Five Dimensions of Regulator-Grade AI Governance — Mapping Sue Eze's Operational Test Against the AI Act, ISO/IEC 42001 and NIST AI RMF

1. What a National Competent Authority Will Actually Test

The text of Regulation (EU) 2024/1689 does not, in any single Article, set out a five-part test for whether a high-risk AI system is operationally governed. Article 9 obliges a risk management system. Article 11 obliges technical documentation. Article 12 obliges logging. Article 13 obliges transparency to the deployer. Article 14 obliges human oversight. Article 17 obliges a quality management system. None of those obligations is itself phrased as a test a regulator could put to a system on a Friday afternoon.

That gap — between what the Regulation obliges and what a 2027 inspection will functionally test — is the gap Sue Eze, an AI Governance and Technology Risk Lead working at the ISO/IEC 42001, EU AI Act and runtime risk-and-model-assurance intersection, named publicly on 16 May 2026 in a single comment under a thread about the architecture-layer of the EU AI Act audit-trail stack. Eze's formulation is reproduced below, verbatim.

Five operational properties sit inside that sentence: authorised, governed, reproducible, defensible, and evidence-state-preserved (Eze's phrase “given the evidence state that existed at the time” is the fifth, named as a state condition rather than as an adjective). NiTiN Grover added the temporal dimension two days earlier, on 14 May 2026:

Grover's contribution moves the test from a single point in time into a continuum: the system must be governable at every point along its operational life, not just at the moment of inspection. The five dimensions Eze named are the operational properties that have to hold at every point on that continuum.

2. The Five Dimensions, in Detail

3. The Counter-Argument the Five-Dimension Framing Has to Address

A regulator, a standards committee member, or an academic critic could reasonably object that the five-dimension framing presented in Sections 1 and 2 is not the organising taxonomy of any of the three regulatory regimes it claims to map. The EU AI Act organises its obligations by provider/deployer role, risk class, and lifecycle. ISO/IEC 42001 organises around a management-system structure and the PDCA cycle. NIST AI RMF organises around four functions named GOVERN, MAP, MEASURE, MANAGE. None of those native taxonomies decomposes into Eze's five operational properties. The five-dimension framing is, on the strict view, an analytical overlay imposed from outside the regimes rather than read from inside them.

Counter-argument stress test

The five dimensions are an analytical overlay, not a native statutory architecture

On the strict reading, the objection succeeds. The five labels — authorised, governed, reproducible, defensible, evidence-state-preserved — appear in none of the three regimes. They are cross-regime analytical abstractions, not statutory categories. A reader who expects the framing to be derivable from the text of any single Article or clause will not find it there.

The reason the objection does not undermine the framing is that the operational test a national competent authority will functionally apply in a 2027 high-risk inspection is itself an overlay on the regime, not a recitation of it. An inspection is not a reading aloud of Article 9; it is an assessment of whether the risk-management system Article 9 obliges is actually functioning. The five-dimension framing is an attempt to write down what that operational assessment will materially examine, drawing on the obligations the three regimes establish in their own taxonomies and translating them into the language an operator can apply at the point of execution.

The defensible position is therefore narrower than “the regulation requires these five dimensions” and stronger than “these are opinions worth considering”: the five dimensions are the operational consequences of the obligations the three regimes establish, expressed in terms an operator can test rather than in terms a statute drafts. They are the operationalisation, not the law.

Analytical method: the strongest version of the analytical-overlay objection was stress-tested against the regulatory text of Articles 9, 11, 12, 13, 14, 15 and 17, the ISO/IEC 42001 clause structure, and the NIST AI RMF functions using the GraQle reasoning substrate (synthesis confidence 74 % over 50 activated corpus nodes). The conclusion that the five dimensions are an operational synthesis rather than a native statutory category is the author's; the substrate identified the structural mismatch between Eze's framing and the regimes' own taxonomies.

The honest reading is therefore: the five dimensions are an operational translation of what the EU AI Act, ISO/IEC 42001 and NIST AI RMF jointly require, expressed in the register an operator can apply rather than the register a statute drafts. The translation is correct in direction and useful in practice; it is not derivable line-by-line from any single regime. That is the right standard to hold the framing to.

4. The Cross-Regime Mapping at a Glance

The five dimensions map across the three regimes as follows. Each cell identifies the principal regulatory anchor; secondary anchors are noted in the prose for each dimension in Section 2.

The table is not a statutory mapping. It is the synthesis of how Eze's five operational properties most naturally engage with the obligations the three regimes establish. Where the regimes overlap (the QMS obligations of EU AI Act Article 17 and ISO/IEC 42001's management-system clauses, for example), the operational dimension draws from both. Where the regimes diverge in emphasis, the dimension takes its operational substance from the regime that addresses it most directly.

5. The Second-Order Observation: LLM Governance Decomposes by Invocation, Not by Model Version

The five-dimension framing is, on its face, system-agnostic: it should apply equally to a traditional supervised-learning credit-scoring model deployed inside a bank, a transformer-based document-classification system in a legal-services firm, and a large-language-model-mediated triage assistant in a hospital. The operational test is the same in each case.

On closer inspection, the test is the same but the unit of governance is not. That observation has not been raised on the public LinkedIn thread that produced the five-dimension framing, and it has consequences for how a CRO, CISO, or Head of AI Risk should design the operational controls that satisfy each dimension.

