A 28-person AI agency based in New York served clients across healthcare, financial services, and retail. In 2025, they counted the regulations that directly affected their AI work: HIPAA for healthcare clients, SOX and FINRA requirements for financial services clients, CCPA for any client with California customers, the EU AI Act for clients with European operations, GDPR for European data, and a growing list of state-level AI regulations. Each regulation had different requirements, different timelines, and different enforcement mechanisms. The agency had been managing compliance on a project-by-project basis, with individual project leads interpreting regulatory requirements as best they could. A compliance audit by a financial services client revealed that the agency's interpretation of model risk management requirements was inconsistent across three different projects for the same client. The audit finding triggered a 60-day remediation period and put 1.4 million dollars in annual revenue at risk. The agency realized they needed a systematic compliance management program, not individual heroics.
The AI regulatory landscape is complex, fragmented, and expanding rapidly. Agencies that manage compliance ad hoc will eventually get caught by an inconsistency, a missed requirement, or a regulatory change they did not track. This playbook shows you how to build a compliance management program that scales with your agency and adapts as the regulatory landscape evolves.
The AI Regulatory Landscape
Current Major Regulations
EU AI Act. The most comprehensive AI-specific regulation globally. Risk-based approach with requirements ranging from transparency obligations for low-risk systems to extensive conformity assessments for high-risk systems. Provisions are phasing in from 2025 through 2027.
GDPR. The European data protection regulation affects AI agencies that process data of EU residents. Key AI-relevant provisions include the right to explanation of automated decisions, data protection impact assessments, purpose limitation, and data minimization.
CCPA/CPRA. California's privacy law creates obligations for AI agencies handling California residents' data, including rights related to automated decision-making and the treatment of inferences as personal information.
HIPAA. The US health privacy law applies to AI systems that process protected health information. Requires business associate agreements, security safeguards, and breach notification.
SOX. The Sarbanes-Oxley Act applies to AI systems that touch financial reporting for publicly traded companies. Requires internal controls, documentation, and audit support.
Sector-specific regulations. Financial services (FINRA, OCC guidance, SEC regulations), healthcare (FDA regulation of AI/ML-based medical devices), employment (EEOC guidance, state hiring algorithm laws), and other sectors impose additional requirements.
State and local AI laws. A growing number of US states and cities are enacting AI-specific legislation covering areas like automated employment decisions, facial recognition, and algorithmic accountability.
Emerging Regulations
The regulatory landscape is expanding. Key developments to monitor include federal AI legislation in the US, additional EU implementing regulations and guidance, AI regulation in other major markets (UK, Canada, Australia, Japan, China), sector-specific AI regulation, and international AI governance frameworks.
Building Your Compliance Management Program
Step 1: Regulatory Mapping
Create a comprehensive map of regulations that apply to your agency. For each regulation, document:
- Regulation name and jurisdiction
- Scope. What activities, data types, and system types does it cover?
- Key requirements. What specific obligations does it impose?
- Applicability. Which of your projects and systems are affected?
- Compliance status. Are you currently compliant? Where are the gaps?
- Timelines. When do requirements take effect? What are the compliance deadlines?
- Penalties. What are the consequences of non-compliance?
- Responsible person. Who owns compliance with this regulation at your agency?
Update this regulatory map quarterly or whenever significant regulatory changes occur.
Step 2: Compliance Framework Design
Design a compliance framework that addresses all applicable regulations through a unified set of policies, procedures, and controls. The goal is to avoid managing each regulation in isolation—instead, build a framework that satisfies multiple requirements simultaneously.
Identify common requirements. Many regulations share common themes: data protection, transparency, fairness, accountability, documentation, and monitoring. Map these themes across your applicable regulations to identify overlaps.
Define universal controls. Implement controls that satisfy the common requirements across multiple regulations. For example, a comprehensive data protection program can simultaneously address GDPR, CCPA, HIPAA, and PCI DSS data protection requirements, with targeted additions for each regulation's unique requirements.
