Address
101 Portman Street, Glasgow, G41 1EJ, UK
Email
[email protected]
Phone
+441413898777
Flipware Tech Ltd

AI Ethics and Compliance: What Good Looks Like in Practice

Flipware Tech Ltd > Blog > Blog > AI Ethics and Compliance: What Good Looks Like in Practice

Introduction: From Policy to Practice

The AI ethics conversation has spent years at altitude, principles, manifestos, and high-level declarations. But as AI systems become deeply embedded in hiring decisions, credit scoring, medical diagnostics, customer interactions, and supply chains, the question for enterprise leaders is no longer whether to adopt ethical AI practices. It is how to make them concrete, measurable, and operationally real.

This is not a theoretical exercise. According to an EY survey of 975 C-suite leaders across 21 countries, almost all (99%) organisations surveyed reported financial losses from AI-related risks, with nearly two-thirds suffering losses exceeding US$1 million. The most common risks cited were non-compliance with AI regulations (57%), negative sustainability impacts (55%), and biased outputs (53%). More strikingly, on average only 12% of C-suite respondents correctly identified appropriate controls against five common AI-related risks. The competence gap is significant ,  and it is costing organisations real money.

At the same time, the regulatory clock is running. The EU AI Act ,  the world’s first comprehensive legal framework for AI ,  entered into force in August 2024 and reaches full applicability in August 2026, with prohibitions already live since February 2025. NIST’s AI Risk Management Framework has become the gold standard for voluntary governance in North America. ISO 42001 is gaining adoption globally. The regulatory environment is no longer permissive ambiguity,  it is structured obligation.

This article examines what genuinely good AI ethics and compliance looks like in practice: the governance structures, technical controls, cultural shifts, and measurable benchmarks that separate organisations that are managing AI responsibly from those that are simply managing the optics of doing so.

  1. The Regulatory Landscape Has Changed Fundamentally

For years, AI ethics was largely a voluntary endeavour. That era is over. The EU AI Act’s risk-based framework now classifies AI systems into four tiers ,  unacceptable risk (banned outright), high-risk, limited-risk, and minimal-risk ,  and imposes substantive compliance obligations that scale with classification. High-risk systems, covering domains such as employment and recruitment, critical infrastructure, access to essential services, law enforcement, and healthcare, must undergo rigorous conformity assessments, maintain comprehensive technical documentation, implement quality management systems, and be designed to enable human oversight. Penalties under the Act can reach €35 million or 7% of global annual turnover for the most serious infringements.

These requirements are not limited to EU-based organisations. Any business deploying AI systems that interact with EU citizens, or that operates supply chains involving AI components within EU borders, falls within scope. Legal experts at LegalNodes note that liability under the Act may extend beyond administrative sanctions to include civil and criminal liability in certain jurisdictions, making compliance a matter of existential risk management rather than box-ticking.

Beyond the EU, the NIST AI Risk Management Framework has emerged as the dominant voluntary governance architecture in the United States, with its four core functions ,  Govern, Map, Measure, and Manage ,  now embedded in sector-specific guidance from the CFPB, FDA, SEC, FTC, and EEOC. Colorado’s AI Act explicitly references the NIST AI RMF as an acceptable risk management standard. Japan passed a landmark AI Promotion Bill in February 2025. The OECD’s AI Principles, first adopted in 2019 and updated in 2024, have influenced frameworks across G7 nations. The direction of travel is consistent and accelerating: from voluntary to mandatory, from principles to enforceable obligations.

For enterprise AI teams, this convergence has a practical implication: building governance infrastructure now, rather than retrofitting it to meet each jurisdiction’s requirements as they arrive, is both more efficient and significantly less expensive.

  1. Governance Is the Foundation, Not the Finish Line

Many organisations approach AI governance as if it were the end state ,  a policy document that, once produced, constitutes compliance. Genuinely mature programmes treat governance as the enabling infrastructure for everything that follows.

