AI Regulatory Capability Framework and Self-Assessment Tool

Summary

The AI Regulatory Capability Framework, developed jointly by the Alan Turing Institute and the UK Department for Science, Innovation and Technology, gives regulators and governance bodies a structured method for evaluating their readiness to oversee AI systems. Published in 2026, the framework recognizes a problem that many organizations face but few have tools to address: knowing whether your regulatory or governance function has the institutional capacity to keep pace with AI development. The accompanying self-assessment tool translates the framework into a practical diagnostic that any organization can use to identify capability gaps and prioritize investments in regulatory capacity.

The Six-Stage Regulatory Lifecycle

At the core of the framework is a six-stage model of the regulatory lifecycle, each stage representing a distinct phase of oversight activity that governance bodies must perform.

Stage 1: Horizon Scanning and Intelligence Gathering

The first stage focuses on an organization's ability to monitor AI developments proactively. This includes tracking technological progress, identifying emerging use cases within the organization's remit, and maintaining awareness of regulatory approaches in other jurisdictions. Effective horizon scanning requires both technical literacy and established channels for receiving information from industry, academia, and civil society.

Stage 2: Policy Development and Design

This stage assesses the capacity to translate understanding of AI developments into appropriate policy responses. It covers the ability to conduct impact assessments, develop proportionate regulatory approaches, and design rules that are technically feasible to implement and enforce. Policy design for AI requires interdisciplinary teams that combine legal expertise with technical understanding.

Stage 3: Implementation and Communication

The third stage evaluates how effectively an organization can put policies into practice and communicate expectations to regulated entities. This includes producing guidance documents, developing compliance tools, running consultation processes, and making sure regulated organizations understand what is expected of them. AI regulation often requires more intensive communication than traditional regulatory domains because the technology and its risks are less familiar to many regulated entities.

Stage 4: Monitoring and Supervision

Ongoing oversight of AI systems requires capabilities that differ significantly from traditional regulatory monitoring. This stage assesses whether an organization can conduct technical audits of AI systems, interpret model behavior, evaluate training data practices, and maintain effective reporting mechanisms. AI monitoring often requires access to specialized tools and expertise that many regulatory bodies currently lack.

Stage 5: Enforcement and Compliance

When regulated entities fail to meet requirements, governance bodies must respond effectively. This stage covers investigation capabilities, the ability to assess technical evidence of non-compliance, and the capacity to impose and follow through on enforcement actions. For AI-specific enforcement, the framework highlights the need for forensic capabilities that can determine whether an AI system's behavior violates regulatory requirements.

Stage 6: Evaluation and Learning

The final stage focuses on the organization's ability to assess whether its regulatory approach achieves its intended outcomes and to adapt based on experience. This includes conducting retrospective reviews, measuring the effectiveness of interventions, and incorporating lessons learned into future regulatory cycles.

The 28 Regulatory Activities

Within these six stages, the framework identifies 28 specific activities that collectively represent the full scope of AI regulatory work. These range from concrete operational tasks, such as maintaining a register of AI systems under oversight, to strategic functions like contributing to international standards development. Each activity is described with enough specificity that organizations can assess whether they currently perform it, perform it partially, or lack the capability entirely.

The 28 activities are not a minimum compliance list. The framework recognizes that not every organization needs every capability. The activities serve as a map that organizations can use to determine which capabilities are relevant to their specific mandate and context.

The 6 Capability Factors

The framework identifies six cross-cutting factors that determine an organization's ability to perform regulatory activities effectively.

Technical Expertise

The depth and breadth of technical knowledge within the organization, including AI and data science skills, domain expertise, and the ability to evaluate technical claims made by regulated entities.

Institutional Infrastructure

The organizational structures, processes, and systems that support regulatory work, including governance arrangements, decision-making procedures, and information management systems.

Stakeholder Relationships

The quality and breadth of relationships with regulated entities, affected communities, other regulators, academia, and international counterparts.

Legal and Regulatory Authority

The formal powers and mandates available to the organization, including whether existing legal frameworks adequately address AI-specific challenges.

Resources and Funding

The financial and human resources available for AI regulatory work, including the ability to recruit and retain staff with relevant expertise.

Organizational Culture and Leadership

The degree to which the organization's leadership prioritizes AI governance and fosters a culture of continuous learning and adaptation.

The 17 Capability Statements

The self-assessment tool operationalizes the framework through 17 capability statements that organizations rate themselves against. Each statement describes a specific capability at multiple maturity levels, so organizations can identify not just whether they have a capability but how developed it is. The maturity levels are designed to be aspirational but achievable, providing a clear path for improvement.

For example, a capability statement on technical audit capacity might range from "the organization has no internal capacity to conduct technical assessments of AI systems" at the lowest level to "the organization maintains a dedicated team with current expertise in AI evaluation methodologies and conducts regular technical audits" at the highest level.

Who Should Use This Framework

The primary audience is regulatory bodies and government agencies with oversight responsibilities that intersect with AI. This includes sector-specific regulators in financial services, healthcare, telecommunications, and employment, as well as cross-cutting bodies responsible for data protection, competition, or consumer rights.

The framework is equally valuable for private sector governance teams, particularly in large organizations that operate internal AI governance functions. The capability factors and maturity assessments translate directly to corporate AI governance programs that need to evaluate whether their oversight functions are adequately resourced and structured.

Consultancies and advisory firms supporting organizations with AI governance can use the framework as a diagnostic tool for client engagements, providing a structured basis for gap analysis and improvement recommendations.