Legal

AI Governance

AI regulation asks operators of AI that touches employment, money or filings to evidence what the system did, keep a human in control, and be transparent. Our products are built so those controls and records exist by default. This maps the main obligations to what we provide — and is honest about what stays your organisation’s responsibility as the deployer. We provide the controls and the audit record; we do not perform a conformity assessment or claim a certification we don’t hold.

Last reviewed: 2026-07-05.

ProvidedPartialRoadmapYour duty — we evidence it

European Union — EU AI Act

Automatically record events over the system’s lifetime so activity is traceable.

EU AI ActArt. 12 — record-keeping / logging

Provided

Every agent action and workflow step is logged append-only and tamper-evident — what ran, on what data, when, and who approved it — and is exportable at any time.

Ensure a human can oversee, intervene in, and stop the system.

EU AI ActArt. 14 — human oversight

Provided

Anything that moves money, files to an authority, sends externally or is otherwise irreversible is default-deny and held for a human’s explicit approval, with a preview. It never runs on its own; the system fails safe (holds).

Users are informed they are interacting with AI and given the information to interpret output.

EU AI ActArt. 13 / 50 — transparency

Provided

Agents present as AI, cite the source behind a domain answer, and say when they don’t know and route to a human rather than fabricating a figure or a legal position.

Govern the data the system uses; manage access and quality.

EU AI ActArt. 10 — data governance

Provided

Per-organisation isolation on every record, per-department document scoping, and least-privilege connectors you authorise. Your data is not used to train third-party models.

For high-risk uses, run a risk-management process and conformity assessment.

EU AI ActArt. 9 — risk management & conformity assessment

Your duty — we evidence it

Where your use is high-risk (e.g. employment decisions), the assessment and CE process remain your organisation’s duty as deployer. We supply the logs, oversight controls and documentation to evidence it — we do not perform the assessment for you.

United States — federal framework

A voluntary framework for trustworthy AI — governance, risk mapping, measurement and management.

NIST AI RMFGovern / Map / Measure / Manage

Partial

The approval gate (Manage), the audit trail (Measure/Govern) and source-grounded answers support an RMF programme. It is a framework, not a certification — we align to it; we don’t claim conformance.

United States — state employment rules

No consequential employment decision made solely by an automated tool; human involvement required.

Colorado AI Act / NYC Local Law 144 / EEOC guidanceAutomated employment-decision rules

Provided

The product never makes an employment decision autonomously — HR agents prepare and recommend; a human approves every consequential action through the gate. The record shows the human decided.

Independent bias audit of an automated employment-decision tool and notice to candidates.

NYC Local Law 144Bias audit + candidate notice

Your duty — we evidence it

The bias audit and candidate notice remain your legal duty as the employer. We provide the action log and inputs/outputs an auditor needs; we do not issue the audit or the notice on your behalf.

This page describes the controls and records Mellow provides and the duties that remain with you as the deployer of the system. It is not a certification, conformity assessment, or legal advice.