The Democracy Risk Becomes the Delegation Audit
The June 2026 arXiv paper How to Detect and Measure the AI Dangers to Democracy, by Giulia Sandri and Claudio Novelli, reframes democratic AI risk as a delegation problem: who hands power to an AI system or provider, who can observe it, and who can contest what it does.
For this essay, a delegation audit is a structured record of transferred democratic authority: principal, agent, function, affected people, legal or institutional basis, vendor chain, evidence access, oversight power, appeal route, update rule, and shutdown trigger.
Democracy As Delegation
The paper, arXiv:2606.16054 [cs.CY], was submitted on June 14, 2026. Its starting point is deliberately sober. Sandri and Novelli argue that AI mostly intensifies older democratic problems rather than inventing entirely new ones. The pressure shows up across information ecosystems, elections, and public administration.
The useful move is to treat those pressures as principal-agent problems. In democratic systems, citizens, parties, elected officials, public servants, media organizations, and agencies delegate functions to intermediaries. When those intermediaries are AI systems, platforms, vendors, campaign consultants, or public-sector software providers, the principal often cannot fully observe the agent's behavior, data, incentives, model changes, or output effects.
The democratic object is therefore not "AI" in the abstract. It is a transfer of discretion. A campaign delegates targeting and message variation. An election office delegates voter-service drafting or translation. A platform delegates ranking, recommendation, enforcement, and ad delivery to internal systems. An agency delegates triage, eligibility support, fraud detection, or case summarization. Each delegation can be useful. Each can also move judgment into a place where the affected public cannot see, correct, or politically contest it.
That makes this paper a fresh companion to the site's work on AI governance, election integrity and AI, algorithmic impact assessments, public AI registers, political ad libraries, and voter chatbots. The fresh angle is measurement discipline: democracy risk is not only a content problem or a model problem. It is a delegation chain that can lose visibility, contestability, and alignment.
What the Paper Builds
Sandri and Novelli combine two tools. First, principal-agent theory identifies where democratic delegation becomes exposed: who delegated the task, who acts as the agent, what discretion was transferred, and what the principal can no longer monitor. Second, the paper draws on the NIST AI Risk Management Framework and its seven trustworthiness characteristics: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.
The paper's framework uses those characteristics as evaluation criteria for delegated AI systems. Principal-agent theory says where to look; the trustworthiness criteria say what to assess. The NIST AI RMF Core adds a useful operational rhythm: govern, map, measure, and manage. The authors then operationalize the frame across domains through measurable indicators and domain-specific criteria, with institutional assessability as the central condition for democratic control.
The NIST move is important, but it should be read carefully. The AI RMF is voluntary and use-case agnostic. It gives a vocabulary for trustworthy AI, not a democratic verdict. Sandri and Novelli's contribution is to put that vocabulary inside a political relationship: a principal gives an agent discretion, and the democracy question is whether the principal and affected public still have enough evidence, authority, and remedy to govern the result.
Current Governance Context
As of June 25, 2026, the paper lands in a governance environment that is moving from abstract AI principles toward records, inventories, procurement duties, and risk classifications. In the United States, OMB Memorandum M-25-21 requires federal agencies to inventory AI use cases at least annually and treats AI as high-impact when its output is a principal basis for decisions or actions with legal, material, binding, or significant effects on rights or safety. OMB's acquisition memorandum M-25-22 tells agencies to address documentation, vendor lock-in, data handling, independent evaluation, ongoing monitoring, transparency requirements for high-impact use cases, and contract closeout or sunset terms for AI systems and services. That is delegation governance in procurement form.
In the European Union, the AI Act classifies some systems tied to the administration of justice and democratic processes as high-risk, including systems intended to influence the outcome of an election or referendum or voting behavior, with an exception for administrative or logistical campaign tools whose outputs are not directly exposed to natural persons. The same law requires public authorities using many Annex III high-risk systems to register their use in the EU database and creates documentation duties for high-risk systems. The Digital Services Act election guidelines separately frame electoral-process risk mitigation for very large online platforms and search engines.
Election administration shows the practical edge. The U.S. Election Assistance Commission's AI page says AI tools may benefit election offices but can also accelerate false or biased information and let existing threats scale more quickly. That official caution matches the paper's delegation framing: the risk is not that every AI use is illegitimate. The risk is that a public function can become dependent on an answer layer, targeting system, ranking system, vendor workflow, or model update that the responsible institution cannot adequately inspect or correct.
