1. Purpose
AI regulation is accelerating. Proposed federal legislation (the AMERICA AI Act, still in draft), state laws in California, Colorado, and Texas, and industry-specific requirements such as HIPAA impose, or will soon impose, real obligations on businesses deploying AI tools. Salt & Pixel builds every AI-powered feature -- chatbots, lead scoring, automated outreach, client dashboards -- with compliance built in, not bolted on afterwards.
What This Framework Covers
- Classification of AI features by risk level
- Bias testing methodology for AI-powered tools we build
- Transparency and disclosure requirements for end users
- Data handling and privacy compliance (HIPAA, CCPA, etc.)
- Multi-state considerations for clients with distributed locations
- Ongoing monitoring and audit cadence
2. AI Feature Classification
Every AI-powered feature Salt & Pixel builds is classified during the scoping phase. Classification drives the compliance requirements we build into the project.
| Risk Level | Definition | Examples | Requirements |
|---|---|---|---|
| Standard | AI that handles general business tasks. No decisions about individuals. | FAQ chatbot, content generation, internal analytics | AI label, basic documentation |
| Elevated | AI that influences business decisions involving customer data or lead prioritization. | Lead scoring, AI-driven follow-ups, customer segmentation, appointment prioritization | Bias testing, transparency labels, data handling review |
| High-Risk | AI that makes or directly influences consequential decisions about healthcare, employment, lending, or housing. | Patient intake scoring, care recommendation engines, insurance qualification, hiring screeners | Full bias audit, impact assessment, legal review, ongoing monitoring, regulatory documentation |
3. Bias Testing
All Elevated and High-Risk AI features undergo bias testing before deployment and on a recurring schedule. Standard features receive a lighter annual review (see 3.2) rather than full bias testing.
3.1 Pre-Launch Testing
Required Before Deployment
- Input Review: Audit data sources for demographic representation gaps
- Output Testing: Run test cases across demographic groups, measure outcome variance
- Protected Class Check: Verify no materially different outcomes based on race, gender, age, disability, religion, national origin, or political affiliation
- Edge Cases: Test with ambiguous, incomplete, or adversarial inputs
- Documentation: Record methodology, findings, and remediation steps
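The "Output Testing" and "Protected Class Check" steps above come down to one measurement: the favourable-outcome rate per demographic group and how far each group's rate sits from the best-treated group. The script below is an added example of that check, not Salt & Pixel's own tooling. It runs over constructed lead-scoring outputs (no real client data); the field names `group` and `prioritized`, the 0.8 ratio threshold (the widely used four-fifths heuristic) and the minimum group size of 20 are assumptions chosen for this demo, not requirements stated by the framework. It also handles the "incomplete input" edge case by reporting records with no demographic label instead of silently dropping them, and refuses to draw a conclusion from groups too small to support one.

```python
"""Output-variance check for an Elevated/High-Risk feature such as lead scoring.

Added example, not Salt & Pixel's tooling. Field names ("group", "prioritized"),
the 0.8 ratio threshold and the minimum group size are assumptions for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are choices for this example, not requirements from the framework.
# 0.8 follows the commonly used "four-fifths" heuristic for adverse impact.
RATIO_THRESHOLD = 0.8
# Groups smaller than this are reported as "insufficient data" rather than as
# findings, so a handful of leads cannot swing the audit either way.
MIN_GROUP_SIZE = 20


def build_sample_outputs():
    """Constructed scoring outputs (no real client data)."""
    records = []

    def add(group, total, favourable):
        for i in range(total):
            records.append({"group": group, "prioritized": i < favourable})

    add("A", 40, 20)   # 50% prioritized: the best-treated group
    add("B", 40, 12)   # 30% prioritized: ratio 0.6 against A, below 0.8
    add("C", 10, 2)    # too few leads to conclude anything
    add(None, 5, 3)    # demographic attribute missing (incomplete input)
    return records


@dataclass
class GroupStat:
    n: int = 0
    favourable: int = 0

    @property
    def rate(self) -> float:
        return self.favourable / self.n if self.n else 0.0


def selection_rates(records, group_key="group", outcome_key="prioritized"):
    """Count leads and favourable outcomes per group; a missing label -> 'unknown'."""
    stats = defaultdict(GroupStat)
    for r in records:
        g = r.get(group_key) or "unknown"
        stats[g].n += 1
        if r.get(outcome_key):
            stats[g].favourable += 1
    return dict(stats)


def disparate_impact(records, ratio_threshold=RATIO_THRESHOLD,
                     min_group_size=MIN_GROUP_SIZE):
    """Compare each group's favourable-outcome rate to the best-treated group.

    Returns per-group rates, the reference group, each group's ratio to it,
    groups flagged below the threshold, groups skipped for small n, and the
    count of unlabelled records (which the report must document, not hide).
    """
    stats = selection_rates(records)
    unknown = stats.pop("unknown", GroupStat()).n
    eligible = {g: s for g, s in stats.items() if s.n >= min_group_size}
    skipped = sorted(g for g in stats if g not in eligible)
    report = {"rates": {g: s.rate for g, s in stats.items()},
              "skipped_small_groups": skipped, "unlabelled_records": unknown,
              "reference": None, "ratios": {}, "flagged": []}
    if len(eligible) < 2:
        report["status"] = "insufficient_data"
        return report
    reference = max(eligible, key=lambda g: eligible[g].rate)
    ref_rate = eligible[reference].rate
    report["reference"] = reference
    for g, s in eligible.items():
        ratio = s.rate / ref_rate if ref_rate else 1.0
        report["ratios"][g] = ratio
        if ratio < ratio_threshold:
            report["flagged"].append(g)
    report["flagged"].sort()
    report["status"] = "fail" if report["flagged"] else "pass"
    return report


if __name__ == "__main__":
    rep = disparate_impact(build_sample_outputs())
    print(rep["status"], "flagged:", rep["flagged"],
          "skipped:", rep["skipped_small_groups"],
          "unlabelled:", rep["unlabelled_records"])
```

The report dictionary is what goes into the Bias Test Report deliverable: the rates and ratios are the findings, the flagged groups are what remediation has to address, and the skipped and unlabelled counts are the gaps the Input Review step should close before the next run.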
3.2 Recurring Schedule
| Risk Level | Frequency | Scope |
|---|---|---|
| Standard | Annual | Documentation review, output spot-check |
| Elevated | Semi-annual | Full output analysis, demographic variance check |
| High-Risk | Quarterly | Full audit, third-party review option, regulatory doc update |
4. Transparency & Disclosure
4.1 Every AI Feature (Universal)
- AI Label: Visible indicator on any user-facing AI interaction (e.g., "AI-assisted" badge on chatbots, dashboards)
- System Documentation: Plain-language description of what the AI does and what data it uses
- Human Fallback: Where feasible, users can reach a human instead of AI
4.2 Elevated & High-Risk Additions
- Methodology Disclosure: Scoring/ranking logic explained in accessible language
- Data Source Transparency: All data inputs documented
- Contestability: Process for users to challenge AI-driven decisions
- State-Specific Notices: Written disclosures per applicable state laws (CA, CO, TX, etc.)
5. Data Handling & Privacy
PHI / Healthcare Data
AI features processing Protected Health Information must comply with HIPAA:
- Data isolation per entity (no cross-location visibility without authorization)
- Encryption at rest and in transit
- Access logging and audit trails
- BAA (Business Associate Agreement) in place with every AI vendor that processes PHI
- Minimum necessary standard: AI accesses only the PHI required for its function
General Data Requirements
- Data retention policy defined per project
- PII handling documented and minimized
- CCPA compliance for California residents
- No client data used for model training without written consent
- Vendor data processing agreements reviewed
6. Regulatory Reference
Key AI regulations that may apply to client projects, depending on industry and location:
| Jurisdiction | Law | Effective | Key Requirements |
|---|---|---|---|
| Federal | AMERICA AI Act (draft) | TBD | Bias audits for high-risk AI, protected class protections |
| California | SB 942 | Jan 2026 | AI content disclosure |
| California | AB 489 | 2026 | AI cannot imply it holds a healthcare license |
| Colorado | SB 24-205 | Feb 2026 | Impact assessments, consumer notice for high-risk AI |
| Texas | TRAIGA | Jan 2026 | Written disclosure for AI in patient care |
Multi-Location Clients
If your business operates in multiple states, each location must comply with its state's laws. Salt & Pixel identifies applicable regulations during project scoping and builds compliance into the tool from the start.
7. Our Build Process
Compliance is integrated into how Salt & Pixel builds, not treated as an afterthought:
- Scoping: Classify every AI feature by risk level at project kickoff
- Spec: Compliance requirements written into the technical specification
- Build: Transparency labels, data isolation, and audit logging built during development
- Pre-Launch: Bias testing and disclosure review before going live
- Handoff: Compliance documentation delivered with the project
- Ongoing: Audit schedule set, regulatory updates flagged to client
8. What You Receive
Every Salt & Pixel project with AI components includes compliance deliverables scaled to the risk level:
All Projects
- AI Feature Classification (Standard, Elevated, or High-Risk)
- Transparency Disclosure Templates (user-facing copy, reusable)
- Data Handling Summary
- Audit Schedule (review cadence based on risk tier)
Elevated & High-Risk Projects
- Bias Test Report (pre-launch testing results and methodology)
- Vendor Risk Flags (known data handling concerns with third-party tools)
Enterprise & Multi-Location Add-Ons
For clients with multi-state operations or heightened regulatory exposure, additional deliverables are available:
- Multi-state regulatory compliance map
- Full vendor data processing agreement review
- Ongoing regulatory monitoring and proactive updates