Volume 2 of 2. Operational application
The present document is the second of two volumes that together compose version 1.0 of the RAISE framework. Volume 1 (internal reference TI-2026-FRMK-RAISE-v1.0-V1, Doctrinal framework) exposes the doctrinal architecture of the framework: its five pillars, their 5×5 interdependency matrix, their twelve canonical and second-order anti-patterns, the refutation criterion, and the irreducible transformations T1 to T5. The present Volume 2 prolongs this exposition by its operational test.
Volume 2 contains Part III, which develops the four-level maturity model with its dimension of controlled regression (§7), the sectoral application to the three principal terrains (Healthcare, Finance, Defense, §8) with explicit asymmetry of status, and three additional sectors in synthesis (§9). It contains Part IV, which states the seven authentic limits of the framework (§10), including the criticality threshold model C* with its three conditions of validity, the expected evolution (§11), and the doctrinal FAQ in eight canonical questions (§12). It closes with a full closing and three annexes: regulatory sources of reference by sector (B), Twingital corpus doctrinal crossroads (C), intellectual property notice, version, and history (D).
Reading Volume 2 presupposes the acquisition of Volume 1. The pillars R, A, I, S, and E, the typed cyclic matrix, the canonical anti-patterns and their minimal architectural corrections, as well as the refutation criterion and the irreducible transformations, are mobilised without redefinition. The reader who opens this Volume 2 directly without having read Volume 1 is invited to refer to Annex A of Volume 1 (operational glossary) for the definition of the technical terms mobilised.
The intellectual property notice (Annex D of the present volume) applies jointly to both volumes.
Part III. Operationalisation
§7. Maturity model. Four levels, deliverables, criteria
§8. Sectoral application. Three terrains, three tensions
§9. Three additional sectors in synthesis
Part IV. Discussion and finishing
§10. Authentic limits of the framework
§11. Expected evolution
§12. Doctrinal FAQ. Eight canonical questions
Closing
Annexes
B. Regulatory sources of reference by sector C. Twingital Institute corpus doctrinal crossroads D. Intellectual property notice, version, and history
RAISE deployment is not measured by the simultaneous satisfaction of the five pillars; it is measured by the trajectory through which an organisation reaches, and then maintains, the alignment of its AI systems to the five dimensions of the framework. The maturity model below provides the grid of this trajectory. Four levels are distinguished, each characterised by its founding question, its expected deliverables, its criteria of transition to the next level, and a typical order of duration.
| Level | Founding question | Expected deliverables | Transition criteria | Typical observed duration |
|---|---|---|---|---|
| 1. Diagnosis | Where are we on the five pillars? | RAISE cartography, register of gaps, prioritisation of work streams | Diagnosis validated by management, architecture plan engaged | 4 to 8 weeks |
| 2. Architecture | How do we integrate RAISE into design? | RAISE-aligned architecture specification, interface contracts, data model, contextual validation protocols | Architecture validated, pillar-compliant prototype | 3 to 6 months |
| 3. Governance | How do we maintain alignment over time? | Operational committees with altering power, auditability procedures, documented and signed accountability chains | Governance audited, first incident handled in conformity | 6 to 12 months |
| 4. Maintenance | How do we monitor drift? | RAISE dashboard, periodic review, regulator reporting, revalidation mechanisms triggered by signal | Reach of observable stability, incidents handled without structural regression | continuous |
The model is cumulative and not substitutive. Reaching level 3 does not exempt from the deliverables of levels 1 and 2; it presupposes them and updates them. An organisation that claims to exercise governance without having produced the architecture governs nothing; it describes intentions. The sequence of levels is not an arbitrary temporal ordering; it is the order of conditions of possibility.
The indicated durations are indicative orders of magnitude, derived from multi-sectoral observation 2022-2026 (cf. method of construction of Volume 1) and not from a systematic study. They depend on the engaged perimeter, on the initial maturity of the organisation, and on the availability of transverse expertise capable of holding simultaneously normative reading, systems architecture, and operational governance. An organisation that claims level 4 in six months has, in the best case, treated a trivial perimeter; in the less good, a problem of definition of its own levels.
One dimension absent from conventional maturity models deserves introduction: level regression. A project that was at level 3 and falls back to level 2 is not, in itself, the sign of a governance failure. It is the sign that one of the matrix dependencies of the preceding chapter has just become salient to the point of imposing a return to architecture. The most frequently observed regression is the fall from governance to architecture (level 3 to level 2) triggered by an R-to-A salience, that is, by an evolution of the normative corpus that renders the existing accountability chain insufficiently instructed. This is the typical scenario of a delegated act publication or an AI Office decision specifying a hitherto undetermined obligation.
The regression to architecture is not a failure; it is a success of the watch device. The only failure would be not to diagnose it, and to continue exercising governance on an architecture henceforth under-instructed. The maturity model must therefore be read not as an escalator on which one rises, but as a trajectory on which one can, and sometimes must, come down. Mature organisations are those that have normalised controlled regression as an adaptation procedure, rather than as confession of incompetence.
