AI Regulatory Compliance Checklist

AI REGULATORY COMPLIANCE CHECKLIST

ORGANIZATION INFORMATION

COMPLIANCE SUMMARY

PART 1: EU AI ACT COMPLIANCE

1.1 AI System Inventory and Classification

Regulatory Reference: Regulation (EU) 2024/1689

System Mapping

☐ Complete inventory of all AI systems created and maintained
☐ Each AI system documented with:

• System name and unique identifier
• Business purpose and intended use
• Provider vs. deployer role determination
• Deployment status
• Data processed
• Geographic deployment scope

Risk Classification

☐ Each AI system classified according to EU AI Act risk levels:

☐ Annex III high-risk use cases assessed:

• ☐ Biometric identification and categorization
• ☐ Critical infrastructure management
• ☐ Education and vocational training
• ☐ Employment and worker management
• ☐ Access to essential services (credit, insurance, housing)
• ☐ Law enforcement
• ☐ Migration, asylum, border control
• ☐ Administration of justice

☐ Article 6(3) exceptions documented where applicable ("narrow procedural task," non-material influence)
☐ Classification rationale documented for each system

1.2 Prohibited AI Practices (Effective February 2, 2025)

Regulatory Reference: Article 5

☐ Verified no AI systems engage in prohibited practices:

☐ Documentation confirming non-use of prohibited practices

1.3 AI Literacy (Effective February 2, 2025)

Regulatory Reference: Article 4

☐ AI literacy program established
☐ Staff training needs assessment completed
☐ Training provided to:

• ☐ AI system operators
• ☐ Technical staff
• ☐ Business users
• ☐ Management
• ☐ Compliance personnel
  ☐ Training records maintained
  ☐ Competency verification process in place
  ☐ Periodic refresher training scheduled

1.4 General-Purpose AI (GPAI) Requirements (Effective August 2, 2025)

Regulatory Reference: Articles 51-56

If organization is a GPAI provider:

☐ Technical documentation prepared per Annex XI
☐ Information provided to downstream providers
☐ Copyright compliance policy established
☐ Training data summary published (per Commission template)
☐ EU representative designated (if non-EU provider)

For GPAI with systemic risk (>10^25 FLOPs):

☐ Model evaluation and adversarial testing conducted
☐ Systemic risk assessment completed
☐ Risk mitigation measures implemented
☐ Serious incident reporting mechanism established
☐ Cybersecurity protections adequate

If organization uses GPAI:

☐ GPAI Code of Practice reviewed
☐ Downstream obligations understood
☐ Integration documentation maintained

1.5 High-Risk AI System Requirements (Effective August 2, 2026)

Regulatory Reference: Articles 8-15, 16-29

1.5.1 Risk Management System (Article 9)

☐ Risk management system established for each high-risk AI system
☐ Risk identification completed:

• ☐ Reasonably foreseeable risks identified
• ☐ Risks from reasonably foreseeable misuse identified
  ☐ Risk evaluation and analysis documented
  ☐ Risk mitigation measures implemented
  ☐ Residual risk assessment completed
  ☐ Risk management system continuously monitored and updated
  ☐ Testing procedures established

1.5.2 Data and Data Governance (Article 10)

☐ Training, validation, and testing data requirements met:

• ☐ Data quality criteria established
• ☐ Data governance practices documented
• ☐ Relevant, representative, and free of errors
• ☐ Appropriate statistical properties verified
• ☐ Bias examination conducted
  ☐ Data processing records maintained
  ☐ Data retention policies aligned with regulations

1.5.3 Technical Documentation (Article 11)

☐ Technical documentation created per Annex IV including:

• ☐ General description of the AI system
• ☐ Detailed description of system elements and development process
• ☐ Information about monitoring, functioning, and control
• ☐ Description of intended purpose
• ☐ Risk management system description
• ☐ Changes made throughout lifecycle
• ☐ List of harmonized standards applied
  ☐ Documentation kept up to date

1.5.4 Record-Keeping (Article 12)

☐ Automatic logging capabilities enabled
☐ Logs include:

• ☐ Period of use
• ☐ Reference database verification
• ☐ Input data
• ☐ Persons involved in verification
  ☐ Log retention for appropriate period (minimum as required)
  ☐ Logs accessible to authorities upon request

