Governance

AI Compliance Policy

Last updated: March 31, 2026

This Policy sets mandatory requirements for the design, procurement, integration, deployment, and oversight of Artificial Intelligence ("AI") systems by Privacy Studios Advisory LLC ("PrivacyStudios," "we," "us," "our"). It aligns with the EU Artificial Intelligence Act and applicable U.S. requirements (e.g., FTC Act §5; CCPA/CPRA; VCDPA; sectoral laws including ECOA, FCRA, HIPAA, FERPA, COPPA), as well as local ordinances such as NYC's Automated Employment Decision Tools (AEDT) and California AI transparency/safety statutes. Where frameworks conflict, we apply the more stringent standard.

Section 1

Scope & Applicability

This Policy covers: (i) AI systems we develop or integrate into products/services; (ii) internal AI tools used for operations (e.g., HR, support, marketing, analytics); and (iii) advisory engagements where we recommend, configure, or oversee client AI systems. It applies to employees, contractors, consultants, and vendors handling AI-related data, systems, or decisions on our behalf.

1.1 Roles under the EU AI Act

  • Deployer: when we use AI systems under our authority.
  • Provider: when we place AI systems on the market or put into service under our name/trademark and assume compliance duties.
  • Importer/Distributor: when we introduce or make available third-party AI systems in the EU.

1.2 Leadership & Accountability

We designate an AI Risk Owner (senior executive) who chairs the AI Review Board, approves risk classifications and material changes, and reports to leadership/Board on incidents, metrics, and improvements.

Section 2

Key Definitions

AI System: Machine-based system that infers from its inputs how to generate outputs (predictions, content, recommendations, decisions) that can influence physical or virtual environments.
Agentic AI: AI systems capable of autonomous reasoning, planning, and action, such as initiating tasks, updating databases, and adapting dynamically with minimal human intervention. Distinct governance obligations apply.
High-Risk AI: Categories listed in Annex III of the EU AI Act, or AI systems that make or are a substantial factor in consequential decisions (employment, education, health, finance, housing) under U.S. state laws such as the Colorado AI Act.
GPAI: General-purpose AI models (e.g., foundation models/LLMs) usable across diverse tasks or for integration into other AI systems. Subject to EU AI Act GPAI obligations from August 2, 2025.
Deployer / Provider: As defined in the EU AI Act. Providers place AI systems on the market or put them into service under their own name or trademark; Deployers use them under their own authority.
FRIA: Fundamental Rights Impact Assessment, required of certain deployers of high-risk AI systems under Article 27 of the EU AI Act.
EU AI Office: European Commission body that supervises and enforces the EU AI Act's obligations for GPAI models and coordinates with national authorities, with particular focus on GPAI models with systemic risk.
Consequential Decision: Under the Colorado AI Act and similar U.S. state laws: a decision with a legal or similarly significant effect on an individual in areas such as employment, education, finance, healthcare, insurance, or housing, where an AI system makes or is a substantial factor in making the decision.
TRAIGA: Texas Responsible Artificial Intelligence Governance Act (HB 149), effective January 1, 2026. Prohibits developing or deploying AI with the intent to unlawfully discriminate, to manipulate a person toward self-harm or criminal activity, or to infringe constitutional rights; imposes AI-interaction disclosure duties on governmental entities; enforced by the Texas Attorney General with a cure period.
NIST AI RMF: U.S. National Institute of Standards and Technology AI Risk Management Framework, a voluntary but widely adopted governance reference aligned with international standards including ISO/IEC 42001.
Digital Omnibus: European Commission proposal (November 2025) to simplify and align the GDPR, EU AI Act, and ePrivacy framework. Pending; may adjust AI training data provisions and high-risk timelines.

Section 3

AI Governance & Accountability

3.1 AI Review Board

Cross-functional Board (Legal/Compliance, Engineering, Product, Data Science, Security) chaired by the AI Risk Owner. Mandate: approve new use cases; audit live systems; investigate incidents; track regulatory changes; recommend updates. Meets monthly and ad hoc for urgent/high-risk matters.

