Padme

Smart AI Compliance Across the UK, EU and US

Why the EU, the US and the UK have taken three very different approaches to AI – and what a sensible, proportionate compliance programme actually looks like for a smaller business that does not have a Fortune 500 budget.

Ori Das

Padme Law


I am asked some version of the same question every week. A founder, a Head of Operations, or a slightly anxious CFO, will sit down and say:

“We have started using AI for X. Are we doing anything wrong?”

The question is rarely accompanied by a six-figure compliance budget.

The honest answer is that AI compliance for a small or mid-sized business (“SME”) is no longer about whether you “do AI”. You almost certainly do. Generative tools sit inside your customer-service software, your recruitment platform, your accounting package, your marketing suite, even the Integrated Development Environment your developers open in the morning. The real question is whether you can demonstrate, if asked, what those tools do and how you control them.

That, in essence, is the whole of AI compliance. The trouble is that the EU, the US and the UK each ask the question slightly differently.

Brussels, Westminster, Washington — three jurisdictions, three temperaments

Unfortunately for technology companies, the EU, the US and the UK have each taken a different approach to regulating AI.

The European Union has gone furthest. The EU AI Act, in force since August 2024, sorts every AI system into one of four buckets:

  • outright banned;
  • high-risk and tightly regulated;
  • limited-risk with light transparency duties; or
  • low-risk and largely left alone.

The heavy lifting falls on the high-risk category. Parts of the regime are already biting: the bans, and the Article 4 AI-literacy duty, took effect in February 2025; rules for general-purpose AI models followed last August. The date most boardrooms had circled was 2 August 2026, when the bulk of the high-risk obligations were due. Earlier this month, however, Brussels blinked: the “Digital Omnibus” deal pushed those deadlines back to December 2027 for most systems, and August 2028 for AI embedded in regulated products. SME reliefs — lighter paperwork, sandbox access, lower fines — were kept and widened. A welcome pause; not a reprieve.

The United Kingdom has, so far, declined to legislate a comprehensive AI statute. The choice is deliberate: the 2023 Pro-Innovation White Paper argued that a prescriptive EU-style statute would freeze rules around fast-moving technology and dampen the UK’s appeal as a place to build AI. The same model, the Government observed, may summarise an article or dispense medical advice; the regulator best placed to police each is already in place. The Labour Government has signalled binding rules for frontier-AI providers, but confirmed in February 2025 that for everyone else “existing expert regulators are best placed”.

The White Paper set out five cross-sector principles:
  • safety,
  • transparency,
  • fairness,
  • accountability, and
  • contestability,

and left existing regulators to apply them. The Information Commissioner’s Office (“ICO”) is the regulator most SMEs will encounter. On 12 May 2026 its new statutory Code of Practice on AI and Automated Decision-Making came into force, explaining how the UK GDPR and the Data (Use and Access) Act apply to four battlegrounds: foundation models, solely automated decisions, explainability, and children’s data. The code is technically guidance, but courts and the ICO will treat it as the benchmark, and a business that cannot show alignment with it is exposed to GDPR-level fines. The UK rulebook is, for now, essentially the UK GDPR and sectoral regulation, dressed in AI clothing.

The United States is the messy one. With no federal AI statute, individual states have rushed to fill the vacuum: by the start of 2026, well over a hundred AI laws had been passed across some thirty-eight different states. Some are already affecting daily business.

  • Since 2023, New York City has required employers using automated hiring tools to commission bias audits and notify candidates; Illinois added AI to its Human Rights Act in January 2026.
  • California has new laws on training-data transparency, watermarking and patient-facing AI disclosures; Texas has its own Responsible AI Governance Act.
  • Colorado was meant to lead the pack but its AI Act has had a torrid launch — postponed to 30 June 2026, then put on ice by a federal court on 27 April 2026, after a free-speech challenge brought by xAI.
  • Washington is meanwhile pushing back, with a White House executive order on AI and parallel FTC work signalling a federal-preemption fight that will not resolve quickly.

For an SME selling across state lines, the practical assumption is simple: build to the strictest rule in the states where you have customers.

So what does a sensible programme actually look like?

Compliance for a smaller business is not about copying a multinational’s playbook. It is about doing a few things consistently well, and being able to evidence them. The seven steps below are what I run through with clients. None are exotic; all separate the businesses that sleep at night from those that do not.

Step 1: Build an honest AI inventory.

In one transaction I was counterparty to, the target e-commerce business was certain it “did not really use AI” — until diligence uncovered seven AI features inside its SaaS stack, from generative product descriptions and fraud scoring to a chatbot and a transcriber. Management was caught flat-footed. You cannot govern what you have not catalogued. A simple spreadsheet — tool, vendor, purpose, data in, decisions affected, users’ jurisdiction — is a respectable start. One further tip: appoint an owner to refresh it quarterly.

Step 2: Pick a “regulatory lane” for each use case.

Every regime turns on what a system is being used to do. A marketing copywriter rewriting blog posts is a different beast from an algorithm scoring loan applicants. I once worked with a fintech that had quietly slipped from “personalisation” into “creditworthiness assessment” because a product manager added new features without telling Legal.

The closest thing to a common organising principle is the EU AI Act’s four-tier risk pyramid — prohibited, high-risk, limited-risk and minimal-risk — and most other regimes line up behind it. I translate it into three lanes a business can actually work with:

  • Low-touch productivity — the email assistant, the meeting transcriber, the coding assistant. The AI Act’s minimal-risk tier. Needs an internal use policy, basic data hygiene (do not paste your client list into a public chatbot), and the AI-literacy training Article 4 now requires.
  • Customer-facing transparency — your chatbot, your AI-generated marketing, your recommendation engine. The limited-risk tier, triggering Article 50: tell the user, clearly, that they are interacting with — or being shown content produced by — AI. California’s SB 942 and AB 489 demand the same.
  • High-risk decisioning — anything materially affecting livelihood, finances, healthcare, education or employment. The high-risk tier (Article 6, Annex III): impact assessments, bias testing, human review of adverse decisions, vendor due diligence, a regulator-ready paper trail. The same activity is captured by Article 22 UK GDPR, the Colorado AI Act, NYC Local Law 144 and the Illinois HRA amendments.

Classify by use, not by tool — the same product can sit in different lanes. Once each use is in its lane, the size and shape of the compliance response — light, moderate or heavy — becomes much clearer.

Step 3: Keep a human in the loop where it matters.

A recruitment platform I advised was shortlisting candidates at scale. We built in a structured human review before any rejection, recorded the reviewer and time-stamped the decision. That one choice took the platform out of the worst of NYC Local Law 144, lifted it out of the Article 22 UK GDPR prohibition on solely automated decision-making, and gave the founders something concrete to show enterprise procurement. “Human in the loop” is not a slogan; done properly, it is the most cost-effective compliance control I know.

Step 4: Right-size your impact assessments.

A Data Protection Impact Assessment (“DPIA”) under the UK GDPR, a Fundamental Rights Impact Assessment under the EU AI Act and an algorithmic impact assessment under the emerging US state laws all turn on the same handful of questions:
  • What does this system do, and what is it for?
  • Whose data does it process, and of what kind?
  • Who could be affected by its outputs, and how?
  • What could plausibly go wrong — discrimination, error, opacity, harm to a vulnerable group?
  • How serious and how likely are those risks in our actual deployment?
  • What controls keep the risks within tolerable limits — human oversight, bias testing, vendor diligence, a route for users to contest a decision?
  • How will we know if the system starts to drift, and who is responsible for catching it?

The ICO has been clear in its 2026 consultation that existing DPIAs too often lack the specificity required. Generic templates nobody reads will not protect you.

Step 5: Do diligence on the AI you buy.

For most SMEs the AI risk lives in the supply chain, not the source code. I insist on three things in vendor contracts: a written representation as to whether the system is “high-risk” under the EU AI Act, a flow-down of the deployer’s transparency obligations, and a right to receive bias-audit reports. A SaaS HR tool quietly retraining on your candidate data is a problem you did not bargain for.

Step 6: Train the team — Article 4 of the EU AI Act now requires it.

The AI-literacy duty catches anyone developing or deploying AI in the Union, SMEs included. A two-hour induction, refreshed annually, is enough for most teams. A marketing agency I worked with filmed its training in-house and recorded attendance; a BPO client kept a training log and issued completion certificates. That is what “evidence of literacy” looks like when a regulator asks.

Step 7: Govern lightly but consistently.

A short AI Use Policy, a register, a named owner (often the COO), a quarterly review and a clear incident-reporting line. Five pages of policy that is actually followed will beat fifty pages nobody has read — every time.

A final word

Being smaller is not, in itself, a compliance disadvantage. The risks AI creates for an SME are rarely disproportionate to its size. A common-sense approach to controllership, a handful of practical steps, and focused advice on the points that genuinely matter are usually enough to keep an SME on the right side of regulators in all three jurisdictions. You do not need a Fortune 500 programme. You need an inventory, a few good policies, a culture of asking before deploying, and the judgment to bring in expert help on the questions that warrant it.

General commentary only — not legal advice and no solicitor-client relationship is created. Written by Orijit Das, a solicitor of England and Wales (SRA No. 342008). Full regulatory information: padme.services/disclaimer


These cookies are essential to enable you to move around our websites and to allow the features of the sites to work correctly. Without these, services you request – such as navigating between pages – cannot be provided and you may experience some problems in using our website. These cookies cannot be switched off in our systems. However, you can manage your browser settings to block or alert you about these cookies. These cookies do not store any information that directly identifies you.