The EU AI Act, US executive orders, UK AI policy, China AI regulations, and practical compliance implications for AI engineers building and deploying language models.

How does GPAI work in practice?

EU AI Act and Global AI Regulation covers EU AI Act, GPAI, AI regulation from first principles with code examples. Free lesson at https://engineersofai.com/docs/llms/alignment-and-safety/eu-ai-act-and-regulation

What is the difference between EU AI Act and AI regulation?

See the full breakdown at https://engineersofai.com/docs/llms/alignment-and-safety/eu-ai-act-and-regulation

EU AI Act and Global AI Regulation

Reading time: 22 min | Relevance: AI Engineer, Research Engineer, ML Engineer, Product Engineer

The Legal Letter That Arrived on a Tuesday

It's October 2024. Your company's legal team forwards you an email from the EU regulator. Your AI-powered CV screening system, used to filter job applications for a major European employer, has been identified as a "high-risk AI system" under the EU AI Act. The Act entered into force in August 2024. You have 24 months to achieve compliance. The requirements include: registration in the EU AI Act database, completion of a conformity assessment, ongoing human oversight mechanisms, detailed technical documentation, and data governance measures covering the training data.

You realize your team had no idea this was coming. The model was trained two years ago on a licensed dataset. You don't know if the dataset meets the Act's data governance requirements. You don't have the technical documentation the Act requires. You don't have a conformity assessment process. And your legal team is asking when they can tell the regulator you'll be compliant.

This scenario is playing out in hundreds of European companies right now. The EU AI Act is the world's first comprehensive AI regulation. It applies to anyone who places AI systems on the EU market - including non-EU companies selling to EU customers. Understanding it is no longer optional for AI engineers. And the EU Act is just one part of an emerging global regulatory landscape that AI engineers need to understand to build products that can actually be deployed.

Historical Context

April 2021: The European Commission publishes the original EU AI Act proposal.

December 2023: EU Parliament and Council reach political agreement on the Act text after two years of negotiation.

March 2024: Final text agreed, incorporating new provisions for "General Purpose AI" (GPAI) models, added late in negotiations in response to the GPT-4 launch.

August 2024: The EU AI Act enters into force (publication in the Official Journal of the EU). The two-year countdown to most compliance deadlines begins.

February 2025: Prohibitions on unacceptable risk AI (the first enforcement deadline).

August 2026: Most compliance obligations become enforceable, including high-risk AI system requirements.

2027: Requirements for GPAI models trained before the Act's entry into force.

October 2023: US President Biden signs Executive Order 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Less legally binding than the EU Act but sets policy direction for US federal agencies and includes reporting requirements for frontier models.

May 2024: The Biden administration releases its AI safety policy for agencies. The Trump administration revokes several Biden AI policies in January 2025.

The EU AI Act: Structure and Key Concepts

The EU AI Act takes a risk-based approach: obligations scale with the risk level of the AI system. Four risk tiers.

Tier 1: Unacceptable Risk - Prohibited

These AI applications are banned outright:

Social scoring systems by government entities that evaluate citizens based on behavior or personal characteristics
Real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions)
Subliminal manipulation using techniques that bypass conscious awareness to influence behavior
Exploitation of specific vulnerable groups using AI to influence their behavior in harmful ways
Predictive policing based purely on profiling without individual suspicious behavior
AI-powered emotion recognition in workplaces and educational institutions

These prohibitions take effect in February 2025 (6 months after the Act entered into force).

Tier 2: High Risk - Regulated

High-risk AI systems are allowed but subject to extensive compliance requirements. The Act defines high-risk systems as those in eight areas:

Biometric identification and categorization
Critical infrastructure management (energy, water, transport)
Educational and vocational training (admission decisions, performance evaluation)
Employment (recruitment, promotion, task allocation, termination)
Access to essential private services (credit scoring, insurance)
Law enforcement (risk assessment, evidence evaluation)
Migration and asylum (border control, visa assessment)
Administration of justice

If your AI system falls in these areas, compliance obligations include:

Risk management system: Continuous process to identify and mitigate risks
Data governance: Documented training data practices, bias testing
Technical documentation: Detailed technical file about the system
Record keeping: Automatic logging of system events enabling auditability
Transparency: Information to users about the system's capabilities and limitations
Human oversight: Mechanisms ensuring humans can monitor, override, and intervene
Accuracy and robustness: Testing for accuracy and cybersecurity resilience
Conformity assessment: Third-party evaluation (for some subcategories) before deployment
EU AI Act database registration: High-risk systems must be registered

Tier 3: Limited Risk - Transparency

AI systems that interact directly with users must disclose they are AI. Specifically:

Chatbots: Users must be informed they're interacting with an AI (unless obvious from context)
Deepfakes: AI-generated or AI-manipulated content must be labeled as such
Emotion recognition systems: Must inform users they're being subject to emotion recognition
AI-generated content intended to influence: Elections, public discourse - specific disclosure requirements

No prior approval or certification required - just mandatory disclosure.

Tier 4: Minimal Risk - No Obligations

The vast majority of AI applications fall here. AI-powered spam filters, content recommendation systems, AI in video games, product search - no obligations under the Act.

GPAI: General Purpose AI Provisions

The most significant addition to the Act's final text was the GPAI (General Purpose AI) chapter, added to address foundation models like GPT-4, Gemini, and Claude after those systems demonstrated capabilities far beyond narrow AI tools.

What is a GPAI model?

A GPAI model is defined as an AI model trained on large amounts of data using self-supervision at scale, capable of competently performing a wide range of tasks and which can be integrated into a variety of downstream systems or applications.

This definition clearly covers: GPT-4, Claude, Gemini, Llama, Mistral, and similar foundation models.

GPAI obligations (all providers)

All GPAI model providers must:

Maintain technical documentation: Model architecture, training process, training data sources and policies, intended and prohibited uses, performance evaluation results
Comply with copyright law: Provide a summary of content used for training; respect opt-outs for text and data mining
Publish information: Publicly accessible summary of training data (though not the full dataset)
Distribution controls: Pass technical documentation requirements through the value chain - if you provide a GPAI to another provider who builds on it, they must receive sufficient documentation to understand and comply

Systemic risk threshold

The Act defines a higher tier for "GPAI models with systemic risk" - models that pose significant risks at the EU scale due to their capabilities. The threshold: 10^25 FLOPs of training compute (approximately GPT-4's training compute as of the Act's writing).

At the time of writing (2024-2026), this threshold covers: GPT-4, GPT-4o, Gemini Ultra, Claude 3 Opus, and likely GPT-4.5/Claude 3.5 Sonnet when fully evaluated. Open-source models like Llama 3.1 405B may be close to or exceed this threshold.

Systemic risk obligations (higher-tier)

Providers of GPAI models with systemic risk must additionally:

Conduct model evaluations: Adversarial testing (red teaming), capability evaluations, and document results
Assess and mitigate systemic risks: CBRN risks, large-scale cyberattacks, critical infrastructure threats
Incident reporting: Report serious incidents to the European AI Office within 15 days
Cybersecurity protection: Maintain appropriate technical measures protecting model weights, APIs, and infrastructure
Energy efficiency reporting: Disclose energy consumption of the model

Enforcement

The EU AI Office (a new body within the European Commission) oversees enforcement for GPAI models. National market surveillance authorities handle other AI systems.

Fines:

Prohibited AI applications: up to €35 million or 7% of global annual turnover (whichever is higher)
Other violations: up to €15 million or 3% of global annual turnover
Incorrect or misleading information to regulators: up to €7.5 million or 1.5% of global annual turnover

US Executive Order on AI Safety

President Biden signed Executive Order 14110 "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence" in October 2023. Key requirements:

Reporting for dual-use models: Companies training AI systems using more than $100M of compute must report to the US government (via Department of Commerce) with safety test results before and during training. This threshold corresponds roughly to GPT-4-level training runs.

National security assessments: Models that could provide serious uplift to creating CBRN weapons must undergo national security risk assessments.

Watermarking guidance: NIST directed to develop technical standards for watermarking AI-generated content.

Federal agency AI governance: All federal agencies must develop AI governance policies.

Algorithmic discrimination: Treasury, DOJ, and other agencies directed to address algorithmic discrimination in housing, credit, and other domains.

Status (2025): The Trump administration revoked EO 14110 in January 2025. The reporting requirements and national security provisions have been replaced with a different policy framework emphasizing deregulation and competitiveness over safety mandates. The details continue to evolve.

UK Approach: Pro-Innovation, Sector-Specific

The UK has explicitly chosen not to enact EU-style horizontal AI regulation. Instead, the UK framework is:

Principles-based: Five high-level principles (safety, transparency, fairness, accountability, contestability) to be applied by existing regulators in their own domains, rather than a new overarching law.

Sector-specific: The FCA handles AI in financial services. MHRA handles AI medical devices. ICO handles data protection. Each regulator issues guidance for their sector.

AI Safety Institute: The UK established the world's first AI Safety Institute (now the AI Security Institute), which publishes technical research on frontier model risks and coordinates with safety institutes in the US and other countries.

Post-Brexit divergence: The UK's approach is significantly lighter-touch than the EU Act. UK companies operating only in the UK face substantially lower compliance burden. UK companies selling to EU customers must still comply with the EU Act.

China AI Regulations

China has enacted several AI-specific regulations:

Algorithmic Recommendation Regulations (2022): Rules governing how platforms can use AI to recommend content. Requirements: inform users that recommendations are algorithmic, allow users to opt out, prohibit using recommendations to induce excessive consumption or addiction.

Deep Synthesis Regulations (2022): Rules on AI-generated media (deepfakes). Requirements: label AI-generated content, prohibit using deepfakes to spread disinformation or impersonate officials, registration requirements for deep synthesis service providers.

Generative AI Regulations (2023): Rules specifically covering generative AI services in China. Requirements: content must reflect "core socialist values," prevent generating harmful content, label AI-generated content, security assessment for services affecting over 1 million users. Significant compliance burden for any generative AI service operating in China.

Practical Implications for AI Engineers

The regulatory landscape creates concrete engineering requirements. Here are the most important ones:

1. Technical documentation as a first-class artifact

Under the EU AI Act, technical documentation is a legal requirement for high-risk systems and GPAI models. This means documentation must be created and maintained throughout development, not written after the fact.

What documentation is required:

Training data sources, selection criteria, and preprocessing
Model architecture and training methodology
Evaluation results (accuracy, bias testing, safety testing)
Known limitations and intended uses
System design decisions and their rationale

Engineering implication: treat technical documentation like code. Version it. Review it. Keep it updated as the system changes.

2. Bias testing as mandatory, not optional

High-risk AI systems must demonstrate they have been tested for bias and don't discriminate against protected groups. This requires:

Representative test sets that include demographic diversity
Statistical analysis of outcome disparities by demographic group
Documentation of testing methodology and results
Remediation process when biases are found

from collections import defaultdict
import numpy as np

def compute_demographic_disparities(
    predictions: list[int],
    labels: list[int],
    demographics: list[str],
    metric: str = "accuracy"
) -> dict:
    """
    Compute performance disparities across demographic groups.
    Required for high-risk AI system bias testing.
    """
    groups = defaultdict(lambda: {"predictions": [], "labels": []})
    for pred, label, demo in zip(predictions, labels, demographics):
        groups[demo]["predictions"].append(pred)
        groups[demo]["labels"].append(label)

    results = {}
    for group, data in groups.items():
        preds = np.array(data["predictions"])
        labs = np.array(data["labels"])

        if metric == "accuracy":
            score = (preds == labs).mean()
        elif metric == "positive_rate":
            score = preds.mean()
        elif metric == "false_positive_rate":
            negatives = (labs == 0)
            score = preds[negatives].mean() if negatives.sum() > 0 else 0.0
        else:
            raise ValueError(f"Unknown metric: {metric}")

        results[group] = {
            "score": score,
            "n": len(preds),
        }

