AI regulation and compliance: EU AI Act, US frameworks, and board responsibilities
Executive summary
Boards are now accountable for strategic decisions that determine how AI is adopted, governed and reported. Regulation is moving from principle-based guidance to prescriptive obligations that affect product design, procurement, HR systems, marketing, and financial controls. This article provides a board-level framework to translate regulatory requirements, notably the EU AI Act and evolving US frameworks, into governance, compliance programmes and measurable oversight. It frames practical responsibilities, KPIs and an operational approach (the AIOS) for directors, executive teams and investors.
Regulatory overview: what boards must know
EU AI Act (risk-based, prescriptive obligations)
- Scope and classification: The EU AI Act establishes a risk-based regime: prohibited practices (unacceptable risk), high-risk systems, systems requiring transparency obligations, and minimal-risk applications. High-risk systems include certain biometric identification, critical infrastructure, employment and credit scoring systems, and safety-relevant products.
- Obligations for providers and deployers: For high-risk systems, organisations must implement a documented quality management system, perform conformity assessments, maintain technical documentation, ensure traceability and logging, apply rigorous data governance, conduct human oversight, and implement post-market monitoring. Transparency obligations require clear user information for some systems, and specific labelling and consumer information for generative systems is emerging.
- Enforcement and penalties: Administrative fines are significant and can reach a percentage of global turnover. National supervisory authorities will exercise enforcement powers, including corrective measures and market restrictions.
- Compliance timelines: The Act introduces phased compliance windows tied to product availability and model types. Boards must track implementation deadlines and supply-chain expectations.
US frameworks (risk management, sectoral enforcement, and emerging rules)
- Federal approach: The US does not have a single federal AI statute comparable to the EU AI Act. Instead, the approach combines executive guidance, agency-specific rules and the NIST AI Risk Management Framework (RMF). The White House has issued executive orders and guidance focused on AI safety, testing and interagency coordination.
- NIST AI RMF: NIST provides a voluntary, flexible RMF to identify, measure and manage AI risk across governance, data, model, and assessment domains. It is widely recommended as a compliance baseline for boards seeking demonstrable due diligence.
- Agency enforcement: Agencies such as the FTC, SEC, FDA, and state regulators are using existing authorities to regulate AI-related conduct, for example consumer protection, disclosure obligations, product safety, and healthcare device approvals. State laws may add biometric privacy or civil rights obligations.
- Market expectations: US regulators and investors increasingly expect strong governance, explainability where appropriate, and documented testing of models, particularly in finance, healthcare and products sold to consumers.
Board responsibilities and decision rights
Strategic oversight and risk appetite
- Set a clear AI risk appetite aligned with enterprise strategy and fiduciary duties. Decisions on which AI capabilities to develop, procure or deploy must be assessed against enterprise-level risk tolerances, regulatory exposures and investor expectations.
- Approve enterprise-wide AI policies, including data governance, model validation, privacy, ethics and third-party management. These policies must be translated into enforceable procedures and metrics.
Governance roles and committees
- Assign accountability: Boards should ensure that responsibilities for AI compliance are explicit. Typical roles include an executive sponsor (C-suite), a Chief AI Officer or Head of Model Risk, Data Protection Officer where EU GDPR intersects, and a compliance owner responsible for conformity assessments.
- Committee oversight: Consider creating or expanding the remit of existing risk, audit, or technology committees to include AI and model risk. Committees should receive periodic, structured reporting aligned to KPIs and compliance milestones.
Policy, procedure and change programme approvals
- Approve change programmes that translate policy into operational controls: procurement clauses, vendor due diligence, model validation standards, data handling procedures, and employee training curricula.
- Require that major AI investments undergo a governance review and are subject to documented conformity assessments or equivalent due diligence prior to deployment.
See where AI fits in your business. Free.
A 45-minute audit. We map the highest-value automations and what they're worth in time and money. No pitch, no pressure.
Building a compliance programme
Inventory, classification and risk assessment
- Maintain an enterprise inventory of AI systems mapped by risk category, business function, data sensitivity and third-party dependencies. Inventory updates should be routine and auditable.
- Conduct Data Protection Impact Assessments (DPIAs) and AI-specific risk assessments for systems that intersect with high-risk use cases or regulated sectors.
Technical and data governance
- Establish data quality standards, lineage, provenance and retention policies. High-risk models require representative datasets, bias testing and documented cleaning procedures.
- Implement model governance standards: version control, reproducibility, explainability thresholds, performance validation and drift detection.
Documentation, conformity and third-party risk
- Prepare technical documentation and evidence packages that support regulatory conformity assessments. This includes architecture diagrams, training data descriptions, validation reports and post-market monitoring plans.
- Embed contractual clauses that require vendors to support audits, provide model cards and documentation, and indemnify for non-compliance where appropriate.
Assurance, monitoring and incident management
- Implement continuous monitoring and post-deployment surveillance to detect performance degradation, bias emergence, or safety incidents. Define incident response procedures, escalation paths and remediation timelines.
- Align internal audit plans to include AI controls and periodic independent model validation.
KPIs and board reporting
Operationalise oversight with measurable indicators. Suggested board-level KPIs:
- Percentage of AI systems inventoried and risk-classified.
- Number of high-risk systems with completed conformity assessments or equivalent validation.
- Time-to-remediation for regulatory or audit findings.
- Number of model incidents or adverse outcomes reported per period and remediation closure rate.
- Percentage of employees with role-appropriate AI compliance and security training.
- Vendor risk score distribution and percentage of critical vendors meeting contractual compliance clauses.
