Principios de IA de la OCDE

Why the OECD Principles matter more than they look The OECD AI Principles are routinely described as "non-binding" and "high-level". Both descriptions are technically correct and obscure why the instrument is structurally important. The Principles are the document from which…

Resumen ejecutivo

Why the OECD Principles matter more than they look

The OECD AI Principles are routinely described as «non-binding» and «high-level». Both descriptions are technically correct and obscure why the instrument is structurally important. The Principles are the document from which most other AI governance frameworks inherit their vocabulary.

The dominant narrative treats the Principles as ethical guidance: aspirational, useful for policy speeches, but operationally secondary to instruments like the EU AI Act or the NIST RMF. That framing misses the connective role the document plays. The OECD definition of an AI system is the definition used in the EU AI Act, in NIST publications, in the Council of Europe AI Convention, and in the legislative work of multiple national governments. The OECD lifecycle definition appears in the same instruments. The five values-based principles provide the categorical structure that national frameworks then operationalise into binding rules.

What the OECD Principles do, then, is not regulate AI. They define the conceptual perimeter within which AI is regulated, in a way that allows different jurisdictions to remain interoperable as they develop their own binding instruments. That role is invisible in any single national regulation because each national regulation reads as self-contained. It becomes visible only when one steps back and asks why disparate frameworks share the same definitions, the same risk language, the same accountability structure. The answer, in most cases, is that the OECD got there first and its definitions stuck.

The May 2024 update extended this connective role to the generative and general-purpose AI era. The original 2019 text was written before ChatGPT and before agentic AI became operational concerns. The 2024 revisions added explicit treatment of information integrity, mis- and disinformation amplified by AI, intellectual property risks in training and output, environmental sustainability of AI systems, and safety mechanisms that allow AI systems to be overridden, repaired, or safely decommissioned when they exhibit undesired behaviour. These additions kept the Principles current with the technology and preserved their function as the shared conceptual baseline.

Subjective and material scope

Who it addresses. The Principles speak to two distinct audiences with different obligations.

The values-based principles address AI actors — the broad category that includes anyone playing an active role in the AI system lifecycle: developers, deployers, operators, users with material decision authority over the system. The Principles describe the responsibilities that flow from that role: respect for human-centred values and rule of law, transparency and explainability appropriate to the context, robustness and safety, and accountability for the system’s behaviour.

The five recommendations address national governments and policymakers. The Principles set out what governments should do to enable trustworthy AI: invest in AI research and development, foster an inclusive AI-enabling ecosystem, shape an enabling and interoperable policy environment, build human capacity and prepare for labour market transformation, and cooperate internationally for trustworthy AI.

The distinction matters because adherent governments do not implement the Principles by enacting them as law. They implement them by translating them into national policy that reflects the Principles’ structure. The European Union has implemented them most visibly through the AI Act. Japan, Canada, the United Kingdom, and the United States have implemented them through varied combinations of legislation, executive orders, sectoral regulation, and voluntary codes of practice. The G20 has endorsed AI Principles drawn directly from the OECD framework, which extends the Principles’ reach to major economies outside OECD membership including China, India, Indonesia, Saudi Arabia, and South Africa.

What it covers. The Principles cover the AI system lifecycle in its entirety, not specific use cases or sectors. They are technology-agnostic and use-case agnostic by design. The values address how AI should be developed and used; the recommendations address what national policy should support. Specific application to sectors, use cases, and risk categories is left to national implementation.

The five values-based principles

1.1 Inclusive growth, sustainable development and well-being. AI should benefit people and the planet by contributing to inclusive economic growth, sustainable development, social and environmental well-being. The 2024 update gave additional weight to the environmental sustainability dimension, reflecting growing concern about AI’s energy and resource footprint.

1.2 Respect for the rule of law, human rights and democratic values, including fairness and privacy. AI systems should respect rule of law, human rights, democratic values, fairness, privacy, non-discrimination, freedom from bias, and the protection of internationally recognised labour rights. The 2024 update added an explicit reference to addressing mis- and disinformation amplified by AI while respecting freedom of expression — a direct response to the generative AI threat surface.