Second-order observation

Not raised on the public LinkedIn thread · surfaces only when the five dimensions are composed with Articles 9 + 17 and the LLM control stack

For traditional ML systems, the unit of governance is the model artefact. For LLM-based deployments, the unit of governance shifts to the decision event. The five dimensions still apply — but they have to be satisfied per invocation rather than per model version, and the operational controls that produce them change shape accordingly.

For traditional ML, the control stack is well understood: dataset provenance, training approval, validation, versioning, release gating, post-deployment monitoring. Each control attaches to a model artefact, and the artefact is the unit the QMS under Article 17 governs. The five dimensions are satisfied by validating the model artefact and then keeping the model artefact stable under production change control.

For LLM-based deployments, the control stack has to add an execution-time layer the model-artefact controls do not cover: prompt authorisation, context-window control, retrieval-source control, tool-call authorisation, runtime policy state, per-inference evidence binding. Each of these can vary between invocations of the same underlying model. A QMS that governs only the model artefact will fail every one of the five dimensions on the first invocation where the prompt changed, the retrieval index updated, or a tool became available that was not available at validation time.

The operational consequence is what one might call decision-time evidence binding: each invocation of an LLM-mediated decision must produce, at the moment of the decision, a signed evidence record that captures the full execution context. The record is what makes the dimensions of reproducibility and evidence-state-preservation achievable in a system where the model artefact is no longer the authoritative governance unit. Article 9 obliges that risk controls be active and effective; Article 17 obliges that those controls sit inside a working QMS; ISO/IEC 42001's PDCA cycle obliges that the QMS actually run. For LLM-based systems, the only place those obligations can be operationally discharged is the per-invocation evidence record.

Analytical method: the ML-versus-LLM control-unit distinction was surfaced through GraQle's reasoning substrate during a query about how Articles 9 and 17 compose with the ISO/IEC 42001 PDCA cycle (synthesis confidence 74 % over 50 activated nodes). The pattern has not been raised by any contributor (Eze, Grover, Borner, Matiash, Picard, Miller, Ali, Jones, Brown, Chapman) on the public LinkedIn thread of 11–17 May 2026.

6. What This Means for an Enterprise Reader

For a CRO, CISO or Head of AI Risk applying the five dimensions to an actual AI governance programme, the practical consequences fall into three working requirements that have to be reflected in the deployer's control framework regardless of which AI system the framework is applied to.

1. The QMS has to be specific to the AI system at execution time. A general AI-governance policy document satisfies the governed dimension on its face, but not in substance, unless the policy is anchored to a specific system, a specific deployment configuration, and a specific operational moment. The policy and the deployment have to move together.
2. The evidence chain has to be designed for the invocation pattern of the system in production. For traditional ML, that means model-artefact provenance and inference-time logging tied to the model version. For LLM-based systems, that means per-invocation evidence binding sufficient to reconstruct the prompt, context, retrieval state and tool-call state at the moment of the decision. The evidence chain a CRO inherits from a model-centric vendor is not adequate for an invocation-centric deployment.
3. The defensibility test has to be run before the regulator runs it. The five-dimension framing reads as five operational properties, but in inspection practice the regulator tests defensibility by asking the other four questions and watching whether the answers hold up. The defensibility dimension is therefore an emergent property of the other four operating together; it cannot be evidenced on its own. The implication is that the only meaningful internal preparation for inspection is to run the four substantive dimensions against the same evidence the regulator will see, in the same form, under the same time pressure.

For a working procurement-side preview of how the five dimensions decompose into vendor-evaluation questions, see Cluster 2 on the five-question procurement diagnostic. For the architecture-layer reading of why reproducibility in particular is operationally harder than it sounds, see Cluster 1 on recall versus verifiability.

7. What Is Still Unsolved

Three gaps remain in the five-dimension framing that Eze's public formulation does not close, and that no contributor on the broader thread has resolved.

First, the harmonisation gap between Article 17 and ISO/IEC 42001. The QMS obligation in Article 17 of the EU AI Act and the management-system obligation in ISO/IEC 42001 are closely related but not identical. Where they overlap, a single QMS implementation can satisfy both; where they diverge, the deployer faces an operational choice about whether to run two parallel control frameworks or a single hybrid framework calibrated against both standards. The CEN-CENELEC JTC 21 harmonised-standards process under Article 40 is intended to close this gap; the timeline for the harmonised standards to be published is not yet fixed against the post-Omnibus December 2027 enforcement deadline for Annex III systems.

Second, the agentic-systems extension. The five-dimension framing treats the unit of governance as a decision (for traditional ML) or an invocation (for LLM-based systems). For agentic AI systems — those that take multi-step actions over time, with behavioural drift across the action chain — the unit of governance is neither. The April 2026 working paper by Nannini, Smith, Maggini, Panai, Feliciano, Tiulkanov, Maran, Gealy and Bisconti (“AI Agents Under EU Law”, arXiv:2604.04604) makes the position unambiguous: high-risk agentic systems with untraceable behavioural drift cannot currently satisfy the AI Act's essential requirements. The five-dimension framing does not yet extend cleanly to the agentic case.

Third, the cross-jurisdictional alignment problem. The five dimensions are framed against the EU AI Act, ISO/IEC 42001 and NIST AI RMF. For an enterprise operating across EU, US, UK and APAC jurisdictions, the operational controls that satisfy the five dimensions under the EU AI Act may not satisfy the analogous obligations under the UK AI regulatory regime, the US sector-specific regimes, or the emerging APAC frameworks. The five-dimension framing is a useful starting point but is not by itself a cross-jurisdictional compliance plan.

Frequently Asked Questions