Know the Rules: What Compliance Demands
The AI Regulation Landscape
Most professionals believe AI regulation is either a distant future problem, a purely technical issue for IT departments, or something so complex that ordinary employees have no role in it. All three beliefs are wrong, and acting on them puts your organization at real legal and reputational risk right now. The rules governing how AI can be used at work are already in force in many jurisdictions, they apply directly to business decisions made by non-technical staff, and your daily choices about which AI tools to use and how to use them are already compliance decisions whether you realize it or not. This lesson breaks down the three most common misconceptions professionals carry into the AI regulation conversation and replaces them with accurate, actionable mental models you can use starting this week.
Three Things Most Professionals Get Wrong About AI Regulation
- "AI regulation is coming eventually, we have time to prepare." (Wrong. Key laws are already active.)
- "Regulation only affects the companies that build AI, not the companies that use it." (Wrong. Users carry significant legal obligations.)
- "Our legal or IT team handles compliance, this isn't a manager's problem." (Wrong. Frontline professionals make compliance-critical decisions daily.)
Myth 1: "AI Regulation Is Still Coming. We Have Time"
Historical Record
European Union
The European Union's AI Act passed in 2024 and began its phased rollout immediately, with certain high-risk provisions becoming enforceable in early 2025.
The EU AI Act represents the first comprehensive AI regulation framework in a major market and establishes binding compliance obligations for organizations operating in or serving European customers.
Beyond formal legislation, sector-specific regulators have moved quickly. The U.S. Federal Trade Commission has taken enforcement actions against companies making misleading AI-related claims. The UK's Information Commissioner's Office has issued detailed guidance on AI and data protection under GDPR-equivalent law. Canada's Artificial Intelligence and Data Act is progressing through Parliament. Financial services regulators in the EU, UK, and US have all published AI-specific guidance that firms in those sectors must follow now. If your organization operates across borders, or uses AI tools hosted in different countries, you are already operating inside a complex web of overlapping rules.
The "we have time" belief often comes from confusing the timeline for full implementation with the timeline for initial compliance obligations. The EU AI Act, for example, has a phased schedule: the most severe restrictions on unacceptable-risk AI systems took effect in early 2025, high-risk system requirements phase in through 2026 and 2027, and general-purpose AI model rules apply from 2025 onward. Organizations that wait for the final deadline to begin compliance work will find themselves scrambling. Regulators across jurisdictions have been explicit that good-faith preparation efforts matter, and that documented inaction does not help when an audit or complaint occurs.
The Clock Has Already Started
Myth 2: "Regulation Only Targets AI Builders, Not AI Users"
It feels logical to assume that the companies building ChatGPT, Copilot, or Gemini are the ones regulators care about, and that organizations simply using those tools are off the hook. This assumption is incorrect, and it is specifically contradicted by the text of major AI laws. The EU AI Act explicitly defines obligations for both "providers" (those who build and place AI systems on the market) and "deployers" (organizations that use AI systems in a professional context). As a deployer, your company has its own distinct legal duties: conducting risk assessments for high-risk AI applications, maintaining usage logs, ensuring human oversight mechanisms are in place, and providing transparency to affected individuals.
Consider a concrete example. A mid-sized HR team at a European company starts using an AI-powered recruitment screening tool, perhaps something built on top of GPT-4 by a third-party HR software vendor. Under the EU AI Act, AI systems used for employment screening are classified as high-risk. The vendor has obligations as the provider. But the HR team's employer has separate obligations as the deployer: they must conduct a fundamental rights impact assessment, keep records of the system's use, ensure a human reviews AI-generated decisions before they affect candidates, and give candidates information about the AI's role in their assessment. None of these obligations disappear because a vendor built the underlying tool.
This deployer responsibility extends into U.S. law as well, even without a comprehensive federal AI statute. When a company uses an AI tool that produces a discriminatory hiring outcome, the EEOC's position is clear: the employer bears liability, not just the software vendor. The same logic applies in lending decisions governed by the Equal Credit Opportunity Act, in tenant screening under Fair Housing regulations, and in healthcare triage tools subject to anti-discrimination provisions. Using a third-party AI tool does not transfer your legal obligations to the vendor. It means you now share compliance responsibility with them, and you need contracts, audits, and oversight processes to manage that shared responsibility.
Prompt
I'm an HR manager at a company with 200 employees in Germany. We're considering using an AI-powered tool called HireVue for video interview screening. I need to understand what our legal obligations are as the company using this tool, not what HireVue's obligations are, but ours specifically. What do we need to do before we deploy it, while we're using it, and what documentation do we need to keep? Please focus on EU AI Act requirements and GDPR. Keep it practical. I'm not a lawyer.
AI Response
As the deploying organization, here's what you're responsible for under the EU AI Act and GDPR:

**Before you deploy HireVue:**
- Conduct a Fundamental Rights Impact Assessment (FRIA). This is a documented analysis of how the tool could affect candidates' rights, particularly around bias, privacy, and fairness. You don't need a lawyer to start this; HireVue should provide documentation about how their system works, and you assess the risks in your specific context.
- Register the system in the EU's AI database (required for high-risk AI systems, employment screening qualifies).
- Sign a data processing agreement with HireVue under GDPR Article 28, confirming they process candidate data only on your instructions.
- Verify that HireVue has provided a technical compliance file showing the system meets EU AI Act requirements.

**While you're using it:**
- Maintain logs of every hiring decision where the AI was involved. Keep these for at least the duration of employment, and longer for candidates not hired.
- Ensure a human recruiter reviews and can override any AI recommendation before it affects a candidate.
- Tell candidates in your job postings or application process that AI is used in screening.

**Ongoing documentation:**
- Keep your FRIA updated if your use of the tool changes.
- Record any complaints or anomalies and how you responded.
- Train anyone using the tool on what it does and doesn't do.

Bottom line: you cannot delegate these obligations to HireVue. They're yours as the deployer.
Myth 3: "Our Legal or IT Team Handles AI Compliance. It's Not My Problem"
Legal and IT teams play a critical role in AI compliance, but they cannot do it alone, and the structure of modern AI regulation specifically places obligations on the people making day-to-day decisions. When a marketing manager chooses to use an AI tool to generate personalized email campaigns based on customer behavioral data, that decision triggers GDPR considerations around automated profiling. When a sales director instructs their team to use an AI call-analysis tool to assess customer sentiment, that decision may require employee notification under labor laws in several EU countries. When a school principal approves the use of an AI tutoring platform that tracks student learning data, FERPA obligations are activated. None of these decisions originate in the legal department. They originate with professionals doing their jobs.
The EU AI Act reinforces this by requiring that deploying organizations ensure their staff have "sufficient AI literacy" to operate AI systems appropriately. This is not a soft recommendation; it is a legal requirement, and it applies to the people using the tools, not just the people administering them. Microsoft Copilot, Google Gemini for Workspace, and similar enterprise AI tools are being adopted at the departmental level, often faster than governance frameworks can keep pace. The professionals choosing to use these tools, deciding what data to input, and acting on the outputs are making compliance decisions. Treating this as someone else's problem is not just philosophically wrong; it is legally inaccurate.
Myth vs. Reality: A Direct Comparison
| Common Myth | What Professionals Believe | The Actual Reality | Practical Implication |
|---|---|---|---|
| Myth 1: Regulation is coming | We have 2-3 years before we need to worry about AI laws | Key provisions of the EU AI Act are already enforceable; EEOC and FTC guidance is active in the US | Organizations operating in or selling to the EU need compliance processes now, not in 2027 |
| Myth 2: Only builders are regulated | Vendors like OpenAI or Microsoft carry the legal burden for their AI tools | Deploying organizations have their own distinct legal duties under the EU AI Act, GDPR, and US sector laws | Before adopting any AI tool for a sensitive use case, your organization must assess and document its own obligations |
| Myth 3: Legal/IT handles this | Compliance is a back-office function handled by specialists | Frontline professionals make compliance-triggering decisions daily; the EU AI Act requires AI literacy from all users | Managers, HR teams, marketers, and educators need basic regulatory literacy as part of their professional skill set |
What Actually Works: A Realistic Mental Model for AI Regulation
The most useful mental model for non-technical professionals is to think of AI regulation the way you think about employment law or data privacy law. You do not need to be a lawyer to understand that you cannot ask candidates their age in a job interview, or that you cannot share a customer's home address without their consent. You have internalized those rules as professional norms. AI regulation is following the same trajectory: it is moving from specialist knowledge to baseline professional literacy. The professionals who get ahead of this curve are not the ones memorizing legal statutes. They are the ones who understand which categories of AI use carry higher risk, what questions to ask before adopting a new tool, and when to escalate to legal or compliance teams.
A practical framework used by compliance-aware organizations is to categorize AI use cases by risk level before deploying any tool. Low-risk uses (drafting internal emails with Copilot, summarizing meeting notes with Otter.ai, generating social media ideas with ChatGPT Plus) carry minimal regulatory exposure because they do not make consequential decisions about people. Medium-risk uses (AI-assisted performance reviews, customer sentiment analysis, automated marketing personalization) require documentation, human review, and sometimes explicit disclosure. High-risk uses (AI in hiring, credit decisions, healthcare triage, benefits eligibility, or student assessment) require formal risk assessments, detailed records, and in the EU, registration with regulatory authorities. This three-tier mental model is not a legal opinion, but it maps reasonably well onto how both the EU AI Act and US sector guidance actually categorize risk.
The organizations navigating AI regulation most successfully in 2025 share a common trait: they have distributed basic AI governance awareness across departments rather than siloing it in legal or IT. This does not mean every employee needs a law degree. It means that when a procurement manager is evaluating a new AI vendor, they know to ask for the vendor's EU AI Act compliance documentation. It means that when an HR business partner wants to use an AI tool to screen résumés, they know to flag it for a compliance review before launch rather than after. It means that when a sales team starts using an AI tool that records and analyzes customer calls, they know that disclosure to customers, and in many EU countries, to employees, is not optional. Distributed awareness prevents the most common and costly compliance failures.
Your Three-Question Compliance Check
Goal: Identify which AI tools your team currently uses, categorize them by risk level using the three-tier framework, and flag any that require immediate compliance attention.
1. Open a blank document or spreadsheet and create four columns: Tool Name, What We Use It For, Does It Affect Decisions About People? (Yes/No), Risk Category (Low/Medium/High).
2. List every AI-powered tool your team uses regularly. Include obvious ones (ChatGPT, Copilot, Grammarly AI) and less obvious ones (any software with an 'AI insights' or 'smart recommendations' feature).
3. For each tool, write one sentence describing the specific task you use it for; be concrete, not general. Example: 'We use HireVue to pre-screen video interviews for our customer service roles' rather than 'We use it for hiring.'
4. For each tool, answer the 'Does it affect decisions about people?' question honestly. If the AI output influences how you treat a specific individual (candidate, employee, customer), the answer is yes.
5. Assign a risk category using the three-tier model: Low (internal productivity, no personal decisions), Medium (customer-facing personalization, performance insights, sentiment analysis), High (hiring, credit, health, benefits, student assessment).
6. Highlight any tools you have categorized as Medium or High risk. For each highlighted tool, write one sentence describing what human review or oversight currently exists, or note 'none' if there isn't any.
7. Identify the single highest-risk tool on your list and write down three specific questions you would ask your legal or compliance team about it.
8. Save this document. In the next section of this lesson, you will use it as a reference when we examine how specific regulations apply to specific tool categories.
9. If you are completing this as part of a team exercise, share your list with one colleague and compare results; teams often discover tools others are using that no one else knew about.
Frequently Asked Questions
- Q: Does the EU AI Act apply to my company if we're based in the US? A: Probably yes, if you have customers, employees, or operations in the EU, or if you use AI systems that were developed or are hosted in the EU. The Act follows the same extraterritorial logic as GDPR: it applies based on where the people affected are located, not just where your company is headquartered. A US company using AI to screen job applicants in Germany is a deployer under the Act.
- Q: What counts as a 'high-risk' AI system under the EU AI Act? A: The Act lists specific categories: AI used in hiring and employment management, education and vocational training, access to essential services (credit, housing, insurance), law enforcement, border control, administration of justice, and critical infrastructure. If your AI tool touches any of these areas, it is almost certainly high-risk. When in doubt, assume high-risk and seek legal confirmation rather than the reverse.
- Q: We use Microsoft Copilot integrated into our Office 365. Does that create compliance obligations? A: Using Copilot for drafting emails, summarizing documents, or generating presentations is generally low-risk. However, if you use Copilot to analyze employee performance data, generate insights about specific customers from CRM data, or support decisions about individuals, the risk profile changes. Microsoft has published EU AI Act compliance documentation for Copilot; your IT or legal team should review it for your specific use cases.
- Q: What's the difference between the EU AI Act and GDPR? Do both apply? A: GDPR governs personal data, how it's collected, stored, processed, and protected. The EU AI Act governs AI systems specifically, how they're built, deployed, and overseen. They overlap significantly because AI systems often process personal data. For most professional AI use cases, you need to consider both. GDPR has been in force since 2018 and is well-established. The AI Act is newer and adds a layer of AI-specific obligations on top of existing data protection requirements.
- Q: What are the actual penalties if we get this wrong? A: Under the EU AI Act, fines for the most serious violations (prohibited AI practices) can reach €35 million or 7% of global annual turnover, whichever is higher. For high-risk AI system violations, fines reach €15 million or 3% of turnover. For providing incorrect information to authorities, €7.5 million or 1.5% of turnover. Under GDPR, fines can reach €20 million or 4% of global turnover. In the US, EEOC enforcement actions and FTC penalties vary but can include significant financial liability and reputational damage from public enforcement actions.
- Q: I'm a small business owner with five employees. Does all of this still apply to me? A: Scale matters in AI regulation. The EU AI Act includes provisions that reduce the burden on small and medium enterprises. SMEs and startups have access to regulatory sandboxes (testing environments with lighter oversight) and some reduced documentation requirements. However, the core prohibitions and high-risk category rules apply regardless of company size. If you are using an AI hiring tool, a credit-scoring tool, or a student assessment tool, the risk classification does not change because you are small. The practical advice: if you serve EU customers or operate in the EU, even as a small business, the basic compliance obligations apply.
Three Things Most Professionals Get Wrong About AI Regulation
Most professionals operating in 2024 carry one of three assumptions about AI regulation: that it's too vague to affect their daily work, that compliance is purely an IT or legal department problem, or that regulations only apply to companies actually building AI systems. All three assumptions are wrong, and acting on any of them creates real professional and organizational risk. The regulations taking shape right now create obligations for the people using AI tools, not just the people coding them. Understanding where the misconceptions break down is the fastest way to protect yourself and your organization.
Myth 1: AI Regulations Are Too Vague to Have Real Teeth
The complaint sounds reasonable: regulations use phrases like 'appropriate safeguards' and 'meaningful human oversight' without defining exactly what those mean in practice. Professionals interpret this vagueness as a sign that enforcement is distant, theoretical, or unlikely to touch their organization. That interpretation is dangerously incomplete. The EU AI Act, which entered into force in August 2024, includes fines of up to €35 million or 7% of global annual turnover for the most serious violations, whichever is higher. Those are not theoretical numbers. They are the same order of magnitude as GDPR penalties, and GDPR enforcement has already cost companies like Meta over €1.2 billion in a single ruling.
Vague language in regulation doesn't mean weak regulation. It means regulators retain discretion to interpret violations broadly. GDPR's 'appropriate technical measures' language was similarly criticized as vague when it launched in 2018. Six years later, it has produced hundreds of enforcement actions across Europe. The AI Act follows the same legislative architecture deliberately. Regulators write flexible standards so the law doesn't become obsolete as technology evolves. For professionals, this means the absence of a specific rule saying 'you cannot do X with ChatGPT' is not the same as permission to do anything.
The vagueness also disappears quickly when you look at sector-specific guidance layered on top of framework regulations. The US Equal Employment Opportunity Commission has issued explicit guidance on AI in hiring. The UK Information Commissioner's Office has published detailed rules on AI and data protection. The US Federal Trade Commission has taken enforcement action against companies for deceptive AI claims. The picture that emerges is not vague at all; it's a patchwork of increasingly specific requirements that apply to HR managers, marketing directors, and procurement officers right now, not someday in the future.
Vague Language ≠ No Enforcement
Myth 2: Compliance Is the Legal or IT Department's Problem
This assumption is the most comfortable one, and therefore the most dangerous. It allows professionals to keep using AI tools without thinking critically about how they're using them, because someone else is responsible for making sure everything is above board. The problem is that most AI regulations explicitly assign obligations to the people making decisions with AI outputs, not just the people configuring the systems. The EU AI Act's requirements for human oversight in high-risk applications mean the manager reviewing an AI-generated candidate ranking is part of the compliance chain, not just the vendor who built the tool.
Think about a hiring manager using an AI screening tool to filter 400 applications down to 20 for review. Under EEOC guidance and EU AI Act provisions, that manager has responsibilities: understanding what criteria the AI used, being able to explain why candidates were excluded, and ensuring the process doesn't produce disparate impact on protected groups. None of those obligations can be fully delegated to IT or legal. The hiring manager is the human in the loop. If they rubber-stamp AI outputs without genuine oversight, they, and their organization, own the compliance exposure.
The same logic applies in marketing, finance, customer service, and education. A marketing manager who uses an AI tool to generate targeted ad copy based on demographic profiling may be touching data privacy regulations. A teacher using AI to grade essays needs to understand whether those outputs could be challenged for bias. A financial advisor using AI to generate client recommendations faces fiduciary and suitability obligations that don't disappear because an algorithm made the suggestion. Regulation follows the decision, not just the tool. If you're making or approving decisions with AI, you're in scope.
Prompt
I'm an HR manager at a mid-sized retail company with about 800 employees. We've started using an AI tool to screen resumes and rank candidates before human review. I need to understand what compliance obligations this creates for me personally and for my team, not for our IT department, but for the people actually using the tool day-to-day. We operate in the US and sell to EU customers but don't have EU employees yet. What should I be doing differently starting Monday?
AI Response
Your compliance exposure is more immediate than most HR managers realize, and it sits squarely with your team, not IT. Here's what applies to you right now:

**EEOC and Adverse Impact Monitoring**: The EEOC's 2023 guidance on AI in hiring makes clear that employers are responsible for monitoring whether AI screening tools produce disparate impact on protected classes, race, gender, age, disability status. You don't need to audit the algorithm yourself, but you do need to track outcomes. Start keeping a simple record: how many candidates from each demographic group entered the AI screening stage, and how many passed through to human review. If you see a significant gap, you have an obligation to investigate.

**Explainability for Rejected Candidates**: Under existing employment law, candidates can request reasons for rejection. If your AI tool can't give you a plain-language explanation of why it ranked someone low, you have a problem. Ask your vendor today: 'Can you give me a human-readable explanation for any individual ranking decision?' If the answer is no, escalate that to legal before your next hiring cycle.

**Documentation of Human Review**: The fact that a human reviews the AI shortlist only protects you if that review is genuine. Document that your team actually evaluated the AI's reasoning, not just accepted the ranking. A two-sentence note per hire explaining why the final decision was made is a reasonable starting point.

**Monday Action**: Pull your last three hiring cycles. Check whether the AI-screened shortlists reflect the demographic mix of your applicant pool. Flag any gaps and bring them to your legal team with the data, not just a question.
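The per-group tracking the response above recommends, written out as an added Python example (not part of the lesson): it computes each group's pass-through rate from the AI screening stage to human review and flags any group whose rate falls below 80% of the highest group's rate. That 80% threshold (the four-fifths rule of thumb) and the sample counts are assumptions; the lesson itself only speaks of a 'significant gap'.

```python
"""Adverse-impact check for one AI-screened hiring cycle.

Added illustration, not from the lesson. Per demographic group it takes how
many candidates entered the AI screening stage and how many passed through to
human review, then compares pass-through rates. The 80% threshold is an
assumption (the four-fifths rule of thumb); the lesson only says "a significant
gap", so confirm the threshold with your legal team.
"""
from __future__ import annotations

from dataclasses import dataclass

FOUR_FIFTHS = 0.8  # assumed threshold; adjust to your legal team's guidance


@dataclass(frozen=True)
class GroupResult:
    group: str
    entered: int
    passed: int
    selection_rate: float | None  # passed / entered, None when nobody entered
    impact_ratio: float | None    # this group's rate divided by the best group's rate
    flagged: bool                 # True when impact_ratio falls below the threshold


def adverse_impact_check(counts: dict[str, tuple[int, int]],
                         threshold: float = FOUR_FIFTHS) -> dict[str, GroupResult]:
    """Compare each group's pass-through rate with the highest group's rate.

    counts maps a group label to (entered, passed). Groups with no entrants get
    no rate and are never flagged, but stay in the output so the gap in the
    data is visible rather than silently dropped.
    """
    rates: dict[str, float | None] = {}
    for group, (entered, passed) in counts.items():
        if entered < 0 or passed < 0 or passed > entered:
            raise ValueError(f"inconsistent counts for {group!r}: {entered=} {passed=}")
        rates[group] = passed / entered if entered else None

    known = [r for r in rates.values() if r is not None]
    best = max(known) if known else None

    results: dict[str, GroupResult] = {}
    for group, (entered, passed) in counts.items():
        rate = rates[group]
        ratio = None if rate is None or not best else rate / best
        results[group] = GroupResult(
            group=group, entered=entered, passed=passed,
            selection_rate=rate, impact_ratio=ratio,
            flagged=ratio is not None and ratio < threshold,
        )
    return results


def flagged_groups(counts: dict[str, tuple[int, int]],
                   threshold: float = FOUR_FIFTHS) -> list[str]:
    """Sorted names of the groups whose pass-through rate falls below the threshold."""
    return sorted(g for g, r in adverse_impact_check(counts, threshold).items() if r.flagged)


# Constructed sample cycle: group -> (entered AI screening, passed to human review)
SAMPLE_CYCLE = {
    "group A": (120, 48),       # 40.0% selection rate (the best)
    "group B": (80, 20),        # 25.0% -> 0.625 of the best rate, below 0.8
    "group C": (60, 21),        # 35.0% -> 0.875 of the best rate
    "not disclosed": (0, 0),    # nobody entered; rate undefined, kept visible
}

if __name__ == "__main__":
    for r in adverse_impact_check(SAMPLE_CYCLE).values():
        rate = "n/a" if r.selection_rate is None else f"{r.selection_rate:.1%}"
        print(f"{r.group:14} entered={r.entered:4} passed={r.passed:4} "
              f"rate={rate:>6} flagged={r.flagged}")
```

Run it over each of the last three cycles the response asks you to pull; a flagged group is the data point to bring to legal, not a legal conclusion in itself.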
Myth 3: Regulations Only Apply to Companies Building AI
The intuition here makes surface-level sense: OpenAI builds ChatGPT, so OpenAI is the regulated entity. Your company just uses the tool. This framing collapses quickly when you look at how the EU AI Act categorizes responsibility. The Act distinguishes between AI 'providers', companies that build and place AI systems on the market, and AI 'deployers', organizations that put those systems to use in their operations. Deployers carry their own set of obligations, including conducting fundamental rights impact assessments for high-risk applications, ensuring human oversight, and maintaining logs of AI system use. If you're using AI tools in HR, credit assessment, education, or critical infrastructure, your organization is a deployer with legal obligations regardless of whether you wrote a single line of code.
The deployer distinction matters enormously for non-technical professionals because it means vendor contracts and terms of service are not sufficient compliance protection. Signing up for an enterprise AI tool and ticking the 'I agree' box on the vendor's terms does not transfer your regulatory obligations to the vendor. It may allocate some liability, but your organization still owns the obligation to use the tool responsibly within the scope the regulation defines. A hospital using an AI diagnostic tool is a deployer. A bank using AI for loan decisioning is a deployer. A school using AI for student assessment is a deployer. The compliance work lives inside your organization, not inside your vendor's.
| Myth | Why Professionals Believe It | The Reality | What It Means for You |
|---|---|---|---|
| Regulations are too vague to enforce | Legal language uses broad principles rather than specific rules | Flexible language gives regulators more enforcement discretion, not less. GDPR proved this | Assume principle-based rules apply to your use case; get ahead of them rather than waiting for specifics |
| Compliance is IT or Legal's problem | Technical tools seem like technical responsibilities | Regulations assign obligations to decision-makers, not just tool-builders or tool-buyers | If you use AI outputs to make or influence decisions, you are in the compliance chain |
| Only AI builders face regulation | The company that makes ChatGPT seems like the logical target | The EU AI Act and others explicitly regulate 'deployers', organizations using AI in their operations | Your vendor contract doesn't transfer your regulatory obligations; your organization owns them |
| US companies don't face EU rules | Geographic separation seems like regulatory separation | The EU AI Act applies to any AI system used in the EU or affecting EU residents, regardless of where the company is based | If you have EU customers, partners, or employees, EU AI rules likely apply to your operations |
What Actually Works: Building a Practical Compliance Posture
The professionals who handle AI regulation well aren't waiting for their legal team to hand them a policy document. They're building habits around three practical questions they ask before deploying any AI tool in a meaningful workflow. First: what decision or output is this AI influencing, and who could be harmed if it's wrong or biased? Second: can I explain the AI's output to a colleague, a client, or a regulator in plain language? Third: is there a human with genuine authority and genuine understanding making the final call? These questions don't require a law degree. They require the same professional judgment you'd apply to any significant business decision.
Documentation is the underrated backbone of AI compliance for non-technical professionals. Regulators investigating AI-related complaints will ask for records: what tool was used, when, for what purpose, who reviewed the output, and what decision was ultimately made. Most organizations using AI tools casually have none of this. Start simple. A shared spreadsheet logging AI tool use in high-stakes workflows (hiring, client recommendations, performance reviews, financial advice) costs nothing and creates a defensible paper trail. Enterprise tools like Microsoft Copilot and Google Workspace increasingly include audit logs you can activate. Turn them on. Use them.
Vendor due diligence is the third pillar. Before deploying an AI tool in any regulated workflow, ask the vendor three questions in writing: What data does this tool use to generate outputs? Has the system been tested for bias or disparate impact? What controls exist to prevent the system from using prohibited categories like race, religion, or health status in its outputs? Vendors who can't answer these questions clearly are vendors whose tools create compliance exposure. This isn't a technical conversation; it's a procurement and risk management conversation that any manager can have. The answers belong in your vendor file alongside the contract.
The Three Questions That Replace a Law Degree
Goal: Identify the AI tools you're currently using in professional workflows and assess your organization's compliance exposure using a structured framework, no legal expertise required.
1. Open a blank document or spreadsheet and create five columns: Tool Name, Workflow It's Used In, Type of Decision It Influences, Who Reviews the Output, and Documentation Currently Kept.
2. List every AI tool your team uses regularly: include ChatGPT, Copilot, Gemini, Grammarly AI, Canva AI, and any AI features inside your HR, CRM, or project management software.
3. For each tool, write one sentence in the 'Workflow' column describing exactly where it appears in your work: 'Used to draft candidate rejection emails' or 'Used to score leads in our CRM.'
4. In the 'Decision' column, rate the stakes: Low (drafting routine content), Medium (influencing a business decision), or High (directly affecting hiring, firing, lending, health, or legal matters).
5. For any tool rated Medium or High, write the name of the specific person who reviews and approves the AI output before it affects anyone. If no clear person exists, write 'None identified.'
6. In the Documentation column, note what records currently exist for that tool's use: email threads, system logs, or nothing.
7. Highlight every row where the stakes are Medium or High AND either the reviewer column says 'None identified' OR the documentation column says 'nothing.'
8. For each highlighted row, write one sentence describing the simplest change that would reduce the risk: assigning a named reviewer, activating an audit log, or adding a one-line note to your decision records.
9. Share the completed audit with your manager or legal contact, framing it as a risk identification exercise rather than a compliance failure; you're getting ahead of the issue, not reporting a crisis.
Frequently Asked Questions
- Q: My company is small. Do AI regulations really apply to us? A: Size affects some thresholds but not core obligations. The EU AI Act has reduced requirements for small and medium enterprises, but it doesn't exempt them from high-risk application rules. In the US, EEOC and FTC rules apply regardless of company size if you're using AI in hiring or customer-facing decisions. Smaller organizations often have more exposure, not less, because they have fewer compliance resources to catch problems early.
- Q: If I'm just using ChatGPT for drafting emails, am I really at regulatory risk? A: For low-stakes internal drafting, the risk is minimal. The risk scales with the decision the AI is influencing. Drafting a routine update email is low risk. Using ChatGPT to draft performance improvement plans, client-facing financial summaries, or medical communications is higher risk, because errors or biases in those outputs can cause real harm and trigger regulatory scrutiny.
- Q: Our vendor says their AI tool is 'compliant'. Isn't that enough? A: No. Vendor compliance means the vendor meets their obligations. It doesn't mean your use of the tool is compliant. You remain responsible for how you deploy the tool, what decisions you make with its outputs, and whether you've implemented the human oversight your regulation requires. Always ask vendors to specify exactly which regulations they're compliant with and get it in writing.
- Q: How do I know if a workflow counts as 'high-risk' under the EU AI Act? A: The Act lists eight high-risk categories explicitly: biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice. If your AI use touches any of these areas, including hiring, employee performance management, or student assessment, you're in high-risk territory.
- Q: We don't have EU customers or employees. Do EU rules still matter to us? A: Possibly. The EU AI Act applies when the output of an AI system is used in the EU, not just when the company is based there. If your AI-generated content, decisions, or services reach EU residents, you may be in scope. More practically, many multinational clients and partners now require AI compliance as a contract condition, regardless of where you're based. Staying current protects business relationships, not just legal standing.
- Q: What's the single most important thing a non-technical professional can do right now? A: Map your AI use to your decisions. Most professionals can't name every AI tool touching their workflows, let alone which decisions those tools influence. The compliance audit task above is a genuine starting point. Regulators and courts will ask 'what did you know and what did you do about it?' Having a documented inventory of your AI use, even a rough one, demonstrates good faith and gives you a foundation to build on.
Key Takeaways from Part 2
- Vague regulatory language doesn't mean weak enforcement; it gives regulators flexibility to act broadly, as GDPR demonstrated with billions in fines.
- Compliance obligations follow decisions, not just tools. If you're using AI outputs to influence hiring, client recommendations, or performance reviews, you're in the compliance chain.
- The EU AI Act explicitly regulates 'deployers' (organizations using AI), not just the companies building it. Your vendor's compliance doesn't cover yours.
- Three questions replace a law degree: who could be harmed, can you explain the output, and is a real human making the final call?
- Documentation is your primary defense. Simple logs of AI tool use, reviewers, and decision rationale cost nothing and create a defensible record.
- Vendor due diligence is a procurement skill, not a technical one. Asking vendors about bias testing and data use belongs in every AI tool evaluation.
AI Regulation: What Most Professionals Get Wrong
Most professionals carry three beliefs about AI regulation that sound reasonable but lead to bad decisions. First: that AI regulation is still years away, so there's no urgency to act now. Second: that compliance is purely a legal or IT problem, not something managers, marketers, or HR teams need to worry about. Third: that using a reputable AI tool automatically means you're operating within the law. All three beliefs are wrong. Acting on any of them could expose you, your team, or your organization to real liability right now.
Myth 1: "AI Regulation Is Still Coming. We Have Time"
This belief is understandable. Tech policy moves slowly, and most professionals remember years of congressional hearings that produced nothing concrete. But enforcement is already happening. The EU AI Act began phasing in during 2024, with prohibitions on certain high-risk AI applications taking effect in early 2025. GDPR, which absolutely applies to AI systems processing personal data, has been enforced since 2018 and has produced fines exceeding €1.2 billion to date. If your company does business in Europe, or handles data from EU residents, you are already operating inside a live regulatory framework.
In the United States, the picture is more fragmented but equally active. The FTC has taken enforcement actions against companies making deceptive AI-generated claims. The EEOC has issued guidance on AI in hiring, making clear that algorithmic discrimination violates existing civil rights law. New York City's Local Law 144 requires bias audits for any AI tool used in hiring decisions, and that law is already in effect. Illinois, Colorado, and California have passed or are actively enforcing AI-specific legislation. The regulatory environment is not approaching. It is here.
The practical implication: waiting for a single federal AI law before paying attention is the wrong strategy. Professionals in HR, marketing, finance, and operations are already making AI-assisted decisions that fall under existing laws: employment law, consumer protection law, data privacy law. The question is not whether regulation applies to your work. It's whether you know which regulations already do.
Don't Wait for a Single "AI Law" to Pay Attention
Myth 2: "Compliance Is a Legal or IT Problem, Not Mine"
This myth is the most dangerous one in practice. It assumes that legal teams vet the tools and IT teams configure them safely, so everyone else can use AI without thinking about it. But the decisions that create compliance risk happen at the individual professional level: the HR manager who uses ChatGPT to screen resumes, the marketer who uses AI to personalize outreach based on demographic data, the sales director who uses an AI tool to score leads. These are not IT decisions. They are business decisions with legal consequences.
Regulators are increasingly clear that intent doesn't matter; outcomes do. If an AI-assisted hiring process produces racially skewed results, the fact that you didn't build the algorithm is not a defense. The EEOC's 2023 guidance explicitly places responsibility on employers, not tool vendors. Similarly, if an AI tool generates a false claim about a competitor and your team publishes it, the FTC's concern is with your organization, not the AI company. Understanding basic compliance principles is now part of every professional's job description, whether or not it says so on paper.
The good news: you don't need to become a lawyer. You need a working mental model: know what type of data you're using, know what decisions the AI output is influencing, and know whether those decisions touch areas like employment, credit, healthcare, or consumer rights. Those are the high-risk zones where existing law is most active. For everything else, general best practices around accuracy, transparency, and human review provide solid protection.
Prompt
I'm an HR manager at a mid-sized company. We've started using AI tools to help write job postings, summarize resumes, and draft interview questions. I want to make sure we're not accidentally creating legal or compliance risks. What are the main areas I should review, and what questions should I be asking about each AI-assisted step in our hiring process?
AI Response
Great instinct to review this proactively. Here are the key areas to examine across your AI-assisted hiring workflow:

**Job Postings** Ask: Does the AI-generated language include any age-coded words (like 'digital native' or 'recent graduate') or gender-coded phrasing? Tools like Textio flag these automatically. Review every posting before publishing. AI models can reproduce biased patterns from historical job ad data.

**Resume Screening** This is the highest-risk area. Ask: Is the AI ranking or filtering candidates, or just summarizing? Ranking introduces algorithmic bias risk. Under NYC Local Law 144 and EEOC guidance, any automated tool that influences candidate selection should be audited for disparate impact. Document your process.

**Interview Questions** Ask: Are AI-suggested questions legally compliant? Avoid anything that could elicit protected class information: questions about family status, nationality, age, or health. Have HR or legal review any AI-generated question bank before use.

**Data Handling** Ask: What data are you feeding into the AI tool? Pasting candidate resumes into a free AI tool may violate your data privacy obligations if those resumes contain sensitive personal information. Check your vendor's data retention policy.

**Overall Recommendation** Create a one-page AI use log for your hiring team: what tool was used, at which step, and who made the final human decision. This documentation protects you if a hiring decision is ever challenged.
Myth 3: "If the AI Tool Is Reputable, We're Covered"
Using ChatGPT Plus, Microsoft Copilot, or Google Gemini does not transfer legal responsibility to OpenAI, Microsoft, or Google. Every major AI vendor's terms of service states clearly that the user is responsible for how outputs are used. A reputable tool means the vendor has invested in safety measures: content filters, bias testing, data security. It does not mean every output is accurate, unbiased, or legally appropriate for your specific use case. The tool is the instrument. You are the professional making the decision.
Think of it like a calculator. A reputable calculator from a trusted brand is accurate. But if you input the wrong numbers, or apply the result in the wrong context, the calculator isn't liable for the error; you are. AI tools are more capable than calculators, and their outputs are more convincing, which makes this mistake easier to make. Always apply professional judgment before acting on AI output, especially when the output will influence a decision affecting another person: a candidate, a customer, a patient, a student.
| The Myth | Why Professionals Believe It | The Reality |
|---|---|---|
| AI regulation is still coming | Federal AI legislation is slow and incomplete | GDPR, EEOC rules, FTC enforcement, and state laws are already active |
| Compliance is IT's or Legal's problem | Technical tools feel like technical responsibility | Professionals making AI-assisted decisions carry compliance responsibility for those decisions |
| Using a reputable AI tool means you're covered | Brand trust implies legal protection | Vendor terms of service explicitly place responsibility on the user, not the tool provider |
What Actually Works: A Practical Compliance Mindset
Professionals who handle AI responsibly don't memorize legislation. They build three habits. First, they categorize AI use by risk level before acting. Low-risk uses (drafting internal emails, brainstorming ideas, summarizing meeting notes) require basic accuracy checks. High-risk uses (anything affecting employment decisions, customer credit, healthcare recommendations, or legal documents) require human review, documentation, and possibly legal sign-off. Knowing which category you're in before you start takes about ten seconds and prevents most serious mistakes.
Second, they treat AI outputs as drafts, not decisions. This is the single most protective habit you can develop. When an AI tool summarizes a candidate's resume, recommends a customer segment, or drafts a contract clause, that output enters a human review process; it doesn't bypass one. This matters legally because regulators look for evidence of human oversight. It matters practically because AI tools make confident-sounding errors. Building a review step into your workflow protects both the people affected by your decisions and your professional standing.
Third, they keep basic records. You don't need a complex audit system. A simple log (what AI tool was used, for what purpose, who reviewed the output, and what decision was made) creates a paper trail that demonstrates responsible use. If a decision is ever questioned, this documentation shows that AI assisted a human professional, not that AI made an unsupervised call. Many organizations are now formalizing this as an AI use policy, but even a personal habit of documenting significant AI-assisted decisions puts you ahead of most professionals.
Your Monday Morning Compliance Check
Goal: Create a practical, one-page checklist you can use before any significant AI-assisted task to catch compliance and quality risks before they become problems.
1. Open ChatGPT (free version works fine) or Claude and start a new conversation.
2. Type this prompt: 'I am a [your job title] at a [your industry] organization. Help me create a short pre-task checklist I can use before using AI tools on important work tasks. The checklist should cover data privacy, accuracy risks, and decisions that affect other people. Keep it to 8-10 yes/no questions I can answer in under two minutes.'
3. Read the output carefully and identify any questions that don't apply to your specific role; delete those.
4. Add at least one question specific to your industry (e.g., for HR: 'Does this output influence a hiring or firing decision?'; for healthcare: 'Does this involve patient data?').
5. Reformat the checklist in a Word document or Google Doc with a clear header: 'AI Use Pre-Task Check, [Your Name].'
6. Add a second section titled 'When to Escalate' and ask the AI: 'What are three situations where I should pause an AI-assisted task and consult my legal or compliance team before proceeding?'
7. Copy that response into your document and edit it to match your organization's structure.
8. Save the document somewhere accessible: your desktop, a shared drive, or your note-taking app.
9. Use the checklist on your next three AI-assisted tasks and note any questions that feel missing or redundant, then revise accordingly.
Frequently Asked Questions
- Q: Do I need to tell people when I've used AI to help with my work? A: It depends on the context and your organization's policy. In client-facing work, marketing content, journalism, and academic settings, disclosure expectations are growing, and in some cases legally required. For internal drafts and personal productivity, no disclosure is typically needed. When in doubt, check your company's AI use policy or ask your manager.
- Q: Can I paste client or employee data into ChatGPT to analyze it? A: Be very careful here. Free versions of most AI tools may use your inputs to train future models; check the privacy settings. Even with data protection turned on, pasting personally identifiable information (names, salaries, medical records, contact details) into a consumer AI tool likely violates your data privacy obligations and possibly GDPR or HIPAA. Use anonymized or synthetic data instead.
- Q: What's the difference between the EU AI Act and GDPR? Do both apply to me? A: GDPR governs data privacy and already applies to any organization handling EU residents' personal data. The EU AI Act governs AI systems specifically, categorizing them by risk level and imposing requirements on high-risk applications. Both can apply simultaneously. If you process EU personal data through an AI system, both frameworks are relevant.
- Q: My company hasn't given me any AI guidelines. What should I do? A: Start with the three habits described above: categorize by risk, treat outputs as drafts, and document significant uses. Then ask your manager or HR team whether a formal policy exists or is in development. If you're in a position to influence policy, use the task in this lesson to build a starter checklist that could become the foundation of a team guideline.
- Q: If an AI tool makes a factual error in something I publish, who is responsible? A: You are. The organization publishing the content is legally responsible for its accuracy, not the AI vendor. This is why human review before publication is essential, not optional. The FTC has made clear it will hold companies, not AI tools, accountable for false or misleading AI-generated claims.
- Q: Is it safe to use AI tools for anything related to performance reviews or employee management? A: Proceed with caution. AI-assisted performance language is low-risk if a manager reviews and personalizes it. AI systems that score, rank, or recommend employment actions are high-risk and fall under EEOC scrutiny. Never let an AI tool make or heavily influence a termination, promotion, or disciplinary decision without substantial human review and documentation.
Key Takeaways
- AI regulation is not pending. GDPR, EEOC guidelines, FTC enforcement, and multiple state laws already apply to professional AI use right now.
- Compliance responsibility sits with the professional making the decision, not the legal team, IT department, or AI vendor.
- Using a reputable AI tool does not transfer legal liability. Every major vendor's terms of service places responsibility on the user.
- The three habits that actually protect you: categorize tasks by risk level, treat AI outputs as drafts requiring human review, and document significant AI-assisted decisions.
- High-risk zones (hiring, credit, healthcare, consumer rights) require the most caution because existing law is most active there.
- A simple pre-task checklist, built with a free AI tool, can become your most practical compliance safeguard starting today.