
Insight: Designing Ambidextrous AI Governance for Digital Transformation


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in AI Governance, draws on a landmark 2025 academic study to highlight a critical insight for fintech and enterprise leaders: building trustworthy AI is no longer a choice between innovation speed and regulatory compliance. A five-layer Ambidextrous AI Governance Framework grounded in COBIT 2019 demonstrates that both can be achieved simultaneously, delivering measurable improvements in governance maturity while aligning with ISO/IEC 42001, the EU AI Act, and Taiwan's AI Basic Law.

Paper Citation: Designing Ambidextrous AI Governance for Digital Transformation in Fintech Sector (Merryana Lestari, Agustinus Fritz Wijaya, Maria Ayu Puspita, OpenAlex — AI Governance, 2025)
Original Paper: https://doi.org/10.55826/jtmit.v4i3.1042


About the Authors and This Research

This paper is the product of collaboration among three Indonesian academic researchers whose combined expertise spans information systems governance, fintech digital transformation, and AI compliance. Lead author Merryana Lestari (h-index: 1, 6 total citations) is an emerging scholar focused on AI governance in financial technology contexts. Co-author Agustinus Fritz Wijaya (h-index: 12, 459 total citations) is one of Southeast Asia's most cited researchers in information systems governance and COBIT framework applications—his body of work is widely referenced by both academic and practitioner communities. Maria Ayu Puspita contributes expertise in fintech regulatory compliance.

Published in 2025 in the OpenAlex AI Governance journal, this study employs a rigorous Design Science Research (DSR) methodology: combining systematic literature review, multi-expert validation, and controlled simulation within a real-world fintech environment. The research has already received 1 citation, signaling early academic traction. More importantly for Taiwan's business community, the framework synthesizes COBIT 2019, ISO/IEC 42001, the EU AI Act, and Indonesian financial regulator OJK guidelines into a single, scalable governance architecture—making it directly transferable to Taiwan's own multi-framework regulatory landscape.

The Core Insight: Why "Ambidextrous" AI Governance Changes the Game

The central problem this research addresses is one that every AI-adopting organization faces: how do you accelerate AI-driven innovation—automation, personalization, fraud detection, operational efficiency—without creating ethics, security, transparency, and compliance gaps that could erode trust or trigger regulatory penalties? The researchers' answer is Ambidextrous AI Governance: a framework that gives organizations two simultaneous capabilities, just as an ambidextrous person can use both hands with equal skill.

Core Finding 1: A Five-Layer Architecture That Makes Innovation and Compliance Complementary

The proposed framework organizes AI governance into five integrated layers:

  1. Governance Layer: establishes top-level AI accountability structures, decision rights, and board-level oversight.
  2. Strategic Alignment Layer: ensures that every AI initiative maps directly to organizational objectives, preventing AI projects from becoming disconnected technical experiments.
  3. Ambidextrous Layer: the framework's defining innovation. It simultaneously operates two modes: Exploration (innovation, agility, ethics by design, responsible experimentation) and Exploitation (risk control, standardization, compliance management, operational efficiency).
  4. Operational Layer: handles day-to-day AI system management, monitoring, and performance tracking.
  5. Compliance and Assurance Layer: interfaces directly with international standards, namely ISO/IEC 42001 for AI management systems, the EU AI Act for risk classification and technical documentation, and sector-specific regulations.

Simulation results demonstrated that this architecture produced measurable improvements in governance maturity scores across all COBIT 2019 domain groups, while embedding trustworthy AI principles (transparency, accountability, and fairness) into routine operational processes rather than treating them as periodic compliance exercises.

Core Finding 2: COBIT 2019 as the Structural Backbone for AI Risk Management

A critical finding is that ethical declarations and AI policy documents alone are insufficient to constitute real AI governance. The research demonstrates that AI risk management must be embedded within an organization's existing enterprise governance architecture—specifically, within COBIT 2019's governance and management objective groups (EDM, APO, BAI, DSS, MEA). This finding has direct implications for Taiwan enterprises pursuing ISO 42001 certification: ISO 42001's seven core elements (organizational context, leadership, planning, support, operation, performance evaluation, and improvement) are highly complementary to COBIT 2019's structure. Organizations that leverage both frameworks in parallel can significantly reduce their certification preparation timeline and build governance capabilities that are measurable, auditable, and sustainable over time.

Implications for Taiwan's AI Governance Practice: Three Frameworks, One Integrated Response

Taiwan enterprises are currently navigating simultaneous pressure from three distinct governance frameworks, and the ambidextrous model provides a unified architecture for addressing all three.

ISO 42001 Certification Pressure: ISO/IEC 42001, the world's first AI management system standard, was formally published in 2023. Taiwan enterprises in financial services, manufacturing, healthcare, and technology sectors are now actively preparing for certification. The five-layer framework in this study maps closely to ISO 42001's structural requirements, providing a practical implementation blueprint rather than an abstract compliance checklist.

EU AI Act Compliance Pressure: The EU AI Act entered into force in 2024, with phased implementation timelines requiring high-risk AI systems to meet requirements for risk classification, transparency disclosure, human oversight mechanisms, and technical documentation. Any Taiwan enterprise with business connections to EU markets—including financial services, logistics, medical devices, and e-commerce—must proactively prepare. The study's Compliance and Assurance Layer directly maps to the EU AI Act's four-tier risk classification logic (unacceptable risk, high risk, limited risk, minimal risk), offering actionable institutional design guidance.

