Model Transparency Requirements by Regulation: What Your Agency Must Disclose and To Whom

A London-based AI agency deployed a credit scoring model for a European neobank. The model was more accurate than the bank's previous scoring approach, improving default prediction by 18%. But when the first batch of rejection letters went out, the bank started receiving requests from declined applicants asking for explanations of why they were denied. The bank forwarded the requests to the agency. The agency had built a black-box gradient boosting model with 200 features. They could not provide meaningful explanations for individual decisions. The bank's compliance team pointed out that GDPR Article 22 requires "meaningful information about the logic involved" in automated decision-making. The agency had to retrofit an explanation layer onto the model in an emergency engagement that cost $85,000, and the bank had to re-issue all rejection letters with adequate explanations within the regulatory timeline. Three applicants filed complaints with the data protection authority before the remediation was complete.

Model transparency is not one thing. It is a set of requirements that differ by regulation, jurisdiction, industry, and use case. What GDPR demands is different from what the EU AI Act demands, which is different from what the FTC expects, which is different from what sector-specific regulators require. Your agency needs to know exactly what transparency is required for each model you build, and you need to build that transparency into the model from the start, not retrofit it after a compliance crisis.

Why Transparency Is a Governance Imperative

Transparency requirements are proliferating because stakeholders across the spectrum demand the ability to understand and scrutinize AI systems.

Regulators need transparency to assess whether AI systems comply with applicable law. A model that cannot be explained cannot be examined for compliance.

Affected individuals need transparency to understand decisions that affect them and to exercise their rights to contest those decisions.

Clients need transparency to fulfill their own regulatory obligations, to make informed decisions about deploying AI systems, and to explain AI-driven actions to their customers.

Courts need transparency to evaluate claims of discrimination, negligence, or breach of duty involving AI systems.

Auditors need transparency to conduct meaningful reviews of AI system behavior and governance.

Regulation-by-Regulation Transparency Requirements

GDPR (European Union)

The GDPR establishes transparency requirements that apply to any AI system processing personal data of EU residents.

Article 13 and 14: Information to be provided. When collecting personal data, you must provide "meaningful information about the logic involved, as well as the significance and the envisaged consequences" of automated processing, including profiling.

• What to disclose: The existence of automated decision-making, including profiling. The logic involved in the processing. The significance and envisaged consequences for the data subject.
• To whom: The data subject, that is the individual whose data is being processed
• When: At the time of data collection (Article 13) or within a reasonable period (Article 14)
• How to comply: Provide a clear, plain-language explanation of how the AI system works at a general level. Explain what data is used, what factors influence the outcome, and what the possible consequences are. This does not require disclosing the algorithm's source code, but it requires more than "we use AI."

Article 22: Automated individual decision-making. Data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

• What to disclose: Meaningful information about the logic involved. Specific explanation for the individual decision when requested.
• To whom: The individual affected by the automated decision
• When: When the individual exercises their right to contest an automated decision
• How to comply: Provide individual-level explanations that describe which factors were most important in the specific decision. LIME, SHAP, or counterfactual explanations can support this requirement. The explanation must be understandable to a non-technical person.

Implementation guidance for agencies:

• Build explanation capability into every model that processes EU personal data
• Prepare general-purpose transparency documentation that describes each model's logic in plain language
• Implement individual explanation generation for models used in automated decision-making
• Test explanations with non-technical users to verify comprehensibility
• Maintain documentation of transparency measures for regulatory examination

EU AI Act

The EU AI Act establishes a risk-based framework with transparency requirements that vary by risk level.

High-risk AI systems (Article 13): Transparency and information to users.

• What to disclose: The system's intended purpose. The level of accuracy, robustness, and cybersecurity the system was tested against. Any known or foreseeable circumstance that could lead to risks. The system's performance in respect to the persons on whom it is intended to be used. Input data specifications. Interpretability of the AI system's output.
• To whom: The deployer, which is typically your client
• When: Before the system is put into service
• How to comply: Provide comprehensive technical documentation including a description of the system's intended purpose, design specifications, performance metrics across relevant subgroups, known limitations, instructions for use, and human oversight measures. This documentation must be detailed enough for the deployer to understand the system and use it correctly.

