黑料网911

At 黑料网911 Faculty Publish Breakthrough Study on Automating AI Security Governance

05/01/2026
Adjunct computer science instructor DMITRI KHARCHEVNIKOV

Two computer technology faculty members at At 黑料网911, Dmitri Kharchevnikov and Steve Robinett, have published new peer-reviewed research that could reshape how organizations secure and govern their rapidly expanding AI systems.

Their paper, Declarable Integration of NIST AI Risk Management into AI-driven ISMS through Policy-as-Code, examines one of the most persistent challenges in the field: turning broad, high-level security guidelines into concrete, enforceable rules that AI systems can follow.

“AI is everywhere – it’s transforming industries, reshaping jobs and raising serious questions about safety, fairness and accountability,” Kharchevnikov said. “People are right to be concerned, and research like ours is part of the effort to make sure AI develops in a way that is transparent, accountable and secure.”

They hope their research can alleviate some of those concerns.

“Having this paper published means that a real, practical frustration I carried for years has been turned into something that can genuinely contribute to the field,” Kharchevnikov said. “I really hope this work helps other IT people make their lives easier and their systems safer.”

Kharchevnikov decided to tackle the topic when he observed the governance landscape around AI had multiple frameworks and guidelines “existing on their own, often in misalignment with each other,” he said. “That was the moment I decided to work on this problem.”

It was important to him, however, not to just document the problem.

“I wanted to explore making the governance process automated through a technique called policy-as-code, which translates written rules into machine-enforceable controls,” Kharchevnikov said. “For that, I needed someone with strong programming expertise who could help assess whether governance rules written in natural language could realistically be encoded as code, and who could also help maintain scientific rigor when analyzing data.”

Enter Robinett.

“Exactly the right person for the role,” Kharchevnikov said.

“As a software engineer, I was drawn early to the profound ways artificial intelligence is reshaping the technology industry,” Robinett said. “When I saw how AI was affecting every corner of our industry, I knew this was something we had to address head-on in our curriculum. I couldn’t think of a better way to get to know my new colleague than to build something meaningful together.”

As AI becomes embedded in everything from customer service to critical infrastructure, organizations face mounting pressure to demonstrate that their systems are safe, trustworthy and compliant with emerging regulations. Robinett and Kharchevnikov argue that the traditional approach—policy documents, checklists and periodic audits—cannot keep pace with the speed and scale of modern AI deployment.

Their study introduces an approach known as policy-as-code, which involves converting security and compliance requirements into executable program code rather than leaving them as written documents. By embedding these rules directly into the systems that must follow them, organizations can ensure that policies are automatically checked, enforced and evaluated. This allows compliance to be tested and audited with the same consistency and precision used in modern software development, reducing reliance on manual reviews and improving overall accountability.

Traditional compliance frameworks are essentially static documents no matter how detailed and well-intentioned they are, Kharchevnikov said, noting someone ultimately still has to read, interpret and verify that an organization is following the rules.

“That process is slow, inconsistent and doesn’t scale well, especially as AI systems grow more complex and the number of regulations keeps expanding,” Kharchevnikov said. “Our approach is different because it treats governance rules as something the computer can actually run. Instead of a checklist that a human works through periodically, the controls become automated – they execute continuously, flag violations in real time and integrate directly into the organization’s existing security infrastructure.”

Robinett and Kharchevnikov went even a step further. To evaluate how far this approach can go, they focused on two of the most influential security frameworks in use today: the National Institute of Standards and Technology’s AI Risk Management Framework and the international ISO/IEC 27001 information security standard. Together, these frameworks contain more than 200 individual security actions.

Robinett manually reviewed each action, assessing whether it could be reliably translated into code. Kharchevnikov then conducted statistical analysis on the resulting dataset to identify patterns and determine how much AI governance can realistically be automated.

What also set their work apart was that they didn’t just propose automation in theory – they systematically analyzed all 212 governance actions in the NIST AI Risk Management Framework and showed that nearly 85% of the actions can realistically be encoded as machine-executable controls.

“We then did something that even NIST itself hasn’t done yet: we mapped those controls to the internationally recognized ISO/IEC 27002 cybersecurity standard,” Kharchevnikov said. “Last time we checked, NIST had only indicated this kind of alignment as something they were planning to do sometime in the future. We went ahead and did it now. The result is a framework that is faster, more consistent and far less dependent on manual human effort, which ultimately means organizations can stay compliant without consuming so much of their team’s time and energy.”

