Regulatory Change Engine
Tracks AI regulatory developments across jurisdictions and maps each change to the architectural gaps it creates — so you know exactly what to build next.
EU AI Act: High-Risk AI System Obligations Apply
From 2 August 2026, all high-risk AI systems listed in Annex III must comply with the full suite of obligations under Chapter III, Section 2, including conformity assessments, technical documentation, human oversight, and registration in the EU AI database.
High-risk AI systems in employment, credit, insurance underwriting, biometric identification, education, law enforcement, and critical infrastructure must be fully compliant.
Any AI system making or assisting decisions in Annex III categories must be architected with human override capability, immutable audit logging, and model performance monitoring from day one.
EU AI Act Article 6, Annex III. Applicability timeline per Article 113(c).
APRA Issues Supervisory Letters to 4 Entities for AI Governance Failures
APRA identified material AI governance failures at four regulated financial institutions during supervisory reviews and issued formal supervisory letters. This is the first material APRA AI-specific enforcement action.
Formal supervisory letters issued requiring remediation within defined timeframes. APRA made clear that CPS 230 and CPS 234 obligations extend to LLM-based and AI-assisted decision systems.
Organisations subject to APRA oversight must have a centralised AI model register, a documented AI risk classification process, an approval workflow before AI deployment, and AI-specific incident response runbooks.
APRA supervisory activity Q2 2026.
EU AI Act: GPAI Model Obligations Apply
From 2 August 2025, all providers of General-Purpose AI (GPAI) models must comply with transparency, technical documentation, and copyright policy requirements under Articles 53-55.
GPAI providers must publish model training data summaries, maintain technical documentation, implement copyright compliance policies, and publish model capability evaluations.
Enterprises building on top of GPAI models must assess whether their downstream use creates systemic risk. Data lineage documentation becomes a compliance requirement.
EU AI Act Articles 53-55. Applicability timeline per Article 113(b).
Australia Voluntary AI Safety Standard Published
The Australian Government published a voluntary AI Safety Standard with ten guardrails for organisations deploying AI in high-risk settings. The standard signals the direction of future mandatory regulation.
Ten guardrails established: accountability structures, risk management, data governance, testing and evaluation, human oversight, transparency, security, monitoring, incident response, and safe use practices.
Organisations in government, financial services, and healthcare that deploy AI in high-risk settings should treat the ten guardrails as pre-regulatory baseline requirements.
Australian Government, Voluntary AI Safety Standard, Department of Industry, Science and Resources, September 2024.
EU AI Act Enters into Force
The EU Artificial Intelligence Act was published in the Official Journal and entered into force on 1 August 2024. It is the world's first comprehensive legal framework for AI, establishing risk-based obligations across four tiers.
Legal framework created. Full compliance timeline activated. 12-month clock for GPAI model obligations began. 24-month clock for high-risk AI system obligations began.
All AI systems serving EU users must now be classified by risk tier. High-risk systems require conformity assessments, human oversight mechanisms, technical documentation, and logging.
Official Journal of the European Union, Regulation (EU) 2024/1689, 12 July 2024.
NIST Generative AI Risk Profile Published
NIST published the Generative AI Profile (NIST AI 600-1) as a companion to the AI RMF, addressing risks unique to GenAI systems including hallucination, confabulation, data privacy, and CBRN information risks.
Introduced 12 GenAI-specific risks including confabulation, data privacy violations, obscene content generation, information hazards, intellectual property issues, and data poisoning.
Organisations deploying LLMs in regulated contexts must now address hallucination detection, output filtering, prompt injection defence, and PII leakage prevention as explicit risk categories.
NIST AI 600-1, July 2024.
ISO/IEC 42001:2023 AI Management System Standard Published
ISO/IEC 42001:2023 establishes requirements for an AI management system (AIMS) — the first internationally recognised management system standard specifically for AI.
New international standard creates certification pathway for AI governance. Annex A contains 38 controls spanning AI policy, resources, impact assessments, system design, data use, and third-party AI.
Organisations pursuing ISO 42001 certification must document AI objectives, maintain an AI register, conduct impact assessments for high-risk applications, and implement controls for responsible AI.
ISO/IEC 42001:2023, published by ISO December 2023.
G7 Hiroshima AI Code of Conduct for Advanced AI
The G7 Hiroshima AI Process produced an International Code of Conduct for Advanced AI Systems signed by G7 nations. The 11-point code covers risk identification, incident reporting, information sharing, and transparency obligations.
Eleven international obligations for advanced AI: risk identification and mitigation, incident tracking and reporting, information sharing with governments, responsible capability disclosure, data input transparency.
Organisations deploying foundation models in G7 markets should align their governance architecture with the 11 points as a geopolitical baseline.
G7 International Code of Conduct for Advanced AI Systems, Hiroshima AI Process, October 2023.
US Executive Order on Safe, Secure, and Trustworthy AI
President Biden's Executive Order on AI directed federal agencies to establish AI safety standards, required frontier model providers to report safety test results to the government, and tasked NIST with developing red-teaming guidance.