1.5.5 Transparency and Information to Deployers (Article 13)

☐ Instructions for use provided to deployers including:

• ☐ Identity and contact of provider
• ☐ Characteristics, capabilities, and limitations
• ☐ Intended purpose
• ☐ Level of accuracy, robustness, cybersecurity
• ☐ Circumstances that may affect performance
• ☐ Specifications for input data
• ☐ Human oversight measures
• ☐ Computational and hardware resources needed
• ☐ Expected lifetime and maintenance measures

1.5.6 Human Oversight (Article 14)

☐ Human oversight measures designed and implemented:

• ☐ Identified to deployer
• ☐ Appropriate to AI system risks
• ☐ Enable full understanding of capacities and limitations
• ☐ Enable monitoring during operation
• ☐ Enable intervention capability (stop button, override)
• ☐ Enable decision to not use or disregard AI output
  ☐ Human oversight procedures documented
  ☐ Oversight personnel identified and trained

1.5.7 Accuracy, Robustness, Cybersecurity (Article 15)

☐ Accuracy levels documented:

• ☐ Accuracy metrics defined
• ☐ Appropriate accuracy achieved for intended purpose

• ☐ Accuracy information communicated to deployers
  ☐ Robustness measures implemented:

• ☐ Resilience to errors and faults

• ☐ Resilience to attempts to alter use by third parties

• ☐ Redundancy measures where appropriate
  ☐ Cybersecurity protections in place:

• ☐ Protection against unauthorized access

• ☐ Protection against data poisoning
• ☐ Protection against model manipulation
• ☐ Protection against adversarial examples

1.6 Deployer Obligations (Effective August 2, 2026)

Regulatory Reference: Article 26

☐ Technical and organizational measures implemented for instructions of use
☐ Human oversight conducted by competent individuals
☐ Input data relevant to intended purpose
☐ Monitoring for AI system risks during operation
☐ Fundamental rights impact assessment completed (where required)
☐ Logs retained as required (minimum 6 months)
☐ Cooperation with authorities ensured
☐ Information provided to affected persons regarding use of high-risk AI

For deployers of AI systems making decisions about natural persons:

☐ Persons informed they are subject to AI system
☐ Information about AI system purpose provided
☐ Right to explanation enabled for decisions producing legal effects

1.7 Transparency Obligations (Effective August 2, 2026)

Regulatory Reference: Article 50

☐ AI system interaction disclosure:

• ☐ Persons informed when interacting with AI

• ☐ Exception for obvious AI context documented
  ☐ Synthetic content labeling:

• ☐ AI-generated content marked as machine-generated

• ☐ Technical standards for marking followed
  ☐ Emotion recognition/biometric categorization disclosure:

• ☐ Persons informed of system operation

• ☐ Categories of personal data being processed disclosed
  ☐ Deepfake disclosure:

• ☐ Synthetic audio/video/images disclosed as AI-generated

• ☐ Artistic exception documented where applicable

1.8 Conformity Assessment (High-Risk)

Regulatory Reference: Articles 43-49

☐ Conformity assessment type determined:

• ☐ Self-assessment (Annex VI internal control)
• ☐ Third-party assessment (notified body required)
  ☐ Assessment completed prior to placing on market/deployment
  ☐ EU Declaration of Conformity drawn up (Article 47)
  ☐ CE marking affixed (Article 48)
  ☐ Registration in EU database completed (Article 49)
  ☐ Conformity reassessment planned for substantial modifications

1.9 Post-Market Monitoring and Incidents

Regulatory Reference: Articles 72-73

☐ Post-market monitoring system established
☐ Monitoring plan documented
☐ Data collection mechanisms operational
☐ Performance degradation detection in place
☐ Serious incident reporting process established:

• ☐ Incident definition aligned with Article 73
• ☐ Notification procedures to market surveillance authority
• ☐ Timeline for notification understood (immediate for serious incidents)
  ☐ Corrective action procedures documented

1.10 Penalties Awareness

Regulatory Reference: Article 99

☐ Penalty framework understood by relevant personnel

PART 2: GDPR COMPLIANCE FOR AI

2.1 Lawful Basis for AI Processing

Regulatory Reference: GDPR Articles 6, 9

☐ Lawful basis identified for AI data processing:

