Companies Can Tackle AI Compliance by Using Multipart Framework

June 18, 2026, 8:30 AM UTC

The Bottom Line

  • Companies should tackle artificial intelligence compliance regulations and obligations by analyzing them through a four-dimensional, stable framework.
  • Jurisdiction and industry tell you which rules matter; the stakeholder roles explain why you carry certain obligations in the AI pipeline; and the risk categories clarify why the underlying problems are harmful and what kinds of controls they require.
  • The result is a program that absorbs new rules instead of breaking under them, and moving early shows regulators you’re acting responsibly.

Artificial intelligence regulation is multiplying faster than most compliance programs can track it. The pressing question isn’t which rules apply today or even how they apply, but whether an organization has a method for answering those questions efficiently and reliably as the rules continue to change. The organizations that stay ahead aren’t the ones reading every new statute; they are the ones analyzing it through the right dimensions.

A framework built around four dimensions can describe virtually every AI compliance obligation: the geography and industry in which a system is used, the stakeholder role the organization plays in the AI pipeline, and the risk category the obligation is designed to address. Understanding regulation through these lenses produces a stable, portable compliance framework that remains useful even as the specific rules continue to evolve.

Because most regulatory tracking is already organized by jurisdiction, we’ll focus on the remaining three dimensions and use California as the example. California’s regulatory framework is the nearest available preview of a mature, fully developed, multi-layered regulatory model.

AI Pipeline’s Stakeholders

Before any regulatory mapping is possible, an organization must identify where it sits in the AI pipeline. That position determines which regulations apply, which obligations follow, and which governance controls matter most. Four distinct stakeholder groups define the pipeline.

Input data owners supply the data used to train models, and aspects of that data flow through systems at runtime. Sitting upstream in the pipeline, their decisions about what is collected, licensed, and shared constrain everything that follows, including the compliance obligations of every downstream actor.

Model developers design and train the models, determining how the system learns and generalizes. These decisions are often invisible to the teams downstream in the pipeline but carry legal and operational consequences that travel with the models.

Model deployers integrate models into products and workflows, determining how capabilities are exposed and how users interact with the system in practice. Deployers frequently inherit risks they didn’t create.

End users provide inputs to deployed systems and receive outputs; they bear their own obligations tied to how they use the system. Their behavior shapes real-world system performance in ways that weren’t always apparent during development.

Each role maps to a distinct set of obligations. Organizations that take on multiple roles carry obligations associated with these roles simultaneously.

The Risk Map

Compliance obligations don’t just emerge from legislative preference; they also come from the risks AI systems create at each stage of the pipeline. Those risk categories must be complete enough to surface necessary obligations, granular enough to support concrete controls, and stable enough to anchor cross-jurisdictional comparison.

Seven categories meet that standard: bias, privacy intrusion, intellectual property infringement, opacity, inaccuracy, deception, and complacency. These risks can arise from different components and stages of the pipeline.

Inputs are where training data choices cascade downstream. Biased inputs produce biased models regardless of intent. Unlicensed data creates IP liability that travels. Privacy-intrusive data, which becomes more common as datasets get larger and less curated, is a growing regulatory exposure.

AI models that produce systematically different outcomes for similarly situated groups also create discrimination liability. Opacity—the inability to explain how a decision was reached within AI models—undermines accountability. Without a clear view of the underlying process, it becomes impossible to explain what went wrong, determine responsibility, or identify remedies.

Output failures, including hallucinations, synthetic media, and misrepresentation, are the most obvious, but they are symptoms of earlier-stage problems. Addressing output-layer risks without fixing root causes substitutes the appearance of accountability for the real thing.

System- and pipeline-level problems arise when issues accumulate and interact as work moves through the pipeline. Transitions between stages both create additional points of leakage and reduce visibility into where issues originated or how they evolved.

Through widespread use and at scale, any flaw in a single AI decision becomes systemic when replicated millions of times daily. Overreliance on AI, and the erosion of human scrutiny and accountability, turns small defects into cascading failures.

Framework in Action

The risk taxonomy and stakeholder-role structure described above apply across geographies; what changes is which specific laws map to which risk categories and how aggressively they are enforced.

Industry adds another variable; the sector in which an AI system is deployed typically determines which regulatory layer applies and shapes which risk categories carry the most weight. California illustrates how all three dimensions work together. Roughly 30 AI-related statutes and regulations, effective since 2025, span many industries, all four stakeholder roles, and every risk category in the taxonomy.

Each dimension—industry, targeted role, and risk category—shows something the other two can’t. Together, they can answer which rules apply to you, which risks they target, and how those risks are distributed across your organization’s roles and functions in the pipeline.