The five pillars of RAISE do not have the same relative weight from one sector to another. What distinguishes a deployment in health from a deployment in finance or in defence is not the fact that pillars would be present in one and absent in the other, but the fact that a particular loop of the matrix of Chapter 5 becomes, in each sector, structuring to the point of imposing the tone of the entire deployment. This loop, we name characteristic tension. Three characteristic tensions are developed below, one per sector. Each is named as doctrinal object, to allow its subsequent citation and debate.
A precision on the epistemic status of the three tensions is required before the deployment. The Healthcare (§8.1) and Finance (§8.2) sections are founded on publicly documented legal frames and accessible jurisprudence cases, whose divergences (Article 86 AI Act and MDR Annex XIV for health; GDPR Article 22 and trade secrets for finance) are objects of published debate and stabilised jurisprudence. These two tensions are qualified as validated by legal frame and jurisprudence. The Defense section (§8.3) is by contrast presented as predictive extension of the framework, in conformity with the note of §8.3.4: its empirical status is constrained by the classified nature of the deployments and by the unavailability of publicly instructable feedback. The presentation symmetry between the three sections does not reflect a validation symmetry. This asymmetry of status is claimed rather than evaded, and the reader is invited to weight the reading of the three sections according to this difference of status.
In the health sector, the explainability of an AI system is the object of a doubled regulatory requirement. The EU AI Act, in its Article 86, grants the person concerned by a high-risk decision the right to an explanation of the elements of the automated decision. The Medical Devices Regulation, in its Annex XIV, requires from the manufacturer a clinical evaluation founded on performance evidence, accompanied by post-market surveillance that measures performance under real conditions of use. The two requirements do not formally oppose each other; they define two distinct objects of explanation whose coherence is not guaranteed. What the AI Act qualifies as sufficient explanation for the patient is not necessarily what the MDR qualifies as defensible clinical evaluation, and vice versa. The Contested explainability tension is the doctrinal object that names this divergence and treats it as a design constraint, rather than as an interpretation problem to be solved case by case.
Pillar R instantiates as cross-reading AI Act × MDR/IVDR. The isolated reading of either text produces two different architectures; the cross-reading produces an architecture that takes note of the divergence points and treats them as explicit design decisions. The GDPR, the HDS regulation, the ICH E6 R3 standards for clinical trials, and FHIR R5 for interoperability, complete this corpus. [Twingital reference, Ontological collision MDR/AI Act, to be formalised].
Pillar A in health is carried by an uncommon tripartite accountability chain: the manufacturer of the medical device answers for MDR compliance, the care operator answers for compliance of use, and the data protection officer answers for GDPR compliance. The superposition of these three regimes creates overlap zones where accountability must be explicitly named, failing which it is diffuse by construction. The notified body under MDR adds a fourth dimension of surveillance, which conflates with none of the three others.
Pillar I instantiates around health interoperability standards: FHIR R5 for clinical exchange, the SNDS connector for access to French health data, InteropSanté for integration profiles, the Health Data Hub as infrastructure of provision. None of these standards is nominally mandatory for every deployment, but their absence renders, in practice, contractualised interoperability impossible and returns to the deficient pillar I of the generic-format export anti-pattern.
Pillar S in health is qualified by clinical evaluation in the sense of MDR Annex XIV. This evaluation may require, depending on the device class, its intended purpose, its novelty, and the level of available evidence, the generation of proper clinical data, sometimes prospective, on a cohort representative of the deployment population, completed by a post-market clinical follow-up (PMCF) plan. Depending on the case, retrospective validation on public datasets may feed the pre-marking file but does not suffice, alone, for the compliance file.
Pillar E instantiates as decisional explainability, when the system enters the relevant scope of the right to explanation as established by Article 86 of the AI Act for high-risk systems falling under Annex III, or when the sectoral regime (notably the MDR for medical devices under Annex I, or GDPR Article 22 for automated decisions affecting the person) functionally imposes an analogous justification requirement. Under one of these conditions, the explanation must be useful to the patient or user, defensible before a health professional, and coherent with clinical reasoning without contradicting it. This coherence constraint is what produces the characteristic tension. [Twingital reference, Bayesian and regulatory credibility, to be formalised].
PREDICARE is a territorial predictive medicine device whose architecture mobilises the five pillars of RAISE simultaneously, under the Contested explainability tension identified above. The device articulates predictive models specific to qualified territorial cohorts, under a prospective validation protocol in real clinical use conditions, with a decisional explainability device whose design integrates, upstream, the Article 86 AI Act requirements and the coherence with clinical Bayesian reasoning. PREDICARE is not, in this document, a proof of the generality of the framework; it is an implementation terrain where the design constraints described by the Contested explainability tension are taken seriously. Its architecture documentation is instructed separately; its mention here serves only to indicate that the tension is not an abstraction but an observable usage constraint.
The financial sector operates under three distinct regulatory temporalities that each impose, in their own way, a requirement of traceability and justifiability of automated decisions: DORA for digital operational resilience, MiFID II for investment advice qualification, and the AI Act directive for high-risk AI systems, including notably the models of solvency evaluation of natural persons. Solvency II and Basel III add, for insurance and banking, model risk management requirements that impose the internal justifiability of capital estimation models and internal scoring models. These requirements enter into frontal collision with the fact that the competitive advantage of financial institutions rests, in part, on the partial opacity of their internal models. The Competitive opacity tension is the doctrinal object that names this divergence: what the regulator requires as justifiable transparency, the market qualifies as attack on a competitive asset, and the design decision must arbitrate in a zone that neither jurisprudence nor the EBA or ECB guidelines have stabilised.
