OpenAI Secures Enterprise AI Expansion with New Framework
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
A Governance Framework to Secure AI in Business
OpenAI has recently introduced its Frontier Governance Framework (FGF), a tool designed to help businesses deploy artificial intelligence securely and in compliance on a global scale. This framework addresses the growing demand for a sustainable and commercially viable AI architecture by providing a structured approach to assess and mitigate systemic risks.
The FGF aligns with key regulations, such as the EU General AI Act and California's Transparency in Frontier AI Act (TFAIA). It offers a practical model for structuring internal systems and deployment pipelines, ensuring that high-capacity machine learning models are deployed safely.
Threat Categorization and Risk Management
OpenAI's framework begins with a thorough understanding of defined threat categories. It identifies systemic risk as severe, foreseeable harm, including extreme scenarios such as incidents causing more than 50 deaths or $1 billion in property damage.
Although these scenarios are unlikely, their inclusion allows businesses to implement adequate protections. By defining these thresholds, companies can effectively allocate their resources for ongoing post-deployment monitoring and third-party audits, ensuring compliance throughout the application lifecycle.
Risk Assessments by Levels
OpenAI employs a tiered system to categorize threats in specific areas, such as cyberattacks and CBRN (chemical, biological, radiological, and nuclear) risks. For instance, a Level 3 model in cyberattacks could identify and develop zero-day exploits without human intervention.
In the CBRN category, a Level 3 model could enable an expert to create a threat vector comparable to a CDC class A biological agent or complete the synthesis cycle of a regulated biological threat.
Harmful Manipulation and Information Security
The framework also addresses the risks of harmful manipulation, such as electoral influence. OpenAI recommends system-level mitigations, such as post-deployment monitoring, rather than pre-deployment assessments.
For information security, OpenAI adheres to ISO 27001, 27017, 27018, and 27701 standards and conducts SOC 2 Type II assessments. Measures such as data encryption and multi-factor authentication are implemented to protect unpublished model weights.
Maintaining Compliance and Incident Response
OpenAI seeks external expert advice to test the protections of models approaching a new risk level. These experts provide independent opinions to ensure that deployments remain within acceptable risk thresholds.
Mitigation results are documented in a Security and Safety Model Report, updated every six months if necessary. OpenAI Ireland Limited is responsible for EU compliance, while OpenAI OpCo LLC manages obligations in the United States under the TFAIA.
Model Integration and Information Security
OpenAI aligns its internal security with ISO 27001, 27017, 27018, and 27701 standards, as well as SOC 2 Type II assessments. To protect unpublished model weights, the company employs data encryption both at rest and in transit, multi-factor authentication, and strict multi-party approval protocols. Internal staff undergo regular training, and model execution occurs in an isolated environment with restricted output by default.
When companies replicate this setup, they establish a secure foundation for their internal operations.
Maintaining Ecosystem Compliance and Incident Response
To maintain accurate risk baselines, OpenAI seeks the advice of external experts and independent third-party evaluators. These external experts assist in testing protections for models approaching a new risk level and provide independent opinions to the internal advisory group on security.
CDOs within companies can also benefit from external audit contracts to independently verify that their localized model deployments remain within acceptable risk thresholds.
OpenAI documents its mitigation results in a Security and Safety Model Report. Under the provisions of the EU AI Act, the company commits to assessing whether it needs to update these reports for its highest-performing models every six months.
Report updates are deemed necessary if a model's capabilities change materially after training or if integrations into internal systems increase risk. The responsibility for EU compliance lies with OpenAI Ireland Limited, while OpenAI OpCo LLC manages obligations under the TFAIA in the United States.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.