PwC’s 2025 US Responsible AI Survey found that about six in ten respondents describe their organisations as at the “strategic” or “embedded” stage, where responsible AI is actively integrated into core operations and decision-making. However, the same survey identifies a persistent implementation gap: principles are established, but execution at scale remains elusive for most. Fifty-six percent of executives report that their first-line teams ,  IT, engineering, data, and AI ,  now lead responsible AI efforts, reflecting a maturation from governance-by-committee to governance-by-design.

What does structural governance look like in practice? The NIST AI RMF recommends establishing a cross-functional AI Oversight Committee that brings together expertise across AI/ML, legal and compliance, risk management, cybersecurity, ethics, and business operations. Critically, this committee should not be a bottleneck ,  its role is to set policy, define risk thresholds, and create escalation pathways, while empowering first-line teams to make governance-informed decisions without centralised approval for every deployment.

Accountability must be explicit. Governance structures that diffuse responsibility across committees without naming owners consistently fail. Good practice requires assigning named ownership for each AI system in production ,  a specific individual or function responsible for its compliance posture, performance monitoring, bias audits, and incident response. The NIST AI RMF’s GOVERN function is explicit about this: roles, responsibilities, and lines of communication for mapping, measuring, and managing AI risks must be clearly documented and understood across the organisation.

Gartner predicts that by 2026, 50% of large enterprises will have formal AI risk management programmes in place ,  up from fewer than 10% in 2023. The organisations that build robust governance infrastructure today will be competing from a position of advantage as that transition occurs. Those that wait will find themselves under regulatory pressure, reputational strain, and with a compliance gap that is significantly more expensive to close retroactively.

  1. Transparency and Explainability: Closing the Black Box

One of the most persistent practical challenges in AI ethics is explainability ,  the ability to understand, document, and communicate how an AI system arrives at its outputs. A 2025 report found that 61% of people are wary of AI’s “black box” nature, and regulatory frameworks from the EU AI Act to the NIST RMF treat explainability as a non-negotiable characteristic of trustworthy AI systems.

The NIST AI-600-1 Generative AI Profile ,  published in July 2024 and addressing the unique risks of generative models ,  identifies “Explainable and Interpretable” as a core trustworthy AI characteristic alongside being Accountable and Transparent, Fair with Harmful Bias Managed, Privacy Enhanced, Safe, Secure and Resilient, and Valid and Reliable. These are not aspirational labels; they are categories against which AI systems should be assessed and documented.

In practice, explainability operates at two levels. Technical explainability involves the use of tools such as SHAP (SHapley Additive exPlanations) and LIME (Local Interpretable Model-agnostic Explanations) to understand how specific features influence model outputs. This is essential for internal auditing, bias detection, and regulatory documentation. Stakeholder-facing explainability, by contrast, involves being able to communicate to affected individuals and regulators ,  in plain language ,  the basis on which an AI-assisted decision was made. The EU AI Act’s transparency obligations for high-risk systems require providers to design systems that allow deployers to explain AI decisions to individuals, and to provide instructions for use that enable downstream compliance.

For high-stakes applications ,  credit decisions, hiring algorithms, medical triage tools, insurance assessments ,  explainability is not only an ethical obligation but a legal one in an increasing number of jurisdictions. Organisations operating in the EU’s high-risk AI domains must, under Articles 9–15 of the AI Act, document their systems’ technical design, training data governance, risk management processes, accuracy thresholds, and human oversight mechanisms. The documentation burden is real, but it is also an artefact of responsible practice: organisations that are genuinely doing this well find that the documentation process surfaces risks and design flaws that might otherwise go undetected until deployment.

  1. Fairness and Bias: Beyond Good Intentions

Algorithmic bias is among the most consequential ethical failures in AI deployment, and it is neither rare nor accidental. It emerges from biased training data, proxy variables that correlate with protected characteristics, feedback loops that reinforce historical patterns, and under-representation in model development teams. The EY 2025 survey found that biased AI outputs were among the three most commonly reported risk materialisation events, yet only 12% of C-suite leaders could correctly identify appropriate controls.

