Back to Dashboard
Operationalization / 7.1

7.1 Translation of Governance Goals into Policies and Requirements

2026 Governance Status: Narrowly operationalized; objective measurement open

Original Problem in the Paper

Paper motivation/open problem: “Policies are often formulated with specific aims” such as consumer safety, fairness, accountability; rule-based regulation must translate aims into “rules” and needs technical expertise on feasibility and whether rules achieve aims. Open problems: identify “system properties” that are reliable risk indicators; current training-compute thresholds may be unsuitable because “smaller models can outperform larger ones,” auxiliary FLOP accounting is unclear, and quantization/dropout complicate counts; standards such as NIST RMF/ISO guidance “often lack the technical specificity required for objective assessment” and reporting artifacts need standardized content.

July 2026 Update & Trajectory

Operationalization moved from principles to binding/semibinding instruments: EU AI Act obligations and timelines, GPAI Code, NIST AI RMF GenAI Profile, AI RMF critical-infrastructure concept note, NIST AI Consortium, and CEN/CENELEC harmonised-standard work. But the core technical problem is not solved: standards remain in development for many AI Act obligations; high-risk AI dates were pushed to align with support tools/standards; system-risk proxies are still mixed (compute, deployment scale, capability evaluations, systemic-risk categories) rather than validated universal indicators; objective test methods for fairness, robustness, cyber, autonomy, CBRN, and environmental claims are still immature. I verified 2026 status for EU standardisation and NIST consortium/RMF pages; I did not verify a finalized 2026 ISO AI management-system update beyond the inaccessible ISO pages, so ISO claims are limited to known existing standards and EU references.

Deployed / Operationalized

  • EU AI Act: risk tiers, prohibited practices effective February 2025, GPAI obligations effective August 2025, high-risk obligations scheduled/extended into 2027-2028; practical guidance via AI Act Service Desk, Guidelines, GPAI Code, training-data summary template, and transparency/code instruments.
  • GPAI Code of Practice: voluntary but Commission/AI Board-endorsed compliance route for transparency, copyright, and safety/security obligations; signatory taskforce operationalizes coherent application.
  • NIST AI RMF ecosystem: RMF 1.0, Playbook, Crosswalks, GenAI Profile NIST AI 600-1 with concrete suggested actions; RMF revision underway; Critical Infrastructure profile concept note released April 2026.
  • European harmonised standards: CEN/CENELEC JTC 21 requested to develop standards in ten AI Act areas; prEN 18286 quality-management standard entered public enquiry in October 2025.
  • NIST AI Consortium expanded in 2026 to build empirically backed guidelines and standards for AI measurement with 280+ organizations.

New Tractable Vectors

  • Mapping legal obligations to machine-readable controls/crosswalks is now tractable because RMF, AI Act, GPAI Code, HAIP/OECD reporting, and CEN/CENELEC scopes give common vocabularies.
  • Risk-tier compliance automation is more tractable using AI-SBOM/model-card/data-card structures, standardized training-content summaries, and NIST suggested-action IDs.
  • Sector profiles are tractable: NIST critical-infrastructure AI RMF profile work narrows context-specific requirements instead of relying on generic principles.
  • Standards-gap analysis is tractable by comparing AI Act ten standardisation areas against available CEN/CENELEC/ISO/NIST artifacts.

Key Open Questions

  • Validate risk indicators that remain predictive under algorithmic progress, fine-tuning, tool use, inference-time scaling, model distillation, and post-deployment capability gains.
  • Turn broad obligations like robustness, human oversight, cybersecurity, fairness, and systemic-risk mitigation into reproducible, objective conformity tests.
  • Avoid regulatory gaming around compute thresholds, model-family fragmentation, and opaque post-training or deployment enhancements.
  • Keep standards current without requiring law to chase model architectures and deployment patterns.
  • Quantify tradeoffs between legal certainty from harmonised standards and lock-in to inadequate early technical measures.

Evidence & Primary Sources