1. Introduction – A Foucauldian Approach to Problematising Cybersecurity and AI Governance

The increasing complexities of cyberspace, including the recent rise of artificial intelligence (AI), demand rigorous analytical frameworks grounded in a diverse range of theory and method to aid our grasp of this increasing volatile environment, and the political responses to their associated challenges [1]. Traditional policy analysis of such challenges often adopts a problem-solving approach, seeking to optimise solutions within pre-defined parameters. However, in this paper we suggest a different methodological approach, one that draws on the work of Michel Foucault [2, 3], and designed to critically examine how cybersecurity and AI-related challenges are constructed as problems in the first place. Termed ‘Problematisation Analytics’, the approach moves beyond solution-oriented analysis of the problem to interrogate the power dynamics inherent in defining, for example, cybersecurity threats, AI risks, and the appropriate governance responses. It offers a critical lens for examining the exercise of power in the development of laws, norms, and practices that shape behaviours and thought around these problem spaces – cyberspace, including the rapidly evolving field of AI governance.

Foucault’s concept of problematisation, as articulated in his ‘history of problematics’ [4], emphasises that ‘problems’ are not objective realities, but, rather, they emerge from specific historical, social, and political contexts. By analysing how issues are framed as problems, by whom, and for what purpose, we can reveal the underlying assumptions and power relations that shape issues around cybersecurity and AI and the associated discourses and practices or actions around them. This is particularly relevant in the context of global digital technology governance, where a few powerful states and non-state actors play significant role in shaping international norms around these technologies and orchestrating digital capacity-building efforts that are designed and shaped around these norms in other less powerful developing nations. Thus, these rapid development and deployment of AI and other emerging technologies and systems introduce new and complex governance challenges, which demand critical scrutiny of how these technologies are being framed as both opportunities and risks.

A primary, and to some extent, unique feature of the suggested theoretical and methodological framework is its fusion of Foucault’s problematisation analytics with Carol Bacchi’s ‘What’s the Problem Represented to be?’ (WPR) approach and Mitchell Dean’s classification of power effects [5, 6]. Bacchi developed a six-question approach which provides a structured way by which policy texts, AI ethics guidelines, and other data sources can be interrogated to reveal their underlying assumptions and problem representations [5]. Thus, the approach allows for theoretical investigations aimed at systematic deconstruction of policy assumptions to unravel how certain problem representations become dominant, while often obscuring alternative perspectives. In addition, Dean’s concepts of truth, norm, and power effects further illuminate operations of power within these problematised fields, and how power shapes the discourse and practices around governance issues (of cybersecurity, AI, or any other form of governance). By analysing these effects of power, critical studies can be directed towards tracing how specific problem representations become normalised and translated into concrete governance strategies and interventions.

Merging these concepts within this framework, as it is proposed here, offers a unique methodological model for analysing issues around cybersecurity and AI governance, and presents a powerful tool for researchers seeking to understand the complex interplay of power, knowledge, and law within these domains. Particularly as it moves beyond technical or legal analyses to reveal the often invisible power dynamics that shape the very definition of major phenomenon like cybersecurity and AI-related problems, and the proposed solutions to these problems. Devising such methodological and theoretical approach grants such studies the possibility to critically examine the construction of these global challenges (whether around cybersecurity, AI, or any other emerging global difficulties) as problem spaces, and to understand the role of various actors in defining the associated threats, vulnerabilities, ethical considerations, and the implications of specific policy responses for different stakeholders.

While it may be used to interrogate different forms of empirical data, the suggested framework is particularly suited to textual analysis of data such as policy documents, strategy papers, legal frameworks, political speeches, and other government publication, as well as AI and other technologies ethics guidelines. This is so because it allows researchers to track the evolution of these technological concerns, the various justifications offered for specific interventions, and, crucially, the power relations embedded within these processes.

While drawing on examples of its application in exploring the UK’s cybersecurity capacity-building initiatives and their relationships with developing Commonwealth nations [7], the framework, nonetheless, is broadly applicable to a range of contexts within global digital governance, including the governance of AI and emerging future technologies. A key value that it brings to such theoretical and methodological landscape is its ability to aid the exploration and understanding of how dominant narratives around these emerging technologies’ risks often reflect and prioritise the interests of powerful actors while potentially marginalising alternative perspectives and solutions at the same time.

