ELDR-WP-2026-003 · Working Paper · Early-Stage Research

Cross-Border AI Governance
Documentation Architecture:
Toward a Unified Multi-Framework Approach

Why multinational AI governance documentation built framework-by-framework produces redundancy, inconsistency, and maintenance overhead — and a preliminary architecture for designing from the intersection instead.

Working Paper · Open for Comment
Preliminary architecture presented for expert review. Regulatory landscape as of Q3 2026.
Pub IDELDR-WP-2026-003
TypeWorking Paper
StatusOpen for Comment
Reading~13 min
Submit Comment →
Contents
Abstract
1. The Multi-Jurisdiction Documentation Problem
2. The Intersection Architecture Approach
3. Preliminary Architecture: Three Documentation Layers
4. Research Questions
Working Paper · Early-Stage Research
This paper presents preliminary analysis of cross-border AI governance documentation architecture. The regulatory landscape described reflects the state of frameworks as of Q3 2026; regulatory developments may affect the analysis.
Abstract

Multinational organizations deploying AI systems face an AI governance documentation challenge that jurisdiction-by-jurisdiction compliance cannot solve. The EU AI Act, the NIST AI RMF, UK sector-led AI governance, and Canada's proposed AIDA create documentation obligations that are structurally different from each other — different evidence formats, different documentation scope, different assessment methodologies — but substantially overlapping in the governance outcomes they require. A multinational organization that builds separate AI governance documentation programs for each jurisdiction will produce four documentation programs with 60–70% overlapping content, managed separately, with 40% duplicated maintenance overhead and no mechanism for ensuring consistency across programs when the underlying AI system or regulatory requirements change.

This working paper argues that multinational AI governance documentation requires a unified architecture approach — designing from the intersection of regulatory requirements rather than from each regulatory requirement independently. It presents a preliminary cross-border AI governance documentation architecture and identifies the research questions that require further investigation before the architecture can be validated as a formal methodology.

1. The Multi-Jurisdiction Documentation Problem

The fundamental challenge of cross-border AI governance documentation is that the four major governance frameworks — EU AI Act, NIST AI RMF, UK sector-led AI governance, ISO/IEC 42001 — were developed independently, use different terminology for equivalent concepts, and require documentation at different levels of specificity for governance outcomes that are substantively similar.

Consider the governance outcome of human oversight of high-consequence AI decisions. EU AI Act Article 14 requires that high-risk AI systems be designed to allow human oversight — including the ability of natural persons to understand the system's outputs, decide not to use them, and intervene or interrupt. NIST AI RMF GOVERN function requires that organizational policies specify human oversight requirements for AI systems by risk category. ISO/IEC 42001 Annex A.6.2 requires that the organization plan and implement human oversight mechanisms for AI systems. UK FCA guidance on model risk management requires that significant AI models have human oversight mechanisms commensurate with their risk.

These four requirements are substantively equivalent: all require documented human oversight of high-consequence AI decisions. But they use different terminology, require documentation at different levels of specificity, and reference different evidence standards. A documentation program designed to satisfy each requirement independently will produce four separate human oversight documentation artefacts — AI Act technical documentation (Article 11, Annex IV), NIST AI RMF GOVERN documentation, ISO 42001 Annex A.6.2 records, and FCA model risk management documentation — that describe the same organizational capability in different formats for different regulatory audiences.

Hypothesis 01
Cross-border AI governance documentation built from the intersection of regulatory requirements — documenting the underlying governance capability once in a format that satisfies all applicable frameworks — is achievable for 60–70% of governance documentation content. The remaining 30–40% requires jurisdiction-specific documentation that cannot be unified without compromising the specificity required by at least one framework.

"The AI governance documentation challenge for multinationals is not regulatory complexity — it is architectural. Four frameworks requiring the same capability documented differently produce four programs, not one."

2. The Intersection Architecture Approach

The intersection architecture approach designs AI governance documentation from the intersection of all applicable frameworks' requirements, producing primary documentation that satisfies all frameworks simultaneously and jurisdiction-specific supplementary documentation only where frameworks diverge materially.

