Minimum Viable Oversight
Analytical Note No. 12 · Series: Governance Briefs · June 2026
Operationalises: Essay 7 “The Correction Window,” Essay 12 “Beyond Control: What Happens When the Correction Window Closes” — Beyond Control: Theory of Limits of AI Governance
On 17 July 2012, the Uzbek Agency of Communications and Informatisation issued an Order suspending the telecommunications licence of Uzdunrobita LLC (“MTS-Uzbekistan” brand) effective from 18:00 that day. Instantly, 9.5 million subscribers lost service. Whether the specific grounds were fully justified is a matter of the legal record. What matters analytically is the demonstrated institutional fact: Uzbekistan’s regulatory architecture already contains the capacity to halt the operations of a systemically significant licensed operator through a single regulatory decision.
That capacity exists. It has not yet been systematically extended to AI systems.
This is the twelfth analytical note in a series that has documented, across eleven preceding publications, the structural gaps in Uzbekistan’s AI governance architecture: the separation between documentation and enforcement, the conflict between coordination and verification functions, the absence of defined access to operational data, the missing incident protocols, the lock-in effects of procurement decisions, the concentration risk of centralised payment infrastructure, the scale mismatch when oversight frameworks are transposed without the institutional prerequisites that make them functional, the epistemic gap that emerges when institutions deploy systems they cannot inspect, and the sovereign gap when digital independence is declared without the infrastructure to exercise it.
Each of those notes diagnosed a gap. This one asks a different question: what institutional capacity already exists within the structural limits this series has established, and has not yet been extended to AI systems?
Three Conditions and the Partial Record
Essay 7 of this series identified three elements that distinguish real enforcement from its documentation: halt authority over a deployed system; independent verification with access to operational data rather than to documentation produced by the system or its operator; and consequences that make the gap between declared and actual system behaviour costly to maintain rather than merely procedurally noted.
No AI governance framework operating at scale currently satisfies all three as a coherent regime. That is a structural finding about the global condition, not a critique of any specific jurisdiction. The question relevant to Uzbekistan’s regulatory architecture is narrower: does any of the three have an institutional precedent here that could serve as its functional base in the AI domain?
The first element has a documented precedent. The 2012 MTS case is a telecommunications case, not an AI governance case. But it demonstrates that regulatory halt authority over a licensed operator, applicable to a systemically significant service, exists in Uzbekistan’s institutional architecture and has been exercised. What is absent is not the mechanism. It is the extension of that mechanism to cover AI-dependent systems embedded in financial institutions, healthcare infrastructure, or public procurement. A regulatory instrument capable of suspending a telecommunications operator’s licence has no stated equivalent for suspending or requiring rollback of an AI system whose outputs fall outside declared parameters within a licensed institution.
The second element has a partial institutional base. CBU Board Resolution No. 3266, registered 30 June 2020, establishes inspection rights over payment system operators within the scope of AML/CFT compliance, including access to internal systems and transactional records. This provides a functioning precedent for direct supervisory access to operator systems, not a theoretical possibility but an operational instrument within a defined mandate. It was not designed for AI systems. Whether the existing access rights extend to algorithmic decision logs beyond the AML/CFT purpose for which they were established remains formally unaddressed and a matter for regulatory specification rather than legislative innovation.
The third element has a legislative foundation that is not yet operational in the AI-specific context. Article 7¹ of Law No. ZRU-1115 prohibits sole reliance on AI-generated outputs in legally significant decisions affecting citizens’ rights. The prohibition creates legal exposure. It does not yet create a verification mechanism that would make compliance or non-compliance observable from outside the deploying institution. Legal exposure without verification is not a consequence in the operative sense the series has used: it is a documented liability without an activated trigger.
What Minimum Viable Oversight Looks Like
The concept of the governance residual, introduced in Essay 12 of this series, refers to the set of constraint mechanisms that retain operational leverage after the primary governance architecture has been structurally superseded. That residual is not uniform across jurisdictions. For institutions in Uzbekistan’s regulatory environment, its composition is identifiable with unusual clarity: fewer institutional layers separate the governance claim from operational reality, which means the instruments still available are closer to the surface and more readily activated than in environments where the appearance of oversight can be sustained for longer.
Three operational questions follow from this analysis. They are not a framework. They are a diagnostic: the minimum test that any institution deploying AI in a consequential domain should be able to pass from operational records rather than from documentation.
The first question: does the institution have a defined, tested procedure for halting the decision function that an AI system performs, not for switching off the technical system, but for suspending the specific outputs the system generates while human review proceeds? A system that can be powered down is not the same as a decision function that can be suspended without interrupting the operational process around it. Analytical Note No. 6 documented this distinction in the context of Uzbekistan’s emerging credit scoring infrastructure: technical reversibility and operational reversibility are different states, and institutions that have tested only the former do not know whether they possess halt authority in any meaningful sense.
