The Spreadsheet That Decides Whether AI Regulation Can Actually Protect You


This episode is based on our article: The Spreadsheet That Decides Whether AI Regulation Can Actually Protect You

Full Episode Transcript


Right now, somewhere inside your company, there's probably an A.I. system no one on the legal team even knows exists. It might be buried inside your H.R. software, screening resumes. It might be tucked into your building's security camera, scanning faces at the door. And under the European Union's new A.I. law, that invisible system could trigger compliance obligations that nobody's preparing for — because nobody wrote down what it actually does.



This matters whether you run a company or just walk into one. If your face gets scanned at a mall entrance, at an office lobby, at a stadium gate — the protections you're supposed to have depend entirely on whether someone, somewhere, filled out the right paperwork about that system. And if that feels unsettling, it should. But understanding how this process works is exactly how you stop feeling powerless about it. Today I want to pull back the curtain on the unglamorous machinery that actually decides whether A.I. regulation can protect you. It's not the algorithm. It's not the ban list. It's a spreadsheet. So what's actually in that spreadsheet, and why does everything depend on it?

When most people hear about the E.U. A.I. Act, they picture a simple checklist. Banned uses at the top. High-risk systems in the middle. Low-risk at the bottom. You look up your A.I. tool, find its category, and follow the rules. That's how headlines make it sound, and honestly, that's a reasonable assumption. Regulatory summaries lead with the dramatic stuff — no untargeted facial scraping, no workplace emotion detection. But those prohibitions are just the visible tip. The real regulatory machine runs underneath, and it starts with three deeply unglamorous questions. What A.I. systems do we actually have? Who's responsible for each one? And does each one qualify as high-risk?

That first question — what do we actually have — is where most organizations stumble. According to the article in Information Age, most companies discover their A.I. footprint is far larger and more scattered than anyone expected. A.I. features are hiding inside customer relationship platforms, analytics dashboards, procurement tools, security products. The legal team might know about the chatbot on the website. But they almost never know about the A.I. quietly scoring job applicants inside the H.R. platform, or the algorithm flagging unusual behavior in the security feed. That gap between what a company thinks it's running and what it's actually running — that's the single biggest compliance blind spot in A.I. regulation today.



What does a proper inventory actually look like

So what does a proper inventory actually look like? A weak one just lists product names. Chatbot. Analytics tool. Resume screener. A minimum viable inventory — the kind the regulation actually demands — documents at least twelve distinct facts about every single system. Who's the business owner. Who's the technical owner. What vendor built it. What's its intended purpose. Who uses it. What kind of data goes in. How the output gets used. Where a human reviews the decision. What risk category it likely falls into. What transparency notices users need to see. Who owns the evidence trail. And what happens when something goes wrong. Twelve facts, per system, and every compliance obligation downstream traces back to whether those facts are accurate.

Now, why does this matter for something like facial recognition — the kind of technology that might scan your face at a building entrance or a shopping mall? Under the E.U. A.I. Act's Annex Three, biometric identification and categorization systems are classified as high-risk. Those high-risk obligations kick in starting 2 August 2026. But the Act draws a sharp line between two uses of the same technology. Verification is one-to-one matching. Your face compared against your own stored template to unlock a door. Identification is one-to-many matching. Your face compared against a database of thousands to figure out who you are. Identification faces much stricter requirements. And the algorithm in both cases could be identical. Same code. Same neural network. Same accuracy rate. The difference isn't the technology — it's the documented role. How someone wrote down what the system is for.

A facial comparison system controlling access to a single office building might not qualify as high-risk if it only performs verification. Deploy that exact same system in a shopping mall to identify individuals from a watchlist, and it clearly falls into the high-risk category. Same hardware. Same software. Completely different legal obligations. And which category applies? That depends on whether someone documented the system's purpose, its data inputs, its decision outputs, and its human oversight points — all twelve of those inventory facts. Skip the inventory, and you can't classify. Misclassify, and you end up with weaker safeguards than the law actually requires. For anyone who's ever had their face scanned walking into a building, that means your protections hinge on paperwork you'll never see.


The Bottom Line

There's a useful way to picture this. Imagine a city that's never been mapped. Regulators know there are buildings everywhere, but nobody's walked the streets to list every structure — what it's for, who owns it, what's connected to it. Without that map, zoning enforcement is impossible. You might accidentally classify a house as an industrial site, which means it gets inspected under the wrong standard. The E.U. A.I. Act is the zoning code. The inventory is the deed. Without the deed, compliance is guesswork.

The regulation's most powerful enforcement tool isn't the A.I. itself. It's the documentation that describes what the A.I. does. Miss that documentation, and you miss the compliance — not because the law failed, but because nobody mapped the building.

So — three things to remember. One: before any A.I. system gets regulated, someone has to write down exactly what it does, who owns it, and what decisions it affects. Two: most organizations have far more A.I. running than anyone on the legal team realizes. Three: the same facial recognition technology can land in completely different legal categories depending on how it's used — and that difference only exists if someone documented it. Whether your face is being scanned at work or at the grocery store, your protection comes down to whether someone, somewhere, filled out the right spreadsheet. The full story's in the description if you want the deep dive.
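As an added illustration (not code from the original page, and not CaraComp's own tooling), here is the episode's inventory idea turned into a small check: the twelve documented facts become required fields, and the verification-versus-identification distinction becomes a provisional label derived only from what someone wrote down. The field names, the sample records, the vendor names and the decision rule are assumptions chosen to mirror the transcript; they are not a regulatory schema, and a real classification still needs legal review.

```python
"""Inventory completeness check and provisional labelling for face-matching
systems. Illustrative only: field names, labels and the decision rule are
assumptions made for this example, not an EU AI Act schema."""
from __future__ import annotations

# The twelve facts the episode lists for a minimum viable inventory.
# The field names themselves are our assumption.
REQUIRED_FIELDS = (
    "business_owner", "technical_owner", "vendor", "intended_purpose",
    "users", "data_inputs", "output_use", "human_review_point",
    "risk_category_estimate", "transparency_notices", "evidence_owner",
    "incident_process",
)


def missing_fields(record: dict) -> list[str]:
    """Return the required inventory fields that are absent or blank."""
    return [f for f in REQUIRED_FIELDS if not str(record.get(f, "")).strip()]


def classify_biometric(record: dict) -> str:
    """Derive a provisional label from the documented role only.

    'incomplete'        - inventory not filled in; refuse to classify
    'high_risk_likely'  - documented as one-to-many identification
    'verification_only' - documented as one-to-one verification (the episode
                          says this might not qualify as high-risk; still review)
    'review_required'   - role never written down; treat as high-risk until it is
    The labels and the rule are illustrative assumptions.
    """
    if missing_fields(record):
        return "incomplete"
    mode = str(record.get("matching_mode", "")).strip().lower()
    if mode in ("one-to-many", "identification"):
        return "high_risk_likely"
    if mode in ("one-to-one", "verification"):
        return "verification_only"
    return "review_required"


def inventory_report(records: list[dict]) -> dict[str, str]:
    """Map each system name to its provisional label."""
    return {r.get("name", "<unnamed>"): classify_biometric(r) for r in records}


# Constructed sample records (hypothetical vendors): the same product deployed
# as a door unlock, as a watchlist camera, with its role left blank, and one
# feature nobody on the legal team documented at all.
_BASE = {
    "business_owner": "Facilities lead",
    "technical_owner": "Physical security engineer",
    "vendor": "ExampleVision (hypothetical)",
    "users": "Security staff",
    "data_inputs": "Live camera frames, enrolled face templates",
    "output_use": "Match result logged to the access-control system",
    "human_review_point": "Guard desk can override any decision",
    "risk_category_estimate": "to be determined",
    "transparency_notices": "Signage at the entrance",
    "evidence_owner": "Compliance team",
    "incident_process": "Security incident runbook",
}
OFFICE_DOOR = {**_BASE, "name": "HQ lobby door",
               "intended_purpose": "Confirm the badge holder is the enrolled person",
               "matching_mode": "one-to-one"}
MALL_WATCHLIST = {**_BASE, "name": "Mall entrance camera",
                  "intended_purpose": "Match visitors against a watchlist",
                  "matching_mode": "one-to-many"}
ROLE_UNSET = {**_BASE, "name": "Stadium gate camera",
              "intended_purpose": "Entry control"}
UNDOCUMENTED = {"name": "Camera vendor face-tag feature",
                "vendor": "ExampleVision (hypothetical)"}

if __name__ == "__main__":
    for name, label in inventory_report(
            [OFFICE_DOOR, MALL_WATCHLIST, ROLE_UNSET, UNDOCUMENTED]).items():
        print(f"{name}: {label}")
    print("undocumented system is missing:", missing_fields(UNDOCUMENTED))
```

The point of the rule ordering is the one the episode makes: the label is never derived from the model or the vendor, only from the documented purpose, and a record with blank facts is refused rather than guessed, so an undocumented system cannot silently land in the weaker category.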
