Brazil's AI Law Is a Dated Forcing Function. Build For It Now.

Thiago Victorino
7 min read

On December 10, 2024, the Brazilian Senate approved PL 2338/2023, the Marco Legal da Inteligência Artificial. The text now sits in the Câmara dos Deputados, declared a 2026 legislative priority, with no fixed date for a final vote. That combination is the part worth acting on. The substance is settled enough to plan against, and the timing leaves a window to prepare before obligations become law.

The bill organizes its requirements around risk. The higher a system’s potential impact on people’s rights, safety, and opportunities, the heavier the regulatory burden it carries. A tool that organizes internal documents is not treated like a tool that approves a loan. That single design principle determines almost everything a company will owe once the text passes.

The Risk Tiers Decide Your Obligations

Per the bill text as summarized by Exame, PL 2338 sorts AI systems by level of risk, in a structure that mirrors the EU AI Act. Systems with higher potential to affect rights, safety, or access to opportunities fall into a high-risk category that triggers the strictest controls. Lower-impact systems carry lighter requirements.

This matters because it changes the first question a company has to answer. Before debating which model to use or how to integrate it, the relevant question is what the system decides and who it affects. The regulatory weight follows the decision, not the technology.

The bill names its high-risk examples explicitly. Two of them are common in almost every mid-sized company: approving credit, and selecting job candidates. If you already run AI in either function, you are not speculating about future exposure. You are already operating a system the bill would classify as high-risk. The hiring case is especially exposed: automated screening that ranks every applicant against one learned profile produces exactly the patterned exclusion the bill’s discrimination provisions are written to catch.

What High-Risk Systems Will Owe

According to the approved Senate text as summarized by Exame, high-risk systems carry three obligations that companies should read carefully.

The first is transparency about automated decisions. Depending on classification, a company may have to demonstrate how a given decision was reached, which data fed it, and which criteria shaped the result. A rejected loan applicant or a screened-out candidate could be entitled to that explanation. A system that did not record its inputs, model version, and criteria at decision time cannot produce that explanation later, and it becomes a liability the moment someone asks.

The second is a pre-deployment impact assessment. High-risk systems require an algorithmic impact assessment before going into operation, identifying risks of discrimination, security failures, and privacy violations. This is not a post-incident audit. It is a gate the system passes through before it touches a real decision.

The third is shared accountability. The bill distributes responsibility across the developer who built the model, the supplier who provides it, and the company that deploys it. “We just bought the tool” stops being a defense. The deployer carries obligations regardless of who wrote the code.

The sectors named as most exposed are predictable once you see the pattern: HR, finance, health, insurance, and consumer service. These are the functions where automated decisions land directly on a person’s access to money, work, care, or coverage. Health is its own warning, given the governance vacuum already visible in healthcare AI.

Why This Resembles the EU AI Act, and Why That Helps

The risk-tier structure is not novel. It borrows directly from the EU AI Act, which already classifies systems from minimal to unacceptable risk and loads obligations onto the high-risk band. For Brazilian companies, that lineage is useful rather than coincidental.

It means the readiness work is not theoretical. European companies have spent two years building the exact artifacts PL 2338 will require: decision logs, impact assessments, documentation of training data and criteria, and clear accountability lines between vendor and deployer. The playbook exists. A Brazilian company can study what worked in that rollout instead of inventing a response from scratch.

It also means multinational operators may already hold most of what they need. If your group built AI Act compliance for European operations, the Brazilian requirement looks less like a new project and more like extending an existing one.

What To Put In Place Now

The bill is still moving, which is precisely why this is the moment to act. Building governance under deadline pressure produces brittle documentation. Building it now, while the text is in the Câmara, produces controls that actually work. Start with four steps.

Inventory your AI decisions by impact. List every system that touches a decision about a person: credit, hiring, claims, pricing, service routing. Rank them by how directly they affect someone’s rights or opportunities. The high-impact ones are your priority.

Make the high-impact systems explainable. For each one, confirm you can reconstruct how a decision was made, which data was used, and which criteria applied. If you cannot, that is the first thing to fix, because transparency is the obligation hardest to retrofit: the evidence has to be captured when the decision is made, and decisions already taken without it cannot be explained after the fact.

Run an impact assessment on the high-risk ones. Document the risks of discrimination, security failure, and privacy violation before the law requires it. The assessment itself surfaces problems while they are still cheap to fix.

Map accountability across your vendors. Know who built each model, who supplies it, and what your contracts say about responsibility. Shared accountability means the deployer’s exposure is real even when the code is someone else’s.
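As an added illustration of what the four steps look like in code (this is not from the bill text, the Exame summary, or the article), the sketch below triages systems by impact, applies a constructed credit rule that reports which criteria fired, writes each decision into a hash-chained log that records inputs, criteria, model version and vendor, and can both answer an explanation request by decision ID and detect any later edit or deletion. The domain list, the risk heuristic, the thresholds, the vendor and system names, and the sample applicants are all constructed for the example; the bill defines none of them.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict

# Step 1, inventory by impact. Assumed triage heuristic for the example;
# the bill's own classification test is not reproduced here.
HIGH_IMPACT_DOMAINS = {"credit", "hiring", "insurance", "health", "claims"}


def classify_risk(domain: str, decides_about_person: bool, human_review: bool) -> str:
    """Rank a system 'high', 'medium' or 'low' by how directly it decides about a person."""
    if decides_about_person and domain in HIGH_IMPACT_DOMAINS and not human_review:
        return "high"
    if decides_about_person:
        return "medium"
    return "low"


def credit_rule(inputs: dict, criteria: dict) -> tuple[str, list[str]]:
    """Constructed toy credit rule: returns the outcome and the criteria that fired."""
    reasons = []
    if inputs["debt_ratio"] > criteria["max_debt_ratio"]:
        reasons.append(f"debt_ratio {inputs['debt_ratio']} > max {criteria['max_debt_ratio']}")
    if inputs["monthly_income"] < criteria["min_monthly_income"]:
        reasons.append(f"monthly_income {inputs['monthly_income']} < min {criteria['min_monthly_income']}")
    return ("denied" if reasons else "approved"), reasons


@dataclass
class DecisionRecord:
    decision_id: str
    system: str          # inventory name of the deployed system
    vendor: str          # who supplies the model (step 4: accountability map)
    model_version: str   # exact artifact that produced the decision
    inputs: dict         # data that fed the decision
    criteria: dict       # thresholds in force at decision time
    outcome: str
    reasons: list        # which criteria produced the outcome (step 2: explainability)
    prev_hash: str       # hash of the previous record; chains the log
    record_hash: str = ""

    def body_hash(self) -> str:
        """SHA-256 over a canonical JSON serialisation of every field except record_hash."""
        body = asdict(self)
        body.pop("record_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()


class DecisionLog:
    """Append-only, hash-chained decision log; each record commits to its predecessor."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[DecisionRecord] = []

    def record(self, **fields) -> DecisionRecord:
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        rec = DecisionRecord(prev_hash=prev, **fields)
        rec.record_hash = rec.body_hash()
        self.records.append(rec)
        return rec

    def explain(self, decision_id: str) -> dict:
        """Answer a data subject's request: which data, which criteria, which model, and why."""
        for rec in self.records:
            if rec.decision_id == decision_id:
                keys = ("outcome", "reasons", "inputs", "criteria", "model_version", "vendor")
                return {k: getattr(rec, k) for k in keys}
        raise KeyError(decision_id)

    def verify(self) -> bool:
        """Recompute the chain; False if any record was edited, removed or reordered."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.body_hash() != rec.record_hash:
                return False
            prev = rec.record_hash
        return True


def demo() -> DecisionLog:
    """Constructed sample: two credit decisions logged by a hypothetical scoring system."""
    log = DecisionLog()
    criteria = {"max_debt_ratio": 0.35, "min_monthly_income": 2500}
    applicants = [("d-001", {"debt_ratio": 0.41, "monthly_income": 4200}),
                  ("d-002", {"debt_ratio": 0.20, "monthly_income": 3100})]
    for decision_id, inputs in applicants:
        outcome, reasons = credit_rule(inputs, criteria)
        log.record(decision_id=decision_id, system="credit-scoring", vendor="ExampleVendor",
                   model_version="rules-v3", inputs=inputs, criteria=criteria,
                   outcome=outcome, reasons=reasons)
    return log


if __name__ == "__main__":
    log = demo()
    print(classify_risk("credit", decides_about_person=True, human_review=False))
    print(json.dumps(log.explain("d-001"), indent=2))
    print("chain intact:", log.verify())
```

The point of the chain is not cryptographic sophistication; it is that an explanation handed to a rejected applicant can be shown to come from the record written at decision time, and that a vendor or deployer who later edits history is caught by `verify()`. In a real deployment the records would live in append-only storage with the head hash published or countersigned, and the `vendor` and `model_version` fields are what let the accountability map in step 4 be joined to individual decisions.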

A company that does this work now will not be scrambling when PL 2338 passes. It will already hold the decision logs, the assessments, and the accountability map the law asks for. This is the same trajectory we traced when governance started shipping as a product feature: the controls regulators eventually mandate are the ones early movers already treat as infrastructure. The cost of building governance ahead of a deadline is a fraction of the cost of building it under one.


This analysis synthesizes Marco Legal da Inteligência Artificial (PL 2338): o que muda para empresas (Exame, June 2026), the PL 2338/2023 tramitação record (Câmara dos Deputados, 2026), and the PL 2338/2023 Senate record (Senado Federal, December 2024).


All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.