The second question: can the institution’s supervisory authority, or any body with a defined external mandate, examine what the AI system actually decided in a specific case from operational logs rather than from documentation the institution or its vendor produced? Analytical Note No. 4 documented the audit-without-access problem: the distinction between reviewing declared system behaviour and inspecting actual system behaviour is the difference between reading the instructions and examining the machine in operation. An institution that can demonstrate its AI system’s actual decision path from records it does not exclusively control has begun to satisfy the verification condition. An institution that can only produce documentation generated by the system itself, or by the institution that deployed it, has not satisfied it regardless of the volume of that documentation.
The third question: is there a defined consequence, regulatory, legal, or operational, if an AI system’s actual behaviour is found to diverge from its declared parameters? Not a procedure for initiating an investigation, but a defined outcome at its conclusion. The licence suspension mechanism demonstrated in 2012 provides the institutional form of such a consequence within the domain of licensed operators. Its adaptation to cover AI system behaviour within those operators’ operations is a design gap, not an institutional one.
An institution that can answer all three questions from operational evidence rather than from documentation has the foundations of a minimum viable oversight architecture. An institution that cannot has a governance document.
The operational translation of these three questions into a diagnostic for specific institutions is work of a different kind, closer to audit than to analysis.
The Position This Closes
Eleven preceding notes documented what the architecture lacks. This note records what it has.
The structural limits of AI governance established across the essay series (sovereign override, material predetermination, institutional mismatch) are not temporary gaps that additional regulation will eventually close. They are architectural features of the current institutional order. Acknowledging this does not produce a recommendation to cease regulatory effort. It produces a repositioning: from measuring whether the governance documentation is complete to measuring whether the instruments that retain operational leverage within structural limits are being deployed or being preserved for the purpose of sustaining a narrative of control.
Twelve notes have progressively revealed the governance residual operating within structural limits, not from the perspective of those designing oversight architectures, but from that of those operating within them. What is documented here is not sufficient for comprehensive oversight. It provides the foundations for something more honest: a minimum viable architecture that can be built without pretending the structural limits do not exist. That conversion does not begin with new legislation. It begins with the deliberate extension of existing mandates through regulatory specification to a domain that has so far been governed primarily through the documentation of intent. The correction window does not remain open indefinitely. This is the architecture that can be built while it still is.
The analytical work concludes here. The institutional work does not.
Sources & Notes
[1] CBU Board Resolution, Registration No. 3266, June 30, 2020. Internal control rules on AML/CFT for payment system operators, e-money system operators, and payment organisations. lex.uz
[2] Law No. ZRU-1115, January 21, 2026. On amendments and additions to certain legislative acts in connection with the introduction of artificial intelligence technologies. Article 7¹. lex.uz
[3] Uzbek Agency of Communications and Informatisation. Order No. 19-L, July 17, 2012. On suspension of the activity licence of Unitel LLC (MTS-Uzbekistan brand). Documents in the matter were the subject of subsequent arbitration proceedings.
[4] CBU Board Resolution No. 5/11, March 25, 2026. Registered by the Ministry of Justice of the Republic of Uzbekistan, April 15, 2026, Registration No. 3817. Rules for the Provision of Payment Services via Unified QR Code. lex.uz
[5] Presidential Decree No. PP-204, May 26, 2026. On further measures to increase the popularisation of financial services and expand support for small and medium-sized businesses. lex.uz
[6] Khodjaev, O. Beyond Control: Theory of Limits of AI Governance. Essay 7 “The Correction Window.” 2026. okhodjaev.com
[7] Khodjaev, O. Beyond Control: Theory of Limits of AI Governance. Essay 8 “The Agency Transfer.” 2026. okhodjaev.com
[8] Khodjaev, O. Beyond Control: Theory of Limits of AI Governance. Essay 12 “Beyond Control: What Happens When the Correction Window Closes.” 2026. okhodjaev.com
[9] Khodjaev, O. Beyond Control: Theory of Limits of AI Governance — An Analytical Synthesis. May 2026. Zenodo. DOI: 10.5281/zenodo.20120514
[10] Khodjaev, O. Analytical Glossary of AI Governance Terms. Version 1.0. 2026. Zenodo. DOI: 10.5281/zenodo.20741338
[11] Khodjaev, O. Governance Briefs. Analytical Note No. 4 “Audit Without Access.” May 2026. okhodjaev.com
[12] Khodjaev, O. Governance Briefs. Analytical Note No. 6 “The Rollback Problem.” June 2026. okhodjaev.com
Oybek Khodjaev — over 35 years of experience in banking, finance, public administration, and business in Uzbekistan and the CIS.
Author of the essay series “Beyond Control: Theory of Limits of AI Governance.” okhodjaev.com
The author advises public institutions and financial organisations on AI governance, verification frameworks, and institutional readiness.