AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News
Research2026-04-25

Multi-Jurisdictional AI Governance Gaps Threaten Enterprise Compliance, arXiv Study Finds

Source

arXiv

What happened

A research preprint published on arXiv, available at https://arxiv.org/html/2512.02046v1, provides a structured comparative analysis of AI governance requirements across the United States, European Union, and Asia-Pacific region. The study catalogs areas where regulatory frameworks including the EU AI Act, the NIST AI Risk Management Framework, and various national and state-level mandates converge or conflict, identifying specific implementation gaps that organizations face when translating legal obligations into operational controls. The preprint does not carry binding legal force but offers compliance practitioners a detailed mapping of control requirements across major regulatory regimes. The EU AI Act imposes risk-based obligations tied to specific use-case classifications, with prohibitions on unacceptable-risk systems already in effect and obligations for high-risk systems phasing in through 2026 and 2027. The research is intended to serve as a diagnostic tool for enterprises assessing the completeness of existing AI governance programs operating across multiple jurisdictions simultaneously.

Why it matters

  • ·Organizations subject to the EU AI Act face binding and time-sensitive compliance deadlines through 2027, and failure to close identified gaps in areas such as transparency obligations and high-risk system classification could result in direct regulatory exposure and financial penalties.
  • ·Enterprises operating internationally must reconcile structurally different frameworks, such as the mandatory risk-based EU AI Act and the voluntary NIST AI RMF, creating operational complexity when designing unified governance programs that satisfy divergent documentation, oversight, and enforcement requirements.
  • ·Compliance teams that rely on control inventories built around a single jurisdiction may face significant organizational risk when audited under a second or third framework, as gaps identified in the preprint suggest existing controls frequently fail to satisfy the full scope of overlapping mandates.

Governance controls affected

What to do now

  • Map your organization's current AI control inventory against the gap areas identified in the arXiv preprint, with priority given to transparency obligations, human oversight mechanisms, and high-risk system classification criteria.
  • Conduct a jurisdiction-by-jurisdiction review of which EU AI Act high-risk obligations apply to your deployed AI systems and confirm readiness against the phased compliance timeline running through 2026 and 2027.
  • Assess whether your existing HOC-001 risk classification methodology aligns with the use-case-based classification logic required under the EU AI Act as compared to the voluntary NIST AI RMF structure.
  • Review and update model documentation and audit logging practices to ensure they satisfy the most stringent documentation requirements across all jurisdictions in which your organization operates.
  • Track whether the arXiv preprint is accepted for peer-reviewed publication, as that status would increase its utility as a reference point in regulatory discussions and external audit contexts.

What to watch next

Compliance teams should monitor the phased implementation schedule of the EU AI Act, particularly the obligations for high-risk AI systems coming into effect through 2026 and 2027, to ensure remediation timelines are aligned with binding legal deadlines. Teams should also track the development of national AI frameworks in Asia-Pacific jurisdictions and any new state-level initiatives in the United States that may introduce additional divergence from existing federal guidance such as the NIST AI RMF. The potential peer-reviewed publication of this arXiv preprint warrants monitoring, as a formally published version could carry greater weight in regulatory and audit discussions. Broader enforcement signals from EU supervisory authorities as the AI Act matures will also provide important guidance on how gap analysis findings of this type are weighted in practice.

Related Coverage

Research2026-06-15

S&P Global Report Frames AI Governance as a Principle-Based Risk Discipline, Raising the Bar for Enterprise Compliance Programs

S&P Global has published a research report titled 'The AI Governance Challenge,' arguing that enterprise AI governance should be anchored in five core principles: transparency, fairness, privacy, adaptability, and accountability. The report documents common organizational practices including ethical review boards, impact assessments, algorithmic transparency mechanisms, and risk-focused controls. Its findings map directly to compliance, model governance, and privacy programs across industries.

Research2026-07-09

Design-Level Accountability Gap: Why Post-Deployment Oversight Cannot Substitute for Upstream AI Governance

A July 2026 analysis published in Tech Policy Press argues that AI governance frameworks systematically misplace accountability by focusing on runtime human overrides rather than the design, validation, and authorization decisions that determine whether a system should have been deployed at all. The author contends that separate accountability tracks for data integrity and system integrity are necessary to conduct complete failure investigations. Without upstream controls, catastrophic AI failures will continue to be misattributed and governance gaps will persist.

Research2026-07-09

EU Municipal AI Registers and Mandatory Audits Set a New Procurement Bar for Enterprise AI Vendors

A CIDOB research chapter on urban AI governance documents how EU municipalities are implementing Algorithm Lifecycle Approaches that include mandatory audits for high-risk systems, public algorithm registers, and vendor fact sheet requirements. The framework draws on live municipal case studies and provides a practical implementation model that cities can adopt directly. Enterprises selling AI systems to public sector buyers in the EU should treat these mechanisms as emerging procurement conditions, not optional transparency gestures.