Kharchevnikov said his experience managing IT systems meant it made sense to him that many of the controls could be executed by the computer system itself, but he found it “eye-opening and frankly alarming” to find few to no controls in place in the areas of System and Network Security, Identity and Access Management and Asset Management.

“Those decisions carry a lot of context that a machine cannot fully grasp yet,” Kharchevnikov said. “You still need a human in the loop. These are not minor concerns; they are foundational pillars of any serious security program. Our work essentially shows organizations where the blind spots are, so they know what gaps they need to fill on their own.”

Kharchevnikov and Robinett’s research suggests the implications are significant for industries racing to adopt AI while facing heightened scrutiny from regulators and the public. Automating the majority of governance actions could allow organizations to move from reactive, manual compliance cycles to continuous, machine-enforced security. It also creates a more transparent and auditable trail: automated rules can be traced, tested and verified in ways traditional policy documents cannot.

Another key contribution of the study is its demonstration of how disparate standards can be aligned. By mapping NIST’s AI-specific guidance to the broader ISO/IEC 27001 controls, the paper reveals how organizations can unify their security posture rather than maintaining parallel processes. In an environment where AI systems increasingly interact with traditional IT infrastructure, this integration may prove essential.

The paper also underscores a broader shift in the field: AI governance must evolve as quickly as AI itself. Manual oversight alone cannot keep pace with systems that learn, adapt and scale. Automation is no longer optional, Kharchevnikov and Robinett said.

For organizations exploring AI adoption, the study offers both a caution and a roadmap. The caution: relying solely on human review and static documents is no longer sufficient. The roadmap: embrace policy-as-code to build governance systems that are as dynamic and intelligent as the technologies they oversee.

Kharchevnikov and Robinett say their research is just the start.

“We hope it opens doors for others in the field,” Kharchevnikov said. “The natural next steps would be moving the framework closer to actual implementation – developing working policy-as-code templates that organizations can use in real systems – and addressing the coverage gaps we identified in areas like system and network security and identity and access management.”

The two aren’t sure whether they will be the ones taking it to that next step.

“But that’s also what’s exciting about publishing research,” Kharchevnikov said. “You put it out into the world and other researchers, security architects and policymakers can pick it up and run with it. If our work helps someone else build something useful, that’s a meaningful outcome in itself.”

One certain outcome is that a friendship developed between two colleagues who had just met when they started the work since this is Kharchevnikov’s first year working at At 黑料网911, where he works remotely from his home outside Atlanta.

“My involvement began with a conversation with Dmitri – a collaboration that took shape even before Dmitri officially joined the college,” said Robinett, who has been working at At 黑料网911 for 10 years. “What started as a shared interest in emerging technology has grown into both a professional partnership and a personal friendship, fueling the development of new AI-focused coursework for students across disciplines. This effort has given me a lot of energy. Working on something this relevant, with someone this engaged – that’s exactly the kind of collaboration that makes this work rewarding.”

“I’m also proud that this work came out of At 黑料网911,” Kharchevnikov said. “Research and the pursuit of new knowledge are a natural part of what we do here – faculty are not just teachers, we are also scholars who engage with real problems and contribute to our fields. This publication is simply one example of that, and I hope it inspires both colleagues and students to see academic inquiry as something that belongs here just as much as anywhere else.”

The research will greatly benefit At 黑料网911 students, whether they are pursuing Cybersecurity or Computer Programming degrees or students who are merely interested in learning more about this emerging technology that is transforming the modern workplace.

“Concepts like policy-as-code and automated compliance are increasingly relevant in real-world IT environments, so weaving those ideas into my existing courses makes a lot of sense,” Kharchevnikov said.

Both Kharchevnikov and Robinett will be teaching an AI Fundamentals course this fall that will be the first-of-its-kind in the Montana University System. There are no prerequisites for the course, so members of the general public can sign up for the class, which will be offered both the first and the second block of the fall 2026 semester. Contact admissions at 406-268-3700 or [email protected] for more information.

“AI governance will be one of the major topics (of the class),” Kharchevnikov said. “Students won’t just be learning about AI from a textbook – they’ll be engaging with original research produced right here at At 黑料网911.”

The full paper is available through the Journal of Information and Knowledge Management. Robinett and Kharchevnikov welcome conversations with practitioners, researchers and policymakers interested in applying or expanding on their findings.
