The Paper Architecture
Analytical Note No. 2 · Series: Governance Briefs · May 2026 · * *Operationalises: Essay 1 “The Illusion of Control” — Beyond Control: Theory of Limits of AI Governance Русская версия
Over the past two years, Uzbekistan has produced a regulatory architecture for artificial intelligence that few countries in Central Asia can match in scope or pace. Presidential Decree No. PP-358 (October 2024) established an AI development strategy to 2030. Law No. ZRU-1115 (January 2026) introduced the first legislative definition of artificial intelligence and placed explicit restrictions on autonomous decision-making in legally significant contexts. The Ministry of Digital Technologies issued Ethical Rules for AI Application in March 2026. Presidential Decree UP-189 (October 2025) mandated NAPPM coordination for all regulatory proposals involving AI implementation. The Cybersecurity Strategy 2026–2030 addressed AI-related infrastructure risks.
This represents substantial institutional work carried out within a compressed timeframe. Uzbekistan has completed the first structural stage of AI governance — establishing a normative core. The second stage is architecturally different.
Documents and enforcement are not the same thing
ZRU-1115’s central operative provision — Article 7¹ — prohibits reliance solely on AI-generated conclusions when taking legally significant decisions affecting citizens’ rights and freedoms. The norm is conceptually correct.
What does not yet exist alongside it in the current public verification framework: a definition of what constitutes “sole” reliance for the purpose of this prohibition. A mechanism for verifying compliance across the institutions subject to the law. A designated body with standing to investigate alleged violations. An evidentiary standard by which a violation would be established. A consequence structure for confirmed violations.
The norm exists. The enforcement architecture does not yet.
This is not a criticism of the drafters of ZRU-1115. It describes a structural pattern characteristic of first-generation AI regulation across every jurisdiction where it has appeared. The normative framework is created faster than the institutional infrastructure required to give it operational meaning. The EU AI Act entered into force in August 2024 with enforcement mechanisms still being developed across member states. The US Executive Order of October 2023 established reporting requirements before the reporting infrastructure existed to process them. Uzbekistan is not an outlier — it is following a pattern. What makes the Uzbek case instructive is the density and speed of the documentation. In less than two years, the regulatory output moved from strategic framework to legislative amendment, from ministerial ethics guidelines to cybersecurity strategy. Each document adds a layer. None of the layers yet connects to a functioning verification mechanism.
What a paper architecture produces
A governance framework without enforcement infrastructure is not a weaker version of governance. It is a structurally different condition. It produces documentation of compliance without producing compliance behaviour.
For institutions deploying AI systems — banks, state enterprises, government agencies — this creates a specific operational reality: the legal requirements are real, the consequences of non-compliance are not yet operational in the current public verification framework, and the distinction between appearing to comply and actually complying is not externally verifiable. Under these conditions, institutions face structural incentives to invest in documentation rather than in the controls themselves. This is not a matter of institutional intent. It is the predictable outcome of an enforcement gap. When a regulator cannot verify what a system actually does — as distinct from what its documentation declares — the institution that invests in genuine verification bears a cost that its competitors do not.
Order 3787 (AI Ethics Rules, March 2026) illustrates this at a further level. Principle-based frameworks are valuable as aspirational anchors. They do not constitute enforcement mechanisms. The distinction matters more in AI governance than in most regulatory domains, because AI systems can produce documentation showing compliance while their operational behaviour diverges from declared parameters. Independent technical reviews of AI deployments across multiple sectors internationally have documented this divergence as a structural feature of complex systems — not as an exceptional event.
The architecture and the window
Analytical Note No. 1 in this series established that the correction window is narrowing faster in AI governance than in any previous regulatory domain. Each period of operation without a verification mechanism is a period in which AI systems accumulate operational history, institutions develop dependencies, and the cost of subsequent audit increases while the practical significance of its findings decreases.
The logic of the paper architecture compounds this. A jurisdiction that builds documentation quickly but enforcement infrastructure slowly does not preserve its correction window by the act of documentation. Documents do not slow the clock. The cost of building that infrastructure grows faster than is generally assumed.
Uzbekistan’s regulatory output to date represents a significant investment in the first stage of a governance architecture. What the second stage requires is not additional documentation — it is the institutional machinery that makes the documentation operative: independent verification capacity, a designated oversight authority with meaningful access rights, incident response protocols, and consequence structures that create incentives for compliance behaviour rather than compliance documentation. Building that machinery is harder than drafting the documents. It requires resolving questions of institutional jurisdiction that the current framework leaves open — including, examined in Analytical Note No. 3, the question of who has authority to verify what AI systems actually do, as distinct from what their operators declare.
What this means for institutions
For organisations operating under Uzbekistan’s current AI regulatory framework, the gap between documentation requirements and enforcement capacity will close. The institutional trajectory is already visible; the timeline of the transition is uncertain. Organisations that understand their actual regulatory position — not the position their documentation describes — are better placed to manage that transition than those that discover the gap when enforcement arrives.
Understanding the actual regulatory position requires examining what AI systems in an organisation actually do, where human judgment remains present and where it has been displaced, and whether the gap between declared behaviour and operational behaviour is visible to the institution’s own governance structures. This kind of regulatory readiness assessment requires a separate analysis of the actual behaviour of AI systems within the organisation.
Sources
[1] Law No. ZRU-1115, 21.01.2026. On amendments and additions to certain legislative acts of the Republic of Uzbekistan in connection with the introduction of artificial intelligence technologies. lex.uz
[2] Presidential Decree No. PP-358, 14.10.2024. On approval of the Strategy for the development of artificial intelligence technologies until 2030. lex.uz
[3] Order of the Ministry of Digital Technologies No. 3787, 14.03.2026. On approval of Ethical Rules for AI Application. lex.uz
[4] Presidential Decree No. UP-189, 22.10.2025. On measures to ensure the systemic introduction of artificial intelligence technologies. lex.uz
[5] Presidential Decree No. UP-38, 2026. Cybersecurity Strategy of the Republic of Uzbekistan 2026–2030. lex.uz
[6] European Parliament and Council. Regulation (EU) 2024/1689 — AI Act. August 2024. eur-lex.europa.eu
[7] The White House. Executive Order 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. October 2023. whitehouse.gov
[8] Basel Committee on Banking Supervision. Principles for Sound Management of Operational Risk. bis.org
Oybek Khodjaev — over 35 years of experience in the banking sector, finance, public administration, and business in Uzbekistan and the CIS. Author of the essay series “Beyond Control: Theory of Limits of AI Governance.” okhodjaev.com
The author develops analytical materials and architectural recommendations on AI governance, verification frameworks, and institutional readiness for government bodies, banks, and other institutions.