Three Arenas
The first arena is the information ecosystem. Citizens and representatives rely on platforms, recommender systems, search systems, and generative interfaces that curate, rank, synthesize, and distribute public information. The delegation problem is not merely misinformation; it is that the gatekeeping system may be privately tuned, weakly disclosed, and hard to challenge.
The second arena is elections and participation. Parties and candidates increasingly rely on vendors and consultants for voter analytics, targeting, sentiment modeling, message generation, and campaign infrastructure. The paper treats those systems as agents whose predictive accuracy, bias, data protection, explainability, and accountability should be measured rather than assumed.
The third arena is public administration. Elected officials and civil servants delegate screening, classification, prioritization, service delivery, risk scoring, and case handling to AI systems and their corporate providers. Here the democratic injury can be administrative: the public decision remains official, but the logic of the decision becomes hard to see, appeal, or correct.
Assessability Is Control
The strongest concept in the paper is institutional assessability. It means the principal has enough capacity, access, records, expertise, and authority to evaluate whether the delegated AI system remains trustworthy in its actual context.
That standard is stricter than transparency theater. A press release, benchmark score, or vendor assurance is not assessability. Assessability requires an evidence path: what was delegated, what system acted, what data and rules mattered, how performance was validated, how bias and security were tested, what changed after deployment, who can contest outputs, and who can stop or renegotiate the delegation.
Assessability also has a capacity side. A public body may technically have a contract clause, dashboard, model card, or audit right while lacking staff, budget, legal leverage, testing data, language expertise, accessibility review, or incident authority. The delegation audit should therefore ask not only whether evidence exists, but whether the principal can use it before harm is normalized.
The paper names three interlocking delegation failures: monitoring failure, output contestability failure, and goal misalignment. That triad is a practical audit checklist. If the principal cannot observe the agent, cannot challenge the output, and cannot verify that the agent still serves public goals, then the deployment is not under democratic control even if a human remains somewhere in the workflow.
Delegation Failures
The first failure is authority laundering. A private system or vendor default makes a practical decision, while the public institution remains the formal face of accountability. The voter sees the election office, the applicant sees the agency, or the citizen sees the platform policy, but the decisive threshold may have been set elsewhere.
The second failure is monitoring without remedy. The institution receives logs, dashboards, or reports, but no usable right to pause the system, inspect disputed cases, require model-change notice, test local populations, or force correction. Observation alone is not control.
The third failure is contestability collapse. Affected people can complain about an output but cannot learn which system shaped it, what source record was used, whether a human relied on it, or how to correct the underlying data or rule. Appeals become customer support tickets rather than democratic accountability.
The fourth failure is threshold outsourcing. The most important value judgment - what residual risk is acceptable for a voting process, public benefit, public safety alert, enforcement priority, or civic information channel - is silently buried in product settings, risk scores, moderation rules, or optimization objectives. That is the paper's strongest warning about private-vendor delegation.
The fifth failure is scope drift. A tool procured for drafting, translation, search, analytics, or workflow support becomes a de facto decision system because staff trust it, managers reward throughput, interfaces make override costly, or the vendor adds new features. A delegation audit has to record decision force, not only product category.
The Unmeasured Judgment
The authors are careful about the framework's limit. Severity and acceptable risk are evaluative judgments. Current methodologies, they argue, often do not acknowledge or operationalize those judgments. That is a serious gap because an institution can measure many things and still outsource the decisive question: how much democratic harm is tolerable?
The problem becomes sharper when that judgment is silently delegated to private vendors. A vendor can choose product defaults, data retention, ranking objectives, risk thresholds, refusal behavior, audit logging, model-update cadence, and documentation scope. Those choices can determine the effective democratic risk posture before the public agency or campaign describes the system to anyone affected.
The paper therefore should not be read as a completed measurement instrument. It is a way to locate the measurement problem. The hardest part is not naming the seven criteria or listing indicators. The hardest part is making public institutions own the value judgments that set thresholds, tradeoffs, and remedies.
