
Compliance & Regulation

143 posts on compliance & regulation.

EU AI Act Fines vs GDPR Fines: How the Two Penalty Regimes Compare

The EU AI Act and GDPR operate parallel penalty regimes. GDPR caps its highest tier at 20 million EUR or 4% of global annual turnover, whichever is higher. The AI Act caps its highest tier at 35 million EUR or 7% for prohibited AI practices, with 15 million EUR or 3% for other non-compliance (including high-risk obligations) and 7.5 million EUR or 1% for supplying incorrect, incomplete, or misleading information to notified bodies or national authorities, again whichever is higher in each tier. The two regimes can apply concurrently to the same processing. This piece walks through the tiers, the trigger conditions, the enforcement bodies, and where the obligations actually overlap.

Tags: eu-ai-act, gdpr, compliance, penalties, regulation, fines

EU AI Act Article 9: What the Risk Management System Obligation Requires

Article 9 of the EU AI Act requires a risk management system for every high-risk AI system, run as a continuous iterative process across the system's entire lifecycle. The obligations include identifying known and reasonably foreseeable risks, estimating and evaluating them (including risks surfaced by post-market monitoring data), and adopting appropriate risk management measures. The August 2, 2026 deadline applies to Annex III systems. Most enterprise AI deployments treat risk management as a documentation exercise that ends at conformity assessment. The Article 9 reading expects a running process that produces evidence at every decision point.

Tags: eu-ai-act, article-9, risk-management, compliance, high-risk-ai, governance

AI Governance Audit Framework: What Auditors Actually Test

An AI governance audit framework tests three layers: policy artifacts, control operation, and per-request evidence. The auditor reads the policy, samples requests, and traces each sampled request through the control to the evidence record. Programs that pass tend to share six properties. Programs that fail typically fail at the evidence layer, because the audit record either does not exist or sits under the same administrative control as the application that generated the request, so the application could alter its own evidence. This piece walks through the framework, the six properties, and the architecture the framework depends on.

Tags: ai-governance, audit, compliance, eu-ai-act, soc-2, iso-42001

EU AI Act for HR: Annex III Point 4 and the High-Risk Recruitment Stack

Annex III, point 4 of the EU AI Act classifies AI systems used in employment, workers' management, and access to self-employment as high-risk. The scope covers recruitment and selection (including targeted job advertising and application filtering), applicant evaluation, promotion and termination decisions, task allocation based on behaviour or personal traits, and worker monitoring and performance evaluation. The August 2, 2026 deadline applies. This piece walks through what the classification covers across the recruitment lifecycle, what Article 12 logging requires, and what the architecture for compliant HR AI use looks like.

Tags: eu-ai-act, hr, recruitment, high-risk-ai, compliance, article-12

EU AI Act for Credit Scoring: Annex III Classification and Article 12 Logging

Annex III, point 5(b) of the EU AI Act classifies AI systems used to evaluate the creditworthiness of natural persons or establish their credit score as high-risk, with an express carve-out for systems used to detect financial fraud. The classification triggers Article 12 record-keeping, Article 13 transparency, Article 14 human oversight, and Article 26 deployer obligations. The August 2, 2026 deadline applies. This piece walks through what the classification covers, what the operational requirements actually look like, and what the architecture for compliant credit scoring AI use looks like.

Tags: eu-ai-act, credit-scoring, fintech, high-risk-ai, compliance, article-12

Generative AI Governance: The Inspection-Layer Decisions That Sit Between Policy and Production

Generative AI governance has to bind organizational policy to per-request enforcement on production traffic. The inspection layer between authenticated users or agents and any LLM is where that binding sits. This piece walks through the categories generative AI governance has to decide on, where enforcement is placed, the record series it produces, and how the program maps to EU AI Act Article 12 and the NIST AI RMF.

