The OECD turns its AI Principles into a checklist: Due Diligence Guidance for Responsible AI
In February 2026 the OECD published Due Diligence Guidance for Responsible AI — not a new set of principles, but a six-step process that translates its 2024 AI Principles and its 2023 Guidelines for Multinational Enterprises into concrete due diligence across the AI value chain.
The OECD AI Principles have always had a peculiar fate: endlessly cited, rarely operationalised. They gave the world its first intergovernmental definition of an AI system — the one the AI Act borrowed — but they told an enterprise what to value, not how to act on it. In February 2026 the OECD closed that gap. Its Due Diligence Guidance for Responsible AI is not a new declaration of principle; it is a procedure. It takes the high-level commitments and turns them into the same six-step diligence loop the OECD already asks of companies on labour, the environment and human rights.
One procedure on top of two existing instruments
The guidance rests on two documents the OECD adopted earlier. The first is the Recommendation of the Council on AI — the "AI Principles" — revised in May 2024. The second is the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (the "MNE Guidelines"), updated in 2023, which already require enterprises to carry out risk-based due diligence on the adverse impacts of their activities, explicitly including those related to "science, technology and innovation". The new text borrows its skeleton from the OECD's 2018 Due Diligence Guidance for Responsible Business Conduct and aligns itself with the UN Guiding Principles on Business and Human Rights and the ILO Tripartite Declaration. It was approved and declassified by the OECD's Digital Policy Committee and Investment Committee on 26 January 2026 and published the following month.
Nothing here is binding. The MNE Guidelines and the related responsible business conduct (RBC) standards are, in the OECD's own words, "voluntary principles" — recommendations from governments to enterprises that "may go beyond what enterprises are legally required to comply with". That is the familiar posture of the international layer: the Council of Europe Convention binds states, the G7 Hiroshima Code is voluntary, and the OECD supplies the connective tissue between them.
The six steps
The procedure is a single, deliberately iterative loop:
- Embed responsible business conduct into policies and management systems.
- Identify and assess actual and potential adverse impacts.
- Cease, prevent and mitigate adverse impacts.
- Track the implementation and results of due diligence activities.
- Communicate how impacts are being addressed.
- Provide for or cooperate in remediation where appropriate.
The OECD stresses that the steps run simultaneously, not in sequence: diligence is "ongoing, proactive and reactive". The notable additions, relative to most AI risk-management frameworks, are at the ends of the loop — meaningful stakeholder engagement when assessing impacts, and remediation when harm has occurred. The OECD argues these are precisely the elements "less comprehensively addressed in existing frameworks".
Who owes what: three groups in the value chain
Rather than the AI Act's provider/deployer split, the guidance sorts enterprises by what they actually do, mapping the duty onto the whole "value chain":
- Group 1 — suppliers of AI inputs: the upstream segment, providing data, compute, hardware or annotation services.
- Group 2 — those who design, develop, deploy and operate AI systems: planning, building or adapting models, testing and validating them, deploying them (open-source distribution included) and monitoring them in use.
- Group 3 — users of AI systems: the downstream "real economy" — manufacturers, sellers and financial institutions that use AI in their operations and should weigh AI risks against the other risks they already manage.
The framework is risk-based and proportionate: it tells SMEs to focus on the most relevant risks within their capacity, and tells larger enterprises to help their smaller business relationships meet the same expectations.
The real contribution: an interoperability layer
The guidance is most useful not as another rulebook but as a map between the rulebooks that already exist. Each of the six steps opens with a "roadmap of related provisions in existing frameworks" — a cross-walk showing where the same expectation appears elsewhere. For the impact-assessment step alone, the table points to Article 9(2) of the EU AI Act (risk management) and Article 55(1) (systemic-risk GPAI), Article 34 of the EU Digital Services Act, Articles 8–9 of the EU Corporate Sustainability Due Diligence Directive, the Council of Europe's HUDERIA/COBRA method, the G7 Hiroshima Code of Conduct, ISO/IEC 42001 and ISO 31000 / ISO/IEC 23894, plus IEEE 7000 and the ASEAN, Australian and Canadian guides. The OECD is careful that this is "not an equivalency framework" — the scope of each instrument differs — but the intent is plain: a company that has implemented one serious framework can see, line by line, how far it already meets the others.
Why a voluntary instrument still bites
Two features stop this being a paper exercise. The first is the National Contact Points (NCPs) — the grievance mechanism unique to the MNE Guidelines. Every adhering government runs an NCP where a trade union, NGO or affected party can file a "specific instance" alleging that an enterprise has breached the Guidelines. An NCP is not a court and cannot fine, but it investigates, mediates and publishes — a reputational and quasi-accountability channel that now reaches explicitly to AI conduct. The guidance states it can inform NCPs "in promoting the MNE Guidelines and informing decisions related to accountability for alleged violations". The second is convergence: as the OECD positions this as "a common reference point for AI risk management frameworks across different jurisdictions", it becomes the vocabulary in which a multinational documents one diligence process and defends it everywhere at once.
For an organisation already building an AI Act risk-management system or an ISO/IEC 42001 management system, the practical reading is encouraging: the OECD has, in effect, certified that this work counts twice. The two genuinely new asks are to put stakeholders into the impact assessment and to have a remediation route ready before, not after, the first harm. This is the same non-binding layer where the UN's new Scientific Panel and the OECD Principles sit — the place where the next generation of binding rules quietly assembles its vocabulary.
Sources
- https://www.oecd.org/content/dam/oecd/en/publications/reports/2026/02/oecd-due-diligence-guidance-for-responsible-ai_7831bb49/41671712-en.pdf
OECD (2026), Due Diligence Guidance for Responsible AI — primary text; declassified 26 Jan 2026, published Feb 2026; the six-step RBC framework.
- https://www.oecd.org/en/publications/oecd-due-diligence-guidance-for-responsible-ai_41671712-en.html
OECD publication page; builds on the 2023 MNE Guidelines and the OECD AI Principles (revised 2024); voluntary RBC standards.
- https://oecd.ai/en/ai-principles
OECD AI Principles for trustworthy AI, revised 2024 — the reference instrument this guidance is designed to implement.