How do we prepare for AI regulation over the next 12 months?
A forward-looking compliance planning guide: identifying what regulations become enforceable in your jurisdictions over the next year, assessing your current gaps, and building a funded remediation roadmap.
If you only do 3 things, do this:
1. Build a 12-month regulatory calendar specific to your jurisdictions and use cases. Generic "AI regulation is coming" awareness is not preparation. Specific deadlines with owners are.
2. Run a gap assessment against each incoming obligation before the deadline, not at it. A gap assessment at the deadline leaves you no remediation time.
3. Assign a named person to monitor regulatory developments. This is not a once-a-year activity. Regulators publish guidance, interpretations, and enforcement priorities continuously.
The Situation
Who this is for: Compliance and legal teams responsible for anticipating and preparing for AI regulatory obligations
When you need this: During annual planning cycles, when new AI regulation is announced in your jurisdiction, or when board or executive leadership asks about regulatory preparedness
The Decision
What regulatory changes are coming for us in the next 12 months, where are our gaps, and what do we need to do now to be ready?
The Steps
1. Identify which regulations become effective or enforceable in your key jurisdictions over the next 12 months
2. For each upcoming obligation, assess your current compliance state: ready, gap identified, or not started
3. Build a remediation roadmap: what needs to be done, by when, owned by whom, and at what cost?
4. Prioritize by risk: regulations with enforcement penalties and short deadlines first
5. Allocate resources — staff, budget, external counsel — for the remediation activities on the critical path
6. Implement a quarterly regulatory monitoring process so you're not caught off-guard again
The Artifacts
- 12-month AI regulatory calendar (key obligations and deadlines by jurisdiction)
- Compliance gap assessment template (incoming obligation × current state × required action)
- Remediation roadmap template (action, owner, deadline, cost, dependencies)
- Regulatory monitoring process template (sources, cadence, owner, escalation)
- Board and executive regulatory briefing template
The Output
A 12-month regulatory calendar for your specific jurisdictions and use cases, a gap assessment for each incoming obligation, a funded remediation roadmap, and a monitoring process that keeps you current.
Key deadlines in the near term
The EU AI Act's most significant near-term deadlines center on high-risk AI systems. Organizations placing AI systems on the EU market must have conformity assessments, technical documentation, and EU database registrations in place before market placement. Provisions for GPAI models and their requirements under the Act became applicable in August 2025. These deadlines apply to non-EU organizations with EU market exposure.
In the US, the state-level regulatory calendar is accelerating. Colorado SB 205 is in effect. New York City's Local Law 144 on AI in hiring is in effect and being enforced. Illinois BIPA continues to generate significant class action exposure for biometric AI. California's AI-related legislation pipeline is active. Financial services and healthcare organizations face ongoing guidance from sector regulators that imposes AI-specific obligations without waiting for comprehensive AI legislation.
Running a gap assessment against an incoming regulation
A gap assessment maps each specific obligation in an incoming regulation against your current state. For each obligation, the assessment should answer: do we have a process, policy, or control that satisfies this requirement? If yes, is it documented and operating? If not, what would it take to build it?
The output is a prioritized list of gaps with effort and risk estimates. High-effort, high-risk gaps on short timelines are your critical path items. Low-effort gaps can often be resolved quickly — mandatory disclosure language, for example, requires a policy update and a template, not a major project. Separating the quick wins from the complex buildouts allows you to show early progress while managing the longer-term work.
Building a regulatory monitoring process
Compliance teams that learn about regulatory changes from press coverage are behind. The organizations with the most effective regulatory monitoring have direct subscriptions to relevant agency publications, track active legislation in their key jurisdictions through government and legal databases, and have established relationships with outside counsel who specialize in AI law and provide proactive alerts.
Monitoring needs to cover three categories: binding requirements (laws and regulations that create compliance obligations), guidance (interpretive documents from regulators that signal enforcement priorities and expected practices), and enforcement actions (cases that reveal how regulators apply the rules in practice). Enforcement actions are often the most informative: they demonstrate which obligations regulators are prioritizing, what documentation they expect to see, and what remediation they consider adequate.