Define regulation-specific controls. For requirements unique to specific regulations, implement targeted controls that address those specific requirements without duplicating the universal controls.
Create a compliance matrix. Build a matrix that maps each regulatory requirement to the specific controls, policies, and procedures that address it. This matrix becomes your primary tool for demonstrating compliance and identifying gaps.
Step 3: Policy Development
Develop compliance policies that establish the rules your agency follows. Core policies include:
Data protection and privacy policy. How your agency collects, processes, stores, and deletes personal and sensitive data. Address all applicable data protection regulations.
AI development standards. How your agency develops AI systems, including requirements for documentation, testing, validation, and deployment. Address quality and safety requirements across applicable regulations.
Risk management policy. How your agency identifies, assesses, and manages AI risks. Address risk management requirements from the EU AI Act, NIST AI RMF, and sector-specific regulations.
Third-party management policy. How your agency evaluates, contracts with, and monitors third-party AI tools, models, and data sources. Address supply chain compliance requirements.
Incident response policy. How your agency detects, responds to, and reports compliance incidents. Address breach notification and incident reporting requirements across applicable regulations.
Records management policy. How your agency creates, maintains, and retains compliance documentation. Address documentation and record-keeping requirements across applicable regulations.
Step 4: Compliance Operations
Build the operational processes that keep your agency compliant on a day-to-day basis.
Compliance monitoring. Implement ongoing monitoring of your compliance status. This includes automated compliance checks (access control audits, data protection scans, configuration reviews), periodic compliance assessments (quarterly or semi-annually), and event-driven compliance reviews (triggered by regulatory changes, project changes, or incidents).
Regulatory tracking. Track regulatory developments that may affect your agency. Subscribe to regulatory alerts. Monitor industry publications. Participate in industry groups that discuss regulatory developments. Assign responsibility for regulatory tracking to a specific person or team.
Compliance training. Train all team members on compliance requirements relevant to their roles. Deliver initial training during onboarding and refresher training annually or when significant regulatory changes occur. Track training completion and effectiveness.
Compliance reporting. Report compliance status to leadership regularly (at least quarterly). Reports should cover current compliance status across all applicable regulations, identified gaps and remediation progress, regulatory developments and their implications, compliance incidents and their resolution, and resource needs and priorities.
Step 5: Project-Level Compliance Integration
Integrate compliance into your project delivery workflow so that every project addresses compliance requirements from inception through operation.
Project compliance assessment. At project kickoff, assess which regulations apply to the project based on the industry, geography, data types, system types, and client requirements. Document the assessment and share it with the project team.
Compliance requirements specification. Based on the assessment, define the specific compliance requirements for the project. Include these requirements in the project plan and resource allocation.
Compliance checkpoints. Build compliance checkpoints into the project lifecycle:
- Design review: Verify compliance requirements are addressed in the design
- Pre-deployment review: Verify compliance requirements are met before deployment
- Post-deployment review: Verify compliance controls are operating effectively
- Periodic review: Reassess compliance status at regular intervals
Compliance documentation. Produce compliance documentation as part of the project deliverables. This includes regulatory compliance assessments, data protection impact assessments, conformity assessments (where required by the EU AI Act), and compliance evidence packages.
Managing Cross-Regulation Complexity
Conflicting Requirements
Some regulations may impose requirements that appear to conflict. For example, transparency requirements may tension with trade secret protections. Data retention requirements may conflict with data minimization principles. Explainability requirements may be difficult to satisfy for complex models.
When you encounter apparent conflicts, analyze both requirements carefully—often the conflict is less real than it appears. Seek legal guidance when genuine conflicts exist. Document your analysis, your approach, and the reasoning behind it.
Multi-Jurisdiction Operations
If your agency serves clients in multiple jurisdictions, you need to manage compliance across multiple regulatory frameworks simultaneously. Strategies include:
Highest common denominator. Apply the most stringent requirement across all jurisdictions. This simplifies operations but may over-constrain your work in less regulated markets.
