<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The AI Governance Playbook]]></title><description><![CDATA[What you need to know about AI governance, before it becomes your problem. For founders, operators, and creators who are using AI.]]></description><link>https://www.aigovernanceplaybook.com</link><image><url>https://substackcdn.com/image/fetch/$s_!1_7J!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc0998477-258a-45f5-b72e-41cadb5f0958_1024x1024.png</url><title>The AI Governance Playbook</title><link>https://www.aigovernanceplaybook.com</link></image><generator>Substack</generator><lastBuildDate>Wed, 15 Jul 2026 18:12:49 GMT</lastBuildDate><atom:link href="https://www.aigovernanceplaybook.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Andy Wood]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[aigovernanceplaybook@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[aigovernanceplaybook@substack.com]]></itunes:email><itunes:name><![CDATA[Andy Wood]]></itunes:name></itunes:owner><itunes:author><![CDATA[Andy Wood]]></itunes:author><googleplay:owner><![CDATA[aigovernanceplaybook@substack.com]]></googleplay:owner><googleplay:email><![CDATA[aigovernanceplaybook@substack.com]]></googleplay:email><googleplay:author><![CDATA[Andy Wood]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[One Rule Explained: AI Literacy]]></title><description><![CDATA[EU Act Article 4]]></description><link>https://www.aigovernanceplaybook.com/p/one-rule-explained-ai-literacy</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/one-rule-explained-ai-literacy</guid><pubDate>Wed, 15 Jul 2026 10:23:26 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/467468e3-a4d0-4f3d-9621-9e4071034185_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>&#8220;We meant to&#8221; won&#8217;t hold up in an audit.</p></div><p>There&#8217;s a rule in the EU AI Act that&#8217;s easy to skim past because it doesn&#8217;t sound like a rule. Article 4 requires &#8220;AI literacy.&#8221; Supervision and enforcement kick in on August 2, and it doesn&#8217;t get a lot of press compared to the high-risk stuff.</p><p>Here&#8217;s what it actually means. </p><p>If your organization uses AI in the EU, in any capacity, you have to take steps so the people using it (staff, plus contractors and vendors acting on your behalf) actually understand what the tool does, what it gets wrong, and what harm it could cause. This isn&#8217;t limited to high-risk systems. A marketing team using a chatbot counts. A support desk using a copilot counts.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.aigovernanceplaybook.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.aigovernanceplaybook.com/subscribe?"><span>Subscribe now</span></a></p><p>The tricky part is that the law doesn&#8217;t say how. No mandated training hours, no certification body, no requirement to hire an AI compliance officer. Just &#8220;to their best extent.&#8221; That flexibility sounds convenient until you realize it hands regulators discretion to judge your effort after something&#8217;s already gone wrong, not before.</p><p>Worth documenting whatever training you&#8217;re doing now. &#8220;We meant to&#8221; won&#8217;t hold up in an audit.</p><p></p><div><hr></div><h6><em><strong>NOT ADVICE</strong></em></h6><h6><em>The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full <a href="https://aigovernanceplaybook.substack.com/p/disclaimer">DISCLAIMER</a></em></h6><h6></h6>]]></content:encoded></item><item><title><![CDATA[EU Sovereign Cloud Investing: The Four-Tier Framework Explained]]></title><description><![CDATA[Cloud and AI Development Act (CADA): What It Means for EU Cloud Investors]]></description><link>https://www.aigovernanceplaybook.com/p/eu-sovereign-cloud-investing-the</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/eu-sovereign-cloud-investing-the</guid><pubDate>Tue, 14 Jul 2026 13:09:36 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/c73bd9fe-d650-4485-a2a6-a87176562806_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>Nobody Reads the Impact Assessment. That's the Problem.</p></div><p>A partner at a Berlin infrastructure fund is looking at a term sheet on a Friday afternoon. The company: a sovereign cloud platform, EU-owned, EU-operated, selling itself as the compliant option once the Cloud and AI Development Act kicks in. One slide shows a hockey-stick chart. &#8220;Addressable public sector spend.&#8221; Big number. She&#8217;s spent two weeks trying to figure out if it&#8217;s real.</p><p>This is where a lot of European infrastructure investing sits today. A real law meets a founder story that ran way ahead of what the law says.</p><p>CADA publishes in the EU&#8217;s Official Journal on July 15 and takes effect August 4. It&#8217;s the centerpiece of the Commission&#8217;s Tech Sovereignty Package, adopted in early June. The goal: triple EU data center capacity in five to seven years, cut reliance on non-EU cloud and AI providers.</p><p>Here&#8217;s how it works. Four sovereignty tiers. Public bodies run their own risk assessments and decide which tier a contract needs. Level 1 just means you&#8217;re an EU entity, and the Commission has said outright that EU subsidiaries of US companies clear that easily. Level 2 wants proof of independence from third-country influence and a transparent supply chain. Level 3 wants EU ownership and control, down to citizenship requirements for personnel. Level 4, the &#8220;Strategic Autonomy Cloud&#8221; tier, is for defense: full transparency, zero third-country interference.</p><p>Now the part nobody puts in a pitch deck. The Commission&#8217;s own impact assessment says about 20% of public contracts will need Level 2. Under 10% will need Level 3. About 1%, mostly defense, needs Level 4. Everything else, the bulk of public cloud spend, clears at Level 1. AWS, Microsoft and Google&#8217;s European subsidiaries meet that bar without changing much about how they run.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.aigovernanceplaybook.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.aigovernanceplaybook.com/subscribe?"><span>Subscribe now</span></a></p><p>So the founder pitch since June has basically been: the EU just handed European cloud providers a protected market. That&#8217;s not what happened. The law hands them a protected sliver. Real, growing, but nowhere close to the bulk of public procurement. Price a Series B off &#8220;broad market capture&#8221; and the actual numbers will come in short, because most agencies have no legal reason to go past Level 1 or 2, and the hyperscalers can hit both.</p><p>That doesn&#8217;t kill the sovereign cloud thesis. It just means you underwrite it tier by tier, not off the headline. A company that can genuinely clear Level 3 or 4, real EU ownership, EU staff, demonstrable independence, is fighting for a small pool. But it&#8217;s a pool the hyperscalers can&#8217;t enter without restructuring they&#8217;ve shown zero interest in doing. That&#8217;s a real moat. It just covers maybe 10% of addressable public contracts, and none of the private sector, which isn&#8217;t bound by any of this.</p><p>There&#8217;s a second problem, and it&#8217;s the one that gets skipped when people only read the regulation. Tripling data center capacity takes serious money. CADA tries to help, faster permitting, better access to energy, land and financing, but European VC is still structurally smaller than the US market at every stage past Series A. And the Delaware flip hasn&#8217;t gone anywhere. Founders still reincorporate in the US to reach deeper capital pools. A company that flips to raise its Series C stops qualifying for the sovereignty tiers it was built to serve in the first place. That&#8217;s not a hypothetical. Several portfolio companies will face that exact choice in the next 18 months, and it runs straight against what CADA is trying to accomplish.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.aigovernanceplaybook.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.aigovernanceplaybook.com/subscribe?"><span>Subscribe now</span></a></p><p>The law builds the demand side. It does nothing for the supply side. Brussels can write four tiers into a regulation. It can&#8217;t manufacture the growth-stage capital that lets a startup clear Level 3 while competing on price with a hyperscaler that&#8217;s had fifteen years to optimize everything. CADA assumes qualified providers will just show up because the demand exists. Investors have to answer whether the supply actually shows up. Right now, that only happens if later-stage European capital gets a lot deeper, a lot faster, and that&#8217;s a harder problem than passing a procurement law.</p><p>Watch two things this year. How individual member states turn the four tiers into actual procurement guidance, because that&#8217;s where the real market gets drawn, country by country. And whether the first tenders under the new rules go to genuinely EU-native providers, or whether hyperscaler subsidiaries figure out how to check the Level 2 box without changing anything real about who owns or runs them. If that second thing happens at scale, the sovereignty premium funds are paying for today shrinks fast.</p><p>The term sheet isn&#8217;t wrong to exist. It&#8217;s wrong if it&#8217;s priced off a slide claiming 100% of public cloud spend is addressable, when the Commission&#8217;s own numbers say it&#8217;s closer to 30%, and the truly defensible piece is under 10%. Read the tier breakdown before the growth chart.