Mechanism
Deployment or governance violates a current regulatory obligation or fails to anticipate a near-term emerging one. Examples: a specific Article of the EU AI Act, an ICO guidance requirement under UK GDPR, sectoral regulator AI expectations (FCA, OCC, FDA, professional conduct authorities), court rules on AI disclosure.
Evidence (what the Evidence Register holds)
Current AI-use-case-to-regulatory-regime mapping; audit trail per obligation; ISO/IEC 42001 management-system template artefacts; regulator engagement log.
Mitigation
Quarterly regulatory horizon scan; named owner for each major regime; ISO/IEC 42001 / NIST AI RMF / EU AI Act control crosswalks; consumption of Advanta Quarterly Radar as external sensing.
Editorial Framing
Regulatory non-compliance is the class boards ask about first. The mitigation is a structured horizon scan + a named owner per major regime + control crosswalks against the three reference frameworks (ISO/IEC 42001, NIST AI RMF, EU AI Act). Functions that try to track regulations ad hoc lose ground every quarter.
Indicative Examples
- EU AI Act Article 4 literacy gap
- ICO guidance not addressed in DPIA
- Sectoral regulator AI expectations missed
- Court rules on AI disclosure not absorbed