A key objective of this framework, therefore, is to contribute to a broader theoretical and methodological approach to understanding these emerging technologies and their challenges as socio-political phenomena, rather than purely technical ones. Ultimately, the aim is to provide a new direction and method to allow dominant narratives around these technologies to be challenged through research and promote more equitable and just approaches to discourses on how they are governed. It is hoped, therefore, that through such structured and critical approach to analysing problem representations and power dynamics, this methodology can help to foster more transparent, accountable, and inclusive governance of cyberspace and AI technologies.

2. Methodology: Problematisation Analytics – A Novel Framework for Cybersecurity and AI Governance

Problematisation Analytics, as a theoretical and methodological framework is presented and explained in more detail within this section. The framework was originally designed for a new study which developed a theoretical approach to critically interrogate how complex issues in cybersecurity and AI governance are constructed as ‘problems’ within governmental discourse and practices. It explains the theoretical underpinnings of this approach, specifically its reliance on Foucauldian analytics, and outlines how it can be systematically deployed within future research to uncover the power relations inherent in problem definitions and governmental responses to these problems. Thus, the framework provides a structured lens to analyse the discursive practices that shape the field of emerging technologies and digital governance, revealing the mechanisms and techniques through which certain issues are made visible and normalised as requiring specific interventions.

2.1. Problematisation as a Core Analytical Concept

Foucault’s notion of problematisation lies at the core of this framework, which posits that ‘problems’ and their proposed ‘solutions’ are intrinsically linked, forming two sides of the same argument [8]. Thus, in the case of current technological challenges, for example, the object of analysis is not or cannot be the cyber insecurity or AI risk issues themselves, nor the responses that are designed to solve ‘the issue’. Instead, Problematisation Analytics focuses on the logic of problematisation itself – that is, the confluence of both the problem and the solution, alongside the socio-economic and political conditions that enable their emergence [7, 9].

Such analytical shift, therefore, suggests that rather than seeking answers to how, for example, cybersecurity problems are or ought to be solved or which approaches are most effective, instead, the framework is directed at investigating the process of constituting cybersecurity as a problem space [7]. To do this, it starts by scrutinising how these issues are transformed into ‘a going concern’ [7, 10] and how they are subsequently normalised as problems that necessitate specific interventions. Thus, the framework focuses on the interplay between this problematising process and the social, economic, and political conditions that result in the production of particular power dynamics. However, the approach does not suggest or set out to trivialise the inherent difficulties or challenges of cybersecurity or any other emerging technological challenges. Neither does it suggest that the realities of digital insecurity are irrelevant. Rather, it directs attention to how such situations are represented, presented, and the nature of the responses they evoke. It does so to provide a better and deeper understanding of how such problems are formed and the rationale behind how the solutions are sought or offered.

Problematisation Analytics is therefore concerned with the mechanisms and techniques deployed in the process of problem construction and how they are presented and made visible, leading to the emergence of a ‘problem’ case or space that produces or reproduces certain power relations in the process [7]. The object of interrogation therefore, resides not in the ‘problem’ or its ‘solutions’ but in the resulting relationship between the phenomenon (e.g., cybersecurity threats, AI risks) and the political responses (e.g., capacity building, regulatory frameworks, and ethical guidelines) [7].

The framework, thus, enables a deeper exploration of notions like cybersecurity or AI safety beyond their immediate representations. As such, it helps reveal how certain discursive constructions of insecurity, threats, and risks are problematised within these discourses to enable the production of specific knowledge, political, and legal actions and norms, which are then constituted and promoted (globally) as ‘truth’ [11]. The analytical attention of the approach is therefore directed not only to how concerns and actions are presented but also to the implications of how these perspectives are organised or orchestrated. For instance, it allows for critical examination of how individuals, states or even systems (including AI systems) are categorised, classified, and regulated, and what impacts are produced from such classifications.

The adoption of a genealogical approach within the framework suggests that Problematisation Analytics will seek to understand contemporary issues by tracing the historical trajectories of how specific issues have been problematised. However, this historical reflection does not aim to pinpoint origins but to track how issues of, for instance, insecurity have consistently been presented as problems, and how solutions are subsequently produced and made intelligible within different historical moments [7, 12]. This allows for the analysis of contemporary issues like cybersecurity and AI challenges, not as isolated sets of problems, but as part of a broader ongoing security concerns, aiding one’s understanding of the solutions sought, proposed, and implemented, and their constitutive impacts through what Foucault’s referred to as a ‘history of the present’ [5, 12, 13].

