The Commonplace
Home Dashboard Papers Evidence Digests 🎲
← Papers

AI governance is fragmented and often stuck at high-level ethics or compliance checklists rather than operational controls; synthesizing 95 studies, this paper proposes a policy-ready risk-tiering model that maps ethical principles to auditable technical safeguards for public services and critical infrastructure.

AI Governance Risk Tiering for Sustainable Digital Infrastructure: A Systematic Review of Cybersecurity Frameworks
Orjuwan Albulayhi, Ali Alkhalifah · March 18, 2026 · Sustainability
openalex review_meta n/a evidence 7/10 relevance DOI Source PDF
A systematic review finds AI governance frameworks are fragmented—dominated by ethics/privacy and compliance approaches—and proposes an integrated risk-tiering model that links ethical principles to auditable technical controls for more operational, SDG-aligned AI governance.

The rapid adoption of artificial intelligence (AI) across public services and critical infrastructure is reshaping digital governance. While AI promises efficiency and innovation, its reliance on large, high-dimensional datasets introduces privacy, bias, transparency and accountability risks that existing frameworks struggle to address. This study evaluates the maturity of current AI governance frameworks and develops an integrated risk-tiering model that connects ethical principles to auditable technical controls, aligning with Sustainable Development Goal 9 on industry, innovation and infrastructure. A systematic literature review of 450 records from major databases was conducted using PRISMA 2020 guidelines; 95 high-quality studies were analyzed using principal component analysis and k-means clustering. The analysis produced a heat map of governance frameworks, a co-occurrence network of themes, a cluster analysis of framework coverage and an integrated governance risk framework supported by a risk-tiering matrix. Findings reveal a fragmented landscape dominated by ethics/privacy-centric and compliance/risk-focused approaches, with few integrated frameworks and evident tension between privacy and security. This synthesis bridges the gap between values and practice, offering a policy-ready model for secure and sustainable AI governance.

Summary

Main Finding

The study finds that AI governance for public services and critical infrastructure is fragmented: dominated by separate ethics/privacy-centric and compliance/risk-focused approaches, with few integrated frameworks that translate ethical principles into auditable technical controls. It delivers a policy-ready integrated governance risk framework and a risk-tiering matrix designed to align governance practice with Sustainable Development Goal 9 (industry, innovation and infrastructure) and reduce the gap between values and operational controls.

Key Points

  • Rapid AI adoption in public services increases risks around privacy, bias, transparency and accountability that current frameworks inadequately address.
  • Systematic review identifies two prevailing paradigms in governance literature: (1) ethics/privacy-centric (values-first) and (2) compliance/risk-focused (controls-first). Few works bridge these paradigms.
  • There is an observable tension between privacy and security in governance recommendations, complicating unified policy approaches.
  • The study produces empirical artefacts: a heat map of governance frameworks, a co-occurrence thematic network, a cluster analysis of framework coverage, and an integrated governance risk framework with a risk-tiering matrix linking ethical principles to auditable technical controls.
  • The proposed model is intended to be policy-ready—enabling proportionate, auditable, and sustainable governance for AI in infrastructure and public services.

Data & Methods

  • Literature search: 450 records retrieved from major academic and policy databases following PRISMA 2020 guidelines.
  • Screening and selection: 95 high-quality studies were included for analysis.
  • Quantitative analysis: principal component analysis (PCA) to reduce dimensionality of framework attributes; k-means clustering to identify distinct clusters (types) of governance frameworks.
  • Outputs: heat map visualizing framework coverage across dimensions; co-occurrence network mapping thematic linkages; cluster analysis highlighting dominant schools of thought; integrated governance risk framework and risk-tiering matrix that operationalize ethics into auditable technical controls.
  • Limitations noted by the study: reliance on published frameworks and literature (possible selection/publication bias); synthesis rather than field validation—implementation and economic impacts require empirical testing.

