For AI projects handling regulated data (such as financial or personal information), PMI-aligned guidance for Managing AI emphasizes that regulatory and compliance requirements must be understood upfront, before data is collected, processed, or shared. The very first step is to perform a comprehensive assessment of data regulations and compliance requirements across all applicable jurisdictions (e.g., privacy laws, banking/financial regulations, sectoral rules, cross-border data transfer constraints, retention rules, and consent requirements).
This assessment provides the foundation for trustworthy AI, because ethical principles, privacy safeguards, transparency mechanisms, and accountability structures must map directly to concrete legal and regulatory obligations. Only when these requirements are clearly identified can the project manager design an appropriate data governance framework, define lawful bases for processing, set access controls, and specify documentation and audit-trail expectations.
Drafting governance (option B), stakeholder meetings (option C), or high-level data collection strategies (option D) are useful later steps, but if they are done before a regulatory and compliance assessment, they risk misalignment with the law and may require costly rework. Therefore, in line with PMI-CPMAI’s focus on responsible and compliant AI lifecycle management, the project manager should first perform a comprehensive assessment of data regulations and compliance requirements.