When your company sets a rule about how its AI should behave, there are two ways to enforce it.
You can put up a sign that states the rule and hope the system follows it. That's how speed limits work. Or you can build a guardrail, where the rule is physical and a driver who wanted to leave the road can't. One relies on cooperation. The other is a structural fact about the road.
Most AI controls inside growth companies are signs. They live in policies, training decks, and acceptable-use documents. The AI itself, the system actually doing the work, can still produce a non-compliant output, action, or disclosure at the moment it runs.
That gap is on a clock. The EU's AI Act, which applies to AI systems used inside the European Union and to outputs used there even when generated elsewhere, hits its next major stage on August 2, 2026, when "high-risk" AI systems (the law's term for AI used in hiring, lending, public infrastructure, and other consumer-facing decisions that can hurt people) come under a strict oversight requirement. Article 14 of the Act doesn't ask whether you have a policy. It asks whether the system was designed so a human can step in and prevent a bad outcome. Different question. Different answer.
Three U.S. regulators have already won enforcement cases on the same logic at adjacent layers. Here's a test for your own AI controls: walk through the five categories below, mark each one Sign or Guardrail, and watch which column gets crowded. Almost always, it's the first one.
1. Tool Scope (What an AI Agent Is Allowed to Do)
When your company deploys an AI agent, the agent has access to a set of tools: calendars, customer databases, payment systems, vendor portals.
Sign: A written policy that says which tools the agent should use, which it shouldn't touch, and which data it shouldn't pull from. The policy is published. Whether it gets followed depends on the agent's behavior at runtime.
Guardrail: The agent's tool list is configured at the system level so the off-limits tools aren't available at all. The agent can't pick what isn't on its menu, the way a child-locked phone can't open apps that aren't on its home screen.
Why it matters: The U.S. government's voluntary AI risk framework (the NIST AI Risk Management Framework, which most American AI programs anchor to) calls for "mechanisms to supersede, disengage, or deactivate" AI systems that drift. The EU AI Act requires that human oversight be "built into" the system before release. "Built into" is statutory shorthand for guardrail. A policy in a wiki isn't built in.
2. Output Filtering (What an AI Is Allowed to Say at the End)
Every AI system produces outputs: chatbot answers, decisions, recommended actions. Some of those outputs are sensitive, biased, factually wrong, or non-compliant.
Sign: A content moderation policy plus a queue where humans review what the AI said after it's gone out. By the time someone catches the bad output, the user has already seen it.
Guardrail: A filter sitting between the model's output and the user, blocking sensitive categories before delivery rather than retracting them after. Amazon Bedrock Guardrails, NVIDIA NeMo Guardrails, and Lakera Guard are commercial examples that work this way: architecture between input and output rather than policy on a wiki page.
Why it matters: The EU AI Act has a small but instructive rule. For AI used to identify a person from a face scan in a public place, no consequential action can follow the identification "unless that identification has been separately verified and confirmed by at least two natural persons." A two-person rule before action is preventive by design. The Act treats that pattern as a useful template for the rest of high-risk AI: blocked until a person clears it.
3. Pre-Execution Approval (Stopping the AI Before It Acts)
Some AI systems take actions, not just produce text. They pay invoices, submit filings, send customer emails. Once those actions run, they're hard to take back.
Sign: The system runs the action, then logs it for human review. The review happens after the money moves, the email lands, the filing is submitted.
Guardrail: The action stops at a gate. A human authorizes it before it runs. For things you can't undo (financial transactions, customer-facing communications, regulatory filings), the gate isn't optional.
Why it matters: Article 14 of the EU AI Act says human oversight has to be designed "to prevent or minimise" risks to health, safety, or fundamental rights. "Prevent" is preventive. A log is detective. The clearest example is the Federal Trade Commission's December 2023 order against Rite Aid. The pharmacy chain had policies on facial recognition use. The deployment had no preventive control. The policies didn't save them: the FTC banned the company from using facial recognition for surveillance for five years.
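The tool-scope guardrail from section 1 and the pre-execution gate described above, combined in one dispatcher, as an added example that is not part of the original article. Tools absent from the configured list cannot be called at all, and a tool marked irreversible is held until the required number of distinct humans approve (two here, echoing the two-person rule quoted in section 2). The tool names, approver names and ledger are constructed for illustration.

```python
import itertools
from dataclasses import dataclass, field
from typing import Callable

class ToolUnavailable(Exception): pass  # tool is not on the agent's configured list

@dataclass
class Tool:
    fn: Callable[..., str]
    approvals_needed: int = 0  # 0 = reversible, may run without a human

@dataclass
class Dispatcher:
    tools: dict           # name -> Tool; a name that is absent cannot be called
    approvers: frozenset  # human identities allowed to release a held action
    held: dict = field(default_factory=dict)  # ticket -> (name, args, signers)
    ids: object = field(default_factory=lambda: itertools.count(1))

    def submit(self, name, **args):
        """Entry point for the agent. Returns ("done", result) or ("held", ticket)."""
        tool = self.tools.get(name)
        if tool is None:
            raise ToolUnavailable(name)
        if tool.approvals_needed == 0:
            return ("done", tool.fn(**args))
        ticket = next(self.ids)
        self.held[ticket] = (name, args, set())
        return ("held", ticket)  # nothing has executed yet

    def approve(self, ticket, person):  # humans only; never handed to the agent
        if person not in self.approvers:
            raise PermissionError(person)
        name, args, signers = self.held[ticket]
        signers.add(person)  # a set: one person approving twice counts once
        if len(signers) < self.tools[name].approvals_needed:
            return ("held", ticket)
        del self.held[ticket]
        return ("done", self.tools[name].fn(**args))

# Constructed demo: a fake ledger and two tools (all names hypothetical).
PAID = []
def lookup_invoice(invoice_id):
    return f"invoice {invoice_id}: 120.00 EUR"
def pay_invoice(invoice_id):
    PAID.append(invoice_id)
    return f"paid {invoice_id}"

def build_dispatcher():
    tools = {"lookup_invoice": Tool(lookup_invoice),
             "pay_invoice": Tool(pay_invoice, approvals_needed=2)}
    return Dispatcher(tools, frozenset({"alice", "bob"}))
```

The property to check in a real deployment is the same one the code enforces: the agent's runtime holds a reference to `submit` only, so neither an unlisted tool nor the approval path is reachable from a model output.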
4. Data Access (What the AI Can Reach in the First Place)
AI models learn from data and process more data at runtime. If the model can reach data it shouldn't (regulated personal data, confidential customer records, employee files), the policy on top isn't the actual control.
Sign: A data classification policy and an acceptable-use document saying what data may train the model. Whether that holds depends on whether the engineer running the pipeline follows it.
Guardrail: The architecture decides for them. Sensitive data sits in a separate, restricted environment the training pipeline can't reach. Permissions are set at the level of individual data fields, not at the level of policy pages.
Why it matters: The EU AI Act requires high-risk AI to follow specific data governance practices, including bias review and appropriate measures around training data. California's main privacy law, the California Consumer Privacy Act, takes the same approach to data deletion: not "we have a deletion policy," but architectural enforcement. The cautionary case is the FTC's June 2024 settlement with Avast, the antivirus company, for $16.5 million. Avast's privacy policy promised it blocked online trackers. Its architecture sold the browsing data anyway, through a subsidiary called Jumpshot, to over a hundred third parties. Two layers, opposite stories.
5. Pre-Input Filtering (What the AI Sees in the First Place)
Before the model produces an output, it sees an input: a prompt, a query, a data feed. If sensitive personal information enters that input, the model "knows" it, regardless of what your policy says.
Sign: A privacy or PII handling document describing what data shouldn't enter prompts. A consent or opt-out flow that requires the user to click an email link to confirm before the preference takes effect.
Guardrail: A detection layer at the input boundary that strips, redacts, or refuses sensitive data before the model sees it. A consent or opt-out flow that takes effect on the user's first click, with no extra verification gate.
Why it matters: Article 13 of the EU AI Act requires high-risk AI to be designed so it's "sufficiently transparent to enable deployers to interpret a system's output and use it appropriately." Transparency without input control is a documentation exercise. The California Privacy Protection Agency makes the same point at the privacy layer. In March 2026, the Agency fined Ford $375,703 because Ford's opt-out flow required users to click an emailed confirmation link before the opt-out took effect. The Agency called that confirmation step "unnecessary friction" and ruled the opt-out wasn't, operationally, an opt-out at all. Friction is what separates a sign from a guardrail.
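An added example of the input-boundary guardrail described in this section, not taken from the original article or from any vendor product: a function that every prompt must pass through before the model call, which redacts some categories and refuses others. The categories chosen (email addresses, US Social Security number format, payment card numbers confirmed with a Luhn checksum) and the sample prompts are assumptions made for illustration.

```python
import re

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
US_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

class InputRefused(Exception):
    """The prompt contains data that must never reach the model."""

def luhn_ok(digits):
    """Checksum used by payment cards; filters out order numbers and other IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

def guard_prompt(text):
    """Return (clean_text, findings); only clean_text may be sent to the model."""
    # Refuse outright: a card number is not something redaction should paper over.
    for match in CARD.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            raise InputRefused("payment card number in prompt")
    findings = []
    def redact(label):
        def replace(_match):
            findings.append(label)   # record the category, never the value
            return f"[{label}]"
        return replace
    text = US_SSN.sub(redact("SSN"), text)
    text = EMAIL.sub(redact("EMAIL"), text)
    return text, findings

# Constructed sample prompt; the 16-digit order number fails Luhn and is kept.
SAMPLE = ("Summarise the complaint from jane.doe@example.com, "
          "SSN 123-45-6789, order 1234567890123456.")
```

Pattern matching of this kind misses free-text identifiers such as names and addresses, so the findings list is worth logging and reviewing to see what the boundary is and is not catching.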
What To Do
Pull the list of AI controls in your company. Mark each one Sign or Guardrail. Anything you can't confidently call Guardrail is, by default, a Sign. Thirty-minute exercise, general counsel and engineering lead together.
For every Sign, write down what actually enforces the rule. If the honest answer is "the policy says so," the control is unenforced. Engineering owns that answer.
Sort the five categories by exposure. Anything public-facing, regulated, or irreversible needs a guardrail first. The rest can wait one cycle. The CEO sets the order.
Add one question to the next vendor renewal: which controls do you enforce in the architecture, and which do you only document? The contract should reflect the answer in actual clauses, not in marketing assurances.
Calendar a controls review for August 2, 2026, when the EU AI Act's high-risk requirements take effect. Either you have time before then, or you have a record of asking the question on time.
This article is general educational analysis. It does not provide individualized legal advice, client-specific recommendations, outcome guarantees, or jurisdiction-specific directives without factual context.
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before making compliance decisions based on the developments discussed here.