Insight: AI Ethics and Governance in Practice: An Introduction

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in AI Governance, calls attention to a critical gap facing Taiwanese enterprises: having good intentions about AI ethics is no longer sufficient. A 2024 landmark research paper from The Alan Turing Institute introduces the PBG Framework—a multi-tiered governance model that transforms ethical principles into auditable, documentable management practices directly aligned with ISO 42001, the EU AI Act, and Taiwan's emerging AI Basic Act.

About the Authors and This Research

David Leslie is a senior researcher at The Alan Turing Institute, the United Kingdom's national institute for data science and artificial intelligence, where he leads work on responsible AI methodologies. With an h-index of 2 and 14 cumulative citations, his contributions are specifically focused on translating high-level ethical frameworks into practical governance tools. Cami Rincón brings a stronger citation profile to the collaboration, with an h-index of 4 and 65 cumulative citations, reflecting broader academic influence across AI ethics application research. Morgan Briggs specializes in converting governance principles into organizationally executable operational frameworks.

The Alan Turing Institute is designated by the UK government as the central hub for responsible AI research and has directly influenced European AI policy discussions. Its research outputs are regularly referenced by international standards bodies including ISO and IEC. This paper, published on the arXiv — AI Governance & Ethics platform in 2024, has already received 2 formal citations since publication—notable for a practitioner-oriented policy framework document, indicating uptake in both academic and applied governance communities.

The PBG Framework: Moving AI Ethics from Declaration to Demonstration

The paper's most important contribution is a clear and actionable argument: ethical AI cannot remain at the level of published principles or corporate value statements. It must be embedded into every stage of the AI project lifecycle through mechanisms that can be operated, monitored, and verified. The authors' PBG (Principle-Based Governance) Framework provides a multi-tiered architecture spanning organizational strategy, project management, and individual decision-making levels—each with corresponding principles, operational tools, and documentation requirements.

Core Finding 1: Three Structural Failure Modes in AI Ethics Implementation

The research identifies three recurring failure patterns that undermine even well-intentioned AI ethics efforts. First, organizations possess senior-level ethical intentions but lack operationalized toolkits that frontline teams can actually apply during development. Second, even where mechanisms exist, there are no sustained tracking systems to verify ongoing adherence. Third, the absence of documentation creates an evidence vacuum when organizations need to demonstrate compliance to regulators, clients, or boards. The PBG Framework directly addresses each failure mode through a layered design: the organizational policy layer sets direction, the project management layer provides workflow integration, and the individual decision layer ensures accountability at the point of action.

Core Finding 2: Ethics Must Be Integrated Concurrently with Innovation, Not Applied Retrospectively

One of the paper's most practically significant arguments is the cost of "ethics retrofitting." When AI governance is treated as a post-development review process, organizations face compounding remediation costs as technical decisions become locked in. The PBG Framework mandates explicit ethics checkpoints at each phase of the AI development lifecycle—requirements definition, data collection, model training, deployment, and ongoing monitoring. This "shift-left ethics" approach mirrors the lifecycle integration requirements of ISO/IEC 42001 and aligns directly with the EU AI Act's (Regulation (EU) 2024/1689) requirement for mandatory conformity assessments for high-risk AI systems before market placement.

What This Means for Taiwanese Enterprises Navigating AI Compliance

Taiwanese enterprises face a convergence of three binding regulatory frameworks that are simultaneously tightening their requirements, with direct implications for market access and supply chain positioning.

ISO/IEC 42001 (2023): The world's first international standard for AI management systems requires organizations to establish a comprehensive management system covering risk assessment, impact assessment, objective setting, and continual improvement across the full AI system lifecycle. ISO 42001 certification is rapidly becoming a procurement qualification threshold for European, Japanese, and North American enterprise buyers. Taiwanese technology manufacturers, software service providers, and financial institutions with international operations should treat this standard as a near-term business necessity, not a long-term aspiration.

EU AI Act — Regulation (EU) 2024/1689: Officially enacted in 2024, the EU AI Act classifies AI systems into four risk tiers: unacceptable risk (prohibited), high risk (mandatory conformity assessment), limited risk (transparency obligations), and minimal risk (voluntary code of conduct). High-risk categories explicitly include human resources management systems, credit scoring, critical infrastructure management, and education assessment tools—all sectors with significant Taiwanese enterprise participation. The Act applies extraterritorially: any Taiwanese company whose AI system outputs are used by EU-based users, or that provides AI-embedded products to EU clients, falls within its jurisdiction regardless of physical establishment in the EU.

Taiwan AI Basic Act (人工智慧基本法): Taiwan's draft AI Basic Act is under legislative review, structured around principles of human-centricity, trustworthiness, transparency, and risk proportionality—mirroring the EU AI Act's philosophical foundations. The Act establishes a shared responsibility framework between government and enterprises and is expected to create formal compliance obligations for enterprises deploying AI in public-facing or high-impact contexts. Organizations that establish robust governance foundations now will face substantially lower friction when formal compliance requirements become mandatory.

