AI Governance Briefing — January 23, 2025

With the EU AI Act’s Article 5 ban taking full effect on 2 February, Zeph Tech is pressing suppliers for final attestations that prohibited AI features are offline and documented.

Executive briefing: Regulation (EU) 2024/1689 prohibits unacceptable-risk AI systems starting on 2 February. The Commission’s Q&A reiterates that deployers must ensure biometric categorisation, untargeted facial scraping, manipulative systems, and social scoring are withdrawn everywhere. Zeph Tech has locked a supplier cutover window ending this week so procurement, legal, and engineering teams can collect technical-file evidence and executive approvals before market-surveillance authorities request proof.

Control checkpoints

  • Portfolio reconciliation. Match every AI-enabled product and vendor module to Article 5 risk statements and document whether the capability was removed, redesigned, or contractually barred.
  • Third-party attestations. Require vendors to certify withdrawal steps, data purges, and human-rights impact findings, keeping the artefacts with Article 71 technical documentation.
  • Service desk gating. Update change-management queues so any request that could re-enable prohibited functions automatically routes to legal and compliance review.

Evidence package

  • Archive source-code diffs, model retirement reports, and dataset destruction logs alongside supplier attestations for rapid disclosure to national authorities.
  • Record procurement approvals showing how contracts were amended or terminated to remove banned features and prevent shadow use.
  • Capture validation test results proving that customer-facing channels, SDKs, and partner APIs no longer expose prohibited inference paths.

Enablement moves

  • Brief customer-success and trust teams on acceptable replacement workflows so clients understand why functionality changed.
  • Feed lessons into Zeph Tech’s 2025 general-purpose AI programme to accelerate documentation and systemic-risk assessments ahead of August obligations.
  • Schedule post-mortems with critical vendors to benchmark readiness levels against NIST AI RMF Govern/Map functions and ISO/IEC 42001 controls.