Someone asked me recently how to get into AI ethics and governance. She is a good student, she said, and she is ready to do the work. She wanted to know where to start.

I get this question more than I used to. And I keep noticing that the standard answer, which involves a reading list of philosophy papers and a list of people to follow, is not the honest one. The honest one is harder to follow and more useful to have.

So here is what I would actually say.

Start with the regulatory instruments. Not summaries of them. The actual documents. The EU AI Act is 113 articles and you should read the relevant ones. Start with Article 9, which requires a risk management system. Then Article 13, which requires transparency. Then Article 14, which requires human oversight capable of understanding the system, interpreting its outputs, and deciding not to use them in specific situations. Then Article 16, which requires providers to keep technical documentation current.

Read those four articles and ask yourself a simple question: what would need to be true of the document governing the AI system for these obligations to be meaningful? Article 14 requires human oversight capable of interpreting outputs. What does the governing document need to contain for a human to be able to do that? Article 16 requires documentation that is kept up to date. What would the governing document need to specify about its own currency for that obligation to be dischargeable?

You will find, as you read carefully, that the Act creates obligation after obligation without specifying the instrument needed to meet it. That is not a drafting error. It is a design choice. And it is the most important thing to understand about where the AI governance field actually is right now.

Then read SR 26-2, the Federal Reserve's updated model risk management guidance published in April 2026. Notice what it explicitly excludes from scope: generative AI and agentic systems. The regulation that governed model risk management in financial services since 2011 has been updated, and the systems that matter most right now are outside it. That is not bureaucratic oversight. It is an acknowledgement that nobody has yet worked out how to govern them under a rigorous framework.

Those two documents give you a clearer picture of the AI governance field's actual state than anything in the philosophy literature. They tell you where the problems are by naming what they cannot yet solve.

From there, the path depends on what you want to contribute. If it is policy, the regulatory instruments are the curriculum and the gaps are your research agenda. If it is engineering, the distance between what the regulations require and what tools exist to meet it is the problem space. If it is both, that is the most interesting place to be right now, because the people who can read a regulatory instrument and build something that closes the gap are rare.

I did not come to this from philosophical ethics. I came from a practitioner's frustration with the gap between what governance documents claim to do and what they actually do. That frustration turned into a research programme, and the research programme turned into something I could point people toward when they asked questions like yours.

The programme is at nuphirho.dev. The findings are public. The reading list is real. Start with the gap. Everything interesting in AI governance right now lives in the distance between what the regulation says and what instruments exist to meet it.

That distance is the field.