Compliance & Regulation

77 posts on compliance & regulation.

EU AI Act Article 99: The Penalty Tiers and What Triggers Each One

Article 99 of the EU AI Act sets three penalty tiers reaching 35M EUR or 7% of global turnover for prohibited practices, 15M EUR or 3% for high-risk non-compliance, and 7.5M EUR or 1% for supplying misleading information. The mandate takes effect August 2, 2026.

eu-ai-act, ai-governance, compliance, penalties, enforcement, regulation
EU AI Act Article 26: The Deployer Obligations Most Teams Miss

Article 26 of the EU AI Act puts operational obligations on the deployer of a high-risk AI system. The deployer must monitor operation, suspend use under specific risk conditions, keep automatically generated logs, and inform the provider and authorities. The mandate takes effect August 2, 2026.

eu-ai-act, ai-governance, compliance, deployer-obligations, audit, regulation
EU AI Act Article 13: The Transparency Mandate for High-Risk Systems

Article 13 of the EU AI Act requires providers of high-risk AI systems to design them so deployers can interpret outputs, understand limitations, and exercise human oversight. The mandate takes effect August 2, 2026. Generic model cards fail the test.

eu-ai-act, ai-governance, compliance, transparency, ai-security, regulation
EU AI Act Annex III: The Eight Categories That Define High-Risk AI

Annex III of the EU AI Act lists the eight categories of AI systems classified as high-risk. Inclusion in Annex III triggers the full obligations of Articles 8 to 27 from August 2, 2026. Most enterprise teams are inside the scope without realizing it.

eu-ai-act, ai-governance, compliance, high-risk, classification, regulation
DORA Third-Party Risk for AI: What ICT Third-Party Providers Have to Show

DORA took effect January 17, 2025. The regulation treats AI vendors as ICT third-party service providers. Financial entities must maintain a register of contractual arrangements, monitor concentration risk, and demonstrate exit strategies. AI inference sits squarely inside the obligation.

dora, third-party-risk, financial-services, compliance, ai-governance, ict-risk
AI Model Governance: Controls That Operate on the Request Path

AI model governance fails when it sits at the model registry layer alone. Model cards and versioning catalog the asset. Per-request enforcement governs how the model is actually used. Article walks through the runtime layer most model governance programs leave out.

ai-governance, ai-compliance, audit, eu-ai-act, architecture, compliance
AI Governance Training: What to Teach Which Role Inside the Enterprise

AI governance training fails when it gets delivered as a single all-hands course. Each role inside the enterprise needs different content. Article walks through the role-specific training tracks the regulators and auditors expect, and where the curriculum meets the runtime evidence requirement.

ai-governance, ai-compliance, compliance, eu-ai-act, audit, shadow-ai
AI Governance Stakeholders: Who Owns What Inside the Enterprise

AI governance fails when no single role owns the per-decision audit trail. The CISO, CRO, General Counsel, CTO, and platform engineering each hold a slice. Article walks through the seven stakeholder roles, what each owns, and where the handoffs break in practice.

ai-governance, ai-compliance, compliance, eu-ai-act, regulation, audit
AI Governance Software: What to Look For Beyond the Policy Builder

AI governance software splits into policy-building, inventory, and runtime enforcement. Most products in the category cover policy and inventory and leave runtime evidence to whatever the engineering team builds. Article walks through the architectural layers and what to ask vendors before signing.

ai-governance, ai-compliance, ai-security, compliance, eu-ai-act, policy-enforcement