Enterprise AI Governance

What are general-purpose AI models (GPAI)?

General-purpose AI models (GPAI) are AI models trained on broad data that can perform a wide range of tasks — such as large language models, foundation models, and multimodal systems. The EU AI Act creates specific obligations for GPAI providers, including transparency, documentation, copyright compliance, and additional rules for models with systemic risk.

Most organizations using GPAI-based tools are deployers, not GPAI providers. But they still need governance over how these systems are used, evidenced, and integrated into their compliance framework.

Key points

  • GPAI providers have specific obligations: technical documentation, transparency to downstream providers, copyright policy documentation, and (for systemic risk models) adversarial testing and incident reporting.
  • Organizations that integrate GPAI models into their own products may become providers of AI systems built on GPAI — shifting their actor role and obligations.
  • Deployers using GPAI-based tools (e.g., enterprise ChatGPT, AI assistants) must still govern the use context, document the deployment, and manage evidence.
  • The GPAI provider's documentation does not automatically satisfy the deployer's governance requirements. The deployer must assess and document independently.

Why it matters

GPAI models are becoming pervasive in enterprise environments. Many organizations deploy them without structured governance — treating them as general-purpose tools rather than AI systems with regulatory implications. The EU AI Act makes clear that GPAI-based systems are within scope, and the governance requirements apply regardless of whether the underlying model was built in-house or purchased from a vendor.

How EAB approaches this

EAB treats GPAI-based systems like any other AI system in the AI System Registry. The AI Screening process evaluates the use context and risk classification. The Actor Role Assessment determines whether the organization is a deployer or has crossed into provider territory through customisation or integration.

Get in Touch
Request More Information

Tell us about your organization and what you’re looking to address. We’ll follow up with the relevant information.