Adopting this framework within a research exercise also suggests that the object and scope of such interrogation or study are rooted in what Foucault conceptualised as ‘the field of the work of thought’ [10]. According to Foucault, this is confined to analysing how power operates to create perspectives that enable actions in response to problem phenomena, forming an assemblage of problems and measures that reproduce certain power relations and structures [10]. The approach is therefore grounded in the hypothesis that current trends around these new technologies signal renewed strategies for handling complex situations, representing renewed assemblages of heterogeneous historical elements that produces modern basis of power [7, 14, 15].

2.2. Employing Bacchi’s ‘What’s the Problem Represented to be?’ (WPR) Approach

To allow for a systematic deconstruction of problematisations within cybersecurity and AI governance practices or actions, for example, the Problematisation Analytics framework rely on Bacchi’s WPR approach to policy analysis [9, 16]. This integration is justified because (a) Bacchi’s approach is Foucauldian, and (b) by the adaptability of their approach for critical socio-legal and socio-political research. Like Foucault, Bacchi views ‘problems’ not as given but as social constructions, challenging assumptions that governmental actions are simply reactive responses to pre-existing issues. Instead, governments and other actors are seen as active participants in the creation or production of these ‘problems’ [5, 9]. This represent a shift in perspectives that move away from a problem-solving discourse towards a problem-questioning one.

Bacchi’s WPR approach also operationalises Foucault’s notion of practical or prescriptive texts as points of departure for identifying problematisations. For Bacchi, policy texts, reports, proposals, and speeches are rich sources of empirical materials because they inherently contain explicit or implicit diagnoses of problems [9, 17, 18]. These texts are also inherently prescriptive, and they often start by highlighting a problem, then determining its perceived causes, before concluding by outlining proposed solutions and recommendations. Thus, Bacchi suggests identifying the ‘deep conceptual premises operating within problem representations’ [5] within such textual analysis. This involves, for example the following:

  1. Identifying the core concern (e.g., threats of cyber-attack, poor state preparedness, and AI safety risks).

  2. Noting what is presented as the ‘why’ of the problem (e.g., lack of technical capacity, poor security habits, lack of robust AI ethical frameworks, or the role of economic status).

Most governmental official releases and other official documents often map what is considered problematic and offer prescribed solutions, thereby providing useful data sources for research that seek to employ this approach. Problematisation Analytics complements this with other data sources, such as research interviews, conference presentations, and speeches, to provide genealogical and spatial context, and to uncover underlying assumptions and knowledge claims that further sustain presumptions about problem representations [15].

Bacchi’s WPR approach, therefore, provides a rigorous strategy, based on its six analytical questions, to organise and interrogate policy texts or other institutional releases, forcing researchers to confront how specific problem representations are constructed and for what purpose. These questions also demand reflexivity, urging researchers to treat their own assumptions as potential problem representations [5]. The analytical questions suggested by Bacchi are as follows:

  • What is the problem represented to be in a specific policy?

  • What presuppositions or assumptions underlie this representation of the problem?

  • How has this representation of the problem come about?

  • What is left unproblematic in this problem representation? Where are the silences? Can the problem be thought about differently?

  • What effects are produced by this representation of the problem?

  • How/where has this representation of the problem been produced, disseminated, and defended?

  • How could it be questioned, disrupted, and replaced?

A key benefit of such systematic questioning is that it provides robust structural support for analysing such governance practices (of cybersecurity and AI or any challenging phenomenon), organising and concretising the analytical logic while minimising oversimplification.

2.3. Interrogating the Operation of Power with Dean’s Classification

To fully track the relations of power and their impacts within problematised fields, the Problematisation Analytics framework further fuses Bacchi’s WPR approach with Dean’s classification of power effects [7]. Dean’s concepts allow for a nuanced understanding of how power operates in governing, and its effects on individuals, states, and institutions. As such, it enables the unravelling of how political thoughts and perspectives create and sustain problematised fields [19]. A systematic use of Dean’s power classification within this framework, alongside Bacchi’s WPR, enhances the analysis of research data and, in particular, the presentation and interpretation of research findings.

