Provider vs Deployer — Responsibilities — Foundations

Zen AI Governance — Knowledge Base EU/UK alignment Updated 05 Nov 2025 www.zenaigovernance.com ↗

Provider vs Deployer — Responsibilities

EU AI Act Compliance Foundations EU/UK aligned
Key takeaways
  • Map each legal obligation to a named owner; don’t assume your vendor “covers it”.
  • If you substantially modify a system, you may become the Provider under law.

Roles & definitions

  • Provider: Places the AI system on the market or puts it into service under their name/brand.
  • Deployer: Uses an AI system in their operations; configures purpose, settings, cohorts.

Provider obligations

  • Technical file; risk management; data governance; accuracy/robustness/cybersecurity; human oversight design.
  • CE/UKCA where applicable; post-market plan; incident reporting; instructions of use; transparency artefacts.

Deployer obligations

  • Use per intended purpose; implement oversight; train operators; monitor PMM signals; keep records.
  • Conduct DPIAs/LIAs where needed; communicate incidents; respect user transparency duties.

Shared responsibilities

  • Security controls; logging; incident collaboration; fair & lawful data processing with evidence.

Contracts & flow-downs

  • Evidence rights; audit rights; incident SLAs; supplier attestations; use constraints; termination/return-of-data.

Foundation model specifics

  • Obtain model safety/security statements; document limitations; align guardrails and acceptable use.

Integrations & APIs

  • Track each integration’s risk; restrict egress; rotate keys; verify provenance of responses where used in RAG.

Evidence & attestations

  • Index of supplier docs; internal approvals; training logs; PMM dashboards; audit snapshots per release.

Change & substantial modification

  • Triggers: model swap, data overhaul, new purpose, removal of safeguards; reassess role and obligations.

Liability & insurance

  • Map risks to coverage (professional indemnity, cyber); define regress and caps; keep incident proof trails.

Common pitfalls

  • Ambiguous roles; missing PMM; stale instructions of use; no evidence of operator training.

Responsibility checklist

  • Roles assigned; contracts cover safety/evidence; oversight implemented; PMM and incidents integrated.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.