    # Compute max disparity
    scores = [r["score"] for r in results.values()]
    max_disparity = max(scores) - min(scores)
    results["_summary"] = {
        "max_disparity": max_disparity,
        "metric": metric,
        "groups": list(results.keys()),
    }

    # Flag if disparity exceeds threshold (typical threshold: 0.1)
    if max_disparity > 0.1:
        results["_summary"]["flag"] = (
            f"WARNING: {metric} disparity of {max_disparity:.3f} exceeds 0.1 threshold"
        )

    return results

3. Logging and auditability

High-risk AI systems must automatically log events enabling post-hoc auditability. For LLMs, this means:

Log all prompts, responses, and metadata (timestamp, model version, user ID hash)
Retain logs for the legally required retention period
Enable retrieval of specific interactions for investigation
Protect logs from tampering

import hashlib
import json
import time
from pathlib import Path

class AuditLogger:
    """
    Audit log for EU AI Act compliance.
    Logs all interactions with sufficient detail for post-hoc review.
    """

    def __init__(self, log_dir: str, retention_days: int = 365):
        self.log_dir = Path(log_dir)
        self.log_dir.mkdir(parents=True, exist_ok=True)
        self.retention_days = retention_days

    def log_interaction(
        self,
        session_id: str,
        user_id_hash: str,  # Never store raw user IDs
        model_version: str,
        system_prompt_hash: str,  # Hash system prompt, don't store it
        user_input: str,
        model_output: str,
        metadata: dict = None,
    ) -> str:
        """
        Log a model interaction for auditability.
        Returns the interaction log entry ID.
        """
        timestamp = time.time()
        entry_id = hashlib.sha256(
            f"{session_id}{timestamp}".encode()
        ).hexdigest()[:16]

        log_entry = {
            "entry_id": entry_id,
            "timestamp": timestamp,
            "session_id": session_id,
            "user_id_hash": user_id_hash,
            "model_version": model_version,
            "system_prompt_hash": system_prompt_hash,
            "user_input": user_input,  # Consider hashing/encrypting PII
            "model_output": model_output,
            "output_length": len(model_output.split()),
            "metadata": metadata or {},
            "log_version": "1.0",
        }

        # Write to daily log file
        date_str = time.strftime("%Y-%m-%d", time.gmtime(timestamp))
        log_file = self.log_dir / f"interactions_{date_str}.jsonl"

        with open(log_file, "a") as f:
            f.write(json.dumps(log_entry) + "\n")

        return entry_id

    def retrieve_interaction(self, entry_id: str) -> dict | None:
        """Retrieve a specific logged interaction by entry ID."""
        for log_file in sorted(self.log_dir.glob("interactions_*.jsonl")):
            with open(log_file) as f:
                for line in f:
                    entry = json.loads(line)
                    if entry["entry_id"] == entry_id:
                        return entry
        return None

4. Human oversight mechanisms

High-risk AI systems must support human oversight. For LLMs, this typically means:

Clear indication when an AI is making a decision (transparency)
Ability for a human to review the AI's reasoning
Override mechanism: human can reject or modify AI output
Escalation pathway: routing high-stakes decisions to human review

5. Training data documentation

GPAI providers must document training data sources and demonstrate compliance with copyright law. This creates new requirements for:

Maintaining records of training data sources and licenses
Implementing mechanisms to honor text/data mining opt-outs (EU copyright directive)
Auditing training data for copyrighted content from opted-out sources
Publishing a summary of training data sources

