OECD AI Governance Framework | Anticipatory Policy 2025

Why Reactive AI Regulation Is No Longer Sufficient

The traditional approach to technology regulation—wait for problems to emerge, then respond with rules—has reached its limits in the age of artificial intelligence. As the OECD’s latest report on anticipatory governance makes clear, the rapid pace of AI development creates a fundamental mismatch between the speed of technological change and the traditionally slow pace of regulatory response.

This “pace-of-change problem” manifests in several critical ways. First, AI risk assessment frameworks become outdated before they’re fully implemented. Second, reactive regulation often addresses yesterday’s problems while today’s challenges multiply unchecked. Third, the cross-border nature of AI systems means that uncoordinated national responses create regulatory arbitrage and compliance complexity.

The solution, according to research from Stanford’s Human-Centered AI Institute and other leading institutions, lies in building governance mechanisms that are designed from the ground up for durability and adaptability. This means creating frameworks that can evolve with technology rather than constantly playing catch-up.

Consider the European Union’s AI Act, which took years to develop and negotiate. By the time it enters full force, many of its foundational assumptions about AI capabilities and risks may already be outdated. This isn’t a failure of the legislation itself, but rather an illustration of why governance approaches must become more anticipatory and agile.

The OECD Framework for Anticipatory Governance: Five Interdependent Elements

The OECD’s response to this challenge is a comprehensive framework built on five interdependent elements that work together as an integrated system for anticipatory governance. Unlike traditional regulatory approaches that focus primarily on rules and enforcement, this framework emphasizes continuous adaptation and multi-stakeholder engagement.

The five elements are: guiding values that provide foundational principles for AI development; strategic intelligence that combines real-time monitoring with foresight capabilities; stakeholder engagement that moves beyond consultation to true collaboration; agile regulation that uses tools like sandboxes and standards to adapt quickly; and international cooperation that ensures coherent global responses.

What makes this framework unique is its systematic approach to interconnection. Traditional governance often treats values, monitoring, engagement, regulation, and international coordination as separate activities. The OECD model recognizes that effective AI governance requires these elements to reinforce and inform each other continuously.

For example, strategic intelligence from incident monitoring feeds into stakeholder engagement processes, which in turn inform the development of agile regulatory responses that are coordinated internationally based on shared values. This creates a governance ecosystem that can respond to emerging challenges while maintaining consistency and legitimacy.

Embedding Guiding Values Into AI Systems From Design to Deployment

The foundation of the OECD framework rests on what has become the world’s first intergovernmental AI standard: the OECD AI Principles, first adopted in 2019 and updated in May 2024. These principles now have unprecedented global reach, with 42+ countries formally adopting them and major international organizations like the EU, Council of Europe, US government, and UN incorporating them into their own frameworks.

The principles operate on two levels. Five are values-based principles that apply to AI systems themselves: human-centered values and fairness, transparency and explainability, robustness and security, safety, and accountability. The other five provide specific recommendations for governments on how to create enabling environments for trustworthy AI.

What distinguishes the OECD approach is its practical implementation focus. The Catalogue of Tools & Metrics for Trustworthy AI provides concrete guidance for translating abstract principles into operational practices throughout the AI lifecycle. This bridges the gap between high-level values and day-to-day engineering and business decisions.

The update to version 2.0 in 2024 reflects lessons learned from five years of implementation. Key changes include clearer guidance on AI system definition and lifecycle, stronger emphasis on human oversight throughout deployment, and more specific requirements for impact assessment and risk management.

Perhaps most importantly, the principles have achieved something rare in international governance: they’ve become default infrastructure. When the EU developed its AI Act definition of AI systems, it used the OECD definition. When the US developed its executive order on AI, it referenced OECD principles. This normative convergence creates a foundation for interoperable governance approaches worldwide.

Strategic Intelligence: From Real-Time Monitoring to Foresight

The second pillar of anticipatory governance is strategic intelligence—the systematic collection and analysis of information to inform policy decisions. The OECD approach distinguishes between two complementary types of monitoring: real-time intelligence that tracks current developments and sentinel intelligence that watches for weak signals of future trends and risks.

The centerpiece of this effort is the OECD AI Incidents Monitor (AIM), launched in November 2023 at the Paris Peace Forum. AIM represents the first systematic, international effort to track AI incidents across sectors and geographies. Unlike previous incident tracking efforts that focused primarily on safety failures, AIM covers a broader range of incidents including bias, privacy violations, misuse, and governance failures.

The evolution of AIM illustrates the maturing of AI governance infrastructure. Initially focused on collecting reported incidents from news media and research publications, the system is expanding to include direct submissions from organizations, court rulings, and decisions by oversight bodies. This creates an increasingly comprehensive picture of how AI systems fail and what governance interventions prove effective.

Beyond incident monitoring, the OECD’s approach to strategic intelligence includes systematic foresight capabilities. The OECD.AI Expert Group on AI Futures combines multiple methodologies—literature review, expert discussion, public engagement, scenario planning, and horizon scanning—to identify potential future benefits and risks before they materialize.

