Most boards prepare for regulatory review by improving their governance documentation. They update their AI risk frameworks. They commission external audits. They strengthen their board reporting on AI oversight.

None of that is what regulators ask about when something goes wrong.

When a regulator examines a specific adverse AI-assisted decision, a credit refusal that triggered a complaint, a benefits determination that was overturned on appeal, an employment decision that attracted a discrimination claim, the questions they ask are forensic. They are about a specific moment in time, a specific system state, and a specific record.

Understanding those questions in advance is the only preparation that matters.

Across the major regulatory frameworks relevant to UK and European AI deployment, the FCA, ICO, the EU AI Act supervisory authorities, and the emerging national competent authorities for AI, the examination pattern for AI-assisted adverse outcomes follows a consistent structure. It has four phases.

Phase 1: System identification. The regulator establishes which AI system produced the output under examination, what version of that system was deployed at the relevant time, and what authorisation the system had for the category of decision it was making. The questions in this phase are: what system was this, who authorised it, and under what conditions?

Phase 2: Decision reconstruction. The regulator attempts to reconstruct the specific decision: what inputs the system received, what processing steps it applied, what output it produced, and what human involvement, if any, occurred between the system's output and the final decision communicated to the affected party. The questions in this phase are: what happened, in what sequence, at what moment?

Phase 3: Risk state assessment. The regulator assesses what the organisation knew, at the moment of the decision, about the risk that materialised. Was a relevant threshold breached? Was an anomaly flagged? Was a monitoring alert triggered and if so, what action did it produce? The questions in this phase are: what was known, and when?

Phase 4: Governance adequacy assessment. Having established the facts of the decision and what was known at the time, the regulator assesses whether the governance framework was adequate to have detected and responded to the risk. This is where director liability under the applicable regime, SM&CR, Companies Act, EU AI Act, is assessed. The questions in this phase are: given what you knew, was your governance response adequate?

Most organisations can partially answer Phase 1. Fewer can answer Phase 2. Almost none can answer Phase 3 with the specificity regulators require. Phase 4 is therefore almost always an adverse finding.

Phase 2, decision reconstruction, is where most governance programmes fail, and where the failure has the most direct legal consequences.

The specific questions regulators ask in Phase 2 are not general. They are the kind of questions that can only be answered by a contemporaneous record, a log entry that exists whether or not anyone anticipated the need for it.

Can you produce the exact input dataset the model received for this specific decision? Not the category of inputs. The exact dataset, at the exact moment.

Can you identify which version of the model, including any weights, hyperparameters, or configuration settings relevant to this decision category, was in production at the relevant time?

Can you produce a record of any pre-processing applied to the input data before it reached the model?

If the system involved a chain of models or processing steps, preprocessing, classification, ranking, output formatting, can you produce the record at each step?

Can you identify the specific human oversight action, if any, that occurred between the model's output and the final decision? Who reviewed it, what were they shown, and what did they decide?

If no human oversight action occurred, was the absence of human oversight consistent with the governance framework the board had approved?

These questions can only be answered by records that were created at the time of the decision. Retrospective reconstruction, attempting to approximate the system state from general documentation, is not accepted as governance evidence by the FCA, by the ICO under UK GDPR Article 22 requirements, or by EU AI Act supervisory authorities under Article 12.

Phase 3, risk state assessment, is less well understood as a regulatory focus, but it is where personal director liability most directly attaches.

The FCA's SM&CR requires that senior managers can demonstrate the specific steps they took to satisfy themselves that a system was operating as intended. This is not a question about governance policy. It is a question about what the senior manager actually saw, at what point in time, and what they did with it.

If a system was operating outside its approved risk parameters at the moment of a specific decision, the regulator will ask: was this visible in the monitoring data? If it was visible and not acted upon, the question becomes: who had access to that data, and what was their responsibility to act?

If a monitoring threshold was breached, the regulator will ask: what was the escalation protocol, and can you show it was followed?

If no monitoring data exists for the relevant period, the regulator will ask: why was the system authorised to operate without continuous monitoring?

These questions have answers. But the answers must exist in contemporaneous records. A board that can produce its monitoring protocol but cannot produce evidence that monitoring was actually occurring at the relevant time has documented an intention it cannot verify was carried out.

The preparation most boards undertake, improving governance documentation, commissioning audits, strengthening board reporting, addresses Phase 1 adequacy and Phase 4 framework assessment. It does not address Phases 2 and 3, which are where liability concentrates.

Preparation for Phases 2 and 3 requires something different. It requires building, testing, and verifying the logging and monitoring infrastructure that will produce the records regulators will require.

Specifically, it requires being able to answer yes to three questions for every AI system the board has authorised.

First: if a regulator issued a notice tomorrow requiring you to produce a complete record of every decision this system made in the last 90 days, inputs, processing steps, outputs, oversight actions, monitoring state, could you produce that record from existing logs, without reconstruction?

Second: if a specific decision made three months ago is identified as producing an adverse outcome, could you reconstruct the complete information picture, model version, input data, system risk state, oversight actions, from contemporaneous records alone?

Third: does the board receive, at defined intervals, not a summary of AI system performance but actual decision records, specific outputs, specific oversight actions, specific monitoring data, sufficient to demonstrate that the governance conditions it authorised are being maintained in operation?

If the answer to any of these is no, the organisation is not prepared for the regulatory examination it will eventually face. It is prepared for the examination it expects, which is not the same thing.

Regulatory preparation that focuses on governance documentation is preparation for Phase 1 and Phase 4.

The liability attaches in Phases 2 and 3. And the only preparation that works is the record that exists at the moment the decision is made.

Dr. Ivan Roche FRSS FRSA MInstP
Founder and Principal Advisor · Otopoetic Limited · Belfast