An AI agency that built hiring tools received a letter from the Equal Employment Opportunity Commission. A job applicant had filed a discrimination charge alleging that the agency's automated screening system had disproportionately rejected candidates over 50. The EEOC requested extensive documentation: the model's design specifications, training data composition, validation testing results, demographic impact analysis, and all communications related to the system's development and deployment. The agency had 30 days to respond. Their documentation was scattered and incomplete. They had never conducted a demographic impact analysis for age. Their training data records did not clearly document the age distribution of the training set. They spent 22 of the 30 days reconstructing documentation that should have existed from the start, leaving only eight days for legal review and response preparation. The response was rushed, incomplete, and failed to adequately address several of the EEOC's concerns. The investigation expanded.
Regulatory inquiries and investigations are a reality of operating in the AI space. The regulatory landscape is expanding, enforcement is increasing, and agencies that build and deploy AI systems are squarely in the crosshairs. Your ability to respond effectively to regulatory inquiries can mean the difference between a resolved inquiry and an expanded investigation, a reasonable fine and a devastating penalty, a preserved reputation and a public enforcement action.
The Regulatory Inquiry Landscape
Who Regulates AI Agencies
Federal agencies in the US. The FTC (consumer protection, unfair or deceptive practices), EEOC (employment discrimination), CFPB (consumer financial protection), HHS/OCR (HIPAA enforcement), SEC (securities and financial reporting), OCC and FDIC (banking and financial services), and FDA (AI/ML-based medical devices).
State regulators. State attorneys general (consumer protection, data protection), state insurance regulators, state financial regulators, and regulators enforcing state-specific AI laws (such as Colorado's AI governance requirements).
EU regulators. National data protection authorities (GDPR enforcement), national market surveillance authorities (EU AI Act enforcement), and the European AI Office.
Industry regulators. The PCI Security Standards Council (payment card data security) and industry-specific self-regulatory bodies.
Types of Regulatory Actions
Information request. The regulator requests specific information or documentation about your AI systems. This is the mildest form of regulatory engagement and is often the starting point.
Formal investigation. The regulator opens a formal investigation into your practices. This typically follows a complaint, a pattern of complaints, or information suggesting non-compliance.
Civil investigative demand (CID). A formal demand for documents, testimony, or answers to written questions. More formal than an information request and typically enforceable.
Consent order or settlement. The regulator and the agency agree to resolve the matter without a formal finding of violation. The agency typically agrees to specific remedial actions and may pay a fine.
Enforcement action. The regulator takes formal enforcement action, which may include fines, cease-and-desist orders, injunctive relief, and public disclosure.
Preparing Before the Inquiry Arrives
Documentation Readiness
The single most important preparation is maintaining complete, organized, accessible documentation for all AI systems. When a regulatory inquiry arrives, you should be able to produce the following within 48 hours:
System documentation. Complete technical description of each AI system including purpose, methodology, architecture, data sources, and outputs.
Development records. Records of the development process including design decisions, testing results, validation reports, and approval records.
Data documentation. Records of all data used in the system including sources, quality assessments, handling procedures, and retention policies.
Fairness and bias records. Results of bias testing, fairness assessments, and any mitigation activities.
Impact assessments. Privacy impact assessments, risk assessments, and ethical assessments conducted for the system.
Operational records. Monitoring data, incident reports, performance metrics, and change management records.
Communications. Relevant internal and external communications about the system's design, deployment, and operation.
Legal Readiness
Identify legal counsel. Establish relationships with legal counsel experienced in AI regulation before you need them. Have counsel who understands the FTC, EEOC, CFPB, GDPR, and EU AI Act enforcement. Do not wait until an inquiry arrives to find appropriate counsel.
Legal hold procedures. Document procedures for implementing a legal hold—the preservation of all potentially relevant documents and data when litigation or a regulatory inquiry is anticipated. A legal hold must be implemented immediately upon receipt of an inquiry and must cover electronic data, paper documents, and communications.
Privilege protocol. Establish protocols for protecting attorney-client privilege during regulatory inquiries. Communications with legal counsel about the inquiry should be privileged, but this privilege can be waived through careless handling.