3.2 AI Inventory & Asset Register

  • System name/version/owner; use-case & purpose; intended users.
  • Risk class (Unacceptable / High / Limited / Minimal).
  • Data sources, processing, retention.
  • Third-party/model dependencies.
  • Compliance artifacts (assessments, logs, incidents).
  • Approval date, review cadence, responsible personnel.

Section 4

Risk Classification & Assessments

4.1 Classification

Unacceptable: Prohibited (e.g., social scoring).
High-Risk: Annex III contexts (employment, education, essential services); conformity steps and oversight required.
Limited: Transparency obligations (e.g., chatbots).
Minimal: Baseline controls; voluntary codes encouraged.

4.2 FRIA

For high-risk systems we complete a Fundamental Rights Impact Assessment (privacy/bias/rights impacts, mitigations, residual risk) and retain it as technical documentation for Board review.

Section 5

Data Governance, Privacy & Intellectual Property

5.1 Data Quality

  • Relevance & representativeness; accuracy & completeness; bias mitigation; traceability.

5.2 Privacy & Data Protection

  • Lawful basis; minimization/purpose limitation; retention limits; security; cross-border safeguards.

5.3 IP & Licensing

  • License verification and attribution; provenance checks; legal review for datasets/models where appropriate.

Section 6

Transparency, Disclosures & Content Provenance

6.1 User-Facing Disclosures

  • AI interaction notice; purpose/scope; limitations/risks; human contact/oversight.

6.2 AI-Generated/Modified Content

  • Provenance signals (e.g., watermarking/metadata); disclosure of AI involvement; preservation of originals/audit trails.

6.3 Technical Documentation

  • Architecture/data flows/logic; training data & performance metrics; risk mitigations; instructions for use; conformity docs where applicable.

Section 7

Human Oversight, Contestation & Due Process

7.1 HITL Requirements

  • Qualified reviewers; override/intervention; meaningful human review; fallback procedures.

7.2 Individual Rights & Contestation

  • Access information; request human review; contest/appeal; remediation paths.

Section 8

Model Quality, Safety, Fairness & Security

8.1 Validation & Testing

  • Performance benchmarks; robustness; fairness audits; safety validation; explainability.

8.2 Cybersecurity & Adversarial Resilience

  • Secure SDLC; model protection; red-team/adversarial testing; incident response; patching.

8.3 Continuous Monitoring

  • KPIs; drift detection; alerts & escalation; periodic re-evaluation.

Section 9

Logging, Monitoring, Incident Management & Reporting

9.1 Logging

  • Inputs/outputs, pseudonymous IDs, timestamps; model version/config; oversight actions; errors/anomalies.

9.2 Incidents

  • Classification (serious/near-miss); root-cause; corrective actions; central register.

9.3 Reporting

  • Serious incident notifications; transparency reports; data-breach notifications; regulator cooperation.

Section 10

Third-Party Vendors, Open-Source & GPAI

10.1 Vendor Due Diligence & Contracts

  • Regulatory posture; data handling; transparency; performance; incident processes.

10.2 Open-Source Components

  • Licenses & attribution; provenance/limitations; independent validation; security updates; guardrails & oversight.

10.3 GPAI Obligations

  • Upstream documentation; downstream integration safeguards; systemic-risk duties where applicable.

Section 11

U.S. Federal & State Requirements

11.1 Federal Framework

No comprehensive federal AI statute is in effect as of March 2026. Regulation occurs through executive orders, agency guidance, and existing sector laws. The following federal instruments are currently applicable or directionally significant:

