Back to Dashboard
Operationalization / 7.1

7.1 Translation of Governance Goals into Policies and Requirements

2026 Governance Status: Operationalized in legal and guidance infrastructure; objective measurement remains open

Original Problem in the Paper

Paper motivation/open problem: policies are often formulated with aims such as consumer safety, fairness, and accountability, but rule-based regulation must translate those aims into concrete rules. The paper says this translation requires technical expertise about whether proposed rules are feasible and whether they achieve the stated aims. It identifies open problems including: finding system properties that reliably indicate risk; assessing whether training-compute thresholds remain suitable when smaller models can outperform larger ones with targeted training; handling unclear auxiliary FLOP accounting and complications from quantization or dropout; and making standards and reporting artifacts specific enough for objective assessment.

July 2026 Update & Trajectory

Operationalization has moved from high-level principles toward a mix of binding obligations and implementation infrastructure: EU AI Act obligations and timelines; the voluntary but Commission/AI Board-endorsed GPAI Code; NIST AI RMF and GenAI Profile resources; NIST critical-infrastructure profile and consortium work; the OECD Hiroshima AI Process reporting framework; and CEN/CENELEC harmonised-standard development. But the core technical problem is not solved. Many AI Act standards are still in development. The Commission’s 2026 AI Act implementation page states that, following the political agreement on simplification, high-risk AI rules would apply on 2 December 2027 for Annex III systems and 2 August 2028 for product-integrated systems, so companies have support tools such as standards available. Across the source paper, AI Act materials, OECD reporting, and NIST resources, risk operationalization still uses multiple context-dependent proxies and structures—such as compute or capability thresholds, widespread use, risk categories, evaluations, and reporting fields—rather than a single validated universal risk indicator. Objective conformity testing remains uneven: the source paper highlights unresolved fairness metrics and lack of technical specificity in standards, while NIST’s GenAI Profile describes immature AI measurement and safety science and identifies difficult-to-scope risks including CBRN, bias, information security, and environmental impacts. I did not verify a finalized 2026 ISO AI management-system update beyond public EU references to ISO/IEC SC 42 work, so ISO claims are limited to publicly accessible references.

Deployed / Operationalized

  • EU AI Act: a risk-based legal framework with prohibited-practice rules applying from February 2025, GPAI rules applying from August 2025, transparency rules scheduled for August 2026, and Commission-stated high-risk dates of 2 December 2027 for Annex III systems and 2 August 2028 for product-integrated systems following the 2026 political agreement on AI Act simplification. Practical support includes the AI Act Service Desk, guidelines, the GPAI Code, a public-summary template for GPAI training content, and transparency/code instruments.
  • GPAI Code of Practice: a voluntary tool, endorsed by the Commission and AI Board as adequate for providers to demonstrate compliance with AI Act GPAI obligations. Its chapters cover Transparency, Copyright, and Safety and Security, and a Signatory Taskforce chaired by the AI Office facilitates coherent application of the Code.
  • NIST AI RMF ecosystem: AI RMF 1.0 is voluntary and is being revised; NIST provides a Playbook, Roadmap, Crosswalks, Resource Center, and Perspectives; NIST AI 600-1 gives a Generative AI Profile with risks and suggested risk-management actions; and NIST released a concept note in April 2026 for an AI RMF Profile on Trustworthy AI in Critical Infrastructure.
  • European harmonised-standard development: the Commission requested CEN/CENELEC JTC 21 to develop standards in ten AI Act areas—risk management, dataset governance and quality, record keeping, transparency, human oversight, accuracy, robustness, cybersecurity, quality management, and conformity assessment. Draft standards remain in development, and prEN 18286, a quality-management-system standard for EU AI Act regulatory purposes, entered public enquiry on 30 October 2025. Legal presumption of conformity attaches only after harmonised standards are published and referenced in the Official Journal of the EU.
  • NIST AI Consortium: NIST says the Consortium brings together more than 280 organizations to develop science-based, empirically backed guidelines and standards for AI measurement, and that its expanded scope was announced on 29 May 2026.
  • OECD Hiroshima AI Process reporting: the OECD page says the reporting framework provides a standardized structure for organizations to report alignment with the Hiroshima AI Process International Code of Conduct, supports transparency and comparability of risk-mitigation practices, and accepts rolling submissions.

