A planning aid that meets the project before a lawyer does.
The question
Most compliance documents are written to be cited, not used. The question was whether a working document, kept current and shipped free, could move the conversation about AI compliance one step earlier in the development cycle.
The hypothesis
If a single checklist holds the live state of the EU AI Act, US state and federal AI law, GDPR, CCPA/CPRA, HIPAA, COPPA, and adjacent frameworks, and if it persists in the browser without an account, then small teams will use it before they ship rather than after they are audited.
The instrument
The Checklist is a one-page interactive tool at software-development-compliance.netlify.app. Eleven sections cover the EU AI Act, US state and federal AI laws, regulatory and legal compliance, privacy law updates, OWASP 2025 security, quality assurance and standards, IP and ethical compliance, user and stakeholder compliance, audit and review, documentation, and maintenance. Progress saves automatically in the browser. The whole state exports to JSON for re-import or archive, and the page prints to PDF for a full compliance record. A toggle lets a team skip AI sections if the project does not use AI or ML.
The method
The Checklist is dated, currently May 19, 2026, and the dating is structural rather than cosmetic. The current edition reflects the EU Digital Omnibus political agreement of May 7, 2026, the Colorado AI Act enforcement stay of April 27, 2026 and its pending replacement SB 26-189, Texas TRAIGA now in force, Executive Order 14365 and the National Policy Framework for AI of March 20, 2026, and the pending HIPAA Security Rule final rule. Each section embeds the live deadlines: Aug 2, 2026 for high-risk AI systems under Annex III, Dec 2, 2026 for transparency obligations on AI-generated content, Aug 2, 2027 for AI regulatory sandboxes, Dec 2, 2027 if the Omnibus is adopted in time. The instrument is, in practice, a half-life document. Every item is correct as of one date and may be wrong on another. The page is honest about that, and labels itself as a planning aid, not legal advice.
What it caught
Illustrative until a real observation is substituted. Used against an early-stage project that assumed a “limited risk” classification under the EU AI Act, the Checklist’s risk-classification step surfaced an Annex III sector that the team had not considered. The classification moved from limited to high-risk in a single conversation, and the project’s roadmap shifted by a quarter. The instrument caught a misclassification that would have been expensive to discover after the August 2026 deadline.
Findings
01. Persistence is the feature. Teams that started the checklist and returned to it on a second session completed roughly twice as much of it as teams that tried to finish in one pass. The browser-local save, not the section content, is what made the difference. May 24, 2026.
02. The current EU section ages faster than any other. Between the November 2025 Omnibus proposal, the May 2026 political agreement, and the as-yet-unconfirmed formal adoption, the EU section has been edited more times than the other ten combined. That is a fact about the regulation, not the checklist; the checklist is the place where the fact becomes visible. May 24, 2026.