  • Existing sector laws: FTC Act §5 (deceptive/unfair practices); ECOA/FCRA (algorithmic credit and employment decisions); HIPAA (AI in health data contexts); FERPA (AI in education); COPPA (AI targeting minors).
  • Executive Order 14179 — "Removing Barriers to American Leadership in AI" (January 23, 2025): Revoked Biden-era EO 14110. Reoriented federal policy toward innovation-first AI development; removed prior transparency and data protection directives. Does not impose direct obligations on private actors but reshapes federal procurement and agency enforcement posture.
  • Executive Order — "Ensuring a National Policy Framework for AI" (December 11, 2025): Signals federal intent to preempt conflicting state AI laws. Established an AI Litigation Task Force to challenge state regulations deemed inconsistent with federal objectives. Directs Department of Commerce to assess overly restrictive state laws. Does not itself create enforceable obligations on private parties but may affect enforceability of state laws over time.
  • America's AI Action Plan (July 2025): Non-binding roadmap covering 90+ federal policy actions across innovation, infrastructure, and international AI diplomacy. Influences agency procurement expectations and export posture.
  • OMB Memorandum on Federal AI Governance (April 2025): Directs federal agencies to accelerate AI adoption with risk management practices aligned with NIST AI RMF. Applies to federal agencies; indirectly shapes vendor expectations for government contractors.
  • TAKE IT DOWN Act (enacted 2025): Requires rapid removal of nonconsensual AI-generated intimate imagery. Imposes notice and takedown obligations on platforms hosting synthetic content.
  • FTC and EEOC enforcement: Both agencies have made clear that existing consumer protection, employment discrimination, and credit laws apply fully to AI-mediated decisions. Disparate impact and unfair practice liability applies even when relying on third-party AI models.

11.2 California

California remains the most active state AI regulator. Key statutes:

  • AI Transparency Act (SB 942): Requires covered providers of generative AI systems to offer a free AI detection tool and to attach latent (and, on request, manifest) provenance disclosures to AI-generated content. Originally set to become operative January 1, 2026; amended in 2025 by AB 853, so confirm the current operative date before relying on it. Enforcement by the California Attorney General with penalties for ongoing noncompliance.
  • Generative AI Training Data Transparency Act (AB 2013) (effective January 1, 2026): Requires developers of generative AI systems made available to Californians to post documentation on the training data used (sources, ownership, whether personal information was included). Subject to active legal challenge (xAI v. California AG, filed December 2025) on First Amendment and takings grounds; monitor for injunctions.
  • CCPA/CPRA: Consumer rights over AI-processed personal data; opt-out of profiling; sensitive data obligations. Ongoing enforcement.
  • California AI safety legislation: SB 1047 (2024) was vetoed; monitor successor frontier-model safety bills and any implementing rules, as legislative intent in this area continues.

11.3 Texas

  • Texas Responsible Artificial Intelligence Governance Act (TRAIGA, HB 149) (effective January 1, 2026): Applies to persons developing or deploying AI systems in Texas. Prohibits AI developed or deployed with the intent to unlawfully discriminate against a protected class, to manipulate a person into self-harm or criminal activity, or to infringe constitutional rights; requires governmental entities to disclose when a person is interacting with AI. Enforcement by the Texas Attorney General with a 60-day cure period and civil penalties; no private right of action. Compliance with a recognized framework such as the NIST AI RMF supports an affirmative defense. Note: the pre-decision notification and appeal obligations for private-sector consequential decisions found in earlier drafts were not enacted, and disparate impact alone does not establish the intent element, so the anti-discrimination controls in Section 8 remain our operative safeguard for Texas deployments.

11.4 Colorado

  • Colorado AI Act (effective June 30, 2026): Comprehensive obligations for developers and deployers of high-risk AI systems. Covers risk management, algorithmic discrimination mitigation, consumer disclosures, and appeal rights. Implementation delayed from February 1, 2026. Subject to potential federal preemption challenge under December 2025 EO — monitor for litigation. Where applicable, requires annual impact assessments and public summaries for high-risk deployments.

11.5 New York

  • NYC Local Law 144 (AEDT) (in force): Employers using automated employment decision tools must conduct annual bias audits, notify candidates, and publish public audit summaries.
  • New York RAISE Act (passed legislature, awaiting Governor signature as of March 2026): Targets developers of high-cost AI models; mandates safety policies, risk-mitigation frameworks, and prohibits deployment of certain high-capability models without adequate safeguards. Penalties up to $10M (first offense) and $30M (repeat). Monitor for signature and implementation rules.
  • New York state-level AI bills (2025 session): Multiple bills addressing AI in employment, healthcare, and consumer interactions — await gubernatorial action.