New Tractable Vectors

  • Mapping legal and voluntary obligations into structured control crosswalks is more tractable because the AI Act, GPAI Code, NIST RMF/crosswalk ecosystem, OECD Hiroshima AI Process reporting framework, and CEN/CENELEC standardisation scopes now provide overlapping vocabularies, though machine-readable mappings still require implementation work.
  • Risk-tier compliance workflows are more tractable using standardized GPAI training-content summaries and NIST GenAI Profile suggested actions, and may be further systematized with model-card, data-card, or AI-SBOM-style artifacts where those schemas are adopted.
  • Sector profiles are more tractable: NIST’s April 2026 critical-infrastructure AI RMF profile concept note narrows risk-management guidance toward critical-infrastructure operators rather than relying only on generic principles.
  • Standards-gap analysis is tractable by comparing the AI Act’s ten requested standardisation areas against available CEN/CENELEC outputs and accessible NIST or ISO/IEC-related public artifacts; specific ISO coverage should be claimed only where a public source was verified.

Key Open Questions

  • Validate risk indicators that remain predictive under algorithmic progress, fine-tuning, tool use, inference-time scaling, model distillation, and post-deployment capability gains.
  • Turn broad obligations such as robustness, human oversight, cybersecurity, fairness, and systemic-risk mitigation into reproducible conformity tests that are objective enough for compliance assessment.
  • Avoid regulatory gaming around compute thresholds, model-family fragmentation, and opaque post-training or deployment enhancements.
  • Keep standards current without requiring law to chase every model architecture or deployment pattern.
  • Quantify tradeoffs between legal certainty from harmonised standards and lock-in to inadequate early technical measures.

Evidence & Primary Sources

  • The source paper frames this topic as translating policy aims into rules and requirements; it identifies open problems around reliable risk indicators, compute-threshold suitability, auxiliary FLOP accounting, quantization/dropout complications, technical specificity of standards, and standardized reporting content: https://arxiv.org/abs/2407.14981
  • EU AI Act page: describes Regulation (EU) 2024/1689 as a comprehensive risk-based legal framework; lists risk levels and high-risk obligations; says prohibitions became effective in February 2025, GPAI rules became effective in August 2025, and transparency rules come into effect in August 2026; says that, following the political agreement on AI Act simplification, rules for Annex III high-risk systems apply from 2 December 2027 and product-integrated high-risk systems from 2 August 2028; and identifies support tools including the AI Act Service Desk, guidelines, GPAI Code, training-content summary template, and transparency instruments: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  • EU GPAI Code page: says the Code was published on 10 July 2025; is a voluntary tool prepared through a multi-stakeholder process; was confirmed by the Commission and AI Board as an adequate voluntary tool for GPAI providers to demonstrate compliance with AI Act obligations; has Transparency, Copyright, and Safety and Security chapters; and has a Signatory Taskforce chaired by the AI Office to facilitate coherent application: https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai
  • EU standardisation page: says CEN/CENELEC JTC 21 is actively developing harmonised standards for high-risk AI systems; lists the ten requested areas of standardisation; explains that standards are voluntary and confer a presumption of conformity only once referenced in the Official Journal of the EU; says prEN 18286 entered public enquiry on 30 October 2025; and says the Digital Omnibus proposed linking high-risk-rule application to the availability of support tools including standards: https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation
  • NIST AI RMF page: says AI RMF 1.0 was released on 26 January 2023, is intended for voluntary use, and is being revised; lists the Playbook, Roadmap, Crosswalk, Resource Center, and Perspectives; says NIST AI 600-1, the Generative AI Profile, was released on 26 July 2024 and proposes actions for generative-AI risk management; and says NIST released a concept note on 7 April 2026 for an AI RMF Profile on Trustworthy AI in Critical Infrastructure: https://www.nist.gov/itl/ai-risk-management-framework
  • NIST AI Consortium page: says the Consortium brings together more than 280 organizations to develop science-based, empirically backed guidelines and standards for AI measurement; says NIST announced an expanded scope on 29 May 2026; and describes goals including collaborative research, prioritizing evaluation requirements, and enabling assessment and evaluation of test systems and prototypes: https://www.nist.gov/artificial-intelligence/nist-ai-consortium
  • NIST GenAI Profile: NIST AI 600-1 is the Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. It identifies risks unique to or exacerbated by generative AI—including CBRN, confabulation, dangerous content, privacy, environmental impacts, harmful bias, human-AI configuration, information security, intellectual property, abusive content, and value-chain risks—and provides suggested actions mapped to AI RMF functions. It also supports the caveat that AI measurement and safety science remain immature in important respects: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
  • OECD Hiroshima AI Process Reporting Framework page: says the framework launched in February 2025, provides a standardized structure for organizations to report alignment with the Hiroshima AI Process International Code of Conduct, promotes transparency and comparability of risk-mitigation measures, and accepts rolling submissions, with submissions received by 1 September 2026 feeding into the next analytical review: https://oecd.ai/en/transparency/overview