</p><p></p><div><hr></div><h6><em><strong>NOT ADVICE</strong></em></h6><h6><em>The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full <a href="https://aigovernanceplaybook.substack.com/p/disclaimer">DISCLAIMER</a></em></h6><h6></h6>]]></content:encoded></item><item><title><![CDATA[How to build an AI compliance programme in the US with no federal law]]></title><description><![CDATA[No federal AI law, a dozen FTC enforcement actions, and states moving in every direction. Here's how to respond.]]></description><link>https://www.aigovernanceplaybook.com/p/how-to-build-an-ai-compliance-programme</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/how-to-build-an-ai-compliance-programme</guid><pubDate>Tue, 07 Jul 2026 13:52:59 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e60908c9-4c36-42e0-a933-a774c2c4ac2f_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>The companies that will have the hardest time when the rules are clarified are the ones that used the uncertainty as a reason to do nothing. </p></div><p>If you&#8217;re running a business in the US and trying to build a sensible AI compliance programme, you&#8217;re working without a stable target. The rules keep shifting, and they&#8217;re shifting in different directions at the same time.</p><p>There&#8217;s no federal AI law. The Biden administration&#8217;s 2023 executive order, which at least gave companies something concrete to work toward, was revoked on the first day of the Trump administration in January 2025. The replacement executive order, signed in December 2025, is primarily focused on telling states to back off rather than telling companies what to do. And the White House&#8217;s March 2026 legislative framework, which outlines what a federal AI law might eventually look like, is a recommendation to Congress, not a law.</p><p>Meanwhile, states are moving fast. Colorado, California, Texas, Illinois, and others have passed or are implementing AI-specific statutes, and more are coming. The federal government is actively trying to preempt some of those laws, but courts haven&#8217;t settled the question of whether executive orders can actually do that. So you may be complying with a state law that the federal government is simultaneously trying to nullify, and no one knows yet who wins.</p><p>This is not a comfortable place to build a compliance programme. But it&#8217;s the place you&#8217;re in, and waiting for the picture to clear is not an option. Companies that haven&#8217;t started are already behind.</p><div><hr></div><h2>Understand what enforcement actually looks like right now</h2><p>The absence of a federal AI law doesn&#8217;t mean there&#8217;s no federal enforcement. </p><p>The FTC has been bringing AI-related enforcement actions since 2024 under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. It doesn&#8217;t need an AI-specific law to do this. Its Operation AI Comply campaign brought five cases in September 2024 alone, targeting companies that made false claims about AI capabilities, used AI to generate fake reviews, or misrepresented what their AI products could actually do. In 2025, the agency brought at least a dozen more cases along the same lines, covering companies that overstated AI sophistication, attributed capabilities to AI systems that the technology couldn&#8217;t support, and made earnings claims tied to AI tools without substantiation. The FTC&#8217;s position has been consistent across administrations: there is no AI exemption from existing consumer protection law.</p><p>The same logic applies across the regulatory stack. The CFPB has applied existing credit and consumer financial protection rules to AI-driven decision-making. The EEOC has issued guidance on AI in hiring, and the SEC has pursued AI-washing cases against public companies. State attorneys general are using broad unfair and deceptive acts and practices statutes to investigate AI-related conduct, and those statutes are powerful tools because they often allow per-violation penalties without needing to prove individual harm.</p><p>The picture is the same regardless of which agency you&#8217;re looking at: even with no federal AI law, you face real enforcement exposure from multiple directions, under legal authorities that have been in place for decades.</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/how-to-build-an-ai-compliance-programme">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[AI Deadline | Thursday 2 July 2026]]></title><description><![CDATA[For founders and operators in AI | USA &#183; UK &#183; EU]]></description><link>https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-2-july-2026</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-2-july-2026</guid><pubDate>Thu, 02 Jul 2026 11:56:10 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/bfd151b8-fc14-4a49-83c8-8086303343ed_1456x1048.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>This week: </strong>a 20-day window to lock in legal cover before the EU's big transparency deadline lands, the FCA's Mills Review dropping very soon, and Brussels quietly buying founders more time to argue their way out of high-risk classification. </p><p>Plus, the In Focus piece on why the AI Act's watermarking rule asks companies to do something no technology on the market can actually do yet, and what that means if you're small and don't have a compliance team to hide behind.</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-2-july-2026">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[How to implement meaningful human oversight under the EU AI Act ]]></title><description><![CDATA[The EU AI Act's human oversight rules are more demanding than most compliance teams realise]]></description><link>https://www.aigovernanceplaybook.com/p/how-to-implement-meaningful-human</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/how-to-implement-meaningful-human</guid><pubDate>Tue, 30 Jun 2026 13:03:01 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a2080e48-12a5-4e82-8290-4934b51576f4_1344x896.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>The phrase &#8220;meaningful human oversight&#8221; is everywhere in AI governance right now, and it&#8217;s being used to mean two very different things. </p></div><p>There&#8217;s a phrase that appears in almost every AI governance document produced in the last two years: &#8220;meaningful human oversight.&#8221; It&#8217;s in the EU AI Act, in board-level AI policies, in vendor contracts, compliance checklists, and press releases from companies that have just had something go wrong.</p><p>The problem is that most organisations use it as a destination rather than a description. They write it into a policy, assign someone a job title with &#8220;AI&#8221; in it, and consider the box ticked. What they&#8217;ve actually built is a rubber-stamp process dressed up as governance.</p><div><hr></div><h2>Where the requirement comes from</h2><p>The EU AI Act&#8217;s Article 14 is the most detailed legal statement of what human oversight of AI systems should involve. It applies to high-risk AI systems, and its requirements fall on both providers (the companies that build the systems) and deployers (the organisations that put them to use).</p><p>The split matters. Providers must create the technical and operational conditions for effective oversight. Deployers must assign qualified personnel with appropriate authority, competence, and support. In other words, the vendor has to build a system that can be overseen, and you have to make sure the right people are actually doing the overseeing.</p><p>The goal of human oversight is to prevent or minimise risks to health, safety, or fundamental rights. Oversight measures should match the risks and context of the system&#8217;s use, and can be built into the system by the provider or implemented by the deployer.</p><p>The Act doesn&#8217;t demand a single approach. What it demands is that the oversight is proportionate, real, and assigned to people who are actually equipped to do it.</p><div><hr></div><h2>The three things oversight persons must be able to do</h2><p>Article 14 sets out what the people assigned to oversight must be able to do. They must be able to properly understand the system&#8217;s capabilities and limitations, detect and address anomalies. They must remain aware of the tendency to automatically rely on or over-rely on the system&#8217;s output (automation bias). They must be able to correctly interpret the system&#8217;s output. And they must be able to decide, in any particular situation, not to use the system or to disregard its output.</p><p>The requirement isn&#8217;t that a human can see what the AI is doing. It&#8217;s that a human can understand it, question it, override it, and actually has the practical means to do all of those things without friction. Understanding, intervening, and halting are distinct capabilities, and organisations frequently conflate them.</p><div><hr></div><h2>What automation bias is, and why it&#8217;s explicitly in the law</h2><p>Automation bias is the tendency of humans to defer to an AI system&#8217;s recommendation even when they have good reason not to. It&#8217;s well documented in fields where people work alongside decision-support tools: radiology, credit underwriting, recruitment, and criminal sentencing. The pattern is consistent. When a system produces a confident output, humans tend to go along with it, even when the output is wrong.