Response Team
Identify the team that will manage regulatory responses:
Legal lead. Outside or inside counsel who directs the response strategy and reviews all communications with the regulator.
Technical lead. A senior engineer who can locate and explain technical documentation, testing records, and system behavior.
Executive sponsor. A senior leader who authorizes response activities, approves communications, and makes strategic decisions.
Project liaison. The person most knowledgeable about the specific system or project under inquiry.
Document manager. A person responsible for organizing, reviewing, and producing documents in response to regulatory requests.
Responding to a Regulatory Inquiry
The First 48 Hours
The first 48 hours after receiving a regulatory inquiry set the tone for everything that follows.
Read carefully. Read the inquiry in detail. Understand exactly what the regulator is asking for, what the legal basis for the inquiry is, what the deadline is, and what consequences are specified for non-compliance.
Engage counsel immediately. Contact your legal counsel before taking any substantive action. Counsel will advise on the response strategy, the scope of your obligations, and the risks involved.
Implement a legal hold. Immediately preserve all documents, data, and communications that may be relevant to the inquiry. Notify all team members who may possess relevant information. Prohibit the destruction, alteration, or deletion of any potentially relevant material.
Assess the scope. Understand what the inquiry covers—which systems, which time period, which activities. Map the inquiry to your systems and documentation.
Identify the team. Assemble the response team. Assign roles and responsibilities. Set up a communication channel for the response effort.
Communicate internally. Notify relevant internal stakeholders, including leadership. Do not communicate externally about the inquiry without counsel's approval.
Preparing the Response
Document collection. Collect all documents and data responsive to the inquiry. Use the inquiry's specific requests as a checklist. Cast a wide net—under-production is worse than over-production.
Document review. Review collected documents for responsiveness, privilege, and sensitivity. Remove documents that are not responsive or that are privileged. Flag documents that are sensitive or that may raise concerns.
Gap analysis. Identify any requested documentation that does not exist. This is often the most challenging part of the response. If documentation was not created or maintained, you cannot produce it. Be honest about gaps rather than fabricating documentation.
Narrative preparation. Prepare a narrative that explains your AI systems, your governance practices, and how you addressed the specific concerns raised by the inquiry. The narrative should be factual, complete, and presented in a way that demonstrates your good faith compliance efforts.
Response drafting. Draft the formal response with counsel's guidance. The response should be clear, organized, and directly address each element of the inquiry. Do not provide more information than requested, but do not omit relevant information that the regulator would need for a complete picture.
Communicating With Regulators
Tone. Communicate respectfully, professionally, and cooperatively. Regulators respond better to organizations that demonstrate good faith cooperation than to those that are defensive or obstructive.
Accuracy. Every statement to a regulator must be accurate. Providing false or misleading information to a regulator is a separate violation that can carry severe penalties.
Completeness. Provide complete responses to each request. If you cannot fully respond by the deadline, explain what you can provide and when you will provide the remainder.
Proactive disclosure. If your investigation reveals issues beyond the scope of the inquiry, discuss with counsel whether proactive disclosure is appropriate. In some cases, proactive disclosure demonstrates good faith and reduces penalties. In other cases, it may expand the scope of the investigation.
Extension requests. If you cannot meet the response deadline, request an extension promptly and with justification. Most regulators will grant reasonable extensions if requested in good faith.
During an Investigation
If the inquiry escalates to a formal investigation:
Coordinate with your client. If the investigation relates to a system you built for a client, coordinate with the client on the response. Your interests may not be fully aligned—consult your counsel about how to manage the relationship during the investigation.
Witness preparation. If the regulator requests interviews or testimony, prepare witnesses thoroughly with counsel. Witnesses should understand the scope of the inquiry, the relevant facts, and the principles of communicating effectively with regulators (be truthful, be direct, answer only the question asked, do not speculate).
Ongoing production. During an investigation, the regulator may issue multiple rounds of information requests. Maintain your document management system and respond promptly to each request.
Remediation during investigation. If the investigation reveals compliance gaps, begin remediation immediately. Demonstrating prompt corrective action can significantly reduce penalties. Consult counsel on how to communicate remediation efforts to the regulator.
