Module 4: AI Regulation · BoK IV.C
Deployers, importers and distributors
Deployer obligations are fewer than a provider's but broader, centred on transparency and monitoring (EU six-month minimum log retention; FRIA in the EU for public bodies). Importers and distributors share five duties: verify compliance, check filings, preserve integrity, supply documentation and report incidents.
Deployer obligations are fewer than provider duties but broader, centred on transparency and monitoring (EU Art. 26 territory).
- 📑 Assessment before first use → conduct a conformity or impact assessment where mandated (FRIA in the EU for public bodies or private entities providing public services; AIA in Colorado for consequential decisions).
- 🎯 Proper use → use the system only for its intended purpose and per provider instructions.
- 🙋 Adequate human oversight → qualified oversight able to interpret, intervene and override; staff training required.
- 📡 Monitoring & incidents → monitor performance in use; inform the provider and regulators promptly when risks or serious incidents arise.
- 🧾 Logs & documentation → retain system-generated logs and deployment records for audits → EU six-month minimum; maintain AIA/FRIA documentation.
- 🪟 Transparency to individuals → inform people when high-risk AI makes or substantially influences decisions about them; Colorado requires pre-decision notice for consequential decisions.
- 👷 Workplace transparency → inform workers before putting a high-risk AI system into service in the workplace (EU).
- ⚖️ Adverse decision rights → Colorado requires disclosures plus channels for explanation, correction and human review or appeal.
Registration cross-check
Public authorities (and EU institutions) must verify the high-risk system is registered in the EU database before use → if not registered, do not use it and inform the provider or distributor.
Importers and distributors share five common duties:
- Verify compliance before placing or making systems available.
- Check required filings and registrations (EU public database, CAC filings, SK designation confirmation).
- Preserve the integrity of the system - do not alter in ways affecting compliance, and recheck conformity if modified.
- Provide documentation to regulators on request (technical files, assessments, testing results).
- Report incidents or risks discovered in the supply chain.
| Importer specifics | Distributor specifics |
|---|---|
| EU → confirm the conformity assessment, EU database registration and correct CE marking; South Korea → the domestic representative serves this function; China → foreign GenAI developers partner with local entities and file with the CAC. | EU → verify conformity, preserve documentation, stop distribution if risks arise; Colorado → downstream parties use systems consistent with developer disclosures and retain AIAs; China → platforms ensure labelling and traceability of AI content. |
Key terms - quick answers
What is “Domestic representative / agent”?
Local appointee required of foreign AI operators above thresholds (South Korea, EU representative equivalents).
What is “CE marking”?
EU conformity mark importers must confirm on high-risk AI alongside the conformity assessment and database registration.