AI 底层逻辑 / 经典论文

AI Regulatory Horizon：义务情报架构

一句话:

221 行ai-foundations/papers/111-ai-regulatory-horizon-obligation-intelligence-architecture.md

AI Regulatory Horizon / Obligation Intelligence Architecture 解读

面向对象: AI Product Architect / Enterprise Architect / AI Governance PM / Senior BA / Compliance Technology Lead / Financial Services Product Owner。核心问题: AI laws、guidance、regulatory speeches、supervisory priorities、standards 和 vendor notices 会持续变化。团队需要把外部变化转成可维护的 obligation intelligence system, 而不是等检查或事故后临时响应。学习目标: 建立 source monitoring、applicability triage、obligation extraction、impact mapping、owner assignment、control/eval/change linkage、evidence 和 management reporting 的完整架构。

Source Anchors

Source	Link	用途
EU AI Act, Regulation (EU) 2024/1689	https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng	AI risk-based obligations、provider/deployer responsibilities、transparency、high-risk AI、post-market monitoring
NIST AI RMF	https://www.nist.gov/itl/ai-risk-management-framework	用 Govern / Map / Measure / Manage 组织 AI risk management 和 obligation-to-control translation
ISO/IEC 42001	https://www.iso.org/standard/42001	用 AIMS 管理体系连接政策、职责、运行控制、绩效评价和持续改进
Federal Reserve SR 26-2	https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm	Revised model risk management guidance。SR 26-2 于 2026-04-17 supersedes SR 11-7 和 SR 21-8
CFPB circulars / guidance index	https://www.consumerfinance.gov/compliance/circulars/	Consumer finance circular、bulletin、advisory opinion、interpretive rule 和 supervisory signal 监控入口
一句话:

Obligation Intelligence Architecture 是把不断变化的监管信号转成内部可查询、可分派、可测试、可上线门禁、可审计和可汇报的 obligation-to-control graph。

1. Thesis: Horizon 不是 Response

Regulatory response 关注已经发生的 exam、incident、audit finding、regulator request。 Regulatory horizon / obligation intelligence 关注更早的问题:

哪些 laws、guidance、speeches、priorities、standards、vendor notices 和 peer incidents 正在变化。
哪些变化可能适用于哪些 AI assets、产品、客户、地区、流程、模型和供应商。
哪些文本应被抽取为 obligation、expectation、control implication 或 watch item。
哪些 owner 需要更新 control、eval、release gate、evidence 或 management reporting。核心转译:

source monitoring
-> signal intake and versioning
-> applicability triage
-> obligation extraction
-> obligation ontology
-> impact mapping
-> owner assignment
-> control / eval / change linkage
-> evidence and reporting

2. Why It Matters

金融零售 AI 的义务不是单一法规，而是叠加系统:

Change surface	例子	没有 obligation intelligence 的后果
AI law	EU AI Act phases, high-risk AI, GPAI	legal memo 停留在文档，没有进入 inventory、control 和 release gate
Supervisory guidance	SR 26-2、third-party、operational resilience	把 GenAI 硬塞进旧模型风险表，忽略 agent、RAG、tool 和 workflow 风险
Consumer protection	CFPB circulars、adverse action、complaints、UDAAP	客户伤害信号没有转成 eval、escalation 和 monitoring
Standards	NIST AI RMF、ISO/IEC 42001	框架只用于培训，没有转成 AIMS control library
Speeches / priorities	exam priority、supervisory focus	管理层知道趋势，但 backlog 没有 action
Peer incidents	misleading chatbot、biased model、vendor outage	只做新闻分享，没有触发 red-team 和 control update
高级 PM / BA / Architect 的价值是把“外部变化”变成“内部设计变化”。

3. Core Concepts

Concept	定义	产物
Regulatory signal	外部来源中的潜在变化或监管关注	signal record, URL, access date
Applicability triage	判断信号是否可能影响实体、产品、地区、use case、角色	triage decision, legal questions
Obligation	组织必须、应当或需要证明的要求	obligation object
Expectation	非硬性法规但影响监管判断的 supervisory expectation	expectation object
Control implication	义务对流程、系统、数据、评测、证据的设计影响	control objective
Obligation ontology	义务的分类、属性、关系和状态模型	ontology dictionary
Impact graph	signal/obligation 到 AI asset、control、eval、change、owner 的图	graph query, dashboard
Horizon cadence	周期性扫描和事件驱动触发机制	weekly/monthly/quarterly workflow
关键区分:

Law is not control.
Guidance is not product requirement.
Obligation is not evidence.
Evidence is not control operation unless it proves the control ran.