Implications for AI Economics

  • Compliance and adoption costs: Fragmented governance raises regulatory uncertainty and potentially higher compliance costs—especially for smaller firms—affecting entry, competition, and rates of innovation in AI markets for public services.
  • Investment and infrastructure financing: Clear, integrated and auditable governance (like the risk-tiering model) can lower information and transaction costs for investors, enabling more targeted public and private investment aligned with SDG9 goals.
  • Regulatory design and market structure: A tiered, risk-proportionate approach can reduce over-compliance for low-risk applications while concentrating resources on high-risk systems—improving allocative efficiency and reducing barriers to entry.
  • Security/privacy trade-offs and welfare: Tension between privacy and security implies policymakers face trade-offs that have distributional effects (e.g., marginalized groups may bear disproportionate harms from biased systems). Economists should quantify welfare impacts of different governance choices.
  • Standardization and externalities: Translating ethical principles into auditable technical controls creates standards that reduce informational asymmetries and negative externalities (e.g., biased outputs), facilitating safer market expansion and cross-jurisdictional interoperability.
  • Research and measurement agenda for AI economics:
    • Estimate direct compliance costs and dynamic effects on startup formation and R&D.
    • Model diffusion of AI in public services under alternative governance regimes (risk-tiered vs. one-size-fits-all).
    • Quantify welfare trade-offs from privacy–security tensions and from bias mitigation measures.
    • Assess the value of auditable controls in lowering insurance premiums, liability costs, or public procurement risk premia.
    • Evaluate how integrated governance frameworks affect productivity gains in public services and infrastructure investment multipliers.
  • Policy recommendations with economic rationale:
    • Adopt risk-tiered regulation to balance safety and innovation, minimizing unnecessary compliance costs.
    • Prioritize development of auditable controls and measurable standards to reduce uncertainty and transaction costs.
    • Provide targeted support (grants, shared compliance tooling, certification bodies) for smaller firms to avoid consolidation and preserve competition.
    • Use pilot implementations in public procurement to generate data on costs/benefits and guide scaled policy adoption.

If you want, I can convert this into a short policy brief for public finance teams or outline specific empirical models to estimate the compliance-cost and diffusion effects described above.

Assessment

Paper Typereview_meta Evidence Strengthn/a — This is a systematic literature review and framework synthesis rather than a study producing causal estimates; it aggregates and classifies existing governance frameworks but does not provide causal identification of economic effects. Methods Rigormedium — The study follows PRISMA 2020 and screens a large initial set (450 records) down to 95 high-quality sources, and applies quantitative techniques (principal component analysis and k-means clustering) to identify patterns—strengths that support transparency and reproducibility. However, rigor is limited by likely subjectivity in coding and inclusion criteria, potential biases from excluding grey or non-English sources, the appropriateness of PCA/k-means for heterogeneous qualitative framework features, sensitivity to clustering parameters, and lack of external/operational validation of the proposed integrated model. SampleA systematic literature review of 450 records from major databases following PRISMA 2020, with 95 high-quality studies retained for analysis; the corpus appears to include academic articles, policy reports, ethics guidelines and governance frameworks relevant to AI in public services and infrastructure, analyzed via feature coding, principal component analysis, and k-means clustering. Themesgovernance adoption innovation GeneralizabilityLimited to published sources from major databases—likely excludes internal government documents, proprietary frameworks, and some grey literature, Possible language and publication bias (no mention of non-English or non-peer-reviewed inclusions), Heterogeneity across jurisdictions, sectors, and stages of AI maturity reduces direct applicability of clustered findings to specific national or sectoral contexts, Mapping high-level ethical principles to auditable technical controls may not generalize to operational deployments without empirical testing, Findings are time-sensitive given rapid evolution of AI capabilities, standards, and regulation

Claims (8)

ClaimDirectionConfidenceOutcomeDetails
A systematic literature review of 450 records from major databases was conducted using PRISMA 2020 guidelines. Governance And Regulation null_result high number of records screened in systematic review
n=450
0.4
Ninety-five high-quality studies were analyzed using principal component analysis and k-means clustering. Governance And Regulation null_result high number of studies analyzed and analytical methods applied
n=95
0.4
The analysis produced a heat map of governance frameworks, a co-occurrence network of themes, a cluster analysis of framework coverage and an integrated governance risk framework supported by a risk-tiering matrix. Governance And Regulation positive high analytical outputs and resultant governance model
n=95
0.24
Findings reveal a fragmented landscape dominated by ethics/privacy-centric and compliance/risk-focused approaches. Governance And Regulation negative high dominant thematic focus of governance frameworks
n=95
0.24
There are few integrated frameworks (bridging ethics and technical controls) in the current AI governance landscape. Governance And Regulation negative high prevalence of integrated governance frameworks
n=95
0.24
There is an evident tension between privacy and security in existing AI governance approaches. Governance And Regulation mixed high presence of trade-offs/tensions between privacy and security in frameworks
n=95
0.24
The study aligns its integrated risk-tiering model with Sustainable Development Goal 9 on industry, innovation and infrastructure. Governance And Regulation positive high conceptual alignment of the model with SDG 9
n=95
0.04
This synthesis bridges the gap between values and practice, offering a policy-ready model for secure and sustainable AI governance. Governance And Regulation positive high policy-readiness and practical applicability of the proposed model
n=95
0.04

Notes