Journal Club · 5 min read

Principles Without Practice: A Careful Read of the Responsible-AI Governance Review

A peer-reviewed scoping review maps the gap between signing up to responsible-AI principles and being able to enforce them. Its contribution is a vocabulary for that gap — not an implementation that has been shown to work.

Dr. Sven Jungmann

CEO

Editorial collage of a printed responsible-AI principles document fading into blank halftone, with three interlocking teal and navy gear shapes and a single amber dot in the gap between them.

A nurse notices that the new AI documentation tool keeps coding one diagnosis wrong. She mentions it; nobody is sure who owns the problem, so nothing happens. That small scene is the whole subject of this paper, scaled up: the distance between a hospital that has endorsed responsible artificial intelligence and a hospital that can actually do something when one of its systems misbehaves. Endorsement is cheap and universal. The machinery to act on it is neither, and it is the machinery this review is about.

The work is a scoping review by Emmanouil Papagiannidis, Patrick Mikalef and Kieran Conboy in The Journal of Strategic Information Systems: Responsible artificial intelligence governance: A review and research framework. The authors note that plenty of bodies have published principles, but that the literature on how those principles get operationalised — across designing, executing, monitoring and evaluating an AI system — is, in their own words, disparate and lacking in cohesion. Before borrowing any of their conclusions, it pays to be clear about the kind of evidence on offer.

The machinery, in three parts

The framework's spine is a sorting of governance into three kinds of practice, and it is more useful read from the bottom up than the top down. Relational practices are the human layer: how cross-functional work is organised, how the people who actually use a system are drawn into shaping it, how the competence to challenge a model is built at every level rather than concentrated in a committee. Procedural practices are the how: how bias in training data is detected, by what criteria a model is cleared for clinical use, what is done — and what is learned — when it gets a case wrong, how regulatory duties are re-checked over time instead of once. Structural practices are the who: who holds decision authority, who owns which phase of the lifecycle, what the escalation route is when a system produces something it should not.

Put back in the order the paper uses — structural, procedural, relational — the three look tidy. The honest reading is that the relational layer is the one institutions lose first and miss most. Our nurse with the miscoding tool is the test case: she has the knowledge a governance system needs and no path to deliver it. Governance that exists as a document but not as a route a worried clinician can walk is governance only in name.

Why the distinction earns its keep

Underneath the three-part scheme sits the paper's sharpest move: prising apart two words that are constantly run together. A principle of responsible AI describes a destination — be fair, be accountable, be transparent. Governance is the apparatus that makes the destination binding: who decides, by what process, with what consequence when the answer comes out wrong. Nearly all of the public conversation, and nearly every corporate AI charter, lives on the principles side of that line. The review's claim is that principles without governance are good intentions, and that the literature has left the governance badly under-specified.

Principles describe the destination. Governance is the machinery that makes the destination binding — and it is the machinery, not the destination, that the literature has under-built.

What it is, and what it cannot do

This is a review and a conceptual framework, not a study of outcomes. The authors synthesised the existing responsible-AI literature — dozens of studies, drawn largely from European and US settings — and built an organising structure from it. There is no primary data, no intervention, no measured effect, so the framework cannot tell you that adopting it produces safer or fairer AI. It is a scaffold for asking better questions, not a validated pathway with a result attached. The authors are candid about that, and about a second limit a European reader should weigh: a corpus drawn overwhelmingly from Europe and North America carries those regions' regulatory and cultural assumptions, and should structure local judgement rather than substitute for it. A taxonomy this clean has one further hazard — real governance failures rarely respect the lines between structural, procedural and relational; they happen in the seams between them. The lens earns its place by forcing those seams into view, not by promising that three filled boxes make an institution safe.

Why it matters here

For a German or European hospital the use is unglamorous: a checklist for an honest stocktake. Have we named who is accountable for AI decisions? Is there a defined process for data quality and bias review, and a real route for reporting when a system errs — the route our nurse never found? Are end users, clinical and nursing alike, brought into how a tool is shaped and supervised? Have we separated the systems where a human makes the final call from those that act with people only correcting them afterwards, and tuned oversight to that difference? Wherever the truthful answer is 'no' or 'not yet', the framework has already done its job by locating the gap.

Under the Medizinprodukteverordnung (MDR) and the EU AI Act, much of this stops being voluntary for high-risk clinical AI: accountability, traceability and transparency become compliance obligations rather than ethical extras. The review will not tell a hospital how to satisfy them. What it offers is a precise language for asking whether the institution can — which is the first thing any oversight committee needs, and the part most charters quietly skip.

Source: Papagiannidis E, Mikalef P, Conboy K. Responsible artificial intelligence governance: A review and research framework. The Journal of Strategic Information Systems 2025;34(2):101885 (online 5 January 2025). A peer-reviewed scoping review and conceptual framework — synthesis and structure, with no primary data or measured outcomes; its claims are about how to organise the question, not evidence that any arrangement works.
