Anchor BlackBox™ Governance
AI Compliance Policy
Last updated: March 31, 2026
This Policy sets mandatory requirements for the design, procurement, integration, deployment, and oversight of Artificial Intelligence systems by Anchor BlackBox Inc. It aligns with the EU Artificial Intelligence Act and applicable U.S. requirements (FTC Act Section 5; CCPA/CPRA; VCDPA; ECOA, FCRA, HIPAA, FERPA, COPPA), as well as local ordinances such as NYC's Automated Employment Decision Tools (AEDT) and California AI transparency/safety statutes. Where frameworks conflict, we apply the more stringent standard.
1. Scope & Applicability
This Policy covers: (i) AI systems we develop or integrate into products/services; (ii) internal AI tools used for operations; and (iii) advisory engagements where we recommend, configure, or oversee client AI systems. It applies to all employees, contractors, consultants, and vendors.
1.1 Roles under the EU AI Act
- Deployer: when we use AI systems under our authority.
- Provider: when we place AI systems on the market under our name/trademark.
- Importer/Distributor: when we introduce third-party AI systems in the EU.
1.2 Leadership & Accountability
We designate an AI Risk Owner (senior executive) who chairs the AI Review Board, approves risk classifications and material changes, and reports to leadership on incidents, metrics, and improvements.
2. Key Definitions
3. AI Governance & Accountability
3.1 AI Review Board
Cross-functional Board (Legal/Compliance, Engineering, Product, Data Science, Security) chaired by the AI Risk Owner. Mandate: approve new use cases; audit live systems; investigate incidents; track regulatory changes. Meets monthly and ad hoc for urgent matters.
3.2 AI Inventory & Asset Register
- System name/version/owner; use-case and purpose; intended users.
- Risk class (Unacceptable / High / Limited / Minimal).
- Data sources, processing, retention.
- Third-party/model dependencies.
- Compliance artifacts (assessments, logs, incidents).
- Approval date, review cadence, responsible personnel.
4. Risk Classification & Assessments
For high-risk systems we complete a Fundamental Rights Impact Assessment (FRIA) covering privacy/bias/rights impacts, mitigations, and residual risk, retained for Board review.
5. Data Governance, Privacy & Intellectual Property
5.1 Data Quality
Relevance and representativeness; accuracy and completeness; bias mitigation; traceability.
5.2 Privacy & Data Protection
Lawful basis; minimization/purpose limitation; retention limits; security; cross-border safeguards.
5.3 IP & Licensing
License verification and attribution; provenance checks; legal review for datasets/models where appropriate.
6. Transparency, Disclosures & Content Provenance
6.1 User-Facing Disclosures
AI interaction notice; purpose/scope; limitations/risks; human contact/oversight availability.
6.2 AI-Generated Content
Provenance signals (watermarking/metadata); disclosure of AI involvement; preservation of originals/audit trails.
6.3 Technical Documentation
Architecture/data flows/logic; training data and performance metrics; risk mitigations; instructions for use.
7. Human Oversight, Contestation & Due Process
7.1 HITL Requirements
Qualified reviewers; override/intervention capability; meaningful human review; fallback procedures.
7.2 Individual Rights & Contestation
Access information; request human review; contest/appeal; remediation paths.
8. Model Quality, Safety, Fairness & Security
8.1 Validation & Testing
Performance benchmarks; robustness; fairness audits; safety validation; explainability.
8.2 Cybersecurity & Adversarial Resilience
Secure SDLC; model protection; red-team/adversarial testing; incident response; patching.
8.3 Continuous Monitoring
KPIs; drift detection; alerts and escalation; periodic re-evaluation.
9. Logging, Monitoring & Incident Management
9.1 Logging
Inputs/outputs, pseudonymous IDs, timestamps; model version/config; oversight actions; errors/anomalies.
9.2 Incidents
Classification (serious/near-miss); root-cause analysis; corrective actions; central incident register.
9.3 Reporting
Serious incident notifications; transparency reports; data-breach notifications; regulator cooperation.
10. Third-Party Vendors, Open-Source & GPAI
10.1 Vendor Due Diligence
Regulatory posture; data handling; transparency; performance; incident processes. Contractual protections required.