</p><p>Article 14(4)(b) of the EU AI Act specifically requires that AI providers deliver their systems in a way that oversight persons are enabled to remain aware of the possible tendency of automatically relying on or over-relying on the system&#8217;s output.</p><p>The fact that automation bias has its own named provision in the law tells you something about how seriously regulators take it. An oversight process that puts a human in the loop but doesn&#8217;t address the conditions that produce automatic deference isn&#8217;t compliant, and it won&#8217;t work.</p><p>One researcher put it plainly: &#8220;Too many people perceive human oversight as a panacea. They go, &#8216;If there&#8217;s a human who looks over it, then I don&#8217;t have to worry about AI anymore.&#8217; When in reality, that of course is absolutely not true, and it just opens a whole new box of problems.&#8221;</p><div><hr></div><h2>The rubber-stamp problem</h2><p>This is where most organisations currently are.</p><p>Many organisations claim human oversight but implement it as a rubber-stamp process. An operator clicks &#8220;approve&#8221; on every AI decision within five seconds without genuinely reviewing it. Regulators look at override rates: if an operator never overrides the AI, their &#8220;oversight&#8221; is not meaningful.</p><p>Think about what that means in practice. If your oversight person reviews 200 AI decisions a day and overrides zero of them, that&#8217;s not a sign that the AI is performing perfectly. It&#8217;s a sign that the oversight process isn&#8217;t functioning. A genuine review process will produce disagreements. Some of them will be edge cases. Some will be errors. If the override rate is zero, you&#8217;ve built a process that generates paperwork rather than one that catches problems.</p><p>Oversight procedures should create genuine friction. It should take a moment of reflection, not a reflexive click. That friction is the point.</p><div><hr></div><h2>The halt mechanism problem</h2><p>Article 14 also requires that oversight persons be able to stop the system. This sounds obvious. In practice, it often isn&#8217;t.</p><p>A halt mechanism that requires IT intervention doesn&#8217;t meet the standard. An Article 14-compliant halt mechanism must be accessible to designated oversight persons without requiring them to call IT, submit a support ticket, or log into a separate administrative console. If the halt procedure takes more than five minutes to execute, it doesn&#8217;t meet the requirement.</p><p>I&#8217;ve spoken to organisations where the person nominally responsible for AI oversight has no ability to stop the system in question without escalating to a technical team. That&#8217;s a governance fiction. The law requires the ability to halt, which means the person doing the overseeing needs the actual authority and the actual access to do it.</p><div><hr></div><h2>What the deployer&#8217;s obligations actually involve</h2><p>Under Article 26(2), deployers of high-risk AI systems must assign human oversight to persons with the necessary competence, training, and authority, as well as necessary support. Those four things are distinct, and all of them have to be present.</p><p>Competence means the person understands the domain well enough to evaluate the AI&#8217;s output. A credit officer reviewing an AI-generated lending recommendation needs enough financial knowledge to assess whether the recommendation is reasonable. A recruiter reviewing an AI-shortlisted candidate pool needs to understand what the system was optimising for and whether that&#8217;s actually what the organisation wants.</p><p>Training means the person understands how the specific system works, what its known limitations are, and what failure modes look like. Training must include case studies of AI errors in the specific domain, exercises where participants must justify their agreement or disagreement with AI outputs, and regular review of override rates. Training should be tailored to the oversight person&#8217;s role, and must be documented and refreshed when the AI system significantly changes.</p><p>Authority means the person can act on their judgment. An oversight person who has to get manager sign-off before overriding an AI recommendation, or who faces pushback when they do override it, doesn&#8217;t have genuine authority. The override mechanism has to be accessible and its use has to be culturally acceptable, not treated as a sign that the process has broken down.</p><p>Support means the person isn&#8217;t doing this alone and without resources. Adequate time, access to the system&#8217;s documentation, a clear escalation path, and a way to flag patterns rather than just individual decisions.</p><div><hr></div><h2>The &#8220;instructions for use&#8221; requirement</h2><p>There&#8217;s a less-discussed part of Article 14 that has real compliance implications. Providers of high-risk AI systems are required to include human oversight measures within the &#8220;instructions for use&#8221; for the system.</p><p>This creates a direct due diligence question for any organisation buying or licensing a high-risk AI system. Do the vendor&#8217;s instructions actually address how oversight should be implemented? Do they describe the system&#8217;s limitations clearly enough that an oversight person could detect when it&#8217;s producing unreliable outputs? Do they specify what training the oversight person needs?</p><p>If the vendor&#8217;s documentation doesn&#8217;t address these things, that&#8217;s a gap you need to flag and resolve before deployment, not after something goes wrong.</p><div><hr></div><h2>What meaningful oversight looks like when it&#8217;s working</h2><p>For each high-risk AI deployment, named individuals should be designated as responsible for oversight. Their mandate should include critically reviewing AI outputs, exercising override authority when warranted, initiating halt procedures when required, and completing regular oversight activity logs. These responsibilities should appear in job descriptions and performance objectives.</p><p>A few other markers of oversight that are actually functioning:</p><ul><li><p>The override rate is non-zero and tracked. Someone reviews it regularly and asks why the number is what it is.</p></li><li><p>Oversight persons have documented training specific to the system they&#8217;re overseeing, and that training is refreshed when the system changes.</p></li><li><p>The halt mechanism has been tested. Not described in a policy document. Actually tested, with a record of when it was tested and by whom.</p></li><li><p>There&#8217;s a process for escalating patterns, not just individual decisions. If an oversight person notices the system is producing a particular type of error repeatedly, there&#8217;s somewhere for that observation to go.</p></li><li><p>Oversight is treated as a substantive role, not an administrative one. The person doing it has enough time to do it properly.</p></li></ul><div><hr></div><h2>A note on scope</h2><p>Everything above applies specifically to high-risk AI systems as defined by the EU AI Act. That covers a specific list of use cases in Annex III: AI used in hiring and workforce management, credit scoring, educational assessment, access to essential services, law enforcement, border control, and the administration of justice, among others.</p><p>If your organisation deploys AI in any of these areas and you&#8217;re operating in the EU (or deploying to EU residents), Article 14 applies. The question isn&#8217;t whether human oversight is good practice. For high-risk systems, it&#8217;s a legal requirement, with penalties for non-compliance running up to &#8364;15 million or 3% of global turnover, whichever is higher.</p><p>For systems outside the high-risk category, the legal obligation is lighter. But the practical argument for genuine oversight doesn&#8217;t disappear. The conditions that produce automation bias don&#8217;t check which regulatory category a system falls into before they operate.</p><div><hr></div><p>The phrase &#8220;meaningful human oversight&#8221; is everywhere in AI governance right now, and it&#8217;s being used to mean two very different things. Used honestly, it describes something specific and demanding. Used as cover, it&#8217;s a way of appearing to take responsibility without actually taking it. The gap between those two readings is where most of the compliance risk currently sits.</p><p></p><div><hr></div><h6><em><strong>NOT ADVICE</strong></em></h6><h6><em>The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full <a href="https://aigovernanceplaybook.substack.com/p/disclaimer">DISCLAIMER</a></em></h6><h6></h6>]]></content:encoded></item><item><title><![CDATA[EU AI Act risk classification explained: the plain English guide]]></title><description><![CDATA[The EU AI Act risk classification system explained in plain English, no law degree required]]></description><link>https://www.aigovernanceplaybook.com/p/eu-ai-act-risk-classification-explained</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/eu-ai-act-risk-classification-explained</guid><pubDate>Thu, 25 Jun 2026 13:06:18 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/3b058963-7a68-46e6-9d36-2941d9690b14_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>The classification question isn&#8217;t a one-time exercise. </p></div><p>The EU AI Act doesn&#8217;t treat all AI systems the same way. It sorts them into categories based on the risk they pose to people&#8217;s safety, rights, and wellbeing, and the category your system lands in determines almost everything: what you have to do, how much it costs to comply, and what happens if you get it wrong.