ORIGINAL RESEARCH article

Front. Artif. Intell.

Sec. Technology and Law

Audit-as-Code: A Policy-as-Code Framework for Continuous AI Assurance

Provisionally accepted
  • 1University of Regina, Regina, Canada
  • 2Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia

The final, formatted version of the article will be published soon.

Existing AI assurance and governance frameworks rely heavily on documented written policies and manual reviews of the implementation. The primary challenge is not the length of these documents but operationalizing them: closing the gap between qualitative requirements and verifiable controls. This approach makes continuous compliance throughout the development life cycle hard to enforce, scale and reproduce. This paper presents a continuous assurance framework called Audit-as-Code that maps governance requirements to technically auditable rules, which can be a combination of versioned policy specifications and executable checks for evidence artifacts, linked to structured evidence regarding data, models, provenance, performance, decisions and the explanations of those decisions. While the framework addresses the governance and regulatory mapping requirements, the primary focus of this paper is MLOps/CI-CD (continuous integration/continuous delivery) operationalization: turning these requirements into deterministic checks and gate decisions integrated into operational workflows. We introduce an assured readiness score that integrates governance risk with other key responsible AI principles such as traceability and explainability. This approach helps align deployment decisions with predefined risk tiers, and the framework automates the decision of whether a system can proceed, requires remediation and fixes, or should be blocked. It also provides targeted suggestions for improvement and compliance for the gaps identified. We evaluated this framework on representative AI systems and demonstrated how a single evidence bundle can be used to support assessment across different governance regulations. In doing so, Audit-as-Code transforms AI assurance from a documentation-driven policy module into a quantitative, auditable, reproducible and operationally practical module for ensuring compliance.
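The gate logic the abstract describes (a versioned policy, executable checks over an evidence bundle, and a proceed/remediate/block decision per risk tier), as an added example that is not the authors' implementation. Rule ids, evidence field names, thresholds and the tier names `high`/`low` are assumptions; the paper's assured readiness score is not reproduced because this page does not define it.

```python
import hashlib
import json

# Constructed policy: rule ids, evidence fields and thresholds are assumptions.
POLICY = {
    "version": "1.0.0",
    "rules": [
        {"id": "PROV-01", "field": "provenance.dataset_sha256", "op": "present",
         "blocking": True, "fix": "Record the training dataset digest."},
        {"id": "PERF-01", "field": "performance.accuracy", "op": "min",
         "value": {"high": 0.90, "low": 0.80}, "blocking": True,
         "fix": "Re-evaluate until accuracy meets the tier minimum."},
        {"id": "EXPL-01", "field": "explanations.coverage", "op": "min",
         "value": {"high": 0.95, "low": 0.50}, "blocking": False,
         "fix": "Generate explanations for more logged decisions."},
    ],
}

def lookup(bundle, dotted):
    """Walk a dotted path; return None when any segment is missing."""
    node = bundle
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def digest(obj):
    """SHA-256 over canonical JSON, so identical input gives an identical digest."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def evaluate(policy, bundle, tier):
    """Return a deterministic gate record bound to policy and evidence digests."""
    failures = []
    for rule in policy["rules"]:
        actual = lookup(bundle, rule["field"])
        if rule["op"] == "present":
            ok = actual not in (None, "")
        else:  # "min": missing or non-numeric evidence fails closed
            ok = type(actual) in (int, float) and actual >= rule["value"][tier]
        if not ok:
            failures.append(rule)
    blocking = any(r["blocking"] for r in failures)
    decision = "block" if blocking else "remediate" if failures else "proceed"
    return {"decision": decision, "policy_version": policy["version"],
            "policy_digest": digest(policy), "evidence_digest": digest(bundle),
            "failed": [r["id"] for r in failures],
            "suggestions": [r["fix"] for r in failures]}

# Constructed evidence bundle for one model release.
BUNDLE = {"provenance": {"dataset_sha256": "0" * 64},
          "performance": {"accuracy": 0.93}, "explanations": {"coverage": 0.70}}
```

Storing the returned record alongside the pipeline run lets an auditor re-run the same policy version on the same bundle and confirm the decision and both digests match.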

Keywords: AI assurance, CI/CD, Compliance, Explainability, governance, policy-as-code, reproducibility, traceability

Received: 03 Dec 2025; Accepted: 04 Feb 2026.

Copyright: © 2026 Muhammad, Yow and Alsenan. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) or licensor are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

* Correspondence: Aoun E Muhammad

Disclaimer: All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article or claim that may be made by its manufacturer is not guaranteed or endorsed by the publisher.