1.3 Transparency and explainability. AI actors should commit to transparency and responsible disclosure regarding AI systems. People should be informed when they are interacting with an AI system, should be able to understand AI-generated outputs that affect them, and should be able to challenge those outputs. The 2024 update explicitly added the right to challenge, sharpening what had been a more passive right to understand.

1.4 Robustness, security and safety. AI systems should function appropriately and safely throughout their lifecycle, with risks continually assessed and managed. The 2024 update added explicit reference to mechanisms that bolster information integrity. It also added the requirement that mechanisms exist to override, repair, and safely decommission AI systems that exhibit undesired behaviour or risk causing undue harm — the most operational addition in the update.

1.5 Accountability. AI actors should be accountable for the proper functioning of AI systems and for respect of the principles, based on their roles, the context, and consistent with the state of the art. The 2024 update emphasised systematic risk management approaches across the lifecycle and cooperation between AI actors, suppliers, users, and other stakeholders. Risk-related provisions were consolidated under accountability.

The five recommendations to policymakers

2.1 Investing in AI research and development. Governments should support long-term public and private investment in AI R&D, including basic and applied research, with attention to socially beneficial uses, ethical considerations, and challenges associated with reliability, robustness, and safety.

2.2 Fostering a digital ecosystem for AI. Governments should foster the development of, and access to, a digital ecosystem that supports trustworthy AI, including data, digital infrastructure, technologies, and mechanisms to share data and knowledge.

2.3 Shaping an enabling policy environment for AI. Governments should review and adapt their policy and regulatory frameworks to encourage innovation while safeguarding human rights and democratic values. Frameworks should be flexible, risk-based, and interoperable across borders — a structural argument against regulatory fragmentation.

2.4 Building human capacity and preparing for labour market transformation. Governments should empower people with AI skills, support workers through transitions, and ensure fair distribution of AI benefits across populations.

2.5 International co-operation for trustworthy AI. Governments should cooperate across borders to advance trustworthy AI, including through global and regional fora, multi-stakeholder initiatives, consensus-driven technical standards, and internationally comparable indicators.

The 2024 update in operational terms

The May 2024 update was the first major revision since adoption in 2019. It introduced new provisions, amended existing ones, and relocated risk-related provisions for clarity. The most operationally significant changes are:

  • Information integrity. Explicit treatment of mis- and disinformation amplified by AI, with safeguards required while respecting freedom of expression. This brings synthetic content, deepfakes, and AI-driven manipulation into the scope of the Principles.
  • Override, repair, decommission. Explicit requirement that mechanisms exist to override, repair, and safely decommission AI systems exhibiting undesired behaviour. This is the strongest operational language in the document.
  • Right to challenge AI outputs. Sharpened from the right to understand to the right to challenge, with implications for redress mechanisms in national implementation.
  • Environmental sustainability. Explicit recognition of AI’s environmental footprint as a dimension of sustainable development.
  • Intellectual property. Explicit reference to IP risks across training data, model outputs, and use, reflecting the unresolved IP questions raised by generative AI.
  • Lifecycle cooperation. Risk management responsibilities extend across the lifecycle and require cooperation between actors — model developers, deployers, knowledge suppliers, users — a structural recognition that AI risk cannot be managed by any single actor in isolation.

The update was unanimous among the 47 adherents at the time of adoption. It now serves as the baseline against which national AI frameworks are measured for OECD interoperability.

Governance and review cycle

The Principles are governed by the OECD Council, supported by the OECD Digital Policy Committee which is responsible for monitoring implementation, and by the OECD.AI Network of Experts which provides technical input. The OECD AI Policy Observatory tracks national policy initiatives across adherent jurisdictions and produces public reporting that allows comparison across implementations.

The Principles are reviewed every five years. The first review concluded in 2024 and produced the update described above. The next formal review is expected around 2029. Between formal reviews, the OECD.AI ecosystem produces interpretive guidance, indicator work, and dialogue forums that shape how the Principles are operationalised in practice.