11.6 Other States

  • Illinois: BIPA (biometric data); new AI companion and therapeutic disclosure requirements for consumer-facing AI interactions involving minors.
  • Utah — Artificial Intelligence Policy Act: Requires clear disclosure when consumers interact with generative AI in regulated commercial contexts.
  • Consumer privacy laws: CCPA/CPRA (CA), VCDPA (VA), ColoPA (CO), CTDPA (CT), and equivalents in 13+ states — all impose rights over automated profiling and AI-processed personal data. Apply the strongest relevant protection as our baseline.
  • Federal preemption landscape: As of March 2026, over 45 states have proposed AI-related bills. The December 2025 EO creates legal uncertainty around enforceability of some state laws. Monitor closely; we apply existing state law unless and until a court or federal action suspends it.

Section 12

EU AI Act & European Frameworks

12.1 EU AI Act — Implementation Timeline

The EU AI Act (Regulation 2024/1689) entered into force August 1, 2024. Obligations apply in phases:

February 2, 2025: Prohibited AI practices take effect. Social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), subliminal or manipulative techniques, and emotion recognition in workplace and education contexts (except for medical or safety reasons) are banned outright.
August 2, 2025: GPAI obligations apply. Providers of general-purpose AI models must maintain technical documentation, put in place a copyright compliance policy, and publish a sufficiently detailed summary of training content. Models assessed as posing systemic risk (cumulative training compute exceeding 10²⁵ FLOPs, or Commission designation) face additional duties: adversarial testing, serious-incident reporting to the EU AI Office, cybersecurity assessments, and energy consumption reporting.
August 2, 2026: High-risk obligations apply for Annex III systems: employment/HR, education, essential services, law enforcement, migration, justice, critical infrastructure. Pre-market conformity assessment, post-market monitoring, and serious-incident reporting required. High-risk systems that are products, or safety components of products, covered by the Annex I product legislation follow on August 2, 2027.
Penalty structure: Up to €35M or 7% of global annual turnover for prohibited practices; €15M or 3% for other obligations, including high-risk requirements; €7.5M or 1% for supplying incorrect information to authorities. Extraterritorial reach: the Act applies where AI systems are placed on the EU market, used by EU-based deployers, or where their output is used in the EU.

12.2 Deployer Duties (Current)

  • Use AI systems per provider instructions and intended purpose.
  • Maintain human oversight; monitor performance post-deployment.
  • Complete FRIA where required for high-risk systems affecting fundamental rights.
  • Maintain deployment logs and ensure output transparency to users.
  • Cooperate with national competent authorities (Market Surveillance Authorities) upon request.

12.3 High-Risk Controls (Applicable from August 2, 2026)

  • Risk management system throughout AI lifecycle.
  • Data governance: training data quality, representativeness, bias mitigation.
  • Technical documentation and automatic logging.
  • Transparency and instructions for use provided to deployers.
  • Human oversight measures enabling intervention.
  • Accuracy, robustness, and cybersecurity requirements.
  • Post-market monitoring and serious-incident reporting to the market surveillance authorities of the Member States where the incident occurred (Article 73).

12.4 GPAI Obligations (In Force August 2, 2025)

  • Retain and provide upstream technical documentation to downstream providers.
  • Pass safety guidance and limitations downstream to integrators.
  • Comply with EU copyright law on training data; publish summaries of training data used.
  • For systemic-risk models: adversarial testing, cybersecurity assessment, incident reporting to EU AI Office, energy consumption tracking.

12.5 EU AI Office

Established within the European Commission, the EU AI Office coordinates enforcement for GPAI models across member states. National competent authorities (Market Surveillance Authorities) enforce requirements for high-risk AI systems deployed within their territories. We monitor EU AI Office guidance, codes of practice, and enforcement decisions as they develop.

