The AI Compliance Checklist Template for Product Launches

Complete before any model training or data collection begins.

• Regulatory landscape mapped. Identify all applicable regulations for your product’s geography and industry: EU AI Act risk classification, GDPR data processing requirements, CCPA consumer rights, sector-specific rules (HIPAA for health, ECOA for lending, EEOC for employment). Document which apply and why.
• AI risk classification completed. Under the EU AI Act, determine if your system is unacceptable risk, high risk, limited risk, or minimal risk. This classification determines your entire compliance obligation. Get legal sign-off on the classification.
• Data legal basis established. Document your legal basis for collecting and processing each category of data: consent, legitimate interest, contractual necessity, or legal obligation. If using personal data for training, verify consent covers this use.
• Data Processing Impact Assessment (DPIA) initiated. Required under GDPR for high-risk processing. Even if not legally required, a DPIA forces you to think through data risks before building. Start this now; it takes weeks, not days.
• Third-party AI vendor compliance verified. If using external models (OpenAI, Anthropic, Google), verify their data processing agreements, confirm where data is stored and processed, and ensure their terms allow your intended use case.

Verify continuously as you build. These are not one-time checks.

• Training data provenance documented. For every dataset used in training or fine-tuning, record: source, collection method, consent status, potential biases, and date range. This is your audit trail. If you cannot explain where your training data came from, you have a compliance gap.
• Bias testing conducted across protected classes. Run fairness evaluations across all applicable protected attributes: race, gender, age, disability, religion, national origin. Document results, thresholds, and any mitigations applied. This is not optional for high-risk systems.
• Model card or technical documentation drafted. Document model architecture, intended use, known limitations, performance metrics across subgroups, and training data characteristics. The EU AI Act requires this for high-risk systems. Best practice for all systems.
• Data minimization verified. Confirm you are collecting only the data necessary for the AI function. If you are collecting more than needed “in case it is useful later,” you are violating GDPR’s data minimization principle and creating unnecessary risk.
• Human oversight mechanisms built. For high-risk AI decisions, implement human-in-the-loop or human-on-the-loop controls. Document how a human can override, correct, or shut down the AI system. This is a hard requirement under the EU AI Act for high-risk systems.

Complete at least 2 weeks before your target launch date. These take time to remediate if issues are found.

• User-facing transparency implemented. Users must know when they are interacting with AI, what data is being used, and how to opt out. Verify that AI disclosure is prominent (not buried in terms of service), clear (not euphemistic), and accurate (describes what the AI actually does).
• User rights mechanisms functional. Verify that users can: access their data, request correction, request deletion, opt out of AI processing, and receive a human review of automated decisions. Test each pathway end-to-end. Broken rights mechanisms are compliance violations.
• Audit trail system validated. Confirm that all AI decisions are logged with: timestamp, input data (or reference), model version, output, and confidence score. Logs must be tamper-resistant and retained for the period required by applicable regulations.
• Legal review of all user-facing copy. Every piece of copy that describes what the AI does, how it uses data, or what users can expect must be reviewed by legal. This includes tooltips, help articles, marketing pages, and in-app disclosures.
• Incident response plan documented. Define what happens when the AI produces a harmful, biased, or incorrect output that affects users. Include: who is notified, how fast the response must happen, who decides whether to disable the feature, and how affected users are informed.

Ongoing obligations that continue for the life of the product.

• Continuous bias monitoring active. Production data distributions shift over time. Set up automated monitoring for performance disparities across protected groups. Define alert thresholds and response procedures. Review results at minimum quarterly.
• Model drift detection operational. Monitor for changes in model input distributions and output patterns. When drift is detected, trigger a review cycle that includes compliance re-evaluation. Model updates must go through the same compliance checks as the initial launch.
• User complaint tracking and resolution. Track complaints related to AI decisions separately from general product complaints. Analyze complaint patterns for compliance-relevant issues: bias, accuracy, transparency, and consent. Report trends to legal quarterly.
• Regulatory change monitoring. AI regulation is evolving rapidly. Assign someone (usually the PM) to monitor regulatory changes that affect your product. When new requirements emerge, assess impact and create a remediation timeline within 30 days.
• Annual compliance audit scheduled. Conduct a comprehensive review annually: re-run bias tests, verify all documentation is current, confirm user rights mechanisms still work, and update the risk classification if the product has changed. Document findings and remediation actions.