Good practice in bias management begins at the data layer. Only 23% of organisations have full visibility into their AI training data, according to McKinsey ,  a staggering blind spot given that training data quality is the single largest determinant of downstream model fairness. Organisations operating at the frontier of responsible AI practice conduct systematic data audits before model training, implementing metadata tagging to identify personally identifiable information and sensitive attributes, reviewing training sources for historical bias, and establishing data governance protocols that track provenance throughout the AI lifecycle.

Beyond data, model development should incorporate fairness metrics as first-class engineering constraints rather than post-hoc additions. Demographic parity difference, equalised odds, and individual fairness metrics should be computed, documented, and evaluated against defined thresholds as part of the development pipeline ,  not left to post-deployment review. The goal is to embed fairness gates into the deployment process itself, ensuring that models that fail defined fairness thresholds cannot be pushed to production without explicit review and sign-off.

McKinsey’s AI ethics practice has documented a “red teaming” approach, under which a cross-disciplinary group ,  including technical experts, legal professionals, and risk specialists not involved in the development process ,  systematically challenges the development team’s approach to fairness, bias, and transparency. This adversarial collaboration surfaces gaps that homogeneous development teams consistently miss, particularly the legal and regulatory dimensions of bias that technologists may not have the domain expertise to identify independently.

The KPMG/University of Melbourne Global AI Trust Study 2025, which surveyed more than 48,000 people across 47 countries, found that AI adoption is rising but trust remains a critical challenge ,  with meaningful disparities by age, gender, and income that mirror the populations most likely to be disadvantaged by biased systems. Organisations that take fairness seriously are not merely managing compliance risk; they are building the stakeholder trust that underpins long-term AI adoption.

  1. Human Oversight: Keeping Humans Meaningfully in the Loop

The principle of human oversight is consistently embedded in every major AI governance framework, but it is frequently misunderstood. Human oversight does not mean having a person click “approve” on every AI output. It means designing AI systems such that humans retain meaningful agency over consequential decisions, can identify and correct AI errors, and bear defined accountability for outcomes.

The NIST AI RMF articulates a thoughtful approach built on three pillars: ensuring transparency (understanding what the system does and how), applying oversight that is calibrated to the level of risk (not every system requires the same level of human review), and clearly defining who is responsible for what. This last point is critical. Oversight without named accountability is oversight in name only ,  it diffuses responsibility precisely when clarity matters most.

In practice, human oversight needs to be designed into AI systems from the outset, not bolted on after deployment. The EU AI Act explicitly requires that high-risk AI systems be designed to allow deployers to implement human oversight ,  meaning that technical architecture, not just policy, must accommodate meaningful human intervention. Systems that are technically opaque, operate at a speed that precludes human review, or present outputs in ways that make challenge practically impossible do not satisfy this requirement, regardless of what the governance documentation claims.

For organisations deploying AI agents ,  systems that take real-world actions rather than simply producing recommendations ,  the oversight challenge is qualitatively different. McKinsey’s 2026 AI Trust Maturity Survey notes that in the age of agentic AI, organisations can no longer concern themselves only with AI systems saying the wrong thing; they must also contend with systems doing the wrong thing ,  taking unintended actions, misusing tools, or operating beyond appropriate guardrails. The governance architectures designed for recommendation AI are insufficient for agentic AI, and organisations that have deployed agents without updating their oversight frameworks are operating in a genuine blind spot.

PwC’s 2026 AI Business Predictions note that agentic workflows are spreading faster than governance models can address their unique needs, and that “when we have the freedom to explore within a clear, ethical framework, that’s when real innovation happens.” The organisations positioning themselves as AI leaders in the coming years will be those that treat governance not as a constraint on innovation, but as its enabling condition.

