Author: Dr Joshua Scarpino

CASE STUDY: ARISE CASE STUDY

Why Organizations Are Adopting ARISE Framework™

What Three Months of Cross-Sector Adoption Data Says About the Value of a Unified Assurance Layer

Most AI governance conversations begin with the wrong question. They ask which framework an organization should adopt. The more useful question is what an organization gains operationally once it adopts one. The first three months of ARISE Framework™ adoption data answer that question directly. Practitioners from nine industry sectors and six global regions began using the framework within two months of availability, and the pattern of how they are using it reveals what the architecture delivers in practice.

Organizations adopt ARISE because it resolves a problem that sector-specific compliance frameworks do not solve. Compliance frameworks specify what must be governed. They do not specify how to govern AI systems that generate risk every hour of every day. The ARISE Framework provides the operational assurance layer that fills that gap, and the adoption data shows organizations across industries arriving at that conclusion independently.

The Operational Problem ARISE Resolves

AI systems do not produce risk on a quarterly schedule. They produce it continuously, through model drift, agent permission expansion, data exposure, and decision-making at machine speed. Annual audit cycles are insufficient for systems that generate risk continuously; a misconfigured agent permission can persist for months before detection under traditional review models.

Organizations subject to multiple regulatory regimes face a compounding problem. A healthcare organization governed by HIPAA, the EU AI Act where applicable, and emerging clinical AI guidance cannot operate three separate governance programs without significant overhead. A financial institution managing model risk under Basel III while preparing for EU AI Act compliance cannot maintain duplicate assurance programs that say similar things in different vocabularies. The ARISE Framework provides a single assurance architecture that maps to the operational requirements embedded within each of these frameworks.

The seven domains, GOVERN, MANAGE, IDENTIFY, PROTECT, DETECT, RESPOND, and VALIDATE, are not compliance categories drawn from any single regulation. They are operational assurance functions. DETECT and VALIDATE satisfy the conformance monitoring obligations in the EU AI Act. PROTECT and RESPOND address the data protection and incident response requirements in HIPAA. IDENTIFY and GOVERN correspond to the model inventory and accountability requirements in both NIST AI RMF and ISO 42001. Mappings currently exist for 14 frameworks, six criteria sets, and eight regulations, and the catalog continues to grow.

The practical effect for an organization is consolidation. One assurance program produces evidence that satisfies multiple regulatory obligations simultaneously, rather than producing the same evidence three times in three different formats.

What Organizations Gain by Adopting ARISE

The adoption data offers concrete signals about what organizations are getting from the framework, broken down by sector.

Continuous assurance instead of periodic review. Healthcare practitioners deploying AI in clinical decision support, diagnostic imaging, and patient data management cannot wait for annual review cycles to identify model failures. Energy sector practitioners managing AI-assisted grid systems cannot allow predictive maintenance failures to reach physical infrastructure before they are detected. Manufacturing organizations cannot govern AI systems that affect production quality and worker safety on a quarterly cadence. The ARISE Framework provides the DETECT and RESPOND mechanisms that allow these organizations to identify and contain failures at the rate the systems produce them.

Transferable methodology across client engagements. Consulting represents 25% of named-sector practitioners, second only to Information Technology at 29%. Consulting practitioners adopt ARISE because it gives them a single assurance methodology that maps to client-specific regulatory requirements without requiring a custom framework for each engagement. The benefit is leverage; one adoption decision propagates into multiple client governance programs.

Integration with existing model risk management. Financial services practitioners are integrating ARISE with model risk management programs that already exist under Basel III and similar regimes. The framework does not replace those programs; it extends them to cover the assurance gaps that traditional MRM does not address, particularly around generative and agentic AI systems that fall outside conventional model definitions.

Foundational architecture for organizations in nascent regulatory environments. Practitioners in markets where AI regulation is still emerging, including several African and South Asian organizations in the cohort, engage with the GOVERN and IDENTIFY domains as foundational architecture. They are not adopting ARISE to comply with a regulation that already exists. They are adopting it to establish governance discipline before regulation arrives. This is materially less expensive than retrofitting governance after a regulatory inquiry.

Reference architecture awareness from regulatory bodies. Government regulatory bodies have begun engaging with the framework distinctly from other practitioner cohorts. Regulators evaluating ARISE at this depth are assessing it as a reference architecture for the standards they will impose on the entities they oversee. Organizations that adopt the framework now position themselves ahead of standards that may reference its structure.

Educational and pipeline benefits. Practitioners from multiple global universities and health informatics programs have integrated ARISE into curriculum. Organizations hiring from these programs receive practitioners who are already fluent in the framework, which compresses onboarding time for governance roles.

Why the Distribution Matters

The geographic and sector distribution is itself a signal of operational value. Verified practitioner organizations span the United States, the United Kingdom, Nigeria, Kenya, Ethiopia, Algeria, Ghana, Malaysia, the Philippines, Indonesia, Bangladesh, Pakistan, Germany, the Netherlands, Chile, Argentina, and Nepal. The framework is being applied across environments governed by the EU AI Act, emerging African AI policy frameworks, APAC data governance regimes, and US sector-specific regulations simultaneously.

A framework designed for a single jurisdiction does not produce that distribution. Organizations adopt it because it accommodates their specific regulatory environment without requiring separate configurations. An EU practitioner preparing for AI Act obligations and a Nigerian fintech governing AI in live payments infrastructure use the same domains, calibrated to their respective contexts.

The sector spread carries the same implication. Information Technology, Consulting, and Financial Services account for over 67% of named-sector practitioners. The remaining cohorts span healthcare, energy, manufacturing, education, communication services, utilities, materials, and real estate. Sectors with little historical engagement in AI governance discourse, including utilities, materials, and real estate, are now applying structured assurance to their AI deployments. The framework supports each without modification.

How Adoption Typically Proceeds

The engagement data reveals how organizations move from initial evaluation into active deployment.

A meaningful share of practitioners returned for multiple sessions, indicating active framework application rather than one-time research. The highest engagement concentration is in consulting, consistent with practitioners who reference the framework repeatedly during live client engagements. Financial services practitioners are moving from initial assessment into integration with existing programs. Healthcare and energy practitioners are using the framework to address governance requirements that their existing compliance programs do not specifically cover.

The pattern suggests that organizations gain value from ARISE in three stages. Initial adoption establishes a common assurance vocabulary that maps to existing regulatory obligations. Integration ties that vocabulary into existing risk and compliance programs, eliminating duplicate effort. Operational deployment shifts governance from periodic review to continuous assurance, which is the stage at which the framework delivers its largest practical benefit.

What This Means for Organizations Not Yet Engaged

Three months of adoption data is not a long observation period, but the patterns are consistent enough to support a clear inference. Organizations across industries, regulatory jurisdictions, and governance maturity levels are reaching the same conclusion: a unified assurance architecture is more efficient than parallel framework-specific programs, and continuous assurance is more effective than periodic review for systems that generate risk continuously.

Organizations not yet engaged with the framework face a practical decision rather than a strategic one. They can continue operating parallel governance programs aligned to each applicable framework and absorb the resulting overhead. They can adopt a unified assurance architecture that maps to those frameworks at the operational level and consolidate the work.

The data shows which option organizations are choosing when they evaluate the trade-off directly. Nine sectors. Six global regions. Multiple regulatory jurisdictions. One governance language.

The ARISE Framework™ is developed by Assessed Intelligence. The full case study is available at assessedintelligence.com.