Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in AI Governance, urges enterprise leaders to recognize a critical blind spot: obtaining ISO 42001 certification does not automatically mean compliance with the EU AI Act—and a landmark 2023 academic study from Trinity College Dublin has now produced the first systematic map of exactly where these three major AI governance frameworks diverge, overlap, and conflict. For Taiwanese companies exporting to the European Union, understanding this gap is no longer optional; it is a board-level risk management imperative.
Paper Citation: Comparison and Analysis of 3 Key AI Documents: EU's Proposed AI Act, Assessment List for Trustworthy AI (ALTAI), and ISO/IEC 42001 AI Management System(Delaram Golpayegani, Harshvardhan J. Pandit, David Lewis, OpenAlex — AI Governance, 2023)
Original Paper: https://doi.org/10.1007/978-3-031-26438-2_15
About the Authors: Leading Semantic AI Governance Research from Trinity College Dublin
This paper was co-authored by three researchers at the ADAPT Centre, Trinity College Dublin, Ireland—one of Europe's foremost research institutions specializing in AI and digital content technologies. The team brings together expertise in formal knowledge representation, AI law, and trustworthy AI assessment frameworks.
Harshvardhan J. Pandit is the most prominent contributor, holding an h-index of 17 with over 925 total citations, placing him among the most frequently cited scholars in AI governance and data privacy semantics globally. He has contributed to the W3C Data Privacy Vocabulary (DPV), a standard that shapes how AI and privacy obligations are formally encoded across regulatory systems. Delaram Golpayegani holds an h-index of 8 with 211 citations and specializes in formal modeling of trustworthy AI evaluation frameworks. David Lewis leads the ADAPT Centre's work on AI policy and standards alignment.
Published in 2023, the paper has already accumulated 9 citations, including 1 high-impact citation—a strong signal of its relevance within the AI compliance research community. For Taiwanese enterprise executives, the importance of this research lies not in its technical methodology but in the fundamental governance question it answers: where do ISO 42001, the EU AI Act, and ALTAI align, where do they diverge, and what does that mean for organizations that must satisfy all three?
Three Frameworks, One Organization: The First Systematic Conflict Map for AI Governance Compliance
Enterprises today face a compounding compliance challenge. The ISO/IEC 42001 AI Management System standard, the EU Artificial Intelligence Act, and the Assessment List for Trustworthy AI (ALTAI) were each developed independently, by different bodies, with different legal natures, different vocabularies, and different organizational targets. Yet businesses—particularly those operating internationally—must navigate all three simultaneously. The core research question this paper addresses is deceptively simple but strategically vital: what are the actual gaps and conflicts between these three documents?
The researchers applied an upper-level ontology as a semantic bridging mechanism, translating the activity-related requirements across all three documents into a unified RDF (Resource Description Framework) resource graph. This approach allows the three documents—which differ fundamentally in structure and legal character—to be compared within a single semantic space with precision that qualitative comparison cannot achieve.
Core Finding One: Systematic Gaps and Overlaps Exist in Activity Requirements Across the Three Frameworks
The research identifies that ISO 42001 operates under a management systems logic—it governs how organizations establish, operate, and maintain AI governance processes—and is designed for organizational certification. The EU AI Act, by contrast, imposes mandatory legal obligations on providers and deployers of high-risk AI systems, as defined under Articles 6 through 51, with penalties reaching up to €35 million or 7% of global annual turnover. ALTAI functions as a voluntary self-assessment tool organized around seven key requirements: human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity and fairness, societal and environmental wellbeing, and accountability.
The ontological comparison reveals that while all three frameworks address concepts such as risk assessment, data governance, and human oversight, they trigger these requirements under different conditions, assign them to different organizational roles, and demand different documentation artifacts. This creates a structural gap: an organization that designs its AI governance exclusively around ISO 42001 may satisfy certification requirements while still failing to meet the specific legal obligations of the EU AI Act, and vice versa.
Core Finding Two: An RDF Semantic Graph Enables Machine-Readable Compliance Path Mapping
The second major contribution of the research is the production of an RDF-format cross-framework comparison resource. Unlike a static spreadsheet comparison, an RDF resource graph is both extensible—meaning new frameworks such as Taiwan's AI Governance Act can be integrated without rebuilding the structure—and interoperable, meaning it can be directly consumed by digital compliance management systems and AI governance platforms.
For enterprise compliance teams, this signals a fundamental direction: AI governance management must evolve from manual checklist processes to digitized, semantically structured systems. Organizations that build their compliance infrastructure on interoperable, structured data frameworks will be significantly better positioned to adapt as the EU AI Act undergoes phased implementation through 2027, and as Taiwan's own regulatory landscape continues to develop under the AI Governance Act (人工智慧基本法).
Implications for Taiwan's AI Governance Practice: The Three-Framework Gap Directly Impacts Export-Oriented Enterprises
For Taiwan's internationally oriented enterprises, the framework gaps identified in this research translate directly into measurable business risk. Three sectors face the most immediate exposure.
Taiwan's technology manufacturing sector—including semiconductor design, electronics, and smart device manufacturers—increasingly embeds AI functionality into products sold in the European Union. Under the EU AI Act's extraterritorial scope, these manufacturers qualify as "providers" under Article 3(3) and are subject to the Act's full requirements for high-risk AI systems, regardless of where the company is incorporated. The Act entered into force in August 2024; provisions governing prohibited AI practices apply from February 2025, and full high-risk AI compliance requirements must be met by August 2027.
