Tag: compliance

  • NSPM-33 implementation: 18 months in

    National Security Presidential Memorandum 33, issued in 2021 and operationalised through implementation guidance during 2022-2024, requires US federal research-funding recipients to disclose certain affiliations, support, and resources from foreign sources, with the aim of identifying conflicts of commitment and undue foreign influence. The major federal agency rollouts (NIH, NSF, DOE, DOD, NASA, USDA) became binding through 2024 and 2025. We are now 18 months into substantive implementation. This post is a status report.

    What NSPM-33 requires

    The disclosure requirements run across three axes. Current and pending support: applicants must disclose all sources of support for ongoing and planned research activities, including foreign sources, with structured detail. Biographical sketch: applicants must list all affiliations, including foreign ones, in a structured format. Conflicts of interest and commitment: applicants must disclose financial conflicts of interest, foreign relationships, and any obligations to entities that could constitute conflicts of commitment.

    The structure is mostly common-form across agencies — the Common Forms work coordinated by NSTC’s Joint Committee on the Research Environment produced templated disclosure formats — though agency-specific variations persist. The CASRAI NSPM-33 entry tracks the common-form versions.

    What worked

    Three things have worked better than was expected at rollout.

    First, institutional infrastructure. Most major research universities built the disclosure-collection and -review infrastructure during 2022-2024 in anticipation of binding requirements. By the binding date, most had functional systems: faculty-facing tools for disclosure entry, research-administration review workflows, integration with proposal-submission pipelines. The smaller and less-resourced institutions struggled more, but the AAU- and APLU-coordinated capacity-building efforts substantially closed the gap.

    Second, the common-form approach. The Common Forms work was widely criticised during development for being slow and for being produced by committee. The result has held up well: a researcher applying to multiple agencies can use the same biographical sketch and current-and-pending-support disclosures with only minor agency-specific extensions. The pre-Common-Forms world had every agency requiring its own format; the post-Common-Forms world has substantial harmonisation.

    Third, the compliance posture. The major agencies have, on the whole, used the disclosure requirements as compliance tools rather than enforcement weapons. The early concerns about a wave of investigations leveraging disclosure inconsistencies as the predicate for action have largely not materialised. Where investigations have proceeded, they have done so in cases with substantive concerns beyond disclosure failures alone.

    What is broken

    Three implementation problems persist.

    First, retroactive disclosure. The requirements ask for disclosure of historical affiliations and support, often going back several years. Researchers have variable recollection and variable access to records of those years. Honest mistakes — forgotten honorary positions, misremembered dates, inaccurate amounts on past awards — produce disclosure inconsistencies that institutions then have to investigate and resolve. The investigation overhead is substantial; the underlying integrity concerns are usually minor.

    Second, international-collaboration chilling. The disclosure requirements have, in our community’s observation, produced a chilling effect on international collaboration, particularly with collaborators in countries that the US identifies as competitor jurisdictions. Researchers report declining collaboration invitations they would previously have accepted, in part to avoid the disclosure overhead, in part out of caution about how the disclosed activity might later be interpreted. The chilling effect is hard to measure but is widely reported.

    Third, the institutional-versus-individual line. The disclosure requirements ask the individual researcher to disclose their affiliations, but many “foreign affiliations” are institutional arrangements (university-to-university partnerships, MOUs, joint programmes) that the individual researcher discovers only when asked to disclose them. The institutional research administration knows the partnerships; the individual researcher often does not. Surfacing institutional partnerships in individual-disclosure workflows is an unsolved UX problem.

    The ORCID interlock

    One concrete improvement that NSPM-33 implementation has driven is tighter integration with ORCID as the canonical record of researcher affiliations. ORCID 4.0’s affiliation history with ROR IDs and date ranges is the natural source for the biographical-sketch component of NSPM-33 disclosures; agencies are increasingly accepting ORCID-derived biographical sketches and several are piloting direct ingestion from ORCID at submission. The CASRAI ORCID implementation guide has been updated with the NSPM-33 patterns.

    The longer-term value of this integration is that it incentivises researchers to maintain a current and complete ORCID record, which has benefits well beyond compliance. The institutions that have invested in ORCID adoption are well-positioned for NSPM-33 compliance; the institutions that have not are pushing researchers to maintain disclosure information in institutional systems that diverge from ORCID, creating a synchronisation problem.