General-purpose AI models (Article 53): Transparency obligations.

• What to disclose: A sufficiently detailed summary of the training data content. A technical document following a regulatory template. Information for downstream providers to enable compliance with their obligations.
• To whom: The AI Office and downstream providers
• When: Before making the model available
• How to comply: Prepare and maintain the technical documentation specified in the Act. Provide a training data summary that describes the data's sources, characteristics, and preparation without necessarily disclosing the full dataset.

AI systems interacting with humans (Article 50): Transparency for certain systems.

• What to disclose: The fact that the individual is interacting with an AI system. For AI-generated content, the fact that the content was AI-generated.
• To whom: The individuals interacting with or affected by the system
• When: At the time of interaction
• How to comply: Implement clear disclosure mechanisms, such as labels, watermarks, or notifications, that inform users of AI involvement.

FTC Act (United States)

The FTC uses its authority over unfair or deceptive acts to enforce AI transparency requirements.

Section 5: Prohibition of unfair or deceptive practices.

• What to disclose: Any material information that consumers need to make informed decisions about products or services that use AI. Claims about AI capabilities must be truthful and substantiated.
• To whom: Consumers and businesses affected by AI-driven decisions
• When: Before and during the use of AI in consumer-facing contexts
• How to comply: Do not make deceptive claims about AI capabilities. Disclose AI involvement in decisions that materially affect consumers. Provide explanations for AI-driven denials or adverse actions. Ensure that AI-generated content is not presented as human-created when that would be misleading.

FTC guidance on AI and algorithms:

• The FTC has signaled that companies using AI to make decisions about consumers should be able to explain those decisions
• Using AI should not be an excuse for discrimination. If an AI system discriminates, the company is responsible regardless of whether they can explain the AI's reasoning
• Claims that an AI product does something specific must be substantiated by evidence

Fair Credit Reporting Act (United States)

The FCRA requires transparency in consumer credit decisions.

Adverse action notices (Section 615).

• What to disclose: The specific reasons for the adverse action, including the principal factors that contributed to the decision
• To whom: The consumer who received the adverse action
• When: When a consumer is denied credit, insurance, or employment based on a consumer report
• How to comply: Generate specific, actionable reasons for each denial. Generic reasons like "AI score was low" are not sufficient. Provide the top four to five factors that most significantly affected the score. This requires the model to produce factor-level explanations.

Equal Credit Opportunity Act (United States)

ECOA requires transparency in credit decisions and prohibits discrimination.

Adverse action reasons (Regulation B).

• What to disclose: The specific reasons for the credit decision, described in language the applicant can understand
• To whom: The applicant
• When: When credit is denied or offered on less favorable terms
• How to comply: Provide specific reasons that relate to factors the applicant could potentially improve. For AI models, this means generating explanations tied to actionable factors, not abstract model features.

NYC Local Law 144 (United States)

NYC's law requires transparency for automated employment decision tools.

Bias audit disclosure (Section 20-872).

• What to disclose: A summary of the results of the most recent bias audit, including the selection rate for each category and the impact ratio
• To whom: Candidates and employees subject to the automated tool, and the public
• When: The bias audit summary must be publicly available on the employer's website. Individual notice must be given to candidates at least 10 business days before use.
• How to comply: Conduct annual bias audits by an independent auditor. Publish the summary on the employer or agency's website. Provide individual notice to candidates.

State Privacy Laws (United States)

Multiple US states have enacted privacy laws with AI transparency provisions.

Common requirements across state laws:

• Right to know about automated decision-making
• Right to opt out of profiling
• Right to explanations of automated decisions in some states
• Right to appeal automated decisions

Colorado AI Act (effective 2026): Requires deployers of high-risk AI systems to provide consumers with notice that an AI system is being used, an explanation of the purpose and nature of the system, and information about how to contest the decision.

