The G7 Hiroshima AI Process Reporting Framework 2.0: voluntary transparency, now built for deployers

The voluntary side of AI governance rarely makes headlines, but it is where the largest model developers actually disclose how they manage risk. On 28 May 2026 the OECD launched version 2.0 of the Hiroshima AI Process (HAIP) Reporting Framework — the instrument the G7 uses to hold its own voluntary code of conduct to account. The launch took place in Paris, at a Tech7 event on the margins of the G7 Digital and Tech Ministerial Meeting under the French G7 Presidency.

From code of conduct to reporting

The lineage matters. During Japan's 2023 G7 Presidency the group agreed the Hiroshima Process International Code of Conduct for Organisations Developing Advanced AI Systems — a set of voluntary commitments on risk identification, transparency, security and content authentication. A code without reporting is an aspiration; the HAIP Reporting Framework, run by the OECD, is the mechanism that turns those commitments into comparable public disclosures. The OECD describes it as "the only international framework for organisations to report on their efforts to promote trustworthy AI." Reports are submitted on a rolling basis through oecd.ai and organisations are expected to update them annually.

What changed in 2.0

The first framework was built for frontier model developers. Version 2.0 broadens the base, and the change is structural rather than cosmetic:

• Role-based questions. The framework now distinguishes **model developers,

application developers and deployers**, so each answers only what is relevant to its place in the value chain. This is the same provider/deployer logic that runs through the EU AI Act, and it lowers the entry cost for organisations that build on or merely use AI rather than train it.

• A deliberate reach for SMEs. The OECD's stated aim is to broaden

participation "especially by small and medium-sized enterprises," the cohort that voluntary regimes usually leave behind.

• Connection to tooling. Reports now link to the **OECD.AI Catalogue of

Tools and Metrics for Trustworthy AI**, so a commitment can point to the method that backs it.

• Agentic AI. The questions now address **agentic AI and other emerging

capabilities** — the same frontier that NIST's COSAiS overlays single out for security controls.

More than 50 organisations have already pledged to report under the new framework. To be included in the next planned analytical review, organisations are encouraged to submit by 1 September 2026.

Where it sits in the landscape

The HAIP framework is voluntary and carries no penalty, which invites the same question as every soft-law instrument: why bother? The answer is that voluntary transparency has become a competitive and contractual signal. A frontier developer that files a HAIP report is making claims a counterparty can read against the OECD AI Principles and against its rivals' filings. For an organisation inside the EU the framework is not a substitute for AI Act obligations — those bind regardless — but it is increasingly the lingua franca in which non-EU suppliers describe their governance, much as the GPAI Code of Practice does within the Union. The significance of 2.0 is that it stops being a frontier-lab instrument and starts speaking to the deployers and SMEs who make up the bulk of the AI economy — exactly the audience that binding regimes reach last.