Module 4: AI Regulation · BoK IV.C
High-risk provider obligations
Providers carry the heaviest load because they build the system and put it on the market, so duties span the whole life cycle. Eight converging global themes run from governance and data documentation through logging, incident handling, assessment, registration, transparency and safety testing.
Providers build the system and put it on the market, so duties span the whole life cycle. Eight converging global themes:
- 🏛️ Governance & quality management → life cycle risk management and quality system covering design, testing, deployment, monitoring (EU Arts. 8–9, 17).
- 🗄️ Data governance & documentation → comprehensive documentation; demonstrate data is relevant, representative and monitored for bias (EU Arts. 10–11, 18; California AB 2013).
- 🧾 Logging & traceability → systems automatically log inputs, outputs, key decisions, human interventions; keep logs for audit (EU Arts. 12, 19; China traceability rules).
- 🚨 Corrective action & incidents → detect and correct malfunctions; notify regulators or users of serious incidents (EU Arts. 20, 73).
- ✅ Assessment & assurance → pre-deployment assessments (EU conformity assessment, Colorado AIA, China safety assessment) → update on substantial modification.
- 🗃️ Registration & disclosure → EU public database of high-risk systems; China CAC filings; South Korea domestic representative for foreign providers above thresholds.
- 🪟 Transparency & user information → clear instructions for safe use including limitations and human-oversight steps; label or watermark outputs where required.
- 🛡️ Safety, robustness & testing → regular testing for accuracy, robustness, resilience and cybersecurity (EU Art. 15).
Key terms - quick answers
What is “Model card”?
Documentation communicating a model's characteristics, usage conditions and limitations to downstream providers.
What is “California AB 2013”?
Law requiring GenAI training-data transparency (1 Jan 2026).