Dean’s approach categorises power effects into three main elements:

  1. Truth effect: This refers to how a problem is presented and made visible, rendering its acceptance as necessary and vital, even if it might otherwise be contested. Such problem representations often appear in reports claiming factual basis, like statistical data on cyber intrusions or widening technology gaps or AI misinformation risk, for example. The truth effect legitimises the problem as real, justifying government actions, reforms, norms, and rules. In AI governance, this could involve presenting data on AI-related harms or risks to justify calls for regulation.

  2. Norm effect: Following the establishment of a problem through the truth effect, the norm effect functions to diagnose the problem and produce blueprints for addressing it through specific actions (e.g., regulations, laws, capacity development programs, and AI ethical guidelines). Crucially, the norm effect has the potential to obscure alternative perspectives on the problem, effectively codifying authoritative assertions of truth into ‘normative judgments’ [8, 19].

  3. Power effect: This emerges from the interplay between freedom and dominance, particularly when norms are modulated to appear as creating individual or state freedom. The power effect serves as a means of execution or problem-solving, enforcing what is allowed or disallowed, prescribing or proscribing who should adopt certain principles, norms, or strategies, and for what purpose. It determines whose behaviour ought to be changed or adapted, and identifies states or entities that fall short of prescribed standards. Dean’s framework allows researchers to trace how, through the identification of norms and those perceived as ‘outsiders’ (e.g., ‘good guys’ vs. ‘bad guys’ in cybersecurity or AI discourse ), a ‘loop back to relations of power’ [19] can reveal the contexts in which obligation precedes freedom.

Like Bacchi’s WPR, Dean’s process is also Foucauldian, rooted in the idea that the ‘problematising activity’ [20] of governments is evident in their operational methods. For Dean, governments, particularly in liberal states, operate under a tension between freedom, obligations, and coercion [19]. Therefore, analysing this tension is crucial to understanding governmental function and the impacts of their actions. The Problematisation Analytics framework can therefore apply these effects to highlight the relations and operations of power that exist between states and other actors within the governance discourse around emerging technologies such as AI.

3. Applying Problematisation Analytics: Empirical Scope and Illustrative Case Study

Thus far, we have explained the ability of the Problematisation Analytics framework that is designed to be highly adaptable across diverse empirical contexts within cybersecurity, AI, and other emerging technology governance research. In this section, we outline the types of empirical materials that are suitable for this framework and demonstrate its application through an illustrative case study derived from a recent doctoral study.

3.1. Suitable Empirical Materials and Data Selection

The analytical strength of Problematisation Analytics lies in its capacity to deconstruct how problems are discursively constructed within various forms of governmental or governance communication. As such, the framework is particularly suited for the analysis of textual data, derived from both primary and secondary sources that articulate, justify, or respond to perceived problems in digital technology governance.

  1. Primary sources examples: These are critical for identifying original problem representations and proposed interventions. They include, but are not limited to the following:

    • Official policy documents: These may include such documents as National cybersecurity strategies, AI ethics guidelines, legislative proposals, policy white papers, strategic reviews, and governmental reports. These types of documents are often explicit in their definition of problems. They will also often outline solutions – preferred, proposed, or otherwise, serving as rich sites for problematisation analysis.

    • Legal texts: These include laws, regulations, treaties, and international agreements related to cybersecurity, for example, data privacy, and AI governance. Normative judgements are often encoded within these types of texts and as such provide authoritative representations of problems.

    • Speeches and declarations: These will include keynote addresses by policymakers, government officials, or industry leaders at conferences, press releases, parliamentary debates, or debates at international forums. These forms of data often frame issues around the perceived challenges and articulate preferred responses or actions required to address them.

    • Non-governmental and industry reports: Publications from think tanks, industry associations, and civil society organisations will be amongst the examples of such data. They will typically address and reproduce the dominant discourse around the issue (cybersecurity threats, AI risks, etc.) or produce their own discourse or engage those advocating for specific governance approaches.

  2. Secondary sources: These types of data provide crucial contextual understanding, historical trajectories, and critical commentary on problem representations. This may include, in the case of cybersecurity and AI challenges, academic literature, journalistic accounts, and historical analyses relevant to the evolution of discourse around the problems.

Most crucially, and for effective analysis, empirical materials should be selected based on their potential to reveal how specific issues are problematised. This involves identifying documents or statements that, for example:

  1. frame a particular phenomenon as a ‘problem’ requiring attention or intervention;

  2. propose ‘solutions’ or ‘responses’ to the identified problem;

  3. are situated within relevant policy, legal, or discursive contexts pertaining to cybersecurity, AI, or global digital governance; and

  4. allow for a genealogical tracing of how a problem representation has evolved over time or across different political contexts.