By industry: Cross-industry obligations are the largest segment, meaning that virtually every company using AI at any significant scale has compliance obligations. Healthcare is the largest industry-specific cluster, reflecting both the high stakes of clinical AI decisions and California’s historically robust health data regulation.

Technology, media and entertainment, and education follow healthcare, and four more sectors are subject to the law. The right compliance question isn’t “Are we covered?” but “Which specific obligations apply to our role in our sector?”

By stakeholder role: Model deployers carry the largest share of California’s AI obligations. The entity that puts AI into operational use is held primarily accountable for its effects, even when it didn’t build the underlying model and can’t fully control its behavior. Model developers are right behind, and the other two roles also carry distinct, enforceable duties.

By risk category: Deception and privacy intrusion receive the broadest regulatory attention, reflecting California’s consumer protection heritage and public concern around synthetic media and AI-generated misinformation. But all seven risk categories receive explicit legislative attention, making California one of the few regulatory models that addresses the full spectrum of AI risk, not just the most visible failure modes.

Four California statutes illustrate how the method’s dimensions interact because each can touch multiple roles and risk categories while cutting across industry lines.

SB 361 (Defending Californians’ Data Act), effective Jan. 1, 2026, requires data brokers to disclose in their annual California Privacy Protection Agency registration whether they sold or shared consumer personal information with generative AI developers in the prior year.

The legislation targets input data owners, placing a disclosure obligation at the point where consumer data enters the AI training stage. It mainly addresses privacy intrusion by making the nature of that data flow visible to regulators and the public. Its coverage spans industries and is particularly relevant for data aggregators and anyone who compiles or licenses consumer datasets.

AB 2013 (GenAI Training Data Transparency Act), effective Jan. 1, 2026, requires generative AI developers to publish high-level summaries of their training datasets, including data sources, data types, and whether personal or copyrighted data was used.

The legislation targets model developers, at the upstream end of the pipeline. The disclosure requirement addresses IP infringement, privacy intrusion, and opacity by forcing developers to disclose relevant details of the training sets to regulators, deployers, and the public. Its application, while wide-ranging industry-wise, is particularly relevant for any developer using web-scraped or licensed data.

SB 1120 (Physicians Make Decisions Act), effective Jan. 1, 2025, regulates the use of AI by healthcare service plans and disability insurers in utilization review and management. The legislation targets model deployers in the healthcare sector.

It addresses inaccuracy by requiring AI-based determinations to be grounded in each patient’s individual clinical history and circumstances rather than group datasets, a direct response to AI systems denying care based on statistical patterns. The law addresses bias by requiring AI tools to be applied fairly and equitably and not discriminate in violation of state or federal law.

AB 2876 (AI and Media Literacy in Schools Act), signed into law in October 2024, requires California’s Instructional Quality Commission to consider incorporating AI and media literacy into K-12 curriculum frameworks at its next curriculum revision.

The legislation targets end users, specifically students and teachers in the education sector. The law responds directly to students already overrelying on AI without understanding its limitations, and it aids transparency by teaching how AI actually works. The law also addresses deception by training students to critically evaluate information sources, including AI-generated content.

These four statutes show that the same compliance dimensions surface across contexts and regulatory approaches. The method isn’t derived from the law; it is the lens through which the regulation can be systematically understood.

Compliance Program

A compliance program anchored to this framework adds a necessary structural foundation and delivers three concrete capabilities that conventional approaches can’t replicate.

Role-based obligation mapping. Every applicable obligation is assigned to the specific role (developer, deployer, data owner, or end user) that bears it. This prevents the failure mode of treating compliance as an undifferentiated legal department responsibility rather than a set of cross-functional, role-specific requirements with distinct owners and controls.

Full risk-taxonomy coverage. Deception, privacy, and IP infringement receive attention because they generate litigation. Opacity, bias, and complacency are routinely underinvested in, until an enforcement action or discovery request makes them expensive. Inaccuracy is particularly insidious because it can go undetected until significant harm has occurred. A compliance program built against all seven risk categories prevents that asymmetry before it becomes a liability.

Portability across jurisdictions and over time. The risk taxonomy and stakeholder-role structure are stable across geographies and industries. When a new statute or rule arrives from a state or federal legislative, executive, or even judicial branch, the right questions are already built in: Which risk categories does it address, which roles does it target, and which industries does it affect? A compliance program organized around those dimensions absorbs the new obligation without starting over.

This portability is also why acting now, rather than waiting for a settled federal framework, is the correct compliance strategy. Organizations building programs against these dimensions demonstrate to regulators that they understand the technology, have assessed its risks, and are acting in good faith. That demonstration has concrete value in enforcement decisions, regulatory relationships, and litigation defense.

This article does not necessarily reflect the opinion of Bloomberg Industry Group Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Agatha H. Liu is a partner in Duane Morris’ AI strategy practice. She is a certified AI governance professional.