You’ll get asked about AI compliance over and over—by customers during procurement, by investors during diligence, by acquirers during M&A. The questions are predictable: What AI do you use? How do you know it works? What happens to our data? Who’s responsible?
If you maintain three core documents and keep them updated quarterly, you can answer about 80% of those questions on the spot. You’ll close deals faster, move through diligence more smoothly, and avoid scrambling every time someone asks.
Let’s walk through what these documents are, what they should contain, and how to build them without over-engineering.
Document 1: AI Use Case Inventory
This is a simple table that catalogs every place AI touches your business—customer-facing products and internal operations.
What to include:
| Use Case Name | Purpose | Data Inputs | Outputs/Decisions | Risk Classification | Model Type | Owner |
|---|---|---|---|---|---|---|
| Resume screening | Rank candidates for recruiting | Resume text, job description | Candidate score (1-100) | High-risk (EU), ADMT (CA) | OpenAI GPT-4 fine-tuned | Product |
| Customer support chatbot | Answer product questions | User query, help docs | Text response | Low-risk, transparency required | Anthropic Claude | Eng |
| Fraud detection | Flag suspicious transactions | Transaction data, user history | Risk score, block/allow | Medium-risk, consumer impact | Custom model | Security |
Why it matters:
This inventory forces you to think systematically. It surfaces risks you didn’t realize existed (like that internal tool someone built in a hackathon). It’s the first thing customers and investors ask for. And it makes it easy to assess impact when regulations change—you can quickly scan for which use cases are affected.
How long does it take?
1–2 hours to build initially. 15–30 minutes to update quarterly.
Keep it living:
Review it every quarter or whenever you launch a new feature, enter a new market, or add a new vendor.
Document 2: Model/Vendor Dossier
For every third-party AI model or vendor you use, maintain a short dossier.
What to include:
Vendor/Model: OpenAI GPT-4
What we use it for: Customer support chatbot, internal content drafting
Data we send: User queries (no PII), help documentation, prompt templates
Data retention: OpenAI retains for 30 days for abuse monitoring, then deletes (per Enterprise agreement)
Training: Our data is not used for training (per contract)
Security posture: SOC 2 Type II, ISO 27001, annual penetration testing
Contractual terms: Enterprise agreement, DPA in place, $2M liability cap, 30-day notice for material changes
Compliance support: OpenAI provides GDPR/CCPA documentation; EU AI Act GPAI compliance handled by OpenAI
Change control: We receive 30 days’ notice for model version changes; we can pin to specific versions
Why it matters:
When a customer asks “What happens to our data when you use GPT?” you have a documented answer. When an investor asks “What’s your AI vendor risk?” you hand them this dossier. It also helps you spot gaps—like vendors that won’t commit to zero training or won’t provide compliance documentation.
One dossier per vendor relationship.
If you use GPT for three different use cases, that’s one dossier with multiple use cases listed. If you also use Claude, that’s a second dossier.
Document 3: Evaluation and Monitoring Summary
This documents what you’ve tested, what you monitor, and how you respond when things go wrong.
What to include:
Use Case: Resume screening AI
Testing Performed:
- Baseline accuracy testing on 10,000 labeled resumes (historical hires vs. non-hires)
- Bias testing across protected categories (gender, race, age) using synthetic test data
- Adversarial testing (malformed resumes, keyword stuffing, irrelevant content)
Metrics Tracked:
- Weekly score distribution (detect drift)
- False positive / false negative rates
- Interview-to-hire conversion by candidate score
- User feedback (recruiters flagging bad recommendations)
Monitoring Cadence:
- Real-time dashboard for score distribution and anomalies
- Weekly review by Product and Engineering
- Quarterly audit by Legal and People Ops
Thresholds for Intervention:
- If accuracy drops below 80% → retrain model
- If protected category bias detected (>5% disparity) → pull model offline, investigate
- If user complaints spike → manual review and root cause analysis
Incident Response:
- Documented process for investigating and resolving accuracy or bias issues
- Communication plan for affected candidates and customers
- Post-mortem and corrective action tracking
Why it matters:
This is your proof that “we take AI risk seriously” isn’t just a talking point. It shows you’re actively measuring, monitoring, and improving. If something goes wrong, you have a documented process for catching and fixing it.
Hypothetical scenario:
Your lead scoring AI starts drifting because your customer base shifted. Your monitoring catches it within a week. You retrain the model and notify affected customers. In the post-mortem, you document the root cause and update your retraining schedule. When a customer asks “How do you ensure quality?”, you point to this exact incident as proof your system works.
Bonus: The One-Page Compliance Map
In addition to the three core documents, keep a simple one-page map that tracks five variables:
- Jurisdictions we sell into: U.S. only? EU? U.K.? Canada? California-specific considerations?
- Do we process personal data? Yes/No → If yes, privacy compliance applies
- Do we do automated decision-making? Yes/No → If yes, ADMT and high-risk categories apply
- Do we use third-party models? Yes/No → If yes, vendor risk applies
- Do we train or fine-tune models? Yes/No → If yes, data governance and IP considerations apply
Update this quarterly or when you enter a new market. It takes 5 minutes to review in a board meeting or leadership sync, and it keeps everyone aligned on where compliance risk is expanding.
How These Show Up in Diligence
Even at Seed stage, these documents surface in three contexts:
1. Investor diligence:
“Do you have a process for managing AI risk? Can you show it to us?”
→ You hand over the inventory, dossier, and evaluation summary. The investor sees you’ve thought systematically about risk and have documentation. Deal moves forward.
2. Enterprise customer questionnaires:
“What are your controls around AI accuracy, bias, and data retention? Are they documented?”
→ You reference the specific use case from your inventory, pull the relevant vendor dossier, and share your evaluation summary. The procurement team sees you’re buttoned-up. Deal closes faster.
3. M&A transaction diligence:
“Are there any gaps in your AI governance that could create post-close remediation costs or regulatory exposure?”
→ Buyers and their counsel dig into your documents. Gaps can crater a deal or lead to painful indemnification negotiations. Complete, current documentation protects your valuation.
The fastest way to keep all three of these efficient: maintain the documents quarterly, not in response to requests.
Action Item
Pick one document to build this month. Start with the AI Use Case Inventory—it’s the easiest and unlocks the other two. Block 90 minutes, pull in your head of product or engineering, and fill out the table. Don’t aim for perfection. Aim for “good enough to show a customer.”
Once the inventory exists, schedule a quarterly review and commit to keeping it current.