Dual-use foundation model providers must notify the US government of training runs above compute thresholds and share red-team results. Federal agencies must appoint Chief AI Officers and complete AI use-case inventories.
Organisations operating frontier models in the US market must have red-teaming pipelines, safety evaluation infrastructure, and reporting capability. Federal contractors must document AI use cases.
Executive Order 14110, Federal Register, October 2023.
APRA CPS 230 Operational Risk — AI Systems as Critical Operations
The new APRA CPS 230 standard (effective July 2024) explicitly includes AI-driven processes within the definition of critical operations. AI systems that materially affect financial outcomes, customer decisions, or regulatory reporting require operational resilience controls.
AI systems performing credit decisioning, fraud detection, or customer communication now require documented tolerance levels, tested failover procedures, supplier concentration risk assessment, and 72-hour notification to APRA for material AI incidents.
AI systems must be designed with recovery time objectives, rollback capability, and human fallback procedures. An AI model whose accuracy degrades is a CPS 230 event.
APRA Prudential Standard CPS 230 Operational Risk Management, effective 1 July 2024.
CJEU Ruling: GDPR Article 22 Applies to AI-Assisted Decisions
The Court of Justice of the EU clarified that GDPR Article 22 applies when an AI system contributes materially to a human decision. Human 'rubber-stamping' of AI recommendations does not exempt an organisation from Article 22 obligations.
The threshold for Article 22 compliance is lower than previously interpreted. Any AI system where human review is perfunctory is now in scope. Meaningful human oversight must be documented and evidenced.
Human-in-the-loop implementations must demonstrate genuine decision authority. Audit logs must capture evidence that human reviewers had access to model reasoning and exercised independent judgement.
CJEU Case C-634/21, SCHUFA Holding, judgment 7 December 2023.
UK ICO Guidance on AI and Data Protection
The UK ICO published updated guidance on AI and data protection, clarifying obligations when using personal data to train, test, and deploy AI systems. The guidance addresses lawful basis for AI training, data minimisation, automated decision-making transparency, and fairness requirements.
Explicit ICO position: organisations must complete a DPIA before training AI on personal data. Models trained on personal data retain it and may need to be 'forgotten'. Automated decisions require explanation capability.
AI systems processing personal data must have documented lawful basis, purpose limitation, and data minimisation built into the architecture. The 'right to erasure' may require model retraining capability.
ICO Guidance on AI and Data Protection, ico.org.uk, March 2023.
NIST AI Risk Management Framework 1.0 Released
NIST released the AI Risk Management Framework (AI RMF 1.0) as a voluntary framework for managing AI risks across the full lifecycle. It organises AI risk management around four core functions: GOVERN, MAP, MEASURE, and MANAGE.
Established the GOVERN-MAP-MEASURE-MANAGE framework as the dominant US framework for AI risk. AI RMF Playbook provides 100+ suggested actions.
The MEASURE function requires quantitative metrics for AI system trustworthiness. The MANAGE function requires incident response processes.
NIST AI RMF 1.0, NIST AI 100-1, January 2023.
APRA CPS 234 Third-Party Guidance Letter — AI Vendors Included
APRA issued guidance clarifying that AI model providers and LLM vendors are in-scope third-party service providers under CPS 234. Financial institutions using OpenAI, AWS Bedrock, Azure OpenAI, or similar services must apply the full third-party risk management framework.
AI/ML vendors explicitly in scope for CPS 234 third-party risk. APRA expects vendor security assessments before onboarding, contractual data protection clauses, data residency documentation, breach notification terms, and ongoing monitoring.
Any AI API call leaving the organisation's perimeter is now a CPS 234 event. Organisations must log what data leaves, to which vendor, and under what contractual protection.
APRA Prudential Practice Guide CPG 234. APRA's third-party guidance letters 2022.
OAIC Orders Clearview AI to Destroy Australian Data
The OAIC found Clearview AI breached the Australian Privacy Act by collecting facial images from the web without consent and creating a biometric database used by law enforcement. The OAIC ordered Clearview to stop collecting facial images of Australians and destroy all data.
Established that web scraping to train AI models constitutes collection of personal information under the Privacy Act. Processing biometric data without a lawful basis breaches APP 3.
AI training pipelines scraping public web data may breach Privacy Act obligations if the data contains identifiable information. Privacy impact assessments must precede training data collection.
OAIC determination, Commissioner-initiated investigation into Clearview AI Inc, November 2021.
MAS FEAT Principles for Responsible AI in Financial Services
The Monetary Authority of Singapore published the FEAT Principles — Fairness, Ethics, Accountability, Transparency — as the cornerstone guidance for responsible use of AI in financial services.
Established four principles: Fairness (no prohibited discrimination), Ethics (aligned with customer interests), Accountability (human accountability for AI decisions), Transparency (explainable to customers).
Explainability is a first-class architectural requirement, not a post-hoc addition. Models used in customer-facing decisions must generate human-readable explanations.
MAS FEAT Principles for Responsible Use of AI and Data Analytics, November 2018.