7.1 Translation of Governance Goals into Policies and Requirements
Original Problem in the Paper
Paper motivation/open problem: “Policies are often formulated with specific aims” such as consumer safety, fairness, accountability; rule-based regulation must translate aims into “rules” and needs technical expertise on feasibility and whether rules achieve aims. Open problems: identify “system properties” that are reliable risk indicators; current training-compute thresholds may be unsuitable because “smaller models can outperform larger ones,” auxiliary FLOP accounting is unclear, and quantization/dropout complicate counts; standards such as NIST RMF/ISO guidance “often lack the technical specificity required for objective assessment” and reporting artifacts need standardized content.
July 2026 Update & Trajectory
Operationalization moved from principles to binding/semibinding instruments: EU AI Act obligations and timelines, GPAI Code, NIST AI RMF GenAI Profile, AI RMF critical-infrastructure concept note, NIST AI Consortium, and CEN/CENELEC harmonised-standard work. But the core technical problem is not solved: standards remain in development for many AI Act obligations; high-risk AI dates were pushed to align with support tools/standards; system-risk proxies are still mixed (compute, deployment scale, capability evaluations, systemic-risk categories) rather than validated universal indicators; objective test methods for fairness, robustness, cyber, autonomy, CBRN, and environmental claims are still immature. I verified 2026 status for EU standardisation and NIST consortium/RMF pages; I did not verify a finalized 2026 ISO AI management-system update beyond the inaccessible ISO pages, so ISO claims are limited to known existing standards and EU references.
Deployed / Operationalized
- EU AI Act: risk tiers, prohibited practices effective February 2025, GPAI obligations effective August 2025, high-risk obligations scheduled/extended into 2027-2028; practical guidance via AI Act Service Desk, Guidelines, GPAI Code, training-data summary template, and transparency/code instruments.
- GPAI Code of Practice: voluntary but Commission/AI Board-endorsed compliance route for transparency, copyright, and safety/security obligations; signatory taskforce operationalizes coherent application.
- NIST AI RMF ecosystem: RMF 1.0, Playbook, Crosswalks, GenAI Profile NIST AI 600-1 with concrete suggested actions; RMF revision underway; Critical Infrastructure profile concept note released April 2026.
- European harmonised standards: CEN/CENELEC JTC 21 requested to develop standards in ten AI Act areas; prEN 18286 quality-management standard entered public enquiry in October 2025.
- NIST AI Consortium expanded in 2026 to build empirically backed guidelines and standards for AI measurement with 280+ organizations.
New Tractable Vectors
- Mapping legal obligations to machine-readable controls/crosswalks is now tractable because RMF, AI Act, GPAI Code, HAIP/OECD reporting, and CEN/CENELEC scopes give common vocabularies.
- Risk-tier compliance automation is more tractable using AI-SBOM/model-card/data-card structures, standardized training-content summaries, and NIST suggested-action IDs.
- Sector profiles are tractable: NIST critical-infrastructure AI RMF profile work narrows context-specific requirements instead of relying on generic principles.
- Standards-gap analysis is tractable by comparing AI Act ten standardisation areas against available CEN/CENELEC/ISO/NIST artifacts.
Key Open Questions
- Validate risk indicators that remain predictive under algorithmic progress, fine-tuning, tool use, inference-time scaling, model distillation, and post-deployment capability gains.
- Turn broad obligations like robustness, human oversight, cybersecurity, fairness, and systemic-risk mitigation into reproducible, objective conformity tests.
- Avoid regulatory gaming around compute thresholds, model-family fragmentation, and opaque post-training or deployment enhancements.
- Keep standards current without requiring law to chase model architectures and deployment patterns.
- Quantify tradeoffs between legal certainty from harmonised standards and lock-in to inadequate early technical measures.
Evidence & Primary Sources
- EU AI Act is a comprehensive risk-based legal framework; prohibitions applied February 2025, GPAI obligations August 2025, and high-risk AI timelines extend into 2027-2028 after 2026 political agreement. (Page includes latest news through June 2026 and implementation timeline updated for 2026 agreement): https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- EU GPAI Code was published July 10, 2025 and endorsed as an adequate voluntary compliance tool; transparency/copyright/safety-security chapters operationalize AI Act GPAI obligations. (Last update 23 April 2026): https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai
- EU standardisation work requests CEN/CENELEC standards in ten areas; prEN 18286 became first harmonised AI standard to enter public enquiry on 30 October 2025; page updated 1 July 2026. (Last update 1 July 2026): https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation
- NIST AI RMF page says RMF 1.0 is being revised, GenAI Profile was released July 26 2024, and Critical Infrastructure profile concept note was released April 7 2026. (Modified 10 June 2026): https://www.nist.gov/itl/ai-risk-management-framework
- NIST AI Consortium brings together 280+ organizations to develop science-based, empirically backed AI measurement guidelines and standards; expanded scope announced May 29 2026. (Published 5 June 2025; modified 29 May 2026): https://www.nist.gov/artificial-intelligence/nist-ai-consortium
- NIST GenAI Profile defines concrete risks and suggested AI RMF actions for generative AI risk management. (July 2024): https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf