Standards and Double Standards in AI Governance
- Standards and Double Standards are frameworks defined by formal rules and procedures that govern quality, interoperability, and accountability across various sectors.
- They function as trust instruments by creating a shared technical language and ensuring evidence comparability among diverse actors and regulatory bodies.
- Double standards arise when similar regulatory regimes impose uneven obligations, underscoring the need for explicit, risk-based, and calibrated governance.
Searching arXiv for papers on AI standards, audit standards, and double standards. Standards are documented rules, procedures, evidence structures, and governance devices used to make quality, safety, interoperability, compliance, and trust auditable across technical and professional domains. In the European Union, once cited as harmonized standards, they become part of the legal machinery of the AI Act and can create a presumption of conformity; in other settings they function as technical baselines, audit criteria, professional codes, or lifecycle controls. “Double standards” arise when formally similar regimes produce uneven obligations, scrutiny, or protection across actors, sectors, lifecycle stages, jurisdictions, or categories such as humans and AIs. Taken together, the literature treats the central problem not as whether differentiation should exist, but whether differences are explicit, risk-based, and accountable rather than arbitrary, opaque, or selectively enforced (Bisconti et al., 21 Jan 2026, Imperial et al., 3 Feb 2025, Manoli et al., 2024).
1. Standards as instruments of coordination, verification, and trust
Across the cited work, standards are broader than style guides or aspirational best practices. They include formal directives and tradecraft rules, technical standards and best practices, structured documentation artifacts, lifecycle practices such as verification and validation and operations and monitoring, and management-system requirements. In national security, for example, standards encompass Intelligence Community Directive 203, ICD 206, STANAG 2511, benchmark datasets, metrics, datasheets, model cards, factsheets, and lifecycle practices. In GenAI compliance work, standards are “expert-defined, documented specifications, rules, and procedures” used to measure quality and performance, check regulatory and operational compliance, and ensure interoperability, safety, and accuracy (Blasch et al., 2019, Imperial et al., 3 Feb 2025).
The literature repeatedly assigns standards three functions. First, they provide a shared technical language. The EU AI Act is framed in outcome and process terms such as robust, accurate, secure, risk-managed, and transparent; harmonized standards supply the engineering vocabulary and test methods that make those obligations assessable. Second, they make evidence comparable across providers, assessors, and authorities. Without common standards, providers build idiosyncratic evidence, assessors evaluate one-off methods, and enforcement becomes uneven. Third, they are trust instruments: ICD 203 is expressly oriented toward engendering trust in intelligence analysis, while AI governance papers treat standards as prerequisites for auditable and scalable assurance rather than mere declarations of intent (Bisconti et al., 21 Jan 2026, Blasch et al., 2019).
This suggests that standards operate simultaneously at legal, technical, and organizational levels. They do not replace substantive judgment, but they specify how judgment is to be structured, documented, challenged, and repeated. Where standards are absent, weak, or fragmented, the result is not neutrality; it is a shift toward ad hoc interpretation and unequal enforcement.
2. How double standards emerge
The most direct formulation appears in work on the EU AI Act: double standards arise when some actors or sectors face tough, precise obligations while others face vague, unenforceable ones; when providers are tightly regulated but assessors or authorities are weakly specified; or when detailed legal obligations are not matched by concrete, auditable engineering practices. Other papers restate the same pattern in different vocabularies: a patchwork of unheeded and inconsistent audit standards, uneven treatment of physical safety and discrimination, voluntary standards with weak enforcement in some jurisdictions, or phase-based asymmetries between pre-deployment and post-deployment oversight (Bisconti et al., 21 Jan 2026, Manheim et al., 2024, Becker et al., 2021, Sankaran, 22 Apr 2025).
AI intensifies these risks because the objects being standardized are not static. Four technical difficulties recur. The first is stochastic behaviour and reproducibility: identical outputs across runs are often unrealistic, so reproducibility must be redefined as stability of measured properties within declared variance bounds. The second is data dependency: behaviour depends on training, validation, test, and operational data, including provenance, representativeness, and label quality. The third is immature evaluation practice: single-number scores are inadequate for context-dependent properties such as fairness, manipulation risk, misuse potential, or robustness under distribution shift. The fourth is lifecycle dynamics: retraining, fine-tuning, drift, and deployment into new contexts make one-time conformity assessment insufficient (Bisconti et al., 21 Jan 2026).
The resulting technical problem is not simply lack of determinism. It is that traditional testing assumptions can create false symmetry: systems appear to be held to the same standard, but in practice some actors can satisfy shallow tests while others bear the burden of deeper evidence. The EU standards paper therefore proposes that conformance be judged through stable measures rather than byte-identical outputs, for example by requiring that a safety-relevant metric satisfy
and that reported performance be accompanied by confidence intervals rather than treated as exact. This reframing is intended to prevent a formal standard from becoming a loophole for practically incomparable results (Bisconti et al., 21 Jan 2026).
