Definition
The model and its outputs fail to meet legal or regulatory requirements, organisational practices or values in how the business operates.
Controls & guardrails that address this
Grouped by control function, with the AI lifecycle stage(s) to apply each and the other risks it addresses.
Conduct a regulatory impact assessment at design stage. Map planned use case activities to applicable regulatory obligations.
Engage legal and compliance at design stage to identify pre-approval or notification requirements before build begins.
Conduct a formal compliance review of model design, data practices, and outputs before deployment approval.
Obtain all required regulatory pre-approvals and file notifications before go-live. Do not launch without confirmation.
Require legal and compliance review of all training data sources before acquisition to confirm regulatory basis.
Maintain a regulatory change register for applicable rules. Trigger compliance review when new regulatory guidance is issued.
Map notification obligations and timeframes at design and pre-approve templates with legal/compliance. Appoint the notification decision-owner before go-live.
source: PDPC/IMDA mandatory data-breach and incident reporting timeframes; GDPR Art. 33–34 breach notification; NIST SP 800-61r2 (Coordination & Information Sharing); ISO/IEC 27035