Council of Europe CAHAI Approves AI Governance Feasibility Study — December 17, 2021

On 17 December 2021 the Council of Europe’s Ad Hoc Committee on Artificial Intelligence (CAHAI) adopted its Feasibility Study on a Legal Framework on Artificial Intelligence, concluding two years of multistakeholder consultations.¹ The study recommends negotiating a legally binding Council of Europe convention establishing common principles for trustworthy AI, complemented by non-binding guidance, capacity-building programs, and cooperation mechanisms.¹² Governments and enterprises operating in the Council’s 46 member states should prepare for convention talks that will define baseline obligations for transparency, accountability, risk management, and remedy.

Core elements of the feasibility study

• Convention scope. The proposed treaty would cover the lifecycle of AI systems, ensuring respect for human rights, democracy, and the rule of law. It would apply to both public authorities and private actors where state obligations are engaged through procurement, delegation, or oversight.¹
• General principles. CAHAI outlines binding principles—human dignity, fairness, transparency, accountability, non-discrimination, privacy, and data governance—that must inform AI design, deployment, and oversight.¹
• Risk-based obligations. The study recommends mandatory fundamental rights and impact assessments for high-risk AI, proportional requirements for lower-risk use cases, and outright prohibitions for AI practices incompatible with Council of Europe standards.¹
• Supervision and enforcement. States would designate independent supervisory authorities with investigatory powers, establish complaint and redress mechanisms, and enable judicial review for individuals harmed by AI decisions.¹
• Complementary instruments. Soft-law tools—model laws, certification schemes, technical guidelines, and cooperative networks—would support setup and align national practices.¹²

Strategic implications

The CAHAI study signals the Council of Europe’s intention to shape global AI governance beyond the EU’s proposed AI Act. The convention would be open to non-European states and teams, creating a broader normative framework anchored in the European Convention on Human Rights.¹ For enterprises, this means AI risk management must satisfy both EU regulatory requirements and Council of Europe standards, particularly for applications involving biometric identification, algorithmic decision-making in justice or policing, and automated content moderation.

Member states will transition CAHAI’s mandate to the newly established Committee on Artificial Intelligence (CAI), which will negotiate the treaty text, elaborate soft-law instruments, and coordinate capacity building.¹ Regulators will align national AI strategies with CAHAI recommendations, including setting up national AI supervisory authorities and ensuring independent oversight of public-sector deployments.

Implementation priorities for teams

• Governance mapping. Inventory AI systems across business functions, identify high-risk use cases (for example, biometric identification, critical infrastructure management), and map applicable Council of Europe principles to existing governance controls.
• Human rights impact assessments. Develop structured assessment methodologies covering purpose, data quality, bias mitigation, proportionality, stakeholder consultation, and mitigation plans. Align with CAHAI’s call for ex-ante and ex-post reviews.¹
• Transparency and explainability. Implement documentation and model reporting templates that articulate system objectives, training data provenance, performance metrics, and limitations. Provide user-facing explanations and contestability pathways.¹
• Accountability frameworks. Assign accountable officers for AI risk management, integrate oversight into board and executive committees, and ensure internal audit reviews AI controls regularly.
• Redress mechanisms. Establish processes for individuals to challenge automated decisions, appeal outcomes, and seek remediation—reflecting the convention’s emphasis on access to remedy.¹

National authority readiness

Governments should begin planning institutional frameworks that CAHAI envisions. This includes designating lead ministries, helping data protection or digital regulators with AI supervision mandates, and creating multidisciplinary advisory bodies involving civil society, academia, and industry.¹ Capacity-building programs should train judges, procurement officials, and public administrators on AI ethics and risk assessments, using the soft-law toolkits CAHAI proposes.¹²

Controls and metrics

• Key risk indicators. Track the number of AI systems lacking documented impact assessments, unresolved bias findings, or unaddressed human rights complaints.
• Key performance indicators. Measure completion rates of AI transparency documentation, percentage of high-risk projects reviewed by ethics committees, and setup of mitigation actions from impact assessments.
• Oversight metrics. Monitor supervisory authority engagement, audits completed, and cross-border cooperation requests under the future convention framework.
• Capacity metrics. Record training hours delivered to developers, compliance teams, and public officials on CAHAI-aligned governance practices.

Industry-specific factors

• Public sector and justice. Courts and law enforcement agencies should prepare for stringent oversight of predictive policing, risk assessment algorithms, and biometric systems, ensuring transparency, oversight, and remedy options.¹
• Healthcare. Health systems must evaluate diagnostic AI for fairness, safety, and informed consent, coordinating with medical device regulators and ethics boards.
• Financial services. Banks and insurers should integrate CAHAI principles into credit scoring, fraud detection, and anti-money-laundering AI, aligning with existing fairness and explainability obligations.
• Platform economy. Online platforms should review content moderation algorithms, recommender systems, and targeted advertising models for compliance with human rights standards, especially freedom of expression.

program risks and mitigations

• Regulatory uncertainty. Mitigation: engage in CAI consultations, monitor draft treaty provisions, and contribute industry expertise to soft-law development.
• Resource constraints. Mitigation: prioritize high-risk AI systems for immediate assessment, use shared risk management toolkits, and partner with academic institutions for methodological support.
• Data and model opacity. Mitigation: adopt model governance platforms, require suppliers to provide documentation, and enforce contractual obligations for transparency and access to model internals.
• Cross-border compliance. Mitigation: harmonize AI controls across EU and Council of Europe frameworks to avoid duplicative assessments, and create central compliance repositories accessible to global teams.

Looking ahead

The CAI will draft the convention text in 2022–2023, with potential adoption by the Committee of Ministers thereafter.¹ Parallel soft-law instruments—guidelines on impact assessments, conformity assessment schemes, and cooperation networks—will provide operational detail.² Teams that align early with CAHAI’s blueprint can influence negotiations, show leadership in human-centric AI, and reduce compliance costs once the convention enters into force.

Cited sources

• ¹ Council of Europe: Feasibility Study on a Legal Framework on Artificial Intelligence.
• ² Council of Europe press release on CAHAI feasibility study adoption.

This brief helps teams operationalize Council of Europe AI safeguards through impact assessment design, governance frameworks, and stakeholder engagement planning.

Teams should also monitor how CAI coordinates with other global initiatives, such as the OECD’s AI work and the G7/G20 trustworthy AI principles, to ensure governance programs remain interoperable across jurisdictions.

See also

Selected articles on related subjects.

AI · Credibility 92/100 · December 20, 2021

AI Governance Retrospective — AI governance

Risk-based AI regulation accelerated between 2020 and 2021—from the EU’s white paper and AI Act proposal to U.S. executive mandates, the National AI Initiative, and NIST’s AI Risk Management Framework…

AI · Credibility 85/100 · December 13, 2021

NIST releases AI Risk Management Framework concept paper

NIST’s concept paper proposes a voluntary AI Risk Management Framework built around core functions of mapping, measuring, managing and governing risks. It calls for public feedback and outlines a roadmap to publish the…

AI · Credibility 71/100 · July 29, 2022

NIST issues second draft AI Risk Management Framework

NIST released the second draft of its AI Risk Management Framework on 29 July 2022, seeking comments on updated governance, measurement, and risk mitigation guidance ahead of the 1.0 release.

AI · Credibility 85/100 · September 28, 2022

EU AI Liability Directive (AILD) overview and current status

Explains the European Commission’s proposal for an AI Liability Directive, covering its purpose, scope, key provisions (fault‑based liability, evidence disclosure and a rebuttable presumption of causality), criticisms…

AI · Credibility 71/100 · December 6, 2022

EU Council agrees general approach on AI Act

EU telecom and digital ministers adopted a general approach on the Artificial Intelligence Act on 6 December 2022, locking in the Council’s negotiating mandate on risk tiers, prohibited uses, and conformity assessments…

Continue in the AI pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Governance Implementation Guide

  Operationalise the EU AI Act, ISO/IEC 42001, and U.S. OMB M-24-10 requirements with accountable inventories, controls, and reporting workflows.

• AI Incident Response and Resilience Guide

  Coordinate AI-specific detection, escalation, and regulatory reporting that satisfy EU AI Act serious incident rules, OMB M-24-10 Section 7, and CIRCIA preparation.

• AI Procurement Governance Guide

  Structure AI procurement pipelines with risk-tier screening, contract controls, supplier monitoring, and EU-U.S.-UK compliance evidence.

Coverage intelligence

Published

December 17, 2021

Coverage pillar

AI

Source credibility

92/100 — high confidence

Topics

Council of Europe · AI governance · Human rights · Risk management

Sources cited

3 sources (coe.int, rm.coe.int, iso.org)

Reading time

5 min

Cited sources

1. CAHAI delivers proposals for legal framework on artificial intelligence — Council of Europe
2. Feasibility Study on a Legal Framework on Artificial Intelligence — Council of Europe
3. ISO/IEC 42001:2023 — Artificial Intelligence Management System — International Organization for Standardization