Access Legal & IG Quarterly Update – Q2 2025

Adam Koonce, ACP, Manager, Legal Research

The Current State of Artificial Intelligence Regulation

For this quarter’s legal and information governance update, I’d like to take a slightly different path, one inspired by the many conversations I’ve been having with colleagues who are grappling with the rapid rise of artificial intelligence and what it means for records management.

In countless exchanges with long-time records managers, I’m hearing over and over that they’ve “… barely gotten a handle on cloud compliance, now how are we supposed to manage AI?” This is a question that I’ll attempt to answer in this update.

AI may be a source of anxiety for many who manage records and information, but it doesn’t have to be. By exploring the current legislation through the lens of records management requirements and regulatory philosophies, I hope to provide clarity and reassurance, helping you feel more confident and prepared in the face of this evolving landscape.

Throughout the update, we’ve included links to relevant legislation and documents where applicable.

European Union

The European Union is one of the most talked-about leaders in artificial intelligence regulation after passing the EU AI Act (2024/1689) in May 2024, the first comprehensive AI legislation in the world. The Act introduced a risk-based framework identifying specific areas of EU society where AI has a high risk of impacting the health, safety, or fundamental rights of EU citizens. The areas specifically identified by the Act include biometric identification and categorization, education, critical infrastructure management, employment, worker management, access to essential services, policing, migration, and the administration of justice. The EU AI Act can expand the areas of protection by amending the Annex without the need to change the regulations, thus giving the EU the opportunity to quickly update the legislation to guard against AI’s use in other spaces.

Depending on how an organization participates in the lifecycle of an AI product, the records being managed might include documentation concerning:

(1) the quality management system,

(2) approved changes to the learning model,

(3) technical documentation,

(4) the EU declaration of conformity, and

(5) automatically generated logs from the AI.

Most of the records requirements fall into a 10-year requirement bucket, but the log data being gathered from the AI is only required to be kept for 6 months. Log data includes situations that may result in the AI system presenting a risk or data generated during the post-market monitoring of AI behaviors either by the developer or the deployer.

The EU AI Act requires keeping not only the usual records found in consumer protection laws, but also data related to how AI is developed, trained, supported, and used. The type of data you need to keep depends on what the AI is trained to do. For example, AI used in low-risk areas like product recommendations, customer service chatbots, or marketing personalization faces fewer rules. But when AI is used to make decisions about people, such as in hiring, performance evaluations, or promotions, the rules are much stricter, and detailed data logs must be kept.

The EU is matching pace with China, its only real competition in legislating AI, and now has plans and schedules for expanding the EU framework to be implemented in each country of the European Union. The EU is on its third draft of the Code of Practice for general-purpose AI (GPAI) model providers, and the non-legally binding code is expected to be available by August of 2025, offering a path to confident compliance with the EU AI Act before binding standards take effect in 2027. The European Union’s effort to create a framework for responsible AI governance that includes protecting citizens has the benefit of encouraging trust in the market for and use of AI, and solidifies the EU formula as the model against which all other global AI legislation will be measured.

United States

The United States is considered one of the most heavily regulated nations in the world because of the complex and fragmented regulatory environment of the federalist system. In the absence of a federally mandated solution, privacy laws passed by the states produce complicated applicability questions around how each regulation is to be applied depending on where the organization is located. The regulatory complexity is made more complicated by the nonuniform business revenue thresholds being applied in each state. The 20 laws on the consumer and data privacy landscape appear like reflections in a fun house of mirrors—they are so similar but obviously different.

To date, the regulatory complexity around consumer and data privacy has not materialized in the United States as it applies to artificial intelligence legislation. The pursuit of AI legislation both in the federal and state systems has been active since 2020 but has had limited follow-through and success, and even less impact on the regulatory landscape for records management. Colorado is the first and only state with comprehensive AI legislation (COLO. REV. STAT. §§ 6-1-1701 — 6-1-1707), and its provisions mirror many elements of the EU AI Act. The Colorado provisions for records management around AI are limited to a 3-year requirement to retain impact assessments related to high-risk AI capable of making consequential decisions. Those consequential decisions similarly target areas of society where Colorado residents could be adversely impacted, and include education enrollment, employment, financial or lending opportunities, essential government services, healthcare, housing, insurance, and legal services.

