Chapter AAI regulation basicsPage 6 of 8

AI regulation basics

Compliance as an organizational habit

Regulatory readiness is not a document produced before launch; it is a repeatable way to inventory, decide, test, monitor, and improve.

~15 minPractical application

Before you start

Why this matters

A product team performs a detailed risk review on launch day. Two months later, an engineer switches model providers. A month after that, sales enables the feature for schools. Then an operations team connects it to an automatic email action. The original review remains neatly filed—and no longer describes the product.

AI systems change through models, prompts, data, retrieval sources, thresholds, integrations, users, and scale. Compliance must therefore operate as a lifecycle, with small controls built into ordinary product work.

1Learn the idea

Read

Start with an inventory

An organization cannot govern systems it does not know about. Create an inventory that includes purchased tools, internally built models, embedded vendor features, experiments using real data, and important spreadsheets or rules that make automated predictions.

Each record should name:

  • purpose, owner, and status;
  • users and affected people;
  • decision role and possible side effects;
  • model, vendor, and version;
  • data sources and sensitive categories;
  • jurisdictions and sector context;
  • initial risk tier and review rationale;
  • controls, approval conditions, and next review date.

Keep intake proportionate. A ten-minute form can route low-impact experiments, while consequential uses receive deeper review. If every idea faces a month-long committee, teams may hide experiments. If intake asks nothing meaningful, the inventory becomes a software catalog rather than a risk tool.

Read

Define decision gates

Set explicit gates for stages such as experiment, pilot, limited release, and full deployment. A gate answers: what evidence is required, who reviews it, who accepts residual risk, and what conditions limit approval?

A practical gate may require:

  1. a clear intended-use statement;
  2. risk and data classification;
  3. vendor and security review;
  4. evaluation against acceptance criteria;
  5. human-oversight and user-notice design;
  6. monitoring, incident, and rollback plans;
  7. documented approval with scope and expiry.

Not every reviewer must approve every system. Route by risk. Privacy specialists focus on data, security on threats, domain experts on professional validity, and accountable business owners on outcomes. Coordination matters because one control can affect another.

Read

Make evaluation claim-specific

Testing should examine what the product promises in realistic conditions. A generic language benchmark cannot prove that a system safely summarizes insurance appeals. Build evaluation sets from representative cases, difficult edge cases, important subgroups, and known failure modes.

Track more than average accuracy. Depending on the use, examine false positives, false negatives, unsupported claims, refusal quality, harmful content, latency, human override, accessibility, and disparities. Set release thresholds before looking at final results to reduce convenient interpretation.

Record dataset scope and limitations. Avoid putting sensitive production data into an evaluation process without purpose, access, and retention controls.

Read

Control changes, not just launches

Define which changes require reevaluation. Examples include:

  • a new model or provider;
  • altered system prompts, tools, thresholds, or retrieval sources;
  • use in a new country, language, sector, or population;
  • movement from assistive output to automatic action;
  • new sensitive data or a new integration;
  • major scale increase;
  • evidence of drift, incident, or regulatory change.

Use versioned records so the team can connect an outcome to the configuration that produced it. Vendor model updates need attention too. Contracts and technical architecture should provide change notice or allow controlled version adoption where possible.

Read

Monitor and respond

Monitoring should answer whether the system remains inside its approved boundary. Combine automated indicators with sampled human review and feedback from affected people. Watch input shifts, quality failures, subgroup outcomes, security events, override patterns, complaints, and near misses.

Write incident levels and actions in advance. A minor formatting issue may create a backlog item. Exposure of personal data may require immediate containment and specialist notification analysis. A harmful decision pattern may require pausing automation, correcting records, contacting affected people, and preserving evidence.

Someone must have authority to pause the system. A rollback plan that requires an unavailable executive is not operational.

Read

Procurement is part of governance

Vendor review should connect promises to evidence and contract terms. Ask for intended-use boundaries, evaluation methods, security information, data terms, subcontractors, model-change practices, incident support, and deletion behavior. Determine what the vendor controls and what the deploying organization must control.

Plan for exit. Can the organization export needed records, disable integrations, delete data, and continue critical work if the vendor changes terms or fails? Dependency is a governance risk.

Read

Train people for their actual role

General AI awareness helps, but role-specific training matters more. Builders need approved development data and documentation expectations. Product managers need intake and change triggers. Operators need limitations and escalation routes. Reviewers need evidence and authority. Procurement needs vendor questions. Leaders need to understand that accepting risk is a decision, not a signature ritual.

Create a culture where reporting a near miss improves the system. Punishing every disclosure encourages silence.

Read

A lightweight monthly rhythm

Small organizations can begin with a simple cadence:

  • review newly discovered uses;
  • inspect high-risk system metrics and complaints;
  • check vendor or model changes;
  • follow up on expired approvals;
  • test one rollback or incident procedure;
  • record decisions and owners.

This is more valuable than a large policy nobody applies. Maturity comes from feedback: incidents improve tests, tests improve gates, and gates improve product design.

Checking tutor…

Continue learning · glossary & guides