Ask a bank, an insurer, or a hospital group why their AI project is stuck, and you tend to get the same answer with a shrug: "Legal hasn't signed off." The compliance team gets cast as the villain β the department that says no, the reason a promising demo never left the sandbox.
That framing is not just unfair. It is expensive. In the most heavily regulated industries we work with, the compliance function is the single fastest path to production. The companies that treat it as a partner ship AI. The ones that treat it as an obstacle are still polishing slides a year later.
Legal is not asking "is it safe?" It is asking "can you show me what it did?"
The instinct is to answer a compliance review with reassurance: the model is accurate, we tested it, trust us. That is the wrong currency. A general counsel, an auditor, and a regulator do not run on reassurance. They run on evidence.
The question underneath almost every compliance objection is not "is this safe?" It is "when this goes wrong β and it will, at least once β can you show me exactly what happened, which data was used, who was accountable, and what you did about it?" If the honest answer is a shrug, the project deserves to die. If the answer is a clean record, the objection evaporates.
The EU AI Act already wrote your requirements document
Most teams read the EU AI Act as a threat. Read it again as a specification. It sorts AI uses into risk tiers and attaches concrete obligations to the higher ones: risk management, data governance, record-keeping and logging, human oversight, transparency, and post-market monitoring.
Strip away the legal language and that is a remarkably good engineering checklist for any AI you would actually trust with customers β regulated or not. A credit-scoring assist or a claims-triage workflow lands in the high-risk tier and inherits real duties. An internal meeting summarizer barely registers. The Act is not telling you to slow down. It is telling you which controls to build so you can move fast without getting hurt.
The audit trail is not paperwork. It is the product.
Here is the shift that unblocks regulated AI: stop treating logging as something you add at the end for the auditors, and start treating it as the core of the system.
Every run should emit a complete record β which connectors were called, what data they returned, which model ran against which prompt, every guardrail decision (including the PII that got masked before it reached the model), who approved the output, when, and what they changed before approving. That record is not overhead. It is the artifact that lets a compliance officer say yes, that lets an auditor reconstruct any decision months later, and that turns "trust us" into "look for yourself."
Governance is a routing problem, not a gate
The mistake is imagining governance as a single wall that every output slams into. Real governance is routing. Different outputs carry different risk, so they should take different paths.
A β¬200 quote to a returning customer can auto-complete. A β¬2M facility to a new counterparty routes to a named human. Anything customer-facing gets reviewed; internal summaries do not. High-risk categories get stricter checks and slower paths; low-risk work flows freely. Encode the risk tiers the regulation already defines directly into the workflow, and human oversight stops being a bottleneck on everything and becomes a precise instrument applied exactly where it is warranted.
Bring compliance in during week one, not week twenty
The teams that stall build the whole thing, demo it, and then walk it to legal for a blessing. Predictably, legal finds a problem the architecture cannot accommodate, and the rework kills momentum.
Invert it. In the first week, sit compliance down and ask one question: what would you need to see to approve this going to a customer? Their answer is your architecture β the log fields, the approval points, the data-handling rules. Build to that from the start and the final review becomes a formality, because you built the evidence in from day one.
Governance was never the thing slowing enterprise AI down. The absence of an audit trail was. Build the trail, route by risk, and the department everyone feared becomes the reason you shipped first.
References
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (Artificial Intelligence Act), Official Journal of the European Union, 2024.
Want to see what an audit trail your compliance team would actually approve looks like? Book a 30-minute demo.
