AIRiskAware


Regulatory Strategy · 9 min read · 2026

AI Regulatory Investigation: How to Respond When a Regulator Comes Asking

Regulatory investigations into AI use are increasing. The OAIC, FCA, CFPB, and national DPAs are all active. When a regulator contacts you about your AI, the first 48 hours matter most. This is the response guide.


Key Takeaways

  • Regulatory investigations into AI have increased significantly in 2025-2026 — the OAIC, ICO, CNIL, FCA, CFPB, and national DPAs are all conducting both own-motion investigations and responding to complaints about AI use.

  • The first 48 hours of a regulatory inquiry determine the trajectory of the investigation — organisations that respond promptly, co-operatively, and with a genuine commitment to addressing concerns achieve significantly better outcomes than those that are defensive or unresponsive.

  • Preserve all documentation immediately upon receiving a regulatory inquiry — email, system logs, AI model documentation, governance records, incident reports. Document preservation is a legal obligation and the foundation of your response.

  • Engage external legal counsel with regulatory investigation experience as early as possible — AI regulatory investigations involve privilege considerations, document production decisions, and strategic engagement choices that require specialist expertise.

  • The regulatory investigations that end most favourably are those where the organisation demonstrates: genuine governance infrastructure (not assembled post-inquiry), proactive identification and remediation of issues, and substantive co-operation without waiving privilege on legal advice.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation."

How to respond to an AI regulatory investigation

Regulatory investigations into AI practices are increasing. Whether triggered by a complaint, a supervisory examination, a media report, or a regulator's own initiative, the first 48-72 hours shape the organisation's position for months or years. This guide covers what to do when a regulator comes calling about your AI.

Likely trigger points

Regulators open AI-related investigations in several ways:

  • A routine supervisory examination uncovers AI governance gaps (APRA, FCA, Fed, OCC).

  • An individual complains about an AI-driven decision (ICO, OAIC, CFPB, PDPC).

  • Media coverage of an AI incident or failure.

  • A self-reported incident or breach notification.

  • A market-wide thematic review (ASIC REP 798 was a thematic review of AI governance in Australian financial services).

  • A whistleblower disclosure.

  • A cross-regulator referral.

First 48-72 hours

Preserve evidence. Impose a litigation hold on all relevant documents, emails, logs, model outputs, and system configurations. AI systems create evidence that is often transient: model versions are superseded in the registry, training-data snapshots are overwritten, and decision logs age out under retention policies. Preserve the specific model version and configuration that was live at the time of the relevant events, not the current version, and suspend log rotation and scheduled deletion for the in-scope systems. Record what was preserved, when, and by whom, and hash the preserved artefacts so their integrity can be demonstrated later. Where the model is vendor-hosted, send the hold notice to the vendor as well, since the relevant version and logs may sit outside your environment.

Engage legal counsel. Instruct external legal counsel with AI regulatory experience. Legal privilege covers communications with legal counsel, not every internal document about the incident, so establish privilege properly before substantive internal discussions and route technical analyses commissioned in response to the inquiry (for example, a fresh bias test of the affected model) through counsel where you intend them to be privileged. Privilege rules differ by jurisdiction; counsel will advise on the local position.

Identify the scope. What specifically is the regulator investigating? Which AI systems, which decisions, which time period, which legal basis? The scope determines which team members, documents, and systems are relevant.

Assemble the response team. Legal, compliance, risk, technology (the AI/ML team), the business owner of the relevant AI system, and communications. Appoint a named coordinator for all regulator interactions; a single point of contact avoids conflicting communications.
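The preservation step above is concrete enough to script. The following is an added example, not code from the original article or from any tool it names: it builds a hash manifest of an in-scope artefact tree (model weights, configuration, decision logs) at the moment the hold is imposed, records the model version and hold metadata, and later re-verifies the tree so that any modification, deletion or addition after the hold is detectable. The directory layout, file names, the `matter_ref` and `custodian` fields, and the sample decision-log lines are all constructed for the example.

```python
"""Legal-hold manifest for AI system artefacts (added example, hypothetical layout).

Walks a directory of in-scope artefacts, records a SHA-256 digest and size for
every file plus the model version and hold metadata, and re-verifies the tree
later so that post-hold changes can be demonstrated rather than asserted.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large weight files never load whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, model_version: str, matter_ref: str, custodian: str) -> dict:
    """Inventory every file under root with its digest; paths are stored relative to root."""
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        files[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    manifest = {
        "matter_ref": matter_ref,        # hypothetical internal reference for the inquiry
        "custodian": custodian,          # who imposed the hold
        "model_version": model_version,  # the version live at the time of the events, not "latest"
        "preserved_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    # Digest of the manifest itself is what goes into the chain-of-custody record.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree against the manifest; an empty dict means nothing changed."""
    recorded = manifest["files"]
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    modified = [rel for rel, meta in recorded.items()
                if rel in present and sha256_file(present[rel]) != meta["sha256"]]
    missing = [rel for rel in recorded if rel not in present]
    added = sorted(rel for rel in present if rel not in recorded)
    return {k: v for k, v in (("modified", modified), ("missing", missing), ("added", added)) if v}


def make_sample_hold(root: Path) -> None:
    """Constructed sample artefacts standing in for a real model release directory."""
    (root / "model").mkdir(parents=True)
    (root / "logs").mkdir()
    (root / "model" / "weights.bin").write_bytes(os.urandom(4096))
    (root / "model" / "config.json").write_text('{"threshold": 0.62, "features": ["income", "tenure"]}')
    (root / "logs" / "decisions-2025-11.jsonl").write_text(
        '{"id": "req-1001", "score": 0.71, "outcome": "decline"}\n'
        '{"id": "req-1002", "score": 0.40, "outcome": "approve"}\n')


def run_demo() -> tuple:
    """Impose a hold on the sample tree, then simulate post-hold drift and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_hold(root)
        manifest = build_manifest(root, "credit-scorer v3.4.1", "REG-0001", "ml-platform-team")
        clean = verify_manifest(root, manifest)  # expected: {} right after the hold
        # Post-hold drift: a config tweak, a rotated-out log, and a new log file.
        (root / "model" / "config.json").write_text('{"threshold": 0.65, "features": ["income", "tenure"]}')
        (root / "logs" / "decisions-2025-11.jsonl").unlink()
        (root / "logs" / "decisions-2025-12.jsonl").write_text('{"id": "req-2001", "score": 0.55, "outcome": "approve"}\n')
        drifted = verify_manifest(root, manifest)
        return clean, drifted, manifest


if __name__ == "__main__":
    clean, drifted, manifest = run_demo()
    print("manifest digest:", manifest["manifest_sha256"])
    print("check at hold time:", clean)
    print("check after drift:", drifted)
```

Keep the manifest and its digest outside the preserved tree (for example in the matter file held by legal), otherwise the manifest would show up as an "added" file on re-verification. The same manifest is what you hand to counsel when the regulator asks which model version and which logs you preserved and when.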

What regulators typically request

  • AI system inventory and risk classification for the relevant system(s).

  • Model documentation: model cards, validation reports, bias testing results.

  • Decision logs and audit trails for affected individuals.

  • Data governance documentation: data sources, data quality, DPIA.

  • Governance framework: AI policy, committee minutes, board reporting.

  • Vendor documentation: contracts, due diligence, sub-processors.

  • Incident response: prior incidents, remediation actions.

  • Staff training records.

What helps your position

Having an AI inventory you can produce quickly. Being able to show governance operated before the investigation, not built in response to it. Documentation that demonstrates considered decision-making — rationale for risk classification, control design, monitoring approach. Evidence of board engagement and challenge. Vendor due diligence that includes AI-specific assessment. Prompt, complete, and accurate responses to regulator requests — regulators notice when organisations are responsive versus obstructive.

What hurts your position

No AI inventory — the regulator's first question is "what AI do you have?" and not being able to answer is immediately problematic. Governance documentation created after the investigation began. Inconsistencies between what you tell the regulator and what the evidence shows. Defensive or obstructive behaviour. Evidence of known problems that weren't addressed.

Primary sources: APRA · FCA · ICO