The selection process of both data types and data sources should also be iterative, allowing for the emergence of new relevant data and sources as the analysis progresses. This is also consistent with the inductive and interpretative nature of Foucauldian inquiry [2].

3.2. Illustrative Demonstration: Problematisation in Cybersecurity Governance

To demonstrate how Problematisation Analytics can be operationalised, this section draws on material from a recent comparative research project that examined the problematisation of cybersecurity in global security governance. For present purposes, these cases, involving the UK’s cybersecurity initiatives and their interactions with three developing Commonwealth nations (Ghana, Botswana, and Trinidad and Tobago), are not analysed in full. Instead, they are used in a limited illustrative way to exemplify how the framework enables a critical examination of problematisation and governmentality practices in the context of state-led capacity-building [7] and to demonstrate its adaptability to a broad range of research areas.

In this demonstration, therefore, it is shown how Problematisation Analytics can be applied to diverse sources such as national cybersecurity strategies, parliamentary reports, bilateral agreements, international development white papers, and UN and Commonwealth documents. Applying Bacchi’s six analytical questions to such materials highlights the kinds of problem representations typically encountered (e.g., framing weak cybersecurity in developing nations as a technical deficit or a lack of legal frameworks). The framework draws attention to how such framings justify particular forms of capacity-building and norm-promotion led by external actors.

Similarly, using Dean’s categories of power effects (truth, norm, and power) illustrates how the framework can reveal the implications of these problem representations. For example:

Truth effect: The framework enables analysis of how statistics or narratives (e.g., global interconnectedness, rising cybercrime figures, etc.) establish the ‘truth’ of a ubiquitous cybersecurity problem, thereby legitimising desired interventions.

Norm effect: This allows for an understanding of how specific norms and standards (e.g., ‘best practices’, ‘responsible state behaviours’, etc.) emerge from these problematisations, and presented as universal solutions or truth.

Power effect: This enables one to see how such norms translate into practices that may shape sovereignty or policy choices in developing nations, thereby exposing subtle forms of dependency or ‘governance at a distance’ [7, 21, 22].

This illustrative demonstration underscores how Problematisation Analytics moves beyond surface-level policy analysis to expose underlying assumptions, power dynamics, and the effects of problem constructions in global digital governance. While a full empirical application lies beyond the scope of this paper, it demonstrates the framework’s potential for critical and empirically grounded inquiry into complex socio-technical issues like cybersecurity and AI.

3.3. Genealogical Approach to Data Analysis

Engaging data analysis within Problematisation Analytics is inherently iterative and genealogical, driven by the systematic application of both Bacchi’s WPR questions and Dean’s power effects. The process is not always linear in application but involves a continuous oscillation between theoretical concepts and empirical material. However, a recommended application steps may include the following:

  1. Initial scan and familiarisation: Researchers will begin by familiarising themselves with the selected empirical materials, performing initial readings to identify recurring themes, dominant problem formulations, and proposed solutions related to the current phenomenological issue.

  2. Application of Bacchi’s WPR questions: Each relevant document or statement is then systematically interrogated using Bacchi’s six questions. This involves close textual analysis to:

    • pinpoint the explicit or implicit problem representation;

    • reveal underlying assumptions (e.g., about technology, human behaviours, and state capacity);

    • trace the historical emergence of these representations;

    • identify what is left unsaid or unproblematic;

    • hypothesise potential effects of these representations; and

    • consider the context of the representation’s production and dissemination.

  3. Identification of Dean’s power effects: As problem representations are identified and deconstructed using Bacchi’s WPR, the analysis should start to shift to how they contribute to truth, norm, and power effects. The research can then follow a course of systematically mapping how certain facts become ‘truths’, how these truths translate into specific ‘norms’ or recommended actions, and how these norms ultimately exert a form of ‘power effect’ by shaping behaviours or perceptions, often influencing the parameters of acceptable discourse or action.

