Good AI governance supports tangible business objectives through four pillars. In this series of articles we're scoping out each of those pillars in turn to establish a sketch of what good AI governance looks like:
The four pillars:
- AI System Inventory
- AI Use Case Inventory
- AI Regulatory Crosswalk
- AI Governance Roadmap
We’ve explored the first two pillars, how to approach an AI system inventory and how to develop an AI use case inventory, in previous articles. Today, we’ll look at how to approach an AI regulatory crosswalk.
Start With How You’re Using AI
Covering the wide range of AI laws and regulations is daunting; there are simply too many of them, in too many jurisdictions, across different industries. A more effective approach is to start from the set of use cases in your AI use case inventory to narrow the field of potentially applicable laws and regulations.
This approach takes the ways your organization uses AI (such as employee productivity, hiring, pricing and underwriting) and zeroes in on the regulatory entities that would be relevant (such as the EEOC, the FTC and state departments of insurance). From there, you can find the laws and regulations those entities enforce (such as Title VII, the FTC Act and COPPA).
It’s important when developing this inventory to think broader than just AI — the lion’s share of laws and regulations relevant to AI today are not AI-specific. Rather, they address market behaviors that interest regulators, regardless of whether they use AI.
For example, hiring: When evaluating and selecting candidates, organizations are subject to Title VII at the U.S. federal level as well as laws and regulations for the state in which the candidate is being hired (such as the California Fair Employment and Housing Act or NYC's Local Law 144). Beyond that, there may be additional state-level laws not directly related to hiring that would also apply, such as the California Privacy Rights Act, which has requirements for automated decision-making technology.
What’s Your Business and Where Do You Operate?
Once you’ve scanned the legal and regulatory landscape for obligations related to your use cases, you next consider your industry and the jurisdictions in which you operate, as both will affect which laws and regulations you need to follow in your use of AI.
For example, if your organization is a Healthcare Delivery Organization, it will be subject to HIPAA at the U.S. federal level, but may or may not be subject to state-level laws, as some carve out HIPAA covered entities (partially or entirely), but some do not.
This same dynamic between U.S. federal and state-level laws and regulations will be the case for most industries and will be even more complex if your organization operates globally, as you would need to consider laws and regulations in those jurisdictions at the national and state/provincial levels. For example, if you had operations in Montreal, you would need to look at PIPEDA nationally and also Quebec Law 25.
With this done, you’ll have a final list of the laws and regulations relevant to your organization’s use of AI, its industry and the jurisdictions where it operates.
Consolidate Your Requirements
To turn the final list of laws and regulations into concrete steps, document the requirements in each that relate to how your organization uses AI. Sometimes the requirements will be obvious, as with Article 11 of the EU AI Act; other times, the requirements for AI will need to be teased out to connect the dots, as with Title VII.
In either case, the result will be a long list of requirements tied to at least one of your AI use cases, and many will be tied to more than one use case. To make the list manageable and actionable, remove redundancy, clarify overlaps and eliminate unnecessary details to get it down to its core requirements.
To do this, you create a matrix that shows the relationship between use cases, laws and regulations and specific requirements. A range of software products help create and manage this crosswalk, but you can also do it with a spreadsheet that contains related tabs.
The basic idea is that you’ll have a tab for use cases, where each row is a use case; a tab for laws and regulations, where each row is a specific law or regulation; and a tab for requirements, where each row is a requirement. You’ll give each row an ID number that uniquely identifies it (e.g., Hiring could be UC010, the EU AI Act could be LR053, and Conduct a model risk analysis could be REQ089, etc.).
Then, on each tab, you add columns to indicate the relationship between use cases, requirements and laws and regulations using the ID number. In the example above, Hiring would be cross-referenced to LR053 and REQ089; the EU AI Act would be cross-referenced to UC010 and REQ089; and Conduct a model risk analysis would be cross-referenced to UC010 and LR053.
Aggregating AI Requirements to Handle Them More Easily
Now that you have your use cases, laws and regulations and requirements cross-referenced, the final step is to group the requirements into big buckets to make addressing them easier. For example, multiple AI laws require some form of risk analysis — Colorado’s AI Act requires an impact assessment, and the EU AI Act requires a risk management system. Addressing these individually will be inefficient; it’s better to bucket them and determine where they overlap, so both can be addressed with one effort. Where they don’t overlap, you know where distinctive controls are needed.
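As an added illustration (not part of the original article), the following Python builds the three-tab crosswalk described above from a single list of use case/law/requirement links, checks that every cross-referenced ID actually exists on a tab, and groups requirements into the buckets discussed in this section. The IDs UC010, LR053 and REQ089 are taken from the article; the other rows and the theme labels are constructed sample data.

```python
from collections import defaultdict

# Constructed sample rows. UC010/LR053/REQ089 come from the article; the rest are made up.
USE_CASES = {"UC010": "Hiring", "UC011": "Underwriting"}
LAWS = {"LR053": "EU AI Act", "LR054": "Colorado AI Act", "LR055": "Title VII"}
REQUIREMENTS = {  # requirement ID -> (description, bucket/theme)
    "REQ089": ("Conduct a model risk analysis", "risk analysis"),
    "REQ090": ("Complete an impact assessment", "risk analysis"),
    "REQ091": ("Avoid disparate impact in selection", "non-discrimination"),
}
# Each link ties one use case to one law and one requirement derived from it.
LINKS = [
    ("UC010", "LR053", "REQ089"),
    ("UC010", "LR054", "REQ090"),
    ("UC010", "LR055", "REQ091"),
    ("UC011", "LR054", "REQ090"),
]


def build_crosswalk(links):
    """Return the cross-reference column for every row on every tab.

    Each ID maps to the sorted IDs it is linked to, e.g. UC010 -> LR053 and REQ089,
    exactly as the article describes filling in the spreadsheet columns.
    """
    xref = defaultdict(set)
    for uc, lr, req in links:
        xref[uc].update({lr, req})
        xref[lr].update({uc, req})
        xref[req].update({uc, lr})
    return {k: sorted(v) for k, v in xref.items()}


def dangling_refs(xref):
    """IDs that appear in the crosswalk but exist on no tab (a typo or deleted row)."""
    known = set(USE_CASES) | set(LAWS) | set(REQUIREMENTS)
    seen = set(xref) | {ref for refs in xref.values() for ref in refs}
    return sorted(seen - known)


def bucket_requirements(links):
    """Group requirements by theme; a bucket spanning several laws is one shared effort."""
    buckets = defaultdict(lambda: {"laws": set(), "requirements": set()})
    for _, lr, req in links:
        theme = REQUIREMENTS[req][1]
        buckets[theme]["laws"].add(lr)
        buckets[theme]["requirements"].add(req)
    return {t: {k: sorted(v) for k, v in b.items()} for t, b in buckets.items()}
```

Running `bucket_requirements(LINKS)` shows the "risk analysis" bucket covering both the EU AI Act and the Colorado AI Act rows, which is the overlap the article suggests addressing with a single effort.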
The result is a rationalized short list of requirements that your organization will use as the basis of its AI governance efforts, which will be structured in an AI Governance Roadmap, the subject of the final article in this series.
Editor's Note: Further reading on AI governance, rules and regulations below:
- We've Only Seen the Start of Regulations Around AI in Recruiting — New York City may have been the first to introduce legislation regulating the use of automated employee decision tools, but it definitely won't be the last.
- Best Practices for Establishing an AI Governance Plan — As AI-driven tools become more prevalent and data enters corporate databases, the importance of information governance strategies has never been more critical.
- AI's Use in Talent Acquisition Raises Questions of Responsibility — HR leaders need to pay attention to an active lawsuit that could mean big changes to where AI fits in recruiting strategies.