• ☐ Consent
• ☐ Contract performance
• ☐ Legal obligation
• ☐ Vital interests
• ☐ Public interest/official authority
• ☐ Legitimate interests (with balancing test)
  ☐ Special category data handling assessed (Article 9)
  ☐ Documentation of lawful basis maintained

2.2 Automated Decision-Making (Article 22)

☐ Assessment completed whether AI decisions are:

• ☐ Solely automated (no meaningful human involvement)

• ☐ Produce legal effects or significantly affect individuals
  ☐ If Article 22 applies:

• ☐ Explicit consent obtained, OR

• ☐ Contract necessity established, OR

• ☐ Legal authorization identified
  ☐ Safeguards implemented:

• ☐ Right to obtain human intervention

• ☐ Right to express point of view
• ☐ Right to contest decision
  ☐ Information provided to data subjects about automated decisions
  ☐ Meaningful information about logic involved provided

2.3 Data Protection Impact Assessment (DPIA)

Regulatory Reference: Article 35

☐ DPIA requirement assessed for AI processing
☐ DPIA conducted where required including:

• ☐ Systematic description of processing
• ☐ Necessity and proportionality assessment
• ☐ Risk assessment to rights and freedoms
• ☐ Measures to address risks
  ☐ DPO consulted (if appointed)
  ☐ Supervisory authority consultation if high residual risk

2.4 Transparency and Information

Regulatory Reference: Articles 13-14

☐ Privacy notice updated to include:

• ☐ Existence of automated decision-making
• ☐ Meaningful information about logic involved
• ☐ Significance and envisaged consequences
  ☐ Information provided at time of data collection
  ☐ Information provided when data obtained from third parties

2.5 Data Subject Rights for AI

☐ Rights processes accommodate AI:

• ☐ Access to information about AI processing
• ☐ Rectification of data used in AI
• ☐ Erasure of data (where applicable)
• ☐ Restriction of AI processing
• ☐ Objection to AI profiling
  ☐ Response timelines met (1 month, extendable)
  ☐ Staff trained on handling AI-related requests

PART 3: US STATE AI LAWS COMPLIANCE

3.1 Colorado Artificial Intelligence Act (CAIA)

Effective Date: June 30, 2026

Applicability Assessment

☐ Determination made: Does organization deploy "high-risk AI systems"?
☐ "Consequential decisions" assessment completed:

• ☐ Education enrollment/opportunities
• ☐ Employment or employment opportunity
• ☐ Financial or lending services
• ☐ Essential government services
• ☐ Healthcare services
• ☐ Housing
• ☐ Insurance
• ☐ Legal services

☐ Provider vs. Deployer role determined

Developer Obligations (if applicable)

☐ Documentation provided to deployers:

• ☐ Model cards/dataset cards
• ☐ Intended uses
• ☐ Training data description (high level)
• ☐ Known limitations
• ☐ Mitigation steps

• ☐ Guidance on appropriate use and monitoring
  ☐ Public statement maintained describing:

• ☐ Types of high-risk systems developed

• ☐ How algorithmic discrimination risks are managed
  ☐ Attorney General notification process established for discovered risks (90-day window)
  ☐ Documentation response process for AG requests (90-day window)

Deployer Obligations

☐ Risk management policy and program implemented
☐ Annual impact assessment completed for each high-risk system
☐ Consumer disclosures provided:

• ☐ Pre-decision notification of AI use (required before decision)
• ☐ Purpose disclosure

• ☐ Nature of consequential decision disclosed
  ☐ Consumer rights enabled:

• ☐ Right to correct erroneous personal data

• ☐ Right to appeal adverse decisions
• ☐ Human review available when technically feasible

Reasonable Care Standard

☐ Risk management framework aligned with recognized standard:

• ☐ NIST AI RMF
• ☐ ISO/IEC 42001
• ☐ Other nationally/internationally recognized framework
  ☐ Impact assessments conducted
  ☐ Disclosures made

Small Business Exemption Assessment

☐ Small business status determined (50 or fewer full-time employees)
☐ If small business exemption claimed:

• ☐ Exemption requirements verified
• ☐ Documentation maintained

Affirmative Defense Documentation

☐ Framework compliance documented (for affirmative defense)
☐ Violation discovery and correction measures documented

3.2 California AI Laws

California AI Transparency Act (SB 942)

Effective: January 1, 2026

☐ GenAI systems with California users assessed
☐ AI detection tools provided (where required)
☐ Content provenance disclosures made
☐ Manifest or embedded content credentials included
☐ User-facing disclosure requirements met

