Non-Legislative AI Obligation Tracker
Identify and track AI governance obligations that arise outside formal legislation, including procurement rules, bilateral agreements, sandbox exit conditions, and regulatory guidance letters.
Objective
Ensure AI governance obligations that arise from non-legislative sources (contracts, regulatory guidance, procurement conditions, bilateral agreements) are captured, owned, and actioned with the same rigor as statutory obligations.
Maturity Levels
Initial
Non-legislative obligations are tracked only when they surface in a dispute or audit finding.
Developing
Procurement and Legal teams flag major non-legislative obligations informally, but there is no central register.
Defined
A register captures all material non-legislative AI obligations, with source, obligation text, effective date, owner, and review cadence.
Managed
Non-legislative obligations feed into the unified compliance register. Contract review includes a standard check for AI governance clauses. Obligations are reviewed before any major procurement or partnership agreement is signed.
Optimizing
Automated contract analysis flags AI governance clauses for compliance review. The tracker integrates with procurement workflows so obligations are captured at the point of contract signature.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Non-legislative obligation tracker listing source, obligation description, effective date, owner, review date, and compliance status.
- Evidence that contract review checklists include a standard AI governance clause check.
Implementation Notes
Key steps
- Identify the main sources of non-legislative AI obligations in your context:
  - Government procurement rules (US Federal Acquisition Regulation AI clauses, EU public procurement AI requirements)
  - Bilateral or multilateral agreements (AI safety MOUs, standards cooperation agreements)
  - Regulatory guidance and supervisory expectation letters (not statutes, but treated as binding by regulators in practice)
  - Sandbox or pilot program exit conditions
  - Contractual AI governance requirements from enterprise customers or public sector clients
  - Industry body membership conditions that carry compliance obligations
- For each source, extract the specific AI governance obligation and document it as a discrete requirement.
- Assign an obligation owner and a review trigger (e.g., before contract renewal, annually, or when the source document is updated).
- Flag obligations that could become statutory: regulators frequently convert guidance into regulation, and voluntary procurement conditions can become mandatory.
Common gaps
- Treating regulatory guidance letters as informational rather than as compliance obligations.
- Missing AI governance clauses buried in master services agreements or public sector contracts.
- Forgetting sandbox exit conditions once a pilot product moves to production.
Example Implementation
Non-Legislative AI Obligation Tracker (excerpt)
| Source | Type | Obligation | Effective | Owner | Next Review | Status |
|---|---|---|---|---|---|---|
| US DoD DFARS AI clause | Procurement | AI systems must comply with DoD AI Ethics Principles; annual self-attestation required | 2024-01 | US Procurement Counsel | 2026-12 | Attested |
| UK FCA AI guidance letter | Regulatory guidance | AI models used in credit decisioning must be explainable; documentation retained 7 years | 2025-03 | UK Compliance | 2026-03 | In progress |
| EU sandbox exit conditions | Sandbox | Post-sandbox bias audit required within 6 months; audit report submitted to DPA | 2025-09 | EU Product Counsel | 2026-03 | Overdue — escalated |
| Enterprise customer MSA | Contract | AI outputs reviewed by human before customer-facing use; quarterly accuracy report | 2024-06 | Account Legal | Ongoing | Active |