Pillar R instantiates as cross-reading DORA × MiFID II × AI Act. The three regulatory temporalities do not synchronise: DORA applies since January 2025, the AI Act rises in progressive phase until 2027, MiFID II evolves through delegated acts. Reading the three together requires qualifying, requirement by requirement, the temporality of opposability, and conceiving an architecture that supports the three without imposing the rigidity of one on all.
Pillar A in FSI is codified by the three lines of defence model, whose European interpretation under DORA requires that the chief risk officer (CRO) and effective management (in the sense of Article L. 511-13 of the French Monetary and Financial Code, transposed in other European jurisdictions) carry the operational accountability for automated decisions. The EBA guidelines on outsourcing arrangements add that this accountability cannot be transferred to an external provider by contractual means. Accountability nomination is here structurally binding.
Pillar I instantiates around reporting standards (ESEF for financial information, XBRL for prudential reporting), market protocols (FIX for order transmission), and DORA operational continuity requirements. Interface contractualisation is more mature here than in health, but remains under-specified for internal flows of AI systems, which are frequently left under informal regime.
Pillar S in FSI is carried by backtesting and stress testing practices, framed by model risk management whose European standards (TRIM for the ECB, EBA Guidelines on internal models) take up and adapt the principles of the American SR 11-7 guidance. These standards are operationally mature for classical risk models (credit, market, liquidity); they do not treat, or treat insufficiently, the generative AI models recently introduced in scoring and portfolio analysis.
Pillar E is the proper site of the tension. The regulatory explainability required to defend an automated decision before the supervisory authority or a client, under Article 22 GDPR and its recital 71, enters into tension with the protection of the algorithm as competitive asset and with trade secret regimes. The resolution of this tension is neither purely technical nor purely legal; it is architectural.
Individual credit scoring is the edge-case example of the Competitive opacity tension. Article 22 GDPR grants the person concerned the right not to be subject to a decision based exclusively on automated processing, and recital 71 specifies that this person has a right to an explanation. The jurisprudence of the Court of Justice of the European Union (SCHUFA ruling, C-634/21, 2023) confirmed that automated decision is understood broadly, which includes scoring even when a human agent formally validates the decision without effective arbitration power. On the institution side, the scoring model is protected by trade secret, and its detailed disclosure to each applicant would expose its logic to circumvention strategies. Pillar E of the framework then imposes a decisional explainability qualified by recipient (the applicant does not receive the explanation that the regulator receives), endowed with a generation protocol that preserves model integrity, and traced to allow ex post audit. None of these three conditions is satisfied by the installation of a technical interpretation tool on the existing model; all three require an upstream design decision. This is precisely what the Competitive opacity tension, as doctrinal object, makes visible.
The natural objection to the Competitive opacity tension is that it would already be treated by Article 22 GDPR and subsequent jurisprudence, including the SCHUFA ruling. This objection is partially right and structurally insufficient. Article 22 GDPR and SCHUFA provide the legal frame of automated decision affecting the natural person; they do not provide the architectural grammar that would allow reconciliation of the decisional justification requirement with the protection of the model as competitive asset. The resolution proposed by practice frequently consists in producing degraded explanations that inform neither the recipient nor the regulator; this resolution satisfies the letter of the law without satisfying its spirit, and exposes the institution to the successive critique of regulator, judge, and market.
The Competitive opacity tension, as doctrinal object, does two things that Article 22 alone does not do. First, it acknowledges that competitive opacity is an architectural asset to protect, not only a commodity to mitigate. This acknowledgement changes the order of design constraints: opacity is no longer treated as a defect to compensate, but as a property to differentiate by recipient. Second, it proposes pillar E as the grammar of differentiating explanations by recipient (regulator, client, internal jurisdiction, competing market), with controlled de-anonymisation chains that preserve information asymmetry without rendering it opposable as concealment. The result is not an attenuation of the tension; it is its formalisation as architectural object, which neither GDPR nor jurisprudence operates.
The formalisation of the Competitive opacity tension as architectural object calls for identifiable design patterns. Three resolution architectures are sketched here, without claim to exhaustiveness.
Architecture by differentiated explainability chain. The explanation produced by the system is not a unique object; it is instantiated differently according to the recipient, under a contractualised chain. The applicant receives a synthetic explanation that satisfies Article 22 GDPR without revealing the model logic; the regulator, on traced requisition, receives a structured explanation that includes decision factors and eligibility conditions; the jurisdiction, in case of litigation, receives the complete explanation under judicial sequestration with controlled de-anonymisation procedure. Each recipient receives what they need to exercise their role, and nothing more. The chain itself is a contractualised object between the institution and the regulator.
Architecture by distinct surveillance model. The operational decision model, protected by commercial secret, is doubled by a surveillance model whose function is to detect decision drift by protected category (Article 22 recital 71 GDPR) and to produce alert signals to the regulator. The surveillance model is designed to be interpretable, shares the decision model’s input data without sharing its architecture, and functions under distinct governance. This architecture resolves the apparent contradiction between commercial opacity and regulatory transparency by distinguishing two complementary architectural objects.
