Ethics Just Became Enforcement

EU 2024/1689

In August, the EU starts enforcing the AI Act. Three-quarters of companies admit their governance hasn’t kept pace.

The US published its national AI policy framework in March. California’s AI Safety Act is already live, with whistleblower protections and training data transparency requirements. The regulatory moment that’s been talked about for years is arriving.

The change isn’t in the rules themselves. It’s in what regulators now want to see.

Not ‘we have an AI principles document.’ Demonstrable controls. Evidence. Accountability you can point to.

That’s a different ask.

Implications.

What demonstrable controls actually means:

Can you trace a system’s output back to its inputs? If an AI decision gets challenged, can you show how it was reached?

Is there a documented path for a human to review or override the system? Not a theoretical option. A real, tested, working one.

Do you know what your model was trained on? This is becoming a statutory requirement in several places.

Have you written down what failure looks like and built something to detect it?

Who in your organisation is accountable when the system causes harm? Not responsible for the technology. Accountable for the outcome. That person should be named before the system goes live.

Risk by Application.

The assumption that this only applies to large enterprises is wrong.

The EU AI Act defines risk by application, not company size. Any AI used in hiring, performance management or termination decisions is high-risk, regardless of how small the company is. Any AI making customer-facing decisions in finance, healthcare or education sits in the same category. Biometric identification is high-risk by definition.

California and the US framework follow similar logic. Use case determines obligation, not headcount.

Plan Ahead.

The practical argument for doing this properly from the start isn’t regulatory. It’s financial.

Retrofitting governance onto a live system is expensive. It often means rebuilding parts of the system. It always means documenting decisions that weren’t made with documentation in mind.

Building accountability in from the start costs a conversation at the brief stage.

The questions aren’t technical. Who is accountable for outcomes? What does failure look like? How will decisions be traced? Where does a human review the output? What was the model trained on?

These are cheap questions early. They’re costly questions late.

What To Do.

Three questions worth asking about any AI system you’re building or running right now.

Can we trace the outputs back to their inputs? If no, that’s the first fix.

Who is accountable when this system is wrong? If that’s unclear, name the person before anything goes live.

What does failure look like, and does someone get alerted within 24 hours? If no, that’s a live compliance risk.

None of this is complicated. It just has to happen before launch, not after.

Which of these is hardest for your current setup to answer?