Score
Creating governance documents and operational policies (model risk, privacy, security, compliance) by translating regulatory requirements (e.g., GDPR, NIST) into procedures, review checklists and enforcement mechanisms and coordinating stakeholder review and audits.
Current AI governance research lacks systematic integration of diverse frameworks and practices, with notable gaps in the operationalizability of key mechanisms and the implementation of inclusive, stakeholder-centered approaches. To address this, we conduct a rapid three-tier literature review, systematically synthesizing nine authoritative IEEE/ACM reviews published between 2020 and 2024. We introduce the novel “thematic semantic synthesis” analytical paradigm to identify high-frequency governance frameworks (e.g., the EU AI Act, NIST AI Risk Management Framework), core principles (e.g., transparency, accountability), and stakeholder role distributions. Our analysis reveals four critical knowledge gaps in AI governance scholarship and practice. Based on these findings, we propose a rigorously grounded, organizationally feasible governance roadmap—bridging theoretical advancement and real-world implementation. This work contributes both empirical evidence and methodological innovation to advance AI governance research and practice.
This work addresses the error-prone and labor-intensive process of manually translating regulatory texts such as the GDPR and the EU AI Act into actionable software requirements. The authors propose Reg2Req, the first end-to-end automated pipeline that leverages natural language processing to identify regulatory provisions, generate system-agnostic software requirements accompanied by plain-language explanations, and establish traceability links. The approach supports requirement classification, use case seed generation, and cross-reference analysis, achieving macro-averaged F1 scores of 0.82 on the GDPR and 0.78 on the EU AI Act. A user study demonstrates that the generated plain-language explanations significantly enhance users’ comprehension and confidence in taking compliance actions (p < 0.001), with all participants expressing willingness to adopt the output as a starting point for compliance efforts.
Current AI systems rely heavily on manual auditing and documentation, which hinders scalable governance for automated services. This work proposes Ontological Knowledge Blocks (OKBs), a novel framework that formalizes regulatory obligations as quintuples comprising ontologies, SHACL rules, evidence requirements, and provenance links. By leveraging RDF/OWL modeling, PROV-O for provenance tracking, and an intermediate representation–driven deterministic compiler, the approach enables dynamic switching of governance configurations without modifying service code. Evaluation in an AI-assisted HPC scheduling scenario demonstrates that compliance checks are configuration-sensitive, violations accumulate strictly additively, SHACL validation incurs only 12.6–100.3 milliseconds of latency, and the Combined configuration provides the most comprehensive coverage.
This study addresses the compliance challenges faced by data practitioners in machine learning systems under regulations such as the GDPR and the AI Act, particularly concerning data quality. Through semi-structured interviews with practitioners in the European Union, combined with thematic analysis of regulatory texts and engineering workflows, the research systematically uncovers a structural disconnect between regulation-driven data quality requirements and ML engineering practices. It identifies five core challenges: misalignment between legal principles and engineering implementation, fragmented data pipelines, lack of purpose-built compliance tools, ambiguous accountability, and reactive responses to audits. Building on these findings, the work proposes directions for designing compliance-oriented tooling, establishing effective governance mechanisms, and fostering cultural transformation to bridge the gap between regulatory mandates and practical ML development.
This study addresses the persistent challenge of operationalizing AI governance requirements within software development practice, particularly at the team level. Through an embedded action research approach in an AI startup, the authors construct a translational pipeline that bridges regulatory texts and concrete engineering actions. They propose a governance implementation framework grounded in practitioners’ cognitive orientations—convergence, alignment with existing practices, and disengagement—to shift governance responsibility from externally imposed mandates toward collective team accountability. By integrating legal text analysis, cross-functional collaboration, and collective assessment, the project surfaces developers’ authentic attitudes toward regulation, identifies compliance priorities anchored in user and developer needs, and renders implicit governance work explicit and institutionalized.