Jurisdiction-specific controls. Implement a base set of controls that satisfy common requirements, with jurisdiction-specific additions for unique requirements. This is more complex but more efficient.
Data segregation. Separate data processing by jurisdiction to enable jurisdiction-specific compliance. This adds infrastructure complexity but provides clear regulatory boundaries.
Compliance Scalability
As your agency grows, compliance complexity grows with it—more projects, more clients, more jurisdictions, more regulations. Plan for scale:
Invest in tooling. Compliance management platforms, automated monitoring tools, and documentation systems become essential as you scale past 25 to 30 people.
Hire compliance expertise. At 30 to 50 people, consider hiring a dedicated compliance professional. At 50-plus people, consider building a compliance team.
Standardize ruthlessly. The more standardized your processes, the easier they are to scale. Resist the temptation to customize compliance approaches for each project—standardize wherever possible and customize only where required.
Automate evidence collection. Manual evidence collection does not scale. Automate the collection of access logs, change records, monitoring data, and other compliance evidence.
Building a Compliance Culture
Compliance Training
Effective compliance training is not a one-time event—it is an ongoing program that keeps your team informed and engaged.
Onboarding training. Every new hire receives compliance training within their first 30 days. The training covers the regulatory landscape that affects your agency, your compliance policies and procedures, the team member's specific compliance responsibilities, how to identify and escalate compliance concerns, and the consequences of non-compliance.
Role-specific training. Different roles have different compliance responsibilities. Data scientists need training on data protection, bias testing, and model documentation requirements. Project managers need training on compliance project planning and client compliance coordination. Sales teams need training on compliance-related client questions and contract provisions.
Regulatory update training. When significant regulatory changes occur, deliver targeted training that covers what changed, how it affects your agency, and what team members need to do differently.
Annual refresher training. Deliver annual refresher training that reinforces core compliance concepts and covers new developments. Keep it practical and relevant—scenario-based training is more effective than abstract lectures.
Compliance Champions
Designate compliance champions in each team or practice area. Compliance champions are not compliance professionals—they are team members with additional compliance awareness who serve as the first point of contact for compliance questions within their team. They identify compliance issues early, before they become problems, and they help embed compliance practices into daily work.
Incentives and Accountability
Build compliance into your performance management framework. Recognize and reward team members who demonstrate strong compliance practices. Hold managers accountable for compliance outcomes in their teams. Make compliance a factor in project success evaluation, not just an afterthought.
Responding to Regulatory Inquiries and Investigations
Despite your best compliance efforts, you may face regulatory inquiries or investigations. Prepare for this possibility:
Legal counsel. Establish relationships with legal counsel experienced in AI regulation before you need them. Do not wait until an inquiry arrives to find a lawyer.
Response procedures. Document procedures for receiving, escalating, and responding to regulatory inquiries. Define who is authorized to communicate with regulators and how communications should be documented.
Evidence preservation. When you receive a regulatory inquiry, immediately preserve all relevant evidence. Do not delete, modify, or destroy any documents, data, or records that may be relevant.
Cooperation. Cooperate with regulatory inquiries fully and honestly. Obstruction or deception will make any situation significantly worse.
Remediation. If an investigation reveals compliance gaps, remediate them promptly and document the remediation. Demonstrating prompt corrective action can significantly reduce penalties.
Your Next Step
This week: Create your initial regulatory map. List every regulation that applies to your agency and its projects. For each regulation, identify the most critical requirements and your current compliance status. Identify the three most significant compliance gaps.
This month: Design your compliance framework. Map common requirements across regulations. Define universal and regulation-specific controls. Build your compliance matrix. Develop your core compliance policies. Begin integrating compliance assessments into project kickoffs.
This quarter: Operationalize your compliance program. Implement compliance monitoring and regulatory tracking. Deliver compliance training to all team members. Build compliance checkpoints into your project delivery workflow. Establish compliance reporting to leadership. Begin closing the most critical compliance gaps identified in your initial assessment.