  1. Data Privacy and Security: AI’s Hidden Compliance Surface

AI systems interact with data at a scale and depth that creates compliance exposure across multiple legal regimes simultaneously. An AI model trained on customer data may implicate GDPR, UK GDPR, the EU AI Act, sector-specific regulations such as HIPAA or FCA guidance, and domestic privacy legislation in every jurisdiction where the data was collected or the output is deployed. According to Gartner, 70% of AI data leaks stem from weak access governance ,  a reminder that data governance failures are often the proximate cause of AI compliance failures.

Good practice requires implementing AI-specific access controls that go beyond standard data protection measures. This includes role-based permissions that restrict which teams can access training data and model outputs, prompt filters and input sanitisation to prevent data exfiltration through AI interfaces, data minimisation protocols that limit the personal information used in AI training to what is strictly necessary, and audit trails that track data flow from ingestion through model training to output delivery. For generative AI systems, training data governance takes on additional dimensions: the EU AI Act requires providers of general-purpose AI models to publish a sufficiently detailed summary of the copyrighted material used in training, and to implement safeguards to ensure the legality of their output.

The Cloud Security Alliance’s 2025 analysis of AI and privacy developments emphasises that for multi-jurisdictional enterprises, aligning AI systems with the most stringent applicable standards ,  typically EU standards ,  provides the most operationally consistent compliance posture. Rather than maintaining separate compliance programmes for each jurisdiction, organisations that build to the highest applicable standard can then adapt for markets with lower requirements, rather than the reverse.

Privacy-preserving AI techniques ,  federated learning, differential privacy, and synthetic data generation ,  are increasingly relevant for organisations seeking to train AI systems without exposing personal data. These are not merely defensive measures; they enable AI development in contexts where data pooling would otherwise be legally or ethically impermissible, expanding the space of legitimate AI applications.

  1. Building the Culture: Operationalising Ethics at Scale

Technical controls and governance structures are necessary but not sufficient. The evidence consistently shows that AI ethics failures occur not only because of inadequate systems, but because of inadequate culture ,  organisations where governance is seen as a compliance function rather than a shared professional value, where raising concerns about AI outputs carries career risk, and where the pressure to ship features overrides the discipline to assess them.

The KPMG Trust study found that 44% of US workers admit to knowingly using AI improperly at work, 58% rely on AI outputs without properly evaluating them, and 53% present AI-generated content as their own ,  even as 72% of respondents say more regulation is needed. This is not evidence of malice; it is evidence of an adoption curve that has outrun the cultural and governance infrastructure meant to shape it. Organisations that have published AI policies but not invested in training, education, and cultural reinforcement have policies that exist on paper but not in practice.

The NIST AI RMF’s GOVERN function emphasises three cultural elements that differentiate organisations with genuine governance from those with nominal governance: open communication and a safety-first mindset when designing, deploying, and monitoring AI systems; diversity, equity, inclusion, and accessibility (DEIA) principles integrated into AI governance and decision-making; and continuous learning about AI risks, limitations, and impacts. These are not soft commitments ,  they are structural features of organisations that catch AI problems before they become AI crises.

Practically, building an AI ethics culture requires investment in role-specific training that goes beyond policy awareness to develop applied competency. Engineers need to understand how bias enters models. Product managers need to understand the regulatory risk profile of the features they are specifying. Legal and compliance teams need sufficient technical literacy to engage substantively with AI teams rather than simply reviewing documentation. Salesforce’s 2024 AI Ethics Bootcamp for employees ,  which has since been emulated across the industry ,  is an example of this kind of investment: not a one-time training module, but a sustained commitment to building shared competency.

The IAPP’s 2025 AI Governance Profession Report found that 47% of organisations rank AI governance among their top five strategic priorities, with 77% actively developing governance programmes. The organisations that will translate governance investment into business value are those that embed it in their talent development, performance management, and product development processes ,  not those that treat it as a compliance overhead to be minimised.

