AI Regulation — EU AI Act, US Policies, and What's Coming
A plain-language guide to current AI regulation, risk classification tiers, compliance requirements, and how to prepare your organization.
What You'll Learn
- The EU AI Act's risk-based classification system
- US AI policy landscape and sector-specific regulations
- How regulation applies to AI users, not just AI builders
- Practical compliance preparation steps
The Meridian Story
Elena (General Counsel) presented a regulatory briefing. Her opening point: "The EU AI Act applies to us even though we don't build AI models. We USE AI — and the regulation covers users too. We operate in the EU, which means compliance is not optional."
This was a perspective shift for the team. They'd assumed AI regulation was primarily a concern for technology companies that build AI systems, not for companies that use them as business tools.
The EU AI Act — Risk-Based Framework
The EU AI Act classifies AI systems by risk level, with escalating requirements:
Unacceptable Risk (Banned): Social scoring by public authorities, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), AI that uses manipulative or deceptive techniques to distort behavior and cause significant harm, and emotion recognition in workplaces and educational institutions (except for medical or safety purposes).
High Risk (Strict Requirements): AI used in employment decisions (recruitment, screening, evaluation, promotion), credit scoring of individuals, educational admission and assessment, safety management of critical infrastructure, law enforcement, migration and border control, and administration of justice. High-risk systems require: conformity assessments, technical documentation covering training data and model behavior, human oversight mechanisms, accuracy and robustness testing, and registration in the EU database. Most of those obligations fall on the provider. A deployer of a high-risk system has its own, narrower duties: use the system according to the provider's instructions, assign trained staff to exercise human oversight, ensure input data is relevant to the intended purpose, monitor operation, retain the logs the system generates, and inform affected workers and individuals that a high-risk system is being used on them.
Limited Risk (Transparency Obligations): AI systems that interact directly with people must make clear that they are AI unless that is obvious from context. AI-generated or manipulated image, audio, and video content (deepfakes) must be labeled. People exposed to emotion recognition or biometric categorisation systems must be informed.
Minimal Risk (No Specific Requirements): AI in spam filters, video game AI, industrial optimization. Most enterprise AI falls here.
Key insight for leaders: Classification depends on the USE CASE, not the technology. The same LLM used for internal meeting summaries (minimal risk) and for screening job applicants (high risk) falls into different categories — with different compliance obligations.
Meridian's assessment: Invoice processing — minimal risk (internal operational efficiency, no individual impact). Resume screening — high risk (employment decisions affecting individuals). Demand forecasting — minimal risk (internal business optimization). The resume screening tool immediately moved to the governance committee for enhanced review.
US AI Policy Landscape
The US approach is more sector-specific than the EU's comprehensive framework:
- Executive orders set federal policy direction on AI safety, security, and trustworthiness; they are not statutes and have changed between administrations, so they should be tracked as evolving guidance rather than treated as fixed requirements
- Sector regulators apply existing law to AI: the SEC and banking regulators in financial services, the FDA for AI in medical devices and clinical software, the FTC under its authority over unfair or deceptive practices, and the EEOC for employment discrimination
- State-level regulation is emerging, with requirements that vary by jurisdiction (Colorado's 2024 law on high-risk AI in consequential decisions is one example)
For organizations operating in the US, the practical approach is: monitor federal guidance, understand your sector's regulatory expectations, and build governance that anticipates regulatory evolution.
Global Regulatory Trends
Regardless of jurisdiction, several trends are consistent:
- Risk-based approaches — regulation scales with the potential impact of AI decisions
- Transparency requirements — organizations must disclose AI usage, especially when it affects individuals
- Accountability — someone must be responsible for AI system behavior
- Data governance — requirements around training data quality, consent, and privacy
- Human oversight — high-stakes AI decisions require human review
Organizations that build governance aligned with these trends will be better prepared as regulations mature.
Practical Compliance Preparation
| Step | Action | Timeline |
|---|---|---|
| 1 | Inventory all AI systems and classify each by risk level (EU AI Act categories), noting for each whether you are the provider or the deployer | Immediate |
| 2 | Identify high-risk use cases and assess compliance gaps | Within 1 month |
| 3 | Ensure human oversight mechanisms exist for high-risk systems | Within 3 months |
| 4 | Document AI systems: purpose, data, testing, limitations | Ongoing |
| 5 | Monitor regulatory developments in your operating jurisdictions | Quarterly review |
What This Means for Your Organization
- If you operate in the EU or your AI systems' output is used in the EU, the EU AI Act compliance timeline is already running: the Act entered into force on 1 August 2024, the prohibitions have applied since 2 February 2025, and most high-risk obligations apply from 2 August 2026. Assess your AI portfolio now.
- If you operate primarily in the US, sector-specific regulation applies. Understand your industry's regulatory expectations.
- Regardless of jurisdiction, building governance practices aligned with global trends positions you well as regulation evolves.
- The responsible AI practices from Lesson 14 (fairness testing, transparency, documentation, human oversight) directly support regulatory compliance.
Common Mistakes
- Assuming regulation only applies to AI builders — The EU AI Act has obligations for deployers (users) of AI, not just providers (builders).
- Waiting for regulation to be "finalized" before preparing — Regulatory implementation is phased. Building governance now is preparation, not premature compliance.
- Over-complying for low-risk use cases — Not every AI tool needs a full conformity assessment. Match compliance effort to risk classification.
- Ignoring sector-specific requirements — General AI regulation is one layer. Healthcare, financial services, and other sectors have additional requirements.
Key Takeaways
- The EU AI Act classifies AI by risk level, with escalating requirements. Most enterprise AI falls in the minimal or limited risk categories. AI used for employment decisions, credit scoring of individuals, and educational assessment is high risk.
- Regulation applies to AI USERS, not just AI builders. Organizations that deploy AI have compliance obligations.
- Global regulatory trends converge on: risk-based approaches, transparency, accountability, data governance, and human oversight.
- The governance and responsible AI practices from Lessons 12–14 directly support regulatory compliance.
Next Lesson
There's one risk area that existing governance often misses entirely. In Lesson 16, we'll address Shadow AI — the AI tools employees are using without organizational oversight — and how to move from prohibition to productive governance.