Two things happened within 24 hours this week. The Illinois House passed SB 315, the first mandatory independent AI safety audit requirement in US state law, by a vote of 110-0, and OpenAI published what it calls the Frontier Governance Framework, a corporate document mapping its internal safety practices to two specific regulatory targets: California’s Transparency in Frontier AI Act and the EU AI Act’s GPAI Code of Practice.
Read those events separately and you get two news items. Read them together and you see a pattern that compliance professionals need to understand before the implementing regulations arrive.
The document and its limits
Start with what OpenAI’s framework is, and what it isn’t.
According to OpenAI’s publication, the framework maps the company’s existing Preparedness Framework to obligations under California’s and the EU’s emerging AI rules. OpenAI states the framework addresses four risk categories (cyber offense, CBRN threats, harmful manipulation, and loss of control) and formalizes processes for model reporting, security risk management, critical incident response, and external expert input. The Preparedness Framework itself is a real, publicly documented instrument. The specific contents of the Frontier Governance Framework are attributable only to OpenAI’s publication; the primary source URL was unavailable at time of production and the document hasn’t been independently audited.
That last point is the one to hold onto. The Frontier Governance Framework is self-regulated. OpenAI defines the scope, the standards, the measurement methodology, and the update cadence. No external body has verified it. The EU AI Act’s conformity assessment process and Illinois’s independent audit mandate both exist specifically because voluntary self-certification was deemed insufficient. OpenAI’s framework is a sophisticated version of exactly the instrument those laws were designed to replace.
And yet.
Why publishing first matters anyway
Voluntary frameworks shape mandatory rules. This isn’t speculation; it’s the documented pattern of how safety standards develop across regulated industries. The entity that publishes a detailed, structured compliance framework before the mandate exists becomes the reference point when legislators and rulemakers need to define what compliance looks like.
The EU AI Act’s GPAI Code of Practice is the most live example. The Code is being developed through a structured consultation process, with a June 23 deadline for high-risk classification feedback. Frontier AI developers, including OpenAI, are active participants in that process. A company that arrives at a Code consultation having already published a detailed governance framework is in a structurally different position than one that hasn’t. Its terminology, its risk categories, its process definitions are already on the table. Rulemakers reaching for a working definition will encounter OpenAI’s version before they encounter a blank page.
Illinois’s implementing regulations tell the same story from the state side. SB 315 passed with a mandate for annual independent audits but left the definition of “independent” and the audit methodology to implementing regulation. According to the bill as reported, both OpenAI and Anthropic supported the finalized legislation, a positioning choice that tells compliance teams something important. Labs that shape the statute also shape the implementing rules. Labs that oppose the statute are outside the room when those rules get written.
The audit infrastructure gap, and who it favors
The Computer & Communications Industry Association has argued that no standardized ecosystem currently exists for the mandated independent audits. That’s correct, and it’s a real implementation problem. But notice who benefits from that gap in the short term.
A lab with a detailed published governance framework can point to documented standards, processes, and risk categories while the independent audit methodology is being developed. A lab without one cannot. The gap in audit infrastructure doesn’t eliminate the compliance obligation; it creates a 12-to-18-month window in which companies with documented voluntary frameworks are better positioned to argue they’re making good-faith progress than companies that are starting from scratch.
January 1, 2028 is the Illinois deadline. The auditors who will certify compliance with that deadline don’t yet have a standardized methodology. When they develop one, the most likely reference points will be the frameworks that are already documented and publicly available. The compliance moat isn’t impenetrable, but it’s real, and it’s being dug right now.
Three regulatory targets, one strategic play
Map the current regulatory landscape OpenAI is navigating:
California’s Transparency in Frontier AI Act creates disclosure and documentation obligations for large frontier developers. The EU AI Act’s GPAI Code of Practice creates conformity obligations for general-purpose AI models deployed in the EU, with a consultation process actively soliciting industry input. Illinois’s SB 315 creates mandatory independent audit obligations for frontier developers above the revenue threshold, with implementing rules still to be written.
All three regulatory instruments have something in common: they require covered entities to document their safety practices, risk categories, and governance processes. OpenAI’s Frontier Governance Framework provides documentation across all three, in a single published instrument, before any of the three formally required it.
Opportunity
The window for influencing GPAI Code of Practice terminology closes June 23. Frontier AI developers without published governance frameworks are now in a reactive posture for the EU rulemaking process: whatever terminology enters the final Code will be the standard they're measured against, not the standard they helped define.
That’s not compliance. It’s positioning. The compliance comes later, with independent verification, conformity assessments, and third-party audits that the framework alone can’t substitute for. But it’s positioning that creates real advantages during the window when implementing rules are being written and auditors are developing their methodologies.
The Anthropic parallel
OpenAI isn’t alone in this pattern. The hub’s registry includes prior coverage of Anthropic’s RSP (Responsible Scaling Policy), which performs a similar function: a detailed, structured safety commitment published voluntarily ahead of mandatory requirements. Both companies reportedly supported Illinois SB 315. Both have published governance frameworks that their competitors haven’t. The pattern isn’t one company’s strategy. It’s an industry approach.
The real question is what it means for companies that haven’t published equivalent frameworks. If you’re a frontier AI developer subject to the $500 million revenue threshold and you don’t have a documented governance framework, the clock is now running on two tracks: the statutory deadline in January 2028, and the softer deadline of the implementing rulemaking process, during which the standards you’ll eventually be audited against are being defined without your input.
TJS synthesis
The window between voluntary publication and mandatory compliance is closing. The GPAI Code of Practice consultation closes June 23; that’s the most proximate moment where industry-defined terminology either enters the official record or doesn’t. After that, the EU’s definitions will become the reference point, and the question will shift from “what do you think the standard should be?” to “can you demonstrate compliance with the standard that was written?” Frontier labs without published frameworks are approaching that shift without the positioning advantage that OpenAI and Anthropic have already secured. That gap won’t close by waiting.