News · Meta puts AI at the core of its Risk Review process, moving compliance checks into the coding stage

Mar, 314 min to read
Platform

Meta puts AI at the core of its Risk Review process, moving compliance checks into the coding stage

Michel Protti describes how Meta rebuilt its product Privacy Review into a cross-company Risk Review program that prefills documentation and scans proposals during development.

From product Privacy Review to a cross-company Risk Review program

Michel Protti, Meta's Chief Compliance and Privacy Officer for Product, frames this announcement as more than a tooling upgrade. Meta says it is transforming its product Privacy Review into a broader, cross-company Risk Review program with AI at its core.

That scoping matters. The old process was described as focused on privacy; the new one folds privacy, safety, and security into one review flow. The stated driver is scale: Meta reports conducting tens of thousands of risk and compliance reviews each year, against a backdrop of hundreds of data protection laws worldwide that change as technology evolves.

The consolidation is the real structural move here. Rather than run parallel domain reviews, Meta is building a single system that cross-checks new products and features against what it calls a global library of policies and regulations.

The shift from intake forms to detection during development

The specific pain point Meta names is manual intake. Experts previously spent hours gathering information and completing standardized intake forms just to start a review. The AI system now pre-fills key documentation and surfaces relevant product requirements upfront.

More consequential is where the review happens. Meta says the system scans product proposals during the development phase, catching potential issues or coding gaps and suggesting solutions before development reaches testing.

In this way, our AI-powered Risk Review program is like an always-on risk detection tool that assists our teams at every stage of the risk review process, helping us catch potential issues and surface recommend mitigations for expert review while code is written, not afterward.Montana Labs

That is the core claim to weigh: compliance moving left, into the coding loop, instead of acting as a gate before launch. Meta's stated goal is a culture where manual processes are the fallback, not the default.

What the human-in-the-loop split actually looks like

Meta is explicit about the division of labor. In most cases, AI does a first pass; experts double-check for accuracy, conduct ongoing oversight, and focus on novel, high-impact cases that require human judgment.

The framing worth noting is that humans are described as the architects of the system — they make the rules for how AI is used and overseen. Technology handles scale; people set direction. This is a governance claim as much as a productivity one.

The unstated tension is calibration. When AI does the first pass on tens of thousands of reviews, the quality of what reaches human experts depends entirely on how well the system triages routine cases from the ones that need scrutiny. Meta does not share error rates, override rates, or how it measures whether the first pass is catching the right things — the metrics that would let outsiders judge whether the oversight is real or nominal.

The implication: compliance as continuous monitoring, not a launch gate

The most durable idea in this announcement is continuity. Meta describes ongoing monitoring to ensure protections keep working as products evolve, and continuous tracking of regulatory changes so products can be updated accordingly.

That reframes risk review from a point-in-time approval into a standing process that runs during development and after launch. For applied teams, that is the harder engineering problem — not automating a form, but keeping a policy library current across hundreds of jurisdictions and re-checking shipped products against it.

Meta positions this as an industry direction, noting that Data Protection Officers will discuss integrated, multi-domain risk management at the IAPP Global Summit. The announcement offers the model but not the proof; the open question is whether always-on detection genuinely improves outcomes or mainly accelerates a process whose accuracy still depends on the humans checking behind it.

Find this story relevant to you?

Contact us to find a unique solution

Contact us

Need an AI engineering partner that can actually build?

We help businesses integrate AI, build AI-powered products, automate high-value workflows, and modernize the software systems behind them.

Get in touch

Related reading

More analysis around product delivery, operational AI, and the systems work that makes deployment hold up in reality.

Jul, 134 min to read
Platform

Doppel automates phishing takedowns with a five-stage GPT-5 and RFT pipeline

Jul, 134 min to read
Platform

Deutsche Telekom's bet that voice networks become the AI interface

Jul, 134 min to read
Platform

Meta's 5GW Louisiana Expansion Is Announced Through Teacher Bonuses, Not Teraflops