Assess legal considerations for every AI use case
No AI feature at Bizzi enters sprint planning until one artifact is signed: a five-question legal assessment. The questions are short, blunt, and the same for every team. They form the compliance gate inside the six-step intake process from Pillar I §1.2.
Context
A legal review that arrives after engineering has chosen a vendor, picked an architecture, and built a prototype is a legal review that arrives too late. The five questions push the decisions that change architecture to the front of the funnel, before anyone writes code: DPIA, human-in-the-loop, residency, OSS license, disclosure. The questions are also the contract between squads and Legal. If a squad cannot answer them with evidence, the case does not move.
How we implement
The five questions, with the trigger each one fires.
- Q1. Does the feature process personal data? If yes, a DPIA is mandatory. Legal is Accountable. The Data/AI Steward is Responsible. If the feature processes sensitive financial data without personal data, a narrower disclosure risk assessment still runs.
- Q2. Does the feature automate decisions with material legal or financial consequences? If yes, human-in-the-loop is mandatory (Pillar III §3). Cross-map to GDPR Article 22 and Decree 13 Article 19 on automated decisions. AI auto-approving payments is a yes. AI summarizing a contract is a no.
- Q3. Does data leave Vietnamese territory? If yes, the residency assessment in §4 runs. Enterprise and banking customers contractually require in-country hosting. Any vendor processing in an offshore region requires a Data Processing Addendum and a Standard Contractual Clauses analogue.
- Q4. Does the feature use an open-source model? If yes, Legal reviews the license matrix in §6. Some OSS licenses (SSPL, and AGPL in specific configurations) are not compatible with commercial use.
- Q5. Does the feature need an end-user AI disclosure? Every chatbot interaction and every material AI-generated artifact must carry an AI Disclaimer. Cross-map to EU AI Act Article 50 transparency obligations.
The workflow
- The squad submits the proposal with the five answers attached.
- The Data/AI Steward triages. Anything touching personal data routes to the DPO.
- DPO and Legal score the legal risk. Low, Medium, or High.
- High-risk items require AI Governance Board approval.
- The output becomes one of the formal inputs to the six-step intake framework.
Standards mapping
Worked example. AI assistant
The accountant-facing AI assistant, run through the five questions.
- Q1. Yes. The assistant sees queries containing personal data (vendor contact names, signatory ID numbers). DPIA required.
- Q2. No. The assistant retrieves and explains. It does not approve payments.
- Q3. Conditional. Depends on the LLM vendor chosen. You must pin a vendor able to guarantee Vietnamese residency for enterprise tenants.
- Q4. Partially. You use embeddings from an OSS model. Legal confirms license compatibility before the model enters production.
- Q5. Yes. The UI carries a visible “You are talking to an AI assistant” disclaimer.
Assessment result. Medium risk. Required controls. DPIA, HITL fallback for sensitive queries, AI Disclaimer, and private hosting for banking tenants. The feature enters the sprint with these controls written into its acceptance criteria.