- Costs and resources allocated to AI compliance programmes vs. planned budgets.
- Investor engagement metrics: number of investor queries related to AI, responses provided and disclosure updates.
Investor engagement and disclosure
Strategic investor communications
- Develop a systematic disclosure framework for investors that communicates the organisation's AI policies, governance structure, risk appetite, and material exposures. Transparency reduces litigation and market-concern risk.
- Prepare playbooks for investor meetings that address likely queries on model risk, third-party dependencies, data practices and remediation capability.
Align financial controls and reporting
- Ensure financial forecasting and capital allocation account for compliance costs, potential fines and investments in assurance.
- Coordinate disclosure between legal, compliance and investor relations to maintain consistency in messaging.
Employee engagement and change programmes
Workforce training and capability
- Launch mandatory role-based training for executives, product managers, data scientists and frontline users, focusing on regulatory obligations, reporting lines and escalation procedures.
- Integrate AI competence into performance management and talent programmes to retain and attract the skills necessary for compliance.
Change management
- Run change programmes that align operating procedures, IT, HR, legal and product teams. Change programmes must have clear milestones, success criteria and KPIs reported to the board.
- Use stakeholder engagement practices to address employee concerns, particularly where AI affects jobs, decisions or monitoring.
Operationalising governance with the AIOS
The AI Operating System (AIOS) translates board policy into executable controls and reporting. Key modules:
- Governance layer: policy library, roles and responsibilities matrix, committee charters and decision trees.
- Inventory and risk module: asset register, automated classification workflows and DPIA templates.
- Compliance and assurance module: conformity assessment trackers, technical documentation repository, audit trails.
- Data and model operations: lineage tools, version control, testing pipelines and monitoring dashboards.
- Reporting and KPIs: executive dashboards that feed audit committees with real-time indicators.
- Change and training: programme management and employee engagement trackers.
Implementation roadmap for the board
Immediate (0-90 days)
- Approve an AI governance charter and designate executive accountability.
- Mandate an AI inventory and initial risk classification for all systems in production or advanced development.
- Require a gap analysis comparing existing controls against EU AI Act obligations and NIST RMF principles.
Medium term (3-12 months)
- Operationalise policies into procedures: procurement clauses, vendor due diligence checklists, DPIA templates, and model validation standards.
- Launch employee training and establish a scheduled reporting cadence to governance committees.
- Prioritise conformity assessments for high-risk systems and engage external auditors where needed.
Long term (12-36 months)
- Embed AIOS capabilities for continuous monitoring, post-market surveillance and board reporting.
- Revisit risk appetite and strategic priorities informed by regulatory developments, market expectations and audit outcomes.
- Develop scenario planning and crisis playbooks for major incidents, regulatory investigations, or material model failures.
Practical considerations for directors
- Evidence over intention: Regulators and investors look for documented implementation, not just policy statements. Boards should demand demonstrable artefacts: inventories, DPIAs, validation reports and remediation logs.
- Integration not isolation: AI compliance cannot be siloed. It must be part of enterprise risk, internal audit, IT security and legal processes.
- Resource allocation: Compliance requires sustained investment in people, tooling and assurance. Boards must consider these as operating expenses with predictable KPIs.
- Global coordination: Where operations span jurisdictions, harmonise controls to meet the strictest applicable standard and adapt disclosures and procedures locally.
Next steps for boards
Direct the CEO and relevant committees to present:
- A consolidated AI risk register and compliance gap analysis within the next board cycle.
- A resourcing plan for conformity assessments and the AIOS implementation, with cost and timeline estimates.
- A communication plan for investor engagement and employee training aligned to regulatory milestones.
Boards that convert regulatory obligations into operational policies, measurable KPIs and structured change programmes will reduce legal exposure, safeguard reputation and sustain investor confidence while enabling responsible AI adoption.
Where to from here
Book a free AI audit and we'll show you what's worth augmenting first in your business, and what isn't.
Live with passion & AI,
Brett
Want this installed in your business?
Bespoke AI implementation across your operations: strategy, build, rollout, and ongoing drift maintenance.
Frequently asked questions
What does the EU AI Act require from boards?
+
The EU AI Act places direct obligations on organisations that provide or deploy high-risk AI systems. Boards must ensure a documented quality management system is in place, conformity assessments are completed, and post-market monitoring is active. Failure to comply can result in administrative fines calculated as a percentage of global annual turnover.
How does the US approach to AI regulation differ from the EU?
+
The US does not have a single federal AI statute. Regulation comes from executive guidance, the NIST AI Risk Management Framework, and agency-specific enforcement by bodies such as the FTC, SEC, and FDA. State laws may add biometric privacy or civil rights requirements on top of federal expectations.
Which board committees should oversee AI compliance?
+
Boards should extend the remit of existing risk, audit, or technology committees to cover AI and model risk. These committees need structured, periodic reporting against defined KPIs and compliance milestones. A named executive sponsor at C-suite level should be accountable for day-to-day compliance.
What KPIs should a board use to track AI compliance?
+
Useful board-level KPIs include the percentage of AI systems that have been inventoried and risk-classified, the number of high-risk systems with completed conformity assessments, time-to-remediation for audit findings, and the proportion of employees who have completed role-appropriate AI compliance training. Vendor risk scores and compliance costs versus budget are also worth tracking.
What is the AIOS and how does it support AI governance?
+
The AI Operating System (AIOS) translates board policy into executable controls and reporting. It covers a governance layer, an inventory and risk module, a compliance and assurance module, and executive dashboards that feed audit committees with real-time indicators. It is designed to reduce the gap between policy intent and operational reality.

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.



