The universal baseline: what every organisation needs

Regardless of jurisdiction, industry, or size, every organisation that uses AI in ways that affect other people should have five things in place. These are not aspirational standards — they are the minimum that can reasonably be called AI governance rather than ungoverned AI use.

1. An AI inventory: a maintained record of what AI systems the organisation operates or uses, what they do, what data they process, and who is responsible for them.
2. An AI use policy: a written document that tells employees what AI tools they can use, what data they can put into AI tools, and who to ask when they are unsure.
3. A data classification for AI: clear guidance on what categories of data (public, internal, confidential, regulated) can go into which categories of AI tools.
4. A vendor AI due diligence process: a defined procedure for assessing new AI tools before they are adopted, including data handling review.
5. An incident response procedure: a documented process for what to do when an AI system causes harm or fails in a material way, including escalation paths and regulatory notification assessment.

EU AI Act compliance checklist for deployers

If your organisation deploys high-risk AI (Annex III categories) affecting EU residents, these obligations are now active.

1. Human oversight: you must implement measures enabling human monitoring of high-risk AI and intervention where necessary — document what these measures are, who is responsible for them, and how they work.
2. Monitoring: you must monitor high-risk AI for performance against intended purposes and residual risks — document what you monitor, at what frequency, and what triggers review.
3. Logs: you must maintain logs of high-risk AI operation for at least six months — verify that logging is active and that logs are being retained and accessible.
4. Incident reporting: if a serious incident occurs (death, serious injury, major property damage, or significant disruption to critical infrastructure), you must report to the relevant national authority — designate who makes this assessment and within what timeframe.
5. Fundamental rights impact assessment: for certain deployer contexts (law enforcement, migration, education, employment, essential services), a fundamental rights impact assessment is required before deployment.

Privacy law AI checklist

For GDPR and UK GDPR compliance:

1. Identify your lawful basis for processing personal data in AI systems — this must be documented and specific to each AI system and processing activity.
2. Review transparency obligations — individuals must be informed when AI processes their data, particularly for automated decisions.
3. Assess Article 22 applicability — if any AI makes decisions about individuals that have legal or similarly significant effects, additional safeguards apply.
4. Conduct Data Protection Impact Assessments for high-risk AI processing — DPIAs are mandatory for certain AI uses (biometrics, systematic profiling, novel technologies in public spaces).
5. Implement data subject rights procedures — individuals have rights to access, rectification, erasure, and objection that apply to AI-processed data.