Closing: Compliance Without the Theater
You leave this course knowing the regulatory landscape is dense but coherent. Build governance once, properly, and one program covers what each of these frameworks asks of you.
The pattern: EU AI Act, NIST AI RMF, ISO 42001, GDPR. The frameworks overlap far more than they conflict. Risk classification under the EU AI Act drives the legal obligations. The NIST functions (govern, map, measure, manage) drive the operational discipline. ISO 42001 documentation drives audit-ready evidence. GDPR applies wherever personal data appears, on top of whatever the other three require. Run as one program rather than four, compliance scales with the product instead of against it.
The weXare thesis applies here too: compliance is design discipline, not paperwork. The teams that treat it as paperwork get the worst of both worlds (slow AND non-compliant). The teams that bake it in get fast AND compliant. The same human-in-the-loop patterns that improve product quality satisfy regulator demands for human oversight.
**Five takeaways to keep:**
1. Classify each AI system under the EU AI Act first. Risk tier drives everything else.
2. NIST RMF is the operational backbone. Govern, map, measure, manage.
3. ISO 42001 is your audit evidence layer. Document or it did not happen.
4. GDPR applies to any personal data your AI system touches, and a DPIA is required wherever that processing is likely to be high risk, which in practice covers most AI use of personal data. Plan for it.
5. Anti-discrimination law applies to AI outputs. Audit your model for bias the same way you audit your hiring practices.
**What is next:** Take [Building AI Products Responsibly](/en/learn/building-ai-products-responsibly) for the design side. Take [Advanced HITL Patterns](/en/learn/advanced-hitl-patterns) for the human oversight side. Take [Scaling Human-Centered AI](/en/learn/scaling-human-centered-ai) when governance has to scale across the org.
Now go build compliance into the product, not around it.