How to respond to an AI regulatory investigation

Regulatory investigations into AI practices are increasing. Whether triggered by a complaint, a supervisory examination, a media report, or a regulator's own initiative, the first 48-72 hours shape the organisation's position for months or years. This guide covers what to do when a regulator comes calling about your AI.

Likely trigger points

Regulators open AI-related investigations in several ways: routine supervisory examination uncovers AI governance gaps (APRA (Australian Prudential Regulation Authority), FCA (Financial Conduct Authority), Fed, OCC); individual complaint about an AI-driven decision (ICO, OAIC (Office of the Australian Information Commissioner), CFPB, PDPC); media coverage of an AI incident or failure; self-reported incident or breach notification; market-wide thematic review (ASIC (Australian Securities and Investments Commission) REP 798 was a thematic review of AI governance in Australian financial services); whistleblower disclosure; cross-regulator referral.

First 48-72 hours

Preserve evidence. Impose a litigation hold on all relevant documents, emails, logs, model outputs, and system configurations. AI systems create evidence that may be transient: model versions, training data snapshots, decision logs. Preserve the specific model version and configuration that were in force at the time of the relevant events, not the current version.

Engage legal counsel. Use external legal counsel with AI regulatory experience. Legal privilege applies to communications with legal counsel, so ensure privilege is properly established before substantive internal discussions take place.

Identify the scope. What specifically is the regulator investigating? Which AI systems, which decisions, which time period, which legal basis? The scope determines which team members, documents, and systems are relevant.

Assemble the response team. Legal, compliance, risk, technology (AI/ML team), the business owner of the relevant AI system, and communications. Appoint a named coordinator for all regulator interactions; a single point of contact avoids conflicting communications.

What regulators typically request

AI system inventory and risk classification for the relevant system(s). Model documentation: model cards, validation reports, bias testing results. Decision logs and audit trails for affected individuals. Data governance documentation: data sources, data quality, DPIA. Governance framework: AI policy, committee minutes, board reporting. Vendor documentation: contracts, due diligence, sub-processors. Incident response: prior incidents, remediation actions. Staff training records.

What helps your position

Having an AI inventory you can produce quickly. Being able to show governance operated before the investigation, not built in response to it. Documentation that demonstrates considered decision-making: rationale for risk classification, control design, monitoring approach. Evidence of board engagement and challenge. Vendor due diligence that includes AI-specific assessment. Prompt, complete, and accurate responses to regulator requests; regulators notice whether organisations are responsive or obstructive.

What hurts your position

No AI inventory: the regulator's first question is "what AI do you have?", and not being able to answer is immediately problematic. Governance documentation created after the investigation began. Inconsistencies between what you tell the regulator and what the evidence shows. Defensive or obstructive behaviour. Evidence of known problems that weren't addressed.

Primary sources: APRA · FCA · ICO