What it means
AI systems that are not mapped against applicable regulatory frameworks (e.g. GDPR, the EU AI Act, sector-specific regulation, professional standards) create accumulating legal exposure. The failure is not just non-compliance; it is the absence of a compliance position that can be demonstrated when enforcement arrives.
Why it matters
AI regulation is tightening globally. EU AI Act penalties reach 7% of global annual turnover. GDPR enforcement is active on AI-specific data processing. A board that has not mapped its compliance position is deferring risk.
Board governance implications
The board must confirm regulatory obligations have been mapped by jurisdiction for all current and planned AI use. Mapping must be repeated as regulation evolves. Compliance is not a one-time assessment; it is a standing governance obligation.
Governance failure timeline
Pre-deployment
Failure to map regulatory obligations by jurisdiction before approving any AI use case.
Absence of a compliance position that can be demonstrated at point of enforcement.
Deployment
Unlawful AI operation accumulates penalties from the point of use.
Non-compliant systems are operating in active breach of GDPR, EU AI Act, or sector-specific requirements, and the organisation has no documented compliance position to fall back on.
Post-deployment
Regulatory investigation arrives, and enforcement action follows.
Financial penalties under the EU AI Act reach 7% of global annual turnover.
Systems must be withdrawn.
The reputational exposure of being publicly identified as operating in breach compounds the financial consequence.