Tags: generative-ai-governance, ai-governance, eu-ai-act, nist-ai-rmf, inline-enforcement

AI Governance Framework: The Operational Layers Between Policy Documents and the Audit Record

An AI governance framework that survives an audit has three operational layers: a policy layer that names what the program will and will not do, an enforcement layer that binds the policy to production traffic, and a record layer that produces the per-decision evidence. This piece walks through each layer, what artifacts each one produces, and how the layers map to EU AI Act Article 12, NIST AI RMF, and ISO 42001.

Tags: ai-governance-framework, ai-governance, eu-ai-act, nist-ai-rmf, iso-42001

EU AI Act Records of Processing: What the Article 12 + 19 Record Has to Contain Beyond GDPR Article 30

GDPR Article 30 records of processing describe what data the organization processes, for which purposes, and with whom it is shared. EU AI Act Article 12 (record-keeping) plus Article 19 (automatically generated logs) records describe what the AI system did with a specific request at a specific moment. The two record series carry different fields at different granularities: one is a static inventory, the other a per-event log. This piece walks through the GDPR baseline, the Article 12 plus Article 19 fields, where each sits operationally, and what the audit expects of each.

Tags: eu-ai-act, records-of-processing, gdpr, article-12, article-19

EU AI Act and Open-Source AI: Where the Open-Weight Exemption Stops and the Deployer Obligation Starts

The EU AI Act carves out a limited exemption for AI released under free and open-source licences in Recital 89 and Article 2(12). The exemption covers some provider obligations on the model or component itself, but it does not apply once the system is placed on the market or put into service as a high-risk system, and it never covers the deployer of a high-risk system that uses the model. This piece walks through what the exemption actually says, where the obligations remain bound to the deployer, and what the operational stack has to produce regardless of model licensing.

Tags: eu-ai-act, open-source-ai, compliance, deployer-obligations, article-12

EU AI Act August 2, 2026 Deadline: The Operational Cutover for High-Risk AI Systems

August 2, 2026 is when the EU AI Act obligations for Annex III high-risk systems bind. The deadline applies to credit scoring, employment screening, education access, biometric identification, and the rest of the Annex III list; high-risk systems that are safety components of Annex I regulated products follow a year later, on August 2, 2027. The operational cutover requires logging, identity binding on the AI request path, conformity assessment evidence, and the per-decision record under Article 12. This piece walks through the cutover, what the obligation expects, and what the operational stack has to produce.

Tags: eu-ai-act, august-2-2026, compliance, high-risk-ai, article-12

EU AI Act Foundation Models: How the Regulation Treats Pre-Training, Fine-Tuning, and Substantial Modification

The EU AI Act does not use the term "foundation model" in its operative text. The regulation treats the underlying systems as general-purpose AI models, classifies them as carrying systemic risk under Article 51 (with a presumption at 10^25 cumulative training FLOPs in Article 51(2)), runs the notification procedure under Article 52, and attaches the additional systemic-risk obligations under Article 55. Fine-tuning and integration into downstream systems are handled separately, through the value-chain responsibilities in Article 25, under which a substantial modification or change of intended purpose can make the modifier the provider. The result is a layered obligation set that depends on whether the model is pre-trained, fine-tuned, or repurposed into a high-risk system.

Tags: eu-ai-act, foundation-models, gpai, compliance, ai-governance, regulation

EU AI Act GPAI: What General-Purpose AI Model Providers Owe Under Article 51 and the Article 53 Code of Practice

Article 51 sets a separate obligation track for general-purpose AI models and defines which of them count as systemic-risk GPAI; Article 52 sets the procedure for notifying the Commission and contesting that classification. Article 53 requires the provider to draw up and maintain technical documentation, to make information available to downstream providers, to put in place a copyright policy, and to publish a summary of training content. The GPAI obligations took effect August 2, 2025, ahead of the high-risk obligations. The General-Purpose AI Code of Practice, drawn up under Article 56 and published by the AI Office in July 2025, sets the practical compliance roadmap for the most-deployed foundation models in 2026.

Tags: eu-ai-act, gpai, foundation-models, compliance, ai-governance, regulation