Compliance Checklist for AI Engineers

For high-risk AI systems:
[ ] Technical documentation created and version-controlled
[ ] Risk management system established and documented
[ ] Training data sources documented, licenses verified
[ ] Bias testing completed and results documented
[ ] Human oversight mechanisms implemented
[ ] Automatic logging system deployed
[ ] Conformity assessment completed (if applicable)
[ ] EU AI Act database registration completed
[ ] Post-market monitoring plan established

For GPAI models serving EU users:
[ ] Training data summary published
[ ] Copyright compliance mechanisms implemented
[ ] Technical documentation maintained
[ ] (If systemic risk threshold): red teaming conducted
[ ] (If systemic risk threshold): incident reporting process established

For any AI product with EU users:
[ ] Risk tier assessment completed
[ ] If chatbot: AI disclosure implemented
[ ] If deepfake generation: labeling implemented
[ ] If prohibited use case: system not deployed

Common Mistakes

:::danger Assuming "low risk" without formal assessment "This probably isn't high-risk" is not a compliance strategy. The EU AI Act's high-risk categories are broader than they appear. CV screening tools, performance evaluation systems, credit risk assessment, and many other common business AI applications fall in high-risk categories. Conduct a formal risk classification assessment, document it, and have it reviewed by legal counsel familiar with the Act. :::

:::danger Building systems before considering regulatory requirements Regulatory compliance requirements need to be addressed at system design time, not bolted on afterward. Logging architecture, bias testing infrastructure, documentation practices, and human oversight mechanisms are all significantly easier and cheaper to build in from the start than to retrofit into a deployed system. :::

:::warning Treating EU AI Act compliance as EU-only The EU AI Act applies to any AI system placed on the EU market - regardless of where the provider is based. If your US or UK or Indian company sells AI products to EU customers, you must comply. Non-compliance exposes you to fines up to 7% of global revenue - not EU revenue, total global revenue. :::

:::warning Ignoring the supply chain provisions If you're building on a GPAI model (using GPT-4, Claude, or Gemini as a foundation), your compliance obligations depend on your role. Using an API doesn't exempt you from obligations for your downstream application. If you integrate a GPAI model into a high-risk application, you are responsible for high-risk system compliance obligations - even though you didn't train the foundation model. :::

:::tip Start documentation now, before regulators ask The most common compliance failure pattern: companies create documentation only when regulators request it, then scramble to reconstruct decisions made years earlier. Start maintaining technical documentation as a standard engineering practice. Capture training decisions, evaluation results, and safety testing in version-controlled documents alongside your code. This is good engineering practice regardless of regulation. :::

Interview Q&A

Q1: What is the EU AI Act and which AI systems does it cover?

The EU AI Act is the world's first comprehensive AI regulation, which entered into force in August 2024. It applies to any AI system "placed on the EU market" - meaning any company anywhere in the world that sells AI products to EU customers must comply.

The Act takes a risk-based approach: obligations scale with risk level. Four tiers: prohibited (social scoring, real-time biometric surveillance), high-risk (CV screening, credit scoring, medical devices, law enforcement tools), limited risk (chatbots require AI disclosure), and minimal risk (most AI applications, no obligations). A fifth category covers General Purpose AI models like GPT-4 and Claude, with obligations including technical documentation, copyright compliance, and (for models above 10^25 FLOPs) adversarial testing and incident reporting.

Q2: What are the key obligations for GPAI providers under the EU AI Act?

All GPAI providers serving EU users must: maintain detailed technical documentation (architecture, training process, training data), comply with EU copyright law including honoring text/data mining opt-outs, publish a summary of training data content, and pass documentation requirements to downstream providers who build on their models.

GPAI providers with "systemic risk" - defined as models trained using more than 10^25 FLOPs - have additional obligations: conduct adversarial testing (red teaming) before deployment, assess and mitigate systemic risks (CBRN, critical infrastructure), report serious incidents to the EU AI Office within 15 days, and maintain cybersecurity protections for model weights and APIs.

Q3: What does "high-risk AI system" mean and what are the compliance requirements?