12.6 EU Digital Omnibus Proposal

The European Commission introduced the Digital Omnibus proposal in late 2025, seeking to simplify and align the GDPR, EU AI Act, and ePrivacy framework. Proposed changes include adjustments to training data provisions, relaxed restrictions on certain AI data processing, and potential timeline adjustments for high-risk obligations. Outcome and final text remain pending as of March 2026. We treat existing obligations as operative and will update this Policy as the Omnibus is finalized.

12.7 GDPR Interaction

The EU AI Act operates alongside GDPR. Automated decision-making with legal or similarly significant effects requires a lawful basis, transparency, and the right to human review (Article 22 GDPR). Where AI systems process personal data, both frameworks apply concurrently. The Digital Omnibus may adjust some GDPR provisions relevant to AI training — monitor for final text.

Section 13

Asia-Pacific & International Requirements

As PrivacyStudios advises clients across multiple jurisdictions, we track binding and emerging AI frameworks globally. The following summarizes material developments in key Asia-Pacific and other international jurisdictions as of March 2026. Where a framework is not yet binding, it is noted as such.

13.1 China

  • Generative AI Services Management Measures (effective August 2023, enforced): Requires Chinese providers of generative AI services to obtain user consent, ensure data quality, label AI-generated content, establish user complaint mechanisms, and conduct algorithm security reviews. Applies to services with "public opinion attributes" or "social mobilization capacity." Non-Chinese providers offering services to users in China may be within scope.
  • Measures for Labelling AI-Generated and Synthetic Content (effective September 1, 2025): Platforms must implement detection mechanisms including audio watermarking, encrypted metadata, and VR-based watermarking for synthetic content. Mandatory labeling of AI-generated images, audio, and video.
  • Cybersecurity Law (CSL) Amendments (effective January 1, 2026): China's top legislature passed major amendments to the CSL on October 28, 2025, introducing AI-specific provisions for the first time into Chinese national law. Covers AI R&D support, training data infrastructure requirements, AI ethics rulemaking, and AI risk assessment and security governance obligations. Detailed implementing rules anticipated.
  • AI Plus Action Plan (August 2025): National strategic blueprint for AI deployment across six sectors: science, industry, consumer services, public welfare, governance, and international collaboration. Targets 70% AI penetration in key sectors by 2027. Non-binding but shapes regulatory priorities.
  • Draft AI Law (proposed May 2024, pending): Would introduce binding requirements for high-risk AI systems; create a comprehensive regulatory framework equivalent in scope to the EU AI Act. Status: under legislative review. Monitor for adoption.

13.2 South Korea

  • AI Basic Act (enacted January 2025, in force January 2026): South Korea's comprehensive AI law introduces risk-based classification broadly aligned with the EU AI Act, with lighter compliance requirements and a stronger innovation emphasis. Key obligations: transparency and disclosure for high-impact AI systems; risk assessment documentation; human oversight requirements; individual rights including access and contestation. Applies extraterritorially where AI systems affect Korean users. The Personal Information Protection Commission (PIPC) released generative AI guidelines (August 2025) supplementing the Act.

13.3 Japan

  • AI Promotion Act (enacted May 2025, effective June 2025): Establishes a non-binding governance framework emphasizing voluntary cooperation over penalties. Focuses on strategic coordination across government agencies, transparency goals for AI systems, and R&D promotion in manufacturing, healthcare, and robotics. Japan maintains a principles-based approach relying on existing laws rather than AI-specific enforcement — but transparency and responsible use expectations are embedded.
  • AI Safety Institute (AISI): Japan's AISI, modeled on the UK institution, focuses on pre-deployment testing of frontier models and international coordination through the G7 Hiroshima AI Process.

