AI Industry Transparency Guidelines

The European Commission has officially published its draft guidelines on AI transparency obligations (Article 50). While much of the recent political debate in Brussels has focused on the delayed timelines for high-risk systems, these new guidelines deal with the immediate requirement for transparency. I have reviewed the 40-page document. Here are the four most critical takeaways for your HR technology strategy: 1️⃣ The end of the 'generic assistant' trap Many recruitment teams use AI chatbots that are given human names or labelled vaguely as 'virtual assistants'. The draft guidelines explicitly target this practice. You must clearly inform candidates about the artificial, non-human nature of the interacting counterpart. A single disclosure buried in your Terms and Conditions is no longer sufficient. The guidelines strongly recommend multi-modal disclosures, such as persistent badges visible throughout the interaction. 2️⃣ Emotion recognition is a prohibited practice The guidelines address the transparency requirements for emotion recognition systems but they include a crucial reminder for the HR sector. The use of emotion recognition is outright prohibited in the workplace. If a vendor pitches an assessment tool claiming to analyse a candidate's facial expressions or vocal tone to infer their emotional state, reject it. It is not just poor science; it is a prohibited practice under the AI Act. 3️⃣ There is no 'grandfathering' for transparency You might assume that because you procured your AI screening tool years ago it is exempt from these new rules. The draft guidelines clarify that while a special grandfathering rule applies to high-risk compliance for legacy systems, it does not apply to transparency obligations. Every AI system you use that interacts with humans or generates synthetic content must be updated to meet these transparency standards regardless of when you bought it. 4️⃣ Mandatory transparency for GenAI communications If your team uses generative AI to draft candidate rejection emails, automate interview feedback, or write job adverts, you can no longer seamlessly pass this off as human-authored. The guidelines dictate that AI-generated synthetic text (or images, audio etc.) must be marked in a machine-readable format and be fully detectable. Furthermore, individuals must be informed clearly at the very first point of exposure. If you rely heavily on AI to mass-produce automated communications, your workflow will require immediate structural updates to remain compliant. The consultation period for these guidelines closes on 3 June 2026. We must stop treating AI transparency as a legal hurdle and start viewing it as a fundamental pillar of candidate trust. I have attached the full draft guidance document below and I have dropped the link to the official consultation in the comments. Are your technology vendors prepared to meet these stringent transparency standards? Are your internally built tools (agents)?

Yesterday, the AI Office published the third draft of the General-Purpose AI Code of Practice, a key regulatory instrument for AI providers seeking to align with the EU AI Act. Developed with input from 1,000 stakeholders, the draft refines previous versions by clarifying compliance requirements and introducing a structured approach to regulation. GPAI providers must meet baseline obligations on transparency and copyright compliance, while models classified as having systemic risk face additional commitments under Article 51 of the AI Act. The final version, expected in May 2025, aims to facilitate compliance while ensuring AI models adhere to safety, security, and accountability standards. The Code introduces the Model Documentation Form, requiring AI providers to disclose key details such as model architecture, parameter size, training methodologies, and data sources. Transparency obligations include specifying the provenance of training data, documenting measures to mitigate bias, and reporting compute power and energy consumption. GPI providers must also outline their models’ intended uses, with additional requirements for systemic-risk models, including adversarial testing and evaluation strategies. Documentation must be retained for twelve months after a model is retired, with copyright compliance mandatory for all providers, including open-source AI. GPAI providers must establish formal copyright policies and comply with strict data collection rules. Web crawlers cannot bypass paywalls, access piracy sites, or ignore the Robot Exclusion Protocol. The Code also requires providers to prevent AI-generated copyright infringement, mandate compliance in acceptable use policies, and implement mechanisms for rightsholders to submit copyright complaints. Providers must maintain a point of contact for copyright inquiries and ensure their policies are transparent. For AI models with systemic risk, the Code introduces a Safety and Security Framework, aligning with the AI Act’s high-risk requirements. Providers must assess risks in areas such as cyber threats, manipulation, and autonomous AI behaviours. They must define risk acceptance criteria, anticipate risk escalations, and conduct assessments at key development milestones. If risks are identified, development may need to be paused while safeguards are implemented. GPAI providers must introduce technical safeguards, including input filtering, API access controls, and security measures meeting at least the RAND SL3 standard. From 2 November 2025, systemic-risk models must undergo external risk assessments before release. Providers must maintain a Safety and Security Model Report, report AI-related incidents within strict timeframes, and implement governance structures ensuring responsibility at all levels. Whistleblower protections are also required. With the final version expected in May 2025, AI providers have a short window to prepare before the AI Act takes full effect in August.

