Skip to content
Sandeep Kumar ChaudharySandeep
Back to BlogResponsible AI

What Is the AI Act's General-Purpose AI Code of Practice?

By Sandeep Kumar ChaudharyJul 17, 20266 min read
What Is the AI Act's General-Purpose AI Code of Practice — Responsible AI guide by Sandeep Kumar Chaudhary, full stack developer

TL;DR

This guide explains AI act's general purpose AI code clearly and practically: what it is, why it matters in 2026, and how to apply it step by step. You'll find core concepts, proven best practices, concrete data, trusted references, and a concise FAQ — everything you need in one focused place.

Key takeaways

  • Ship a model card and a data card with every model; undocumented intended use and evaluation gaps are where harm hides.
  • Classify every system by risk before building — the EU AI Act's tiers (unacceptable, high, limited, minimal) determine which obligations even attach.
  • Pick fairness metrics deliberately, because demographic parity, equalized odds, and calibration cannot all hold at once for an imbalanced base rate.
  • Use post-hoc explainers like SHAP and LIME to debug and communicate, but prefer inherently interpretable models when the stakes and the domain allow it.
  • Red-team before release and continuously after, covering prompt injection, jailbreaks, data extraction, and harmful-content generation, not just accuracy.

This is a practical, up-to-date guide to AI Act's General Purpose AI Code — what it is, why it matters in 2026, and how to apply it in real projects. It is written for developers and founders who want clear answers and proven best practices, not filler.

Whether you're just starting out or leveling up, treat this as a working reference you can return to. Every section is built to be skimmed, applied, and shared.

Model cards, data cards, and system cards

Documentation artifacts make transparency concrete and portable. Model cards, proposed by Mitchell and colleagues in 2019, summarize a model's intended use, out-of-scope uses, training and evaluation data, performance disaggregated across relevant groups, and known limitations. Datasheets for datasets and Google's data cards do the same for the data itself, capturing collection methods, consent, and composition. System cards, used by developers like OpenAI and Meta, extend the idea to whole deployed systems including safety mitigations and red-team findings. These documents are now routine on model hubs such as Hugging Face, and regulators increasingly treat comparable technical documentation as mandatory for high-risk systems.

Standards, frameworks, and how they compare

The landscape has several overlapping instruments that serve different purposes, and teams usually combine them rather than choose one. The EU AI Act is hard law with penalties; ISO/IEC 42001 is a certifiable management-system standard you can be audited against; the NIST AI RMF is voluntary, outcome-focused guidance popular in the US; and the OECD AI Principles are a values-level intergovernmental baseline that informs the others. A practical stack is to adopt NIST AI RMF or ISO 42001 as the internal operating system, use ISO/IEC 23894 for risk vocabulary, and map controls to the specific legal obligations — EU AI Act, sectoral rules, or the emerging patchwork of US state laws — that apply to a given deployment.

Red-teaming AI systems

Red-teaming is structured adversarial testing that probes a system for failures a normal test suite would miss. For generative models this means attempting jailbreaks, prompt injection, data-extraction and membership-inference attacks, and coaxing the model into producing harmful, biased, or unsafe content. Teams use manual expert probing, crowdsourced attack campaigns, and increasingly automated red-teaming where one model generates adversarial prompts against another. MITRE ATLAS catalogs real-world adversarial tactics and techniques against machine-learning systems, functioning as an ATT&CK-style knowledge base for defenders. Under the EU AI Act, adversarial testing is now a legal expectation for general-purpose models with systemic risk, cementing red-teaming as a standard release gate rather than a nice-to-have.

AI governance and how it operationalizes principles

AI governance turns abstract principles into repeatable processes, roles, and controls. It typically defines who can approve a model for production, what documentation is required, how risks are logged and escalated, and who is accountable when something goes wrong. Mature programs establish a cross-functional review body — sometimes called an AI review board or an algorithmic ethics committee — that includes legal, security, data science, and affected-domain experts. ISO/IEC 42001 gives this structure a certifiable backbone by specifying an AI management system, while the NIST AI RMF's Govern function supplies the policies and culture that make the technical work stick. Without governance, responsible-AI intentions decay into one-off, unenforced guidelines.

Common pitfalls and where programs go wrong

The most common failure is ethics-washing: publishing principles without the processes, budget, or authority to enforce them. Teams also over-rely on a single fairness metric or a single explainer and treat it as proof of safety, ignoring that SHAP explanations can be manipulated and that satisfying demographic parity can still produce unfair individual decisions. Another trap is treating governance as a one-time launch checkpoint rather than continuous monitoring, so models silently drift and degrade in production. Finally, many programs bolt on responsibility at the end, when the cheapest interventions — better data collection, an interpretable model choice, a human-oversight design — had to be made at the start. Sustained responsible AI needs real accountability, ongoing measurement, and involvement of the people the system affects.