California AB 2013 (GenAI Training Data Disclosure)

☐ Training data documentation maintained
☐ High-level summary of training data prepared
☐ Disclosure statement accessible on website

California Deepfake Laws

☐ Political content disclosures compliant (election periods)
☐ Intimate image protections implemented
☐ Watermarking/labeling requirements met

3.3 Illinois AI Laws

Illinois AI Video Interview Act

☐ Applicability assessed (AI analysis of video interviews)
☐ If applicable:

• ☐ Applicant notification provided before interview
• ☐ Explanation of AI analysis provided
• ☐ Consent obtained from applicant
• ☐ Sharing limitations observed
• ☐ Deletion upon request enabled (30-day window)

Illinois HB 3773 (Employment AI)

☐ Applicability assessed
☐ Notice requirements met before using AI in employment decisions
☐ Bias testing requirements satisfied

Illinois Biometric Information Privacy Act (BIPA)

☐ Biometric data use in AI assessed
☐ If BIPA applies:

• ☐ Written policy on retention and destruction
• ☐ Written release/consent obtained
• ☐ Disclosure of purpose and duration
• ☐ Data retention limits observed
• ☐ No sale/profit from biometric data

3.4 New York City Local Law 144 (AEDT)

Applicable: Automated Employment Decision Tools in NYC

☐ Applicability determined (hiring/promotion decisions in NYC)
☐ If applicable:

• ☐ Annual bias audit conducted by independent auditor
• ☐ Audit results published on website
• ☐ Candidate/employee notice provided (10+ business days before use)

• ☐ Alternative selection process offered
  ☐ Audit includes:

• ☐ Impact ratio calculations

• ☐ Analysis by sex, race/ethnicity, intersectional categories
• ☐ Historical data or test data analysis

3.5 Other State Laws

Texas AI Laws

☐ Texas deepfake laws assessed
☐ Disclosure requirements for AI-generated content met

Washington State

☐ Facial recognition requirements assessed
☐ AI disclosure requirements met

Other Applicable States

☐ Applicable state laws identified: [LIST STATES]
☐ Compliance assessment completed for each

PART 4: SECTOR-SPECIFIC REGULATIONS

4.1 Financial Services

Fair Lending (ECOA, FCRA)

☐ AI credit decisions assessed for discrimination
☐ Adverse action notice requirements met
☐ Specific reasons for denial provided
☐ Fair lending testing conducted

Algorithmic Trading

☐ SEC/CFTC requirements assessed
☐ Risk controls implemented
☐ Pre-trade risk management in place

Model Risk Management (SR 11-7)

☐ OCC/Federal Reserve guidance followed (if applicable)
☐ Model validation completed
☐ Independent review conducted
☐ Documentation maintained

4.2 Healthcare

FDA AI/ML Regulations

☐ Medical device classification assessed
☐ If AI/ML device:

• ☐ FDA clearance/approval pathway determined
• ☐ Software as Medical Device (SaMD) requirements met
• ☐ Predetermined change control plan in place
• ☐ Real-world performance monitoring

HIPAA Compliance

☐ PHI use in AI assessed
☐ BAAs in place with AI vendors
☐ Minimum necessary principle applied
☐ De-identification requirements met (if applicable)

4.3 Employment

EEOC Guidance

☐ AI hiring tools assessed for discrimination
☐ Disparate impact analysis conducted
☐ Reasonable accommodation process maintained
☐ Title VII compliance verified

ADA Compliance

☐ AI screening tools accessibility assessed
☐ Disability discrimination risks evaluated
☐ Accommodation requests processable

4.4 Insurance

☐ State insurance regulator guidance reviewed
☐ AI underwriting fairness assessed
☐ Pricing discrimination evaluated
☐ Required disclosures made

4.5 Education

☐ FERPA compliance for AI in education
☐ Student data protection measures
☐ EdTech vendor agreements reviewed

PART 5: INTERNATIONAL AND CROSS-BORDER COMPLIANCE

5.1 UK AI Regulation

☐ UK AI regulatory developments monitored
☐ Sector-specific guidance reviewed:

• ☐ FCA (financial services)
• ☐ CMA (competition)
• ☐ Ofcom (communications)
• ☐ ICO (data protection)
  ☐ UK GDPR requirements met

