From Obligation to Evidence: A Methodology for Multi-Regulatory AI Governance

Standard Intelligence
Tags: AI Governance, Regulatory Technology

A single AI system rarely sits under a single rulebook. A clinical decision support tool can fall under the EU AI Act, the Medical Devices Regulation, the GDPR, and NIS2 at the same time, while also carrying ISO 42001 and ISO 27001 commitments. The obligation set for one system can run to hundreds of discrete requirements drawn from seven or more instruments.

This is a structural problem, not an incidental one. The EU AI Act was designed to sit alongside existing sectoral, data protection, cybersecurity, and product safety law, so horizontal AI rules layer on top of vertical ones rather than replacing them. Compliance programmes that tackle each framework separately duplicate documentation, leave gaps where obligations fall between frameworks, and classify the same system inconsistently.

The pressure is live. EU AI Act prohibitions have applied since February 2025, general-purpose AI obligations since August 2025, and high-risk obligations apply from August 2026. ISO 42001 is becoming a procurement requirement, and the revised Product Liability Directive now treats AI systems as products under strict liability, which makes a demonstrable compliance history part of an organisation's litigation defence.

TRACE is a five-phase governance lifecycle that responds to this. Triage scopes which rules apply to each system. Rate classifies risk and decomposes obligations. Architect builds controls into the system. Control runs monitoring and oversight continuously. Evidence maintains audit-ready proof of conformity. The methodology is obligation-centric rather than framework-centric, so a single control action can be mapped to the EU AI Act, the GDPR, and ISO 42001 at once, and it runs as a continuous loop rather than a point-in-time audit.

A five-level maturity model, from Ad Hoc to Leading, lets an organisation locate its capability across distinct domains and plan a proportionate path forward. The full paper covers the design principles, the governance cadence, interoperability with ISO 42001, NIST AI RMF, and ISO 27001, board-level accountability, and worked scenarios across healthcare, financial services, and enterprise technology.

About the author

Standard Intelligence Research

Standard Intelligence is a regulatory technology company building compliance infrastructure for EU-regulated organisations deploying AI systems.