    The CRediT angle

    NSPM-33 does not require CRediT roles in disclosures, but the disclosure framework’s interest in “all sources of support” includes contributions to research activities. A researcher who contributed to a foreign-funded project — even without being a PI — has a disclosure obligation. The CRediT role framework provides a vocabulary for characterising those contributions, and several institutional implementations now use CRediT-aligned controlled vocabularies in their disclosure forms.

    What’s still pending

    Three institutional adjustments are still in motion 18 months in.

    First, training and culture. The disclosure requirements need to become routine, the way IRB compliance has become routine. Most institutions still treat disclosure as a special workflow with episodic attention; the maturity target is that disclosure is built into hiring, promotion, sabbatical, and proposal workflows as a routine compliance item.

    Second, institutional-individual reconciliation. The institutional partnerships and the individual disclosures need to be reconciled systematically. Several institutions have built dashboards that show, for each researcher, the institutional partnerships their disclosed affiliations imply, with prompts for confirmation. This is the right direction; it is not yet widely deployed.

    Third, cross-institutional data sharing. When a researcher moves between US institutions, their disclosure history needs to travel with them. The current state is that it does not, reliably; the new institution rebuilds the disclosure profile from scratch. This is wasteful and produces unnecessary inconsistencies. ORCID-anchored disclosure portability is the right architectural answer; institutional adoption is the missing piece.

    What CASRAI recommends

    For research-administration offices, the priority for 2026 is to consolidate the operational maturity of disclosure workflows: routine integration with proposal submission, ORCID-anchored biographical sketches, institutional-partnership reconciliation, training programmes that treat disclosure as a standard compliance item. The CASRAI institutional research-security guide walks through the maturity model.

    For researchers, the operating posture is to keep ORCID current, to maintain a personal log of affiliations and support that supports disclosure, and to treat disclosure as part of professional practice rather than as exceptional compliance.

    For agencies, the priority is to continue the common-form harmonisation work and to consider further ORCID integration. The 2026 update to the Common Forms is in development and the indications are positive.


  • Making sense of the EU AI Act for research administration

    The EU Artificial Intelligence Act entered into force in August 2024 with a staged implementation timeline that runs through 2027. By February 2025 the prohibited-AI-practices provisions and the AI-literacy obligation became binding; through 2025 the general-purpose-AI provisions came into effect; in 2026 the high-risk-AI obligations begin to apply; in 2027 the act is fully in force. Research-administration offices across Europe (and at non-EU institutions handling EU data subjects or EU collaborators) have been working through the implications. This post is a practical orientation, not legal advice, on what the act requires of research administration in 2026.

    What the act actually covers

    The EU AI Act is risk-tiered. Prohibited practices (social scoring, real-time biometric identification in public spaces with narrow exceptions, exploitative manipulation) are out, full stop. High-risk AI systems — defined in Annex III to include AI used in education, employment, law enforcement, critical infrastructure, and several other domains — face substantial obligations around risk management, data governance, technical documentation, transparency, human oversight, accuracy, and post-market monitoring. Limited-risk AI (chatbots, emotion-recognition systems, AI-generated content) faces transparency obligations. Minimal-risk AI faces none specific to the act.

    The research-specific carve-outs are important but narrower than is sometimes claimed. The act excludes AI systems and models developed solely for the purpose of scientific research and development; it does not exclude AI systems used in the conduct of research that is not itself AI research. A clinical-trial protocol that uses an AI system for patient stratification is not exempt because it is research; the AI system is being deployed in a context (healthcare) covered by the act. The exemption is for AI as an object of study, not AI as a tool of study.

    Where research-administration touches the act

    Five touchpoints in practice.

    1. AI literacy obligation

    Article 4 requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy of their staff and others using AI systems on their behalf. This applies to research-administration staff using AI tools (proposal-screening assistants, plagiarism detection with AI components, AI-assisted compliance review). The required “sufficient level” is not specified in detail; the European AI Office and national competent authorities are expected to publish guidance. The CASRAI EU AI Act entry tracks the guidance as it emerges.

    Practically, institutions should be running AI-literacy training for research-administration staff in 2026. This need not be elaborate; an annual two-hour training covering what AI systems the institution uses, what their limitations are, what the disclosure obligations are, and where to escalate concerns is a defensible baseline.

    2. High-risk AI in education and employment

    Annex III includes AI systems used in education (admissions decisions, student assessment, allocation to programmes) and in employment (recruitment, performance evaluation, task allocation). University admissions offices using AI to triage applications fall within the high-risk tier; research-administration offices using AI to score research proposals likely do not, but the boundary is being tested. Employment decisions about research staff, such as using AI to rank job applicants or to score performance for promotion, clearly fall within the high-risk tier.

    For research administration, the practical question is whether any AI system in current or planned use crosses the threshold. The compliance checklist runs: identify all AI systems in use; categorise each against the act; for high-risk systems, conduct a fundamental-rights impact assessment; ensure human oversight is meaningful, not nominal; document the risk-management system; register in the EU database.

    3. GenAI transparency obligations

    Article 50 requires that AI-generated content be marked as such, with limited exceptions. For research administration, this affects AI-generated text in proposal review, AI-generated summaries of compliance documents, AI-generated translations of regulatory text. Where AI is used to generate content that will be read by a human as if it were human-produced, the act requires a marker.

    This dovetails with the publisher-led GenAI disclosure conventions for scholarly content. The CASRAI institutional GenAI disclosure guidance integrates the publisher requirements and the EU AI Act obligations into a single workflow.

    4. Data governance and GDPR alignment

    The AI Act intersects extensively with the GDPR. High-risk AI systems must use training, validation, and testing data sets that are relevant, sufficiently representative, free of errors, and complete. For systems trained on personal data, the GDPR’s purpose-limitation and minimisation principles apply alongside the AI Act’s data-governance requirements. Research administration that procures or deploys AI systems should ensure the AI vendor can document training-data provenance and consent status for any personal data used.

    5. Research-exemption boundary cases

    The research exemption is being tested at the boundary. A university research group developing an AI system as their research output is exempt; the same group using the system in a clinical context with EU patients is not. A university operating a public-facing AI service developed in-house is a provider under the act and subject to the full provider obligations even if the development was research. The European AI Office has indicated it will publish boundary guidance through 2026; until it does, the conservative reading is that any AI use outside the development phase brings the act into play.

    The compliance checklist

    The practical 2026 checklist for a research-administration office:

    • Inventory all AI systems in use or planned use across research administration.
    • Categorise each system against the AI Act risk tiers.
    • For high-risk systems, conduct a fundamental-rights impact assessment.
    • For GenAI use, ensure transparency markers are applied to AI-generated content.
    • For employment-decision systems involving research staff, ensure human oversight is documented and meaningful.
    • Run AI-literacy training for relevant staff.
    • Verify that AI vendors can document training-data provenance and consent.
    • Align AI Act compliance with GDPR processes; do not run parallel programmes.
    • Track guidance from the European AI Office and national competent authority.
    • Document everything; the act’s audit posture is documentation-heavy.

    Non-EU implications

    The act’s extraterritorial reach matters for non-EU institutions. If an institution outside the EU operates an AI system whose output is used in the EU, the act applies. A US university running AI-assisted admissions for an EU campus, a UK research administration office using AI to triage proposals from EU collaborators, a Canadian institution running a GenAI service available to EU users — all may fall within the act’s scope. Non-EU institutions with material EU engagement should run the same compliance checklist as EU institutions.

    What’s still uncertain

    Several material questions remain open through 2026 and will be resolved by Commission guidance, national-authority interpretation, or early case law. Where does the boundary of “research and development” sit? How is “sufficient level of AI literacy” measured? What documentation suffices for the fundamental-rights impact assessment? How does the act interact with existing sectoral regulation (clinical-trials regulation, education-sector law, employment law) in member states? The CASRAI compliance and regulatory domain is tracking these questions and publishing updates as guidance emerges.

    For now, the operating posture for research administration is: take the inventory; do the risk-tiering; document the high-risk systems; run the literacy training; treat the act as a serious ongoing compliance programme, not a one-off exercise. The penalties under the act are substantial and the enforcement architecture is being built; the institutions that started in 2024-2025 are well placed, and those that have not started should begin now.
