
The Centre for the Governance of AI: What GovAI Research Tells Enterprise CISOs and Where the Gap Sits

The Centre for the Governance of AI (GovAI) is the Oxford-based research organization that publishes some of the most-cited work on AI policy, model evaluations, frontier model governance, and international AI agreements. Enterprise CISOs reading the research will recognize the intellectual scaffolding under the EU AI Act and NIST AI RMF text. The gap between research framework and enterprise control sits at the request boundary.

By Parminder Singh · Founder & CEO, DeepInspect Inc.
Compliance & Regulation · ai-governance, govai, research, eu-ai-act, nist-ai-rmf, policy

The Centre for the Governance of AI, commonly abbreviated GovAI, is an Oxford-based research organization (originally part of Oxford's Future of Humanity Institute, independent since 2021) that has published some of the most-cited work on frontier model governance, AI policy design, model evaluations, and international AI agreements since its founding in 2018. The research output appears in EU Commission consultations, NIST AI RMF working drafts, OECD AI policy papers, and the academic literature that feeds national AI strategies. The G7 Hiroshima Process on AI cites GovAI work. The Bletchley Park declaration grew out of conversations that included GovAI researchers.

The work is policy-and-research focused rather than operational. Enterprise CISOs reading the research will recognize the intellectual scaffolding under the text of the EU AI Act and the NIST AI RMF. The gap between the policy framework and an enterprise control is the gap between "the regulation expects an audit-ready record" and "the enforcement layer produces it." I want to walk through what GovAI publishes, where the research framework lands in enterprise practice, and the architectural pattern that closes the gap.

What GovAI publishes

GovAI's research output spans several recurring themes that show up in policy documents the enterprise has to comply with.

Frontier model governance

Research on the governance of frontier AI systems: model evaluations, dangerous capability evaluations, model release decisions, third-party audit access. The work feeds the EU AI Act's Chapter V general-purpose AI model obligations, the GPAI Code of Practice, and the AI Safety Institute network's evaluation methodology.

AI policy design

Research on the design of national AI policy: risk-tiered classification, sectoral regulation, certification and conformity assessment regimes, incident reporting systems. The work appears in the OECD AI Principles and the EU AI Act's risk-tiered structure.

International AI agreements

Research on the design of international AI agreements: model evaluation standards across jurisdictions, third-party audit reciprocity, incident sharing arrangements. The work feeds the G7 Hiroshima Process and the international AI safety summit declarations.

Model evaluations and safety case methodology

Research on model evaluation methodology: dangerous capability evaluations, deployment context evaluations, safety case construction. The work is becoming the methodology spine for the conformity assessment process under the EU AI Act.

The output is distinct from "industry analyst" work. GovAI publishes research papers, policy submissions, and academic articles. The output is intended to inform policy makers and the research community, not to be installed in an enterprise deployment.

How the research lands in enterprise compliance text

The intellectual lineage from GovAI research to enterprise compliance obligation is visible across several specific places.

EU AI Act risk-tiering

The risk-tiered classification structure (prohibited, high-risk, limited-risk, minimal-risk) traces back to AI risk-tiering research that GovAI and adjacent researchers contributed to. The structure is now in the Act: Article 5 (prohibited practices), Article 6 and Annex III (high-risk classification), and Article 50 (transparency obligations for the limited-risk tier); minimal-risk is the residual category with no specific obligations.

GPAI provider obligations

The general-purpose AI model obligations under Chapter V (model evaluation, systemic risk identification, incident reporting) draw on the frontier model governance research. GovAI researchers participated in the consultation that shaped the Code of Practice.

Conformity assessment methodology

The conformity assessment regime under Article 43 and the technical documentation requirements under Article 11 follow a methodology consistent with the safety case construction research GovAI and the AI Safety Institute network have published.

NIST AI RMF

The NIST AI RMF's GOVERN, MAP, MEASURE, and MANAGE functions reflect the academic policy framing that GovAI's body of work contributed to. The framework is voluntary in the US, is routinely cross-walked to the EU AI Act's obligations, and is becoming the de facto baseline for many federal contractors.

International alignment

Where the EU AI Act, the NIST RMF, the OECD AI Principles, and the G7 Hiroshima Process align (model documentation expectations, incident reporting, third-party audit access), the alignment usually reflects converging research conclusions that GovAI participated in.

Where the research framework ends and enterprise practice begins

The research is policy and methodology. The enterprise has to produce running infrastructure that satisfies the obligations the policy creates. The gap is wide.

From "audit-ready evidence" to a signed record

The research framing talks about audit-ready evidence as a property of well-governed AI systems. The enterprise has to produce a specific record format, signed, retention-controlled, identity-bound, that satisfies the regulator's request when it arrives.

From "human oversight" to a policy rule

The research framing identifies human oversight as a control. The enterprise has to implement the policy rule that routes specific request types to a human reviewer, captures the reviewer's decision, and records the outcome.

From "model risk management" to running infrastructure

The research framing maps model risk to evaluation methodology. The enterprise has to operate the evaluation pipeline, maintain the inventory, and connect the model risk decisions to the per-request policy state.

From "incident reporting" to an incident workflow

The research framing identifies incident reporting as a regime element. The enterprise has to detect the incident in production, classify it against the reporting taxonomy, route it through internal review, and submit the report within the regulatory timeline.

The research is necessary for the policy framework to exist. The enterprise still has to build the infrastructure that implements it.

What the architecture pattern looks like

The architecture pattern that satisfies the obligations the GovAI-adjacent research helped codify is the same architecture pattern that satisfies EU AI Act, NIST AI RMF, and adjacent regimes.

Identity context at the AI request boundary

Every AI request carries verified identity context. The EU AI Act's Article 12 defines the logging capability a high-risk system must have (including, for remote biometric systems, the identity of the natural persons who verify results), and Articles 19 and 26(6) require providers and deployers to keep those logs; zero-trust guidance (NIST SP 800-207, and CISA's Zero Trust Maturity Model, whose first pillar is identity) expects the caller's identity to be bound to the request at the request layer rather than inferred later. The infrastructure produces it.

Per-request policy evaluation

Every AI request is evaluated against identity, classification, model authorization, and policy at the AI request boundary. The decision is deterministic and fast enough to be inline. Article 14 human oversight and Article 26 monitoring rest on the existence of this decision point.

Per-decision audit record

Every policy decision produces a signed audit record: identity, classification, policy version, outcome. The record is written by the enforcement layer, independent of the application that consumed the AI response, so it survives an application crash, can be retained on its own schedule, and passes audit-independence tests (the party being audited cannot alter it without breaking the signature).

Fail-closed posture

On ambiguity, the enforcement layer denies. The cost of an over-permissive decision under high-risk operation is regulatory exposure. The cost of a denied legitimate request is a retry. The math favors fail-closed.
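The four properties above (identity at the boundary, deterministic per-request evaluation, a signed per-decision record, fail-closed on ambiguity), together with the human-reviewer routing rule described earlier under "From 'human oversight' to a policy rule", fit in one small inline gate. The following is an added example written for this page, not DeepInspect's code or any product's API; the policy table, role and classification names, model names, `POLICY_VERSION` label, and HMAC key are all hypothetical, and the sample requests are constructed. It uses an HMAC over a canonical JSON encoding so an auditor can verify each record with the key alone; a production deployment would sign with a KMS- or HSM-held key and append records to write-once storage.

```python
"""Minimal inline AI request policy gate (added example, hypothetical names)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

POLICY_VERSION = "2025-01-policy-v3"  # hypothetical policy version label

# Hypothetical policy table: which (role, data classification) pairs may reach
# which model, and which combinations must be routed to a human reviewer first.
POLICY = {
    ("analyst", "public"): {"allowed_models": {"gpt-internal", "summarizer"}, "review": False},
    ("analyst", "internal"): {"allowed_models": {"gpt-internal"}, "review": False},
    ("hr", "personal"): {"allowed_models": {"gpt-internal"}, "review": True},
}
KNOWN_CLASSIFICATIONS = {"public", "internal", "personal", "restricted"}
AUDIT_KEY = b"example-hmac-key-rotate-in-production"  # constructed; use a KMS-held key in practice


@dataclass(frozen=True)
class AIRequest:
    subject: str         # verified identity from the upstream token (assumed already validated)
    role: str
    classification: str  # data classification asserted for the prompt
    model: str
    prompt: str


@dataclass(frozen=True)
class Decision:
    outcome: str  # "allow" | "deny" | "review"
    reason: str


def evaluate(req: AIRequest) -> Decision:
    """Deterministic per-request evaluation. Anything unrecognised is denied (fail-closed)."""
    if req.classification not in KNOWN_CLASSIFICATIONS:
        return Decision("deny", "unknown classification")
    rule = POLICY.get((req.role, req.classification))
    if rule is None:
        return Decision("deny", "no rule for role/classification")
    if req.model not in rule["allowed_models"]:
        return Decision("deny", "model not authorised for this data")
    if rule["review"]:
        return Decision("review", "human reviewer required by policy")
    return Decision("allow", "policy match")


def _canonical(body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def audit_record(req: AIRequest, decision: Decision, key: bytes = AUDIT_KEY, ts: str = "") -> dict:
    """Signed record: identity, classification, policy version, outcome.
    The prompt is stored only as a hash so the record can be retained independently of the data."""
    body = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "subject": req.subject,
        "role": req.role,
        "classification": req.classification,
        "model": req.model,
        "policy_version": POLICY_VERSION,
        "outcome": decision.outcome,
        "reason": decision.reason,
        "prompt_sha256": hashlib.sha256(req.prompt.encode()).hexdigest(),
    }
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_record(record: dict, key: bytes = AUDIT_KEY) -> bool:
    """Auditor-side check: recompute the MAC over every field except the signature itself."""
    unsigned = {k: v for k, v in record.items() if k != "sig"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(record.get("sig", ""), expected)


def gate(req: AIRequest) -> tuple:
    """Inline enforcement: decide and record; the caller forwards to the model only on 'allow'."""
    decision = evaluate(req)
    return decision, audit_record(req, decision)


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        AIRequest("alice@example.com", "analyst", "public", "summarizer", "Summarise the press release"),
        AIRequest("bob@example.com", "hr", "personal", "gpt-internal", "Draft a performance review"),
        AIRequest("carol@example.com", "analyst", "restricted", "gpt-internal", "Paste of board minutes"),
        AIRequest("dave@example.com", "analyst", "pii?", "gpt-internal", "Untagged upload"),
    ]
    for sample in samples:
        decision, record = gate(sample)
        print(sample.subject, decision.outcome, decision.reason, "record-ok" if verify_record(record) else "BAD")
```

Note what the gate does not do: it never guesses. A classification it has never seen and a (role, classification) pair with no rule both fall through to `deny`, which is the fail-closed posture described above; the `review` outcome is the hook for the human-oversight route, and the `policy_version` field in every record is what lets an auditor tie a historical decision back to the rule set in force at the time.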

DeepInspect

DeepInspect is the policy enforcement layer that produces the running infrastructure the research-driven policy frameworks call for. Per-request decisions, per-decision audit records, identity-bound, signed, retention-controlled. Deployable in front of any HTTP-based LLM endpoint.

The body of research from GovAI and adjacent organizations created the conceptual frame. The EU AI Act, NIST AI RMF, and adjacent regimes turned the frame into enterprise obligation. DeepInspect is the enforcement layer that turns the obligation into a per-request decision and a per-decision record.

See how DeepInspect maps to EU AI Act, NIST, and DORA.

Frequently asked questions

Is the Centre for the Governance of AI a regulator?

No. GovAI is a research organization. It publishes research, contributes to policy consultations, and informs the work of regulators and standards bodies. Regulators (EU AI Office, member-state authorities, US federal agencies) enforce; GovAI researches.

How does GovAI work differ from think tank work?

GovAI is academic-affiliated research with peer-reviewed publication output. The work appears in academic journals, conference proceedings, and policy submissions. The output is more methodologically rigorous than typical think tank policy briefs and is intended for policy makers and researchers rather than industry advocacy.

Should an enterprise CISO read GovAI research?

A CISO who wants to understand the intellectual lineage of the EU AI Act, the NIST AI RMF, and adjacent frameworks will find the research useful. The work explains where the obligations come from and what the regulators are trying to achieve. The work does not tell the CISO what enforcement layer to deploy.

Does GovAI offer enterprise certifications?

GovAI does not certify enterprises. Certifications under the EU AI Act conformity assessment regime come from notified bodies. The AI Governance Professional (AIGP) certification from IAPP is the closest enterprise-relevant individual credential.

How does GovAI relate to the AI Safety Institutes?

The AI Safety Institute network (UK AI Security Institute, the US AISI, since renamed the Center for AI Standards and Innovation, the EU AI Office's safety unit, and the more recently announced nodes in Asia and Africa) overlaps in mission and personnel with GovAI. GovAI does academic research; the safety institutes do government-mandated evaluation work. The two communities share methodology.

Where does the GovAI body of work fit relative to OECD and IEEE work?

The OECD AI Principles and the IEEE Standards Association's AI ethics work occupy adjacent surfaces. OECD focuses on the international policy framework. IEEE focuses on engineering standards. GovAI sits between them on methodology and policy-design research. The three feed each other.