Architecture by opposable decision register. Each automated decision of the system is inscribed in a register signed, timestamped, and architected to allow ex post reconstruction at different granularity levels according to the recipient of the request. The register itself is the contractualised object; the decision model may remain opaque, but its outputs are rendered opposable by the trace. This architecture particularly mobilises pillar I (register interface contracts) and pillar A (named accountability of the register holder).
These three architectures are not exclusive; they can combine on the same deployment. Their common function is to transform the Competitive opacity tension into a set of explicit design constraints, rather than into ad hoc compromise negotiated case by case with the regulator.
The defence sector is excluded from the scope of the AI Act by Article 2(3), which reserves AI systems placed on the market or put into service exclusively for military, defence, or national security purposes. This exclusion does not mean absence of frame, but a distinct frame, and more constraining on certain pillars. AI systems for military purposes fall under NATO frames (STANAG), the European directive on dual-use goods (regulation 2021/821), national classification frames (IGI 1300 in France, national equivalents elsewhere), and employment doctrines specific to armed forces. The characteristic tension of the sector is the following: the auditability of AI systems, which is an operational requirement for the chain of command, requires a traceability that, by the classified nature of operations, can neither be produced nor preserved under the forms that pillars A and E suppose in other sectors. The Classified auditability tension is the doctrinal object that names this divergence.
Pillar R combines the AI Act exclusion, the European regulation on dual-use goods, NATO frames, national classification doctrines, and the ANSSI/PAMS directives for systems hosting classified information. Active corpus reading is more demanding here than in health or finance, because the absence of a unified supranational frame imposes a reading by jurisdiction of employment. [Twingital reference, Learning what cannot vary, to be formalised].
Pillar A is articulated around the military chain of command, whose operational accountability belongs nominatively to the unit commander or tactical commander, and whose system approval falls under the employment authority (in France, the contrôle général des armées and the DGA for armament systems). This chain is clearer than in health or finance, because it is codified by service regulations; but it is also more demanding, because it cannot be delegated to a committee or to a collegial device.
Pillar I instantiates under NATO interoperability standards (STANAG for transmission protocols, AEDP for geospatial data, MIL-STD for interfaces), under the constraint of national digital sovereignty, and under the rules of compartmentalisation by classification level (Restricted, Confidential Defense, Secret Defense). Compartmentalisation transforms contractualised interoperability into segmented contractualised interoperability: contracts exist at each level, but do not cross levels without explicit authorisation procedure.
Pillar S is carried by the operational qualification of armament systems, which combines validation under simulated combat conditions (MILDEP in France, NATO equivalents elsewhere) and validation under real engagement conditions as operational feedback is measured. This validation has a particularity: it must treat the adversarial character of the usage context, which renders the ecological robustness mentioned in Chapter 4 indissociable from adversarial robustness.
Pillar E is the proper site of the tension. Decisional explainability, in the architectural sense of Chapter 4, requires that the automated decision can be reconstructed and defended before a qualified third party. In classified environment, the documentation that makes this reconstruction possible is itself a sensitive object, whose production and preservation open a surface of exposure to adversary intelligence. The resolution is neither to renounce explainability, nor to expose documentation; it is to design explainability protocols differentiated by auditor level, with controlled de-anonymisation chains.
Target designation decision support systems represent the edge case of the Classified auditability tension. Such a system treats multiple intelligence sources, applies classification and prioritisation models, and presents to the operator a qualified set of potential targets with an indication of confidence level and collateral risk. International humanitarian law, through the additional protocols to the Geneva Conventions, requires that the final decision be taken by a human having significant control (the concept of meaningful human control), with capacity to evaluate the distinction between military objectives and protected persons and the proportionality of engagement. Pillar A of the framework, read under this constraint, requires that the decision’s accountability chain be documented at a level of detail that would render, if treated as in health or finance, the entire system exposable to adversary intelligence. Pillar E requires an explainability of the recommendation useful to the operator without revealing the intelligence sources that produced it. The Classified auditability tension, as doctrinal object, makes visible that the resolution is not a compromise between auditability and classification, but an architecture in which documentation is multi-level, its access is traced, and its de-anonymisation is conditioned on external legal frames (parliamentary inquiry committee, international jurisdiction, contrôle général des armées). The design of this architecture is the proper object of RAISE deployment in Defense environment.
The Classified auditability tension is, among the three tensions developed in this chapter, the one whose empirical demonstration is most constrained. Operational deployments in classified environment are not, by construction, the subject of detailed academic publications; accessible feedback is most often stripped of the elements that would allow fine architectural analysis. The present treatment is therefore more conceptual than demonstrative; it relies on publicly available legal frames, on employment doctrines documented in open sources, and on the analysis of the framework’s internal coherence.
This epistemic limit is assumed. It does not invalidate the tension as doctrinal object; it qualifies its status as architectural prediction rather than as stabilised empirical observation. A refutation of this tension would require either a demonstration that auditability and classification are effectively compatible in current deployments by other paths than the one proposed here, or a demonstration that the tension can be resolved by mechanisms that RAISE does not envisage. Neither is, at the date of this document, publicly available in the consulted literature. Section §8.3 must therefore be read as a predictive frame of governability, to be confronted with effective practices as they become publicly instructable.
