ModelCharter

AI Compliance: What It Is and What Your Business Must Do

Scales of justice representing AI compliance and legal obligations for business

Photo: Sora Shimazaki / Pexels

AI compliance is the process of ensuring your organisation uses AI in line with applicable laws, regulations, and contractual commitments. For most small and mid-sized businesses, the relevant obligations cluster around four frameworks: the EU AI Act, GDPR, HIPAA (for US healthcare teams), and SOC 2 (for B2B software companies). You are probably not subject to all four, but you are likely subject to at least one.

EU AI Act: the deployer's obligations

If your organisation uses AI tools and any part of your operation reaches the EU, the EU AI Act applies, even if you are based outside the EU. For deployers of general-purpose AI tools, which is most SMBs, the practical duties are: ensure staff using AI have basic AI literacy, maintain transparency when AI interacts with end users, and avoid prohibited practices (such as social scoring or real-time biometric surveillance in public spaces). The AI literacy duty has applied since February 2025.

GDPR: the data processing layer

Any AI tool that processes personal data of EU residents is a data processor on your behalf. You need a Data Processing Agreement with the vendor, a lawful basis for the processing, and records of that processing in your Register of Processing Activities. Consumer AI tiers often do not come with DPAs, which is why they are unsuitable for work involving EU personal data regardless of any other factors.

HIPAA: the healthcare boundary

US healthcare organisations and their business associates must ensure any AI tool handling protected health information has a signed Business Associate Agreement before use. Without one, using the tool with PHI is a violation, the incident does not need to occur for the obligation to apply. Check the tier: enterprise plans usually include BAAs; consumer and standard business plans usually do not.

SOC 2: the B2B evidence question

SOC 2 does not create AI-specific legal obligations, but enterprise customers conducting vendor due diligence increasingly expect you to have an AI governance policy as part of your security posture. A written AI usage policy, a record of approved tools, and attestation records are the artefacts that satisfy most SOC 2 AI-related audit questions. Getting those in place prepares you for customer scrutiny as well as regulatory scrutiny.

Start with a policy

AI compliance does not start with a legal team; it starts with a policy. ModelCharter's free policy generator produces a compliance-oriented AI usage policy tailored to your regulatory context in minutes. From there, add a tool register and attestation records. Together they cover the documentation trail that most regulators and auditors want to see.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator