Last updated: 2026-04-11
What SpendLil Covers
Which compliance requirements SpendLil helps with today and what's on the roadmap.
SpendLil is building toward comprehensive AI governance. Here's what's covered today, what's coming next, and what you'll still need to handle yourself.
Covered Today
| Requirement | How SpendLil Helps | Relevant Regulation |
|---|---|---|
| AI inventory / asset register | Auto-discovers every API key and provider in use across your account | EU AI Act Art. 26(1), UK AI principles |
| Usage logging | Every AI request is logged with timestamp, model, tokens, cost, and key identifier | EU AI Act Art. 26(6), GDPR Art. 30 |
| Spend tracking | Real-time cost visibility by key, provider, and model | Internal governance, budget control |
| Alerting | Configurable thresholds for spend, volume spikes, and new key detection | Risk management, oversight |
| Audit trail | Dashboard activity logging with 365-day retention | EU AI Act Art. 26(6), GDPR Art. 5(2) |
| Data minimisation (SpendLil itself) | No prompt storage, no key storage, no response storage — metadata only | GDPR Art. 5(1)(c) |
Coming in Phase A
| Feature | What It Does | Relevant Regulation |
|---|---|---|
| PII detection | Scans prompts for personal data (emails, NI numbers, phone numbers) and alerts | GDPR Art. 5, 6, 9 — lawful processing of personal data |
| DLP rules | Configurable data loss prevention — flag or alert on sensitive data categories | GDPR, sector-specific data protection |
| Prompt injection detection | Detects attempts to manipulate AI via prompt injection (async, non-blocking) | EU AI Act Art. 15 — accuracy and robustness |
| Bias auditing | Monitors AI outputs for patterns of bias across protected characteristics | EU AI Act Art. 10, Equality Act 2010 |
| Human-in-the-loop approvals | Require human review before AI decisions are actioned in high-risk cases | EU AI Act Art. 14 — human oversight |
| EU AI Act compliance suite | Transparency disclosures, conformity assessments, rights impact assessments, incident reports | EU AI Act Art. 13, 26, 27, 62 |
| Quality scoring | Score AI outputs for quality and track degradation over time | EU AI Act Art. 9 — risk management |
| Outgoing webhooks | Send events to Zapier/Make for custom compliance workflows | Governance automation |
You Still Need To Handle
SpendLil covers the AI-specific technical layer. These broader requirements sit with your business:
- AI policy — a written policy covering how your business uses AI, who's responsible, and what's allowed
- Risk assessments — for high-risk use cases, a formal assessment of potential harm (a fundamental rights impact assessment, FRIA, under the EU AI Act)
- Staff training — ensuring your team has AI literacy and understands their responsibilities
- Data protection impact assessments (DPIAs) — required under GDPR when AI processes personal data at scale
- Sector-specific compliance — requirements from the FCA, SRA, GMC, Ofsted and other regulators that are specific to your industry
- Incident response plan — what to do if an AI system causes harm or produces a discriminatory outcome
- Supplier due diligence — assessing the AI providers you use (OpenAI, Anthropic, etc.) for their compliance posture
- Record keeping beyond SpendLil — maintaining records of AI-related decisions, risk assessments, and compliance activities
SpendLil gives you the data; you provide the governance
Think of SpendLil as the technical foundation. We give you visibility, logging, and alerts. You build the policies, training, and decision-making frameworks on top.