The detailed development of three sectors does not exhaust the framework’s scope. Three additional sectors, treated here in synthesis, each make visible a characteristic tension distinct from those examined in Chapter 8. Their complete development is left to subsequent work; their mention here signals that the architectural grammar of RAISE is instantiable well beyond the three principal terrains.
The applicable normative corpus combines the RGS v2 for public information systems, the GDPR, DORA evolutions for public financial services, ANSSI referentials for cybersecurity, and the PSNR for national systems. The characteristic tension is of R↔A nature: corpus reading is conducted by technical services, while political accountability is carried by the elected official or ministerial authority, without the two levels being structurally articulated. The typical result is a deployment where normative reading is active but the accountability chain diffuse, or the inverse. The Political disjunction tension is the object that names this configuration.
The corpus combines IEC 62443 for industrial cybersecurity, ISO 27001 for information management systems, the CER (Critical Entities Resilience) directive for the resilience of critical entities, the AI Act for high-risk AI systems supporting operation, and IEC 61508 for functional safety. The characteristic tension is of I↔S nature: interoperability, which is an operational efficiency requirement, becomes in a criticality environment a failure vector when the qualification of incoming sources is under-instructed. The Critical interoperability tension is the object that names this configuration. It is the characteristic tension of major cascade incidents in transport, energy, and telecommunications infrastructures.
The corpus combines ICH E6 R3 for good clinical practices, 21 CFR Part 11 for electronic records and signatures under FDA regime, the AI Act for high-risk AI systems, the MDR/IVDR for medical devices and in vitro diagnostic devices, and the GDPR. The characteristic tension is of R↔S nature: scientific validation in the sense of clinical research, founded on prospective control and pre-specified analysis, enters into divergence with regulatory compliance in the sense of the AI Act, which requires continuous justification of performance under usage conditions. The Doubled validation tension is the object that names this configuration. It is distinguished from the Contested explainability tension of the Healthcare sector in that it bears not on the explanation recipient but on the epistemic status of performance evidence.
A doctrine that does not state its limits is not a doctrine. This section lists seven structural limits of RAISE, formulated by their author in the terms most unfavourable to the framework itself. They are not invitations to rhetorical prudence; they define the conditions under which the framework ceases to be useful.
The framework provides an architectural grammar that makes compliance governable by construction. It does not provide the metric that would allow calculating the degree of compliance reached, nor the threshold beyond which compliance is acquired. This quantification remains sectoral, and falls under the evaluation grids proper to each sector (HAS for health, EBA for finance, employment authority for defence). An organisation that would seek in RAISE the calculation of a compliance score would be misguided; it should seek in RAISE the grammar that makes this score, when it exists sectorally, calculable in a non-trivial way.
The application of the framework, in particular of pillars R and E, requires an architecture team capable of conducting active reading of applicable normative texts, and of deriving the design constraints that follow from them. This competence exists, but it is rare, and it is concentrated in functions that are not, in most organisations, structurally integrated to system design. The framework does not create this competence; it presupposes its availability. An organisation that does not have this competence cannot apply RAISE by documentary mimicry; it must first constitute the competence or externalise the function under a contractual regime that is not that of standard outsourcing.
Pillar S addresses operational safety in the sense of the system’s reliability and robustness. It does not address, or addresses only incidentally, cyber-security in the sense of the NIS2, IEC 62443, ISO 27001 frameworks. These frameworks are orthogonal by object to RAISE: they treat the conditions of protection of the system against intentional external threats, where RAISE treats the conditions of governability of its automated decisions.
This orthogonality by object does not imply incident independence. As soon as a cyber compromise can alter an automated decision of the system, orthogonality by object is doubled by coupling by incident. The compromise of an incoming source (pillar I), of an interpretation chain (pillar E), or of a validation protocol (pillar S) transforms an external protection frame into an alteration factor of internal governability. RAISE and the applicable cyber frame are therefore orthogonal by object and coupled by incident. Coupling by incident requires that the composite governance of the five pillars integrate, in its surveillance perimeter, cyber incidents as triggers of a propagation test in the sense of §6.6.
The framework does not propose the detailed articulation of the two frames because it falls under distinct doctrinal work, to be conducted in a subsequent publication; it signals on the other hand that this articulation is, in the practice of deployments in regulated environments, non-negotiable.
The matrix of Chapter 5 states that the ten non-identity pairs between the five pillars all admit a non-null dependency. This statement is an analytical model, falsifiable by qualitative counter-example on a concrete case, but it does not constitute a formal demonstration in the mathematical sense. The ternary typology of dependencies (possibility, validity, legitimacy) is itself a doctrinal decision that could be discussed. The framework does not claim the logical robustness of a theorem; it claims the diagnostic utility of an analytical frame. This more modest claim is, in the domain of governance frameworks, already ambitious.