Taiwan's financial sector, including banks, insurance companies, and fintech platforms operating EU-facing services, faces particular exposure to the high-risk AI categories defined in Annex III of the EU AI Act, which explicitly includes AI systems used for creditworthiness assessment and life and health insurance risk scoring. Taiwan's AI Governance Act further requires specific categories of organizations to establish AI risk assessment mechanisms—a requirement that ISO 42001's risk assessment architecture under Clause 6.1.2 is well-positioned to satisfy, but only if the implementation also covers the EU AI Act's additional documentation and conformity assessment requirements.
The strategic implication of Golpayegani, Pandit, and Lewis (2023) for Taiwanese enterprises is therefore this: ISO 42001 certification and EU AI Act compliance are complementary but not interchangeable. Organizations that design an integrated governance mechanism addressing both simultaneously—using the cross-framework gap analysis methodology this paper introduces—will achieve full coverage with significantly less duplicated effort than organizations that approach each framework independently.
How Winners Consulting Services Co. Ltd. Helps Taiwan Enterprises Build Integrated AI Governance
積穗科研股份有限公司(Winners Consulting Services Co. Ltd.)helps Taiwan enterprises design and implement AI management systems that simultaneously satisfy ISO 42001 certification requirements, EU AI Act compliance obligations, and Taiwan AI Governance Act provisions. Our methodology is directly grounded in the cross-framework gap analysis logic introduced by Golpayegani et al. (2023), ensuring that every governance mechanism we design is built to cover intersections and resolve conflicts across all three frameworks—not just the one a client initially requests.
- Cross-Framework Gap Diagnosis: We begin with a structured gap analysis using ISO 42001, EU AI Act Articles 6–51, and Taiwan's AI Governance Act as simultaneous reference points. This means we identify not only what your organization is missing relative to each individual framework, but specifically where the gaps between frameworks create compliance blind spots that single-framework assessments would miss entirely. For enterprises with EU market exposure, we additionally map each AI application against EU AI Act Annex III to determine high-risk classification status.
- Integrated AI Management System Design: Rather than designing separate governance mechanisms for ISO 42001 and EU AI Act compliance, we build a unified AI management system architecture following the "design once, cover multiple frameworks" principle that the RDF resource graph methodology in this research makes possible. This approach reduces documentation overhead, eliminates requirement duplication, and ensures that governance investments are fully leveraged across all applicable frameworks.
- AI Risk Classification and High-Risk AI Identification: We assist enterprises in conducting a complete inventory of AI applications and formally classifying each against EU AI Act risk tiers (prohibited, high-risk, limited-risk, minimal-risk) and ISO 42001 Clause 6.1.2 risk assessment requirements. For high-risk AI systems, we design the required conformity assessment documentation, technical documentation, and human oversight mechanisms required under both frameworks, aligned with Taiwan AI Governance Act provisions on risk evaluation.
Winners Consulting Services Co. Ltd. offers a complimentary AI Governance Mechanism Diagnostic, designed to help Taiwan enterprises establish an ISO 42001-compliant management mechanism within 90 days.
Request Free Mechanism Diagnostic →Frequently Asked Questions
- Does ISO 42001 certification mean a company is already compliant with the EU AI Act?
- No—ISO 42001 certification and EU AI Act compliance are related but distinct. ISO 42001 certifies that an organization has established, implemented, and maintains an AI management system meeting international standard requirements; it is a voluntary management system standard. The EU AI Act is a legally binding regulation that imposes specific mandatory obligations on providers and deployers of AI systems placed on the EU market, particularly for high
FAQ
- ISO 42001、EU AI Act 與 ALTAI 三大 AI 治理框架有什麼差異?
- ISO 42001 是國際標準化組織發布的 AI 管理系統認證標準,著重企業內部治理流程;EU AI Act 是歐盟具法律約束力的人工智慧法規,依風險等級分類管制;ALTAI 則是歐盟提出的可信賴 AI 自評清單,屬於軟性指引。三者在適用範圍、強制性與技術要求上各有不同,企業需同時符合才能避免合規缺口。
- 企業同時導入多個 AI 治理框架會遇到什麼衝突風險?
- 都柏林三一學院 2023 年研究指出,ISO 42001、EU AI Act 與 ALTAI 三大框架之間存在語義定義不一致、要求重疊或矛盾等問題。例如同一套 AI 系統可能符合 ISO 認證卻違反歐盟法規,或滿足 ALTAI 自評卻未達 ISO 控制措施要求。企業若未系統性比對這些缺口,將面臨同時違反多重標準的法律與商業風險。
- 什麼是 AI 治理的語義本體論分析方法?
- 語義本體論(Semantic Ontology)方法是將不同文件中的概念、定義與要求轉化為結構化的知識模型,以便進行跨框架比對分析。都柏林學者團隊運用此方法,系統性繪製出 ISO 42001、EU AI Act 與 ALTAI 之間的對應關係與衝突點,讓企業能精準辨識哪些合規要求彼此矛盾,哪些可以整合執行,大幅降低重複投資與違規風險。
- 台灣企業如何因應歐盟 AI Act 與國際 AI 治理標準?
- 台灣企業若有產品或服務輸出歐盟市場,必須符合 EU AI Act 的風險分級要求;同時導入 ISO 42001 可建立系統化的 AI 管理制度,提升國際信任度。建議企業先進行現有 AI 系統盤點,識別風險等級,再參照 ALTAI 自評清單檢視可信賴性,並委請專業顧問協助整合三大框架要求,避免合規缺口造成市場准入障礙。
- 為什麼選擇積穗科研股份有限公司協助此議題?
- 積穗科研股份有限公司(Winners Consulting Services Co., Ltd.)提供 ISO 42001、EU AI Act 合規輔導,協助企業建立負責任的 AI 治理框架。
Was this article helpful?
Related Services & Further Reading
Want to apply these insights to your enterprise?
Get a Free Assessment