13.4 Singapore

  • Model AI Governance Framework (MAIGF): Singapore's foundational voluntary framework covering explainability, fairness, and accountability in AI deployment. Regularly updated; currently integrated with ISO/IEC 42001 and NIST AI RMF for international interoperability.
  • Model AI Governance Framework for Generative AI (2024): Developed with input from 70+ global organizations including Anthropic, Google, and Microsoft. Addresses generative AI-specific risks including hallucination, data privacy, and content safety.
  • Model AI Governance Framework for Agentic AI (January 2026, launched at WEF Davos): World's first comprehensive governance framework for agentic AI systems. Introduces Agent Identity Cards (standardized disclosures of capabilities, limitations, authorized action domains, and escalation protocols) and a five-tier autonomy taxonomy. Non-binding but highly influential for professional services using autonomous AI tools.
  • No binding AI legislation: Singapore maintains a voluntary, sector-specific approach with no comprehensive AI law. Governance is coordinated through IMDA and the Personal Data Protection Act (PDPA). A National AI Council chaired by the Prime Minister was announced in Budget 2026.
  • AI Assurance Framework (planned 2026): Will unify technical, organizational, and ethical testing criteria across Singapore's existing tools (AI Verify, ISAGO). Monitor for publication.

13.5 Vietnam

  • AI Law (promulgated December 2025, phased implementation from March 2026 over four years): Vietnam became the first Southeast Asian country to enact a binding AI law. Covers AI labeling, transparency obligations, and prohibitions tied to human rights and public order. Detailed enforcement mechanisms and regulatory infrastructure are being established through 2026. Monitor implementing regulations as they are issued.

13.6 Taiwan

  • AI Basic Act (effective January 2026): Introduces a foundational AI governance framework with sector-specific initiatives already in place. Draft laws and additional guidelines under consideration. Focus on transparency and responsible use.

13.7 Canada

  • Artificial Intelligence and Data Act (AIDA): Proposed as part of Bill C-27 (Digital Charter Implementation Act, 2022), AIDA would have imposed obligations on "high-impact" AI systems including risk mitigation, transparency, recordkeeping, and incident reporting, broadly aligned with the EU risk-based model. Bill C-27 died on the Order Paper when Parliament was prorogued in January 2025; any successor would have to be reintroduced. Canada currently relies on PIPEDA and sector guidance for AI-related obligations. Monitor for a successor bill; organizations operating across North America would need to reconcile it with U.S. state laws and any future federal guidance.

13.8 Brazil

  • Brazilian AI Framework — Bill No. 2338 (approved by Senate December 2024, awaiting final legislative approval as of March 2026): Comprehensive AI law closely aligned with the EU AI Act, grounded in privacy and fundamental rights. Would introduce risk-based obligations, transparency requirements, and accountability mechanisms. Monitor for final adoption and enforcement date.

13.9 Our Approach to International Compliance

Where frameworks conflict, we apply the more stringent standard. For jurisdictions where AI law is not yet binding, we monitor developments and adopt applicable principles voluntarily where doing so serves client trust and operational readiness. We use the EU AI Act as our compliance ceiling and NIST AI RMF as our governance foundation, with local frameworks addressed as the adaptation layer.

Section 14

Individual Rights Requests (IRR)

Individuals may request access, correction, deletion, portability, restriction, or objection to profiling with legal or similarly significant effects. For contested AI outcomes, we provide meaningful information on the logic involved and arrange human review.

Submit Individual Rights Requests to legal@privacystudios.com

Section 15

Children, Biometrics & Sensitive Uses

  • Parental consent where required.
  • Heightened scrutiny for biometrics/health/finance.
  • Elevated precision thresholds.
  • Human-in-the-loop for consequential decisions.
  • Red-lines for practices lacking scientific basis (e.g., emotion recognition in hiring).

Section 16

Change Management & Versioning

  • Change tickets with risk assessment.
  • Updated tests/validation.
  • AI Review Board sign-off.
  • Version pinning/rollback/kill-switches.
  • Audit trails.

Section 17

Contact & Enforcement

Questions, concerns, or requests relating to this Policy should be directed to:

PrivacyStudios Advisory LLC

legal@privacystudios.com