Their work has already produced actionable intelligence: identification of 21 potential future benefits, 38 potential future risks, and 66 potential policy solutions. This forward-looking analysis enables policymakers to develop governance approaches that anticipate rather than merely react to technological developments.

Stakeholder Engagement: Moving From Information to Collaboration

Effective AI governance requires input from a broad range of stakeholders, but traditional consultation processes often fail to generate meaningful engagement or actionable insights. The OECD framework addresses this through a three-tier model that progresses from basic information sharing to genuine collaboration in governance processes.

The informative level focuses on transparency and public education through resources like blogs, data repositories, and research publications. The OECD.AI platform, with over 30,000 members on LinkedIn alone, demonstrates the scale of public interest in AI governance issues.

The consultative level involves structured processes for gathering stakeholder input on specific policy questions. This includes public consultations, expert workshops, and targeted engagement with specific communities affected by AI systems. The key innovation here is using AI itself as an engagement tool—platforms like Polis and Chatico enable large-scale, structured conversations that would be impossible through traditional consultation methods.

The collaborative level represents the most ambitious aspect of the framework: genuine partnership in governance processes. The ONE AI network brings together 400+ experts across government, business, academia, trade unions, and civil society to work directly on governance challenges. Seven specialized expert groups focus on areas like AI incidents, futures research, compute and climate impact, and health applications.

This collaborative approach proved its value in the OECD-GPAI merger completed in July 2024. Rather than simply absorbing GPAI as a subsidiary program, the OECD integrated its multi-stakeholder governance model throughout its AI work. This created new pathways for non-governmental actors to participate directly in international AI governance rather than merely commenting on it.

Agile Regulation in Practice: Regulatory Sandboxes for AI

Traditional regulation operates on the assumption that rules can be written in advance to cover foreseeable situations. AI governance requires more flexible approaches that can adapt to rapid technological change while maintaining essential protections. Regulatory sandboxes represent one of the most promising tools for achieving this balance.

A regulatory sandbox provides a controlled environment where companies can test AI systems with relaxed regulatory constraints for a limited time, typically around six months. The concept originated in fintech but has proven particularly valuable for AI governance because it allows regulators to learn about new technologies before writing definitive rules.

Norway’s AI sandbox, launched in autumn 2020 by the Data Protection Authority, focuses specifically on privacy and data protection issues in AI systems. Companies can test AI applications that might otherwise violate data protection rules, provided they implement appropriate safeguards and monitoring. The regulator gains real-world experience with emerging AI applications, while companies get clarity on compliance requirements and reduced regulatory uncertainty.

Spain’s AI sandbox takes a different approach, designed specifically to help companies understand and comply with the EU AI Act. The Spanish Data Protection Agency invites other EU member states to participate, creating a collaborative framework for implementing the AI Act’s requirements. This demonstrates how sandboxes can serve not just national regulatory goals but international coordination objectives.

Singapore’s generative AI sandbox, launched in October 2023 by the Infocomm Media Development Authority (IMDA), addresses one of the most rapidly evolving areas of AI technology. Companies can test generative AI applications in sectors like finance and healthcare where regulatory requirements are particularly stringent.

The benefits of sandboxes extend beyond regulatory clarity. Participating companies report reduced time to market, improved access to capital from investors who value regulatory engagement, and valuable feedback that improves their products. For regulators, sandboxes provide hands-on experience with emerging technologies that informs evidence-based rule-making.

Standards, Interoperability, and Risk Management Across Frameworks

One of the most significant developments in AI governance is the emerging convergence among different risk management frameworks. Despite being developed by different organizations using different terminology, leading frameworks like the NIST AI Risk Management Framework, ISO/IEC 23894, and IEEE 7000-21 share what the OECD calls “common DNA.”

This convergence occurs at the process level through what the OECD terms the “high-level AI risk-management interoperability framework.” All major frameworks follow roughly the same sequence: Define the AI system and its context, Assess risks and impacts, Treat risks through mitigation measures, and Govern the entire process through oversight and accountability mechanisms.

The main differences appear in the “Govern” function, where frameworks use different approaches to organizational accountability, stakeholder engagement, and ongoing monitoring. Resolving these differences represents the key opportunity for achieving full interoperability among AI governance frameworks globally.

For organizations implementing AI governance, this convergence offers both opportunities and challenges. The opportunity lies in the ability to develop governance approaches that satisfy multiple frameworks simultaneously. Companies operating across jurisdictions can design systems that meet NIST requirements in the US, ISO standards internationally, and IEEE guidelines for specific technical communities.

The challenge is that proliferating incompatible standards increase costs and complexity. The OECD advocates for harmonized standards development, particularly through the work of CEN-CENELEC in developing harmonized standards for the EU AI Act. These standards provide presumption of conformity with legal requirements, reducing compliance uncertainty.

