Why multinational AI governance documentation built framework-by-framework produces redundancy, inconsistency, and maintenance overhead — and a preliminary architecture for designing from the intersection instead.
Multinational organizations deploying AI systems face an AI governance documentation challenge that jurisdiction-by-jurisdiction compliance cannot solve. The EU AI Act, the NIST AI RMF, UK sector-led AI governance, and Canada's proposed AIDA create documentation obligations that are structurally different from each other — different evidence formats, different documentation scope, different assessment methodologies — but substantially overlapping in the governance outcomes they require. A multinational organization that builds separate AI governance documentation programs for each jurisdiction will produce four documentation programs with 60–70% overlapping content, managed separately, with 40% duplicated maintenance overhead and no mechanism for ensuring consistency across programs when the underlying AI system or regulatory requirements change.
This working paper argues that multinational AI governance documentation requires a unified architecture approach — designing from the intersection of regulatory requirements rather than from each regulatory requirement independently. It presents a preliminary cross-border AI governance documentation architecture and identifies the research questions that require further investigation before the architecture can be validated as a formal methodology.
The fundamental challenge of cross-border AI governance documentation is that the four major governance frameworks — EU AI Act, NIST AI RMF, UK sector-led AI governance, ISO/IEC 42001 — were developed independently, use different terminology for equivalent concepts, and require documentation at different levels of specificity for governance outcomes that are substantively similar.
Consider the governance outcome of human oversight of high-consequence AI decisions. EU AI Act Article 14 requires that high-risk AI systems be designed to allow human oversight — including the ability of natural persons to understand the system's outputs, decide not to use them, and intervene or interrupt. NIST AI RMF GOVERN function requires that organizational policies specify human oversight requirements for AI systems by risk category. ISO/IEC 42001 Annex A.6.2 requires that the organization plan and implement human oversight mechanisms for AI systems. UK FCA guidance on model risk management requires that significant AI models have human oversight mechanisms commensurate with their risk.
These four requirements are substantively equivalent: all require documented human oversight of high-consequence AI decisions. But they use different terminology, require documentation at different levels of specificity, and reference different evidence standards. A documentation program designed to satisfy each requirement independently will produce four separate human oversight documentation artefacts — AI Act technical documentation (Article 11, Annex IV), NIST AI RMF GOVERN documentation, ISO 42001 Annex A.6.2 records, and FCA model risk management documentation — that describe the same organizational capability in different formats for different regulatory audiences.
"The AI governance documentation challenge for multinationals is not regulatory complexity — it is architectural. Four frameworks requiring the same capability documented differently produce four programs, not one."
The intersection architecture approach designs AI governance documentation from the intersection of all applicable frameworks' requirements, producing primary documentation that satisfies all frameworks simultaneously and jurisdiction-specific supplementary documentation only where frameworks diverge materially.
The approach requires three analytical steps before documentation production begins.
Step 1: Governance capability mapping. Identify the governance capabilities that all applicable frameworks require — the substantive things the organization must be able to do and demonstrate — regardless of which framework requires them or how each framework labels them. For the four major AI governance frameworks, preliminary analysis suggests approximately 15 core governance capabilities: risk assessment, model documentation, data governance, human oversight, testing and validation, ongoing monitoring, incident response, change management, governance policy, accountability assignment, training and awareness, third-party risk management, conformity assessment, post-market surveillance, and regulatory reporting. Each framework requires all or most of these capabilities; the differences are in specificity, evidence format, and assessment methodology, not in the fundamental governance requirement.
Step 2: Requirement intersection analysis. For each governance capability, map the requirements from each applicable framework side by side, identifying where requirements are substantively equivalent (can be satisfied by a single documented artefact), where requirements overlap but differ in specificity (can be satisfied by a single artefact that meets the most specific requirement), and where requirements are genuinely distinct (require separate documentation because the frameworks require different things).
Step 3: Architecture design. Design the documentation architecture with primary artefacts (satisfying the intersection of all requirements) and jurisdiction-specific supplementary artefacts (satisfying requirements that are genuinely distinct across frameworks). Primary artefacts are maintained once and referenced by all frameworks' documentation structures. Supplementary artefacts are maintained separately for each jurisdiction where they are required.
Preliminary analysis suggests a three-layer architecture for cross-border AI governance documentation.
Layer 1 — Universal governance documentation (satisfies the intersection of all frameworks): AI system inventory and risk classification, governance accountability structure, AI governance policy suite, risk management process documentation, human oversight policy and implementation records, incident response procedures, and ongoing monitoring framework. These artefacts can be written once in a format that satisfies EU AI Act, NIST AI RMF, ISO 42001, and UK sector requirements simultaneously, with the primary variable being the labeling convention used to reference each artefact in each framework's documentation structure.
Layer 2 — Framework-aligned documentation (format varies by framework, content is equivalent): Technical documentation (EU AI Act Annex IV) and model documentation (NIST AI RMF MAP/MEASURE) require the same information in different formats. Conformity assessment documentation (EU AI Act Articles 43–49) and third-party audit documentation (ISO 42001) address the same governance requirement through different assessment architecture. Risk management records (EU AI Act Article 9) and risk characterization documentation (NIST AI RMF MAP) describe the same risk management program in different terminology. Layer 2 artefacts require format variation but not content duplication — the underlying information is produced once and presented in the format required by each framework.
Layer 3 — Jurisdiction-specific documentation (genuinely distinct requirements): EU AI database registration (EU AI Act Article 49), NIST sectoral profile documentation (sector-specific extensions of the AI RMF), and UK FCA significant model designation documentation are genuinely jurisdiction-specific requirements with no equivalent in other frameworks. Layer 3 artefacts must be developed and maintained separately for each jurisdiction requiring them.