UNECE / FDA Regulated-Autonomy Training Compliance

by Nick Clark | Published April 25, 2026

Regulated autonomy — vehicles under UNECE WP.29 frameworks, medical devices under the FDA AI/ML Predetermined Change Control Plan, aviation systems under EASA AI Concept Papers, and general-purpose AI under the EU AI Act — is converging on a single compliance shape. Operators must demonstrate, at per-example resolution, which training data influenced which model behaviors, that data rights and quality requirements were honored at admission time, that revocation propagates structurally, and that audit-grade lineage supports forensic reconstruction. Procedural documentation produced after the fact cannot satisfy these requirements at fleet scale; an architectural training-governance primitive can. Depth-selective gradient routing under credentialed admission produces the per-example provenance that regulators are now writing into binding text.


The Regulatory Framework Converging on Training-Data Provenance

Five regulatory streams now converge on the same architectural requirement. EU AI Act Article 10 obligates providers of high-risk AI systems to implement data-governance practices that cover relevant design choices, data collection processes, examination for biases, identification of data gaps, and demonstration that training, validation, and testing datasets are relevant, sufficiently representative, free of errors, and complete in light of the intended purpose. Article 15 layers on accuracy, robustness, and cybersecurity obligations that cannot be evaluated without knowing what the system was trained on. Article 26, addressed in the parallel inference-control article, then requires deployers to operate under those training-time guarantees.

GDPR Article 22, on automated decision-making, and the broader lawful-basis framework under Article 6 require that personal data used for training carry a lawful basis through the entire training and inference lifecycle. Revocation of consent or exercise of erasure rights under Article 17 must propagate to every model whose parameters were shaped by the revoked data — an obligation that is unenforceable without per-example lineage.

NIST AI RMF organizes the same obligations under its Govern, Map, Measure, and Manage functions. Map requires that the context of use, including data provenance, be documented. Measure requires that training-data characteristics be quantified against the intended use. Manage requires that adverse training-time decisions be remediable. ISO/IEC 23894 provides the AI-specific risk-management vocabulary that translates these functions into operational controls, and ISO/IEC 42001 places those controls inside an auditable AI Management System (AIMS) certifiable by accredited bodies.

Sector-specific regimes specialize the same shape. The FDA AI/ML PCCP framework, finalized for Software as a Medical Device, requires a Predetermined Change Control Plan that bounds permissible modifications and a Modification Protocol that specifies the methods used to validate any change — including changes to training data. NHTSA's AV TEST initiative and the broader UNECE WP.29 cybersecurity framework (R155) and software update regulation (R156) require traceability from fielded behavior back to the training and software process that produced it. EASA's Concept Papers on machine-learning assurance carry the same logic into airworthiness. The OECD AI Principles, which now inform domestic legislation in more than forty jurisdictions, codify the underlying expectation: traceability and accountability across the AI lifecycle.

Architectural Requirement: Per-Example Provenance, Not Per-Pipeline Documentation

Each of these regimes asks a question of the same structural form: given an observed behavior of a deployed model, which training-time inputs caused it, under what rights and what governance, and can that causal chain be reproduced under audit? That question has an architectural answer or it has none. Pipeline-level documentation describes what the engineering team intended; it does not bind any specific gradient update to any specific training example, and it cannot be replayed.

The architectural requirement is therefore threefold: training data must enter the model only through admission events that carry credentialed provenance; gradient updates must be routed with a depth selectivity that is itself recorded; and the resulting model state must be reconstructible from the ordered sequence of credentialed updates. Anything weaker collapses under the kind of forensic question regulators are now empowered to ask after a vehicle incident, a medical adverse event, an algorithmic-discrimination complaint under GDPR, or a recall under FDA Section 518.

Why Procedural Compliance Fails at Fleet Scale

The procedural pattern — collect data, document collection, train a model, document training, audit the documentation — was developed for low-volume traditional ML where a single team controlled the dataset and a single training run produced a single artifact. Regulated autonomy violates every assumption of that pattern. Fleet learning aggregates contributions from thousands of vehicles, hundreds of clinical sites, or millions of devices; each contribution arrives under different consent posture, different jurisdictional rights, and different quality controls. Continuous training under the FDA PCCP framework or under the EU AI Act's post-market monitoring obligations means there is no single artifact to audit — there is a continuously evolving model whose state at any given time is the integral of an ongoing stream of updates.

Documentation cannot keep pace with this stream. The gap is not that engineers are lazy; the gap is structural. By the time an audit asks "which training contributors influenced this specific behavior," the answer must be reconstructed from logs, commit histories, dataset snapshots, and engineering memory — none of which were authored to answer that question. The reconstruction is expensive, partial, and not legally defensible at the standard the AI Act, the FDA, or NHTSA now apply. Operators discover this only when a serious incident or a regulatory inspection forces the question to be asked under adversarial conditions.

A second failure mode is revocation. GDPR Article 17 erasure, withdrawal of consent under research-ethics frameworks, or removal of a contributor under contractual termination must propagate into the model. Without per-example lineage there is no way to identify which parameter updates were tainted, and no way to remediate short of full retraining — which is operationally infeasible for fleet-scale models and therefore, in practice, not done. The regulatory exposure compounds silently.

What the AQ Training-Governance Primitive Provides

The Adaptive Query training-governance primitive treats every training contribution as a credentialed observation. Each example admitted into the training stream carries a signed attestation from a credentialing authority — a fleet operator, a clinical site, a data-rights authority — binding the example to its rights envelope, quality posture, and admission policy. Depth-selective gradient routing then admits the contribution into specific layers or adapters of the model under a routing policy that is itself a credentialed object. The result of each update is a credentialed update event that references both the contributing observation and the routing policy that admitted it.

The model state at any time is therefore the ordered composition of credentialed update events. Audit replay reconstructs the events that produced any specific model behavior; revocation of a contributing observation propagates structurally because the update events that depend on it are identifiable; depth-selective routing means that revocation can often be remediated by adapter rollback rather than full retraining. The compliance pathway shifts from procedural reconstruction to architectural query.
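The admission, lineage, and revocation flow described above can be sketched as follows. This is an added illustration, not the Adaptive Query implementation: the names (`attest`, `LineageLedger`, the policy fields) are hypothetical, the key is constructed, and HMAC stands in for the credentialing authority's signature.

```python
import hashlib, hmac, json

# Constructed demo key; HMAC is a stand-in for an authority's real signature.
AUTHORITY_KEYS = {"fleet-operator-A": b"constructed-demo-key"}
SIGNED_FIELDS = ("authority", "example_id", "rights")

def _sign(key, att):
    # Sign a canonical encoding of exactly the fields the credential binds.
    body = json.dumps({k: att[k] for k in SIGNED_FIELDS}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def attest(authority, example_id, rights):
    """Issue a credential binding an example to its rights envelope."""
    att = {"authority": authority, "example_id": example_id, "rights": rights}
    return {**att, "sig": _sign(AUTHORITY_KEYS[authority], att)}

def verify(att):
    key = AUTHORITY_KEYS.get(att.get("authority"))
    if key is None or any(f not in att for f in SIGNED_FIELDS):
        return False
    return hmac.compare_digest(_sign(key, att), str(att.get("sig", "")))

class LineageLedger:
    def __init__(self):
        self.events = []  # ordered credentialed update events

    def admit(self, att, policy):
        """Record an update event only if credential and routing policy pass."""
        if not verify(att):
            raise PermissionError("attestation failed verification")
        if att["rights"] not in policy["allowed_rights"]:
            raise PermissionError("rights envelope not admitted by policy")
        event = {"seq": len(self.events), "example_id": att["example_id"],
                 "policy_id": policy["id"], "target": policy["target"]}
        self.events.append(event)
        return event

    def revoke(self, example_id):
        """Identify the update events and adapters that depend on an example."""
        hits = [e for e in self.events if e["example_id"] == example_id]
        return {"events": [e["seq"] for e in hits],
                "rollback_targets": sorted({e["target"] for e in hits})}
```

Because each event names the routing target it updated, a revocation query returns the specific adapters to roll back instead of forcing a full retrain.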

Compliance Mapping

EU AI Act Article 10 data-governance obligations map onto credentialed admission: each training example arrives with a signed rights and quality envelope, and the admission policy enforces representativeness and bias-examination requirements at the moment of admission rather than retrospectively. Article 15 accuracy and robustness obligations map onto the depth-selective routing record, which makes the relationship between training inputs and model behavior reproducible for evaluation. GDPR Article 17 erasure and Article 22 automated-decision obligations map onto the revocation propagation that per-example lineage enables.

NIST AI RMF Map and Measure functions map directly onto the credentialed-observation record; Manage maps onto the audit-replay and adapter-rollback capabilities. ISO/IEC 23894 risk controls and ISO/IEC 42001 AIMS clauses on data management, lifecycle traceability, and corrective action are satisfied architecturally rather than through a separate documentation layer. The FDA PCCP Modification Protocol becomes executable: the bounded modifications are bounded by routing policy, and the validation methods are reproducible against the credentialed update record. UNECE R155 cybersecurity-management traceability and R156 software-update integrity obligations map onto the same primitive. EASA learning-assurance objectives — particularly the Data Management and Learning Process Management objectives in the EASA Concept Paper — gain a structural implementation.

Adoption Pathway

Adoption proceeds in three stages. First, operators wrap existing training pipelines with credentialed admission at the dataset boundary, producing a per-example provenance record without modifying the training algorithm. This step alone closes the most acute audit gap. Second, operators introduce depth-selective routing for incremental updates — fleet-learning increments, post-market updates under FDA PCCP, or fine-tuning under continuous learning — so that updates carry the routing record that makes revocation tractable. Third, operators integrate the audit-replay path into their AIMS under ISO/IEC 42001, so that regulator queries are answered by query against the lineage rather than by manual reconstruction.

Cross-jurisdictional operation — a vehicle platform fielded under UNECE in Europe, NHTSA in the United States, and equivalent frameworks in Japan and Korea; a medical-device platform under FDA, EU MDR with AI Act overlay, and PMDA — gains the same architectural foundation in every jurisdiction. The primitive is positioned at exactly the layer where regulated autonomy is converging, and it gives operators a compliance posture that procedural approaches structurally cannot reach.

Concretely, a vehicle program adopting the primitive begins by treating each fleet-collected scenario contribution — a corner-case event, a sensor-anomaly capture, a driver-disengagement sequence — as a credentialed observation signed by the contributing vehicle and counter-signed by the fleet operator's data-rights authority. The training pipeline then admits the contribution into specific perception, prediction, or planning subsystems through depth-selective routing, recording the routing decision and the policy that authorized it. When NHTSA later issues a Standing General Order request, when a UNECE R155 audit asks how a software update was validated, or when an EU AI Act post-market incident report must be filed under Article 73, the operator answers by query against the lineage rather than by reconstruction from scattered engineering artifacts.

A medical-device program follows an analogous path. Each clinical-site contribution carries the IRB approval, consent posture, and dataset characterization as part of the credential. PCCP-bounded modifications are admitted only when the proposed update is consistent with the routing policy declared in the Modification Protocol; modifications that fall outside the bound are refused at the architectural boundary, not caught by a downstream review process that may or may not occur. When an FDA inspection asks why a particular device behavior emerged after a particular update, the audit-replay path produces an answer at per-example resolution. The primitive does not replace the regulatory dialogue with FDA, UNECE, EASA, or national authorities; it replaces the structural gap that currently makes that dialogue an exercise in reconstruction with a structural foundation that makes the dialogue an exercise in query.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie