Author: MCP Service

  • Institutional AI Governance in 2026: How Leading Universities Are Structuring Their Policies

    Institutional AI governance policy is no longer a stopgap memo issued in the panic months after ChatGPT’s public release. Four years on, a small cohort of research universities has converged on something that looks like a durable governance model: scoped definitions of covered technology, annual review cycles, explicit distinctions between staff, student, and researcher use cases, and carve-outs for legitimate research activity. Georgia Institute of Technology’s June 2026 policy update is the clearest recent example, and it arrives alongside two documents that help explain why the model looks the way it does — the American Association of University Professors’ 2025 report on AI and academic labour, and a framework paper from the Centre for International Governance Innovation (CIGI) on AI oversight structures.

    Taken together, these three sources sketch a benchmark against which other institutions can measure their own AI policies. This matters because the gap between universities with a mature institutional AI policy framework and those still operating on interim guidance is widening, and that gap has direct consequences for research integrity, staff workload, intellectual property, and compliance exposure as external mandates — from funder data policies to national AI regulation — continue to tighten around the edges of academic work.

    This piece maps the recurring components of mature governance and asks what they mean in practice for research administrators who are being asked to operationalise policies that, in many cases, were drafted by committees with limited administrative bandwidth.

    What Institutional AI Governance Policy Actually Covers

    The first mark of maturity in an institutional AI governance policy is precision about scope. Early policies, written under time pressure in 2023 and 2024, tended to bundle generative text tools, coding assistants, research data tools, and administrative automation into a single undifferentiated category of “AI.” That approach is now widely recognised as unworkable, because the risk profile, evidentiary standard, and appropriate oversight body differ sharply across those use cases.

    Georgia Tech’s update narrows scope by activity type rather than by tool brand — distinguishing, for instance, between AI used in instructional settings, AI used in the conduct of research, and AI embedded in institutional administrative systems (procurement, HR screening, admissions support). Each activity type sits under a different accountability line, which avoids the common failure mode of routing every AI question through a single overloaded committee.

    This scoping approach echoes a broader pattern visible across AI policies universities 2026 have adopted more generally: policy documents increasingly separate “AI as a subject of study or research” from “AI as a tool used in the process of research or teaching.” That distinction sounds obvious once stated, but its absence is one of the most common sources of confusion in first-generation policies, where a single acceptable-use clause was expected to govern both a chatbot used to draft an email and a machine-learning model that is itself the object of a funded research project.

    Annual Review Cycles Replace One-Off Mandates

    A second defining feature of mature policy is the shift from a static document to a living one. The AAUP’s 2025 report on AI and academic labour was explicit that policies adopted in haste and then left untouched had become a source of friction — faculty and staff reported that guidance no longer matched the tools they were actually using, and in several cases contradicted updated vendor terms of service or new funder requirements. The report’s recommendation, echoed in Georgia Tech’s structure, is a formal annual review cycle with a named owner, a defined trigger for interim revision (such as a material change in an underlying vendor’s data-handling terms), and a public changelog.

    This is a meaningful departure from the “policy as PDF” era. An annual review cycle converts an institutional AI policy framework into infrastructure that can absorb changes in vendor practice, national regulation, and disciplinary norms without requiring an entirely new committee process each time. It also gives institutions a defensible answer when auditors, funders, or accreditation bodies ask how currency is maintained — an increasingly common question as national and supranational AI rules, including phased implementation of the EU AI Act, ratchet up compliance expectations for organisations that use AI in decision-relevant contexts such as admissions or hiring.

    Staff, Student, and Researcher Distinctions

    Perhaps the most consequential structural choice in a mature institutional AI governance policy is the separation of rules by role rather than by tool. Staff use of AI in administrative workflows — drafting correspondence, summarising meeting notes, triaging routine enquiries — is generally governed by data-handling and confidentiality standards tied to institutional IT policy. Student use is governed primarily through academic integrity frameworks, disclosure requirements, and course-level instructor discretion. Researcher use sits in a third, more complex category, because it intersects with authorship norms, data provenance, funder mandates, and publication ethics simultaneously.

    The CIGI framework paper argues that conflating these three populations under one policy voice is a structural error, because the accountable body, the acceptable evidentiary standard, and the consequences of non-compliance differ by role. A staff member who uses an unapproved AI tool on sensitive administrative data creates a data-governance problem; a student who uses AI undisclosed on an assessment creates an academic-integrity problem; a researcher who uses AI in data analysis or manuscript preparation without disclosure creates a research-integrity and publication-ethics problem that may implicate journal policies, institutional review processes, and funder compliance obligations at once.

    This is precisely why AI governance framework academic bodies now typically nest researcher-facing AI rules inside existing research-integrity infrastructure — offices that already handle authorship disputes, data management plans, and misconduct allegations — rather than creating a wholly new AI-specific enforcement body. It reuses trusted process rather than duplicating it.

    Research-Specific Exemptions and the CIGI Framework

    The fourth component, and arguably the hardest to get right, is the carve-out for legitimate research activity. Blanket restrictions on AI use are unworkable in disciplines where AI systems are themselves the subject of study — computer science, computational linguistics, bioinformatics — or where machine-learning tools are standard, disclosed components of a methodology, as is increasingly the case in fields ranging from materials science to systematic-review methodology in evidence synthesis.

    Mature policies handle this through explicit, narrowly defined exemptions rather than case-by-case waivers. The CIGI paper frames this as a proportionality test: restrictions should scale to the actual risk the use case presents, not to the presence of the word “AI” in a project description. In practice this means a researcher using an approved AI-assisted coding tool to accelerate data-cleaning scripts operates under different disclosure requirements than one using a generative model to draft substantive interpretive text for a manuscript — the latter engages authorship and disclosure norms that funders and journals, in the CRediT contributor-role tradition administered under NISO’s ANSI/NISO Z39.104-2022 standard, have already begun to address through explicit AI-disclosure statements distinct from human contributor roles.

    This is also where governance intersects most directly with open science mandates. Institutions preparing for REF 2029 in the UK, or complying with UKRI’s updated open access policy and NIH’s enforced data-sharing requirements, need AI exemption clauses that are legible to external auditors — vague or overly broad exemptions create exactly the kind of ambiguity that funders and publishers are now actively screening for.

    What This Means for Research Administrators

    For research administrators, the practical implications of this benchmarking exercise are concrete rather than abstract.

    • Audit your policy’s scope taxonomy. If a single clause is expected to govern chatbots, coding assistants, and administrative automation equally, it is a first-generation document and due for restructuring along activity-type lines.
    • Assign an owner and a review date. A policy without a named annual-review owner and a public revision date will drift out of alignment with vendor terms and funder mandates within a single academic year.
    • Route researcher-facing AI questions through existing research-integrity channels. Duplicating enforcement infrastructure is expensive and creates jurisdictional confusion; nesting AI oversight inside established authorship and misconduct processes is more durable.
    • Write exemptions that are legible to external reviewers. As funders and journals tighten AI-disclosure expectations, vague research exemptions become audit risk rather than administrative flexibility.
    • Benchmark against peer institutions publicly, not just internally. Bodies such as ARMA, NCURA, EARMA, and INORMS are increasingly convening peer discussion on this exact question, and shared benchmarking reduces the cost of getting scope and review-cycle design right the first time.

    These steps do not require large budgets. They require treating AI governance as an ongoing administrative process — with an owner, a calendar, and a defined interface with existing research-integrity structures — rather than a one-time policy document.

    Conclusion

    The direction of travel across AI policy higher education is now reasonably clear. Georgia Tech’s June 2026 update, the AAUP’s labour-focused critique, and CIGI’s proportionality-based framework are converging on a shared architecture: precise scope, scheduled review, role-based distinctions, and calibrated research exemptions. Institutions that have not yet moved past interim, tool-specific guidance face a widening gap — not just in policy sophistication, but in their ability to answer the questions that funders, publishers, and accreditation bodies are starting to ask routinely. As REF 2029 preparation intensifies and open science mandates continue to strengthen globally, institutional AI governance policy is fast becoming table-stakes infrastructure rather than a discretionary add-on, and the institutions treating it that way now will have considerably less remedial work to do later.

  • What the EU AI Act Means for Your Research Institution: A Practical Guide for Administrators

    From 2 August 2026, the bulk of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) becomes fully applicable, closing the phased transition that began when the regulation entered into force in August 2024. For research administrators, this date matters more than most institutional calendars acknowledge. EU AI Act universities guidance has moved from policy briefing to operational requirement: several everyday campus tools are now reclassified as “high-risk” — admissions algorithms, proctoring software, recruitment screening systems — triggering documentation, oversight and conformity obligations that most procurement offices have not yet built into their workflows.

    The timing is awkward. Institutions are simultaneously absorbing REF 2029 preparation, tightening open access mandates from UKRI and NIH, and managing a wave of AI-related research integrity concerns — all while a genuinely new compliance regime lands on the desks of research offices, HR departments and IT governance committees. Unlike GDPR, which most universities have spent a decade operationalising, the AI Act’s risk-tiered structure is unfamiliar territory, and its research exemption is narrower than many assume. The AI Act 2026 universities transition has been years in the making, but the operational detail — who signs off an impact assessment, who reviews a vendor’s conformity file — has only recently reached most institutional risk registers.

    This guide sets out what changed on 2 August, which systems are affected, where the Article 2(6) research carve-out genuinely applies, and what UK institutions — inside or outside direct EU jurisdiction — need to do next.

    Prohibited Practices: What Article 5 Rules Out on Campus

    The Act’s prohibitions took effect earlier, from February 2025, but they remain the baseline every institution must revisit as enforcement matures. Article 5 bans a small number of “unacceptable risk” practices outright, with no exemption for research or education. Two are directly relevant to campus operations.

    First, emotion-recognition systems are prohibited in educational institutions except for narrowly defined medical or safety purposes. This rules out software marketed to detect student “engagement,” attentiveness or distress via facial or vocal analysis in classrooms and remote proctoring — a category that had been gaining traction in some exam-integrity and lecture-analytics products.

    Second, social scoring — evaluating or classifying individuals based on behaviour or characteristics in ways that lead to unjustified detrimental treatment — is banned, along with manipulative AI techniques that exploit vulnerabilities such as age or disability. Admissions and pastoral-care systems that build composite “risk scores” for students without transparent, justifiable criteria sit uncomfortably close to this line and warrant legal review, not just IT sign-off.

    High-Risk Systems: What EU AI Act Universities Must Assess in Recruitment and Student Tools

    The provisions taking effect on 2 August 2026 are where most research-administration workload will land. Annex III of the Act classifies AI systems used to determine access to educational institutions, to evaluate learning outcomes, to assess appropriate levels of education, or to monitor and detect prohibited student behaviour during tests, as high-risk. Separately, AI systems used to recruit or select natural persons — including targeted job advertising, applicant screening and candidate evaluation — are also high-risk under Annex III. Both categories map directly onto tools research offices and HR departments already use: automated essay scoring, admissions-ranking algorithms, AI-assisted shortlisting for postdoctoral and technician posts, and exam-proctoring software with anomaly detection.

    Deployers of high-risk systems (which, for most universities, means the institution using a vendor’s product, not building one from scratch) must, among other obligations:

    • Conduct a fundamental rights impact assessment before deployment
    • Ensure human oversight with the authority to override automated outputs
    • Maintain records enabling traceability of system decisions
    • Confirm the provider has completed conformity assessment and registered the system in the EU database
    • Inform affected individuals — applicants, students, candidates — that a high-risk AI system is in use

    Institutions cannot outsource this responsibility to the software vendor. Procurement teams need updated due-diligence checklists that ask vendors directly whether a product falls under Annex III, and legal or governance teams should require conformity documentation as a contractual condition before renewal, not after an incident.

    The Article 2(6) Research Exemption — and Its Limits

    Article 2(6) exempts AI systems and models “specifically developed and put into service for the sole purpose of scientific research and development” from the Act’s requirements. This is the provision most frequently misread by research offices as a blanket exclusion for university activity. It is not.

    The exemption applies to the research and development activity itself — building, training and testing a novel model as a research output. It does not extend to that same system once it is deployed operationally, for example if a machine-learning tool developed in a computer science department is subsequently adopted by the registry to screen applications or by HR to shortlist candidates. At that point, the system’s purpose has shifted from research to a real-world high-risk use, and the exemption falls away.

    This distinction matters for institutions increasingly practising translational and applied research: an AI model that starts life as a PhD project can cross into regulated territory the moment it is put into institutional service. Research administrators should build a review checkpoint into technology-transfer and innovation-office workflows specifically to catch this handover, rather than assuming legal status is fixed at the point of creation.

    UK Divergence: A Different Regulatory Path

    UK AI regulation 2026 looks markedly different from the EU model. Rather than a single cross-sectoral statute, the UK has continued with a “pro-innovation,” principles-based approach, relying on existing sectoral regulators — the Information Commissioner’s Office, the Office for Students, and others — to apply AI-specific guidance within their existing remits, supported by the UK AI Security Institute’s technical evaluation work. No UK equivalent of the EU AI Act’s binding, tiered obligations has been enacted.

    This creates a genuine compliance gap for UK institutions with any EU-facing dimension. The Act’s extraterritorial scope catches organisations outside the EU whose AI system outputs are used within the EU — relevant to UK universities running joint degrees, Erasmus-adjacent exchange programmes, EU-based satellite campuses, or admissions processes serving EU applicants. For these institutions, the EU AI Act universities in the EU-27 must observe is not a foreign regulation to monitor from a distance; it is a direct compliance obligation running in parallel with domestic UK requirements.

    What This Means for Research Administrators

    The AI Act compliance research organisations now need is fundamentally a governance exercise, not solely a legal one. Research administration bodies such as ARMA, EARMA, NCURA and INORMS have all flagged AI governance as an emerging competency area for the profession, and institutional response should reflect that breadth. Practical steps for the months following 2 August 2026 include:

    • Inventory every AI-enabled tool used in admissions, assessment, proctoring, recruitment and grant triage, and classify each against Annex III
    • Establish a standing checkpoint where research-originated AI tools are reviewed before operational deployment, closing the Article 2(6) gap
    • Update procurement templates to require vendor conformity documentation as a condition of contract
    • Brief pro-vice-chancellors for research, registrars and HR directors jointly — this is not solely an IT or legal matter
    • For institutions with EU touchpoints, treat the AI regulatory framework universities in the EU must follow as binding, not advisory

    This work sits alongside, rather than replaces, existing research integrity obligations. The AI regulation academic research now operates under intersects directly with long-standing standards around transparent authorship, data provenance and reproducibility — areas where established identifier systems, such as ORCID and DataCite DOIs, already give institutions a documentation backbone to build AI governance on top of, rather than starting from zero.

    Looking Ahead

    The 2 August 2026 milestone is not the end state of AI regulation for universities; it is the point at which theoretical compliance planning becomes operational reality. Enforcement mechanisms, national supervisory authorities and guidance from the European AI Office will continue to mature over the following year, and institutions should expect further clarification — particularly on where the research exemption’s boundary sits in practice. Research administrators who treat this as an ongoing governance discipline, embedded in procurement, HR and research-office workflows, will be far better positioned than those who treat 2 August as a single compliance deadline to clear and forget.

  • REF 2029 Open Access: A Timeline and Compliance Checklist for UK University Research Offices

    UK research offices now have roughly three years to close the gap between current repository practice and whatever the four UK higher education funding bodies finalise as the REF 2029 open access policy. Research England, on behalf of the funding bodies, has signalled that the next Research Excellence Framework will extend open access requirements beyond journal articles and conference proceedings to cover long-form outputs such as monographs, edited collections and book chapters — bringing REF’s rules closer into line with the UKRI open access policy that has applied to funded outputs since 2022 and to monographs since January 2024.

    For research administrators, this is not a distant compliance exercise. Embargo tracking, repository deposit workflows, ORCID integration and contributor metadata all need to function correctly years before the submission window opens, because the assessment period will include outputs published and deposited well in advance of the census date. Institutions that treat open access compliance as a late-stage scramble — as many did before REF 2021 — risk losing eligible outputs from their submission.

    This article sets out a working timeline, a compliance checklist, and an analysis of where contributor-role metadata fits into the evidentiary picture that REF panels and internal audit teams will eventually scrutinise.

    What the REF 2029 Open Access Policy Is Expected to Require

    The REF’s open access policy has, since REF 2021, required that journal articles and conference proceedings with an ISSN be deposited in an institutional or subject repository within three months of acceptance (or, for some routes, within three months of publication), with the accepted manuscript made discoverable and, in most cases, accessible within a defined embargo period. The direction of travel for REF 2029 — flagged in funding-body consultations and confirmed in principle through Research England guidance — is twofold: extending deposit-and-access requirements to long-form outputs, and tightening alignment with the UKRI open access policy rather than running two parallel systems.

    Research offices should plan around two routes to compliance, both of which remain valid but carry different operational burdens:

    • Gold open access — the version of record is made openly available immediately on the publisher’s platform, typically funded by an article processing charge (APC) or a transformative/read-and-publish agreement. This satisfies REF and UKRI requirements at the point of publication with no embargo to track.
    • Green open access — the author’s accepted manuscript is deposited in a repository, with public access permitted either immediately or after a publisher-set embargo. This is the lower-cost route but places the compliance burden squarely on institutional repository teams, who must monitor embargo expiry and correct metadata at scale.

    Because gold routes depend on library subscription-and-publish budgets that are already under strain, most UK institutions will continue to rely heavily on green deposit for the majority of REF 2029 outputs. That makes repository workflow discipline — correct deposit dates, embargo periods, and linking between manuscript and published version — the single highest-leverage compliance activity available to a research office before the submission deadline.

    Aligning Institutional Policy with the UKRI Open Access Policy

    Every research administration policy 2026 review cycle should include an explicit reconciliation exercise between the institution’s own OA policy, the REF’s emerging requirements, and the UKRI open access policy that already governs UKRI-funded outputs. The three are not identical. UKRI’s policy applies to research articles from April 2022, and to monographs, book chapters and edited collections from January 2024, with its own embargo and licensing terms, including a strong preference for CC BY licensing on gold outputs. REF’s policy applies more broadly to eligible staff and output types regardless of funder, which means an output can be UKRI-compliant but not yet REF-compliant if deposit metadata is incomplete.

    Research offices that maintain a single reconciled policy document — rather than separate funder-facing and REF-facing guidance — reduce the risk of academic staff receiving contradictory instructions from research support, library and faculty administrators. cOAlition S and Plan S remain relevant context here: although Plan S is a funder coalition rather than a REF requirement, its emphasis on immediate open access and transparent licensing has shaped UKRI’s direction, and REF’s own trajectory is unlikely to diverge sharply from it.

    ORCID Integration and Contributor-Role Metadata as Compliance Evidence

    ORCID identifiers are now close to universal in UK research administration, mandated or strongly encouraged by UKRI, most publishers, and a growing number of institutional HR and grants systems. For REF 2029, ORCID integration does more than disambiguate authors — it creates a persistent, verifiable link between a researcher, their outputs, and their eligible-staff status, which simplifies the audit trail that Research England and institutional REF teams will need to produce if outputs are challenged.

    Contributor-role metadata adds a further layer of evidentiary value that is easy for research offices to overlook. CASRAI originated the CRediT contributor role taxonomy in 2014. The standard is now stewarded by NISO as ANSI/NISO Z39.104-2022. Where repositories and publisher metadata capture CRediT roles alongside ORCID identifiers, institutions gain a structured, machine-readable record of who contributed what to a given output — useful for authorship disputes and for demonstrating that the “significant intellectual contribution” threshold for REF eligibility has genuinely been met. As repository platforms increasingly support CRediT fields natively, research offices should capture this metadata at deposit time as routinely as they record embargo dates, not as a separate, optional enhancement.

    This matters particularly in fields with large, multi-author teams — clinical and biomedical research prominent among them. Clinical research administration teams managing outputs from multi-site trials or NHS-affiliated studies often face the most complex authorship questions in any REF submission, given author lists that can run into dozens of names across institutions. Structured contributor-role data, tied to ORCID and captured at deposit, gives clinical research offices a defensible, auditable basis for attributing REF-eligible contribution rather than relying on retrospective reconstruction from correspondence or grant records.

    Research Data Management Policy and the Wider Open Science Picture

    REF 2029 compliance planning should not be siloed from the institution’s broader research data management policy. UKRI, alongside funders including Horizon Europe and organisations such as DataCite, has continued to push data-sharing requirements that intersect directly with open access compliance: a paper’s data availability statement, its repository DOI, and its open access status are increasingly treated as a single package by funders, publishers and — likely — REF panels assessing research environment statements. Institutions whose research data management policy already requires deposit in a recognised repository with a DataCite DOI will find it easier to demonstrate the joined-up research environment that REF’s non-output elements reward.

    What This Means for Research Administrators

    A practical REF 2029 readiness checklist for research offices should include the following:

    • Audit current repository deposit rates against REF 2021’s three-month acceptance-to-deposit rule, and identify systemic gaps by department or faculty.
    • Confirm that institutional OA policy explicitly reconciles REF requirements with the UKRI open access policy, including differing embargo and licensing terms.
    • Extend repository ingestion workflows now to cover monographs, book chapters and edited collections, ahead of confirmed REF 2029 rules on long-form outputs.
    • Mandate ORCID capture at the point of output submission for all research-active staff, and reconcile ORCID records against HR eligible-staff lists annually.
    • Enable and populate CRediT contributor-role fields in the repository platform, prioritising multi-author disciplines such as clinical and biomedical research where contribution disputes are most likely.
    • Align research data management policy with open access policy so that data availability statements, repository DOIs and manuscript deposits are captured as one workflow rather than three.
    • Build embargo-expiry monitoring into repository administration so that green OA outputs become publicly accessible automatically once terms lapse, rather than remaining dark indefinitely.

    None of this requires new technology so much as disciplined process ownership: a named team responsible for repository metadata quality, reporting into the same research administration policy 2026 review that governs REF preparation more broadly.

    Conclusion

    The precise wording of the REF 2029 open access policy has not yet been finalised, but its broad shape — closer alignment with UKRI, extension to long-form outputs, and continued reliance on repository infrastructure — is clear enough for research offices to act now. Institutions that use the next two to three years to strengthen ORCID integration, adopt contributor-role metadata such as CRediT, and unify their open access and research data management policies will enter the submission window with an evidence base that is audit-ready and genuinely reflective of how their research was produced. Those that wait for the final policy text will be retrofitting compliance onto years of incomplete metadata — a considerably harder task.

  • UKRI’s New Research Data Policy: A Plain-English Briefing for Institutional Administrators

    UKRI is expected to publish an updated research data policy in summer 2026, and institutional research offices should not wait for the final text to start preparing. Signals from UKRI’s existing Common Principles on Data Policy, its 2022 open access policy, and the broader direction of travel across funders point clearly toward a single organising idea: “maximising data value.” For research administrators, that phrase is not a slogan — it is a compliance requirement in waiting, and it will touch data management plans, persistent identifiers, and the systems that track them long before any enforcement clock starts ticking.

    The pattern is familiar. When the UKRI open access policy took effect for journal articles in 2022 and for monographs in 2024, institutions that had already invested in repository infrastructure, author identifier hygiene, and rights-retention workflows absorbed the change with minimal disruption. Those that had not scrambled. A forthcoming UKRI research data policy is likely to follow the same script, extending the funder’s open research agenda from published articles to the underlying datasets, code, and materials that support them.

    This briefing sets out, in plain English, what “maximising data value” is likely to mean operationally, and what a research data management policy readiness checklist should contain before the formal text arrives.

    What “Maximising Data Value” Means for a UKRI Research Data Policy

    UKRI’s framing of data value draws directly on the FAIR principles — Findable, Accessible, Interoperable, and Reusable — first articulated in the scientific data community and now embedded in funder expectations across the UK, the EU’s Horizon Europe programme, and beyond. In practice, “maximising value” is unlikely to mean simply “publish more data.” It means data that can be discovered through standard metadata, accessed under clear licensing terms, described in formats other researchers’ tools can parse, and reused with enough provenance information to trust it.

    For administrators, the operational translation is threefold:

    • Findable — datasets need persistent identifiers and rich, machine-readable metadata, typically registered through services such as DataCite, so they surface in discovery tools rather than sitting on an unindexed institutional server.
    • Accessible — access conditions (open, embargoed, or restricted for sensitive data) must be stated explicitly and consistently, not left to individual researcher discretion.
    • Interoperable and Reusable — data needs documented standards, controlled vocabularies where they exist, and licensing that permits reuse, mirroring the rights-retention logic already familiar from open access compliance.

    None of this is achievable researcher-by-researcher at the point of grant closeout. It requires infrastructure that exists before the data is generated — which is precisely why an anticipatory approach matters more than a reactive one.

    Data Management Plans as the Compliance Backbone

    Data management plans (DMPs) are the mechanism through which funders convert data policy principles into auditable commitments. UKRI councils already require DMPs for many grant types, but a unified data policy is likely to standardise expectations across councils that have historically varied — a source of persistent friction for multi-council and interdisciplinary awards.

    Institutions should treat the DMP not as a one-off grant-application document but as a living compliance artefact, reviewed at key milestones: award, mid-project, and closeout. This is where the overlap with research integrity policy becomes explicit. Bodies such as COPE and the UK’s own research integrity infrastructure have repeatedly linked poor data stewardship — undocumented provenance, irreproducible datasets, unclear authorship of derived outputs — to the conditions that enable disputes and, in the worst cases, retractions tracked by services such as Retraction Watch. A robust DMP process is therefore not merely an administrative box to tick; it is a frontline research integrity control.

    Administrators should also expect closer alignment between DMP compliance and the CRediT contributor role taxonomy, which clarifies who is responsible for which stage of data collection, curation, and analysis. CASRAI originated the CRediT contributor role taxonomy in 2014. The standard is now stewarded by NISO as ANSI/NISO Z39.104-2022. Institutions that already map CRediT roles into their publication workflows are well placed to extend the same logic to dataset contributorship statements.

    Persistent Identifiers: The Infrastructure Layer Nobody Notices Until It’s Missing

    Persistent identifiers (PIDs) are the connective tissue of any credible research data infrastructure, and they are the single most concrete thing an institution can fix before a policy lands. Three PIDs matter most:

    • ORCID identifiers for researchers, now widely mandated across funder and publisher workflows, ensuring datasets are correctly attributed even when authors move institutions or change names.
    • ROR (Research Organization Registry) identifiers for institutional affiliation, increasingly required alongside ORCID to disambiguate which organisation is accountable for which output.
    • DataCite DOIs for the datasets themselves, giving each dataset a citable, resolvable, permanent address independent of where it happens to be hosted.

    CrossRef DOIs for articles and DataCite DOIs for datasets should be linked bidirectionally wherever possible, so that a published paper and its underlying data form a verifiable pair. Institutions that have not yet audited their systems for consistent ORCID and ROR capture — particularly in their electronic research administration platforms, current research information systems, and repository intake forms — should treat this as the highest-priority, lowest-cost preparation step available. It requires no new policy to justify; it improves compliance readiness for every funder mandate, not just UKRI’s.

    What This Means for Research Administrators

    The institutions best positioned for a summer 2026 policy announcement will not be the ones that read it fastest — they will be the ones whose sponsored research administration infrastructure already produces compliant metadata as a by-product of normal grant management, rather than as a bolt-on exercise triggered by audit anxiety. Practical steps worth starting now include:

    • Auditing current DMP templates against FAIR principles and standardising them across faculties or research councils where practice has diverged.
    • Confirming that ORCID and ROR capture is mandatory, not optional, at the point of grant setup within the institution’s research administration system.
    • Establishing or reviewing institutional agreements with DataCite (directly or via a national or subject repository) for dataset DOI minting.
    • Mapping data stewardship responsibilities using a CRediT-style contributor framework, so accountability for data quality is documented rather than assumed.
    • Briefing research integrity offices now, so that data policy compliance is understood as an extension of existing research integrity policy rather than a parallel, competing process.

    Professional bodies including ARMA, NCURA, EARMA, and INORMS have all flagged funder data mandates as a growing training and resourcing need for research administrators; institutions that engage with these networks now will have a head start on interpreting whatever UKRI ultimately publishes.

    Looking Ahead

    A formal UKRI research data policy, when it arrives, will almost certainly be framed around the language of value, openness, and reuse rather than restriction. But the operational substance — FAIR-compliant metadata, disciplined data management plans, and consistent use of persistent identifiers — is already knowable, and already actionable. Institutions that treat the coming months as a compliance sprint rather than a waiting period will be the ones for whom “maximising data value” is simply a description of how they already work, not a new burden imposed from outside.

  • NIH’s March 2026 Grants Policy Statement: What Every Institution’s Research Office Needs to Do Now

    The National Institutes of Health has issued a March 2026 revision to the NIH Grants Policy Statement (NOT-OD-26-057), and research offices outside the United States are not exempt from its reach. Any UK or international institution holding a subaward, consortium agreement, or direct NIH grant now has a compliance clock running: the most consequential change — a new prior-approval requirement for subawards — takes effect from 1 June 2026.

    For research administrators, this is not a routine annual refresh. The revised NIH grants policy statement 2026 tightens subrecipient monitoring, reinforces the NIH Data Management and Sharing (DMS) Policy, and, less visibly but just as significantly, hardens expectations around how contributor roles are documented on funded outputs. Institutions that treat this as a US-only administrative update will find themselves scrambling when their next competing renewal or Just-in-Time submission is flagged for missing subaward documentation.

    This explainer sets out what changed, why it matters for research grant administration beyond NIH’s own borders, and the concrete steps a research office should be taking this quarter.

    What NOT-OD-26-057 Actually Changes

    The headline change in the March 2026 NIH Grants Policy Statement revision is the introduction of a prior-approval step before a recipient institution may issue certain subawards under active NIH grants. Historically, subaward issuance sat largely within a recipient’s own delegated authority once the parent award was in hand, subject to standard federal subrecipient monitoring obligations under 2 CFR 200 (the Uniform Guidance). From 1 June 2026, awardee institutions must obtain NIH sign-off before finalising subawards that meet the thresholds specified in the revised policy — a shift that mirrors the agency’s broader push, visible across recent Notices, to get earlier visibility into where federal research funds ultimately flow.

    For UK universities and research institutes that sit downstream as subrecipients on US-led NIH awards, this changes the practical timeline of collaboration. A subaward that might previously have been executed within weeks of a parent award’s Notice of Award could now be delayed pending NIH’s prior-approval review. Research offices coordinating multi-country consortia — a common pattern in genomics, infectious disease, and clinical trials networks — need to build this lag into project start dates and budget-period planning, and should flag it explicitly to principal investigators who are used to faster subaward turnaround.

    Data Management and Sharing: Convergence, Not a New Burden

    The revised Grants Policy Statement does not introduce a new data-sharing regime; instead, it folds the existing NIH Data Management and Sharing Policy more tightly into the core policy document, making DMS plan compliance an explicit, cross-referenced condition of award rather than a companion policy institutions could treat as separate. In practice, this means DMS plans are now read alongside the Grants Policy Statement’s subaward and reporting provisions as a single compliance package, which raises the stakes for institutions whose data plans have been thin or templated.

    The same logic applies to the NIH open access policy lineage — the NIH Public Access Policy that governs deposit of peer-reviewed manuscripts arising from NIH funding. The 2026 revision continues to align expectations around timely deposit, persistent identifiers, and machine-readable metadata with the broader global shift toward open science, echoed in UKRI’s own open access policy and the cOAlition S Plan S principles. Institutions with NIH-funded outputs should treat manuscript deposit compliance and DMS plan fidelity as two halves of the same reporting obligation, not separate boxes to tick.

    Contributor Roles and the Attribution Layer

    A quieter but structurally important element of the revised policy is its reinforcement of contributor-role transparency in reporting and progress reports involving multiple investigators and subrecipient teams. Where an award spans several institutions, NIH’s expectation is that reporting clearly distinguishes who did what — an expectation that maps naturally onto the contributor role taxonomy first published as CRediT.

    CASRAI originated the CRediT contributor role taxonomy in 2014. The standard is now stewarded by NISO as ANSI/NISO Z39.104-2022, and its fourteen roles — from Conceptualization and Methodology through to Writing – Original Draft and Writing – Review & Editing — give research offices a ready-made, internationally recognised vocabulary for exactly the kind of multi-institution attribution NIH’s revised reporting language is asking for. Institutions that already require CRediT statements on manuscripts arising from grant-funded work, and that track contributor roles at the ORCID-linked researcher level, will find it far easier to produce the kind of granular reporting the 2026 policy anticipates than those relying on ad hoc author-order conventions.

    This is a useful moment for research offices to check whether their internal reporting templates for multi-site NIH awards actually capture contributor roles in a structured way, or whether that information exists only informally between collaborating PIs.

    What This Means for Research Administrators

    The combined effect of the subaward prior-approval rule, the tighter DMS/open-access linkage, and the contributor-attribution expectations is a policy environment that rewards institutions with mature research administration policy 2026 infrastructure and penalises those still managing NIH compliance manually. Concretely, research offices should:

    • Map every active and pipeline NIH subaward against the new prior-approval thresholds, and rebuild subaward issuance timelines to account for the review step from 1 June 2026.
    • Audit existing DMS plans against the revised Grants Policy Statement language, not just the standalone DMS Policy text, to close any gaps in how the two are cross-referenced.
    • Confirm that manuscript deposit workflows tied to the NIH Public Access Policy are functioning ahead of any competing renewal or annual progress report.
    • Introduce or reinforce CRediT-based contributor statements in multi-institution reporting, using ORCID identifiers to anchor role attribution at the individual level.
    • Brief PIs directly — subaward delays and reporting changes affect project planning, not just the compliance office, and PIs are often the last to hear about policy notices like NOT-OD-26-057.

    Bodies such as NCURA, EARMA, and ARMA have all flagged the growing complexity of cross-border federal compliance as a priority area, and institutions should look to these networks — alongside INORMS — for shared templates and peer benchmarking rather than building compliance responses in isolation. Investment in structured research administration training on the revised Grants Policy Statement, delivered before the June deadline, will do more to prevent downstream delays than any last-minute scramble once subawards start stalling in review.

    Looking Ahead

    NIH’s March 2026 revision is best read as part of a broader convergence: funder policies, open science mandates, and structured attribution standards are increasingly expected to interlock rather than operate as parallel compliance streams. Research offices that align their subaward management, data-sharing infrastructure, and contributor-role reporting now — rather than treating each as a separate policy silo — will be far better placed not only for this revision, but for the funder policy changes that are likely to follow it as NIH, UKRI, and other major funders continue to tighten the links between funding, data stewardship, and verifiable attribution of research contributions.