Deep Dive (advanced)

The OECD AI Due Diligence Framework: A Compliance Team's Guide

Mapping the OECD's six-step framework to practical compliance programme design in the age of AI governance.


1. The OECD's Six-Step Due Diligence Framework

The OECD Due Diligence Guidance for Responsible Business Conduct (2018), which operationalises the due diligence expectations of the OECD Guidelines for Multinational Enterprises, sets out a six-step framework that has become the international baseline for corporate responsibility. Originally focused on human rights and environmental impacts, it is increasingly being applied to AI governance, and for good reason.

The six steps provide a comprehensive, process-oriented approach to identifying and managing risks that translates naturally to the challenges of AI deployment in enterprise contexts:

  • Step 1: Embed responsible business conduct into policies and management systems — Establish governance structures, assign accountability, and integrate AI risk management into existing compliance frameworks
  • Step 2: Identify and assess adverse impacts — Systematically evaluate how AI systems might cause or contribute to harm, including through inaccuracy, bias, lack of transparency, or privacy violation
  • Step 3: Cease, prevent, or mitigate adverse impacts — Implement technical and procedural controls to address identified risks, including human oversight mechanisms and quality assurance processes
  • Step 4: Track implementation and results — Monitor AI system performance against defined standards, document outcomes, and maintain audit trails
  • Step 5: Communicate how impacts are addressed — Provide meaningful transparency to stakeholders about how AI is used, what safeguards are in place, and what outcomes are being achieved
  • Step 6: Provide for or cooperate in remediation — Establish processes for addressing harms when they occur, including correction mechanisms and accountability structures

The EU AI Act does not adopt this six-step framework as such: what it takes from the OECD is the definition of an AI system (aligned with the OECD's 2023 revision) and the OECD AI Principles it cites as context. The due diligence steps nonetheless map closely onto the Act's obligations for high-risk systems (risk management, human oversight, logging, transparency, post-market monitoring and corrective action), and regulators elsewhere reference the same process logic when describing responsible AI governance.

Key Takeaway

The OECD's six-step framework (embed, identify, mitigate, track, communicate, remediate) is becoming the shared process vocabulary for AI governance; the EU AI Act borrows the OECD's definition of an AI system rather than the framework itself, but its high-risk obligations follow the same logic.

2. Mapping to Existing Compliance Programmes

The practical challenge for compliance teams is not understanding the OECD framework in theory — it's integrating it with existing compliance programme structures without creating a parallel governance universe. Organisations already managing BSA/AML, sanctions, anti-corruption, and data privacy compliance cannot afford to build entirely separate AI governance frameworks.

The good news is that the OECD framework maps naturally to existing compliance programme elements. The discipline of risk assessment, policy documentation, monitoring, and reporting that compliance teams already practice provides a robust foundation for AI governance:

  • Risk assessment alignment: Step 2 (identify adverse impacts) parallels the enterprise-wide risk assessments already required by AML and sanctions programmes; AI risk can be integrated as an additional risk category
  • Policy integration: Step 1 (embed into policies) maps to existing compliance policy hierarchies; AI-specific requirements can be added to existing policy documents rather than creating standalone AI policies that nobody reads
  • Control framework: Step 3 (cease, prevent, mitigate) corresponds to the existing control library; human review thresholds, model validation and change control for AI systems sit alongside the controls already documented for other risks
  • Monitoring frameworks: Step 4 (track implementation) aligns with existing transaction monitoring and quality assurance programmes; AI system monitoring can leverage existing reporting infrastructure
  • Board and stakeholder reporting: Step 5 (communicate) is about telling affected stakeholders how impacts are handled; internally it connects to existing board-level compliance reporting, where AI governance metrics can join the quarterly compliance dashboard
  • Complaints and redress: Step 6 (remediate) maps to existing complaints-handling and customer redress processes, extended so that a decision influenced by an AI system can be challenged, reviewed by a human and corrected

The organisations that will manage AI governance most effectively are those that treat it as an extension of mature compliance programme management, not as an entirely new discipline requiring entirely new infrastructure.

Key Takeaway

AI governance maps naturally to existing compliance programme elements — integrate it as an extension of mature risk management rather than building parallel governance infrastructure.

3. AI Governance Requirements: What Regulators Expect

Regulatory expectations around AI governance are crystallising rapidly. No single global standard exists, but a clear consensus is emerging across the EU AI Act, the NIST AI Risk Management Framework, the UK's 2023 white paper on a pro-innovation approach to AI regulation, and sector-specific guidance from financial regulators.

The core requirements that compliance teams should prepare for, regardless of jurisdiction, include:

  • AI system inventory: Organisations must know what AI systems they use, what they do, and where they are deployed. The EU AI Act requires high-risk systems to be registered in an EU database, and supervisors increasingly expect a documented inventory of AI applications whether or not a registration duty applies
  • Risk classification: AI applications must be assessed against risk frameworks, with higher-risk applications (those affecting legal rights, financial access, or safety) subject to more rigorous governance
  • Human oversight: High-risk AI systems must include meaningful human oversight (EU AI Act Article 14), not rubber-stamp review but genuine human decision-making authority at critical junctures; the tell-tale sign of nominal oversight is a reviewer who never departs from the system's output
  • Transparency and explainability: Stakeholders affected by AI decisions must be informed that AI was used and, where feasible, how the system reached its output
  • Bias and fairness testing: AI systems must be evaluated for discriminatory outcomes, with documented testing methodologies and results

Financial regulators are moving particularly quickly. The US banking agencies (Fed, OCC and FDIC, together with the CFPB and NCUA) issued a joint request for information on the use of AI by financial institutions in 2021, and the Fed and OCC's model risk management guidance (SR 11-7 / OCC Bulletin 2011-12) already applies to AI models. The SEC proposed rules in 2023 on conflicts of interest arising from predictive data analytics at broker-dealers and investment advisers. The FCA, with the Bank of England and PRA, has published discussion papers on AI governance expectations. The direction of travel is clear: regulated entities will be expected to demonstrate that their AI governance meets a standard comparable to their existing compliance programme maturity.

Key Takeaway

Financial regulators expect AI governance maturity comparable to existing compliance programmes — including AI inventories, risk classification, human oversight, and bias testing.

4. Practical Implementation: From Framework to Programme

Translating the OECD framework and regulatory expectations into an operational AI governance programme requires concrete steps. Compliance teams should resist the temptation to build comprehensive, multi-year programmes and instead focus on establishing foundational elements that can be iterated and expanded.

A practical implementation roadmap for compliance teams:

  • Phase 1 — Inventory and assessment (1-3 months): Document all AI systems in use, classify them by risk level, and identify governance gaps against the OECD framework
  • Phase 2 — Policy and governance (2-4 months): Update compliance policies to address AI risks, establish an AI governance committee or integrate AI oversight into existing risk committees, and define approval processes for new AI deployments
  • Phase 3 — Monitoring and testing (ongoing): Implement monitoring frameworks for AI system performance, establish testing protocols for accuracy, bias, and reliability, and build reporting dashboards for board and regulatory visibility
  • Phase 4 — Remediation and improvement (ongoing): Create incident response procedures for AI failures, establish feedback loops between monitoring results and governance decisions, and continuously improve based on operational experience
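Phases 3 and 4 of the roadmap, and the audit trails Step 4 of the OECD framework calls for, are only examinable if the trail cannot be quietly edited after an incident. The following added example (not code from the page, and not Grep's implementation) shows a hash-chained log of AI-assisted decisions with an override-rate check that surfaces nominal human oversight. The field names, the `kyc-screener` system identifier and the sample entries are assumptions for illustration.

```python
"""Hash-chained audit trail for AI-assisted decisions, with an override-rate
check for nominal human oversight.

Added example, not the page's own code and not any vendor's implementation.
The record layout (system_id, ai_output, human_decision, reviewer) and the
sample entries are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    """Canonical JSON so the same record always hashes the same way."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def append(self, system_id, ai_output, human_decision, reviewer, ts=None) -> str:
        """Record one decision; each entry commits to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "system_id": system_id,
            "ai_output": ai_output,
            "human_decision": human_decision,
            "overridden": human_decision != ai_output,
            "reviewer": reviewer,
            "prev_hash": prev,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the
        first entry whose content or linkage no longer matches)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            content = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(content) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def override_rate(self, system_id=None) -> float:
        """Share of decisions where the reviewer departed from the AI output.
        A rate of zero over a large volume is a signal that oversight is
        rubber-stamping, which regulators say they will not accept."""
        rows = [e for e in self.entries if system_id in (None, e["system_id"])]
        return sum(e["overridden"] for e in rows) / len(rows) if rows else 0.0


def constructed_trail() -> AuditTrail:
    """Constructed sample entries, not real decisions."""
    trail = AuditTrail()
    trail.append("kyc-screener", "deny", "deny", "analyst-1", ts="2024-01-01T09:00:00+00:00")
    trail.append("kyc-screener", "deny", "approve", "analyst-2", ts="2024-01-01T09:05:00+00:00")
    trail.append("kyc-screener", "approve", "approve", "analyst-1", ts="2024-01-01T09:10:00+00:00")
    return trail


def tamper_and_verify():
    """Edit a past entry two ways and return where verification fails each time."""
    t = constructed_trail()
    t.entries[1]["human_decision"] = "deny"   # plain edit: entry 1's own hash no longer matches
    plain = t.verify()
    t.entries[1]["hash"] = _digest({k: v for k, v in t.entries[1].items() if k != "hash"})
    rehashed = t.verify()                      # re-hashed edit: entry 2's prev_hash no longer matches
    return plain, rehashed


if __name__ == "__main__":
    print(constructed_trail().verify(), constructed_trail().override_rate())
    print(tamper_and_verify())
```

A chain like this detects after-the-fact edits to any entry, including one whose own hash was recomputed, because the next entry still commits to the old value. It does not stop someone with write access to the whole store from rewriting every hash downstream, so the head hash should be exported periodically to storage the application cannot modify (a WORM bucket, a signed timestamp, a separate log system); that anchor is what turns the chain into evidence. The override rate is the cheap monitoring metric for the human-oversight requirement: on the constructed entries one decision in three was overridden, whereas a long run of zero overrides on a high-risk system is the thing to escalate.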

The critical success factor is avoiding perfectionism. Regulators evaluate the maturity and good faith of governance programmes, not their completeness against a theoretical ideal. One caveat: for systems classified as high-risk under the EU AI Act, the obligations themselves are mandatory and backed by penalties, so good faith shapes how examiners assess gaps, not whether the requirements apply. With that in mind, an organisation with a documented, actively managed AI governance programme that acknowledges its limitations and improvement plans is in a far stronger regulatory position than one still working on a comprehensive framework that hasn't been implemented.

Key Takeaway

Start with foundational elements — inventory, risk classification, basic policies — and iterate. Regulators value demonstrated good faith and active management over theoretical perfection.

5. How Grep Aligns with OECD Principles

Grep's architecture was designed with the transparency, accountability, and human oversight principles embedded in the OECD framework. For organisations deploying AI research tools, Grep demonstrates what OECD-aligned AI governance looks like in practice.

  • Transparency (Step 5): Every Grep research output includes full citation chains, so users can see which sources were consulted, what information was found, and how conclusions were derived. The citations make the evidence basis inspectable and checkable even where the underlying model's internal reasoning is not, which is the form of transparency an examiner can actually test
  • Human oversight (Step 3): Grep is designed as a research tool that augments human decision-making, not an autonomous decision engine. Findings are presented to human analysts who retain full decision authority
  • Accountability (Step 1): Complete audit trails document every research action, enabling regulatory examination of both the AI's process and the human decisions that followed
  • Risk identification (Step 2): Grep's citation verification and confidence scoring explicitly identify areas of uncertainty, rather than presenting all output with uniform confidence
  • Remediation (Step 6): When findings are challenged or corrected, the audit trail enables identification of the failure point and systematic improvement

For compliance officers evaluating AI tools against the OECD framework, Grep provides a concrete example of how AI research can be deployed within a governance framework designed to meet emerging regulatory expectations. The transparency and auditability that OECD principles demand are not add-on features; they are the core architecture.

Key Takeaway

Grep's citation-verified, fully auditable research architecture demonstrates OECD-aligned AI governance in practice — transparency and accountability are core architecture, not add-on features.

Ready to Put This Into Practice?

Try Grep free and see how AI-powered research can transform your workflow.