</p><p>Most of the confusion about the Act comes from not understanding this sorting process. People read about prohibited AI and assume the rules apply to them. Or they assume the rules don&#8217;t apply because their product isn&#8217;t obviously dangerous. Both mistakes lead to the same place: a compliance programme built on the wrong foundation.</p><div><hr></div><h2>The four categories</h2><p>Every AI system in the scope of the EU AI Act falls into one of four categories. The smallest group faces the most restrictions. The largest group faces almost none.</p><p><strong>Unacceptable risk: banned outright.</strong> A small number of AI applications are prohibited entirely because the EU has decided no legitimate use case justifies them. These include social scoring systems that rate citizens based on their behaviour and personal characteristics, real-time remote biometric identification in publicly accessible spaces (with narrow exceptions for law enforcement), AI systems that manipulate people through subliminal techniques in ways that cause harm, and systems that exploit vulnerabilities of specific groups such as children or people with disabilities. These bans have been in force since February 2025. If your system falls into one of these categories, there is no compliance path. The activity is simply not permitted.</p><p><strong>High risk: permitted but heavily regulated.</strong> This is where most of the Act&#8217;s compliance obligations live. High-risk systems can be used, but they must meet a demanding set of requirements covering technical documentation, risk management, human oversight, data governance, logging, and transparency. The full set of what qualifies is covered below.</p><p><strong>Limited risk: transparency obligations only.</strong> Systems in this category don&#8217;t face the full compliance burden, but they do have to be honest about what they are. Chatbots must tell users they&#8217;re talking to an AI. Systems that generate synthetic images, audio, or video must label them as AI-generated. Emotion recognition systems must disclose when they&#8217;re being used. The obligations are lighter but real.</p><p><strong>Minimal risk: no specific obligations.</strong> The majority of AI applications in commercial use sit here. Spam filters, AI-powered video games, recommendation engines, and most productivity tools. No specific requirements apply under the Act, though general EU law (GDPR, consumer protection rules, and so on) still does.</p><div><hr></div><h2>How a system gets classified as high risk</h2><p>This is the question most organisations get wrong.</p><p>A system can become high-risk in one of two ways.</p><p>The first is if it&#8217;s a safety component of a product that already falls under existing EU product safety legislation. This covers a wide range of physical goods: machinery, medical devices, toys, lifts, vehicles, and aviation equipment. If your AI system is embedded in any of these products and performs a safety function, it&#8217;s high risk under Article 6(1) of the Act, regardless of what the AI itself does.</p><p>The second is if it falls into one of the use cases listed in Annex III. This is the list that catches most business applications, and it covers eight areas:</p><ol><li><p>Biometrics, including remote identification systems and AI used to categorise people based on sensitive attributes like race, political opinion, or sexual orientation.</p></li><li><p>Critical infrastructure management, where AI influences the operation of systems like electricity, water, gas, or transport networks.</p></li><li><p>Education and vocational training, covering AI that determines access to institutions, evaluates students, or monitors behaviour during tests.</p></li><li><p>Employment, workforce management, and access to self-employment. This is one of the most practically relevant categories for most businesses. It covers AI used to recruit or select candidates, make decisions about promotion or termination, allocate tasks, or monitor performance.</p></li><li><p>Access to essential private and public services, including credit scoring, insurance risk assessment, emergency service dispatch, and the evaluation of benefit entitlements.</p></li><li><p>Law enforcement uses, covering predictive policing tools, lie detectors, and systems that assess the risk an individual poses.</p></li><li><p>Migration, asylum, and border control, including tools that assess travel document authenticity or the risk posed by individuals at borders.</p></li><li><p>Administration of justice and democratic processes, covering AI used to assist courts or influence elections.</p></li></ol><p>If your system&#8217;s intended use falls into any of these areas, it&#8217;s presumed high risk. The question then becomes whether any exemption applies.</p><div><hr></div><h2>The Article 6(3) exemption</h2>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/eu-ai-act-risk-classification-explained">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Your AI pilot worked. Here's what to do in the next 30 days]]></title><description><![CDATA[Scaling AI after a successful pilot: a 30-day checklist that covers the gaps]]></description><link>https://www.aigovernanceplaybook.com/p/post-pilot-ai-deployment-plan</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/post-pilot-ai-deployment-plan</guid><pubDate>Tue, 23 Jun 2026 13:05:47 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/ea7a5032-16ec-48d3-8afa-68aa679080cf_1232x928.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>Your pilot passed. Now the real work starts. A 30-day post-pilot checklist for leaders who want it to stick.</p></div><p>Passing a pilot is the easy part.</p><p>I know that sounds backwards. Pilots take months; they involve procurement cycles, vendor negotiations and internal sign-offs, and when the results come back positive, everyone exhales and treats it like the hard work is done. But the pilot is a controlled environment. A small team, a scoped use case, and someone paying close attention to the outputs. The real test starts the moment you decide to scale.</p><p><strong>Most AI deployments that fail don&#8217;t fail in the pilot. They fail in the 90 days after it. </strong>The handover from &#8220;this worked in a test&#8221; to &#8220;this is now how we operate&#8221; is where the gaps show up, and most organisations aren&#8217;t prepared for how quickly those gaps compound.</p><p>What follows is a 30-day plan for the period immediately after a pilot sign-off. It covers six areas: workflow redesign, team communication, risk monitoring, success measurement, vendor management, and data governance. It also covers something most post-pilot plans ignore entirely: what to do if things go wrong and you need to stop.</p><div><hr></div><h4><strong>Why the post-pilot window is where deployments break</strong></h4><p>A pilot succeeds on a narrow brief. You tested whether the AI could do a specific thing in a specific context, and it could. What you didn&#8217;t test is whether your existing workflows were designed to absorb it, whether your team understands what changes and what doesn&#8217;t, or whether you have any visibility into what the system does on a bad day.</p><p>Scaling without addressing those things doesn&#8217;t spread the pilot&#8217;s success. It spreads its blind spots.</p><p>The 30-day window matters because it&#8217;s when habits form. The team is paying attention, the tool is new, and the decisions made in this period tend to stick. Get the structure right now, and you&#8217;re building on solid ground. Let it drift, and you&#8217;re correcting embedded problems six months later, which costs more in time, money and goodwill than most leaders budget for.</p><div><hr></div><h4><strong>Week one: workflow redesign</strong></h4><p>Before anyone outside the pilot team touches the tool, the workflows need to change. This is the step most organisations skip, and it&#8217;s the reason so many AI deployments get quietly abandoned rather than formally cancelled. The tool gets bolted onto an existing process that wasn&#8217;t designed for it, creates friction, and gradually stops being used.</p><p>Workflow redesign doesn&#8217;t mean rebuilding everything. It means mapping the specific points where the AI output enters the existing process and asking whether that process still makes sense. If the AI now produces a first draft of a weekly report in 20 minutes that previously took four hours, the approval and review process probably needs to change too. If it doesn&#8217;t, you&#8217;ve saved four hours of writing time and added two hours of unnecessary checking, and the net gain is smaller than it should be.</p><p><strong>The checklist for week one:</strong></p><ul><li><p>Map every workflow that touches the AI output, not just the ones that were part of the pilot</p></li><li><p>Identify where human review is genuinely needed versus where it&#8217;s been carried over from the old process by default</p></li><li><p>Reassign the time freed up by the tool to specific tasks, with specific owners, before the tool goes live at scale</p></li><li><p>Document the new workflow clearly enough that someone who wasn&#8217;t in the pilot can follow it on day one</p></li><li><p>Set a single point of contact for process questions during rollout, so confusion doesn&#8217;t become rumour</p></li></ul><div><hr></div><h4><strong>Week two: team communication</strong></h4><p>The people most affected by an AI deployment are rarely the ones who had the most input into the decision to run it. That gap creates anxiety, and anxiety that doesn&#8217;t get addressed directly tends to fill itself with whatever story feels most plausible, which is usually the worst-case one.