Norms and AI execution control

Norms and AI execution control: an infrastructural perspective.

A technical reading of the relations among AI Act, NIS2, ISO/IEC 27001, ISO/IEC 42001 and NIST AI RMF, and of the role a system-level execution-control system may take with respect to the requirements they pose.

§ 01 · Premise

Different layers, same problem.

The AI Act, NIS2 and the ISO and NIST standards operate on different layers: legal, organisational, risk-management. Although heterogeneous, they converge on a restricted set of key requirements.

Read by principles rather than by articles, these requirements reduce to four recurring properties: preventive control of AI invocation, documented and verifiable traceability of decisions, technical auditability and accountability attributable to identifiable subjects.

The legal layer defines obligations; the organisational layer defines processes; the risk-management layer defines methods. Missing from this stratification is an explicit definition of the technical mechanisms through which such requirements can be made observable in the systems that actually execute AI.

§ 02 · Reference frameworks

What norms and frameworks require, by principles.

The table below summarises, in conceptual and non-legalistic form, the principles that each normative or framework reference makes explicit. It does not constitute a conformity analysis nor a binding interpretation of the texts.

Framework	Layer	Relevant principles
AI ActReg. (EU) 2024/1689	Legal	Ex-ante control of the use of AI systems; human oversight on decisions of significant impact; auditability of systems across the life cycle.
NIS2Dir. (EU) 2022/2555	Systemic security	Risk management of critical capabilities, continuity and security of essential services, tracking and notification of incidents.
ISO/IEC 27001Information security management systems	Organisational	Control of access to critical resources, separation of privileges, recording and review of activities.
ISO/IEC 42001Artificial intelligence management systems	Organisational	Management system for AI systems: traceability of decisions, roles and responsibilities, periodic review.
NIST AI RMF 1.0AI Risk Management Framework	Risk management	Functions Govern, Map, Measure, Manage: direction, identification of the use context, measurement and treatment of risk.

Recurring requirements

Preventive control of use.
Explicit traceability.
Verifiable auditability.
Attributable accountability.

§ 03 · Missing denominator

The missing common denominator.

The requirements listed in the reference frameworks are expressed in terms of what must be guaranteed. Their operational translation is today entrusted to heterogeneous instruments — textual rules, documentation, application controls, after-the-fact records — rarely brought back to the same architectural layer.

In particular, a technical control point is missing that jointly presents the following four properties.

Non-bypassable Authorisation of AI use cannot be ignored, rewritten or omitted by the code that requests it.
Independent The control point is decoupled from applications: it does not depend on their cooperation or on their correct configuration.
Sub-applicational It resides below the application layer, in a position the applications cannot modify.
Technical evidence It produces, as an effect of its own operation, verifiable records of the decisions taken.

The absence of such a control point is not a gap in the norms: it is a gap in the architecture of the systems. It is, in other words, an architectural problem.

§ 04 · Position

Where AIKNOCK sits.

AIKNOCK explores a possible ex-ante technical control point, at the system layer, consistent with the execution-control, auditability and risk-management requirements referenced by norms and standards, without replacing or interpreting them.

Norms and standards define obligations. AIKNOCK operates on the layer of technical mechanisms. The system operates independently of external regulatory or standard frameworks and maintains a consistent technical behaviour at execution level. The two layers are complementary: what the law and the standards prescribe as system properties, a mechanism such as the one described can contribute to making observable and verifiable.

§ 05 · Exclusions

What AIKNOCK does not do with respect to the norms.

To avoid confusion between distinct layers, it is appropriate to state explicitly the scope that AIKNOCK does not occupy.

DOES NOT it does not interpret the law,
DOES NOT it does not guarantee compliance,
DOES NOT it does not replace organisational or legal processes,
DOES NOT it does not eliminate the responsibilities of deployers,
DOES NOT it does not govern datasets or training processes.

Observance of the norms remains a responsibility of operators, implementers and competent authorities. AIKNOCK does not shift such responsibility: it describes a distinct technical layer.

§ 06 · Conclusion

Conclusion.

The norms define what must be guaranteed.

AIKNOCK sits on the layer of how a part of such guarantees can be made a technical property of the system.

The distance between the two layers is a structural feature, not an opposition: the two levels presuppose each other.