  1. What Good Looks Like: Practical Benchmarks

Across the governance frameworks, regulatory requirements, and empirical research surveyed here, several practical benchmarks consistently distinguish organisations operating at the frontier of responsible AI:

Inventory and classification: Every AI system in production is documented, classified by risk level under applicable frameworks (EU AI Act, NIST AI RMF, ISO 42001), and assigned named ownership. This inventory is maintained and updated with every significant model change or new deployment.

Pre-deployment assessment: High-risk and novel AI applications undergo structured pre-deployment review covering data governance (lineage, representativeness, bias assessment), technical documentation, fairness metrics against defined thresholds, explainability requirements for the intended use case, and human oversight architecture.

Continuous monitoring: AI systems in production are monitored for accuracy degradation, fairness drift, data shift, and anomalous outputs. The NIST AI RMF 2025 guidance treats AI risk management as a continuous improvement cycle, not a deployment gate. Retraining triggers, escalation pathways, and model retirement protocols are defined and documented.

Incident response: When AI systems behave unexpectedly or cause harm, organisations have defined processes for containment, investigation, stakeholder notification, and regulatory disclosure. McKinsey’s 2026 survey found that nearly 60% of respondents who experienced AI-related incidents reported negative or unsatisfactory views of their organisation’s response ,  a signal that incident preparedness remains a significant weakness even in organisations with otherwise mature governance programmes.

Third-party governance: AI risks embedded in vendor and partner relationships are explicitly managed. Supply chain AI ,  models, APIs, and AI-powered tools procured from third parties ,  carries compliance obligations for the deploying organisation under the EU AI Act, and the NIST AI RMF requires contingency processes for failures in third-party AI systems.

Stakeholder engagement: Affected communities and end-users have genuine channels to provide feedback on AI systems that affect them. This is not merely good practice ,  it is a regulatory requirement under the NIST AI RMF (GOVERN 5.1) and an expectation embedded in UNESCO’s global AI ethics recommendation.

Conclusion: Ethics as Competitive Advantage

The organisations that will lead in AI over the next decade are not those that move fastest regardless of ethics ,  they are those that move purposefully, building the trust of regulators, customers, employees, and the public that is the precondition for sustained AI deployment at scale.

According to PwC’s 2025 survey, 60% of executives say responsible AI boosts ROI and efficiency, and 55% report improved customer experience and innovation as outcomes. EY’s research finds that enterprises viewing responsible AI principles as a core business function ,  rather than a compliance overhead ,  are better positioned to achieve faster productivity gains, stronger revenue growth, and sustainable competitive advantage in an AI-driven economy. The Edelman Trust Barometer is unambiguous: the organisations that prioritise transparency, fairness, and clear use cases will be best positioned to build the long-term trust that drives meaningful AI adoption.

AI ethics and compliance, done well, is not a constraint on innovation. It is the architecture that makes durable innovation possible. The frameworks exist. The regulatory obligations are now enforceable. The business case is clear. What remains is execution.

Flipware Technologies helps organisations translate AI governance frameworks into operational practice ,  from risk classification and compliance documentation to bias auditing, explainability architecture, and cultural capability building. To understand how your AI programme maps against current regulatory requirements and best practice benchmarks, visit us at www.flipwaretechnologies.com or get in touch to request a complimentary AI governance readiness assessment. Also Read AI ROI: How to Measure Value Beyond Cost Savings, and What You’re Losing Without It.