The PBG Framework's multi-tiered, document-centric governance architecture maps with high structural fidelity onto the requirements of all three frameworks, making it an exceptionally practical reference point for Taiwanese enterprises beginning or maturing their AI governance journey.

How Winners Consulting Services Co. Ltd. Translates PBG Principles into ISO 42001-Ready Systems

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwanese enterprises in building AI management systems that satisfy the requirements of ISO 42001, the EU AI Act, and the Taiwan AI Basic Act. Our engagement model is not advisory report delivery—it is sustainable governance system construction.

1. AI Governance Gap Diagnosis: We benchmark your existing AI applications against the 10 management elements of ISO 42001 and the three-tier structure of the PBG Framework, producing a quantified gap analysis report that identifies your highest-priority risk areas and assigns a current governance maturity score. This diagnosis is available at no charge as your first engagement step.
2. AI Risk Classification and Conformity Assessment Design: Drawing on the four-tier risk logic of the EU AI Act, we classify each of your existing and planned AI systems, design proportionate conformity assessment procedures for high-risk systems, and establish the documentation workflows required to evidence compliance to regulators and enterprise clients.
3. ISO 42001 Management System Implementation and Certification Readiness: We guide your organization through the full implementation cycle—policy development, risk and impact assessment processes, objective setting, internal audit design, and personnel training—targeting completion of foundational system elements within 90 days and positioning your organization for formal certification audit within 6 to 9 months depending on organizational scale.

Frequently Asked Questions

How is the PBG Framework different from the AI ethics policy our company already has in place?

The PBG Framework's defining value lies in two dimensions that most existing AI ethics policies lack: operationalizability and auditability. Many organizations have published AI ethics statements or internal policy documents, but these rarely provide project teams with specific tools for each development phase or generate the evidence records needed to demonstrate compliance to regulators or clients. The PBG Framework's three-tier architecture—organizational policy, project management, and individual decision layers—provides corresponding principles, operational checklists, and documentation requirements at each level. This transforms ethics governance from declaration into verifiable management behavior, which is precisely what ISO 42001 certification auditors assess.

Does the EU AI Act apply to Taiwanese companies with no physical presence in the EU?

Yes. The EU AI Act adopts a market-effect jurisdiction principle similar to GDPR's extraterritorial framework. If a Taiwanese company's AI system outputs are used by EU-based users, or if the company provides products or services with embedded AI capabilities to EU clients, the Act applies regardless of where the company is physically incorporated or headquartered. For high-risk AI systems, this means mandatory conformity assessment before market placement and designation of an EU-authorized representative. Taiwanese technology manufacturers, SaaS providers, and financial institutions with EU-market exposure should conduct a risk classification review of their AI portfolios as a priority action in 2024 and 2025.

What specific benefits does ISO 42001 certification deliver, and how does it relate to EU AI Act and Taiwan AI Basic Act compliance?

ISO/IEC 42001, published in 2023 as the world's first AI management system standard, delivers four categories of concrete benefit to certified organizations. First, it establishes a qualification credential increasingly required by European and Japanese enterprise procurement processes. Second, it provides substantive management system evidence that significantly reduces the documentation burden for EU AI Act conformity assessments. Third, its principles of transparency, risk proportionality, and continual improvement directly correspond to the foundational requirements of Taiwan's AI Basic Act. Fourth, it reduces legal liability and reputational exposure from AI system failures by embedding systematic risk identification and mitigation. ISO 42001 certification is not a substitute for EU AI Act conformity declarations for high-risk systems, but it materially lowers the effort required to achieve those declarations.

How long does it take to implement an ISO 42001-compliant AI management system, and what are the steps?

Depending on organizational scale and existing governance maturity, full ISO 42001 implementation typically requires 3 to 9 months. Winners Consulting Services follows a four-phase engagement structure: Phase 1 (Weeks 1–4) covers current-state diagnosis and gap analysis against ISO 42001's 10 management elements; Phase 2 (Weeks 5–8) covers policy and mechanism design including AI risk classification architecture, impact assessment procedures, and documentation templates; Phase 3 (Weeks 9–12) covers system implementation and personnel training to ensure each organizational level can execute its designated governance responsibilities; Phase 4 (Week 13 onward) covers internal audit execution and continual improvement cycles in preparation for certification audit. Most medium-sized enterprises can complete foundational system elements within 90 days and reach certification readiness within 6 months.

Why should Taiwanese enterprises work with Winners Consulting Services Co. Ltd. for AI governance?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) offers three differentiating capabilities. First, we integrate international standards (ISO 42001), regulatory requirements (EU AI Act), and local legal context (Taiwan AI Basic Act) into a unified, Taiwan-specific compliance pathway rather than applying generic frameworks designed for other markets. Second, our consulting team combines technical AI expertise with regulatory policy specialization, enabling us to translate academic frameworks like the PBG Framework into executable internal processes and management tools that Taiwanese enterprise teams can actually operate. Third, our diagnostic-led engagement model ensures that every client investment is preceded by a clear, quantified understanding of their current governance gaps and highest-priority action items. We offer a no-cost initial diagnostic so enterprises can make informed decisions about their governance investment before committing resources.