The framework is designed to operate at the level where the European legislator has chosen to operate, that is, at the level of system design. Its application in non-EU jurisdictions (FDA in the United States, MHRA in the United Kingdom, CFDA in China, sectoral authorities in other jurisdictions) requires a transposition work that this document does not perform. Transposition is not a simple translation of terms; it requires qualifying, jurisdiction by jurisdiction, what supervisory authorities consider compliant, and revising certain pillars in light of these qualifications. The framework remains mobilisable outside the EU; its full operational value there is conditional on adaptation work that multinational organisations will have to conduct for their own perimeter.
The framework structures the governability of the system in regulated environment. It does not provide, as it stands, the arbitration instrumentation between cost, delay, and risk that determines, in industrial practice, what level of governability is economically sustainable. This absence is not an oversight; it is a methodological decision coherent with the delimitation of §2 and with the exclusion of the economic dimension from the ternary typology of the matrix §5. Governability in the sense of RAISE is a condition of possibility of deployment, not a variable of optimisation. An organisation that would seek in RAISE a portfolio arbitration function between compliance and marginal cost would not find it.
This limit is the most immediately visible in COMEX practice. Any industrial arbitration reintroduces the economic dimension at the moment of resource allocation, and the framework is silent on this reintroduction. The compatibility between RAISE and the economic rationality of the COMEX therefore depends on an external articulation, to be conducted by the organisation itself or by a complementary doctrinal instrument. The construction of this instrument is explicitly signalled as one of the conditions of evolution of the framework in its Chapter §11. Without it, RAISE remains intellectually superior in diagnosis but operationally circumventable in arbitration.
The absence of the economic dimension in the framework calls for a positioning argument that goes beyond the simple recognition of the limit. This argument is formulated as a threshold model, to be instructed case by case by the organisation, but whose general form is defensible here.
Let C be the criticality of a deployment, measured by the combination of four factors: regulatory exposure (AI Act class, MDR class, DORA class, relevant sectoral class); severity of potential damage (bodily, financial, reputational) in case of failure; volume and frequency of automated decisions taken by the system; degree of adversarial environment (possible hostile intentionality). The model states that there exists a threshold C* above which the expected cost of a non-RAISE-aligned deployment, over the system’s life horizon, exceeds the cost of a RAISE-aligned deployment, and below which the inverse is true.
The asymmetry that determines C* depends on three mechanisms. First mechanism: the marginal cost of a regulatory regression (in the sense of §7.3) grows more than linearly with criticality, because a regression on a high-impact system triggers chains of investigations, recalls, and contractual contestations that a low-impact system does not trigger. Second mechanism: the informational value of ontological traceability (Annex A) grows with criticality, because the capacity to reconstruct ex post a contested decision determines the opposability of the organisation’s defence. Third mechanism: litigation and reactive compliance costs themselves grow more than linearly with criticality, because they attract the attention of the regulator and the specialised press.
Under these three mechanisms, the total expected cost of a non-RAISE deployment is dominated by the total expected cost of a RAISE deployment beyond C*. That is, beyond this threshold, RAISE is not an optional improvement but an economically rational strategy, compared to the alternative. Below C*, the inverse is true: the implementation of RAISE produces a marginal cost that no gain of governability compensates.
The model is intentionally asymmetric: it does not claim that RAISE is universally applicable, but that its relevance is conditioned on the criticality of the deployment. This precision is essential for the COMEX, which cannot adopt a framework that ignores its portfolio arbitration constraints.
The C* threshold model as stated above is conditioned. Three validity conditions must be named explicitly to avoid it being interpreted as universal. First condition: the system must present a sufficient decisional volume for the marginal cost of traceability, explainability, and validation to be absorbable by mass effect. For a system handling few decisions per unit of time, the RAISE investment may be economically unjustified independently of unit criticality. Second condition: execution must be largely automated. For a system where the final decision systematically rests on a human operator with effective override, the expected cost of system failure is bounded by the cost of human control, which shifts C* upward and may render it unreachable in practice. Third condition: litigious and regulatory exposure must be significant. For a system operating in a low-exposure sector (for example unregulated product recommendation), regression and litigation costs remain linear or sublinear, and the C* threshold may not be reached at observable criticality.
Under these three conjoint conditions, the model is defensible and RAISE becomes economically dominant beyond the identifiable threshold. Epistemic precision: the model states a logical asymmetry of expected costs, derived from the three mechanisms described qualitatively. It does not provide real cost data per sector or the calculated value of C* in an observed deployment. The transformation of logical asymmetry into empirical measurement falls under distinct econometric work, to be conducted by sector and by criticality class. Outside these conditions, RAISE remains useful as a diagnostic grid without being economically dominant. This precision does not weaken the framework; it delimits its perimeter of optimal application and explains why its adoption is sectorally asymmetric: strong in health, regulated finance, and defence, weaker in retail, generalist content, and services with low regulatory exposure. The C* threshold itself is not calculated here; its determination falls to the organisation, its sector, and the satisfaction of the three validity conditions above. The function of this section is to claim that the arbitration exists, that it is non-trivial, that it is conditioned, and that RAISE becomes economically dominant beyond an identifiable threshold rather than being presented as universally preferable. This strategic concession strengthens the defensibility of the framework rather than diminishing it.
Three axes of evolution of the field are identifiable at the date of this publication. The framework is designed to absorb them without structural change; this robustness is, in itself, a test of the relevance of its design.