Bias mitigation across the model lifecycle

Harmful bias can enter through skewed training data, proxy features that encode protected attributes, biased labels, or feedback loops in deployment, so mitigation must span the whole lifecycle. Pre-processing methods reweight or resample data to balance representation; in-processing methods add fairness constraints or adversarial debiasing terms to the training objective; post-processing methods adjust decision thresholds per group to equalize outcomes. Open-source toolkits such as IBM's AI Fairness 360, Microsoft's Fairlearn, and Google's What-If Tool implement many of these alongside dozens of fairness metrics. Crucially, no method removes bias for free — improving one group's outcome or one fairness metric usually trades off against accuracy or against a different notion of fairness, so the choice must be justified for the specific context.

AI Act's General Purpose AI Code: Key Facts and Data

According to recent industry research and the official documentation linked below:

  • As of 2025, red-teaming has moved from optional to expected: frontier developers including OpenAI, Anthropic, and Google DeepMind run internal and external red-team programs, and the EU AI Act requires adversarial testing for systemic-risk GPAI models.
  • The NIST AI Risk Management Framework (AI RMF 1.0) was released on January 26, 2023 as voluntary guidance, and NIST published a Generative AI Profile (NIST AI 600-1) in July 2024 to extend it to foundation models.
  • The OECD AI Principles, first adopted in 2019 and updated in 2024, have been adhered to by dozens of countries and shaped the G7 Hiroshima Process, the EU AI Act, and the US executive actions on AI.

Quick-Reference Summary

A map of what this guide covers:

TopicWhat you'll learn
Model cards, data cards, and system cardsDocumentation artifacts make transparency concrete and portable.
Standards, frameworks, and how they compareThe landscape has several overlapping instruments that serve different purposes
Red-teaming AI systemsRed-teaming is structured adversarial testing that probes a system for failures a normal test suite would miss.
AI governance and how it operationalizes principlesAI governance turns abstract principles into repeatable processes, roles, and controls.
Common pitfalls and where programs go wrongThe most common failure is ethics-washing
Bias mitigation across the model lifecycleHarmful bias can enter through skewed training data

How to Get Started with AI Act's General Purpose AI Code

A simple path that works:

  1. Learn the fundamentals of AI Act's General Purpose AI Code from primary sources, not just tutorials.
  2. Build one small, real project end to end.
  3. Get feedback, refactor, and add tests.
  4. Ship it publicly and document what you learned.
  5. Repeat with a slightly harder project each time.

Build It with a World-Class Full Stack Developer

Sandeep Kumar Chaudhary is a full stack world-class developer. If you want to turn this into a real, production-ready product, get in touch — message directly on WhatsApp at +9779802348957 for a fast, no-pressure consult.

You can also explore the projects already shipped to thousands of users, or start a conversation here.

Final Thoughts

Ship a model card and a data card with every model; undocumented intended use and evaluation gaps are where harm hides. The developers and teams who win in 2026 pair strong fundamentals with consistent shipping. Start small, stay curious, build in public, and revisit this guide as your skills grow.

Sources and Further Reading

#responsible ai#ai governance#explainable ai#ai ethics

Frequently Asked Questions

What Is the AI Act's General-Purpose AI Code of Practice?

The landscape has several overlapping instruments that serve different purposes, and teams usually combine them rather than choose one. The EU AI Act is hard law with penalties; ISO/IEC 42001 is a certifiable management-system standard you can be audited against; the NIST AI RMF is voluntary, outcome-focused guidance popular in the US; and the OECD AI Principles are a values-level intergovernmental baseline that informs the others. This guide covers AI act's general purpose AI code end to end — core concepts, best practices, concrete data, and a step-by-step approach you can apply right away.

What is AI red-teaming?

AI red-teaming is structured adversarial testing where experts or automated systems try to make a model fail or behave harmfully. For generative models this includes jailbreaks, prompt injection, data-extraction attacks, and attempts to elicit unsafe or biased content. It is now a standard pre-release and continuous-monitoring practice, and the EU AI Act requires it for general-purpose models that carry systemic risk.

What is the difference between responsible AI and AI ethics?

AI ethics is the philosophical and normative study of what AI systems should and should not do, covering questions of fairness, autonomy, and harm. Responsible AI is the applied practice of implementing those ethical commitments through concrete engineering, governance, and operational controls. In short, ethics defines the goals and responsible AI is how organizations actually achieve them in shipped products.

How is SHAP different from LIME?

Both explain individual predictions by attributing them to input features, but they work differently. LIME fits a simple interpretable model to the neighborhood around one prediction, which is fast but can be unstable. SHAP computes Shapley values from cooperative game theory, giving attributions with consistency guarantees at higher computational cost. In practice teams use SHAP when they need theoretically grounded, consistent explanations and LIME for quick local intuition.

What is ISO/IEC 42001?

ISO/IEC 42001, published in December 2023, is the first international standard for an AI management system, and it is certifiable. It specifies how an organization should establish, implement, maintain, and continually improve governance of its AI systems, much as ISO 27001 does for information security. Certification gives customers and regulators auditable evidence that AI risk is being managed systematically.

Sandeep Kumar Chaudhary

Sandeep Kumar Chaudhary

Full Stack Software Developer· Nepal's SEO, AEO, GEO & AIO expert and share-market educator. More about me