At the start of this year, I anticipated a slow and steady rollout of comprehensive AI regulation across the United States. I expected state-level legislation to continue following a cautious, methodical approach, integrating AI language into existing frameworks through amendments, while gradually introducing training, tools, and curricula into government and education. Encouraging signs like bipartisan support for a federal bill aimed at banning the use of AI in the creation and distribution of deepfake pornographic content suggested real momentum was building.

However, recent developments have shifted the landscape. A surprising provision in the latest federal budget bill, SEC. 43201 (c)(1), proposes a 10-year ban on state-level AI regulation. While it is clear the current administration is not prioritizing new federal AI legislation, the idea of restricting state innovation in this space feels like a step backward. If passed, this provision would effectively freeze meaningful regulatory progress, leaving Colorado as the only state with substantial protections for its residents against high-risk AI applications.

That said, even in the face of legislative uncertainty, there are silver linings. From a records management perspective, this regulatory pause could simplify compliance in the short term. With fewer changes to track and adapt to, organizations can focus on building solid foundations for handling AI-generated data.

More importantly, this moment is a reminder that proactive, principled governance does not have to wait on legislation. It remains best practice, now and moving forward, to treat records and data generated or processed by AI with the same care and compliance standards as any other business information. Most of the laws already in place treat AI as just another operational tool, and in cases where tasks transition from human-led to AI-assisted, the same rules for records management still apply.

China

China’s approach to AI regulation is much less centralized for those of us pursuing an understanding of the records management impact, and records professionals are forced to evaluate several pieces of legislation to gain a complete picture of how different activities involving AI might be regulated. In the measures and provisions that follow, there are clear distinctions about what kind of data-driven activity each regulation is meant to apply to, but they all seem to have the same general records management requirements, regardless of the type of data service the document is designed to regulate. Each of the provisions will be subject to requirements from the Personal Information Protection Law (PIPL).

Each measure below lacks a definitive retention period in the text. However, based on some legal analysis of overlapping areas of law, the logs (which might include prompts, responses, timestamps, etc.) and the records regarding illegal behaviors are required to be retained for a period sufficient to support audits, investigations, and content traceability. In practice, a retention window of 3 to 6 months is in alignment with data retention guidelines from the Cybersecurity Law and Data Security Law.

Interim Measures for the Administration of Generative Artificial Intelligence Services

Requires records to be preserved in the event an AI provider discovers illegal content, but it does not set any standard on how long to keep those records.

Provisions on the Administration of Algorithm Recommendations for Internet Information Services

Algorithm recommendation service providers must retain network logs and preserve records in the event an AI provider discovers illegal content.

Provisions on the Management of Deep Synthesis of Internet Information Services

Deep synthesis service providers retain network logs and preserve relevant records regarding illegal behavior on the system.

These are a sampling of the many regulations China has implemented to address the growing opportunity of artificial intelligence. China is approaching the conclusion of a long process of constructing a deep regulatory support system to ensure they can respond to many eventualities in the development of AI. That principle is highlighted by China’s goal to have produced 50 national and industrial AI standards by 2026.

Global Developments

Several countries are responding to the rise of AI by working on new laws or sharing guidance to help developers, users, and businesses prepare for upcoming regulations. You can expect these informative and voluntary materials to lay out the framework for future regulation in each country, but do not expect these materials to formalize a records management approach. This is especially true for the private sector, where new recommendations are likely to redirect to other pieces of legislation about cyber security and privacy. Until legislation specific to artificial intelligence is officially passed, the records management landscape will defer to existing regulations. Again, it’s a good principled approach, both now and in the future, to treat any records or data generated or processed by AI as though they were generated or processed in the normal course of business.
