Policy & governance
This section tracks regulation, standards, and risk management that matter for launch readiness and customer trust.
What changed this year and why it matters
- European Union: the AI Act is moving into implementation. Harmonized standards will define how providers demonstrate conformity. Design now for accuracy, robustness, transparency, human oversight, and cybersecurity controls, since those are the properties the standards will test.
- United States: NIST continues to publish guidance on AI risk and misuse, and agencies are backing standards work. Expect stronger asks for content provenance, evaluation transparency, and secure deployment.
- United Kingdom: public model evaluation work and safety cases help teams build risk registers covering cyber, chemical, biological, and agent topics.
- Singapore: the Model AI Governance Framework for generative AI and the Project Moonshot test toolkit give builders in the region practical playbooks.
- Global standards: ISO/IEC 42001 is the new AI management system standard. Early adopters use it to stand up accountable governance and to prepare for the EU AI Act and similar rules.
Builders guide by region
- EU: map features to the Act's risk levels and prepare technical documentation covering data, evals, monitoring, and human oversight. Track the draft harmonized standards and align controls early.
- US: align to the NIST AI Risk Management Framework and sector guidance. Keep records of evals, incidents, and model updates.
- UK: borrow the safety case structure for sensitive domains and align cyber posture with national guidance.
- Singapore: use the local framework checklists and test suites to set release gates and incident playbooks.
Program controls to implement now
- Policy stack: acceptable use, safety, data retention, incident response, and red team rules of engagement.
- Role clarity: named product, safety, security, and privacy owners, each with a sign-off gate.
- Model register: every model in use, with versions, intended tasks, eval scores, guardrails, and known failure cases.
- Pre-deploy and post-deploy safety evals tied to your risk register: code and tool safety, sensitive biological and chemical knowledge, cyber capabilities, and agent autonomy.
- Human oversight for high-impact flows, with clear escalation paths.
- Supplier due diligence for hosted APIs and for open-weight models, including license checks and vulnerability reviews.
Documentation set
- Model card: purpose, training data summary, limits, and risk notes.
- System card: tools, data sources, external calls, and real-world side effects.
- Change log: prompts, adapters, datasets, and weight updates.
- Audit trail: releases, incidents, and fixes.
Risk and incident management
- Detect: collect user reports and safety signals and route them to an on-call owner.
- Contain: rate limit, disable the affected feature, or roll back.
- Eradicate: fix the root cause, whether it is a prompt, policy, or model change.
- Recover and monitor, then publish a postmortem with actions and owners.
Data protection and privacy
- Set clear retention, consent, and data minimization rules. Never place secrets such as API keys, tokens, or credentials in prompts.
- Scan both input and output for PII and redact where needed.
- Isolate dev, stage, and prod environments and restrict access with least privilege.
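The two scanning rules above (no secrets in prompts, PII redacted on both input and output) are easiest to enforce in a single wrapper around the model call. The following is an added illustration, not code from this page or from any of the frameworks it names. The detector patterns, the placeholder format, the `guarded_call` wrapper, and the echoing stand-in model are all assumptions for the example; a production deployment would swap in its own detector set. It also goes slightly beyond the text by showing why a credit-card detector needs a Luhn check: a bare digit-run regex otherwise redacts order numbers and timestamps and trains users to ignore the guardrail.

```python
import re
from dataclasses import dataclass, field

# Illustrative detector patterns (assumption: not an exhaustive PII or secret
# catalogue; tune them for your own data and locale).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE),
}
# Finding types that must never reach the model at all.
SECRET_TYPES = {"aws_access_key", "bearer_token"}


@dataclass
class ScanResult:
    text: str                                   # text after redaction
    findings: list = field(default_factory=list)  # (kind, original value)
    blocked: bool = False                       # True if the request must not proceed


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; filters digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str, direction: str) -> ScanResult:
    """Scan one prompt (direction='input') or model response (direction='output')."""
    result = ScanResult(text=text)
    redacted = text
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "credit_card" and not luhn_ok(value):
                continue        # digit run that fails Luhn: leave it alone
            result.findings.append((kind, value))
            redacted = redacted.replace(value, f"[REDACTED:{kind.upper()}]")
    # A secret in a prompt is a policy violation, not something to quietly
    # redact: block the call so the owner sees it and rotates the credential.
    if direction == "input" and any(k in SECRET_TYPES for k, _ in result.findings):
        result.blocked = True
    result.text = redacted
    return result


def guarded_call(prompt: str, model) -> dict:
    """Wrap a model call: scan the prompt, refuse on secrets, scan the reply."""
    pre = scan(prompt, "input")
    if pre.blocked:
        return {"status": "blocked", "reason": "secret in prompt",
                "findings": pre.findings}
    reply = model(pre.text)      # the model only ever sees the redacted prompt
    post = scan(reply, "output")
    return {"status": "ok", "prompt": pre.text, "reply": post.text,
            "findings": pre.findings + post.findings}


if __name__ == "__main__":
    # Constructed sample inputs; the lambda stands in for a hosted model API.
    echo_model = lambda p: "Got it: " + p
    print(guarded_call("Email alice@example.com about card 4111 1111 1111 1111", echo_model))
    print(guarded_call("Use key AKIAIOSFODNN7EXAMPLE to list buckets", echo_model))
    print(guarded_call("Order 1234 5678 9012 3456 shipped", echo_model))
```

The wrapper distinguishes the two cases the page treats differently: PII is redacted and the call proceeds, while a credential in the prompt stops the call, because a redacted prompt would silently change what the user asked and the leaked key still needs rotating. Scanning the reply with the same detectors covers the output side, including PII the model regurgitates from its own context.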
Launch gates
- All safety thresholds pass, and the red team has no unresolved critical issues.
- Privacy and security reviews complete, with architecture diagrams and a threat model.
- Model and system cards updated and published.
- Rollback and kill switch tested, not just documented.