Key facts
- Most organisations are GPAI deployers, not GPAI providers.
- Deployer obligations focus on how the tool is configured, overseen and used, not the model's own compliance.
- Understand the intended use and known limitations of any GPAI-based tool you deploy.
- Human oversight obligations apply to deployers using GPAI-based tools for material decisions.
- Vendor due diligence should confirm the underlying GPAI provider's compliance posture.
What deployers are responsible for
As a deployer, your core responsibilities include maintaining human oversight over how the tool is used (particularly where it influences decisions about people), using the tool within its intended purpose, and understanding its known limitations well enough to spot when output looks wrong.
What deployers are not responsible for
You are not directly responsible for the underlying GPAI model's own compliance obligations — that responsibility sits with the model's provider. However, you should still perform reasonable due diligence on your suppliers to understand their compliance posture, since problems at the provider level can still affect you.
Practical due diligence questions
Ask suppliers whether the underlying GPAI model adheres to the GPAI Code of Practice, what documentation is available about the model's capabilities and limitations, and what support they provide if the model produces problematic output that affects your organisation.
Where this fits your wider AI governance
Treat any GPAI-based tool like any other AI system for inventory and risk classification purposes — the fact that it is built on general-purpose AI rather than a narrow model doesn't exempt it from your standard AI governance process.
Frequently asked questions
Are most organisations GPAI providers or deployers?
Deployers — most organisations use tools built on top of general-purpose AI models rather than building the models themselves.
What are a GPAI deployer's main obligations?
Maintaining human oversight, using the tool within its intended purpose, and understanding its known limitations.
Is a deployer responsible for the underlying GPAI model's compliance?
No — that sits with the model's provider, though deployers should still perform reasonable supplier due diligence.
What should due diligence on a GPAI-based tool cover?
Whether the underlying model adheres to the GPAI Code of Practice, available documentation, and support for problematic output.
Should GPAI-based tools be included in the AI inventory?
Yes — treat them like any other AI system for inventory and risk classification purposes.
Related pages
Sources
Last updated 19 June 2026.