Part 5 – Practical Considerations

This is Part 5 of 'Regulation of AI'

AI providers have been focussing on their forthcoming AI obligations and on governance for some time. Increasingly businesses and organisations are engaged in assessing how their use of AI comes within the scope of regulation in key territories, are becoming familiar with each regime, and are devising means to keep up with incoming changes.

A plan for action applicable for most businesses includes:

• building in compliance costs - the approach to AI regulation across jurisdictions currently appears so varied that organisations need to factor the costs of compliance into their strategy for the jurisdictions that they plan to provide or deploy AI in;
• implementing AI governance including systems and procedures for data retention and record keeping;
• assessing existing product and service lines and removing or adjusting products or services that use AI in a way that is prohibited or high risk, especially in the EU;
• identifying trusted advisors from the "noise" of what is being offered externally; and
• building internal AI expertise including by providing training to allow individuals to perform their roles and/or use the AI system in a way that is consistent with related policies and procedures - see here for our recommendations on training your staff on AI.

AI providers should have written policies, procedures, and instructions for various aspects of the AI system (including oversight of the system) and produce documentation explaining the technicalities of their AI model and its output. They should assess and document the likelihood and impact of any risks associated with the AI system, including in relation to privacy and security.

Where appropriate businesses might consider using voluntary commitments in their relevant industry sector.  The UK Government published a voluntary Code of Practice for the Cyber Security of AI in January 2025. It applies across the AI lifecycle and is aimed at stakeholders in the AI supply chain, including developers, system operators, data custodians and end-users.

Lastly, as discussed in Part 5 – AI regulation globally, ISO/IEC standards (such as ISO 23894 or ISO/IEC 4200 1:2023) can be used as tools to support the safety, security and resilience of AI systems and solutions.