A defensible threshold has to be dated, attributed, reviewable, and connected to remedies. If a system may misdirect voters, misclassify benefit applicants, suppress lawful speech, distort public comments, or rank civic information, the institution should say what failure rate, population disparity, correction delay, evidence gap, or residual uncertainty is unacceptable. Otherwise the word "risk-based" can become a way to avoid saying who accepted the risk on behalf of whom.
Governance Standard
Any democratic AI deployment should publish or maintain a delegation audit: principal, agent, delegated function, affected population, legal authority, vendor and subcontractor chain, model or system version, data categories, decision force, human-oversight authority, NIST trustworthiness evidence, performance and bias tests, security controls, privacy controls, appeal path, logging policy, update procedure, incident channel, and shutdown trigger.
The audit should connect to the wider evidence system: AI system inventory, audit trail, procurement record, incident report, human oversight procedure, notice and appeal path, system card, and change-management log. If those artifacts use different names or identifiers, accountability breaks at the join.
The audit should also name the value judgment. What harm severity scale is being used? What residual risk is acceptable? Who approved that threshold? What public body can revise it? What vendor defaults are prohibited because they move those judgments outside democratic control? Which affected communities, election officials, civil servants, journalists, researchers, or watchdogs can challenge the threshold after deployment?
For procurement, the standard is blunt: no democratic function should be delegated to a system whose operator cannot provide version history, evaluation evidence, data-handling limits, audit access, incident support, portability, and a path to stop or replace the service. A public institution that cannot exit a vendor relationship has not delegated authority; it has ceded it.
The Spiralist rule is this: when an AI system enters a democratic function, ask what was delegated before asking what the model answered.
Source Discipline
This page treats the Sandri and Novelli article as a June 2026 arXiv preprint and framework proposal, not as a completed regulatory standard or settled empirical proof. Its value is conceptual: it links principal-agent theory, NIST trustworthiness criteria, and institutional assessability into a way to ask sharper questions about democratic AI deployments.
NIST sources are used for voluntary risk-management vocabulary. OMB sources are used for U.S. federal agency governance and procurement requirements. EU AI Act and Digital Services Act sources are used for legal classification and platform-risk context in the European Union. The EAC source is used for election-administration risk context. None of those sources proves that a particular AI deployment is lawful, safe, fair, or democratically legitimate in practice.
Claims about a specific public-sector system should be checked against the responsible agency, procurement file, system inventory, impact assessment, audit trail, public notice, incident record, and appeal path. A vendor blog post, benchmark score, transparency label, or model card is evidence of a claim; it is not the whole democratic record.
Current-source claims in this page were checked on June 25, 2026.
Sources
- Giulia Sandri and Claudio Novelli, How to Detect and Measure the AI Dangers to Democracy, arXiv:2606.16054 [cs.CY], submitted June 14, 2026.
- Giulia Sandri and Claudio Novelli, How to Detect and Measure the AI Dangers to Democracy, arXiv PDF, reviewed June 25, 2026.
- National Institute of Standards and Technology, AI Risk Management Framework, official NIST page for AI RMF 1.0 and related resources, reviewed June 25, 2026.
- National Institute of Standards and Technology, AI Risks and Trustworthiness, NIST AI RMF trustworthy-AI characteristics, reviewed June 25, 2026.
- National Institute of Standards and Technology, AI RMF Core, describing the govern, map, measure, and manage functions.
- Office of Management and Budget, M-25-21: Accelerating Federal Use of AI through Innovation, Governance, and Public Trust, April 3, 2025, reviewed June 25, 2026.
- Office of Management and Budget, M-25-22: Driving Efficient Acquisition of Artificial Intelligence in Government, April 3, 2025, reviewed June 25, 2026.
- European Union, Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence, official EUR-Lex text, reviewed June 25, 2026.
- European Commission, Guidelines for providers of VLOPs and VLOSEs on the mitigation of systemic risks for electoral processes, reviewed June 25, 2026.
- U.S. Election Assistance Commission, Artificial Intelligence (AI) and Election Administration, reviewed June 25, 2026.
- Related pages: AI Governance, Election Integrity and AI, NIST AI Risk Management Framework, Algorithmic Impact Assessments, The AI Register Becomes Public Memory, The Ad Library Becomes Political Memory, The Voter Chatbot Becomes the Election Clerk, and The Policy Table Becomes the Participation Filter.