Search papers, labs, and topics across Lattice.
This paper identifies a critical gap in the governance of artificial intelligence (AI) regarding operational resilience, highlighting that existing frameworks focused on trustworthiness do not adequately address the continuity of business services during severe disruptions. It argues for the necessity of an AI Resilience Framework that incorporates dependency mapping, criticality-substitutability tiering, and explicit fallback doctrines to manage AI-related risks. The proposed framework aims to provide actionable strategies for organizations to enhance their resilience against potential AI failures, thereby bridging the divide between AI governance and operational stability.
AI governance frameworks fall short in ensuring operational resilience, necessitating a new approach to manage dependencies and risks effectively.
The rapid adoption of artificial intelligence across regulated firms has produced an extensive governance response oriented around trustworthiness: the EU AI Act, ISO IEC 42001, the NIST AI Risk Management Framework, and the United Kingdom's principles-based approach all address safety, fairness, transparency, and model risk. That response is necessary but incomplete. It does not, on its own, address operational resilience: the continuity of important business services under severe but plausible disruption, the substitutability of AI components, and the concentration of dependency on the small number of firms that supply frontier models. This paper argues that AI adoption creates a resilience obligation that is distinct from, and inadequately covered by, the trustworthy AI stack, and that United Kingdom financial authorities are already closing this gap through the Financial Policy Committee's systemic analysis, the Critical Third Parties regime, and the May 2026 joint statement on frontier AI and cyber resilience. We map the two regulatory logics, identify the structural gap between them, and propose the AI Resilience Framework: a regime-agnostic method for bringing AI dependencies inside the operational resilience perimeter through dependency mapping, a criticality-substitutability tiering, the extension of impact tolerances to AI-specific failure modes, an explicit fallback doctrine, and provider level concentration management. The framework gives chief information security officers, security architects, and boards an actionable route from AI governance policy to demonstrable resilience. This work extends a companion analysis of the United Kingdom cyber resilience regulatory stack into the artificial intelligence dimension.