What is the OECD Due Diligence Guidance for Responsible AI?
AI regulation: concepts, institutions and standards
The OECD Due Diligence Guidance for Responsible AI is the OECD's 2026 practical guide for how organisations should identify, assess, prevent, mitigate, track, disclose and, where appropriate, help remedy harmful impacts linked to AI across the full value chain. It is not a treaty, a certification scheme or a stand-alone law. It is implementation guidance built on the OECD AI Principles and the OECD responsible business conduct framework for enterprises that build, supply, finance, sell or use AI.
What this means
In plain terms, the guidance tells businesses to treat AI as a responsible business conduct issue, not just a technical or product issue. It asks organisations to look at how AI can affect people, workers, communities, markets and the environment, then manage those risks through an ongoing due diligence process.
It is broad by design. It covers companies that supply data, compute, hardware, code or finance; companies that design, deploy and operate AI; and ordinary firms that buy or use AI in functions such as recruitment, customer service, fraud checks or workplace management.
Its practical value is that it turns high level OECD principles into a working method. It tells organisations what to document, when to involve stakeholders, how to deal with third party relationships, and when they may need to stop a practice, change a product, improve controls or cooperate in remedy.
Why it matters
AI risk rarely sits in one place. Training data, cloud infrastructure, model design, deployment choices, user prompts, reseller practices and downstream use can all create or amplify harm. Many organisations are not pure developers or pure users; they sit in several roles at once. The OECD guidance gives boards, founders, buyers and governance leads a common frame for managing that complexity.
It also matters because the global rulebook is getting denser. Domestic AI laws, privacy rules, labour standards, consumer protection, sector supervision and procurement controls increasingly expect evidence of risk management, transparency, incident handling and supplier discipline. The OECD approach helps create that evidence, and it adds two points that many technical frameworks handle less fully: meaningful stakeholder engagement and remediation.
How it works
Foundations in OECD standards
The 2026 guidance is built on three older parts of the OECD architecture. First, the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct set the broad expectation that enterprises should address adverse impacts linked to their operations, products, services and business relationships. Second, the 2018 OECD Due Diligence Guidance for Responsible Business Conduct turns that expectation into a six part due diligence method. Third, the OECD Recommendation on Artificial Intelligence, first adopted in 2019 and revised in 2024, provides the values based baseline for trustworthy AI and common terms such as "AI system" and "AI system lifecycle".
Institutionally, the project was jointly overseen by the Digital Policy Committee through the Working Party on AI Governance and by the Investment Committee through the Working Party on Responsible Business Conduct, drawing on the OECD.AI Expert Group on Risk and Accountability. As of June 2026, the OECD AI Principles have 47 adherents, including the European Union. Like other OECD recommendations, the underlying AI and responsible business conduct instruments are not statutes. They are political commitments that governments are expected to promote. The 2026 text itself operates as practical guidance for enterprises, not as a stand-alone licensing regime.
Whole value chain coverage
The guidance is expressly whole of value chain. It groups enterprises into three broad roles: suppliers of AI inputs; enterprises active in the AI system lifecycle; and users of AI systems in any sector. Suppliers include actors providing data, annotation, code, metrics, compute, cloud, hardware, logistics, administrative services and finance. Lifecycle actors include those planning, designing, building or adapting models, testing and validating them, deploying them, operating them and monitoring them after deployment. Users include businesses and other organisations that rely on AI in products, services or internal operations.
These groups are not rigid. A cloud provider may also train models. A business user may fine-tune and redeploy a model. A platform may be both distributor and operator. The point is to stop organisations from assuming that responsibility sits only with the model developer. The guidance is also clear that enterprises outside the technology sector still need to examine AI as part of their wider responsible business conduct work.
The due diligence cycle
The core mechanism is the familiar OECD six step cycle, applied to AI. Organisations should embed responsible business conduct in policies and management systems; identify and assess actual and potential adverse impacts; cease, prevent and mitigate impacts; track implementation and results; communicate how impacts are being addressed; and provide for or cooperate in remediation when appropriate.
OECD depicts these steps as simultaneous and iterative, not a linear checklist. In practice, that means an AI inventory, role and responsibility mapping, risk scoping, prioritisation, testing and validation, supplier controls, incident escalation, board reporting, public or stakeholder communication and grievance handling should all feed into each other over time. The process tends to generate governance evidence such as system registers, testing, evaluation, verification and validation records, impact assessments, stakeholder engagement notes, contract clauses, monitoring logs, incident reports and corrective action plans.
