
Day 49

The regulatory landscape is live — EU AI Act enforcement has begun, US policy is shifting.

Context

AI regulation is no longer theoretical — enforcement has begun. The EU AI Act’s phased rollout is underway, US federal AI policy shifted significantly in early 2025, and sector-specific regulators are applying existing authority to AI systems. For PMs building AI products, regulatory compliance is now a product requirement, not a future concern.

EU AI Act enforcement timeline (CRITICAL). The EU AI Act uses a phased enforcement schedule:

  1. February 2025: Prohibited AI systems banned — social scoring, real-time biometric surveillance in public spaces (with limited exceptions), and manipulative AI practices. These prohibitions are now in effect.
  2. August 2025: General-Purpose AI (GPAI) provisions take effect. This directly affects Claude: GPAI providers must publish model documentation, comply with copyright rules, and provide safety evaluations for models with systemic risk. Anthropic has already committed to compliance through EU AI Office engagement.
  3. February 2026: High-risk AI system requirements become enforceable — AI used in employment, education, critical infrastructure, and law enforcement must meet strict requirements for risk management, data governance, transparency, and human oversight. PMs building products in these categories need compliance architecture now.

GPAI provisions now in effect for Claude. As of August 2025, Claude qualifies as a GPAI model, triggering specific obligations: (1) Technical documentation describing model capabilities and limitations. (2) Compliance with EU copyright law (transparency on training data sources). (3) For models with systemic risk (a category frontier models like Claude likely fall into): adversarial testing, incident monitoring and reporting, and cybersecurity protections. Anthropic’s formal commitments to the EU AI Office address these requirements. PMs should understand GPAI obligations because enterprises building on Claude will ask how these requirements flow through to their products.

US AI policy: significant shifts. The Biden administration’s Executive Order on AI (October 2023) established federal AI safety requirements including reporting obligations for frontier model developers. In January 2025, the incoming Trump administration partially rescinded this executive order, removing several reporting requirements and shifting focus from safety regulation to AI competitiveness. The practical impact: federal AI safety requirements are now less prescriptive, but sector-specific regulations remain in full force, and state-level AI legislation continues to advance. Note: California’s SB 1047 (frontier model safety bill) failed to become law, but other state bills have progressed, and California remains the most active state for AI legislation.

Sector-specific regulation. While horizontal AI regulation (EU AI Act) gets the most attention, sector-specific regulators are the most immediate enforcement risk:

  1. FDA — regulates AI/ML in medical devices and clinical decision support. Pre-market approval now accounts for AI-specific risks.
  2. FTC — actively enforcing against deceptive AI practices and algorithmic discrimination under existing consumer protection authority.
  3. CFPB — regulating AI in consumer lending, credit scoring, and financial services under existing fair lending laws.
  4. EEOC — guidance on AI in employment decisions, focusing on disparate impact from automated hiring tools.

For PMs, sector-specific regulation often matters more than the EU AI Act because enforcement is more immediate and penalties are more concrete.

AI liability landscape. The EU AI Liability Directive establishes liability rules for AI systems, making it easier for individuals harmed by AI to seek compensation. Key principle: if a high-risk AI system fails to meet EU AI Act requirements and causes harm, the burden of proof shifts to the AI provider/deployer to demonstrate the AI wasn’t at fault. For PMs, this changes the risk calculus: a safety failure in Europe isn’t just a reputational risk but a concrete financial liability. Build compliance into product design from day one.

Practical compliance for PMs. (1) Map your product’s risk category under the EU AI Act (prohibited, high-risk, limited-risk, minimal-risk). (2) Document your AI system’s purpose, capabilities, limitations, and human oversight mechanisms. (3) Implement logging sufficient for audit and incident reporting. (4) Build transparency features: users should know when they’re interacting with AI. (5) Establish an incident response plan for AI failures that trigger regulatory reporting requirements.

Tasks (4)

  1. Map your product’s regulatory exposure (25 min)
    For an AI product that automates resume screening for enterprise customers: map the regulatory exposure under EU AI Act (which risk category? what requirements apply?), US federal regulation (EEOC guidance on AI hiring, FTC fairness requirements), and state law. Identify the three highest-priority compliance requirements and their timelines. Save as /day-49/regulatory_exposure_map.md.
  2. Build an EU AI Act compliance checklist (25 min)
    Create a compliance checklist for a PM shipping an AI product in the EU. Sections: prohibited use screening, GPAI documentation requirements (if applicable), high-risk classification test, transparency obligations, human oversight requirements, incident reporting procedures, and data governance. For each item: what’s required, who owns it, and deadline per the phased timeline. Save as /day-49/eu_ai_act_checklist.md.
  3. Analyze the US policy shift impact (25 min)
    Write an analysis of how the partial rescission of the Biden AI Executive Order (January 2025) affects AI product strategy. Cover: what requirements were removed, what remains in force (sector-specific regulation), how this affects competitive positioning relative to EU-regulated competitors, and what state-level legislation PMs should monitor. Save as /day-49/us_policy_analysis.md.
  4. Create an AI liability risk assessment (25 min)
    For a healthcare AI product deployed in the EU: create a liability risk assessment under the AI Liability Directive. Cover: potential harm scenarios, who bears liability (provider vs deployer), how the burden-of-proof shift works, what documentation you need to demonstrate compliance, and insurance/indemnification considerations. Save as /day-49/liability_risk_assessment.md.

Interview question

How do you think about AI regulation when building an AI product?

Regulation is a product requirement, not a legal afterthought. I integrate it from day one.

EU AI Act is the most concrete framework. Enforcement has started with prohibited systems (February 2025) and GPAI provisions (August 2025). High-risk requirements become enforceable in February 2026. My first step for any product: classify it under the EU AI Act risk framework. If we’re in the high-risk category (employment, education, critical infrastructure), we need compliance architecture from the start — risk management system, data governance, transparency, human oversight, and audit logging. Retrofitting compliance is 5x more expensive than building it in.

GPAI provisions affect Claude directly. Claude qualifies as a GPAI model and falls under the systemic-risk provisions. Anthropic handles model-level compliance, but PMs building on Claude need to understand how GPAI obligations flow through. Documentation, safety evaluation transparency, and incident reporting requirements affect how we communicate with customers about our AI stack.

Sector-specific regulation is the immediate risk. The FDA, FTC, CFPB, and EEOC are enforcing AI requirements under existing authority — they don’t need new legislation. If our product touches healthcare (FDA), consumer lending (CFPB), or hiring (EEOC), sector regulation applies today. I map sector-specific exposure before EU AI Act exposure because enforcement is more immediate.

US policy is evolving. The Biden EO was partially rescinded in January 2025, reducing federal reporting requirements but not eliminating sector-specific enforcement. State legislation continues to advance. My approach: design for the strictest applicable regulation (typically EU) because regulatory requirements only tighten over time.

AI liability changes the risk calculus. The EU AI Liability Directive introduces a burden-of-proof shift — if our AI causes harm and we can’t demonstrate compliance, liability is presumed. That’s a concrete financial risk that needs to be factored into product decisions, not just legal review.

PM angle

The PM who treats regulation as a constraint to work around ships a legal liability. The PM who treats regulation as a product requirement builds a defensible market position. In regulated industries, compliance is a moat: enterprises will pay premium prices for AI products that solve their compliance problem rather than creating a new one.

Resources