🤖‼️Today, the AI Office (European Commission) published for public consultation the draft Guidelines on the implementation of the transparency obligations for certain AI systems under Article 50 #AIAct. It is a 40-page document, and here are the insights I found most interesting. Article 50 AI Act should not be read as a narrow labelling provision. It creates a horizontal transparency layer for several AI use cases. A key point is the allocation of responsibility. Providers are responsible for transparency-by-design where systems interact directly with people or generate/manipulate synthetic content. Deployers are responsible for using emotion recognition or biometric categorisation systems, or publishing deep fakes or AI-generated public-interest text. The Guidelines also clarify that employees, freelancers or contractors acting under the control of a legal person should not normally be treated as separate deployers. The personal-use exclusion is interpreted narrowly. A natural person creating AI-generated Christmas cards for relatives may fall outside the deployer's obligations, but a person publicly sharing a political deepfake of a local mayor would not. This is important because public dissemination may take the activity outside the purely personal and non-professional sphere, even without economic benefit. For synthetic content, the draft draws an important distinction between machine-readable marking and detectability. Providers must not only mark outputs, but also ensure that detection is possible. Marking alone is not enough. The technical solution should be effective, reliable, robust and interoperable. This points to a compliance architecture involving watermarks, metadata, cryptographic methods, provenance tools, fingerprints, or a combination of these. Mere reproduction, ranking or arrangement of existing content, source code, machine-to-machine outputs, short technical strings, and closed-loop industrial outputs not intended for human interpretation may fall outside Article 50(2). At the same time, agentic AI and multimodal systems may fall within the scope in which their outputs are perceptible to natural persons as text, audio, images, or video. The guidelines explain what consutities a deepfake under Article 50(4) AI Act. A deepfake requires a strong resemblance to real people, objects, places, entities, or events, and a false appearance of authenticity or truthfulness. The intention to deceive is not decisive. The assessment must consider the actual audience, including children, elderly persons and persons with lower digital or AI literacy. Even artistic, fictional or satirical deep fakes are not exempt; they benefit only from a lighter disclosure regime that must not hamper the enjoyment of the work.

The European Commission published its first draft of the “Code of Practice on Transparency of AI‑Generated Content” designed as a tool to help organizations demonstrate alignment with the transparency requirements (Art. 50) of the AI Act. Article 50 of the AI Act includes obligations for providers to mark AI-generated or manipulated content in a machine-readable format, and for users who deploy generative AI systems for professional purposes to clearly label deepfakes and AI-text publications on matters of public interest. The document is divided into two sections. The first section covers rules for marking and detecting AI content, applicable to providers of generative AI systems, including to: - Use a Multi‑layered machine-readable marking of AI‑generated content - Use imperceptible watermarks interwoven within content - Adopt a digitally signed “manifest/provenance certificate” for content that can’t securely carry metadata - Offer free detection interfaces/tools, including confidence scoring, and complementary forensic detection that does not rely on active marking - Test against common transformations and adversarial attacks - Use open standards and shared/aggregated verifiers to enable cross-platform detection and lower compliance friction The second section covers labelling deepfakes and certain AI-generated or manipulated text on matters of public interest and is applicable to deployers of generative AI systems, including: - Deepfake labelling - Modality‑specific labelling rules for real-time video, non-real-time video, images, multimodal content, and audio-only - Operational governance: encourages internal compliance documentation, staff training, accessibility measures, and mechanisms to flag and fix missing/incorrect labels.

Businesses that offer generative AI systems or services in California should be aware that the state's Generative AI Training Data Transparency Act takes effect on January 1, 2026. It imposes documentation and disclosure obligations on developers of such systems released on or after January 1, 2022. Specifically, covered developers must post on their website documentation describing the data used to train, test, validate, or fine-tune the system, including: · Sources or owners of datasets and how they support the system’s intended purpose. · The size of datasets (ranges permitted; estimates for dynamic datasets). · Types and characteristics of data points and labeling practices. · Whether datasets include copyrighted, trademarked, or patented material versus public domain content. · Whether datasets were purchased or licensed. · Whether datasets include personal information or aggregate consumer information as defined under California law. · Any cleaning, processing, or modifications performed and their purposes. · Data collection periods, including whether collection is ongoing, and the dates first used in development. · Whether synthetic data generation was used, and the functional need for it if included. There are certain exemptions, including if the system (i) is made available only to a federal entity exclusively for national security, military or defense purposes (ii) or made available solely to a hospital medical staff member. Businesses offering generative AI systems and services in California should consider taking the following next steps: · Conducting a data provenance and licensing assessment for all covered systems released since January 1, 2022. · Building a standardized disclosure template aligned with the statute’s enumerated elements to support publication before January 1, 2026 and at each substantial modification. · Establishing change‑management triggers so that retraining or fine‑tuning that materially affects performance prompts updated disclosures. · Mapping exemptions, if any apply, and document the basis for relying on them. #geospatiallaw #geoai

At the end of September, Governor Gavin Newsom signed the Transparency in Frontier Artificial Intelligence Act (S.B. 53), requiring large AI companies to report the risks their systems pose and the safeguards they have in place. Unlike last year’s vetoed S.B. 1047, this new version de-emphasizes liability. It explicitly caps financial penalties—even for catastrophic AI failures—and focuses instead on transparency and reporting. As Senator Scott Wiener explained, “Whereas SB 1047 was more of a liability-focused bill, SB 53 is more focused on transparency.” In this new piece for Institute for Law & AI (LawAI), https://lnkd.in/gAig3vSz, Josephine Wolff and I argue that SB 1047's basic approach makes sense, as expanding liability for AI harms won’t necessarily make AI systems safer or more secure. Liability almost always brings insurers into the picture—and as we’ve seen in the cyber insurance market, insurers often struggle to model or mitigate complex, evolving risks. When that happens, insurance helps firms manage liability exposure, not safety risk. California’s transparency-first approach is a smarter place to start. By requiring companies to report on AI risks and incidents, regulators can help build the data needed to understand what works—and what doesn’t—when it comes to preventing AI-related harms. That kind of foundation is critical if we want policy, regulation, and insurance to actually make emerging technologies safer.