How risk, linkage and stakeholders change the analysis
The guidance does not ask every firm to do the same depth of review for every system. It uses a risk based approach. Organisations should first scope where the most significant harms are likely to arise, then prioritise by severity and likelihood. Where a firm has many business relationships or many AI uses, it may need triage and escalation so that higher risk uses receive deeper review.
Another key concept is linkage. The OECD distinguishes between impacts a company causes, impacts it contributes to, and impacts to which it is directly linked through a business relationship. That distinction matters. If a company causes harm, it is expected to stop or prevent it and help remedy it. If it contributes, it must stop that contribution, address remaining harm and often use leverage on others. If it is directly linked, the expectation centres on leverage, contract management and influence over the relationship causing the harm.
Stakeholder engagement runs through every step. The guidance places particular weight on workers, workers' representatives and trade unions, affected communities, people whose data is used, and people exposed to high risk or vulnerable uses. In AI, this is especially important because harms can emerge quickly, at scale and in places technical teams do not routinely see. SMEs are still expected to do due diligence, but proportionate to size, involvement and severity. The guidance encourages collaborative approaches where resources are limited.
Interoperability without equivalence
One of the guidance's most useful features is the roadmap at the start of each step showing related provisions in other frameworks. The OECD maps its due diligence steps to instruments such as the EU AI Act, the Digital Services Act, the Corporate Sustainability Due Diligence Directive, NIST's AI Risk Management Framework, ISO 31000, ISO/IEC 23894, ISO/IEC 42001, Singapore AI Verify and national guidance from several countries.
But the OECD is explicit that this roadmap is not an equivalency framework. It helps organisations cross reference expectations across regimes, but it does not mean one framework automatically satisfies another. That is why the guidance is helpful for governance design, but not a short cut to legal compliance.
This is also where the boundary with management system certification matters. ISO/IEC 42001 is an AI management system standard, and certification against it is voluntary and handled by independent certification bodies, not by ISO itself. The OECD guidance is different in kind. It asks whether the enterprise is identifying, preventing, mitigating, tracking, communicating and, where needed, helping remedy adverse impacts across its own activities and business relationships. A management system can support that work, but it does not replace it.
Evidence, leverage and remedy
The guidance expects organisations to create evidence that can support internal governance, procurement, assurance and audit. Examples include AI use registries, information provided by suppliers and sales partners, records of independent testing, incident monitoring, disclosures to users, and internal decision trails showing why a risk was accepted, mitigated, paused or escalated.
It also gives unusual weight to leverage over third parties. Enterprises are encouraged to build expectations into contracts, supplier terms, sales partner arrangements and "acceptable use" materials, and to use information sharing, incentives and senior escalation where direct control is limited. The guidance even highlights "control points" in AI value chains, such as semiconductor manufacturers, foundation models and very large online platforms, where focused due diligence may be especially efficient.
Finally, the framework does not stop at prevention. Where an enterprise has caused or contributed to actual harm, the guidance looks for access to remedy. It refers to company level complaint channels, independent panels, courts and state based non-judicial mechanisms, including OECD National Contact Points (NCPs). In 52 adherent countries, NCPs act as the implementation mechanism for the MNE Guidelines and can handle "specific instances" alleging non-observance.
Examples
The guidance uses a scenario in which a generative AI provider trains a model on publicly scraped material and private user data, fails to explain that practice clearly, and allows personal data to leak through model outputs. OECD treats this as the provider causing privacy harm. Under the framework, the company would be expected to stop or prevent the harmful practice, fix its controls, communicate appropriately and cooperate in remedy.
Another OECD scenario concerns a vendor that sells AI surveillance tools capable of analysing worker behaviour and sentiment. When a customer uses the tool for unlawful anti-union monitoring and dismissals, the guidance treats the vendor as contributing to the harm if the product was designed for likely abusive use without sufficient safeguards. That triggers duties to cease the contribution, redesign safeguards, use leverage over the customer and support remediation where fitting.
For ordinary business use, the guidance suggests a more everyday workflow. A firm using AI in recruitment, marketing, customer service or procurement should keep an inventory of AI uses, screen for higher risk cases, identify the developer and deployment relationships behind those tools, gather risk information from suppliers, engage workers when AI shapes operational decisions, test system quality where feasible and disclose when content or significant decisions are generated or informed by AI.