The first axis is the progressive operational diffusion of ISO/IEC 42005:2025 standard on AI systems impact assessment. This standard, published in 2025 and complementary to ISO/IEC 42001, provides an evaluation methodology that RAISE can integrate as a tool in pillar R without modifying its five-pillar structure.
The second axis is the evolution of the AI Act Code of Practice, which specifies through successive acts the obligations applicable to general-purpose AI models. Each evolution of the Code constitutes an evolution of the normative corpus actively read by pillar R. Mature organisations will treat it as a signal of controlled regression in the sense of Chapter 7, rather than as a perturbation to absorb without re-reading.
The third axis is the rise of the European AI Office and designated national authorities. These authorities will produce, through their decisions, their guidelines, and their administrative jurisprudence, the interpretation material that will render the AI Act corpus effectively operational. Pillar R will integrate these productions as a living part of the normative corpus, without this requiring a revision of the framework.
The questions that follow are those that the practice of presenting the framework has surfaced with sufficient regularity to merit a written treatment. They are posed in their most direct form, and treated without evasion.
Because NIST AI RMF is a risk management framework, whose function is to identify, measure, and manage the risks associated with the deployment of an existing AI system. RAISE is an architecture framework, whose function is to structure the design of the system so that it is governable by construction. The two frameworks are not in competition. An organisation can, and often must, use both: RAISE upstream for design, NIST RMF downstream for operational risk management.
No. Certification presupposes a referential adopted by a recognised standardisation body, a certification scheme, and a body of qualified auditors. RAISE is a doctrine produced by a single actor. Its robustness rests on the public defensibility of its statements, not on the authority of a certification scheme. An organisation can claim a RAISE-aligned deployment, but this claim is doctrinal, not certified. For certification, ISO/IEC 42001 is the appropriate instrument, which articulates with RAISE rather than substituting for it.
ISO 13485 manages the quality of an organisation that manufactures medical devices. It structures processes, roles, documentation. RAISE structures the design of an AI system in regulated environment. The two do not treat the same object. A manufacturer of an AI-based medical device typically mobilises both: ISO 13485 for its quality system, RAISE for the architectural design of the AI device itself.
Yes, without structural modification. The five pillars instantiate in the case of LLMs and agentic systems with increased salience of certain pillars (E for decisional explainability, A for accountability in chains of automated action) and the appearance of proper architectural objects (prompt policies, persistent memory mechanisms, tool contracts in agentic architectures). The framework absorbs these specificities as instantiations of its pillars, rather than as exceptions.
No. SHAP, like LIME, like attention maps, is a technical interpretation tool. Pillar E requires a decisional explainability qualified by recipient, usage frame, and production protocol, conceived upstream of model design rather than added downstream. SHAP can be one of the technical means mobilised in this explainability; it is neither its definition nor the condition of its sufficiency.
No. The AI Act classification qualifies a system with regard to legal obligations. RAISE structures the design of the system with regard to these obligations and other sectoral requirements. The classification is an input to pillar R, not a substitute for the framework. A system qualified as high-risk by the AI Act may be more or less governable by construction depending on whether its architecture is or is not RAISE-aligned; the classification alone settles nothing on this governability.
The question, posed in these terms, expects an answer that no architecture framework can give. The cost depends on the perimeter, the maturity at start, the availability of transverse expertise, and the criticality of the sector. An indicative range, for a complete deployment going from diagnosis to operational maintenance (levels 1 to 4 of Chapter 7), typically extends from several hundred thousand euros for a limited perimeter in a mature sector, to several million for a complex perimeter in a highly regulated sector. The cost of non-deployment, when it becomes measurable, is almost always higher; this asymmetry is not a sales argument, it is an observation.
Partially. Retro-application is typically conducted as a diagnosis in the sense of level 1 of Chapter 7, which produces the cartography of gaps. The closing of these gaps requires, in the most favourable case, governance and documentation work; in the least favourable, a return to architecture equivalent to redesign. The distinction between the two cases depends on the depth of design decisions that were taken without the governability constraint. A system designed under the compliance-by-amendment anti-pattern is not, in practice, made RAISE-aligned by documentation; it is made RAISE-aligned by partial or total re-design.
RAISE is not a compliance framework. It is an architecture framework that makes compliance conceivable, verifiable, and opposable. It replaces neither NIST AI RMF, nor ISO/IEC 42001, nor the AI Act, nor the sectoral grids. It defines the order in which these instruments must enter design to prevent them from becoming decorative documentation.
The five pillars of RAISE, their interdependency matrix qualified by diagnostic tests, their eight canonical anti-patterns with their minimal architectural corrections, their maturity model with controlled regression dimension, their three principal sectoral instantiations under named characteristic tension, and the five refusals they render defensible, form the doctrinal architecture of the framework. The refutation criterion introduced in the methodological note fixes its conditions of serious application.
Three formulas condense what the five pillars, taken together, defend.
A framework that does not change design only changes documentation.
A governance device is measured by what it prevents, not by what it documents.
An AI system is not regulated because it has been documented. It is regulated because its design renders documentation possible.
These three sentences close the loop opened in the preamble. They state, in their most stripped form, the test that any RAISE-aligned deployment will have to pass.
