A regulator or your legal team flags that your AI feature may fall under high-risk AI rules like the EU AI Act. As the PM, how do you respond?
role-specific · Mid level · product-management
What the interviewer is really asking
Test whether the candidate can turn AI regulatory obligations into concrete product requirements — risk classification, documentation, human oversight, logging, transparency — and partner with legal rather than treating compliance as a blocker to route around.
What to say
- First establish the actual classification with legal: does the feature genuinely meet the high-risk criteria for its use case, because the obligations and the bar scale with that determination.
- Translate the requirements into product and roadmap work, not just paperwork: human oversight and override, data-governance and bias controls, logging with retention, technical documentation, and user-facing transparency about AI involvement.
- Partner with legal and compliance as co-owners, build the obligations into the launch plan and timeline rather than bolting them on, and weigh whether the use case is worth the compliance burden at all.
What to avoid
- Treat compliance as legal's problem and a blocker, and look for ways to ship around it or quietly launch in a lower-scrutiny market.
- Dismiss it as paperwork and assume engineering will sort the technical requirements out without product involvement.
- Panic and kill the feature without first confirming whether it actually meets the high-risk classification.
Example answers
Strong: My first move was to nail the classification with legal rather than assume — our AI feature touched hiring screening, which is explicitly a high-risk use case, so the obligations were real. I then turned the requirements into backlog items: a human-oversight step so the model never auto-decided, decision logging with retention for auditability, a data-governance and bias review, technical documentation, and clear user disclosure that AI was involved. I sequenced these into the launch plan with legal as a co-owner so we shipped compliant on the first date, not retrofitted later.
Weak: Compliance is legal's job — I'd hand it to them and keep building, and we'd deal with the requirements if they actually become a problem.