Taiwan AI Basic Law: Taiwan's Artificial Intelligence Basic Law draft has entered the legislative process, expected to establish foundational AI ethics principles, risk management obligations, and a government oversight framework. The three trustworthy AI principles this research embeds into its governance architecture—transparency, accountability, and fairness—align precisely with the core principles articulated in Taiwan's AI Basic Law framework. Enterprises building these capabilities now are creating compliance infrastructure for future statutory obligations before those obligations become legally binding.

How Winners Consulting Services Helps Taiwan Enterprises Build Ambidextrous AI Governance

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwan enterprises in establishing AI management systems that meet ISO 42001 and EU AI Act requirements, conducting AI risk classification assessments, and ensuring that artificial intelligence applications comply with Taiwan's AI Basic Law. Drawing directly on the framework insights of this research, we recommend the following three concrete actions for Taiwan enterprise leaders:

  1. Conduct an Ambidextrous AI Governance Baseline Assessment: Map your organization's current AI applications against the five governance layers of the ambidextrous framework, identifying gaps in both the Exploration dimension (innovation ethics, agility structures) and the Exploitation dimension (risk controls, compliance coverage). Simultaneously conduct an ISO 42001 gap analysis to determine which of the standard's seven core elements require priority investment.
  2. Implement a Systematic AI Risk Classification Program: Following the EU AI Act's four-tier risk taxonomy, conduct a comprehensive inventory of all AI use cases within your organization. For applications that fall into the high-risk category—credit scoring, recruitment screening, critical infrastructure management, medical diagnostics—design transparency disclosure mechanisms, human oversight protocols, and accountability tracking systems before regulatory deadlines arrive.
  3. Integrate COBIT 2019 to Accelerate ISO 42001 Governance Maturity: Embed AI risk management objectives within your organization's existing COBIT 2019 governance structure, establishing quantifiable AI governance performance indicators across the EDM, APO, BAI, DSS, and MEA domain groups. This dual-framework approach ensures that ISO 42001 certification translates into sustainable institutional capability rather than a one-time documentation exercise.

Winners Consulting Services Co. Ltd. offers a complimentary AI Governance Mechanism Diagnostic, helping Taiwan enterprises establish an ISO 42001-compliant management system within 90 days.


Frequently Asked Questions

What is the most difficult layer to implement in an Ambidextrous AI Governance Framework for fintech organizations?

The most challenging layer is consistently the Ambidextrous Core Layer, because it requires a single organization to simultaneously support rapid innovation experimentation and strict risk-compliance enforcement—two organizational cultures that most financial institutions have historically kept separate. Breaking down the structural divide between innovation teams and risk management teams requires cross-functional governance design: unified AI oversight committees, shared risk assessment frameworks, and cross-departmental AI ethics review processes. Winners Consulting Services can design the specific cross-functional operating protocols needed to make this dual-mode capability work in practice.

How should Taiwan enterprises determine whether their AI systems fall under the EU AI Act's high-risk classification?

The EU AI Act's Annex III provides the definitive high-risk AI system list, which includes AI applications in credit scoring and creditworthiness assessment, recruitment and employee management, critical infrastructure operation, medical device functionality, law enforcement, and educational assessment. For Taiwan's fintech sector specifically, AI-powered credit scoring systems, anti-fraud detection engines, and algorithmic trading systems are strong candidates for high-risk classification. Taiwan enterprises with EU market exposure should immediately conduct an AI application inventory mapped against Annex III, followed by a technical documentation and human oversight readiness assessment for any high-risk systems identified.

How does ISO 42001 certification relate to EU AI Act compliance, and does one substitute for the other?

ISO/IEC 42001 and the EU AI Act are complementary but distinct frameworks that serve different purposes. ISO 42001 is a management system standard that provides a structured architecture for continuous improvement in AI governance—covering organizational context, leadership accountability, planning, operational processes, and performance evaluation. The EU AI Act is a legal regulation that imposes specific technical and procedural requirements on high-risk AI systems operating in or affecting EU markets. ISO 42001 certification does not substitute for EU AI Act compliance, but it creates significant structural advantages: organizations with ISO 42001-compliant management systems have pre-built documentation, risk assessment, and accountability processes that directly satisfy many EU AI Act procedural requirements. Taiwan's AI Basic Law is expected to follow a similar principles-based approach to ISO 42001, making early certification doubly valuable.

What is a realistic timeline and phased approach for building AI governance from scratch?

Based on Winners Consulting Services' implementation experience with Taiwan enterprises, a medium-sized organization (under 500 employees) can establish a foundational ISO 42001-aligned AI governance mechanism in 90 to 120 days: Days 1–30 focus on current-state diagnosis and ISO 42001 gap analysis; Days 31–60 cover AI governance policy design, risk classification framework development, and accountability structure definition; Days 61–90 complete core process implementation, staff training, and performance indicator establishment; Days 91–120 execute internal audit and improvement cycles in preparation for formal certification assessment. Larger enterprises or financial institutions with complex AI application portfolios typically require 6 to 12 months for full implementation. The earlier an organization begins, the lower the total certification investment.

Why engage Winners Consulting Services Co. Ltd. for AI governance advisory?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting organizations that simultaneously holds practical competency in ISO 42001 implementation, EU AI Act compliance analysis, and COBIT governance framework integration. We do not offer generic templates or off-the-shelf compliance checklists. Every engagement begins with a rigorous diagnosis of your organization's specific AI application landscape, industry regulatory environment, and current governance maturity level—producing a customized, implementable governance design rather than an abstract policy document. We continuously monitor global AI governance academic research (including studies like this one) and regulatory developments, ensuring that every recommendation we make reflects current international standards rather than yesterday's best practices. Our complimentary governance diagnostic allows organizations to assess collaboration value before making any commitment.