This paper addresses the challenge of clarifying and coordinating responsibilities among six key actor roles—providers, deployers, authorized representatives, importers, distributors, users, and notified bodies—under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). Applying systematic legal text analysis, the study examines all 113 articles, 180 recitals, and 13 annexes. It proposes a dynamic role-transformation mechanism grounded in the principle that “control determines responsibility,” revealing how obligations cascade along the AI supply chain. The paper’s primary contribution is an original AI regulatory actor mapping framework that operationalizes the “responsibility follows control” principle to enable distributed, cooperative governance. This framework balances fundamental rights protection with innovation support by clarifying role-specific duties and interdependencies. It delivers actionable guidance for regulators, AI providers, deployers, and other compliance stakeholders on role identification and obligation fulfillment under the AI Act.
This study addresses the challenge fintech firms face in effectively implementing ISO/IEC 27001:2022 requirements within high-intensity information environments due to the absence of actionable implementation pathways. By analyzing a real-world case in which an organization translated the standard’s clauses and Annex A controls into eight core operational procedures, this work proposes a multi-layered, procedural Information Security Management System (ISMS) framework. The framework integrates the CIA triad as a unified evaluation criterion, a twelve-step risk assessment methodology, and role-based accountability. Through structured process modeling, role-permission mapping, and root-cause analysis of non-conformities, it establishes a closed-loop governance mechanism that is executable, measurable, and clearly assigns responsibility. The findings indicate that a tightly integrated, hierarchically structured procedural system—equipped with quantifiable risk metrics and explicit accountability—is essential for effective ISMS implementation in fintech contexts.
This study addresses the challenge of operationalizing GDPR compliance in software engineering—specifically, how to realize “Privacy by Design” (PbD) at the requirements and system specification levels while reconciling heterogeneous stakeholder interests and ensuring semantic consistency and traceability between legal provisions and technical specifications. We propose a formal modeling approach grounded in original legal concepts, systematically mapping GDPR articles to reusable privacy requirement patterns. Integrating systematic literature analysis, industry interviews, and requirements modeling, we develop a joint specification framework supporting cross-layer abstraction and transparent, bidirectional traceability. Empirical evaluation demonstrates that the framework significantly improves the accuracy of privacy requirement elicitation and the transparency of regulatory specification, thereby providing a scalable, methodology-driven foundation for law–technology co-governance.
Enterprise-scale general-purpose agents lack built-in, reusable governance mechanisms for autonomous cross-tool operation, making it difficult to satisfy requirements for compliance, auditability, and behavioral controllability. This work proposes the CUGA policy system, which embeds runtime governance capabilities into five critical checkpoints of the agent execution pipeline—intent protection, playbook guidance, tool invocation control, human approval gating, and output formatting—through a modular “policy-as-code” architecture. Without requiring model fine-tuning, CUGA enables proactive, continuous, and structured behavior control. By integrating typed governance primitives, dynamic playbook injection, and human-in-the-loop approval, the system effectively blocks malicious requests, enforces structured tool sequences, and triggers manual review for high-risk operations in healthcare scenarios, significantly enhancing policy adherence, execution consistency, and deployment safety.
AI system deployment faces three critical governance gaps: absence of use-case-level risk assessment, misalignment between high-level principles and operational controls, and lack of scalable mechanisms for governance integration. To address these, this paper introduces the Trust Integration Pillars (TIPS)—a structured governance framework that pioneers a four-dimensional closed-loop paradigm: risk profiling, control mapping, quantitative measurement, and role-based collaboration—achieving engineering-ready AI governance four years prior to the NIST AI Risk Management Framework (RMF). TIPS integrates Governance, Risk, and Compliance-as-Code (GRC-as-Code), risk-driven use-case classification matrices, multi-tier compliance dashboards, and role-specific governance dashboards to embed governance throughout the AI development lifecycle. Empirical evaluation demonstrates 100% governance coverage across cross-functional AI projects, a 47% improvement in critical risk identification accuracy, and 68% automation of governance actions—successfully deployed at scale in high-stakes domains including healthcare and finance.
This study addresses a critical gap in current AI governance, which predominantly emphasizes substantive rules while neglecting the legal and regulatory infrastructure necessary for their generation and implementation. For the first time, this work systematically positions legal infrastructure as the cornerstone of effective AI governance and proposes an institutional framework comprising a frontier model registration system, an autonomous agent identification mechanism, and a market-oriented regulatory service model. Through rigorous legal design, regulatory modeling, and policy mechanism analysis, the research delivers an actionable institutional pathway that significantly enhances the flexibility, scalability, and enforcement efficacy of AI governance rules.