Voluntary AI Framework Obligation Mapping
Map voluntary AI commitments (industry pledges, government agreements, sandbox conditions) against sector-specific regulatory requirements to identify where voluntary obligations create compliance risk or regulatory uplift.
Objective
Prevent voluntary AI commitments from creating untracked legal or reputational exposure by maintaining a structured map of each commitment, its scope, and its relationship to binding regulatory obligations.
Maturity Levels
Initial
Voluntary commitments are signed at the executive level with no systematic tracking of obligations.
Developing
A list of signed voluntary commitments exists, but there is no structured review of what each requires operationally.
Defined
Each voluntary commitment is mapped to specific operational obligations, assigned an owner, and reviewed annually or when the commitment is renewed or expanded.
Managed
Voluntary commitment obligations are cross-referenced against regulatory requirements. Where a voluntary commitment goes beyond regulatory minima, the delta is documented and resourced. Status is reported to the board annually.
Optimizing
Voluntary commitment terms are reviewed by Legal before signing. Obligations feed into the unified compliance register alongside regulatory obligations.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Voluntary commitment register listing each commitment, signing entity, date, key obligations, regulatory relationship, owner, and last review date.
- Annual board or senior leadership report summarizing voluntary commitment status and any obligations that exceed regulatory minima.
Implementation Notes
Key steps
- Compile a full list of voluntary AI commitments the organization has signed: government-facilitated pledges (US OSTP, EU AI Pact, UK DSIT), industry body commitments (Partnership on AI, Frontier Model Forum), and any sandbox or pilot program conditions.
- For each commitment, extract the specific operational obligations: what the organization must do, by when, and how it must evidence compliance.
- Map each obligation to the existing control framework. Identify which existing controls satisfy it and which obligations have no control coverage.
- Flag commitments where non-compliance carries reputational or legal consequences (e.g., voluntary commitments that regulators have indicated they will use as de facto standards in enforcement).
- Assign owners and review dates for each commitment. Voluntary commitments often have quieter renewal cycles than regulations.
- When a commitment is publicly cited by a regulator or incorporated into legislation, escalate its status to binding.
What to watch for
- Voluntary commitments made by parent companies or subsidiaries that the organization may be unaware of.
- Government-facilitated pledges that regulators treat as binding even though they are technically voluntary (this is a documented pattern in EU and US AI governance).
- Sandbox exit conditions that create ongoing post-sandbox obligations.
Example Implementation
Voluntary AI Commitment Register (excerpt)
| Commitment | Signed By | Date | Key Obligations | Regulatory Relationship | Owner | Status |
|---|---|---|---|---|---|---|
| US OSTP Voluntary AI Commitments | CEO | 2023-07 | Red-team before deployment, publish transparency report, research on societal risks | Cited by NIST AI RMF; potential regulatory uplift | AI Governance Lead | Active — annual review due |
| EU AI Pact (Wave 1) | Legal | 2024-09 | Publish GPAI model policy, comply with EU AI Act ahead of schedule | Directly linked to EU AI Act obligations | EU Compliance | Active — report due Q4 |
| Partnership on AI membership | Corp Affairs | 2022-01 | Adhere to PAI tenets, participate in working groups | Informational only | Corp Affairs | Active |
| UK AI Safety Commitments | CEO | 2023-11 | Pre-deployment safety evaluations for frontier models | Referenced by UK DSIT guidance | UK Legal | Active |
