AI Compliance: More Complex Than I Expected

AI Compliance: More Complex Than I Expected

Recently, I was chatting with a friend who runs an AI product company. He told me they recently hired a full-time AI compliance specialist with an annual salary of 400,000 RMB.

My first reaction: Is that really necessary?

He did the math for me: if fined by the EU for compliance issues, the minimum tier is 7.5 million euros or 1.5% of revenue; the maximum is 35 million euros or 7%. His company has 200 million euros in annual revenue — at the top tier, that's 14 million euros. Hiring someone at 400,000 RMB? The math works out.

This made me start taking AI compliance seriously. And once I started digging, I realized the regulatory landscape in 2026 is completely different from two years ago.

The EU AI Act: Not a "Suggestion" — It's Mandatory

Many people's impression of the EU AI Act is still stuck on "that strict AI law." But the key change is: it is fully in force in 2026. No longer a draft, no longer "coming soon."

Its core logic is not complicated: risk-based classification.

Prohibited outright: Social scoring (dystopian operations that rate every individual), subliminal manipulation, real-time facial recognition law enforcement in public spaces. No gray area.

High-risk: The scope is broader than you might think. AI in critical infrastructure, education scoring systems, HR recruitment screening, financial credit scoring, law enforcement assistance — all of it. The requirements are specific: risk management, compliant training data, complete technical documentation, human oversight, and accuracy/robustness metrics.

Limited risk: Primarily transparency requirements. Chatbots must tell users "I am AI"; AI-generated content must be labeled. The bar is not high, but violations still draw fines.

My friend's company spent three months on a compliance assessment and discovered their AI customer service system was classified as "high-risk" — because it affects user complaint resolution outcomes. This means they had to build an entire compliance process from scratch, including data audits, model interpretability reports, and continuous monitoring mechanisms.

"If only we had considered compliance at the design stage," he said. "The cost of rework now is three times what it would have been."

China: Multiple Tracks in Parallel

China did not create a single unified "AI Law" — instead, it advances regulation by sector. This approach is flexible, but it also leaves companies a bit uncertain.

Algorithm recommendation management has been in effect for some time. You have the right to turn off algorithmic recommendations; platforms cannot force you to use them. But honestly, I tried turning off recommendations on several apps, and the result wasn't "no more recommendations" — it was "recommendation quality dropped significantly." That's arguably a form of coercion too.

Deep synthesis (AIGC) management requires AI-generated content to be labeled. But in terms of actual enforcement... just go check how much AI-generated content on short video platforms is actually labeled. There is still a long way to go at the execution level.

The Interim Measures for the Management of Generative AI Services is currently the most direct regulation targeting large models. Data must be legal, content must be compliant, personal information must be protected, and filings with the Cyberspace Administration are required. Most domestic large model products have gone through the filing process before launch — this one is enforced relatively solidly.

The Data Security Law and Personal Information Protection Law, while not specifically targeting AI, have a significant impact on the collection and use of AI training data. This is especially true for cross-border data operations, where compliance requirements are extremely strict.

A friend working in AI exports complained to me: "EU rules are strict, but at least they clearly tell you what you can and cannot do. In China, sometimes it's not that the rules are unclear — it's that enforcement standards are always changing, and you never know if new requirements will come next month."

For Small Teams, Is Compliance Really Within Reach?

At first, I thought compliance was for large companies. But after some research, I found that regulations don't distinguish by company size. If you serve EU users or operate in the Chinese market, you must comply — whether you are a 3-person team or a 30,000-person corporation.

The good news is that the core requirements are not as complex as you might think:

  1. Figure out what risk level your product falls into. Most consumer-facing tool products are "minimal risk" or "limited risk" — no need for full compliance.
  2. Data sources must be legal. Don't scrape or buy training data of unknown origin — this is the easiest pitfall to step into.
  3. Maintain transparency. Tell users you are using AI; give them the option to turn off AI features.
  4. Basic monitoring. It doesn't need to be complex, but you must at least be able to detect if AI outputs are going off the rails.

Many cloud platforms now offer ready-made compliance tools — data masking, content moderation APIs, model auditing — and the technical barrier has been significantly reduced.

A Real-World Cautionary Tale

An independent developer I know built an AI writing assistant targeting overseas markets. The product was well-made, and user growth was fast.

Then he received an inquiry letter from an EU regulatory authority.

The reason: he had not conducted an AI impact assessment, had no compliant user data processing statement, and did not provide AI-generated content identification. Although his product was not high-risk, he failed to meet basic transparency obligations.

Resolving the matter took two months, during which the product's downloads in Europe stopped entirely. By the time compliance was completed and the app re-listed, he had lost nearly 30% of his European users.

His summary: "Compliance is something nobody praises you for doing, but not doing it will eventually cause problems."

My Assessment

AI regulation is still evolving rapidly, but the direction is already clear: increasingly detailed, increasingly strict, increasingly enforceable.

For those serious about AI business, my advice is:

  • Don't wait until you are fined to act. The cost of compliance is far lower than fines plus brand damage.
  • Build compliance in from day one. Reworking after the fact costs three to five times as much as considering it upfront.
  • Pay attention to industry technical standards. ISO/IEC and NIST frameworks are not laws, but many regulatory requirements reference these standards.

AI compliance is not a problem to "solve" — it is a subject to "manage continuously." Just as you would not do a single security audit and never think about it again, compliance is a process that iterates alongside regulations and technology.

Building a system early is far more cost-effective than reacting passively.


Looking ahead, I believe the compliance landscape will follow a pattern we have seen before with GDPR: initial confusion and panic, followed by a wave of compliance tooling, followed by a new normal where compliance is simply part of building software. Companies that invest in understanding and building compliant systems now will not just avoid fines — they will build products that customers, partners, and governments trust more. In a market where AI tools are increasingly interchangeable, trust is a powerful competitive advantage. The companies that treat compliance as a feature rather than a burden are the ones that will win in the long run. One additional consideration that is already on the horizon is the concept of "model cards" and "data sheets for datasets" becoming standardized regulatory requirements. Similar to how nutritional labels give consumers standardized information about food products, these documentation standards would provide users and regulators with clear, comparable information about how an AI model was trained, what data it was built on, and what its known limitations are. Organizations like Hugging Face and major AI labs have already begun voluntarily adopting these practices, and making them mandatory would dramatically increase transparency across the entire AI ecosystem while giving compliance teams a concrete framework to follow. An important practical tip for teams navigating the current regulatory uncertainty is to document your design decisions and their rationale as you build, not after the fact. When regulators come knocking — and they will — having a clear record of why you chose a particular data source, how you evaluated model fairness, and what safeguards you put in place will be far more persuasive than trying to reconstruct those decisions under time pressure after a compliance inquiry has already begun.

Building compliant AI systems is increasingly viewed by sophisticated investors as a signal of operational maturity rather than a regulatory burden to be minimized.

Documentation plays a critical role in AI security and compliance. Every model deployed in a production environment should have an accompanying model card, which is a structured document describing the model intended use cases, performance characteristics across different demographics, known limitations, and ethical considerations. Frameworks like Google Model Card Toolkit and IBM AI FactSheets provide templates that make this process systematic rather than ad hoc. Beyond model cards, teams should maintain audit logs for every inference request in regulated industries. These logs become essential during regulatory examinations or incident investigations, providing a chronological record of who accessed what data and what decisions the AI made in response. Treating documentation as an afterthought is one of the most common mistakes organizations make when deploying AI systems under compliance constraints. Investing in documentation infrastructure early reduces both legal risk and the cost of future audits.