The Conflict of Functions
Who audits the regulator? The structural gap between coordination of AI regulatory proposals and independent oversight of deployed AI systems in Uzbekistan.
Analytical Note No. 3 · Series: Governance Briefs · May 2026
Operationalises: Essay 3 “The Regulator’s Dilemma” — Beyond Control: Theory of Limits of AI Governance
Русская версия: okhodjaev.com/governance-briefs/the-conflict-of-functions-ru/
Presidential Decree No. UP-189 (October 22, 2025) represents a significant advance in Uzbekistan’s institutional architecture for AI governance. It establishes a $100 million financing mechanism for AI infrastructure and projects through the Reconstruction and Development Fund, a mandatory coordination gate for AI-related regulatory proposals through the National Agency for Prospective Projects (NAPPM), educational integration at every level from primary school to postgraduate training, and an accountability structure that extends to the Prime Minister personally. Taken together with PP-358 and ZRU-1115, it completes a first-generation AI governance framework that few countries in the region have achieved in comparable time.
The question this architecture does not yet resolve — and one that grows more consequential as deployment scales — is structural rather than procedural. It concerns not what the framework says, but what function has not yet been assigned.
Coordination and oversight are not the same function
From January 1, 2026, Article 3(a) of UP-189 requires that all draft normative-legal acts and technical specifications involving AI implementation be agreed with NAPPM in mandatory order. This is a meaningful institutional step. It inserts a coordination review into the regulatory pipeline before proposals become operative, ensuring that AI-related regulatory drafts pass through a body with cross-sectoral visibility. Article 3(b) further assigns to NAPPM the authority to determine procedures for AI implementation in sensitive sectors: crypto assets, e-commerce, insurance, securities, and blockchain-based information systems.
Coordination of this kind operates on documents and proposals. Its object is the regulatory framework before deployment. It is architecturally different from oversight, whose object is the operational behaviour of systems after deployment.
An oversight body asks not whether a regulatory proposal is internally consistent, but whether a deployed system behaves as its documentation declares. Not whether an ethics principle has been endorsed — as with Order No. 3787 of the Ministry of Digital Technologies (March 2026) — but whether AI systems in operation comply with it. Not whether a risk framework has been approved, but whether the actual risk profile of deployed systems corresponds to what the framework assumed.
Both functions are necessary. They are not the same function.
What the current architecture creates
Article 2(g) of UP-189 establishes the Center for AI and Digital Economy Development (the Center) as the customer of AI implementation projects funded under the Decree, and simultaneously as the responsible body for their practical application. Article 11(g) designates the same Center as the body conducting post-monitoring of the timely and quality implementation of those projects. The Coordination Commission for the Digital Uzbekistan 2030 Strategy, which distributes project financing under Article 7(a), reviews project KPIs within the same institutional ecosystem.
This dual assignment — customer and post-implementation monitor — reflects an early-stage institutional configuration in which the bodies with the technical expertise to assess AI project implementation are also the bodies responsible for driving that implementation. The same sequence appears across every first-generation AI governance framework: the EU AI Act entered into force in August 2024 with conformity assessment mechanisms still being developed; the US Executive Order of October 2023 established reporting requirements before the infrastructure to process them was operational. Uzbekistan is not an exception to a global pattern. It is following it.
What has not yet been designated in the current architecture is a body with a mandate and access rights that are independent of the commissioning and implementation chain — a body whose specific function is to examine whether deployed AI systems behave as declared, in real operation, not only at the proposal stage.
ZRU-1115’s central operative provision — Article 7¹’s prohibition on exclusive reliance on AI-generated conclusions in legally significant decisions — requires exactly this capacity for its enforcement. Determining whether an institution has used an AI system’s output exclusively, or whether human judgment was substantively present in a decision process, cannot be established through document review alone. It requires access to operational data.
Under the current public architecture, no institution holds an explicitly independent mandate, the necessary access rights, and operational authority to perform this verification function.
