The AI Regulatory Capability Framework and Self-Assessment Tool

⚡ Quick Summary

This report from the Alan Turing Institute introduces a structured framework and practical self-assessment tool designed to help regulators evaluate and improve their ability to govern AI. It responds directly to a core challenge in modern AI policy: not just defining rules, but ensuring regulators are capable of implementing them effectively.

The framework breaks AI regulation into concrete activities across a full regulatory lifecycle and maps them against six capability areas (e.g. legal powers, resources, expertise, infrastructure). It then translates these into actionable “capability statements” and scoring tools that organisations can use to diagnose gaps.

What makes this resource particularly valuable is its operational focus—it moves beyond principles and into execution. It is less about what “good AI governance” should look like, and more about whether regulators can actually deliver it in practice.

🧩 What’s Covered

The document is structured around a comprehensive model of AI regulatory capability, combining three core elements: regulatory activities, capability factors, and good practice benchmarks.

At the heart of the framework is a lifecycle model of regulation, consisting of six stages: agenda setting, rulemaking, engagement, monitoring, enforcement, and evaluation. Each stage is further broken down into 28 specific activities, such as mapping the AI landscape, assessing risks, designing enforcement mechanisms, or updating regulatory strategies. This granular approach enables regulators to pinpoint exactly where capability gaps arise.

Overlaying this lifecycle are six capability factors that determine whether regulators can perform these activities effectively: legal authority, financial resources, infrastructure and tools, research and intelligence, skills and expertise, and leadership and culture. These factors span system-level constraints (e.g. statutory powers) and organisational-level enablers (e.g. talent and collaboration).

The framework then introduces 17 “capability statements” that define what good looks like in practice. These act as benchmarks for evaluation and are explicitly tied to regulatory actions, not abstract principles.

Finally, the self-assessment tool operationalises the framework. It provides three levels of analysis: a high-level snapshot, a lifecycle-stage assessment, and a deep dive into individual regulatory activities. Each uses a scoring system (from very low to very high readiness) combined with qualitative inputs such as risks, planned actions, and external dependencies.

💡 Why it matters?

This report addresses one of the most overlooked gaps in AI governance: regulatory capability. Most frameworks assume that once rules are defined, they can be implemented. This resource challenges that assumption directly.

It reframes AI governance as an execution problem. Even the best-designed regulatory frameworks will fail if institutions lack the skills, data infrastructure, funding, or coordination mechanisms to enforce them.

Practically, this is highly relevant for jurisdictions adopting decentralised or sectoral AI regulation (like the UK or EU). In such systems, effectiveness depends not on a single authority, but on the collective readiness of multiple regulators.

For organisations, the tool provides a bridge between strategy and operations. It enables structured conversations about capability gaps, supports funding justifications, and aligns internal teams around a shared model of “what good looks like.”

❓ What’s Missing

The framework is intentionally generic, which makes it widely applicable—but also limits its prescriptiveness. It does not provide sector-specific guidance (e.g. healthcare, finance), which is often where the hardest regulatory questions arise.

There is also limited discussion of political and institutional constraints. While the framework acknowledges system-level dependencies, it does not deeply explore how power dynamics, incentives, or regulatory capture might affect capability building.

Additionally, the scoring system—while useful—relies heavily on subjective self-assessment. Without external benchmarking or validation, results may vary significantly between organisations.

Finally, the framework focuses on regulators, with less attention to how industry capabilities (or lack thereof) interact with regulatory effectiveness.

👥 Best For

Public regulators and supervisory authorities
Government departments shaping AI regulatory strategy
AI policy and governance teams within regulatory bodies
International organisations assessing regulatory readiness
Consultants supporting AI governance implementation