Implementation guidance for agencies operating across multiple states:

• Build transparency capabilities that satisfy the most demanding state requirements
• Implement a modular transparency framework that can be configured for different jurisdictional requirements
• Maintain a regulatory tracker that monitors new state AI transparency requirements
• Document which transparency measures apply in which jurisdictions

Sector-Specific Transparency Requirements

Healthcare (FDA): AI systems used in clinical settings may need to disclose their intended use, performance characteristics, training data representativeness, and limitations.

Financial services (SR 11-7): Model documentation must describe the model's conceptual soundness, development process, performance metrics, limitations, and ongoing monitoring approach.

Insurance: Many states require insurers to disclose the use of AI in underwriting and claims decisions and to provide explanations for adverse decisions.

Employment: Beyond NYC Local Law 144, the EEOC has signaled that employers using AI in employment decisions should be prepared to explain how those decisions are made.

Building a Multi-Regulation Transparency Architecture

Given the patchwork of requirements, build a transparency architecture that satisfies multiple regulations simultaneously.

Layer 1: Model documentation. Comprehensive technical documentation that serves as the foundation for all transparency disclosures.

• Model purpose and intended use
• Training data description and representativeness
• Model architecture and methodology
• Performance metrics across relevant subgroups
• Known limitations and failure modes
• Feature descriptions and importance
• Validation and testing results

Layer 2: General explanations. Plain-language explanations of how the model works, suitable for data subjects and non-technical stakeholders.

• What the model does in business terms
• What data the model uses
• What factors most influence the model's decisions
• What the possible outcomes are
• How individuals can contest decisions

Layer 3: Individual explanations. Explanations for specific decisions, generated on demand.

• Which factors most influenced this specific decision
• How the decision would change if specific factors were different
• What the individual could do to receive a different outcome
• The confidence level of the decision

Layer 4: Regulatory compliance documentation. Documentation formatted to meet specific regulatory requirements.

• GDPR Article 13/14 privacy notices
• EU AI Act technical documentation
• FCRA adverse action reason codes
• Bias audit reports per NYC Local Law 144
• SR 11-7 model documentation for financial services

Implementing Transparency by Model Type

Different model architectures have different transparency capabilities. Your implementation approach must match.

Linear and Logistic Regression Models

Inherently interpretable. Feature coefficients directly explain the model's decision logic.

• Document feature coefficients and their business interpretation
• Generate individual explanations by listing the top contributing features and their contributions
• Validate that coefficient interpretations align with domain knowledge

Decision Tree and Rule-Based Models

Highly interpretable. Decision paths can be traced for individual predictions.

• Document the decision rules in plain language
• Generate individual explanations by tracing the decision path for each prediction
• Visualize key decision branches for non-technical stakeholders

Gradient Boosting and Random Forest Models

Moderate interpretability through post-hoc explanation methods.

• Use SHAP values for both global and local explanations
• Generate individual explanations using SHAP, LIME, or similar methods
• Validate that post-hoc explanations are consistent and stable

Deep Learning Models

Lowest inherent interpretability. Require specialized explanation methods.

• Use attention weights, gradient-based methods, or integrated gradients for explanation
• Implement SHAP or LIME for individual explanations
• Consider using inherently interpretable models for high-transparency-requirement use cases
• If deep learning is necessary, invest in explanation quality and validation

Large Language Models

Unique transparency challenges due to emergent behavior and scale.

• Document the model's capabilities and known limitations
• Implement chain-of-thought prompting to generate reasoning traces
• Provide confidence indicators for generated outputs
• Disclose the AI nature of the system to users

Your Next Step

For every model your agency has in production, create a regulatory transparency checklist. List every regulation that applies based on the jurisdiction, industry, and use case. For each regulation, identify the specific transparency requirement and assess whether your current model documentation and explanation capabilities satisfy it.

If you find gaps, and most agencies will, prioritize them by regulatory risk. Requirements attached to specific enforcement mechanisms like GDPR fines or FCRA adverse action requirements should be addressed first. Build the transparency capabilities into your model development process so that every new model ships with the transparency documentation and explanation capabilities required by every applicable regulation. The agencies that build transparency into their DNA will serve the clients that demand it. The ones that treat it as an afterthought will keep paying for emergency retrofits.