LR-201b · Module 1

Regulatory Mapping

4 min read

The first step in compliance is knowing what you are complying with. That sounds obvious. It is not. The AI regulatory landscape is a patchwork — different jurisdictions, different industries, different levels of enforcement, different effective dates. An organization that serves European clients, operates in three US states, and processes healthcare data can easily be subject to four or more overlapping regulatory frameworks, each with its own requirements, its own definition of "AI system," and its own penalties for non-compliance.

  1. Step 1: Jurisdiction Inventory. List every jurisdiction where you operate, serve clients, or process data. Each jurisdiction is a potential source of AI regulation. The EU AI Act applies to systems placed on the EU market or whose output is used in the EU, regardless of where the provider is established or where the servers are. US state laws generally attach where you do business or where the people affected by the system live. Do not limit the inventory to where your office is. Expand it to where your data touches.
  2. Step 2: Industry Overlay. Layer industry-specific requirements on top of geographic jurisdiction. Financial services, healthcare, government contracting, and education each carry sector-specific rules that apply to AI use and add to the general framework. A healthcare AI application that serves EU patients and handles US protected health information must comply with both the EU AI Act and HIPAA. Neither excuses the other.
  3. Step 3: Risk Classification. Map each AI use case to the risk classification in every applicable framework. The EU AI Act uses four tiers: unacceptable (prohibited outright), high, limited, and minimal. Each tier carries different obligations. An AI system that screens candidates or assists with hiring decisions is high-risk under the EU AI Act, because Annex III lists recruitment and selection of natural persons. The same model used for routine internal scheduling is minimal risk, unless it allocates tasks to workers based on their behaviour or personal traits, which Annex III also lists. The use case determines the classification, not the technology, so the inventory must record the intended purpose of each deployment, not just the product name.
  4. Step 4: Obligation Extraction. For each applicable framework and risk classification, extract the specific obligations: documentation requirements, transparency obligations, human oversight mandates, bias testing requirements, incident reporting procedures. Record the article or section each obligation comes from. These become your compliance checklist: specific, verifiable, and traceable to the source regulation, so an auditor can follow every checklist item back to the text that requires it.