</p><p>Week two is about getting ahead of that. Not with a company-wide email that announces the rollout and thanks everyone for their flexibility, but with direct conversations that answer the questions people actually have: what is changing about my role, what is staying the same, who do I go to if something doesn&#8217;t work, and what happens if the system produces something wrong while my name is on the output?</p><p>That last question matters more than most leaders realise. If a team member doesn&#8217;t know whether they&#8217;re accountable for an AI-generated output they reviewed and approved, they&#8217;ll either over-check everything (eliminating the time saving) or under-check everything (creating risk). Neither is the outcome you want.</p><p><strong>The checklist for week two:</strong></p><ul><li><p>Brief every affected team directly, not just managers. People make better decisions when they understand the context</p></li><li><p>Answer the accountability question explicitly: who is responsible for AI outputs at each stage of the process</p></li><li><p>Create a clear and low-friction way to flag errors or unexpected outputs, and make clear it won&#8217;t be treated as a complaint</p></li><li><p>Set realistic expectations about the learning curve. The tool will produce better outputs as the team gets better at using it, and that takes time</p></li><li><p>Identify the people most resistant to the change and have a direct conversation rather than hoping the general briefing lands with them</p></li></ul><div><hr></div><h4><strong>Week three: risk monitoring and the rollback plan</strong></h4><p>This is the area most post-pilot plans treat as an afterthought, usually because the pilot produced clean results and it&#8217;s tempting to assume that continues. It doesn&#8217;t always. Models drift. Inputs change. Edge cases that didn&#8217;t appear in a controlled pilot appear regularly in production, and if nobody is looking for them, nobody finds them until the damage is done.</p><p>Risk monitoring at this stage doesn&#8217;t require a dedicated team or expensive tooling. It requires someone with a clear remit to look at the outputs regularly and ask whether anything has changed.</p><p><strong>The checklist for week three:</strong></p><ul><li><p>Assign a named owner for output quality monitoring. Not a committee, a person</p></li><li><p>Define what a problematic output looks like before one appears, so the response isn&#8217;t improvised</p></li><li><p>Set a weekly review cadence for the first month, dropping to monthly once the system is stable</p></li><li><p>Log every error or unexpected output, however minor. Patterns in that log are early warning signs</p></li><li><p>Check whether the inputs the AI is working from have changed since the pilot. New data sources, new formats, and changed internal processes all affect output quality in ways that aren&#8217;t always obvious</p></li></ul><p>The rollback plan deserves its own conversation because almost nobody has one. If the deployment needs to stop, whether because of a serious error, a regulatory question, or simply because the tool isn&#8217;t performing as expected at scale, what happens? Who makes the call? How do you revert operations without chaos?</p><p>The answers don&#8217;t need to be elaborate. You need a named decision-maker, a defined trigger (what level of error rate or what type of incident warrants a pause), and a documented plan for reverting to the pre-AI process in the short term. A deployment with no exit ramp isn&#8217;t a sign of confidence. It&#8217;s a gap in planning.</p><div><hr></div><h4><strong>Week four: success measurement</strong></h4><p>A pilot has defined success criteria. The production deployment needs them too, and they&#8217;re usually different ones. The pilot asked, &#8220;Can this work?&#8221; The production deployment asks, &#8220;Is this working, consistently, at scale, and is the return worth the ongoing cost?&#8221;</p><p>Most organisations don&#8217;t set those criteria explicitly, which means they have no basis for answering the question when it comes up in a budget review or a board meeting. &#8220;It seems to be going well&#8221; is not a defensible position.</p><p><strong>The checklist for week four:</strong></p><ul><li><p>Define two or three specific metrics that will tell you whether the deployment is delivering at scale. These should connect directly to the KPIs that justified the pilot in the first place</p></li><li><p>Set a baseline now, before the data gets muddied by the rollout period, so you have something clean to measure against</p></li><li><p>Decide how often you&#8217;ll formally review performance and who will see the results</p></li><li><p>Build a simple dashboard or reporting process that makes the metrics visible without requiring someone to manually compile them each time</p></li><li><p>Set a six-month review date in the diary now. Not to decide whether to cancel, but to make a considered decision about whether to expand, adjust, or consolidate based on real data</p></li></ul><div><hr></div><h4><strong>Vendor management in production</strong></h4><p>The vendor relationship changes once you&#8217;re in production. During the pilot, the vendor is motivated to be responsive, helpful, and present. Once you&#8217;re a paying customer running at scale, that dynamic shifts, and the gaps in the original agreement become more visible.</p><p>Before the end of the first 30 days, the commercial and operational relationship needs to be clearly defined.</p><ul><li><p>Confirm your SLAs in writing: uptime guarantees, response times for support requests, and what compensation applies if those commitments aren&#8217;t met</p></li><li><p>Establish a named contact on the vendor side for operational issues, separate from the sales relationship</p></li><li><p>Get the vendor&#8217;s model update schedule on your radar. A routine update from their side can change output behaviour overnight, and you want advance notice, not a surprise</p></li><li><p>Understand the vendor&#8217;s own compliance and security posture, especially if you&#8217;re in a regulated sector. Their certifications and audit history matter to your regulators as well as theirs</p></li><li><p>Agree a process for communicating changes on both sides. If your data inputs or use case changes, they need to know. If their model or infrastructure changes, you need to know</p></li></ul><div><hr></div><h4><strong>Data governance</strong></h4><p>This is the area that creates the most expensive surprises in regulated industries. Once AI is in production, data flows that didn&#8217;t exist before the pilot now exist at scale, and the compliance picture changes accordingly.</p><p>The questions to answer before the end of day 30:</p><ul><li><p>What data is the AI accessing, processing, or storing, and does that match what was assessed during the pilot?</p></li><li><p>Has any personal, sensitive, or commercially confidential data entered a workflow it wasn&#8217;t explicitly cleared for?</p></li><li><p>If you&#8217;re operating under the EU AI Act, UK AI governance guidance, or sector-specific regulation in financial services or healthcare, does the production deployment require additional documentation, transparency obligations, or human oversight requirements beyond what the pilot established?</p></li><li><p>Who owns data governance for this deployment on an ongoing basis? If the answer is &#8220;whoever is closest to the problem at the time,&#8221; that&#8217;s a gap</p></li><li><p>Do your contracts with the vendor address data residency, retention, and deletion clearly enough to satisfy your legal team and, if relevant, your regulators?</p></li></ul><p>Getting data governance right in the first 30 days is far less painful than correcting it after an audit, a breach, or a client question you can&#8217;t answer.</p><div><hr></div><h4><strong>One thing worth saying plainly</strong></h4><p>A 30-day plan implies the work is done at day 31. It isn&#8217;t. What the first 30 days should produce is a stable operating baseline: workflows that make sense, a team that understands its role, a monitoring process that will catch problems early, and a commercial and compliance foundation solid enough to build on.</p><p>From there, the questions shift from &#8220;is this working?&#8221; to &#8220;what else could this do, and should it?&#8221; That&#8217;s a better place to be making decisions from than the post-pilot enthusiasm that tends to drive the first wave of scaling choices.</p><p>The organisations that get sustained value from AI treat the post-pilot period as seriously as the pilot itself. The ones that skip it tend to find out why that matters when the next budget cycle comes around, and nobody can clearly explain what the deployment actually delivered.