TL;DR: Use this 25-question yes/no scorecard to measure your AI regulatory readiness across foundation controls, EU AI Act obligations, employment AI, biotech-specific rules, and advanced governance. Total your score out of 25 and match it to the tiered verdict at the bottom to know exactly where to focus before August 2026.
Why August 2026 matters for software and biotech teams
Three significant AI regulatory deadlines converge around August 2026. The EU AI Act's original deadline for Annex III (stand-alone) high-risk AI systems was 2 August 2026; AI embedded in regulated products such as medical devices (Annex I) follows a year later. California's SB 942 (AI transparency for synthetic content) came into force in January 2026. The FDA is expected to publish updated AI/ML Software as a Medical Device guidance in mid-2026, building on its 2021 AI/ML action plan and its December 2024 final guidance on predetermined change control plans, and clarifying post-market monitoring expectations for AI-assisted clinical tools.
Software and biotech teams carry the heaviest overlap from these three tracks. A software company selling a hiring tool to EU clients may be in scope for the EU AI Act's Annex III employment category, California SB 942's content labelling rules, and EEOC guidance simultaneously. A biotech startup running an AI diagnostic aid faces FDA SaMD obligations, GDPR, and potentially the EU AI Act's high-risk rules for AI that is a medical device, or a safety component of one, under the EU MDR or IVDR (Annex I). This scorecard maps your readiness across all five relevant dimensions so you can see which gaps to close first.
How to use this scorecard
Score 1 point for every Yes answer and 0 for every No or Not sure. Total your score out of 25 at the end, then match it to the tiered verdict in the scoring section below. Biotech teams should answer all 25 questions. Software-only teams may skip questions 20-22 but should note that skipping them caps their maximum score at 22.
Print this page or copy the questions into a spreadsheet. Assign each question to the person in your organisation who owns that area. Revisit quarterly.
Part 1: Foundation (questions 1-8, all teams)
These eight questions apply to every organisation using AI, regardless of sector or size.
1. Do you have a written AI acceptable use policy?
A documented policy that defines which AI tools are approved, what data categories may be processed, and which uses are prohibited. Verbal agreements or informal norms do not count.
2. Do you maintain an AI system inventory (register) documenting every AI tool in use?
A live list of every AI tool your team uses, including vendor name, purpose, data categories processed, and the internal owner. Shadow AI in individual workflows counts against this.
3. Do you have signed Data Processing Agreements (DPAs) with all AI vendors?
Every AI vendor that processes personal data on your behalf needs a signed DPA under GDPR. CCPA requires similar contractual protections. "We clicked agree to the terms" is not sufficient.
4. Do you know which AI systems process personal data about EU residents?
Specifically: can you name each system, what data it holds, and where it is stored or transferred? This is the minimum threshold for GDPR Article 30 records of processing.
5. Do you have an AI incident response procedure?
A documented process for what to do when an AI system produces a harmful output, is breached, or fails in a consequential way. This should name a responsible person and set a response timeline.
6. Have employees received AI governance training in the last 12 months?
At minimum, staff who use or oversee AI systems should have received training covering your acceptable use policy, data handling rules, and how to report concerns.
7. Do you review AI vendor subprocessors annually?
AI vendors frequently subcontract to other providers (cloud infrastructure, annotation services, model APIs). Your DPA should list subprocessors, and you should confirm the list is current at least once per year.
8. Do you have a process to receive and respond to individual rights requests (access, deletion) for AI-processed data?
Under GDPR and CCPA, individuals can request access to or deletion of their personal data. If AI systems hold or have processed that data, your response process must cover them.
Part 2: High-risk AI and EU AI Act (questions 9-16)
These questions apply if you deploy AI systems that make or assist in consequential decisions. If you have no EU users and no systems in Annex III categories, you may score lower here, but document that reasoning.
9. Have you classified your AI systems by risk level (per EU AI Act categories)?
A documented classification exercise mapping each AI system to one of the EU AI Act's tiers: prohibited practice (Article 5), high-risk (Annex I product-embedded or Annex III stand-alone), subject to transparency obligations only (Article 50), or minimal risk. General-purpose AI models you provide are classified separately under Chapter V. This is the starting point for all EU AI Act compliance work, because every later obligation depends on which tier a system falls into.
10. If you deploy any EU AI Act Annex III high-risk system, have you registered it in the EU database?
Providers of Annex III high-risk systems (employment, education, access to essential services, biometrics, among others) must register the system in the EU database before placing it on the market or putting it into service (Article 49), and deployers that are public authorities must register their use as well. Critical-infrastructure systems are the exception: they are registered at national level rather than in the EU database. If you deploy a third-party high-risk tool, confirm the vendor's entry exists before go-live.
11. Do you have technical documentation for each high-risk AI system?
Article 11 requires technical documentation covering intended purpose, architecture, training data, accuracy metrics, known limitations, and cybersecurity measures. This document must be kept current.
12. Do you conduct conformity assessments for high-risk AI systems before deployment?
Some high-risk categories require third-party conformity assessment; others allow internal self-assessment. Either way, the process must be completed and documented before the system is deployed.
13. Do you log AI system outputs for high-risk decisions (audit trail)?
Article 12 requires high-risk AI systems to log events automatically over their lifetime, so that the inputs, output and timestamp behind a consequential decision can be reconstructed afterwards. Providers (Article 19) and deployers (Article 26(6)) must keep those logs for at least six months, or longer where other law requires, and make them available to authorities on request. A log that can be silently edited after the fact does not meet the purpose, so protect its integrity as well as its retention.
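What an Article 12 audit trail can look like in practice, as an added example written for this page (not the Act's schema and not any vendor's code): each record holds the inputs, output, timestamp, model version and oversight operator; records are hash-chained so an edited or deleted entry fails verification at audit time; and expiry removes only the oldest prefix of the log so the remaining chain still verifies. The field names, the system identifier, the decisions themselves and the 183-day default retention are assumptions.

```python
"""Tamper-evident decision log for a high-risk AI system.

Added example; not code from the scorecard or from any regulator. It
records the inputs, output and timestamp of each consequential decision,
chains the records with SHA-256 so that later edits or deletions are
detectable at audit time, and retains records for a configurable period.
The hash chain and the six-month default are this example's design
choices; the field names are assumptions, not an Article 12 schema.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first record in a chain
T0 = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed start time


def _canonical(body):
    """Deterministic serialisation so that the digest is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class DecisionLog:
    def __init__(self, retention_days=183):
        # Articles 19 and 26(6) require at least six months; 183 days assumed.
        self.retention = timedelta(days=retention_days)
        self.records = []           # in production: append-only / WORM storage
        self._checkpoint = GENESIS  # hash of the last archived record
        self._prev_hash = GENESIS
        self._next_seq = 0

    def append(self, system_id, model_version, inputs, output, operator, ts=None):
        """Append one decision record (timestamps assumed non-decreasing); returns its hash."""
        ts = ts or datetime.now(timezone.utc)
        body = {
            "seq": self._next_seq,
            "ts": ts.isoformat(),
            "system_id": system_id,
            "model_version": model_version,
            "inputs": inputs,       # or a reference to the input record (see note)
            "output": output,
            "operator": operator,   # who held the human-oversight role
            "prev_hash": self._prev_hash,
        }
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.records.append({**body, "hash": digest})
        self._prev_hash = digest
        self._next_seq += 1
        return digest

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of first bad record)."""
        prev = self._checkpoint
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False, rec["seq"]
            if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        return True, None

    def prune_expired(self, now):
        """Remove only the oldest prefix of records past retention and return it
        for archival. The rest of the chain still verifies from the new
        checkpoint, so a deletion in the middle of the log stays detectable."""
        cutoff = now - self.retention
        i = 0
        while i < len(self.records) and datetime.fromisoformat(self.records[i]["ts"]) < cutoff:
            i += 1
        archived, self.records = self.records[:i], self.records[i:]
        if archived:
            self._checkpoint = archived[-1]["hash"]
        return archived


def _constructed_demo():
    """Three constructed decisions from a hypothetical CV-screening system."""
    log = DecisionLog()
    for i, score in enumerate((0.81, 0.42, 0.67)):
        log.append(
            system_id="cv-screen-v2",                   # assumed identifier
            model_version="2.3.1",                      # assumed version
            inputs={"applicant_ref": f"app-{i:04d}"},   # reference, not raw CV text
            output={"score": score, "advance": score >= 0.6},
            operator="recruiter-oversight",
            ts=T0 + timedelta(days=i),
        )
    return log


def run_demo():
    """End to end: build, verify, tamper, detect, restore, prune at day 184."""
    log = _constructed_demo()
    intact = log.verify()
    log.records[1]["output"]["advance"] = True    # simulate an after-the-fact edit
    tampered = log.verify()
    log.records[1]["output"]["advance"] = False   # put it back
    archived = log.prune_expired(T0 + timedelta(days=184))
    return {"intact": intact, "tampered": tampered,
            "archived_seqs": [r["seq"] for r in archived],
            "after_prune": log.verify(), "remaining": len(log.records)}


if __name__ == "__main__":
    print(run_demo())
```

The `inputs` field stores a reference to the applicant record rather than the CV text itself; that is a deliberate choice so the audit log does not become a second copy of personal data with its own GDPR exposure, while still letting an auditor retrieve exactly what the model saw.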
14. Have you implemented human oversight mechanisms for high-risk AI outputs?
Article 14 requires that high-risk AI systems allow a human operator to monitor, intervene, and override outputs. Document who holds that role and what the override procedure is.
15. Do your high-risk AI systems include accuracy and reliability testing?
Article 15 requires high-risk systems to achieve an appropriate level of accuracy, robustness and cybersecurity, including resilience against attempts to manipulate inputs (adversarial examples) and against data or model poisoning. Pre-deployment testing for accuracy, consistency, and resistance to adversarial input should be documented and retained, and the accuracy levels and metrics must be declared in the instructions for use that accompany the system.
16. If you generate AI content for public use, do you label it as AI-generated (Article 50)?
Article 50 sets the transparency obligations: providers must mark synthetic audio, image, video and text output so it is detectable as AI-generated in a machine-readable way; deployers must disclose deep fakes and AI-generated text published to inform the public on matters of public interest; and people interacting with a chatbot must be told so unless it is obvious from context. In practice this catches product-generated media, public-facing marketing content built from synthetic images or video, and synthetic data used in public-facing materials. These obligations apply from 2 August 2026.
Part 3: Employment and hiring AI (questions 17-19)
These questions apply to any organisation that uses AI tools in recruiting, candidate screening, performance review, or workforce planning.
17. If you use AI in hiring (screening, scoring, ranking candidates), have you reviewed for EEOC compliance?
Under Title VII, an employer is liable for adverse impact caused by a selection procedure even when the tool comes from a third-party vendor, and the EEOC's guidance on AI in selection procedures says so explicitly. Your review should include a disparate impact analysis comparing selection rates across protected characteristics; the Uniform Guidelines' four-fifths rule (a group's selection rate below 80% of the highest group's rate) is the conventional threshold for flagging a procedure for closer examination.
18. Do you provide advance notice to candidates before using AI in a hiring decision?
Several US state and local laws (Illinois's AI Video Interview Act, Maryland's facial-recognition consent law, New York City's Local Law 144) require employers to notify candidates, or obtain their consent, when AI is used in screening or assessment. Best practice is to give the notice to all candidates regardless of location.
19. If operating in Colorado, Illinois, or New York City, have you reviewed state-specific AI hiring laws?
Colorado SB 26-189, Illinois AI Video Interview Act, and New York City Local Law 144 each have distinct bias audit, notice, and disclosure requirements. Operating across multiple states means multiple compliance layers.
Part 4: Biotech-specific (questions 20-22)
Software-only teams may skip this section, but note that your maximum available score is then 22. Biotech teams should answer all three.
20. If your AI system assists in clinical decision-making, have you reviewed FDA AI/ML Software as a Medical Device (SaMD) guidance?
FDA regulates AI-enabled clinical tools as medical devices. Its December 2024 final guidance on Predetermined Change Control Plans lets you pre-authorise defined model updates in a marketing submission rather than filing a new one for each; beyond that, an AI-assisted clinical tool needs a documented intended use, validation against that intended use, and post-market monitoring protocols.
21. Do you have a change management protocol for AI model updates in clinical or diagnostic pipelines?
Model updates in a clinical AI system are not routine software releases. Each significant algorithmic change may require re-validation, updated documentation, and in some cases a new regulatory submission.
22. Have you assessed whether your AI system qualifies as a Medical Device under FDA or EU MDR?
The qualification threshold can be lower than expected. AI tools that assist in diagnosis, prognosis, or treatment selection may qualify even if marketed as decision-support software: under FDA's Clinical Decision Support Software guidance, software escapes device regulation only if it meets all four criteria in section 520(o)(1)(E) of the FD&C Act, including that the clinician can independently review the basis for the recommendation. Under the EU MDR, Rule 11 of Annex VIII classifies software that informs diagnostic or therapeutic decisions as class IIa or higher. Get a documented legal opinion if the boundary is unclear.
Part 5: Advanced governance (questions 23-25)
These questions distinguish organisations with mature AI governance programmes from those with baseline compliance only.
23. Do you conduct bias and fairness audits on AI systems that affect people differently by demographic group?
A bias audit tests whether an AI system produces systematically different outcomes for people in different demographic groups (by race, gender, age, disability status). Colorado SB 26-189 and New York City Local Law 144 require formal audits for certain systems; best practice is to apply the same standard internally regardless of jurisdiction.
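Questions 17 and 23 both come down to the same computation: selection rates per group, and the ratio of each group's rate to the best-performing group's. As an added example (not code from this scorecard or from any regulator), the Python below does that analysis on constructed screening outcomes; the four-fifths threshold and the minimum group size it uses are stated assumptions a real audit would justify, and the group labels are placeholders.

```python
"""Selection-rate (adverse impact) analysis for an AI hiring screen.

Added example, not code from the scorecard or from any regulator. It
computes per-group selection rates and impact ratios (each group's rate
divided by the highest group's rate), the comparison behind a disparate
impact analysis and the impact-ratio tables in a New York City Local Law
144 bias audit, and flags groups below the four-fifths (0.8) threshold
from the US Uniform Guidelines. The candidate records and group labels
are constructed; the threshold and minimum group size are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

FOUR_FIFTHS = 0.8  # Uniform Guidelines screening threshold (assumed here)


@dataclass(frozen=True)
class Decision:
    candidate_id: str
    group: str      # protected-characteristic category, e.g. self-reported
    selected: bool  # True if the AI screen advanced the candidate


def selection_rates(decisions):
    """Map group -> (selected, total, rate)."""
    counts = defaultdict(lambda: [0, 0])
    for d in decisions:
        counts[d.group][1] += 1
        if d.selected:
            counts[d.group][0] += 1
    return {g: (s, n, s / n) for g, (s, n) in counts.items()}


def impact_ratios(decisions, min_group_size=1):
    """Return (reference_group, {group: ratio or None}).

    The reference is the eligible group with the highest selection rate.
    Groups below min_group_size get None: a rate over a handful of people
    is noise, and reporting it as a finding would mislead the audit.
    """
    rates = selection_rates(decisions)
    eligible = {g: r for g, (_, n, r) in rates.items() if n >= min_group_size}
    if not eligible:
        raise ValueError("no group meets the minimum size")
    reference = max(eligible, key=eligible.get)
    ref_rate = eligible[reference]
    ratios = {}
    for g, (_, n, r) in rates.items():
        if n < min_group_size:
            ratios[g] = None
        elif ref_rate == 0.0:
            ratios[g] = 1.0       # nobody advanced at all: no disparity
        else:
            ratios[g] = r / ref_rate
    return reference, ratios


def adverse_impact_flags(decisions, threshold=FOUR_FIFTHS, min_group_size=1):
    """Sorted list of groups whose impact ratio is below the threshold."""
    _, ratios = impact_ratios(decisions, min_group_size)
    return sorted(g for g, r in ratios.items() if r is not None and r < threshold)


def audit_report(decisions, threshold=FOUR_FIFTHS, min_group_size=1):
    """Rows of (group, total, selected, rate, ratio, flagged) for the audit file."""
    rates = selection_rates(decisions)
    reference, ratios = impact_ratios(decisions, min_group_size)
    rows = []
    for g in sorted(rates):
        s, n, r = rates[g]
        ratio = ratios[g]
        flagged = ratio is not None and ratio < threshold
        rows.append((g, n, s, round(r, 3), None if ratio is None else round(ratio, 3), flagged))
    return reference, rows


def _constructed_sample():
    """Constructed outcomes of a hypothetical screening model."""
    rows = []
    for group, total, selected in (("A", 50, 20), ("B", 50, 14), ("C", 3, 0)):
        # the first `selected` candidates in each group advanced
        rows.extend(Decision(f"{group}-{i:03d}", group, i < selected) for i in range(total))
    return rows


if __name__ == "__main__":
    ref, rows = audit_report(_constructed_sample(), min_group_size=10)
    print("reference group:", ref)
    for row in rows:
        print(row)
```

Group C is the case to watch: with only three candidates and no advances its raw ratio is zero, which looks like the worst disparity on the page, yet with `min_group_size=10` it is reported as not evaluable rather than flagged. Deciding that minimum, and documenting why, is part of the audit rather than a detail to leave to the script.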
24. Do you have a process to monitor AI systems for performance drift after deployment?
AI models can degrade over time as the data they operate on shifts. Monitoring should include automated alerts for accuracy drops, human review triggers, and a defined threshold for taking a system offline for retraining.
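An added illustration of the monitoring loop described in question 24, written for this page rather than taken from any product: a rolling-window accuracy monitor that escalates from an automated alert, to routing outputs through the human-oversight role, to latching the system offline until it is retrained and re-validated. The baseline accuracy, window size and the three drop thresholds are assumed values, and the outcome stream is constructed.

```python
"""Post-deployment performance drift monitor with escalating actions.

Added example, not code from the scorecard or from any vendor. It keeps a
rolling window of labelled outcomes (prediction vs. later ground truth),
compares the window accuracy with the accuracy measured at pre-deployment
validation, and escalates: alert the owner, route outputs to the human
oversight role, or take the system offline. All thresholds are assumed.
"""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    INSUFFICIENT_DATA = "insufficient_data"
    OK = "ok"
    ALERT = "alert"                # notify the system owner
    HUMAN_REVIEW = "human_review"  # route outputs through the oversight role
    TAKE_OFFLINE = "take_offline"  # stop serving; retrain and re-validate


@dataclass
class DriftMonitor:
    baseline_accuracy: float       # from pre-deployment validation (assumed)
    window: int = 200              # rolling window of labelled outcomes
    min_samples: int = 50          # do not judge on too few outcomes
    alert_drop: float = 0.05       # absolute accuracy drop that raises an alert
    review_drop: float = 0.10      # drop that triggers human review
    offline_drop: float = 0.15     # drop that takes the system offline
    _outcomes: deque = field(default_factory=deque, repr=False)
    _offline: bool = False

    def __post_init__(self):
        if not 0.0 <= self.baseline_accuracy <= 1.0:
            raise ValueError("baseline_accuracy must be in [0, 1]")
        if not self.alert_drop < self.review_drop < self.offline_drop:
            raise ValueError("thresholds must escalate")
        self._outcomes = deque(maxlen=self.window)

    def record(self, predicted, actual):
        """Record one labelled outcome and return the action to take now."""
        self._outcomes.append(predicted == actual)
        return self.status()

    def accuracy(self):
        """Accuracy over the current window, or None before any outcome."""
        if not self._outcomes:
            return None
        return sum(self._outcomes) / len(self._outcomes)

    def status(self):
        """Escalation decision for the current window; offline latches."""
        if self._offline:
            return Action.TAKE_OFFLINE  # stays offline until reset_after_retraining()
        if len(self._outcomes) < self.min_samples:
            return Action.INSUFFICIENT_DATA
        # round so that a drop of exactly a threshold is not lost to float error
        drop = round(self.baseline_accuracy - self.accuracy(), 9)
        if drop >= self.offline_drop:
            self._offline = True
            return Action.TAKE_OFFLINE
        if drop >= self.review_drop:
            return Action.HUMAN_REVIEW
        if drop >= self.alert_drop:
            return Action.ALERT
        return Action.OK

    def reset_after_retraining(self, new_baseline):
        """Clear the window and latch after the retrained model is validated."""
        self.baseline_accuracy = new_baseline
        self._outcomes.clear()
        self._offline = False


def simulate(monitor, outcomes):
    """Feed (predicted, actual) pairs in order; return the action after each."""
    return [monitor.record(p, a) for p, a in outcomes]


def _constructed_stream(n, accuracy):
    """n constructed outcomes with the given fraction correct (correct first)."""
    correct = round(n * accuracy)
    return [(1, 1)] * correct + [(1, 0)] * (n - correct)


if __name__ == "__main__":
    m = DriftMonitor(baseline_accuracy=0.90, window=100, min_samples=50)
    healthy = simulate(m, _constructed_stream(100, 0.90))
    degraded = simulate(m, _constructed_stream(100, 0.70))
    print("healthy period ends:", healthy[-1].value)
    print("first alert at:", degraded.index(Action.ALERT))
    print("degraded period ends:", degraded[-1].value)
```

The offline state latches on purpose: once the window has crossed the offline threshold, a few good outcomes must not silently bring the system back, because the decision to resume belongs to whoever validates the retrained model, not to the monitor.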
25. Have you conducted a regulatory horizon scan in the last 6 months to identify upcoming AI laws?
The AI regulatory calendar is moving quickly. A horizon scan reviews upcoming legislation, regulatory guidance, and enforcement actions relevant to your sector and geography. It should produce a prioritised list of obligations to prepare for in the next 12-18 months.
How to score yourself
Add up your Yes answers. Match your total to the tier below.
0-8: Not started. August 2026 deadlines are at material risk. Begin immediately with questions 1 (acceptable use policy), 2 (AI inventory), and 3 (DPAs with vendors). These three items are the minimum floor for any organisation using AI and take two to four weeks to complete with focused effort. Use the AI risk assessment tool to prioritise your gaps.
9-15: Foundation in place. Your basic controls exist but Part 2 (EU AI Act) likely has significant gaps. Work through questions 9-16 before August 2026 if you have any EU users or any system in an Annex III high-risk category. The EU AI Act August 2026 compliance checklist covers each Part 2 item in detail.
16-20: Solid baseline. You have documented most of the required controls. Focus on your vertical-specific gaps: biotech teams should close any open items in questions 20-22 first. Software teams with hiring AI should revisit questions 17-19. Your remaining risk is likely in advanced governance (questions 23-25) and in keeping existing documentation current.
21-25: Audit-ready. Your governance programme covers the material requirements. The priority now is documentation quality and maintenance cadence: schedule an annual review of all policies and DPAs, set up automated performance monitoring for deployed AI systems, and run a regulatory horizon scan every six months. Take the compliance quiz to check for any narrow gaps before your next internal audit.
Related reading
- EU AI Act August 2026 compliance checklist: step-by-step for teams with high-risk AI systems
- AI governance complete guide for small teams: the full framework behind this scorecard
- EEOC AI hiring guidance 2026 employer checklist: detailed action items for questions 17-19