High-risk AI systems are those used in areas like employment decisions (CV screening, performance evaluation), access to financial services (credit scoring), law enforcement, education, and critical infrastructure. These systems are allowed but subject to extensive requirements: risk management documentation, data governance with bias testing, detailed technical documentation, automatic logging for auditability, transparency requirements for users, human oversight mechanisms, accuracy and robustness testing, conformity assessment (third-party evaluation for some categories), and registration in the EU AI Act database.

The key distinction from prohibited AI: high-risk AI can be deployed if it meets all these requirements. Prohibited AI cannot be deployed at all.

Q4: How does the EU AI Act compare to the US and UK approaches?

The EU takes a comprehensive, legally binding, horizontal approach: one law covering all AI sectors, with enforceable obligations and substantial fines.

The US approach (under the Biden administration) was executive-order-based, requiring reporting from frontier model developers and directing agencies to develop guidance, but not enacting binding legislation. The Trump administration replaced this with a lighter-touch, competitiveness-focused approach.

The UK explicitly chose not to copy the EU model, instead applying existing regulations sector-by-sector (FCA for financial services, MHRA for medical devices) and relying on high-level principles rather than prescriptive rules. The UK is significantly more permissive than the EU.

China has enacted specific AI regulations covering algorithmic recommendations, deepfakes, and generative AI, with content requirements reflecting government values and mandatory security assessments for large-scale services.

Q5: What practical engineering changes does the EU AI Act require?

For high-risk systems: technical documentation maintained version-controlled alongside code; bias testing with demographic disparate impact analysis as part of the evaluation pipeline; automatic logging of all interactions with sufficient detail for post-hoc auditability; human oversight mechanisms (human review, override capability); and conformity assessment before deployment.

For GPAI models: training data provenance tracking and license verification; mechanisms to honor text/data mining opt-outs; training data summary publication; and for systemic risk models, red teaming documentation and incident reporting infrastructure.

For all AI products with EU users: risk classification assessment, disclosure for chatbots, labeling for AI-generated content, and compliance with prohibited use prohibitions.

Summary

The EU AI Act is the dominant AI regulation globally and applies to anyone selling AI products to EU customers. Its key concepts:

Risk tiers: Prohibited, high-risk, limited risk, minimal risk - obligations scale with risk
GPAI provisions: Foundation models have specific obligations; above 10^25 FLOPs training compute, systemic risk obligations apply
High-risk requirements: Documentation, bias testing, logging, human oversight, conformity assessment
Limited risk: Transparency requirements (AI disclosure, deepfake labeling)

The global landscape: US is deregulatory (post-2025), UK is principles-based and sector-specific, China has enacted specific generative AI regulations.

For AI engineers: regulatory compliance is now a first-class engineering concern. Technical documentation, audit logging, bias testing, and human oversight mechanisms need to be built in from the start, not bolted on when regulators arrive.

:::tip 🎮 Interactive Playground

Visualize this concept: Try the Constitutional AI & Alignment demo on the EngineersOfAI Playground - no code required.

:::

The Legal Letter That Arrived on a Tuesday​

Historical Context​

The EU AI Act: Structure and Key Concepts​

Tier 1: Unacceptable Risk - Prohibited​

Tier 2: High Risk - Regulated​

Tier 3: Limited Risk - Transparency​

Tier 4: Minimal Risk - No Obligations​

GPAI: General Purpose AI Provisions​

What is a GPAI model?​

GPAI obligations (all providers)​

Systemic risk threshold​

Systemic risk obligations (higher-tier)​

Enforcement​

US Executive Order on AI Safety​

UK Approach: Pro-Innovation, Sector-Specific​

China AI Regulations​

Practical Implications for AI Engineers​

1. Technical documentation as a first-class artifact​

2. Bias testing as mandatory, not optional​

3. Logging and auditability​

4. Human oversight mechanisms​

5. Training data documentation​

Compliance Checklist for AI Engineers​

Common Mistakes​

Interview Q&A​

Summary​