  4. Genealogical tracing and pattern identification: The insights derived from examination of the data following Bacchi and Dean processes are then synthesised to trace the genealogy of specific problematisations. This involves identifying patterns across documents and over time, revealing continuities and discontinuities in how these phenomenological challenges are framed, who benefits from these framings, and what forms of governance are legitimised as a result. This iterative process ensures that the analysis remains deeply rooted in the empirical material while continuously building towards a broader understanding of the dynamics of problematisation in the chosen problem field.

4. Challenges, implications, and future directions of Problematisation Analytics

While Problematisation Analytics offers a powerful critical framework for dissecting the construction of problems, particularly within cybersecurity and AI governance, as already tested against the original study for which it was designed, its application comes with inherent methodological and philosophical considerations. This section addresses these challenges, discusses the broader implications of adopting such an analytical lens, and outlines promising avenues for future research.

4.1. Methodological Challenges and Considerations

Applying a Foucauldian genealogical approach, particularly when combined with methodical tools like Bacchi’s WPR and Dean’s power effects, require careful methodological reflexivity. A core challenge lies in the interpretive nature of critical discourse analysis. While the framework allows for structured lines of questioning, definitions of categories, identification and presentation of research findings, the identification of problematising and power effects relies, to a certain extent, on the researcher’s interpretation of discursive practices. This underscores, therefore, the importance of transparency in the analytical process and a clear articulation of the researcher’s position or stance, ensuring academic rigor even in the absence of positivist notions of objectivity [23, 24].

Furthermore, genealogical inquiry, by its very nature, does not seek to establish direct causality or predict future outcomes. Instead, it aims to shed light on the historical conditions and power relations that shape the ‘history of the present’ [2], as reflected in the parlance of Foucault. Studies employing this framework must therefore be cognisant of what it offers: that is, a rich and deeper understanding of how problems are constituted and what effects they produce, rather than focusing on research outcomes that represent prescriptive solutions or present definitive causal links. Such study must also be mindful that, while the method focuses on revealing the constitutive role of problem representations, trivialising the realities of the problem falls outside the scope of the framework. Neither does the method suggest that empirical problems are not ‘real’, but, rather, its focus should be on how such situations are represented and the nature of the responses they evoke.

Another consideration lies in the scope and boundaries of analysis. While the framework can be applied to a wide array of textual and discursive data, defining the relevant source and managing its breadth requires strategic decisions [25]. The aim here is not exhaustive documentation, but a focused examination that reveals significant patterns of problematisation. Additionally, as with any critical research approach, there is a constant need to guard against imposing a pre-determined critical stance, allowing the empirical material to guide the unravelling of problem constructions instead.

Finally, fusing Foucault’s nuanced concepts (like problematisation and governmentality, in other words, Bacchi and Dean) into a structured analytical framework, while beneficial for empirical application, requires careful navigation to avoid oversimplification. Therefore, the analytical questions and categories should serve as archetypes and guidelines, acknowledging that the complexities of power relations in contemporary governance can lead to emergent forms that extend beyond the existing conceptualisations. Studies employing this framework must therefore remain open to such nuances.

4.2. Implications for Research in Emerging Technologies like Cybersecurity and AI Governance

Adopting Problematisation Analytics carries significant implications for advancing research in emerging technologies’ governance challenges in the following ways:

Deeper critical implications: It shifts the analytical gaze from what is being done, presented, or accepted as objects of concern to how and why certain issues become objects of governance. This fosters a deeper, more critical understanding of policy processes and their underlying power dynamics, moving beyond descriptive accounts of policies or the technologies themselves.

Unveiling power relations: By systematically linking problem representations to power effects, the framework unravels how specific narratives (e.g., about cyber threats, AI risks, or state capacities or vulnerabilities) are deployed to justify particular interventions, shape norms, and influence behaviours. This is crucial for understanding the socio-political economy and dynamics of digital technology governance.

Contextualising global governance: For international relations and global governance scholars, it provides a robust tool to analyse how global norms and practices deployed to address challenges around technologies, such as cybersecurity and AI are constituted, and how they can perpetuate the existing hierarchies or create new forms of governance at a distance, particularly with regards to relations between wealthier and more powerful states and the poorer and less powerful ones.

Informing ethical discourse: Particularly in the rapidly evolving field of AI ethics, this framework can allow for a critical examination of how ethical ‘problems’ (e.g., bias, accountability, and safety) are framed, and, crucially, whose interests are served by these particular framings, enabling a more nuanced and politically aware ethical discourse.

