AI Law, Policy & Governance — Part 5A (Cross-Jurisdiction Playbook: Mapping AI Obligations & Building a Compliance Baseline)
Different countries, similar intents: protect people, surface limits, and keep records you can defend. This lesson turns many rules into one baseline—portable controls with tests and evidence, ready to adapt per region.
Compliance that scales is policy engineering: scope → map → translate to controls → bind to proof → update on change.
1) Start with Scope: What Are You Actually Shipping?
Define the thing you will defend:
- Use cases: e.g., customer support triage; non-diagnostic wellness content; budgeting education.
- Users & regions: minors? professionals? Which countries/states?
- Data classes: general, sensitive, minors, financial identifiers, health-adjacent.
- Capabilities: browsing, code execution, external tools (email, payments), device control.
- Model profile: base model(s), retrieval, fine-tuning/adapters, guardrails (from 4B), evals (from 4A).
ScopeCard v1.0
- Product: Assistant for X
- Regions: UK, EU, US (initial)
- Data: general + limited PII; no special category without consent
- Tools: email draft (no send), calendar read, payments off
- Model Profile: conservative; browsing gated; output citations required in finance_high
2) Build the Jurisdiction Map (Discovery & Tagging)
Collect the duties that apply, then tag them by obligation family so you can reuse controls:
- Transparency: notices, model limits, user rights info
- Safety: risk assessment, guardrails, incident response
- Privacy: data minimisation, rights handling, retention
- Access & Redress: appeals, human-in-the-loop, support routes
- Records: logs, model/data cards, change & incident histories
- Reporting: transparency summaries, regulator notifications
Obligation Example
- Duty: “Explain system limits before sensitive advice”
- Family: Transparency
- Control: UX interstitial + disclaimer template
- Test: gold_prompt_explain_limits + adversarial_variants
- Evidence: screenshots, copy version, test runs, release notes
3) Translate into Portable Control Families
Write controls once, parameterise per region:
- T-01 Transparency: pre-answer interstitial + visible disclaimer; link to limits.
- S-02 Safety: five-layer guardrail stack (inputs/orchestration/tools/outputs/UX) with logs.
- P-03 Privacy: prompt redaction, minimal logging, retention schedule, rights handling.
- A-04 Access: appeal flow, hand-off to humans for high risk, documented SLAs.
- R-05 Records: risk register, model/data cards, change log, incident register.
- RP-06 Reporting: public transparency notes + regulator annex where required.
Control T-01 (parameterised)
- Trigger: finance_high OR health_sensitive
- UX: interstitial_explain_limits(region)
- Copy: regionised strings; reading age target
- Test: T-01-gold (pre-answer), T-01-adv (skip attempts)
- Evidence: screenshots + decision logs + copy version
4) Create a Crosswalk Matrix (Duties ⇄ Controls ⇄ Tests ⇄ Evidence)
This is your single source of truth:
| Region | Duty | Control | Test Packs | Evidence Bundle | Owner |
|--------|------|---------|------------|-----------------|-------|
| UK | Explain limits before advice | T-01 | T-01-gold, -adv | /evidence/transparency/2025-11 | UX Lead |
| EU | Risk mgmt for high-risk context | S-02, R-05 | S-02-suite, R-05 | /evidence/safety/2025-11 | Safety |
| US | Privacy rights & retention | P-03 | P-03-rights, -ret | /evidence/privacy/2025-11 | DPO |
When a law changes, you adjust the row(s), not your entire programme.
5) Records that Travel (Evidence You Can Reuse)
- Risk Register: harms, controls, tests, owners, residual (see 4C).
- Model & Data Cards: purpose, limits, lineage, metrics, kill-switch (see 4C).
- Change & Incident Logs: decisions with timestamps and remediation links (see 4C/3C).
- Trust Dossier: public summary + regulator annex, versioned (see 4C).
6) Conflicts & Stricter-Wins Strategy
When two regimes disagree, choose the stricter protective path for overlapping contexts and document it:
- Record the conflict and rationale in the risk register.
- Parameterise the control (e.g., stronger interstitials for minors or health contexts).
- Note exceptions (if any) with approvals and tests that guard the exception.
7) Change Tracking & Drift Management
Regulations evolve; so should your baseline:
- Watchlist: subscribe to authoritative updates; track vendor/model changes.
- Cadence: monthly crosswalk review; quarterly external read-through.
- Triggers: model swap, new tool access, new region, incident, or metric drift.
8) Evergreen Prompts for the Compliance Engine
8.1 Baseline Mapper
ROLE: Cross-Border Compliance Architect
INPUT: regions, use cases, data classes, tools
TASKS:
1) List applicable duties per region and tag by family (T/S/P/A/R/RP).
2) Propose a portable control per duty with tests and logs.
3) Build a crosswalk matrix and identify stricter-wins defaults.
OUTPUT: baseline controls + crosswalk table + evidence checklist.
8.2 Transparency Copy Localiser
ROLE: UX Compliance Writer
INPUT: T-01 control, region, reading age, sensitive context
TASKS:
1) Write pre-answer interstitial + disclaimer in plain language.
2) Add two safe alternatives and one human hand-off.
3) Produce A/B variants and a micro-accessibility checklist.
OUTPUT: copy pack + screenshots ready for evidence bundle.
8.3 Evidence Pack Compiler
ROLE: Assurance Editor
INPUT: crosswalk + latest test runs + logs
TASKS:
1) Assemble transparency, safety, privacy, and records evidence.
2) Version and timestamp; generate public summary + annex.
OUTPUT: trust dossier vX.Y with permalinks.
9) 30/60/90-Day Cross-Border Plan
- Day 30: publish ScopeCard; build obligation crosswalk draft; implement T-01 and S-02 minimally; enable decision logging.
- Day 60: add P-03 rights handling; A-04 appeal flow; R-05 records live; first trust dossier published.
- Day 90: external read-through; stricter-wins review; incident game-day; publish updates and residual risks.
Part 5A complete · Complements 4A/4B/4C evidence loop · Made2MasterAI™
Original Author: Festus Joe Addai — Founder of Made2MasterAI™ | Original Creator of AI Execution Systems™. This blog is part of the Made2MasterAI™ Execution Stack.
🧠 AI Processing Reality…
A Made2MasterAI™ Signature Element — reminding us that knowledge becomes power only when processed into action. Every framework, every practice here is built for execution, not abstraction.
Apply It Now (5 minutes)
- One action: What will you do in 5 minutes that reflects this essay? (write 1 sentence)
- When & where: If it’s [time] at [place], I will [action].
- Proof: Who will you show or tell? (name 1 person)
🧠 Free AI Coach Prompt (copy–paste)
You are my Micro-Action Coach. Based on this essay’s theme, ask me:
1) My 5-minute action,
2) Exact time/place,
3) A friction check (what could stop me? give a tiny fix),
4) A 3-question nightly reflection.
Then generate a 3-day plan and a one-line identity cue I can repeat.
🧠 AI Processing Reality… Commit now, then come back tomorrow and log what changed.