Governance Insight | AI · Quantum · Standards | July 2026

Critical AI and Quantum Standards Should Not Be Hidden Behind Paywalls

As AI, cybersecurity, and quantum technologies become part of critical infrastructure, the standards that govern them increasingly function like public rules. When those standards are locked behind paywalls, democratic legitimacy, security, and global resilience suffer.

Technical standards are often treated as background documents: useful for engineers, procurement teams, auditors, and regulators, but not central to public governance. That assumption is becoming harder to defend.

The issue

In artificial intelligence, cybersecurity, operational technology, and quantum technologies, standards increasingly define how critical systems are designed, assessed, certified, and trusted. They influence procurement decisions, regulatory compliance, security baselines, and the practical meaning of "responsible" or "safe" deployment.

ISO/IEC JTC 1, created in 1987, remains one of the central global venues for information technology standards, including cybersecurity, privacy, cloud computing, AI, and related digital systems. ISO/IEC JTC 3, created in 2024, is now focused on quantum technologies. These are not peripheral technical domains; they are core infrastructure for the next phase of digital governance.

The problem is simple: many of the standards that shape these systems are not freely accessible. They are sold through paywalled dissemination models, often at prices that may be manageable for large firms and wealthy institutions, but burdensome for smaller organizations, researchers, civil-society groups, public-interest experts, and lower-income jurisdictions.

For ordinary commercial standards, this may be a funding-model debate. For critical AI, cybersecurity, and quantum standards, it is more serious. It becomes a question of legitimacy and security.

When standards become governance

A standard is not always law. But some standards begin to function like law.

This happens when a standard is incorporated into regulation, referenced in procurement, used by courts or auditors as a benchmark, or treated as a condition for market access. In those cases, organizations may not be legally forced to use the standard in theory, but in practice they may have little choice.

This creates a rule-of-law problem.

The core principle: If a standard defines what compliance means, people should be able to read it. If it shapes public obligations, it should be open to scrutiny. If it affects how critical infrastructure is secured, researchers and practitioners should be able to evaluate it without a paywall.

The Court of Justice of the European Union made this issue concrete in March 2024 in Case C-588/21 P, involving access to harmonised standards referenced in EU law. The Court held that where harmonised standards form part of the legal framework, there is an overriding public interest in disclosure.

That ruling does not automatically make every international standard free. But it sharpens the principle: when technical standards perform a public legal function, access cannot be treated as a private convenience.

The continuing dispute is visible in the later action brought by IEC and ISO against the European Commission, Case T-631/24, filed in December 2024. That case reflects a deeper institutional conflict between copyright-based funding models and public access to standards that increasingly govern real-world obligations.

The security problem: weakest-link systems

The access issue is not only democratic. It is also operational.

Cybersecurity and critical infrastructure are weakest-link environments. A system is not secure merely because the most advanced actors follow best practice. It is vulnerable when smaller, under-resourced, or less mature actors cannot reach the baseline.

This matters for AI in operational technology, where AI systems may interact with industrial control environments such as energy, water, transport, and manufacturing. Recent joint guidance from Canada, the United States, and allied partners on AI in operational technology emphasizes the need to understand AI use, establish governance and assurance frameworks, and embed safety and security practices into AI-enabled OT systems.

Those principles are right. But they also raise the next question: if security expectations eventually become embedded in formal standards, will every operator, regulator, researcher, and public-interest stakeholder be able to read them?

The same issue applies to post-quantum cryptography. NIST released its first three finalized post-quantum cryptography standards in August 2024, making them openly available as public standards for quantum-resistant security.

That openness matters. The migration to quantum-safe cryptography will take years. It will require coordination across governments, financial institutions, cloud providers, utilities, vendors, and smaller organizations. If the baseline guidance is not broadly accessible, migration becomes more uneven. Uneven migration creates long-lived vulnerabilities.

In security-critical domains, a paywall is not just a price. It can become friction in the adoption of a common security baseline.

Why open access does not mean weak standards

A common objection is that standards bodies need revenue. That concern is real. Standards development requires coordination, editing, governance, expert participation, translation, publication, and long-term maintenance.

But the answer does not need to be universal abolition of every paywall. A more practical approach is differentiated access.

Standards that are purely voluntary, commercial, or low-risk may continue under mixed funding models. But standards that are incorporated into law, referenced by regulation, or effectively required for critical infrastructure should be openly accessible.

The costs of developing those standards can be funded differently: public funding, scaled membership contributions, domain-specific consortia, certification services, training, and value-added implementation support.

This separates access from sustainability. The core document should be public where the public interest requires it. Revenue can still come from services, certification, participation structures, and institutional support.

Open access also improves quality when paired with disciplined process. Security researchers, academics, smaller firms, civil-society organizations, and practitioners in underrepresented regions can identify ambiguities, implementation problems, and unintended consequences earlier. A standard that can be read by more qualified people can be tested by more qualified people.

A practical transition

A credible reform path should avoid slogans and focus on implementation. A staged transition could begin with the most critical domains:

  1. Identify quasi-legal standards. Regulators and standards bodies should identify standards that are incorporated into law, referenced in public procurement, or treated as effective requirements for critical infrastructure.
  2. Pilot open access in high-risk areas. AI in operational technology, cybersecurity baselines, post-quantum migration guidance, and quantum communications are strong candidates for early pilots.
  3. Create funding mechanisms before removing revenue. Governments, large firms, and industry consortia should help fund open-access publication for critical standards, especially where public law and public safety are involved.
  4. Expand participation. Open documents are not enough. Civil society, independent researchers, smaller companies, and lower-income jurisdictions need realistic ways to participate in standards development.
  5. Use regulation as leverage. Major jurisdictions can make open access a condition for recognizing a standard in critical-infrastructure regulation or public procurement.

This is not about weakening standards bodies. It is about adapting them to the role they now play.

Maple Quanta's view

Maple Quanta's position is straightforward: when standards govern critical AI, cybersecurity, or quantum infrastructure, access is part of governance.

A standard that defines public obligations should be publicly knowable. A standard that shapes security baselines should be broadly inspectable. A standard that affects global resilience should not be available only to those with institutional budgets.

The future of AI and quantum governance will not be decided only by models, algorithms, or hardware. It will also be decided by the rules that define trust, safety, accountability, and interoperability. Those rules must be technically sound. But they must also be legitimate.

For critical AI and quantum infrastructures, open access to key standards is not a luxury. It is part of democratic accountability, security readiness, and responsible innovation.

This briefing is for governance and risk discussion only. It is not legal advice.