Back to course overview
Module 4Risk & governance 12 min

The regulation radar

What a leader must personally know about AI regulation — the EU AI Act's risk tiers, the use-case pattern behind most rules, and the procurement clauses that do the compliance work early.

You don't need to read the regulations; you need the radar — enough shape to spot when a proposal enters regulated territory, plus a counsel relationship for the rest. The good news: nearly all AI regulation follows one pattern you can internalize in a lesson.

The pattern: regulate the use, not the technology

  • The EU AI Act — the reference framework globally — tiers by use-case risk: prohibited practices (manipulative techniques, social scoring), high-risk uses (employment screening, credit, essential services, safety components) carrying real obligations (risk management, data governance, human oversight, logging), transparency-tier uses (chatbots must disclose they're AI; synthetic media must be labeled), and minimal-risk everything else — which is most of your portfolio. Extraterritorial reach means 'we're not European' is not an answer if you touch EU customers or operations. Your model vendors carry GPAI (general-purpose AI model) obligations of their own; your procurement clauses should inherit their documentation.
  • The recurring themes across jurisdictions — US state laws, sector regulators, employment rules (NYC's bias-audit law was the template): decisions about people (hiring, firing, lending, housing) draw the strictest rules; disclosure requirements spread fastest; and documentation — can you show what the system does, on what data, with what oversight? — is the common denominator of compliance everywhere. Your Module 4 inventory and intake, run honestly, are most of the documentation these regimes ask for. That's not a coincidence; it's why minimum viable governance was designed that way.
  • Your sector's own regulators matter more than the famous acts: transportation safety rules for Alder (driver-facing AI is safety-adjacent — hence the appetite statement's 'period'), health rules in care, financial rules in lending. The radar question for any initiative: does this touch a decision a regulator already cares about? The technology being 'AI' changes the scrutiny, rarely the jurisdiction.

If you're in a regulated sector (insurance, health, lending, hiring), invert this — your best opportunities (claims, underwriting, pricing, screening) are often regulated decisions about people and money, so the minimal tier is not most of your portfolio. Tier your inventory with counsel BEFORE the portfolio workshop, not after: a candidate that looks like a quick win but lands in the high-risk tier carries obligations that change its cost, its owner, and sometimes whether it belongs in the portfolio at all.

The leader's three moves

  • Tier your inventory now. One pass with counsel: which current and portfolio systems would land in a high-risk or transparency tier anywhere you operate? At Alder: driver-log auditing (employment-adjacent — human decision preserved, documented) and anything customer-chat-facing (disclosure). An afternoon of work; years of not being surprised.
  • Put compliance in procurement. The cheapest compliance happens in contracts: vendors warrant their tier compliance, provide documentation packs, notify on material model changes, support your audit obligations. Your six-dimension rubric already scores data handling — add the regulatory clauses and buying becomes your compliance engine.
  • Assign the watch. Regulation moves quarterly; you need a named owner (usually whoever runs governance, with counsel) whose job includes a standing brief: what changed, what it touches, what we do. Ten minutes a quarter at the board; zero surprises. The AI Governance course trains exactly this person.
The compliance trap runs both directions

Under-compliance risks fines and headlines. Over-compliance — treating every drafting assistant like a high-risk system — quietly costs more: it stalls the portfolio, burns change capacity on ceremony, and teaches the organization that the safe path is the slow path (hello again, shadow usage). The tiering is the discipline: match the ceremony to the tier, and defend the minimal tier's speed as vigorously as the high tier's rigor.