4. Architecture Diagram

External sources
  EU AI Act | NIST | ISO | SR letters | CFPB | speeches | standards | incidents
        |
        v
Source registry and version store
        |
        v
Signal classifier
  law | supervisory expectation | standard update | enforcement pattern | vendor notice
        |
        v
Applicability triage
  jurisdiction | entity | role | product | AI capability | customer impact | data | vendor
        |
        v
Obligation extraction and ontology
  obligation | expectation | control implication | watch item
        |
        v
Obligation-to-control/eval/change graph
  AI inventory <-> controls <-> evals <-> releases <-> incidents <-> evidence
        |
        v
Workflow and reporting
  owner tasks | governance review | dashboard | board memo | audit evidence

Design principle:

Every material signal becomes one of:
no-impact rationale, watch item, obligation object, control update,
eval update, change request, or management risk acceptance.

5. Obligation Ontology

Field	说明
obligation_id	稳定编号，例如 `OBL-EUAI-HR-LOG-001`
source_id	来源、版本、URL、发布日期、access date
jurisdiction	EU、US federal、state、UK、APAC、internal policy
authority_type	law、regulation、guidance、speech、standard、supervisory priority
obligation_type	inventory、risk management、data governance、logging、human oversight、transparency、evaluation、incident、third-party
applicability_condition	适用条件，例如 deployer、creditworthiness、customer-facing、high-risk、GPAI dependency
action_verb	identify、document、monitor、test、disclose、report、retain、escalate
impacted_artifact	policy、process、system、model、prompt、RAG source、tool、workflow、evidence
owner_role	legal、compliance、risk、PM、BA、architect、data、security、vendor owner
control_link	对应 control objective 和 control activity
eval_link	对应 eval suite、threshold、review cadence
change_link	触发 change request、release gate 或 remediation
evidence_link	可证明的 artifact、log、dashboard、approval、report
status	new、triaged、mapped、implemented、monitored、retired

6. Current Nuance: SR 26-2 and GenAI

SR 26-2 superseded SR 11-7 and SR 21-8 on 2026-04-17. The architecture lesson is not “everything GenAI is just a model under the old template.” Better framing:

Predictive models, scorecards and AML models still need model risk governance.
GenAI, RAG and agentic AI include model behavior plus prompt, corpus, tool permission, workflow, human oversight, vendor and monitoring risk.
Some GenAI components may be model-risk relevant, but the system also needs broader AI governance: inventory, source governance, tool authority, eval, transparency, incident, change and evidence.
Obligation intelligence should route obligations to the right governance domain, not blindly force every item into legacy model validation.

7. Financial Retail Case

Scenario: a retail bank runs an AI customer service assistant for credit card disputes and fee questions across US and EU channels. New signals:

EU AI Act transparency and high-risk screening are reviewed for EU users.
CFPB guidance index shows changes in consumer finance circulars that may affect misleading statements, credit reporting or dispute handling.
SR 26-2 updates model risk management expectations for supervised banking organizations.
NIST AI RMF and ISO/IEC 42001 are used as governance and management-system anchors. Impact mapping: | Signal | Applicability question | Control/eval/change action | |---|---|---| | EU AI Act | Is the assistant customer-facing, high-risk, or interacting with EU users? | Update AI disclosure, role analysis, inventory and high-risk screen | | CFPB guidance | Could outputs affect dispute rights, fees, credit reporting or complaints? | Add consumer harm scenarios to eval and complaint escalation | | SR 26-2 | Does any model component support material banking decisions? | Route predictive model pieces to model risk and RAG/agent controls to broader AI governance | | NIST AI RMF | Are Govern/Map/Measure/Manage activities traceable? | Add missing risk measurement and management evidence | | ISO/IEC 42001 | Is this covered by AIMS process control and management review? | Add obligation dashboard to quarterly AIMS review |

8. PM / BA / Architect Checklist

Role	Checklist
PM	Maintain horizon backlog by product line and risk tier; convert material signals into roadmap decisions, release gates or risk acceptance; track customer harm, complaint and trust metrics as obligation signals.
BA	Translate obligations into process steps, decisions, exceptions, roles and evidence; build applicability questions Legal/Compliance can answer quickly; update requirements when jurisdiction, product, customer segment or automation level changes.
Architect	Connect obligation IDs to AI inventory, control catalog, eval registry and change tickets; version source, obligation, control, evidence and release decision; instrument evidence capture so reporting is not manual spreadsheet archaeology.