</p><p></p><div><hr></div><h6><em><strong>NOT ADVICE</strong></em></h6><h6><em>The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full <a href="https://aigovernanceplaybook.substack.com/p/disclaimer">DISCLAIMER</a></em></h6><h6></h6>]]></content:encoded></item><item><title><![CDATA[AI Deadline | Thursday 18 June 2026]]></title><description><![CDATA[For founders and operators in AI | USA &#183; UK &#183; EU]]></description><link>https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-18-june-2026</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-18-june-2026</guid><pubDate>Thu, 18 Jun 2026 07:02:09 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/e56bc863-899e-45af-887f-f82e0b3dca29_1456x1048.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>&#128308; Act now</h3><p>August 2 is 45 days away. If your product generates AI content or operates any interface where EU users interact with something AI-powered, that date is your compliance problem. Article 50 of the AI Act hasn&#8217;t moved. The Digital Omnibus extended the high-risk system deadline to December 2027. It left Article 50 exactly where it was.</p><p>The EU AI Office published the final Code of Practice on transparency of AI-generated content on June 10. It&#8217;s the practical guide to what August 2 requires. The short version: chatbots and virtual assistants interacting with EU users must identify themselves as AI at the start of the interaction. Systems generating synthetic text, images, audio or video for EU users must mark that content in a machine-readable format. For deepfakes, a visible label is also required.</p><p>The machine-readable marking obligation - embedded C2PA metadata, invisible watermarks - lands slightly later. The Article 50(2) marking requirement for generative AI output applies from December 2, with grandfathering for systems already on the market before August. But the user-facing disclosure obligation is August 2, and that one is live in 45 days.</p><p>What to check now: does your chatbot or AI assistant tell EU users they&#8217;re talking to an AI at the start of the session? Does any deepfake or synthetic video output carry a visible label? Is your consent basis current against what you&#8217;re actually doing in those flows?</p><p>The Code of Practice is 30 pages and it&#8217;s on the Commission&#8217;s digital strategy site. Read it before July.</p><p><strong>Action</strong>: Map every EU-facing AI interface in your product and confirm it meets Article 50&#8217;s user-disclosure requirements before August 2.</p><div><hr></div><h3>&#128993; Heads up</h3><p><strong>&#127466;&#127482; EU | High-risk classification consultation - 5 days left</strong></p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-18-june-2026">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[The 7 question your board needs to answer before approving the AI programme]]></title><description><![CDATA[Before any AI programme gets board sign-off, seven questions need answers. Most leadership teams skip all of them.]]></description><link>https://www.aigovernanceplaybook.com/p/the-7-question-your-board-needs-to</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/the-7-question-your-board-needs-to</guid><pubDate>Tue, 16 Jun 2026 08:08:25 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a93f67de-5d54-4ab9-8a69-67099c4b561f_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>Before any AI programme gets board sign-off, seven questions need to be answered. Most leadership teams skip all of them.</p></div><p>Most AI transformation programmes run into trouble for the same reason. The organisation approved a strategy without first answering some prior questions about who they are. Six months in, they find themselves looking at an AI system that technically works but creates obligations, risks, or decisions they&#8217;re not comfortable owning. By then, unwinding it is expensive.</p><p>Regulators won&#8217;t ask you these questions. The EU AI Act, the UK&#8217;s emerging AI oversight regime, and the various US federal guidance documents are built around what your AI systems do, not who you are as an organisation. What your AI systems should do, and where they shouldn&#8217;t operate at all, depends almost entirely on the answers you need to find before anyone writes a line of code or signs a vendor contract.</p><p>The questions below aren&#8217;t a workshop exercise. They&#8217;re what a board or leadership team needs to have on the record before signing off on anything significant.</p><div><hr></div><h2>Why identity questions are governance questions</h2><p>Amazon spent three years building an AI hiring tool, from 2014 onwards, designed to score job applicants and surface the best candidates automatically. By 2015, the company&#8217;s own engineers had discovered the system was penalising CVs that included the word &#8220;women&#8217;s&#8221; and downgrading graduates of all-women&#8217;s colleges. The tool had been trained on a decade of historical CVs submitted to Amazon, the majority from men, and had learned to treat male candidates as the default standard for a good hire. Amazon scrapped the project by early 2017. </p><p>Amazon had public commitments to diversity and workplace equality. Nobody had asked, before the tool was built and tested internally, whether training a hiring algorithm on historical data from a male-dominated industry was consistent with those commitments. The system was working exactly as designed. The design was the problem. A governance process that asked the right identity questions upfront would have caught this before three years of engineering time went into it.</p><p>Under the EU AI Act, AI systems used in recruitment and employment decisions are classified as high-risk (Annex III). That classification triggers obligations around human oversight, data governance, and transparency. Those obligations assume your organisation has already decided it wants to operate in this space and has thought through what that means. If your values or public commitments say something different from what the system is actually doing, technical compliance doesn&#8217;t fix it.</p><p>The same applies in financial services, healthcare, legal services, and media. The rules tell you what you must do if you deploy. Whether you should deploy is a question only you can answer, and most organisations leave it implicit until something goes wrong.</p><div><hr></div><h2>The questions</h2><p><strong>What decisions are we comfortable letting AI make without a human reviewing the outcome?</strong></p><p>Many leadership teams skip this entirely. They approve an AI programme at a high level and leave the question of human oversight to the technical teams, who reasonably interpret silence as permission to automate as much as possible. That&#8217;s not negligence on their part. It&#8217;s a predictable response to an absent instruction.</p><p>You need a position on this before any deployment decision gets made. In financial services, automated decisions about credit, insurance pricing, or fraud flags have direct regulatory consequences under GDPR Article 22 (right not to be subject to solely automated decisions) and under the EU AI Act&#8217;s high-risk framework. In HR, the same automated decision-making rules apply to hiring and performance management tools. Your position on human-in-the-loop requirements shapes every downstream design choice, and if you don&#8217;t set it, someone else will.</p><p>&#8220;We will always have a human review any decision that affects a customer&#8217;s access to our core product or service&#8221; is a position. &#8220;We believe in responsible AI&#8221; is not.</p><p><strong>What do we stand for publicly, and does our AI strategy match it?</strong></p><p>Your ESG commitments, your D&amp;I statements, your published customer values. Do they constrain anything you&#8217;re planning to do with AI? If you&#8217;ve publicly committed to fair and explainable decisions, deploying a black-box model for customer triage is a problem regardless of whether it&#8217;s technically legal. The gap between stated values and actual system behaviour is exactly what investigative journalists and regulators look for first.</p><p>The EU AI Act&#8217;s transparency obligations under Article 50 now create a legal floor for certain disclosures. The reputational exposure starts well below that floor. A journalist doesn&#8217;t need to cite Article 50 to write a damaging story.</p><p><strong>Who are our customers, and what power do we have over them?</strong></p><p>This question makes some leadership teams uncomfortable, which is usually a sign it needs asking. Some organisations have genuine choice relationships with their customers. Others operate in contexts where the customer has limited or no alternatives, where decisions carry serious consequences, or where the population served is vulnerable in ways that matter legally and ethically.</p><p>The EU AI Act treats these contexts differently. Systems that manage or assess people in employment, education, essential services, or law enforcement are high-risk by default. The more useful question for your leadership team is sharper than the regulatory classification: if your customers can&#8217;t easily go elsewhere, and a wrong decision significantly affects their life or livelihood, your AI programme needs more oversight and caution. That&#8217;s true whether or not the regulator has caught up with your specific use case yet. Regulation tends to follow harm. You don&#8217;t want to be the case study.</p><p><strong>Where does our liability actually sit?