10.2 Open-Source Components
Licenses and attribution; provenance/limitations; independent validation; security updates; guardrails and oversight.
10.3 GPAI Obligations
Upstream documentation; downstream integration safeguards; systemic-risk duties where applicable (in force August 2, 2025).
11. U.S. Federal & State Requirements
11.1 Federal
No comprehensive federal AI statute is in effect as of March 2026. We apply existing sector laws (FTC Act Section 5; ECOA/FCRA; HIPAA; FERPA; COPPA) and monitor executive and agency developments, including Executive Order 14179 (January 2025) and the OMB Memorandum on Federal AI Governance (April 2025).
11.2 California
AI Transparency Act (effective January 1, 2026); Generative AI Training Data Transparency Act AB 2013 (effective January 1, 2026); CCPA/CPRA ongoing enforcement.
11.3 Texas
TRAIGA (effective September 1, 2025): pre-decision notification, appeal pathways, anti-discrimination safeguards, and documentation for consequential AI decisions.
11.4 Colorado
Colorado AI Act (effective June 30, 2026): comprehensive obligations for high-risk AI systems including annual impact assessments.
11.5 New York
NYC Local Law 144 (AEDT) in force; New York RAISE Act pending Governor signature. Multiple state-level AI bills under legislative review.
12. EU AI Act & European Frameworks
EU AI Act (Regulation 2024/1689) in force August 1, 2024 with phased obligations:
- February 2, 2025: Prohibited practices take effect (social scoring, subliminal manipulation, emotion recognition in workplace/education).
- August 2, 2025: GPAI obligations apply. Technical documentation, copyright compliance, training data summaries required.
- August 2, 2026: Full high-risk AI obligations (Annex III: employment/HR, education, essential services, law enforcement). Pre-market conformity assessment and post-market monitoring required.
Penalties: up to 35M EUR or 7% of global turnover for prohibited practices. Extraterritorial reach where AI systems are placed on the EU market.
12.5 EU AI Office
Coordinates enforcement for GPAI models across member states. We monitor EU AI Office guidance and codes of practice as they develop.
12.6 EU Digital Omnibus
European Commission proposal (late 2025) seeking to align GDPR, EU AI Act, and ePrivacy. Outcome pending as of March 2026. We treat existing obligations as operative.
13. Asia-Pacific & International Requirements
- China: Generative AI Services Management Measures (enforced 2023); AI-Generated Content Labelling Measures (September 2025); Cybersecurity Law Amendments with AI provisions (January 2026).
- South Korea: AI Basic Act (in force January 2026) with risk-based classification and individual rights.
- Japan: AI Promotion Act (June 2025), non-binding, principles-based.
- Singapore: Model AI Governance Framework for Agentic AI (January 2026), the world's first comprehensive agentic AI governance framework.
- Vietnam: AI Law (phased from March 2026), first binding AI law in Southeast Asia.
- Canada: Artificial Intelligence and Data Act (AIDA) advancing in 2026, aligned with EU risk-based model.
- Brazil: AI Framework Bill No. 2338 (Senate-approved December 2024, awaiting final approval).
Where frameworks conflict, we apply the more stringent standard. We use the EU AI Act as our compliance ceiling and NIST AI RMF as our governance foundation.
14. Individual Rights Requests
Individuals may request access, correction, deletion, portability, restriction, or objection to profiling. For contested AI outcomes, we provide meaningful information on the logic involved and arrange human review.
Submit Individual Rights Requests:
Or use our on-site Data Privacy Request form.
15. Children, Biometrics & Sensitive Uses
- Parental consent where required.
- Heightened scrutiny for biometrics/health/finance data.
- Elevated precision thresholds for sensitive use cases.
- Human-in-the-loop required for consequential decisions.
- Prohibited: practices lacking scientific basis (e.g., emotion recognition in hiring).
16. Change Management & Versioning
- Change tickets with risk assessment.
- Updated tests/validation before deployment.
- AI Review Board sign-off for material changes.
- Version pinning/rollback/kill-switches required.
- Complete audit trails maintained.
17. Contact & Enforcement
Questions, concerns, or requests relating to this Policy should be directed to:
Anchor BlackBox Inc. -- Legal
301 Arizona Ave, Santa Monica, CA 90401