Steven's Knowledge

Regulations

EU AI Act, US executive orders, China's rules, and what engineers actually need to do about them

AI regulation is no longer hypothetical. Laws are on the books, enforcement is ramping up, and "we didn't know" is not a defense. The good news: most of what regulators want — risk assessment, documentation, human oversight — is just good engineering practice you should be doing anyway.

You don't need to become a lawyer. You do need to know what category your system falls into and what that implies for the code you write.

EU AI Act

The EU AI Act is the most comprehensive AI regulation to date. It uses a risk-based tiering system that determines your obligations:

  1. Unacceptable risk (banned) — social scoring by governments, real-time biometric surveillance in public spaces (with narrow exceptions), manipulation of vulnerable groups. If your system does this, stop.
  2. High risk — systems in healthcare diagnostics, hiring/HR, credit scoring, law enforcement, critical infrastructure, education. These carry the heaviest obligations.
  3. Limited risk — chatbots, deepfake generators, emotion recognition. Mainly transparency obligations: tell the user they're interacting with AI.
  4. Minimal risk — spam filters, recommendation engines, most internal tools. Largely unregulated, though voluntary codes of conduct are encouraged.

What high-risk means for engineers

  • Risk management system — documented, maintained, updated through the system lifecycle.
  • Data governance — training data must be relevant, representative, and as free from errors as reasonably possible.
  • Technical documentation — detailed enough for authorities to assess compliance.
  • Logging — automatic recording of events during operation, retained for an appropriate period.
  • Human oversight — the system must be designed so humans can effectively oversee it.
  • Accuracy, robustness, cybersecurity — appropriate levels for the intended purpose.

General-purpose AI (GPAI) rules

Foundation model providers have separate obligations: publish training data summaries, comply with copyright rules, and if the model poses systemic risk (currently: >10^25 FLOPs training compute), conduct adversarial testing and report serious incidents.

US Executive Orders and Federal Guidance

The US approach is less prescriptive but still consequential:

  • Executive Order 14110 (Oct 2023) — required dual-use foundation model developers to share safety test results with the government. Established AI safety standards and watermarking guidance. Note: executive orders can change with administrations.
  • NIST AI Risk Management Framework — voluntary but increasingly referenced in procurement requirements. If you sell to the US government, treat it as mandatory.
  • Sector-specific agencies — the FDA regulates AI in medical devices, the SEC watches AI in financial advice, the FTC enforces against deceptive AI claims. Each has its own rules.

The practical impact: even without a single federal AI law, you face a patchwork of agency rules that collectively cover most high-stakes use cases.

China's AI Regulations

China regulates AI through a series of targeted rules:

  • Algorithmic recommendation rules (2022) — transparency requirements for recommendation algorithms, user opt-out rights.
  • Deep synthesis rules (2023) — deepfakes and synthetic content must be labeled; providers need real-name registration.
  • Generative AI rules (2023) — training data must be lawful, generated content must align with "core socialist values," providers bear responsibility for outputs.
  • AI safety governance framework — risk classification similar in spirit to the EU approach.

If you serve Chinese users or operate in China, these are not optional. The enforcement mechanism is swift: non-compliance can mean service shutdown.

Sector-Specific Rules

Some sectors have had AI-relevant regulation for years:

  • Healthcare — FDA's Software as a Medical Device (SaMD) framework. If your model informs clinical decisions, it's likely a medical device. Pre-market clearance or approval may be required.
  • Finance — model risk management expectations (SR 11-7 in the US), explainability requirements for credit decisions (ECOA), algorithmic trading rules (MiFID II in EU).
  • Employment — NYC's Local Law 144 requires bias audits for AI used in hiring. Illinois requires consent for AI video interview analysis. More jurisdictions are following.

Draw a clear line:

Engineers own:

  • Classifying your system's risk tier (you know what it does)
  • Building logging and audit infrastructure
  • Implementing human oversight mechanisms
  • Maintaining technical documentation
  • Running bias and safety evaluations
  • Ensuring data governance in training pipelines

Legal owns:

  • Regulatory filings and certifications
  • Interpreting ambiguous regulatory text
  • Cross-jurisdiction compliance strategy
  • Contract terms with customers and providers
  • Responding to regulatory inquiries

Both own together:

  • Deciding what constitutes "high risk" in edge cases
  • Defining acceptable use policies
  • Incident response planning

The worst outcome is assuming legal will handle everything. By the time legal reviews your system, the architecture decisions that determine compliance are already baked in.

On this page

EU AI ActWhat high-risk means for engineersGeneral-purpose AI (GPAI) rulesUS Executive Orders and Federal GuidanceChina's AI RegulationsSector-Specific RulesWhat Engineers Own vs What Legal Handles