AI Governance Umbrella Across Regulatory Regimes
by Nick Clark | Published April 25, 2026
AI governance is consolidating through Regulation (EU) 2024/1689 (the AI Act, in force August 1, 2024 with phased application through August 2, 2027), U.S. Executive Order 14110 of October 30, 2023 and the January 23, 2025 Executive Order 14179 that replaced its policy direction, the NIST AI Risk Management Framework (AI RMF 1.0, January 2023) and its July 2024 Generative AI Profile (NIST AI 600-1), ISO/IEC 42001:2023 management system requirements, the OECD AI Principles as revised in May 2024, and sector-specific regimes such as the FDA's January 2025 draft guidance on AI-enabled device software functions. Each regime imposes structural obligations on the same underlying systems, and the procedural artifacts each demands are not natively reconcilable. The architectural governance-chain primitive described below provides the cross-regime umbrella substrate that allows a single AI system to be governed under all of them at once.
Regulatory and Domain Context
The EU AI Act establishes a four-tier risk classification (unacceptable, high, limited, minimal) with binding obligations for high-risk systems including risk management (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), and accuracy, robustness, and cybersecurity (Article 15). Prohibited practices under Article 5 have applied since February 2, 2025; general-purpose AI model obligations under Articles 53 and 55 apply from August 2, 2025; most high-risk system obligations apply from August 2, 2026, with high-risk systems that are safety components of products covered by the Union harmonisation legislation listed in Annex I extending to August 2, 2027. The Act's extraterritorial scope under Article 2 reaches any provider placing systems on the EU market or any deployer whose output is used in the Union, drawing U.S. and Asian providers into the regime regardless of their domicile.
In the United States, Executive Order 14110 directed agencies including NIST, OMB, and sectoral regulators to issue guidance on safety testing, watermarking, civil rights, and federal procurement of AI. EO 14110 was rescinded on January 20, 2025, and Executive Order 14179, issued January 23, 2025, redirected federal AI policy toward a deregulatory posture; the artifacts produced in the EO 14110 period (NIST's Generative AI Profile, OMB Memorandum M-24-10 on federal agency AI use, since replaced by M-25-21 in April 2025, and OSTP's October 2022 Blueprint for an AI Bill of Rights, which predates the order) nonetheless remain widely cited reference documents. The NIST AI RMF organizes governance around four functions (Govern, Map, Measure, Manage) and is referenced by the EU AI Act's harmonized standards process and by ISO/IEC 42001 conformity programs. The FDA's predetermined change control plan (PCCP) guidance for AI-enabled device software functions, finalized December 2024, establishes a parallel sectoral regime for medical AI that intersects with the broader frameworks at every regulated device.
Layered onto these are the OECD AI Principles (revised May 2024 to address generative AI), the Council of Europe Framework Convention on AI opened for signature September 5, 2024, the UK's pro-innovation regulatory approach distributing AI oversight across existing regulators, Singapore's Model AI Governance Framework for Generative AI (May 2024), and China's Interim Measures for Generative AI Services (effective August 15, 2023). A single foundation model deployed globally is now governed by at least five overlapping regimes, each with its own evidentiary expectations.
Architectural Requirement
An AI governance umbrella must do more than aggregate compliance artifacts. It must allow a single operational record of a model's training, evaluation, deployment, and incident history to be admissible under each regime's distinct evidentiary rules. The EU AI Act demands documented risk management and post-market monitoring; the FDA, where a manufacturer uses a predetermined change control plan, requires each anticipated modification to be pre-specified and bound to a modification protocol and locked performance specifications; ISO/IEC 42001 demands a management system with documented controls and continual improvement; the NIST AI RMF demands traceable mapping from organizational context through measured outcomes. These demands are not contradictory, but they are not procedurally aligned, and an organization meeting them through separate evidence pipelines pays the integration cost on every audit.
The architectural requirement is therefore a single record of AI system observations, decisions, and authority actions whose primitives are weighted, admitted, actuated, and traced under properties strong enough to satisfy each regime simultaneously. Authority must be credentialed at the observation level so that the same training data lineage can be presented to a notified body under the EU AI Act and to an FDA reviewer without reconstruction. Provenance must be lineage-recorded so that a model card, an Article 11 technical documentation file, and a 510(k) submission draw from the same root.
Why Procedural Compliance Fails Across Regimes
Procedural compliance for AI systems means producing the artifacts each regime names: a conformity assessment dossier for the EU, a Special 510(k) or De Novo submission for the FDA, an ISO/IEC 42001 management system manual for the certification body, an AI RMF crosswalk for federal procurement. Each artifact is internally coherent and externally legible only to its intended reader. When a model is updated, when a training data subset is retired under a GDPR erasure request, when a measured fairness metric drifts, the change must be propagated independently into each artifact, and the reconciliation cost grows with the number of regimes and the velocity of model iteration.
The deeper failure is that procedural artifacts do not survive the model's evolution. A 2024 conformity assessment for a high-risk system describes the system as it was assessed; a 2026 incident involving the same model under a different deployer's configuration cannot be settled against the 2024 dossier without bridging artifacts that were never required at the time of assessment. The EU AI Act's post-market monitoring (Article 72) and serious incident reporting (Article 73) presuppose a continuous record that the conformity assessment regime does not itself produce. Procedural compliance certifies a snapshot; AI governance requires a continuous, joint record across regimes that no single procedural regime is structured to produce.
What the Governance-Chain Primitive Provides
The governance-chain primitive supplies five properties to every observation, decision, and actuation in the AI system's lifecycle. Authority-credentialed observation means each training data record, evaluation result, and deployment telemetry entry carries the credentials of the authority that produced it (a data steward, a red-team lead, a deploying customer's compliance officer), so that the same observation can be presented under the EU AI Act, FDA, and ISO/IEC 42001 without re-attestation. Evidential weighting allows observations to carry their measurement uncertainty and methodological provenance forward, so that a fairness metric reported under the NIST AI RMF Measure function and the same metric reported in an EU Article 15 accuracy disclosure are weighted consistently.
Composite admissibility allows a single record to satisfy concurrent regimes: an incident report admissible under EU AI Act Article 73, FDA Medical Device Reporting under 21 CFR Part 803, and a state attorney general inquiry under an unfair or deceptive acts or practices (UDAP) statute draws from one record rather than three. Governed actuation means model updates, data retirements, and deployment changes are themselves recorded as authorized actions tied to their predicate observations and to the authority that approved them. Lineage-recorded provenance ensures that every output of the system, including a current inference, traces back through the chain of training data, evaluations, deployment decisions, and authority approvals that produced it.
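The five properties above describe a data structure, so the following Python sketch, added here as an illustration and not code from the article or from any product it describes, implements them as a hash-linked, per-entry-signed append-only record. Every name in it is an assumption: the authority keys, the regime field maps (which stand in for the real Article 73 and 21 CFR Part 803 report formats), and the sample lifecycle entries are constructed for the example, and HMAC with shared keys stands in for the asymmetric signatures a real deployment would give each authority.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in keys: a real chain would use asymmetric keys held by each authority.
AUTHORITY_KEYS = {
    "data-steward": b"constructed-key-1",
    "red-team-lead": b"constructed-key-2",
    "compliance-officer": b"constructed-key-3",
}
# Assumed regime projections: which payload fields each report pulls from the shared record.
REGIME_FIELDS = {
    "eu-ai-act-art73": ["system", "harm", "occurred"],
    "fda-21cfr803": ["device", "harm", "occurred"],
}

@dataclass
class Entry:
    entry_id: str
    kind: str          # observation | decision | actuation
    authority: str     # authority-credentialed observation: who produced it
    payload: dict
    weight: dict       # evidential weighting: uncertainty and method carried forward
    predicates: list   # lineage-recorded provenance: entry ids this one depends on
    prev_hash: str
    digest: str = ""
    signature: str = ""

def _canonical(entry):
    body = {k: v for k, v in entry.__dict__.items() if k not in ("digest", "signature")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _sign(authority, digest):
    return hmac.new(AUTHORITY_KEYS[authority], digest.encode(), "sha256").hexdigest()

class GovernanceChain:
    def __init__(self):
        self.entries, self.index = [], {}

    def append(self, entry_id, kind, authority, payload, weight=None, predicates=()):
        # Governed actuation: unknown authorities and dangling predicates are refused.
        if authority not in AUTHORITY_KEYS:
            raise PermissionError(f"unknown authority {authority!r}")
        missing = [p for p in predicates if p not in self.index]
        if missing:
            raise ValueError(f"predicates not on chain: {missing}")
        prev = self.entries[-1].digest if self.entries else "0" * 64
        e = Entry(entry_id, kind, authority, payload, weight or {}, list(predicates), prev)
        e.digest = hashlib.sha256(_canonical(e)).hexdigest()
        e.signature = _sign(authority, e.digest)
        self.entries.append(e)
        self.index[entry_id] = e
        return e

    def verify(self):
        # Recompute every digest, back-link and signature; any later edit fails here.
        prev = "0" * 64
        for e in self.entries:
            if e.prev_hash != prev or hashlib.sha256(_canonical(e)).hexdigest() != e.digest:
                return False
            if not hmac.compare_digest(_sign(e.authority, e.digest), e.signature):
                return False
            prev = e.digest
        return True

    def lineage(self, entry_id):
        # Transitive closure of predicates: everything an output traces back through.
        seen, stack = [], [entry_id]
        while stack:
            eid = stack.pop()
            if eid not in seen:
                seen.append(eid)
                stack.extend(self.index[eid].predicates)
        return seen

    def project(self, entry_id, regime):
        # Composite admissibility: one record rendered as a regime-specific report.
        e = self.index[entry_id]
        return {"regime": regime, "reported_by": e.authority, "weight": e.weight,
                "fields": {f: e.payload.get(f) for f in REGIME_FIELDS[regime]},
                "lineage": self.lineage(entry_id), "record_digest": e.digest}

def build_sample_chain():
    # Constructed lifecycle: data -> evaluation -> deployment -> inference -> incident.
    c = GovernanceChain()
    c.append("data-2024q3", "observation", "data-steward",
             {"source": "registry-export", "records": 120000}, {"method": "manifest-hash"})
    c.append("eval-fairness-v3", "observation", "red-team-lead",
             {"metric": "equalized-odds-gap", "value": 0.031},
             {"uncertainty": 0.004, "method": "bootstrap-1000"}, ["data-2024q3"])
    c.append("deploy-v3", "actuation", "compliance-officer", {"system": "triage-assist",
             "device": "TA-3"}, predicates=["data-2024q3", "eval-fairness-v3"])
    c.append("inference-7781", "observation", "compliance-officer",
             {"system": "triage-assist", "output": "low-risk"}, predicates=["deploy-v3"])
    c.append("incident-1", "decision", "compliance-officer", {"system": "triage-assist",
             "device": "TA-3", "harm": "delayed-escalation", "occurred": "2026-03-02"},
             predicates=["inference-7781"])
    return c
```

Calling `build_sample_chain()` and then `project("incident-1", "eu-ai-act-art73")` and `project("incident-1", "fda-21cfr803")` yields two reports that differ only in the fields selected, share the same `record_digest`, the same signing authority and the same lineage back to `data-2024q3`; editing the fairness metric after the fact makes `verify()` return `False`, and appending a deployment whose predicate evaluation is not on the chain is refused. What the sketch omits is what makes such a record defensible to a notified body or an FDA reviewer: per-authority asymmetric keys, an externally witnessed or timestamped log head so the operator cannot silently rewrite the whole chain, and a schema for each regime's report derived from the regime's own requirements rather than the placeholder field lists above.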
Compliance Mapping
EU AI Act Article 9 risk management maps onto evidential weighting and lineage-recorded provenance, because risk identification and mitigation must be defensible against the observations that revealed each risk. Article 10 data governance maps onto authority-credentialed observation, since each training data record's source authority is the basis for lawful processing claims. Articles 11, 12, and 13 technical documentation, record-keeping, and transparency map onto the chain itself, which is the documentation in continuous form. Article 14 human oversight maps onto governed actuation, where every override or intervention is recorded as an authorized act. Articles 72 and 73 post-market monitoring and serious incident reporting map onto composite admissibility.
NIST AI RMF Govern, Map, Measure, and Manage functions map onto the chain's authority, observation, weighting, and actuation properties respectively. ISO/IEC 42001 Annex A controls (data quality, system impact assessment, third-party relationships) map onto the same primitives without separate documentation. FDA predetermined change control plans map onto governed actuation, where each anticipated modification is bound to its predicate evaluation. The OECD Principles, the Council of Europe Convention, and adjacent frameworks (NIST SP 800-218A on secure development practices for generative AI and dual-use foundation models, OMB guidance on federal agency use such as M-24-10 and its successor) all draw on the same record without requiring parallel evidentiary tracks.
Adoption Pathway
Adoption begins with a single high-risk system under EU AI Act scope where the deployer faces concurrent obligations under at least two regimes (typical examples: a clinical decision support system facing both EU AI Act and FDA scrutiny, an employment screening system facing EU AI Act and U.S. EEOC enforcement under existing civil rights statutes). The first deliverable is a single chain spanning training data acquisition through current production inference, presented as the source of truth for both the conformity assessment dossier and the FDA submission. Existing artifacts are generated as projections of the chain rather than as independent documents.
From a single-system pilot, adoption extends to the deployer's full AI portfolio, then to the provider's full set of deployments across customers, and finally to upstream foundation model providers whose obligations under EU AI Act Articles 53 and 55 cascade into every downstream high-risk deployment. The endpoint is a substrate on which EU AI Act conformity, FDA submissions, ISO/IEC 42001 certification, NIST AI RMF crosswalks, and incident reporting under multiple regimes settle against the same chain, replacing the current arrangement in which each regime drives its own evidence pipeline.