</strong></p><p>AI systems create legal exposure that many leadership teams haven&#8217;t mapped properly. Under GDPR, you remain the data controller regardless of which third-party AI vendor you&#8217;re using. Under the EU AI Act, if you deploy a general-purpose AI model in a high-risk context, you take on obligations previously reserved for developers. Product liability law in both the EU and UK is moving toward treating AI outputs as products, which creates exposure most legal teams haven&#8217;t fully worked through yet.</p><p>If the answer to this question is &#8220;our vendor indemnifies us,&#8221; check that indemnity carefully before relying on it. Most vendor contracts don&#8217;t cover the scenarios where liability is actually likely to arise. I&#8217;ve seen organisations sign enterprise AI contracts where the indemnity clause, read carefully, covers almost nothing that matters.</p><p><strong>What won&#8217;t we do, and have we written it down?</strong></p><p>Prohibited practices under Article 5 of the EU AI Act include social scoring by public authorities and manipulation of vulnerable groups. These are absolute bans with no compliance pathway. The more useful question for most commercial organisations is the softer version: what AI applications are you capable of deploying but have decided you won&#8217;t?</p><p>A media company that decides it won&#8217;t use AI to generate synthetic content without disclosure has made a governance decision, not just a product decision. A financial services firm that decides it won&#8217;t use AI to price insurance products based on inferred behavioural data (even where that inference is technically legal) has made a governance decision. These decisions need to be written down, owned by someone senior, and revisited when strategy changes.</p><p>Without this list, the default answer to every &#8220;can we do this?&#8221; question is yes, because nobody has formally said no. That&#8217;s how organisations end up surprised by their own AI systems.</p><p><strong>How will we know when an AI system is doing something we didn&#8217;t intend?</strong></p><p>This belongs in the governance conversation before it gets delegated to the technology team. AI systems drift. Models trained on historical data start producing different outputs as the world changes. A hiring tool trained on five years of successful employee data starts screening out good candidates the moment the labour market shifts. A fraud detection model trained before a recession starts flagging legitimate behaviour that simply looks different from the pre-recession norm.</p><p>Your governance structure needs to specify who is responsible for monitoring each deployed AI system, what they&#8217;re watching, what threshold triggers a review, and who has the authority to pause or pull a system if something looks wrong. The EU AI Act requires this for high-risk systems. The standard is worth adopting broadly regardless, because an AI system running unchecked creates reputational and legal consequences that aren&#8217;t confined to systems the Act formally classifies as high-risk.</p><p><strong>If this decision made the front page, would we be comfortable explaining it?</strong></p><p>Old question, new context. The test works because it forces specificity. &#8220;Our AI hiring tool screens out candidates who haven&#8217;t followed a linear career path, because our training data reflects our existing workforce&#8221; is a defensible position if you&#8217;ve thought it through, disclosed it, and built human review into the process. It becomes very hard to explain if you haven&#8217;t done those things, and you&#8217;re explaining it to a journalist rather than a regulator.</p><p>Reporters covering AI failures in 2025 and 2026 are specifically looking for the gap between what organisations claim their AI does and what it actually does. Close that gap in the boardroom, not in a press statement.</p><div><hr></div><h2>Getting the answers on the record</h2><p>These questions don&#8217;t need a separate governance workstream or a six-week consulting engagement. They can be addressed in a single board or leadership team session before an AI programme is approved. What matters is that the answers are documented, attributed to the people who gave them, and referenced when specific deployment decisions come up later.</p><p>The organisations that get into trouble aren&#8217;t usually the ones that made bad decisions. They&#8217;re the ones that made no decision at all, left the questions implicit, and then found themselves defending choices nobody formally owned.</p><p>If your leadership team can answer these questions with enough specificity to be held to account for the answers, your AI strategy probably reflects who your organisation actually is. If the answers are vague enough that nobody would be embarrassed by them, they&#8217;re not answers yet.</p><p></p><div><hr></div><h6><em><strong>NOT ADVICE</strong></em></h6><h6><em>The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full <a href="https://aigovernanceplaybook.substack.com/p/disclaimer">DISCLAIMER</a></em></h6><h6></h6>]]></content:encoded></item><item><title><![CDATA[AI Deadline | Thursday 11 June 2026]]></title><description><![CDATA[Things moving through AI regulatory pipelines that will matter in the next 3 to 6 months]]></description><link>https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-11-june-2026</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-11-june-2026</guid><pubDate>Thu, 11 Jun 2026 10:43:07 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/cc65ca74-fd00-419d-a6cc-4184bcd509fd_1456x1048.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>&#128308; Act now</h3><p><strong>&#127468;&#127463; UK | 8 days to have a data protection complaints process</strong></p><p>The Data (Use and Access) Act 2025 added Section 103: a statutory requirement for all data controllers to maintain a formal comp&#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-11-june-2026">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[The one-hour AI approval workshop your managers actually need]]></title><description><![CDATA[AI risk assessment for managers - a step-by-step workshop for non-technical teams]]></description><link>https://www.aigovernanceplaybook.com/p/the-one-hour-ai-approval-workshop</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/the-one-hour-ai-approval-workshop</guid><pubDate>Tue, 09 Jun 2026 08:24:11 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/107c2874-f82f-4999-936e-bbbbaa4fc161_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>AI risk assessment for managers - a step-by-step workshop for non-technical teams</p></div><p>There&#8217;s a job that almost every mid-sized organisation has quietly handed to people who weren&#8217;t asked if they wanted it: AI gatekeeper. Someone has to say yes or no when a team member wants to start using an AI writing tool, or an AI scheduling assistant, or an AI that reads CVs. In most companies right now, that someone is a mid-level manager with no technical background, a full diary, and no training whatsoever for the decision they&#8217;re being asked to make.</p><p>I&#8217;ve started thinking about what a genuinely useful one-hour workshop for that person would look like. Not a compliance lecture. Not a slide deck about large language models. Something that would actually change how they make the next approval decision.</p><p>Here&#8217;s what I&#8217;d build.</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/the-one-hour-ai-approval-workshop">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[AI Deadline | Thursday 4 June 2026]]></title><description><![CDATA[Things moving through AI regulatory pipelines that will matter in the next 3 to 6 months]]></description><link>https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-4-june-2026</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-4-june-2026</guid><pubDate>Thu, 04 Jun 2026 06:58:12 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/5bbb3db6-965d-4631-b3a3-3f0de7fe2cc7_1456x1048.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>&#128308; Act now</h3><p>On June 2, President Trump signed a new AI executive order. Two weeks after the White House killed a near-identical order under pressure from tech executives, a narrower version went throug&#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-4-june-2026">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Nobody's asking if the regulators are ready]]></title><description><![CDATA[Nobody's asking if the AI regulators are ready. The other side of the August 2 deadline.]]></description><link>https://www.aigovernanceplaybook.com/p/nobodys-asking-if-the-regulators</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/nobodys-asking-if-the-regulators</guid><pubDate>Tue, 02 Jun 2026 10:55:51 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/6be5df11-4594-40ed-954f-1a3cabc8bb93_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>Forget Industry Readiness. Who's Asking About the Regulators?</p></div><p>On May 8, the European Commission published draft guidelines on AI transparency obligations. Eighty-six pages covering how companies must &#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/nobodys-asking-if-the-regulators">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[AI Deadline | Thursday 28 May 2026]]></title><description><![CDATA[Things moving through AI regulatory pipelines that will matter in the next 3 to 6 months]]></description><link>https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-28-may-2026</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-28-may-2026</guid><pubDate>Thu, 28 May 2026 10:35:39 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/da106084-ac6e-45e5-b54d-b7de804eb4f6_1456x1048.