It is suggested, therefore, that while there may be a perceived ‘withdrawal of the state’ [26] in contemporary governing technologies (with powerful technology billionaires increasingly been seen as all powerful and seemingly in control) employing this framework constitutes new theoretical and methodological direction to understanding the role of the state (in its many formations), nonetheless, in the control and orchestration of the global socio-political order, while sustaining new forms of liberal governance. This interrogation of the state’s role, through Foucauldian power concepts, allows ‘governing’ to be understood as an analytical domain whose practices and discourses need examination to understand their different forms of contemporary power.

4.3. Future Directions for Research

The Problematisation Analytics framework opens up several promising avenues for future research, including the following:

  1. Broader empirical application: Future studies could apply this framework to various emerging technological governance challenges, such as those posed by synthetic media, quantum computing, or biotechnologies. Cross-sectoral comparisons could reveal common patterns of problematisation.

  2. Comparative analysis: The framework is particularly well-suited for comparative studies across different national, regional, or international contexts, allowing for analysis of how similar technological problems are constructed and governed differently, and the implications of these variations.

  3. Actor-centric problematisation: While the framework focuses on discursive practices, future research could delve deeper into the specific roles of diverse actors (e.g., private tech corporations, civil society organisations, international NGOs, etc.) in problematising and shaping digital governance, and analysing their specific ‘truth-telling’ and ‘norm-setting’ strategies.

  4. Longitudinal genealogical studies: Expanding genealogical tracing across longer historical periods could provide even richer insights into the enduring nature of certain problem constructions and the subtle shifts in power dynamics over time, particularly within cybersecurity and AI and other emerging technologies.

  5. Methodological refinement: Future work could also explore integrating Problematisation Analytics with other critical theories and methods (e.g., feminist critiques of technology, postcolonial studies, etc.) to enrich its analytical depth and address specific blind spots.

  6. Policy interventions and impact: Research could explore the practical implications of understanding problematisation for designing more equitable and effective governance interventions, moving from critique to constructive engagement with policy development.

Through its structured and critical approach to analysing problem representations and power dynamics, Problematisation Analytics can thus provide invaluable tools to studies aiming to challenge dominant narratives and foster more transparent, accountable, and inclusive approaches to emerging technology challenges, including those of cybersecurity and AI governance.

5. Conclusions

The focus of this paper has been to introduce and elaborate on the Foucault-inspired concept of Problematisation Analytics, which serves as both theoretical and methodological framework, designed for the critical examination of how global cybersecurity and contemporary AI-related challenges are constructed as ‘problems’ within the landscape of global digital governance. Moving beyond conventional problem-solving approaches, this framework posits that these ‘problems’ are not pre-given realities but are discursively produced through specific historical, social, and political conditions, inherently intertwined with their proposed solutions.

By fusing Foucault’s concept of problematisation with Bacchi’s WPR approach, alongside Dean’s classification of power effects, Problematisation Analytics offers a structured yet nuanced tool for empirical research. Bacchi’s WPR questions provide a methodical mechanism for deconstructing policy texts and other discursive materials, revealing the underlying assumptions and representations that shape problem definitions. Complementing this, Dean’s analytical categories (truth, norm, and power effects) allow for a deeper interrogation of how power operates within these problematised fields, exposing how certain narratives legitimise specific interventions and shape behaviour within digital governance, or governance more generally.

As demonstrated through the illustrative case study on cybersecurity governance, this framework facilitates a move beyond surface-level policy analysis and technological realities. It enables one to design studies that aim to uncover the often invisible power dynamics that influence the very definition of digital threats and the subsequent design of governance responses. This is particularly pertinent for the rapidly evolving domains of cybersecurity and AI, where the framing of risks and the call for regulation can have profound geopolitical and societal implications.

While acknowledging the inherent interpretive challenges of Foucauldian inquiry, Problematisation Analytics provides a rigorous and adaptable approach for critical socio-technological, socio-legal, and socio-political research. It compels researchers to consider what is left unproblematic in dominant discourses and how certain knowledge is produced or reproduced to serve particular interests. Thus, this framework contributes significantly to a broader theoretical understanding of cybersecurity and AI, for example, as socio-political phenomena, advocating for more transparent, accountable, and equitable approaches to their governance. Ultimately, through its ability to engage studies that can challenge dominant narratives, the framework offers a vital lens for navigating the complexities of power, knowledge, and law in an increasingly digitised world.