AI Governance
& Compliance

Yes, in two situations. First, if your team uses AI tools (ChatGPT, Claude, Cursor, Copilot, Gemini) day to day, you need an Acceptable Use Policy that names which tools are approved and what data can be entered. Second, if your product uses AI to make decisions affecting users, you need a governance charter that documents oversight, risk classification, and escalation. Both are gates for enterprise procurement and investor diligence.

Yes, if your AI system is used by, or affects, people in the European Union. The EU AI Act has extraterritorial reach similar to GDPR and applies regardless of where your company is incorporated. U.S. SaaS and AI startups with even modest EU usage often fall within scope, especially when their tools generate output used inside the EU. Risk classification is the first step; obligations cascade from the risk tier.

An AI system that poses significant potential harm to health, safety, or fundamental rights. Examples named in the EU AI Act on EUR-Lex include AI used in critical infrastructure, employment screening, education, law enforcement, healthcare devices, and creditworthiness scoring. High-risk systems carry the heaviest compliance load: risk management, data governance, technical documentation, human oversight, and conformity assessment before going to market. Most consumer SaaS does not hit 'high-risk,' but many companies assume the answer until classified.

They serve three different audiences and three different surfaces. The Privacy Policy is your public-facing notice to users about data practices; that lives on our Terms of Service & Privacy Policy page. The DPA is the contract between you and a vendor or customer governing how personal data is processed; that lives on our Data Processing Agreements page. AI Governance covers the operational layer above both: how your company decides what AI to build, deploy, and let employees use, and the documentation that shows it.

Which AI tools your employees and contractors may use, what data they may enter, who owns the resulting output, and the consequences for breach. The policy also addresses confidentiality (do not paste client data into a public chatbot), security (only approved enterprise tiers), and disclosure (when AI use must be flagged in deliverables). The U.S. National Institute of Standards and Technology publishes the AI Risk Management Framework that informs current best practice on internal AI policy design.

It depends on the AI vendor's terms and current copyright law. The U.S. Copyright Office does not register works that lack meaningful human authorship, which means purely AI-generated output is typically not copyrightable. Many AI vendor agreements assign output ownership to the customer but reserve rights to use inputs for training, model improvement, or quality review. The AI Vendor Contract Playbook in the AI Governance Stack tier identifies the clauses that change which side actually keeps the value.

U.S. state AI laws now stack on top of federal and EU obligations, and each state imposes its own duties. The Colorado AI Act SB 24-205 targets consequential decisions; the Texas Responsible AI Governance Act covers state agency AI deployment with private-sector ripple effects; California has layered transparency duties on synthetic media generators and political deepfakes through bills like SB 942 and AB 2655. The Full AI Compliance Program tier produces a multi-state map showing which laws apply to your company's specific footprint.

Three risks compound quickly without a written policy. First, employees paste confidential client data, source code, or trade secrets into consumer-tier AI tools whose terms allow training on inputs. Second, AI-generated work product carries hallucination and infringement risk that flows to whoever signs the deliverable. Third, when a customer or regulator asks how your company controls AI use and you have nothing to show, the absence is the finding. The Federal Trade Commission has been clear that 'we govern AI' claims without supporting policy are themselves enforceable misrepresentations.

If your AI generates faces, voices, or likenesses, multiple regimes apply at once. California has layered disclosure and election-deepfake duties through bills like SB 942 and AB 2655 on the state's Legislative Information site. Federal scrutiny of non-consensual deepfakes has increased through the FTC and DOJ. The EU AI Act adds transparency obligations on generators of synthetic content. Brand-side defense (someone deepfaked your client) lives on our AI Brand Infringement & Deepfake Defense page; this page covers the build-side: the policies your platform needs before it ships.

Each tier is flat fee, billed at engagement. After the strategy call we send the engagement letter, you pay upfront, and the work begins. Delivery timing is set on the strategy call based on scope, urgency, and current capacity. Rush handling is available; we will tell you the cost before adding it.