Common misunderstandings
It only applies to frontier model developers. It does not. The guidance also covers suppliers of data, compute, cloud, hardware and finance, plus downstream users in every sector.
It is the same thing as ISO/IEC 42001 certification. It is not. An AI management system can support due diligence, and a certificate may provide comfort on that management system, but the OECD guidance is a broader method for managing adverse impacts across operations and business relationships.
If the AI supplier says a tool is safe, the buyer's work is done. No. Users still need to understand their own use case, gather risk information, engage affected stakeholders where relevant, test where feasible and use contracts and leverage with third parties.
It only matters where a local law expressly names it. No. The guidance is voluntary, but it is designed to work alongside a growing mix of AI rules, due diligence laws, procurement controls, investor expectations and the OECD grievance system.
Remedy only matters after a court has found unlawful conduct. Not under this framework. Where a company has caused or contributed to actual harm, it should provide for or cooperate in remediation, and where harm is directly linked through third parties it should use leverage to help secure remedy.
Risks and boundaries
The guidance is not a global AI law, a treaty, a safe harbour or a licence to operate. There is no single commencement date or OECD penalty schedule attached to this 2026 text. Legal duties still come from domestic law, contract, sector rules, procurement terms, investor pressure and, in the OECD system, the wider MNE Guidelines and National Contact Point process.
It is also not a substitute for specialist legal analysis where higher risk uses are involved. A company may follow the OECD method and still need to meet separate duties under privacy, employment, consumer, discrimination, product safety, sector and national AI rules. The guidance itself says its cross references are not an equivalency framework. It also focuses on AI systems, not on every upstream hardware or raw material issue in the digital economy, because those topics are addressed through other OECD due diligence work.
A final boundary is practical rather than legal. Teams sometimes reduce due diligence to paperwork or a vendor questionnaire. That misses the point. The OECD model is about real governance of impacts, especially where harms travel through third parties, fast changing models, worker management, data practices or high leverage control points. As of 4 June 2026, the guidance has been published and is current, but its day to day effect still depends on how governments, buyers, boards and counterparties decide to use it.
What to do next
If you lead an organisation that builds, buys or governs AI, start by locating your role or roles in the value chain and naming an executive owner for AI due diligence. Then build one current register of AI systems, uses and key third parties; screen for the most significant risks; and decide where deeper review is required.
From there, tighten the basics: refresh AI and responsible business conduct policies, update procurement and sales terms, define what risk information suppliers must provide, create a path for workforce and user concerns to be raised, and make sure testing, monitoring and incident reporting feed into board level review. If you already run an AI management system or assurance programme, use it as evidence for due diligence, but do not mistake certification, audits or model tests for the full OECD process.
FAQs
Is the OECD Due Diligence Guidance for Responsible AI legally binding?
No. It is practical guidance built on OECD responsible business conduct and AI instruments. Its practical weight comes from government adoption, contracts, procurement, investor expectations, domestic law and, in some cases, OECD grievance processes.
Who does it apply to?
It applies across the AI value chain: suppliers of inputs such as data, compute, cloud, hardware and finance; enterprises that design, build, deploy or operate AI; and users of AI in any sector. A single organisation may sit in more than one role.
Is it only for large multinationals?
No. It is written for multinational enterprises, but the OECD framework expects SMEs to carry out due diligence too, in a way that is proportionate to their size, their involvement with the risk and the severity of possible harm.
How is it different from ISO/IEC 42001?
ISO/IEC 42001 defines an AI management system. Voluntary certification may confirm that a management system meets that standard. The OECD guidance is a due diligence method for managing adverse impacts across an enterprise's own activities and its business relationships.
What if we buy AI from third parties rather than build it?
You still have work to do. The guidance expects buyers and deployers to inventory uses, gather risk information from suppliers, look at higher risk applications, build leverage through contract terms and responsible use materials, and engage affected stakeholders where relevant.
Does following the guidance prove compliance with the EU AI Act or other laws?
No. The OECD says its roadmap is not an equivalency framework. The guidance can help organise governance and evidence across regimes, but legal duties still need to be checked against each applicable law and sector rule.
Can someone raise an OECD complaint about AI related conduct?
Potentially yes. In adherent countries, National Contact Points can receive "specific instances" alleging non-observance of the MNE Guidelines. They are non-judicial mechanisms and do not replace courts or regulators, but they can investigate, mediate and publish statements.
