LR-301d · Module 1
The Overlap Problem
In LR-201b we covered basic regulatory mapping — jurisdiction inventory, industry overlay, risk classification, and obligation extraction. At the 301 level, the challenge is not identifying individual obligations but managing the relationships between them. The EU AI Act requires transparency. The Colorado AI Act requires impact assessments. GDPR requires data protection impact assessments. Three frameworks, overlapping scope, different terminology, different requirements, different deadlines. The overlap problem is: how do you satisfy all three without doing three separate compliance projects?
- Obligation Harmonization: Map obligations from different frameworks to common requirement categories. The EU AI Act transparency obligation and the Colorado disclosure requirement both map to "inform users they are interacting with AI." One control satisfies both. Harmonization reduces the total number of controls by identifying where a single action satisfies multiple obligations. [RECOMMEND]: Build the harmonization map before designing controls — the efficiency gains compound across every requirement.
- Conflict Resolution: When frameworks conflict — one requires data retention, another requires data deletion — document the conflict and determine which obligation takes precedence based on jurisdiction, enforcement likelihood, and penalty severity. In most cases, the stricter obligation subsumes the less strict one. In genuine conflicts, legal counsel must determine the resolution. [RISK]: Undocumented conflicts between regulatory obligations produce compliance gaps that auditors find.
- Superset Compliance: Build controls that satisfy the strictest requirement across all applicable frameworks. If the EU AI Act requires comprehensive technical documentation and the Colorado AI Act requires basic system description, build the comprehensive documentation. It satisfies both. Superset compliance is more work upfront and less work across the portfolio of obligations.