References

  1. EY (2025). Companies advancing responsible AI governance linked to better business outcomes. https://www.ey.com/en_gl/newsroom/2025/10/ey-survey-companies-advancing-responsible-ai-governance-linked-to-better-business-outcomes
  2. European Commission (2024). EU AI Act ,  Regulatory Framework for AI. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  3. NIST (2023–2025). AI Risk Management Framework. https://www.nist.gov/itl/ai-risk-management-framework
  4. Freshfields (2025). EU AI Act ,  Compliance Overview. https://www.freshfields.com/en/our-thinking/campaigns/tech-data-and-ai-the-digital-frontier/eu-digital-strategy/artificial-intelligence-act
  5. LegalNodes (2026). EU AI Act 2026 Updates: Compliance Requirements and Business Risks. https://www.legalnodes.com/article/eu-ai-act-2026-updates-compliance-requirements-and-business-risks
  6. EU Artificial Intelligence Act (2025). High-Level Summary. https://artificialintelligenceact.eu/high-level-summary/
  7. Dataiku (2025). EU AI Act High-Risk Requirements: What Companies Need to Know. https://www.dataiku.com/stories/blog/eu-ai-act-high-risk-requirements
  8. Diligent (2025). NIST AI Risk Management Framework: A Simple Guide to Smarter AI Governance. https://www.diligent.com/resources/blog/nist-ai-risk-management-framework
  9. Bradley (2025). Global AI Governance: Five Key Frameworks Explained. https://www.bradley.com/insights/publications/2025/08/global-ai-governance-five-key-frameworks-explained
  10. PwC (2025). Responsible AI Survey: From Policy to Practice. https://www.pwc.com/us/en/tech-effect/ai-analytics/responsible-ai-survey.html
  11. PwC (2026). AI Business Predictions. https://www.pwc.com/us/en/tech-effect/ai-analytics/ai-predictions.html
  12. McKinsey (2025). State of AI: Global Survey 2025. https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai
  13. McKinsey (2026). State of AI Trust: Shifting to the Agentic Era. https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/state-of-ai-trust-in-2026-shifting-to-the-agentic-era
  14. McKinsey (2025). Trusted AI Compliance for Ethical and Resilient Systems. https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/ushering-in-a-new-era-of-trusted-ai
  15. KPMG / University of Melbourne (2025). Trust, Attitudes and Use of Artificial Intelligence: A Global Study 2025. https://kpmg.com/xx/en/our-insights/ai-and-technology/trust-attitudes-and-use-of-ai.html
  16. KPMG (2025). The American Trust in AI Paradox: Adoption Outpaces Governance. https://kpmg.com/us/en/media/news/trust-in-ai-2025.html
  17. Edelman (2025). AI Trust Imperative ,  2025 Trust Barometer: Technology Sector. https://www.edelman.com/trust/2025/trust-barometer/report-tech-sector
  18. Quinnox (2025). Data Governance for AI: Challenges, Best Practices and Solutions. https://www.quinnox.com/blogs/data-governance-for-ai/
  19. Cloud Security Alliance (2025). AI and Privacy: Shifting from 2024 to 2025. https://cloudsecurityalliance.org/blog/2025/04/22/ai-and-privacy-2024-to-2025-embracing-the-future-of-global-legal-developments
  20. NIST (2024). AI 600-1: Generative AI Risk Management Profile. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
  21. McKinsey (2022). From Principles to Practice: Putting AI Ethics into Action. https://www.mckinsey.com/featured-insights/in-the-balance/from-principles-to-practice-putting-ai-ethics-into-action
  22. Ideas2IT (2025). Mastering AI Governance: How Enterprises Can Balance Innovation and Compliance. https://www.ideas2it.com/blogs/ai-governance-tools-and-best-practices
  23. Nemko Digital (2025). NIST AI Risk Management Framework 1.0: 2025 Guide. https://digital.nemko.com/regulations/nist-rmf
  24. RSI Security (2025). Roadmap to Achieving NIST AI RMF. https://blog.rsisecurity.com/nist-ai-risk-management-framework-guide/
  25. GDPR Local (2025). Top AI Governance Trends for 2025. https://gdprlocal.com/top-5-ai-governance-trends-for-2025-compliance-ethics-and-innovation-after-the-paris-ai-action-summit/
AI Ethics and Compliance

Privacy Policy