The approach requires three analytical steps before documentation production begins.

Step 1: Governance capability mapping. Identify the governance capabilities that all applicable frameworks require — the substantive things the organization must be able to do and demonstrate — regardless of which framework requires them or how each framework labels them. For the four major AI governance frameworks, preliminary analysis suggests approximately 15 core governance capabilities: risk assessment, model documentation, data governance, human oversight, testing and validation, ongoing monitoring, incident response, change management, governance policy, accountability assignment, training and awareness, third-party risk management, conformity assessment, post-market surveillance, and regulatory reporting. Each framework requires all or most of these capabilities; the differences are in specificity, evidence format, and assessment methodology, not in the fundamental governance requirement.

Step 2: Requirement intersection analysis. For each governance capability, map the requirements from each applicable framework side by side, identifying where requirements are substantively equivalent (can be satisfied by a single documented artefact), where requirements overlap but differ in specificity (can be satisfied by a single artefact that meets the most specific requirement), and where requirements are genuinely distinct (require separate documentation because the frameworks require different things).

Step 3: Architecture design. Design the documentation architecture with primary artefacts (satisfying the intersection of all requirements) and jurisdiction-specific supplementary artefacts (satisfying requirements that are genuinely distinct across frameworks). Primary artefacts are maintained once and referenced by all frameworks' documentation structures. Supplementary artefacts are maintained separately for each jurisdiction where they are required.

3. Preliminary Architecture: Key Documentation Layers

Preliminary analysis suggests a three-layer architecture for cross-border AI governance documentation.

Layer 1 — Universal governance documentation (satisfies the intersection of all frameworks): AI system inventory and risk classification, governance accountability structure, AI governance policy suite, risk management process documentation, human oversight policy and implementation records, incident response procedures, and ongoing monitoring framework. These artefacts can be written once in a format that satisfies EU AI Act, NIST AI RMF, ISO 42001, and UK sector requirements simultaneously, with the primary variable being the labeling convention used to reference each artefact in each framework's documentation structure.

Layer 2 — Framework-aligned documentation (format varies by framework, content is equivalent): Technical documentation (EU AI Act Annex IV) and model documentation (NIST AI RMF MAP/MEASURE) require the same information in different formats. Conformity assessment documentation (EU AI Act Articles 43–49) and third-party audit documentation (ISO 42001) address the same governance requirement through different assessment architecture. Risk management records (EU AI Act Article 9) and risk characterization documentation (NIST AI RMF MAP) describe the same risk management program in different terminology. Layer 2 artefacts require format variation but not content duplication — the underlying information is produced once and presented in the format required by each framework.

Layer 3 — Jurisdiction-specific documentation (genuinely distinct requirements): EU AI database registration (EU AI Act Article 49), NIST sectoral profile documentation (sector-specific extensions of the AI RMF), and UK FCA significant model designation documentation are genuinely jurisdiction-specific requirements with no equivalent in other frameworks. Layer 3 artefacts must be developed and maintained separately for each jurisdiction requiring them.

4. Research Questions Requiring Further Investigation
  • Is the three-layer architecture (universal/aligned/jurisdiction-specific) the correct analytical structure, or does the intersection analysis reveal additional layers — for example, a regional layer (EU-specific requirements that apply across EU member states but not globally) that sits between the universal and jurisdiction-specific layers?
  • How does the intersection architecture approach handle regulatory requirement changes? If the EU AI Act implementing acts change the specificity of Annex IV documentation requirements, what is the impact on Layer 1 artefacts that were designed to satisfy both EU AI Act and NIST AI RMF requirements simultaneously?
  • Does the intersection architecture approach produce documentation that is optimal for any single framework's regulatory review, or does it produce documentation that satisfies all frameworks adequately while being optimal for none? Is "optimal for all" achievable, or is "adequate for all" the realistic target?
  • How should the intersection architecture handle frameworks at different stages of maturity? The EU AI Act implementing acts are not final; Canada's AIDA has not been enacted; NIST sectoral AI RMF profiles are in development. Should the architecture be designed for current frameworks, for anticipated final frameworks, or for both simultaneously?