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>&#128308; Act now</h3><p>The FTC settled with Cox Media Group and two smaller marketing firms for just under $1 million this week. The charge: CMG told clients its AI service could target ads using conversations ca&#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-28-may-2026">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[AI employee monitoring: what the law requires in the US, UK and EU]]></title><description><![CDATA[How to Monitor Employees with AI Without Breaking the Law]]></description><link>https://www.aigovernanceplaybook.com/p/ai-employee-monitoring-what-the-law</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-employee-monitoring-what-the-law</guid><pubDate>Wed, 27 May 2026 13:51:44 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/02f25eac-5811-45aa-87e4-ee78a65fe03d_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>AI-powered employee monitoring was a remote-work experiment in 2020. Now it&#8217;s infrastructure. Employers are using it to track keystrokes, mouse movement, application usage, screen content, call sentiment and, in some cases, physical location and facial expressions. The productivity case writes itself. The legal exposure is catching up fast.</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-employee-monitoring-what-the-law">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[AI Governance in HR and Hiring - Spring 2026]]></title><description><![CDATA[What EU, US and UK law requires in 2026.]]></description><link>https://www.aigovernanceplaybook.com/p/ai-governance-in-hr-and-hiring-spring</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-governance-in-hr-and-hiring-spring</guid><pubDate>Tue, 26 May 2026 13:15:54 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!gt1r!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><p><strong>Issue 04 is now available: AI governance in HR and Hiring</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gt1r!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gt1r!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gt1r!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gt1r!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gt1r!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!gt1r!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg" width="1456" height="813" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:813,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:912024,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.aigovernanceplaybook.com/i/199292195?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!gt1r!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 424w, https://substackcdn.com/image/fetch/$s_!gt1r!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 848w, https://substackcdn.com/image/fetch/$s_!gt1r!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!gt1r!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5bbf0124-94c3-40a9-828e-5eff4b4280ae_2752x1536.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Most agencies using AI to screen candidates have not run a bias audit. Most have not mapped where candidate data goes when it hits a third-party LLM. Most have not built the contestation routes the UK&#8217;s DUAA required from February 2026.</p><p>And that&#8217;s just the hiring side.</p><p>AI tools used to monitor placed workers, allocate tasks, evaluate performance, or influence contract renewals sit in exactly the same high-risk category under the EU AI Act as CV screening tools. Annex III covers both. The obligations,  risk management, human oversight, audit trails, candidate and worker notification, apply to the full employment lifecycle, not just the point of hire.</p><p>The ICO&#8217;s March 2026 recruitment ADM report named 16 organisations that have since committed to change how they operate. The New York Comptroller&#8217;s audit found at least 17 instances of potential non-compliance at companies DCWP had already reviewed and cleared. Both reports looked at hiring. The next wave of regulatory attention is likely to look further along the employment chain.</p><p><strong>The AI Governance Playbook&#8217;s HR edition covers what the rules require across the EU, US, and UK,  for agencies and in-house teams running the process, and for the founders building the tools.</strong></p><p><strong>The PDF is linked below [</strong>if you are a free subscriber, you can <strong><a href="https://www.aigovernanceplaybook.com/subscribe">upgrade</a></strong> to access the report.]</p><p>Previous Reports&#8230;</p><ol><li><p><a href="https://www.aigovernanceplaybook.com/p/ai-regulation-for-creators-spring">AI Regulation for Creators - Spring 2026</a></p></li><li><p><a href="https://www.aigovernanceplaybook.com/p/ai-governance-in-edtech-spring-2026">AI Governance in EdTech - Spring 2026</a></p></li><li><p><a href="https://www.aigovernanceplaybook.com/p/ai-governance-in-fintech-spring-2026">AI governance in FinTech</a></p></li></ol><div><hr></div><p><em>Note that this briefing is for informational purposes only and doesn&#8217;t constitute advice of any kind. For questions specific to your work, talk to a qualified lawyer in your jurisdiction. </em></p><p><em><strong>Here is the link &#8230;.</strong></em></p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-governance-in-hr-and-hiring-spring">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[AI Deadline | Thursday 21 May 2026]]></title><description><![CDATA[Things moving through AI regulatory pipelines that will matter in the next 3 to 6 months]]></description><link>https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-21-may-2026</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-21-may-2026</guid><pubDate>Thu, 21 May 2026 12:52:46 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/5b80926d-1050-4a68-aadc-d07fbd13d3e4_1456x1048.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>&#128308; Act now</h3><p>The ICO&#8217;s consultation on automated decision-making closes in eight days, at 23:59 on May 29.</p><p>Two editions ago, this was in &#8220;Heads up&#8221; with 22 days to go. It&#8217;s here now because eight days go&#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-21-may-2026">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Before you green-light AI, answer these three questions]]></title><description><![CDATA[The boardroom AI decision looks simple. These three questions make it harder, on purpose.]]></description><link>https://www.aigovernanceplaybook.com/p/ai-rollout-checklist</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-rollout-checklist</guid><pubDate>Wed, 20 May 2026 09:39:57 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/c1bb0ea0-12b3-44a8-849e-0ce9fbe80f05_1232x928.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p>Three questions every business leader should ask before going all-in on AI</p></div><p>There&#8217;s a pattern I keep seeing in boardrooms right now. Someone presents a slide deck showing what a competitor is doing wit&#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-rollout-checklist">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[Automated content moderation - what you're required to do, what's still a guess]]></title><description><![CDATA[If your app lets users post things and an AI decides what stays up, you're regulated. Here's what that means in the US, UK and EU.]]></description><link>https://www.aigovernanceplaybook.com/p/automated-content-moderation-what</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/automated-content-moderation-what</guid><pubDate>Mon, 18 May 2026 08:19:54 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/950c03a3-f61a-4564-9d3c-c052574815fc_1232x928.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="pullquote"><p><strong>If your app lets users post things and an AI decides what stays up, you're regulated. Here's what that means in the US, UK and EU.</strong></p></div><p>If your product lets users post things, you&#8217;re probably already doing&#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/automated-content-moderation-what">
              Read more
          </a>
      </p>
   ]]></content:encoded></item><item><title><![CDATA[AI Deadline | Thursday 14 May 2026]]></title><description><![CDATA[Things moving through AI regulatory pipelines that will matter in the next 3 to 6 months]]></description><link>https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-14-may-2026</link><guid isPermaLink="false">https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-14-may-2026</guid><pubDate>Thu, 14 May 2026 13:29:49 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/ed5f7f50-561b-4af5-b8ea-c5a9d093e254_1456x1048.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>&#128308; Act now</h3><p>The EU Digital Omnibus deal closed on May 7. After months of failed trilogues, the European Parliament and Council reached a provisional agreement. A lot changed. But one thing didn&#8217;t: if y&#8230;</p>
      <p>
          <a href="https://www.aigovernanceplaybook.com/p/ai-deadline-thursday-14-may-2026">
              Read more
          </a>
      </p>
   ]]></content:encoded></item></channel></rss>