The table below lists the primary regulatory sources mobilised in the present document. It does not substitute for a compliance file; it serves as a citation index.
| Sector | Primary sources |
|---|---|
| Healthcare and Life Sciences | EU Regulation 2017/745 (MDR), EU Regulation 2017/746 (IVDR), AI Act Article 6 (high-risk classification) and Article 86 (right to explanation), MDR Annex XIV (clinical evaluation), ISO 14155 and ICH E6 R3 (good clinical practices), HL7 FHIR R5 (interoperability), HDS (French referential), EU Regulation 2025/327 (EHDS, European Health Data Space, whose sectoral application deadlines are staggered from publication; to be verified in final proofreading according to press date) |
| Finance and Insurance | EU Regulation 2022/2554 (DORA), Directive 2014/65/EU (MiFID II), Directive 2009/138/EC (Solvency II), Basel Committee (Basel III), EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), GDPR Article 22 and recital 71, CJEU C-634/21 (SCHUFA, judgement of 7 December 2023) |
| Defense and National Security | AI Act Article 2(3) (defence and national security exclusion), EU Regulation 2021/821 (dual-use goods), NATO STANAG, IGI 1300 (General Interministerial Instruction, France), II 901 (Interministerial Instruction, France), ANSSI/PAMS referentials, Additional Protocols I and II (1977) to the Geneva Conventions (1949) |
| Public sector and administrations | RGS v2 (General Security Referential), GDPR, ANSSI referentials, PSNR (State Information Systems Security Policy), DORA for public financial services |
| Critical infrastructures | IEC 62443, ISO/IEC 27001:2022, EU Directive 2022/2557 (CER, Critical Entities Resilience), EU Directive 2022/2555 (NIS2), IEC 61508, AI Act |
| Clinical research and Biotech | ICH E6 R3 (good clinical practices), 21 CFR Part 11 (FDA, electronic), MDR/IVDR, AI Act, GDPR |
Editorial note for finalisation. This annex consolidates the primary references mobilised in the document. Before final publication, an editorial verification is recommended on three points: the effective version of regulations at publication date (notably the consolidation of the GDPR and the delegated acts of the AI Act published since 2024); the coherence between Article 86 of the AI Act and the sectoral regimes (notably the MDR and GDPR Article 22); the availability of jurisprudence references more recent than SCHUFA (CJEU and French Conseil d’État notably). This verification does not bear on the accuracy of the listed references, but on their stability at the date of press.
The table below proposes the mapping between the pillars of RAISE and the published or in-preparation articles of the Twingital Institute doctrinal corpus. References marked as to be formalised correspond to articles whose writing is engaged but not yet published; they are signalled as such for transparency and will be updated at each publication.
| Pillar | Twingital reference articles |
|---|---|
| R, Regulatory Architecture | Ontological collision MDR/AI Act [to be formalised]. Learning what cannot vary [to be formalised]. |
| A, Accountability and Governance | Hexagonal architecture as a condition of governability [to be formalised]. |
| I, Interoperability Standards | Contractualised promotion port [to be formalised]. |
| S, Safety and Operational Validation | Public benchmarks have lost the right to decide alone [to be formalised]. |
| E, Explainability and Ethics | Bayesian and regulatory credibility [to be formalised]. Learning what cannot vary [to be formalised]. |
Internal reference. TI-2026-FRMK-RAISE-v1.0.
Author. Jérôme Vetillard, Twingital Institute.
Intellectual property status. The present document is protected by full reservation, and a Soleau envelope has been filed with INPI in parallel with publication, for certain dating of the anteriority of the formulation. The doctrinal objects nominally identified in the document (5×5 interdependency matrix, eight canonical anti-patterns and their four second-order extensions, four-level maturity model with regression dimension, six characteristic sectoral tensions, irreducible transformations T1 to T5, criticality threshold model C*) are dated by this filing as original formulation and articulation proper to the Twingital Institute corpus. The filing protects the trace of anteriority of this formulation; it is neither claim of appropriation of pre-existing general concepts, nor opposition to their use by third parties in competing frames.
Citation conditions. Citation of the document is authorised up to 200 cumulative words per third-party publication, subject to full attribution comprising title, author, internal reference, and date. Full reproduction, partial reproduction beyond 200 words, or substantial reformulation of named doctrinal objects, is subject to prior written authorisation. Commercial use of the document or of its named doctrinal objects is subject to licence.
Diffusion. The present document is delivered upon nominative registration and logging. Each copy bears a nominative watermark (“Document delivered to [First Name Last Name, Organisation] on [date]”). The associated RAISE web page, under CC-BY-NC-ND licence, exposes the genesis and the statement of the five pillars; it contains neither the 5×5 matrix, nor the anti-patterns, nor the sectoral tensions, which are exclusive to the present PDF.
Version history.
| Version | Date | Modification |
|---|---|---|
| v1.0 | 2026-05-XX | Initial version, Soleau filing and publication joint. |
| v5.0 | 2026-05-05 | Assembled draft after four review cycles (CTO/academic x 4). Not yet passed through automatic reviewer pipelines. |
Enter your details to access the document. Free access — no sales outreach.
Personalized document · Free access · No sales outreach