OpenAI Releases Frontier Governance Framework to Align With New AI Laws

OpenAI published its Frontier Governance Framework on Friday, a public document mapping how the company's internal safety practices line up with two of the most consequential AI laws now in effect: California's Transparency in Frontier AI Act (SB 53) and the EU AI Act's Code of Practice for General-Purpose AI. The framework is OpenAI's first attempt to formalize, in regulator-readable language, what it does about frontier risk — and where it draws the lines.

The release lands at a sensitive moment. SB 53 took effect on January 1, 2026, and the EU Code of Practice obligations are tightening through this year. Both regimes apply most stringently to the handful of labs running models above defined compute and capability thresholds. OpenAI is, by any reading, one of them.

What's in the document

The Frontier Governance Framework is built on top of OpenAI's existing Preparedness Framework — the internal policy that defines tracked risk categories, evaluation thresholds, and mitigation triggers. The new document takes the parts of that internal process that map to specific regulatory obligations and publishes them in a structured form regulators can audit.

The framework covers four risk domains: cyber offense (the use of AI to plan or carry out cyberattacks), CBRN risks (chemical, biological, radiological, and nuclear weapons), harmful manipulation (large-scale persuasion and influence operations), and loss of control (scenarios where AI systems operate outside their intended bounds).

Around those risks, the document specifies how OpenAI handles risk assessment and mitigation, model reporting, security risk management, incident response, external expert input, and process updates. Each section is written to be readable by both technical and legal audiences.

Why this matters

The Frontier Governance Framework is doing two jobs at once. First, it's compliance documentation — the kind of structured disclosure California's SB 53 and the EU Code of Practice require from large frontier developers. Second, it's a positioning document: by publishing the framework, OpenAI is staking out its preferred reading of what counts as adequate frontier-AI governance.

That second job is where the political weight sits. SB 53 applies to companies with more than $500 million in annual revenue developing frontier models — which means OpenAI, Anthropic, Google DeepMind, Meta, and a few others. How OpenAI structures its public framework will influence how other labs structure theirs, and how regulators interpret what compliance looks like.

For enterprise customers, the framework is also a procurement signal. Major buyers — banks, defense contractors, healthcare systems — increasingly require vendors to document their AI safety practices. A published, regulator-aligned framework makes OpenAI easier to put through enterprise vendor review.

The regulatory backdrop

California Governor Gavin Newsom signed SB 53 on September 29, 2025, and it took effect January 1, 2026. The law requires large frontier developers to publish a safety and security protocol, report critical safety incidents, and submit transparency reports to the state's Office of Emergency Services. Crucially, SB 53 was a narrower, scaled-back version of SB 1047 — the more stringent California bill Newsom vetoed in 2024 after intense lobbying from AI labs, including OpenAI.

The EU AI Act's Code of Practice for General-Purpose AI is the parallel European obligation. It applies to providers of general-purpose AI models with systemic risk — the same handful of frontier labs — and requires structured documentation of evaluations, incident reporting, and supply-chain transparency.

The Frontier Governance Framework is OpenAI's attempt to comply with both regimes in a single coherent document, rather than maintaining separate California and EU disclosures.

Industry reaction

Reaction across the policy community was mixed. Several AI-governance researchers praised the framework's structured coverage of the four risk categories and noted that it goes further than what the letter of either SB 53 or the EU Code requires. Others pointed out that OpenAI has, in the past, lobbied to weaken both California's frontier-AI bills and the EU AI Act — making the company's voluntary documentation only as meaningful as its enforcement-time behavior.

OpenAI's own framing emphasizes alignment with emerging law rather than going beyond it. The company describes the framework as a way to make its existing Preparedness practices legible to regulators, not as a commitment to additional restrictions.

The "loss of control" risk category drew the most attention from safety researchers. It's the first time OpenAI has formally codified loss-of-control scenarios — situations where AI systems take actions outside their intended bounds — as a publicly disclosed tracked risk on par with CBRN and cyber.

What's next

The framework will be updated as both California's and the EU's implementation rules evolve. SB 53 requires updates on a fixed cadence; the EU Code of Practice runs on a separate review cycle. OpenAI says external expert input will feed into framework updates, but the document doesn't specify which external bodies or on what timeline.

Other labs are expected to publish parallel frameworks in the coming weeks. Anthropic already maintains a public Responsible Scaling Policy that covers similar ground; Google DeepMind has published its Frontier Safety Framework. Meta and xAI have been quieter, and the gap between their disclosures and OpenAI's may now become a flashpoint with regulators.

Bottom line

The Frontier Governance Framework is a real piece of public-facing safety documentation, and it's the kind of thing AI governance researchers have been asking for since 2023. It's also a political document, written to shape how SB 53 and the EU AI Act get enforced. Both things can be true. For enterprise buyers, the practical effect is immediate: OpenAI is now easier to procure against rigorous vendor-review checklists. For regulators, the framework gives them something concrete to audit against.