Showing Posts From

Ai regulatory risk enterprise

Regulatory Exposure Your Legal Team Hasn't Priced In Yet

Regulatory Exposure Your Legal Team Hasn't Priced In Yet

Most enterprise legal teams have a mental model for new regulation built from the GDPR experience: wait for the law to come into force, watch the early enforcement actions to understand where the real exposure sits, then document accordingly. Move fast on the documentation, slow on the underlying change. Find out where the lines are before you invest in compliance infrastructure. That model worked reasonably well for GDPR — enforcement was slow, penalties in the early years were manageable, and the documentation-first approach bought time without serious consequences in most cases. It is the wrong model for the EU AI Act. The difference is structural. GDPR primarily required documentation of existing practices and some adjustments to data handling procedures. The EU AI Act, in its high-risk provisions, requires conformity assessment before deployment — not documentation of what you're already doing, but evidence that the system meets requirements before it goes live. Organizations that apply the GDPR mental model will find themselves with AI systems in production that haven't been through the required assessments, with no clean path to retroactive compliance, and with exposure that compounds with every decision the system makes while out of conformity. What the Act actually says The EU AI Act classifies AI systems into four tiers based on the risk of harm their deployment creates. Unacceptable risk systems are prohibited outright: social scoring by governments, real-time biometric identification in public spaces for law enforcement (with narrow exceptions), AI that exploits vulnerable groups, and systems that manipulate behavior through subliminal techniques. These are banned — no compliance path, no exemption. High-risk systems are the category most enterprises need to focus on. These require conformity assessment before deployment, ongoing monitoring in production, mandatory human oversight mechanisms, detailed technical documentation, and registration in an EU database before deployment. The high-risk categories include: AI systems used in hiring and employee management, credit scoring and credit access, insurance underwriting, educational admission and assessment, law enforcement support, migration and asylum processing, administration of justice, critical infrastructure management, and certain medical device software. Limited risk systems — primarily chatbots and AI-generated content — require transparency disclosures: users must be told they're interacting with AI. Minimal risk systems have no mandatory requirements under the Act, though voluntary codes of conduct may apply. The high-risk category is where most enterprise exposure sits, and it's larger than most legal teams initially assume when they scan the definition. Which enterprise use cases are actually high-risk The hiring dimension alone is significant. Any AI system used to sort, screen, rank, or make recommendations about job candidates or existing employees falls into high-risk. That includes resume screening tools, interview analysis software, performance management AI, and automated scheduling or task assignment systems that affect working conditions. Most large enterprises now use at least one tool in this category, often embedded in HR software they didn't build and may not have evaluated from an AI Act perspective. Credit and financial services exposure is equally broad. AI systems used in credit scoring, creditworthiness assessment, and insurance risk pricing are high-risk. This includes systems used by banks, insurers, and any firm offering financial products that involves AI-driven eligibility or pricing decisions. The medical device software provisions catch more organizations than expected. AI software that is a safety component of a medical device, or AI used to make clinical decisions affecting patient care, falls into high-risk — including software used by healthcare providers, not just device manufacturers. The critical infrastructure category covers AI used in the management of roads, railways, airports, water, gas, electricity, and certain digital infrastructure. This is relevant not just for utilities but for logistics companies, transportation operators, and cloud infrastructure providers. Why the GDPR parallel breaks down Under GDPR, the primary obligation is to document how you process personal data and to meet certain data subject rights requirements. The documentation has to be accurate, but the underlying processing can largely continue while you get the documentation in order. Under the EU AI Act, high-risk systems cannot be deployed until they have passed a conformity assessment. The assessment covers: risk management processes, data governance for training data, technical documentation of system design and performance, logging and monitoring capabilities, transparency and instruction requirements, human oversight mechanisms, and accuracy and robustness requirements. This isn't a documentation exercise that follows deployment. It's a pre-deployment gate. An organization that deploys a high-risk AI system without completing conformity assessment is not behind on compliance documentation — it is operating an illegal system. The penalty structure reflects this. Maximum penalties for prohibited systems are €35 million or 7% of global annual turnover. For high-risk system violations, the maximum is €15 million or 3% of global turnover. These are not late-documentation penalties — they're deployment penalties, applying to every period the non-compliant system was in operation. The extraterritorial reach The EU AI Act applies to any provider that places AI systems on the EU market or puts them into service in the EU, and to any deployer that uses AI systems in the EU — regardless of where the provider or deployer is based. A US company selling software that includes an AI hiring tool to European customers is a provider subject to the Act. A UK company using an AI credit scoring system for its European customers after Brexit is a deployer subject to the Act. A global company running an AI performance management system for its European employees is subject to the Act for those deployments. The extraterritorial scope is broader than most non-EU legal teams initially assume, and the relevant analysis is not "are we an EU company" but "are we deploying AI systems that affect people in the EU." The foundation model provisions The EU AI Act includes specific provisions for general-purpose AI models — what the Act calls GPAI models — which are relevant for any organization using large language model APIs from providers like OpenAI, Anthropic, Google, or Meta. GPAI providers have their own compliance obligations. But organizations that build applications on top of GPAI models are deployers of those capabilities, and the Act creates a liability chain. If you build a high-risk application on top of a GPAI model, your conformity assessment needs to address the GPAI component — you can't simply defer to the model provider's compliance documentation as if your deployment decisions are irrelevant. The practical implication: if you're using an LLM API to power a system that falls into a high-risk use case — an AI system that helps make hiring decisions, credit assessments, or medical triage — the fact that you're using a third-party model doesn't eliminate your conformity assessment obligation for the application layer you've built. What to do now vs. what can wait The Act has a phased implementation timeline. Prohibited system provisions are already in force. High-risk system requirements apply progressively based on system type, with most provisions applying from August 2026 onward, and some extended timelines for specific categories. This creates a window — but it's narrower than it appears, because conformity assessment for complex AI systems takes time. Running the assessment, remediating gaps, completing documentation, and registering in the EU AI database is a 6–12 month process for a well-prepared organization. Organizations that start this process in mid-2026 may find themselves past the deadline. What to do now: inventory every AI system used by your European employees or affecting your European customers. Classify each against the Act's risk tiers. For high-risk systems, begin the conformity assessment process. Flag the GPAI component for any application built on LLM APIs. What can wait: the transparency and labeling requirements for limited-risk systems can be addressed in a second wave. The voluntary codes of conduct for minimal-risk systems are not urgent. The documentation maintenance requirements for compliant high-risk systems are ongoing, not front-loaded. The organizations that will be in the most difficult position in 2026 are those that decided to monitor the situation rather than act on it. The monitoring strategy works when compliance is about documentation. It fails when compliance is a deployment gate — and for the EU AI Act's high-risk provisions, that's exactly what it is.

Read full article