECD Publishing, Paris.
- Regulation (EU) 2024/1689 of the European Parliament and of the Council on Artificial Intelligence (EU AI Act), in force 1 August 2024.
- NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative AI Profile, National Institute of Standards and Technology, July 2024.
- UK Department for Science, Innovation and Technology, A pro-innovation approach to AI regulation, White Paper, March 2023.
- IMDA and PDPC, Model AI Governance Framework, 2024 edition, Infocomm Media Development Authority, Singapore.
- Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, CETS No. 225, opened for signature 5 September 2024, entered into force 2025.
- ISO/IEC 42001:2023, Information technology, Artificial intelligence, Management system, International Organization for Standardization, December 2023.
- Canada, Bill C-27, Digital Charter Implementation Act 2022, Part 3, Artificial Intelligence and Data Act, introduced 16 June 2022 (lapsed January 2025).
- Brazil, PL 2338/2023, Lei Brasileira de Inteligencia Artificial, under consideration as of 2026.