9. Code-Lite Experiment

Build a tiny obligation triage prototype with structured data:

source:
  id: SRC-FED-SR26-2
  url: https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm
  type: supervisory_guidance
  access_date: 2026-06-30
signal:
  text: revised model risk management guidance supersedes SR 11-7 and SR 21-8
  jurisdiction: US federal banking
triage:
  product: credit_card_ai_assistant
  ai_capability: predictive_score + rag + llm_draft
  customer_impact: medium
  decision_role: recommend_and_draft
obligation_object:
  type: model_risk_and_ai_governance_alignment
  action: map components to model risk, AI governance, vendor risk, eval and change controls
  owner: ai_governance_owner
  due: 2026-07-31

Pseudo-query:

SELECT ai_asset_id, control_id, eval_id, owner_role
FROM obligation_graph
WHERE source_id = 'SRC-FED-SR26-2'
  AND status IN ('new', 'triaged', 'mapped')
  AND risk_tier IN ('Tier1', 'Tier2');

Pass condition: every material signal produces an owner, a decision, and a traceable graph edge.

10. Interview Questions

Question	Strong answer angle
How is horizon scanning different from regulatory response?	Horizon scanning is proactive: identify signals, triage applicability, extract obligations, map impacts and update controls before an exam or incident. Regulatory response is reactive or event-driven.
How do you prevent regulatory tracking from becoming a legal newsletter?	Require every material signal to resolve into no-impact rationale, watch item, obligation, control update, eval update, change request or risk acceptance.
How do you handle multi-jurisdiction AI obligations?	Use jurisdiction, entity, product, user location, data location, AI role and decision impact as applicability dimensions. Never assume one global answer.
How would you treat SR 26-2 for GenAI?	Use it where model risk principles apply, but govern GenAI/agentic systems through broader AI governance covering prompt, RAG, tools, workflow, vendor, eval, monitoring and evidence.
What artifact proves the system works?	An obligation-to-control/eval/change graph with source version, owner, status, evidence and dashboard metrics.

11. Common Pitfalls

Pitfall	Fix
Monitoring only laws, not speeches, priorities, standards and enforcement patterns	Use a source taxonomy and confidence level
Copying legal text into a control library	Extract action verbs, applicability conditions and evidence requirements
One global applicability answer	Apply jurisdiction/product/use-case segmentation
Treating standards as optional reading	Use NIST and ISO as internal operating-system anchors
Forcing every AI system into legacy model risk	Split model-risk controls from broader AI governance controls
No owner for horizon signals	Assign legal interpretation, product impact, control update and evidence owners separately
No change linkage	Material obligation updates must trigger release governance and regression eval
Dashboard shows counts only	Report aging, coverage, overdue owners, impacted Tier 1 assets and unresolved applicability decisions

12. 面试表达

30 秒版本:

我会把 AI regulatory horizon 做成 obligation intelligence architecture, 不是每周转发法规新闻。系统从法规、guidance、speech、supervisory priority、标准和行业事件采集 signal, 再做 applicability triage、义务抽取、impact graph、owner assignment, 最后连接 control、eval、change gate、evidence 和 management reporting。 2 分钟版本: 在金融零售 AI 里，义务会随 jurisdiction、产品、use case、客户群、AI 自动化程度、数据和供应商而变化。我会先建立 source taxonomy 和 source registry，确保 EU AI Act、NIST AI RMF、ISO/IEC 42001、SR letters、CFPB circulars 等来源有版本和访问日期。然后每个 signal 进入 triage: 判断地区、实体角色、产品、AI 能力、客户影响和数据边界。如果 signal material, 就抽取成 obligation object: action verb、applicability condition、owner、control objective、eval link、change link 和 evidence link。架构上维护 obligation-to-control/eval/change graph, 回答“这个新义务影响哪些 AI assets、哪些 release gate、哪些控制和哪些证据”。对 SR 26-2 这类更新，我不会把 GenAI/agentic AI 机械塞进旧模型风险框架，而是把模型部分路由到 model risk, 同时用 broader AI governance 管 prompt、RAG、tool、workflow、vendor、eval、monitoring 和 incident。

13. Portfolio Exercise

选择一个金融零售 AI use case: 信贷解释助手、AML narrative copilot、客服 RAG、财富 advisor copilot 或支付异常 agent。输出一套 obligation intelligence artifact:

Source registry with five official anchors.
Applicability triage worksheet for two jurisdictions.
Obligation ontology with 12 obligation objects.
Obligation-to-control/eval/change graph.
Dashboard mock with overdue obligations, Tier 1 impact and evidence coverage.
Management memo explaining three material horizon signals and decisions. 评价标准: 能区分 law、guidance、standard、speech、priority、incident, 说明义务如何进入产品、流程、架构、控制和证据, 处理 jurisdiction/product/use-case 变化, 并把 SR 26-2 与 broader AI governance 做正确边界划分。