A related asymmetry appears in global ISO governance. The Comparative Risk-Impact Assessment Framework scores risks by
and then compares that score with a standard’s mitigation score in a given jurisdiction. The framework shows that the same ISO document can have strong practical effect in the EU, weak practical effect in Colorado because the standard remains voluntary, and partial misalignment in China where privacy and social stability are weighted differently. Here the double standard is not textual inconsistency inside the standard itself, but unequal real-world protection under nominally shared benchmarks (Sankaran, 22 Apr 2025).
3. Structured differentiation: layers, risk tiers, and calibrated obligations
The most developed response is a layered architecture. In the EU AI Act context, horizontal standards define generic obligations and evidence structures across the lifecycle: intended purpose, operating conditions, reasonably foreseeable misuse, risk management, data governance, model documentation, evaluation planning, performance statements with uncertainty and conditions of validity, deployment controls, post-market monitoring, technical documentation, assurance case structure, and change logs. Sectoral profiles then refine this horizontal layer through domain-specific metrics, thresholds, acceptance criteria, and additional controls tied to sector regulation and practice. The key claim is that differentiation is necessary, but it must be principled and documented rather than implicit or arbitrary (Bisconti et al., 21 Jan 2026).
This architecture is explicitly designed to avoid two forms of double standards. Between sectors and risk levels, all systems share the same generic risk management and evidence structure, while sectors differ only in calibrated and justified thresholds. Between law and engineering practice, horizontal standards provide a common scaffold for what robustness, human oversight, logging, documentation, and post-market monitoring must look like in auditable form. The same legal requirement is thus instantiated through the same evidence grammar even where acceptance criteria differ (Bisconti et al., 21 Jan 2026).
A parallel classification appears in work on GenAI compliance through the Criticality and Compliance Capabilities Framework. Standards are ranked as Minimal, Moderate, High, or Extreme according to allowable error margin and consequences of violation, while models are ranked as Baseline, Specialized, Advanced, or Adaptive according to documented ability to perform standard-compliance tasks. The normative point is the same as in the layered EU model: not all standards are equal in risk, and not all models are equally suited to compliance tasks. High and Extreme criticality standards require low error tolerance and mandatory human expert oversight; Baseline models are appropriate only for lower-criticality tasks and always under review (Imperial et al., 3 Feb 2025).
Taken together, these frameworks suggest a general principle: valid differentiation is not the opposite of equality. A system for rail transport, a clinical decision support tool, and a CEFR-aligned content generator should not be forced into identical thresholds. What must remain common are the structures of justification, documentation, testing families, logging, and accountability by which differentiated thresholds are defended.
4. Domain-specific manifestations
The standardization problem changes form across domains, but the tension between standards and double standards remains visible.
In national security, the central proposal is to subject machine analysis to “the same rigorous standards as analysis performed by humans” under ICD 203. Human analysts are already required to describe source quality and credibility, express and explain uncertainty, distinguish evidence from assumptions and judgments, use clear and logical argumentation, make accurate judgments, explain changes over time, incorporate analysis of alternatives, use effective visual information, and demonstrate customer relevance and implications. AI systems, by contrast, are often treated as opaque black boxes with weaker expectations of sourcing, uncertainty disclosure, and explanation. The proposed remedy is explicit parity: AI-enabled analysis must reflect the standards if it is to be tradecraft-compliant (Blasch et al., 2019).
In workplace AI, the contrast is between a mature functional safety regime in production automation and a much thinner fairness regime in human resources and algorithmic management. Industrial robots, AGVs, and safety-related control systems are embedded in a dense architecture of Type A, B, and C machinery standards, IEC 61508, DIN EN 62061, DIN EN ISO 13849, DIN EN ISO 10218, and related conformity assessment routes. By contrast, HR AI relies on a much smaller and more nascent set of standards, such as ISO/IEC DTR 24027, IEEE P7003, and DIN SPEC 91426 for video-based personnel selection. The result is a governance imbalance: physical harms are formalized and audited with quantitative risk acceptance frameworks, while discrimination and psychosocial harms remain under-specified and largely procedural (Becker et al., 2021).
In embedded software, the coexistence of BARR-C:2018 and MISRA C:2012 illustrates a different possibility: multiple standards need not create harmful double standards if their scopes are explicit and their incompatibilities are removed. MISRA C:2012 defines a stricter safety- and security-oriented subset of C and deliberately leaves programming style to local organizations. BARR-C:2018 defines a broader language subset plus a detailed style regime aimed at minimizing programming errors. Because BARR-C:2018 removed the incompatibilities that existed with respect to MISRA C:2012 in BARR-C:2013, the two standards can be adopted in parallel or serially: BARR-C style can function as the local style guide that MISRA expects but does not supply, and critical projects can evolve toward MISRA compliance while maintaining the BARR-C programming style (Bagnara et al., 2020).
