AI Regulatory Compliance: Different Laws, One Set of Runtime Controls
The EU AI Act, US state laws, and sector rules use different vocabulary and converge on the same three runtime controls: identity-bound access to AI, policy evaluation on every request, and records detailed enough to reconstruct decisions. This piece maps the major regulations to that shared control set and shows why building the control once satisfies most of the map.

Article 12 of the EU AI Act requires high-risk AI systems to automatically record events over the lifetime of the system, in enough detail to reconstruct what happened. Fannie Mae's Lender Letter LL-2026-04 requires an audit trail for AI-assisted decisions in mortgage origination. Texas TRAIGA, in force since January 1, 2026, requires disclosure and record-keeping. Three regulators, three vocabularies, one architectural requirement: a record of what an AI system did, bound to the identity that triggered it. I want to map the regulatory landscape to the controls it actually demands, because the map is far smaller than the list of laws suggests.
The landscape, briefly
The regulations arriving through 2026 and 2027 fall into three groups.
The EU AI Act. Article 50 transparency obligations apply from August 2, 2026. Under the Digital Omnibus that the EU Council approved on June 29, 2026, standalone high-risk obligations under Annex III moved to December 2, 2027, which changed the deadline but not the controls, as covered in the Omnibus deferral analysis. Article 12 record-keeping and the Article 99 penalties reaching 15 million euro or 3% of global turnover define the stakes.
US state laws. Texas TRAIGA took effect January 1, 2026 with civil penalties and attorney-general enforcement. The California AI Transparency Act, effective the same day, mandates disclosure for AI systems with more than one million monthly users. Colorado's revised AI Act follows on January 1, 2027. Each adds vocabulary, and each rests on the same evidence.
Sector rules. Fannie Mae LL-2026-04, effective August 6, 2026, governs AI in mortgage origination and servicing. DORA, HIPAA applied to AI, and ISO 42001 as a certifiable standard extend the same requirements into finance, healthcare, and management systems.
The three controls underneath the map
Read the operative text of any of these and the same three controls appear.
Identity-bound access. Every regime assumes the organization can say which identity, human or agent, initiated an AI action. Disclosure rules, audit-trail rules, and access provisions all fail without it.
Policy evaluation per request. Transparency, human-oversight, and prohibited-use provisions all require that some rule was applied to an AI request before it executed. A policy that is not evaluated at request time governs nothing a regulator can verify.
Reconstructable records. Article 12's logging, LL-2026-04's audit trail, and the state disclosure statutes all reduce to one artifact: a record detailed enough to reconstruct a specific decision, held independently of the application that made it. This is the substrate the AI audit trail requirements by regulation map out in detail.
Gartner projects that unlawful AI-informed decision-making will generate over $10 billion in remediation costs and damages by mid-2026. That figure is the cost of failing these three controls, not of failing to read the statutes.
Build once, satisfy the map
The practical consequence is that compliance scales better than the regulation count implies. An organization that builds identity-bound access, per-request policy evaluation, and reconstructable records at the AI request layer has built the substrate every regulation on the map asks for. What differs across regimes is the reporting format, which the AI compliance audit checklist handles by mapping the shared records to each law's language.
Anchoring the build to NIST AI RMF and ISO 42001 gives auditors a recognized structure to test against, and both frameworks describe the same identity, policy, and logging controls the laws require.
DeepInspect
DeepInspect builds the three controls in one place. It sits at the AI request boundary as a stateless proxy between authenticated users or agents and any LLM, evaluating each request against identity-bound policy before the model receives it.
Identity-bound access is structural, because the proxy binds every call to the identity that made it. Policy evaluation runs on every request, inline, before the model responds. Each decision produces a signed record with identity, role, policy version, data classification, outcome, and timestamp, committed before the application sees the response. One control layer produces the evidence Article 12, LL-2026-04, TRAIGA, and the state disclosure laws each ask for in their own words.
If you are mapping controls to a growing list of AI regulations and building a separate answer for each, the map is smaller than it looks. If you are facing the August deadline, let's talk.
Frequently asked questions
- What is AI regulatory compliance?
Demonstrating to specific regulations, the EU AI Act, US state laws, and sector rules, that the organization's AI controls exist and worked. Most of these regulations reduce to three shared controls: identity-bound access, per-request policy, and reconstructable records.
- Which AI regulations take effect in 2026?
EU AI Act Article 50 transparency obligations apply August 2, 2026, with standalone high-risk obligations deferred to December 2, 2027 under the Digital Omnibus. Texas TRAIGA and the California AI Transparency Act took effect January 1, 2026, and Fannie Mae LL-2026-04 takes effect August 6, 2026.
- Do different AI laws require different systems?
Rarely. They use different vocabulary for the same three controls. An organization that builds identity-bound access, per-request policy, and reconstructable records at the AI request layer has the substrate nearly all of them require.
- How does AI regulatory compliance relate to governance?
Compliance is the evidence a regulation asks for. Governance is the running control that produces it. The governance versus compliance distinction determines which work closes a given gap.