Post-Inquiry Actions
Remediation
Implement all remedial actions committed to during the inquiry or required by any settlement or consent order. Document the remediation thoroughly. Verify that remediation actions are effective.
Compliance Enhancement
Use the inquiry as an opportunity to strengthen your compliance program. Address the specific issues identified by the inquiry and evaluate whether similar issues could exist in other systems or projects.
Lessons Learned
Conduct a post-inquiry review that captures what triggered the inquiry, what went well in the response, what was challenging, what documentation was missing, and what process improvements would help in future inquiries.
Monitoring
After an inquiry, the regulator may conduct follow-up monitoring or require periodic reporting. Build the monitoring and reporting requirements into your operational processes.
Building Regulatory Resilience
Maintain audit-ready documentation. The best preparation for regulatory inquiries is maintaining complete, organized documentation at all times. Do not create documentation for audits—create documentation as part of your normal workflow and keep it current.
Conduct regular self-assessments. Periodically assess your own compliance against applicable regulations. Identify and address gaps before regulators find them. Self-assessments should cover all applicable regulations and should be documented with the same rigor as external audit findings.
Monitor regulatory developments. Track regulatory enforcement actions, guidance, and rulemaking that affects AI. Understanding what regulators are focused on helps you anticipate inquiries and prepare proactively. Subscribe to regulatory newsletters, follow enforcement actions in your industry, and participate in industry groups that discuss regulatory trends.
Build relationships. Engage constructively with regulators through public comment processes, industry groups, and conferences. Building a reputation as a responsible, engaged industry participant can benefit you if an inquiry arises. Regulators are more likely to take a cooperative approach with organizations they know and respect.
Conduct tabletop exercises. Simulate regulatory inquiry scenarios with your team at least annually. Walk through the process from receipt of the inquiry through response preparation and submission. Identify gaps in your readiness and address them.
Regulatory Inquiry Scenarios by Regulator
FTC Investigation
The FTC investigates AI practices under its authority to prohibit unfair or deceptive acts or practices. FTC inquiries often focus on whether AI systems work as advertised, whether data practices match privacy disclosures, whether AI systems cause substantial harm to consumers, and whether claims about AI capabilities are truthful.
Prepare by ensuring your marketing claims about AI capabilities are accurate and substantiated, your data practices match your privacy policies and disclosures, your AI systems include safeguards against consumer harm, and you can demonstrate the testing and validation behind your AI claims.
EEOC Investigation
EEOC investigations focus on whether AI systems used in employment decisions produce discriminatory outcomes. Prepare by conducting regular adverse impact analysis, documenting the job-relatedness and business necessity of all model features, maintaining complete records of model development, testing, and validation, and implementing reasonable accommodation capabilities.
State Attorney General Investigation
State attorneys general investigate AI practices under state consumer protection, privacy, and AI-specific laws. Prepare by understanding the specific laws in every state where you or your clients operate, maintaining documentation that demonstrates compliance with state requirements, and monitoring state enforcement trends to anticipate areas of focus.
EU Regulatory Inquiry
EU regulators enforce GDPR and the EU AI Act through national supervisory authorities. Prepare by maintaining GDPR compliance documentation including records of processing activities, data protection impact assessments, and lawful basis documentation. Prepare EU AI Act conformity assessments for high-risk systems. Designate an EU representative if you are based outside the EU.
Your Next Step
This week: Identify the three most likely regulatory inquiry scenarios for your agency based on your industry, use cases, and the current regulatory environment. For each scenario, assess whether you could produce the requested documentation within 48 hours. Identify the most critical documentation gaps.
This month: Establish your regulatory response team and procedures. Identify and engage legal counsel with AI regulatory expertise. Begin closing the most critical documentation gaps. Implement legal hold procedures.
This quarter: Conduct a comprehensive self-assessment of your compliance posture against applicable regulations. Build audit-ready documentation into your standard workflow. Train your team on regulatory response procedures. Conduct a tabletop exercise simulating a regulatory inquiry to test your response capabilities.