AI regulation basics
Mastery check: from rules to governance
You understand regulation basics when you can turn a vague AI feature into concrete questions, proportionate controls, named owners, and a path for people affected.
Before you start
Why this matters
How to use this check
Answer each question before reading its explanation. The goal is not to memorize one jurisdiction’s categories. Rules change, and exact legal conclusions require current expert analysis. The durable skill is recognizing which facts change risk and which organizational habits make compliance possible.
This material remains general education, not legal advice.
1Learn the idea
Read
Question 1: model or use?
A company uses the same model to generate fictional product names and to rank employees for promotion. A manager says both features belong in the same tier because the underlying model is identical. What is missing?
Answer: Classification must examine use context. Promotion ranking affects livelihood and opportunity, processes employee data, and can influence a consequential decision. Product-name generation normally has lower stakes and no affected applicant population. Purpose, decision power, data, scale, and contestability differ even when the model is shared.
The team should separate feature records, controls, and permissions. It should also consider whether shared infrastructure allows data or behavior to cross boundaries.
Read
Question 2: lower risk means no law?
A photo-cropping assistant receives a lower internal AI risk rating. The team concludes that no compliance work is needed. Why is that wrong?
Answer: A lower AI tier is not a legal exemption. Privacy, security, consumer protection, copyright, accessibility, contracts, and ordinary product-safety expectations may still apply. If photos contain faces, locations, children, or confidential material, data handling matters. Marketing claims must remain accurate.
Risk tiers allocate attention; they do not replace baseline responsibilities.
Read
Question 3: disclosure
A mental-health support chatbot reveals that it uses AI only after the user finishes the conversation. Is that meaningful transparency?
Answer: The disclosure arrives too late to shape the user’s choice to interact or share sensitive information. A useful notice should appear before collection and should explain important limitations, data handling at an appropriate level, and how to reach human or emergency support. A label alone cannot make unsafe medical behavior acceptable.
Transparency supports choice and correction; it does not substitute for safety, evidence, or qualified care.
Read
Question 4: privacy minimization
An AI meeting summarizer receives complete employee profiles because “more context improves accuracy.” Name three better questions.
Answer: Ask which fields are necessary for the defined summary purpose, whether identifiers or unrelated fields can be removed, and whether the same quality can be achieved with meeting content alone. Also ask who receives the profiles, whether they are retained or reused, how rights requests flow, and whether sensitive inferences are generated.
“Useful someday” is not a specific purpose. Extra data can increase privacy, security, fairness, and quality risk.
Read
Question 5: human review
A credit system produces a score and recommended denial. An employee must click “confirm,” but sees no application data and is evaluated on speed. Does the click provide meaningful oversight?
Answer: No. The employee lacks evidence, time, and a realistic basis to disagree. The interface and incentives encourage rubber-stamping. Meaningful review requires source information, training, authority, adequate time, clear override and escalation paths, and monitoring of review quality.
The organization must preserve accurate decision factors and correction routes. Asking a model to generate a plausible denial reason is not a reliable explanation method.
Read
Question 6: launch complete?
A high-impact system passed its pre-launch evaluation. The owner marks compliance “done.” What lifecycle controls are missing?
Answer: The system needs production monitoring, complaint and incident handling, periodic review, change triggers, version records, rollback authority, and reevaluation when models, data, populations, integrations, scale, or law change. Approval should state scope, conditions, owner, and expiry.
Pre-launch evidence is a snapshot. Governance keeps the product inside its approved boundary.
Read
Regulation, ethics, and governance
These three ideas overlap but are not interchangeable.
Regulation establishes enforceable external requirements through laws and authorized rules. It answers part of “What must we do?”
Ethics examines values, harms, duties, and choices, including situations where law is silent or permits several options. It asks “What should we do, and whose interests count?”
Governance is the organizational system that turns commitments into decisions: inventories, roles, policies, review gates, evidence, monitoring, incident response, and accountability. It asks “How do we reliably decide and prove what we did?”
A product can be legally permitted yet manipulative, exclusionary, or unwise. An ethical principle without owners and controls may change nothing. Governance without ethical reflection can become checklist compliance. Regulation without operational governance can remain unread policy.
The bridge is practical. Use regulation to identify minimum duties, ethics to examine impacts and tradeoffs, and governance to make decisions repeatable and correctable.
Read
Ship-readiness checklist
Before releasing an AI feature, confirm:
- the exact use and affected population are documented;
- applicable jurisdictions and sector rules have an owner for analysis;
- data purpose, recipients, retention, and deletion are understood;
- risk classification has evidence and a review date;
- claims are tested in realistic and important edge conditions;
- notices are timely, audience-specific, and actionable;
- human review is meaningful where consequences require it;
- complaints, correction, incidents, and rollback have named routes;
- changes trigger reassessment;
- residual risk is accepted by someone with real authority.
This checklist does not determine legality. It helps a team arrive at expert conversations with the system facts already organized.
Read
Next step
Take the preliminary assessment from the scenario and compare it with an ethics review: who benefits, who bears errors, who was not consulted, and what use should remain off-limits even if technically possible? Then turn both into a governance record with owners and review dates.