5.2 Canada AI Regulation

☐ AIDA (Artificial Intelligence and Data Act) developments monitored
☐ PIPEDA compliance for AI data processing
☐ Provincial requirements assessed

5.3 Other Jurisdictions

☐ Applicable jurisdictions identified: [LIST]
☐ Compliance requirements mapped for each
☐ Cross-border data transfer mechanisms in place

PART 6: ORGANIZATIONAL COMPLIANCE INFRASTRUCTURE

6.1 Governance

☐ AI governance structure established
☐ Roles and responsibilities defined:

• ☐ AI Compliance Officer/Lead
• ☐ System Owners
• ☐ Technical Leads
• ☐ Legal/Compliance
  ☐ Board/Executive oversight in place
  ☐ AI governance committee operational (if applicable)

6.2 Policies and Procedures

☐ AI policies documented:

• ☐ AI Ethics Policy
• ☐ AI Risk Management Policy
• ☐ Generative AI Acceptable Use Policy
• ☐ AI Data Governance Policy

• ☐ AI Vendor Management Policy
  ☐ Procedures documented:

• ☐ AI system development lifecycle

• ☐ Risk assessment procedures
• ☐ Impact assessment procedures
• ☐ Incident response procedures
• ☐ Human oversight procedures
  ☐ Policy review schedule established

6.3 Risk Management

☐ AI risk management framework implemented
☐ Risk assessment methodology documented
☐ Risk appetite defined
☐ Risk register maintained
☐ Risk reporting mechanisms operational

6.4 Training and Awareness

☐ AI compliance training program established
☐ Training completion tracked
☐ Competency requirements defined
☐ Refresher training scheduled

6.5 Documentation and Records

☐ Document retention policy covers AI records
☐ Technical documentation maintained
☐ Assessment records retained
☐ Decision logs preserved
☐ Incident records archived

6.6 Vendor Management

☐ AI vendor due diligence process established
☐ Vendor assessments completed
☐ Contracts include compliance requirements
☐ Ongoing vendor monitoring in place

6.7 Audit and Monitoring

☐ Internal audit scope includes AI compliance
☐ Compliance monitoring mechanisms operational
☐ KPIs/metrics tracked
☐ External audit/assessment schedule (where required)

PART 7: COMPLIANCE CALENDAR

Key Regulatory Dates

Recurring Compliance Activities

PART 8: GAP ANALYSIS AND REMEDIATION

Identified Gaps

Remediation Tracking

PART 9: ATTESTATION AND SIGN-OFF

Assessment Certification

I certify that this compliance assessment has been completed accurately and to the best of my knowledge:

Assessor:

Name: _________________________________ Title: _________________________________

Signature: _________________________________ Date: _________________________________

Management Acknowledgment

Management acknowledges receipt of this compliance assessment and accepts responsibility for addressing identified gaps:

Compliance Officer/Manager:

Name: _________________________________ Title: _________________________________

Signature: _________________________________ Date: _________________________________

Executive Sponsor:

Name: _________________________________ Title: _________________________________

Signature: _________________________________ Date: _________________________________

APPENDIX A: REGULATORY REFERENCE GUIDE

EU AI Act Key Provisions

US State Law Quick Reference

APPENDIX B: COMPLIANCE RESOURCES

Regulatory Authorities

Standards and Frameworks

Official Guidance

• EU AI Act Guidelines: artificialintelligenceact.eu
• Colorado AG Website: coag.gov
• NIST AI Resources: nist.gov/artificial-intelligence
• EEOC AI Guidance: eeoc.gov

APPENDIX C: ASSESSMENT METHODOLOGY

This checklist is designed for:

1. Initial Compliance Assessment: Complete all applicable sections to establish baseline
2. Annual Review: Update assessments and verify continued compliance
3. Pre-Deployment Assessment: Complete relevant sections before deploying new AI systems
4. Triggered Assessment: Use after incidents, regulatory changes, or significant modifications

Scoring Guidance:

• Complete all items marked with ☐
• Document evidence for each compliance item
• Identify gaps where requirements are not met
• Develop remediation plans for all gaps

This AI Regulatory Compliance Checklist is provided for informational purposes. Organizations should work with qualified legal counsel to ensure compliance with applicable regulations. Regulations are subject to change; verify current requirements.