Why the AI context makes this harder
Essay 3 of the Beyond Control series describes a structural trilemma facing every regulatory body governing a fast-moving technology: the simultaneous requirements of understanding the technology, moving quickly enough to remain relevant, and maintaining the independence that makes oversight binding rather than decorative. In the AI context, a specific asymmetry compounds this trilemma: the technical knowledge required for meaningful verification of AI system behaviour is concentrated in the institutions closest to deployment.
This means that any body positioned to conduct independent oversight currently faces an access gap. Uzbekistan’s institutional architecture has created capable bodies — the Center, NAPPM, the Coordination Commission — with genuine technical and coordinating capacity. What the current arrangement has not yet produced is the functional separation between promotion and oversight that makes independent verification possible. The body best positioned to assess an AI project’s real behaviour is the body that commissioned it.
International regulatory experience in sectors characterised by fast-moving technical change and high institutional stakes — banking supervision, nuclear verification, pharmaceutical approval — shows a consistent pattern. The separation of promotion from oversight is not, in those cases, treated as a preference. It is treated as the structural condition for oversight retaining independent meaning. When the same institution simultaneously drives implementation and evaluates it, the logic of implementation tends, gradually and without any single deliberate decision, to shape the methodology of evaluation.
What this means for institutions
For organisations operating under Uzbekistan’s current AI regulatory framework, the present architecture has two practical implications.
The first continues from Analytical Note No. 2: enforcement of ZRU-1115’s operative provisions is not yet operational in the current public framework. Institutions face structural incentives to invest in documentation rather than in the controls that documentation is meant to reflect.
The second concerns data. As AI systems accumulate operational history and institutional dependencies deepen, the behavioural data required to assess those systems’ real performance concentrates in the deploying institutions. An independent verification body established after this accumulation faces the mandate without the data access. An oversight architecture built before deep dependency is established retains the option of specifying data access requirements from the outset — before the data becomes proprietary to the institutions being overseen.
Analytical Note No. 4 — “Audit Without Access” — examines this directly: what the centralised behavioural financial dataset created under CBU Resolution 3817 (March 2026) contains, who has authority to read and interpret it, and what this means for the limits of fiscal oversight.
📄 Download PDF (English) · Скачать PDF (русский)
Sources
[1] Presidential Decree No. UP-189, 22.10.2025. On additional measures for the further development of artificial intelligence technologies. Articles 2(g), 3(a), 3(b), 7(a), 11(g). lex.uz
[2] Presidential Decree No. PP-358, 14.10.2024. On approval of the Strategy for AI Technology Development to 2030. lex.uz
[3] Law No. ZRU-1115, 21.01.2026. On amendments to certain legislative acts in connection with the regulation of relations arising from the use of artificial intelligence. Article 7¹. lex.uz
[4] Order of the Ministry of Digital Technologies No. 3787, 14.03.2026. On approving Ethical Rules for the Development, Implementation and Use of AI-Based Solutions. lex.uz
[5] European Parliament and Council. Regulation (EU) 2024/1689 — AI Act. August 2024. eur-lex.europa.eu
[6] The White House. Executive Order 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. October 2023. whitehouse.gov
[7] Basel Committee on Banking Supervision. Core Principles for Effective Banking Supervision. Principle 1: operational independence of the supervisory authority. bis.org
[8] International Atomic Energy Agency. Statute of the IAEA. Article III: Verification mandate independent of national programs. iaea.org
[9] Dal Bó, Ernesto. “Regulatory Capture: A Review.” Oxford Review of Economic Policy 22(2), 2006. academic.oup.com
Oybek Khodjaev — over 35 years of experience in banking, finance, public administration and business in Uzbekistan and the CIS. Author of the essay series “Beyond Control: Theory of Limits of AI Governance.” okhodjaev.com
The author advises public institutions and financial organisations on AI governance, verification frameworks, and institutional readiness.