AI governance in Latin America: what is declared and what can be verified

Latin America adopts artificial intelligence faster than it governs it. The regional picture shows countries already using generative AI across the board while their control frameworks remain in draft or have only just been enacted.

The Latin American Artificial Intelligence Index documents that asymmetry: dynamic adoption coexists with critical gaps in talent, infrastructure and governance. Much of the national strategy landscape lacks budget, implementation and evaluation.

For an auditor, that sentence has a precise meaning. A strategy with no follow-up budget and no ex-post evaluation mechanism is not a system of governance; it is a statement of intent. The difference becomes visible the day an automated system denies a benefit, biases a hiring decision or gets a diagnosis wrong.

The dominant regulatory model in the region is classification by risk level. Peru enshrined it in Law 31814 and its implementing regulation, requiring transparency, human oversight and provision for testing environments. Chile and Colombia are advancing bills with the same approach, centered on bias, privacy and labor transformation.

The EU AI Act serves as a comparative reference for that architecture: it prohibits certain uses, subjects high-risk systems to reinforced obligations and leaves the rest under transparency duties. The region is converging methodologically with that scheme without having yet produced a horizontal equivalent of its own.

The auditor does not audit the declared category; the auditor audits the consistency between the category and the controls actually in operation. A system labeled low-risk that in practice decides on rights is a finding, not a formality.

Responsible AI leaves a trace. That is the operational test that separates real governance from rhetoric. An auditable system retains, at a minimum, five things: the declared purpose, the training data and its provenance, the relevant design decisions, the operating logs, and the points where a person can intervene or reverse a decision.

The gap between requiring and verifying is where the credibility of the framework is decided. A transparency obligation with no format, no custodian and no retention period is unauditable. What is not recorded cannot be reviewed, and what cannot be reviewed cannot be held to account.

The audit question is deliberately simple. If this system causes harm tomorrow, what evidence remains, who holds it, and how quickly can it be retrieved? When the answer is silence, the control never existed.

ISO/IEC 42001 offers organizations an AI management system with controls over policies, roles, impact assessment and model lifecycle management. It is the piece that translates the regulatory principle into verifiable internal discipline.

A precision the market tends to erase is in order. Certification against ISO/IEC 42001 is today a non-accredited certification, outside the published accreditation scope. That does not invalidate it; it locates it. It attests that a body evaluated a management system, not that a state endorsed the legal compliance of the underlying AI system.

The IAC Observatory registers and verifies evidence; it does not accredit or certify. To verify is to confirm that a control exists and operates. The sensible sequence for an organization is the reverse of the marketing one: first build the traceability the law will require, then seek the mark that attests to it.

Accountability is the control that sustains all the others. Without an identifiable owner, a signed impact assessment and an ex-post review mechanism, human oversight becomes a ticked box with no content.

The region's more mature frameworks recognize this. Uruguay aligned its strategy with international human-rights and rule-of-law references, opting for legal interoperability rather than unprecedented obligations. Other countries are debating algorithmic audits and impact assessments at the parliamentary level.

The closing is a diagnosis, not a prescription. The region does not need more announced strategies; it needs preservable evidence, named owners and traceability that survives the turnover of governments and management. Responsible AI is recognized by what it can demonstrate when called to account, not by what it promised when it was unveiled.