veetso.
Definition · AI compliance

AI compliance is a controls system, not a statement.

AI compliance is the discipline of building, registering, and operating AI workflows under explicit controls rather than under a values statement. The work is procedural, repeatable, and verifiable by an auditor. This page sets out what AI compliance looks like in practice, and links to the artefacts Veetso operates against.

Discipline: Procedural, repeatable, auditable
Primary artefact: Use-case register
Control surface: Six gates · Hash-chained audit log
Governing body: AI Steering Committee
Sits alongside: Risk management · Internal audit · Privacy
Distinct from: AI ethics · AI safety research
01 · What AI compliance is

    Procedural rather than aspirational.

    The work of AI compliance is the work of producing artefacts an auditor can inspect: a register of every place AI does work, a written rule for what AI may and may not be used for, a documented record of vendor reviews, a verifiable trail of every AI-assisted decision, a measured set of outcomes refreshed on a known cadence. The work happens whether or not anyone has written a values statement. The values statement is optional; the artefacts are not.

    When an AI compliance function is working, a question like "what controls apply to alert triage" should be answerable in a few minutes by reading the use-case register entry, following its references to the controls library, and checking the most recent test result. When the function is not working, the answer requires a meeting.

02 · The six gates

    Every AI workflow clears the same six controls.

    The six gates are: use-case registration, data classification, access scoping, source attribution, human oversight, and vendor due diligence. Each is documented, owned by a named person, and verifiable from the audit log. None is optional. The gates are the operational definition of AI compliance at Veetso: a workflow that clears all six is compliant; one that does not is not deployed.

    The gates were designed to be cheap enough to clear in a day. Expensive controls get worked around; cheap controls get cleared. The discipline is in keeping the gates lightweight enough to survive contact with deadline-driven product work, without sacrificing what they exist to produce.

03 · The audit trail

    Hash-chained, append-only, end-to-end verifiable.

    The audit trail is the operational truth of AI compliance. Every query, source match, gate check, draft, and approval writes an entry; each entry's hash is computed over its own contents plus the previous entry's hash. Modifying any historical entry invalidates every entry after it, so tampering becomes visible by inspection rather than requiring an audit. A regulator can verify the chain end to end without trusting our word for it.
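
    The chaining rule above, as an added illustration that is not Veetso's own audit-log code: each entry's SHA-256 is computed over its fields plus the previous entry's hash, and `verify` walks the chain to report the first entry that no longer fits. The entry fields, the all-zero genesis value and the sample events are constructed for the example.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry (constructed convention)


def entry_hash(entry: dict) -> str:
    """SHA-256 over the entry's own fields plus prev_hash, with a fixed key order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append(log: list, event: str, workflow: str, gate: str, actor: str) -> dict:
    """Append one entry; its hash binds it to the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "event": event, "workflow": workflow,
             "gate": gate, "actor": actor, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify(log: list) -> Optional[int]:
    """Return the index of the first entry that fails, or None if the chain verifies end to end."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev_hash"] != prev or e["hash"] != entry_hash(e):
            return i
        prev = e["hash"]
    return None


def build_sample_log() -> list:
    # Constructed sample: one alert-triage workflow clearing gates on its way to approval.
    log = []
    append(log, "query", "alert-triage", "data-classification", "svc-triage")
    append(log, "gate-check", "alert-triage", "access-scoping", "svc-triage")
    append(log, "draft", "alert-triage", "source-attribution", "svc-triage")
    append(log, "approval", "alert-triage", "human-oversight", "analyst-01")
    return log


def tamper_demo() -> tuple:
    """Edit a historical entry and show where verification breaks, before and after re-hashing it."""
    log = build_sample_log()
    log[1]["actor"] = "someone-else"      # historical edit, hash left as it was
    first_bad = verify(log)               # entry 1: stored hash no longer matches its contents
    log[1]["hash"] = entry_hash(log[1])   # re-hash the edited entry to try to hide the change
    return first_bad, verify(log)         # entry 2 still carries the old hash of entry 1
```

    `verify` detects modification of any earlier entry, but not removal of entries from the tail, so the current head hash should be anchored outside the store (for example, countersigned or published on a schedule) for the end-to-end check a regulator would run.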

    The trail is also the input to the metric pack the AI Steering Committee reviews every month. Six numbers refreshed weekly, visible without a ticket: precision and recall on alert triage, decision latency on KYC review, draft acceptance rate, audit-log integrity status, and the weekly gate-violation count. Numbers that get exposed are the numbers that get watched.

04 · AI compliance vs AI ethics

    Different work, different audience.

    AI compliance and AI ethics are sometimes treated as synonyms; they are not. AI ethics is the work of asking whether a use case should exist at all, with an audience of staff, board, customers, and the public. AI compliance is the work of operating an approved use case under the controls that govern it, with an audience of auditors, supervisors, and regulators. The two disciplines overlap where the ethics decision becomes a binding rule; otherwise they sit alongside one another.

    A platform can have a strong ethics posture and a weak compliance posture, or the reverse. Veetso treats both as load-bearing: the ethics work shapes which use cases enter the register; the compliance work shapes how the use cases in the register are operated. Neither replaces the other.

Read on

The framework, the steering committee, the audit.

Three pieces carry most of the practical detail: the regulator-readable framework, the steering-committee charter, and the audit walkthrough. Each one stands alone; together they are the operating manual.