Looking ahead, the OECD sees standards interoperability as a critical enabler of international AI governance cooperation. When different countries use compatible standards for risk assessment and management, it becomes much easier to develop mutual recognition agreements and coordinate enforcement efforts.

Responsible Business Conduct: Due Diligence Across the AI Value Chain

Traditional approaches to corporate responsibility in technology often focus primarily on the companies that develop and deploy AI systems. The OECD framework takes a much broader view, extending responsible business conduct (RBC) requirements throughout the entire AI value chain.

This comprehensive approach reflects the reality that AI systems involve many different types of organizations: content creators who generate training data, data curators who process and label it, hardware manufacturers who provide the computing infrastructure, investors who finance development, and downstream users who apply AI systems in sectors like healthcare, finance, and transportation.

The OECD’s Guidelines for Multinational Enterprises (MNE Guidelines) provide the framework for RBC in AI. Unlike corporate social responsibility (CSR), which is often voluntary and philanthropic, RBC involves mandatory due diligence processes that companies must implement to identify, prevent, and mitigate adverse impacts of their activities.

A concrete example of this approach in action is Norway’s Government Pension Fund Global, with USD 1.4 trillion in assets. In 2023, the fund announced specific RBC measures for AI companies in its portfolio, requiring them to address risks related to human rights, labor rights, environmental impacts, and business ethics throughout their operations and value chains.

For AI practitioners, RBC requires moving beyond technical considerations to address broader impact questions. This includes assessing how AI systems might affect different groups differently, ensuring meaningful human oversight throughout deployment, and establishing clear accountability mechanisms when systems cause harm.

The value chain perspective also creates new responsibilities for organizations that might not consider themselves “AI companies.” A hospital using AI for diagnostic support, a bank using AI for credit decisions, or a manufacturer using AI for quality control all have RBC obligations to ensure their AI use respects human rights and meets professional standards.

International Cooperation: Building a Coherent Global AI Governance Architecture

Perhaps the most complex challenge in AI governance is achieving effective international cooperation across different levels of governance: global, regional, and multilateral initiatives. The OECD framework emphasizes the need for coherent rather than simply coordinated approaches—meaning that different governance initiatives should reinforce rather than conflict with each other.

At the global level, the UN High-Level Advisory Body on AI (HLAB) brought together 39 experts to develop recommendations for international AI governance. Their final report, published in September 2024, builds explicitly on the OECD AI Principles while proposing new mechanisms for implementation and monitoring at the UN level.

Regional approaches like the EU AI Act and the African Union’s forthcoming AI strategy provide more detailed governance frameworks for specific jurisdictions. The key to coherence is ensuring these regional approaches remain compatible with global standards rather than creating conflicting requirements.

Multilateral initiatives represent a middle ground between global consensus-building and regional implementation. The G7 Hiroshima Process on AI, the 2023 Bletchley Declaration signed by 28 countries, and the emerging network of AI safety institutes all contribute to governance coordination among like-minded countries.

The OECD-GPAI merger in July 2024 represents a particularly significant development in this architecture. By combining OECD’s policy expertise with GPAI’s multi-stakeholder approach, the merged organization creates new possibilities for translating international principles into practical implementation guidance.

Looking forward, the UN-OECD partnership on AI risk assessments announced in late 2024 signals the potential for more systematic coordination between global normative work and technical implementation efforts. This could provide a model for how different levels of governance can reinforce each other rather than compete for attention and resources.

What Remains to Be Done: Gaps and Future Priorities

Despite significant progress, the OECD report identifies several critical gaps that must be addressed to fully implement anticipatory governance for AI. Understanding these limitations is essential for organizations developing their own AI governance approaches.

The first major gap is incomplete incident data. While the AI Incidents Monitor represents significant progress, many incidents go unreported, and there’s no systematic process for learning from near-misses or early warning signs. Improving incident reporting requires both better incentives for organizations to share information and stronger protection against punitive regulatory responses to good-faith reporting.

Second, the proliferation of standards and frameworks creates confusion and compliance burdens rather than clarity. While convergence is emerging at the process level, technical standards for specific AI applications remain fragmented. Organizations often face conflicting requirements from different standards bodies, leading to either over-compliance or strategic non-compliance.

Third, metrics for key AI governance concepts like explainability, transparency, and safety remain underdeveloped. Without reliable ways to measure these qualities, it’s difficult to verify compliance with governance requirements or compare the effectiveness of different approaches.

The fourth gap involves cross-field innovation in governance approaches. The report explicitly calls for applying lessons learned from AI governance to other emerging technologies like quantum computing and biotechnology, while also learning from governance approaches in those fields. This cross-pollination could accelerate the development of more effective anticipatory governance methods.

Finally, the most fundamental challenge remains translating governance frameworks into organizational capabilities. Many organizations struggle to move from policy commitments to operational implementation. This requires new types of expertise that combine technical understanding, governance knowledge, and change management skills.