Obligations
AI compliance obligations index
Every obligation we track, grouped by the framework that requires it. Click any obligation to see which vendors offer tooling that helps you meet it. 10 obligations across 6 frameworks.
- AI Impact Assessment (6 vendors)
Documented assessment of a high-risk AI system’s intended use, risks, safeguards, and monitoring, completed before deployment and updated periodically. Required under Colorado AI Act §6-1-1703 (annual impact assessments for deployers; trigger date 30 June 2026 per SB 25B-004) and EU AI Act Art. 27 (Fundamental Rights Impact Assessment for public-sector and certain private-sector deployers of high-risk systems). GDPR Art. 35 DPIAs are a related but distinct obligation — they apply to high-risk personal-data processing generally and are not specific to AI.
- Human Oversight (1 vendor)
Meaningful human review of AI outputs, particularly for high-risk and consequential decisions.
- Incident Reporting (6 vendors)
Process for detecting, documenting, and reporting AI system malfunctions or algorithmic discrimination to regulators within defined timelines. EU AI Act Art. 73 — serious incidents reported to the market-surveillance authority. Colorado AI Act §6-1-1704(3) — algorithmic discrimination must be disclosed to the Colorado Attorney General within 90 days of discovery (effective 30 June 2026 per SB 25B-004).
- Risk Management System (6 vendors)
A documented, iterative process to identify, analyze, evaluate, and mitigate risks from an AI system throughout its lifecycle.
- Transparency & Notice to Individuals (4 vendors)
Clear notice to individuals when AI is used for consequential decisions and meaningful information about the logic involved.
- AI Impact Assessment (6 vendors)
Documented assessment of a high-risk AI system’s intended use, risks, safeguards, and monitoring, completed before deployment and updated periodically. Required under Colorado AI Act §6-1-1703 (annual impact assessments for deployers; trigger date 30 June 2026 per SB 25B-004) and EU AI Act Art. 27 (Fundamental Rights Impact Assessment for public-sector and certain private-sector deployers of high-risk systems). GDPR Art. 35 DPIAs are a related but distinct obligation — they apply to high-risk personal-data processing generally and are not specific to AI.
- Data & Data Governance (7 vendors)
Controls on training, validation, and testing data — quality, representativeness, bias examination, and documentation.
- Human Oversight (1 vendor)
Meaningful human review of AI outputs, particularly for high-risk and consequential decisions.
- Incident Reporting (6 vendors)
Process for detecting, documenting, and reporting AI system malfunctions or algorithmic discrimination to regulators within defined timelines. EU AI Act Art. 73 — serious incidents reported to the market-surveillance authority. Colorado AI Act §6-1-1704(3) — algorithmic discrimination must be disclosed to the Colorado Attorney General within 90 days of discovery (effective 30 June 2026 per SB 25B-004).
- Post-Market Monitoring (9 vendors)
Ongoing monitoring of AI system performance, drift, and incidents after deployment.
- Risk Management System (6 vendors)
A documented, iterative process to identify, analyze, evaluate, and mitigate risks from an AI system throughout its lifecycle.
- Technical Documentation (9 vendors)
Detailed documentation of a model's training data, architecture, performance metrics, limitations, and intended use — required for conformity assessment and audit.
- Transparency & Notice to Individuals (4 vendors)
Clear notice to individuals when AI is used for consequential decisions and meaningful information about the logic involved.
- Data & Data Governance (7 vendors)
Controls on training, validation, and testing data — quality, representativeness, bias examination, and documentation.
- Data Protection Impact Assessment (GDPR Art. 35)
GDPR-mandated assessment of high-risk personal-data processing operations, including AI systems that process personal data. Distinct from EU AI Act Art. 27 FRIA and Colorado AI Act §6-1-1703 impact assessments.
- Human Oversight (1 vendor)
Meaningful human review of AI outputs, particularly for high-risk and consequential decisions.
- Transparency & Notice to Individuals (4 vendors)
Clear notice to individuals when AI is used for consequential decisions and meaningful information about the logic involved.
- Data & Data Governance (7 vendors)
Controls on training, validation, and testing data — quality, representativeness, bias examination, and documentation.
- Post-Market Monitoring (9 vendors)
Ongoing monitoring of AI system performance, drift, and incidents after deployment.
- Risk Management System (6 vendors)
A documented, iterative process to identify, analyze, evaluate, and mitigate risks from an AI system throughout its lifecycle.
- Technical Documentation (9 vendors)
Detailed documentation of a model's training data, architecture, performance metrics, limitations, and intended use — required for conformity assessment and audit.
- Independent Bias Audit (NYC LL 144) (2 vendors)
Annual independent bias audit of an automated employment decision tool (AEDT), with public summary results posted on the employer’s site. Specific to NYC Local Law 144. Other frameworks (EU AI Act Art. 10, Colorado AI Act §6-1-1701 et seq., GDPR Art. 22) require fairness analysis but do NOT mandate this exact form of independent audit.
- Transparency & Notice to Individuals (4 vendors)
Clear notice to individuals when AI is used for consequential decisions and meaningful information about the logic involved.