The OECD has a Category A Liaison with ISO/IEC JTC 1/SC 42, the joint technical committee responsible for ISO/IEC 42001, ISO/IEC 23894, and the broader AI standards portfolio. This liaison ensures alignment between the OECD Principles and the international technical standards that operationalise AI governance, and it is one of the mechanisms by which the OECD definition of an AI system has propagated across international standards work.

Intersections with binding instruments

The OECD Principles do not impose obligations on AI actors directly. Their operational weight comes from the binding instruments that implement them.

EU AI Act. Uses the OECD definition of an AI system. The risk-based framework structurally reflects the OECD recommendation that policy frameworks be flexible, risk-based, and interoperable. Many of the AI Act’s substantive obligations — transparency, robustness, human oversight, accountability — trace conceptually to the OECD values.

Council of Europe Framework Convention on AI. The first international legally binding treaty on AI. Adopted in 2024 and signed by multiple states including the United States, the United Kingdom, and the European Union. Uses OECD-aligned definitions and reflects the OECD principles in legally binding form for signatories.

NIST AI Risk Management Framework. Operationalises the OECD definition of an AI system and aligns its trustworthiness characteristics with the OECD values-based principles. NIST publications cite the OECD work explicitly.

ISO/IEC 42001 and ISO/IEC 23894. Both standards reflect the OECD conceptual baseline through the ISO/IEC JTC 1/SC 42 liaison. The risk-based methodology and the values that the standards operationalise share substantial conceptual ground with the OECD Principles.

National frameworks. Japan’s AI Guidelines for Business, the United Kingdom’s AI Regulation white paper and pro-innovation approach, Canada’s Directive on Automated Decision-Making and AIDA, and various United States executive orders and sectoral guidance all reference or align with the OECD Principles to maintain interoperability with the international baseline.

G7 and G20 declarations. The G7 Hiroshima Process and the G20 Osaka declaration build on the OECD framework. The Hiroshima International Code of Conduct for Organisations Developing Advanced AI Systems is conceptually a more operational extension of the OECD Principles for frontier AI development.

The practical implication is that an organisation operating under the OECD Principles is not operating under a separate compliance regime. It is operating under the conceptual baseline that most binding regimes share. Compliance with the binding regime in any specific jurisdiction will, by construction, satisfy most of what the Principles demand.

## ⚖️ How Zertia operates within the OECD AI Principles

Built around OECD AI Principles from day one

Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory

Zertia is an ANAB-accredited AI management system certification body. The OECD AI Principles do not produce direct certification engagements because the instrument is non-binding, but they shape how we structure conformity assessment work across multiple frameworks.

Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Where clients operate across multiple jurisdictions and need coherent conformity positioning, the OECD Principles provide the conceptual scaffolding that makes multi-framework alignment possible. Our regulatory frameworks team uses OECD-aligned definitions to ensure that EU AI Act documentation, NIST attestations, and ISO risk assessments share consistent conceptual language across deliverables.

Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. Through ISO/IEC JTC 1/SC 42’s liaison with the OECD, certification under ISO/IEC 42001 reflects the OECD conceptual baseline. AIUC-1 operationalises principles articulated by the OECD into agent-specific testable controls.

Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent technical review structured around OECD-aligned definitions of AI system and lifecycle, ensuring audit findings are comparable across frameworks.

Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes ground their conceptual framework in the OECD definitions and values, then map to specific national and sectoral frameworks for operational application.

Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS (United Kingdom) and ENAC (Spain/EU). Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.

🎯 Take action

🔍 Diagnose your gap 📊 Operationalise the principles
Pre-Certification Assessment → ISO/IEC 42001 Certification →
Map your AI governance against the OECD AI Principles and the operational frameworks (ISO/IEC 42001, NIST AI RMF) that operationalise them. Accredited certification of the AI management system that operationalises OECD principles into auditable practice. International recognition through the IAF MLA.

Discuss multi-framework conformity positioning →

Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.

¿No estás seguro de si este marco aplica a tu organización? Hablemos.