In mathematics, the adaptation of ASA and ACM ethical practice standards reveals yet another pattern. Survey respondents strongly endorsed obligations around validity, interpretability, reproducibility, conflicts of interest, plagiarism, correction of errors, confidentiality, anti-harassment, anti-retaliation, and non-exclusionary practices. They were markedly less likely to endorse items about making new mathematical knowledge widely available, recognizing mathematics as socially and culturally contextual, improving public awareness of mathematics and its consequences, or encouraging recognition that mathematics is practiced in a social context rather than value-free isolation. This suggests a disciplinary double standard between internal professional integrity, which is readily recognized as ethical, and external social responsibility, which remains contested (Buell et al., 2022).
5. Governance architectures designed to prevent double standards
A recurring conclusion is that standards alone are insufficient unless they are embedded in institutions that can interpret, update, and enforce them. Under the EU AI Act, the legal pathway runs through standardisation requests, technical work in CEN/CENELEC JTC 21, controlled drafting with normative and informative clauses, Annex Z mappings from standard requirements to AI Act provisions, public enquiry and formal vote, and citation in the Official Journal. Clause-level Annex Z mapping is treated as particularly important: if the mapping is vague, providers do not know what supports presumption of conformity, assessors cannot judge reliably, and courts and regulators confront a gap between law and technical standard. Precision at this interface is therefore a mechanism against legal-technical double standards (Bisconti et al., 21 Jan 2026).
A second governance proposal is the AI Audit Standards Board. The argument is not merely that more standards are needed, but that proliferating one-off standards can be actively harmful by producing a patchwork of inconsistent and rapidly outdated documents. A standing board would continuously develop and update audit standards, clarify what is appropriate in each domain and use case, embed process-wide oversight across development and deployment, ensure independence from any single firm, and issue interpretive guidance and application-specific standards through domain working groups. The institutional analogies are FASB, IASB, the FDA, OSHA, the FAA, and ISO bodies; the objective is to replace fragmented self-definition with coherent, adaptable standard setting (Manheim et al., 2024).
The comparative ISO paper reaches a similar conclusion from a different angle. Because voluntary standards travel unevenly across legal and political contexts, their global use should be supplemented by mandatory risk audits for high-impact AI systems, region-specific annexes to core standards such as ISO/IEC 24368 and 24028, and a strengthened privacy module. The aim is to preserve a common global core while making local differences explicit and structured, rather than allowing enforcement gaps or selective adoption to produce hidden asymmetries (Sankaran, 22 Apr 2025).
These proposals share a common structure. Standards must be living rather than static; process-wide rather than confined to final products; shared across providers, auditors, and authorities; and supported by documentation templates, logging requirements, and assurance cases that evolve through the lifecycle. Where those conditions are absent, double standards tend to reappear as private interpretations, weak post-market monitoring, or symbolic compliance.
6. Moral and social double standards in judgments about AI
The phrase “double standard” also has a social-psychological meaning distinct from regulatory asymmetry. In two preregistered experiments on moral spillover, participants judged how immoral or neutral behaviour by an AI or human agent affected attributions of moral agency and moral patiency to the individual and to the broader group. Moral spillover was defined as the effect of an agent’s action valence on group-level moral attributions, and the AI double standard was operationalized as the interaction between action valence and agent type on group-level measures:
The results differentiate narrow and broad group judgments. In the first study, immoral behaviour by one assistant produced spillover to the corresponding narrow group, whether the assistant was a chatbot or a human; there was no significant difference between AI and human contexts. In the second study, where the agent was individuated and participants rated “AIs in general” and “humans in general,” spillover persisted in the AI context but not in the human context. One immoral AI increased attributions of negative moral agency and reduced attributions of positive moral agency and moral patiency for AIs in general, whereas one immoral human did not comparably alter judgments of humans in general. The proposed explanation is perceived homogeneity of AIs as an outgroup relative to humans (Manoli et al., 2024).
This is not a standards architecture in the legal sense, but it is a standards problem in the normative sense. The same evidentiary input is used differently across categories: one bad human does not taint humanity, whereas one bad AI can taint AI as a class. A plausible implication is that even well-designed technical and legal standards may operate in a public environment where AIs are judged under stricter generalization rules than humans. That matters for trust, because failures of one system can spill over to perceptions of unrelated systems, intensifying the demand for transparent, auditable, and visibly differentiated governance.
Standards and double standards are therefore best understood as a coupled problem. Standards are needed to translate high-level norms into repeatable technical and organizational practice. Yet the literature shows that standards can themselves become vehicles of unequal treatment when they are fragmented, weakly enforced, static in fast-moving domains, or detached from governance institutions. The durable solution is not uniformity in every threshold or method, but structured differentiation: common evidence structures, lifecycle controls, logging, documentation, and assurance mechanisms, paired with explicit risk- and domain-based calibration. Where that architecture exists, differences become intelligible and justifiable. Where it does not, double standards proliferate—between sectors, jurisdictions, lifecycle stages, professions, and even between judgments of humans and judgments of AIs (Bisconti et al., 21 Jan 2026, Manheim et al., 2024, Sankaran, 22 Apr 2025).