The Field Guide

Terms, frameworks, and concepts for the law–AI–tech space, explained plainly: the jargon without condescension, and the distinctions that actually matter in practice.

AI Governance
High-Risk AI System

Under the EU AI Act (Article 6), a "high-risk AI system" is either a system used for one of the purposes listed in Annex III (biometric identification, critical infrastructure, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, and the administration of justice and democratic processes) or a system that is a safety component of a product, or is itself a product, covered by the EU harmonisation legislation listed in Annex I. Being high-risk triggers obligations on risk management, data and data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness and cybersecurity, plus a conformity assessment before the system is placed on the market or put into service.

Why it matters — Most discourse about "regulating AI" treats all AI systems as equivalent. The EU Act's risk categorization is far more surgical. An HR recruitment tool screening CVs is high-risk; a spam filter is not. The legal obligations differ enormously. Understand the risk tier before you analyze the compliance requirements. Note also the Article 6(3) carve-out: an Annex III use case that does not pose a significant risk to health, safety or fundamental rights (for example, one performing a narrow procedural task) can be treated as not high-risk, but the provider must document that assessment and can be asked to justify it.

GPAI Model

General-purpose AI (GPAI) models are AI models with significant generality, able to perform a wide range of distinct tasks and to be integrated into many downstream systems; the large language models behind GPT-4 or Claude are the clearest examples. The EU AI Act regulates the model separately from the AI systems built on it, and in the Act's terminology a GPAI model is a model, not a system. GPAI providers carry their own obligations (technical documentation, information for downstream providers, a copyright policy, and a public summary of training content), with additional obligations for models deemed to have "systemic risk", which is presumed where cumulative training compute exceeds 10²⁵ FLOPs. Those additional obligations include model evaluation with adversarial testing, systemic-risk mitigation, serious-incident reporting, and an adequate level of cybersecurity protection for the model and its infrastructure.

Why it matters — GPAI regulation was the most contested addition to the EU AI Act. The Commission's original 2021 proposal didn't cover foundation models at all. Understanding this distinction matters when advising companies on compliance: deploying a GPAI model in a high-risk context creates a layered obligation problem. The model provider carries the GPAI duties; whoever places the high-risk system on the market carries the high-risk provider duties, even if the system was built on someone else's model; and the deployer carries its own duties, such as human oversight and retaining the system's logs.

Algorithmic Accountability

The principle that automated or algorithmic decision-making systems should be auditable, their outputs explainable, and the entities deploying them responsible for the consequences. In legal contexts, this often attaches to Article 22 of the GDPR (rights related to automated decision-making) and equivalent provisions in national data protection laws.

Why it matters — "Accountability" in AI means different things in different documents. In the NIST AI RMF it is a governance posture. In the GDPR it refers to a specific legal obligation. In journalistic usage it often means "someone should be blamed." Clarify which meaning is operative before building any argument around it.

Regulatory Sandbox

A supervised testing environment in which companies can develop, train and test AI systems under regulatory guidance for a limited period before the system is placed on the market. The EU AI Act (Article 57) requires each member state to establish, or participate in, at least one AI regulatory sandbox. Pakistan's fintech sector has used sandbox models through the State Bank of Pakistan; the concept is not new, but its application to AI is recent.

Why it matters — Sandboxes often sound more permissive than they are. Participation typically requires active disclosure, regulatory supervision, and explicit commitments about how findings will be used. Under the EU AI Act, participants also remain liable for harm caused to third parties during testing; what they gain is guidance and, if they follow the agreed plan in good faith, protection from administrative fines. Sandboxes are testing environments, not exemption zones.

Data Privacy
Lawful Basis

Under GDPR Article 6, all processing of personal data must rest on one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent is often incorrectly assumed to be the only basis; most organizational data processing actually rests on contract or legitimate interests. Special category data (health, biometrics used for identification, political opinions and the like) additionally needs one of the conditions in Article 9.

Why it matters — Choosing the wrong lawful basis is a common compliance failure. If you rely on consent but then process data in ways that are hard to undo when consent is withdrawn (e.g., data embedded in a trained model), you have a structural problem. The basis chosen also determines which rights the data subject can exercise: the right to object attaches to legitimate interests and public task, while data portability applies only to processing based on consent or contract.

Data Minimisation

The GDPR principle (Article 5(1)(c)) that personal data collected must be adequate, relevant, and limited to what is necessary for the specified purpose. Collecting more data than needed — even if it might be useful later — violates this principle.

Why it matters — In AI development, training datasets are often assembled on the assumption that more data is always better. Data minimisation puts a legal limit on that assumption. It also creates genuine tension with machine learning practice that organizations need to think through explicitly: the purpose must be specified before collection, and "it might be useful for a future model" is not a specified purpose.

DPIA

Data Protection Impact Assessment. A mandatory process under GDPR Article 35 for processing that is "likely to result in a high risk" to individuals' rights and freedoms, including systematic and extensive automated evaluation of people (such as profiling) that produces legal or similarly significant effects, large-scale processing of special categories or criminal-offence data, and large-scale systematic monitoring of publicly accessible areas. The DPIA must document the nature of the processing, its necessity and proportionality, the risks to individuals, and the measures taken to address them. If residual risk remains high after mitigation, Article 36 requires prior consultation with the supervisory authority before processing starts.

Why it matters — DPIAs are often treated as a box-ticking exercise. A well-conducted DPIA is actually a useful internal governance tool that forces clarity about what data is processed and why. Supervisory authorities often ask to see DPIAs in investigations — they reveal a lot about how seriously an organization has thought through its data practices.

Legal Tech
eDiscovery

The electronic discovery process: identifying, preserving, collecting, reviewing, and producing electronically stored information (ESI) in litigation or regulatory proceedings. In large matters, eDiscovery involves AI-assisted review tools (TAR, technology-assisted review) that use predictive coding, a classifier trained on documents that human reviewers have already coded, to rank or categorize the remaining documents for relevance and privilege.

Why it matters — eDiscovery is the area of legal practice where technology adoption has been mature longest. The case law on what AI-assisted review must demonstrate to satisfy disclosure obligations is well-developed in US and UK courts: Da Silva Moore v. Publicis Groupe (S.D.N.Y. 2012) was the first US judicial approval of TAR, and Pyrrho Investments Ltd v MWB Property Ltd [2016] EWHC 256 (Ch) the first in England and Wales. It's a useful proxy for understanding how courts reason about AI tools in legal practice generally: the questions asked are about transparency of the protocol, sampling to validate results, and proportionality of cost, not about the model's internals.

Smart Contract

Self-executing code stored on a blockchain that automatically performs contractual terms when specified conditions are met. "Smart contract" is a misnomer: they are not contracts in the legal sense and are not smart in any meaningful way. They are conditional transaction programs. Because deployed code is normally immutable and executes exactly as written, a bug in the code cannot be corrected the way a drafting error in a written contract can be rectified; it will execute, and its effects on chain are generally irreversible.

Why it matters — The legal enforceability of smart contracts varies by jurisdiction and depends heavily on whether the underlying code accurately represents the parties' intentions. In Pakistan, the principles of the Contract Act 1872 still apply: a smart contract that executes incorrectly does not automatically produce a legally different result from a breach of a conventional contract. The question is still what the parties agreed and whether the code reflected it.
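To make "conditional transaction program" concrete, here is a minimal escrow written for this entry; it is an added illustration, not code from the original page or from any real deployment. The buyer deposits payment on creation, an arbiter address attests delivery, and on that attestation the funds move to the seller; if the deadline passes with no attestation, the buyer can reclaim the deposit. The roles, the deadline, and the names used are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original page. Roles and names are assumed.
// The "contractual term" here is only what the code encodes: an arbiter's
// attestation, or the passing of a deadline. Nothing checks whether the
// attestation matches what actually happened, and once deployed this code
// cannot be edited.
contract ConditionalEscrow {
    address public immutable buyer;
    address payable public immutable seller;
    address public immutable arbiter;
    uint256 public immutable deadline;   // unix timestamp, assumed supplied by the parties
    bool public delivered;
    bool public settled;

    constructor(address payable _seller, address _arbiter, uint256 _deadline) payable {
        require(msg.value > 0, "deposit required");
        require(_seller != address(0) && _arbiter != address(0), "bad party address");
        buyer = msg.sender;
        seller = _seller;
        arbiter = _arbiter;
        deadline = _deadline;
    }

    // Condition 1: only the arbiter's call satisfies "delivered".
    // State is updated before the transfer (checks-effects-interactions)
    // so a re-entrant call cannot settle twice.
    function confirmDelivery() external {
        require(msg.sender == arbiter, "not arbiter");
        require(!settled, "already settled");
        delivered = true;
        settled = true;
        seller.transfer(address(this).balance);
    }

    // Condition 2: if the deadline passes with no attestation, the buyer
    // reclaims the deposit. The seller has no remedy inside the program;
    // any further dispute is back in the ordinary legal system.
    function refund() external {
        require(msg.sender == buyer, "not buyer");
        require(!settled, "already settled");
        require(block.timestamp > deadline, "deadline not passed");
        settled = true;
        payable(buyer).transfer(address(this).balance);
    }
}
```

The point for the glossary entry is what the program does not contain: no notion of the parties' intentions, no way to distinguish a correct attestation from a mistaken or fraudulent one, and no mechanism to amend terms after deployment. Whether the arbiter's attestation matched reality, and who bears the loss if it did not, is a question the Contract Act 1872 (or the relevant jurisdiction's contract law) still has to answer.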

Concepts
Regulatory Capture

The process by which a regulatory agency, created to act in the public interest, increasingly advances the commercial or political interests of the industry it is supposed to regulate. Originates in public choice theory. In AI governance contexts, regulatory capture is a recurring concern about industry-led standard-setting bodies.

Why it matters — When industry bodies produce AI safety standards and also lobby regulators about AI safety standards, the independence question matters. Identifying whose interests a given framework actually serves is a necessary step before deciding how much weight to give it.

Brussels Effect

The phenomenon by which EU regulations de facto become global standards because multinational companies find it more efficient to apply the stricter EU standard everywhere than to maintain separate compliance frameworks. Named and theorized by Anu Bradford. GDPR is the clearest example: its influence on data protection laws in Pakistan, India, and elsewhere is substantial even where the GDPR itself does not apply (its Article 3 reaches a non-EU organization only when it offers goods or services to, or monitors the behaviour of, people in the EU).

Why it matters — Understanding the Brussels Effect explains why studying EU AI governance matters even if you practice in Islamabad. The EU AI Act will shape how global technology companies design their systems — and those systems will be deployed in Pakistan regardless of what Pakistani law says.

Principle of Proportionality

A legal principle requiring that measures taken must be suitable to achieve their objective, necessary (no less restrictive alternative achieves the same result), and proportionate in the strict sense (the benefits outweigh the harms caused). Applies in EU law, Pakistani constitutional law, international human rights law, and data protection contexts.

Why it matters — Proportionality arguments appear in almost every domain covered by this field guide. A data collection practice that fails proportionality fails regardless of consent. An AI regulation that restricts a use case more than necessary to achieve its safety objective may fail proportionality review. Learning to build proportionality arguments is foundational.