Compliance & Regulation

84 posts on compliance & regulation.

EU AI Act Deployer Checklist: 22 Items Every Enterprise Deployer Needs Before August 2, 2026

August 2, 2026 is the enforcement date for the high-risk system obligations under Chapter III, Section 2 of the EU AI Act. Most enterprise compliance teams have a checklist for the provider-side obligations. Fewer have a structured checklist for the deployer side, where the runtime-evidence obligation lands. This article walks through 22 specific items a deployer of a high-risk AI system needs to have in place before August 2, organized into pre-deployment artifacts, runtime-evidence infrastructure, human oversight workflow, notification mechanisms, and ongoing operational requirements. Each item references the specific article of the act it satisfies.

Tags: eu-ai-act, deployer-obligations, compliance-checklist, article-26, enforcement, august-2026

EU AI Act Implementation Timeline: What Triggers When Between February 2025 and August 2027

The EU AI Act entered into force August 1, 2024, but its obligations phase in across multiple dates between February 2025 and August 2027. The prohibited practices under Article 5 became enforceable on February 2, 2025. The general-purpose AI provider obligations under Articles 53 and 55 became enforceable August 2, 2025. The high-risk system obligations under Chapter III, Section 2 become enforceable August 2, 2026. The remaining obligations for high-risk systems already on the market follow on August 2, 2027. This article walks through each phase, the operational consequences for providers and deployers at each date, and the evidence each phase expects to find when a market surveillance authority inspects.

Tags: eu-ai-act, compliance, timeline, enforcement, gpai, high-risk-ai

EU AI Act Deployer vs Provider: Who Owns Which Obligation in a High-Risk Deployment

The EU AI Act splits obligations between the provider that places an AI system on the market and the deployer that puts it into use. The split matters because deployers regularly assume they only have to consume the provider's documentation, while providers regularly assume the deployer carries the runtime-evidence burden. Both assumptions leave gaps the regulator will surface. This article walks through the provider obligations under Articles 16, 17, and 43, the deployer obligations under Article 26, the shared traceability obligation under Article 12, and the operational division most enterprise deployments need to land before the August 2, 2026 enforcement date for high-risk systems.

Tags: eu-ai-act, compliance, deployer-obligations, provider-obligations, high-risk-ai, article-26

What the EU Commission's May 2026 High-Risk Classification Guidelines Change About Your AI Scope Assessment

On May 19, 2026, the European Commission published its draft guidelines clarifying which AI systems fall within the high-risk classification under Annex III of the EU AI Act. The guidelines arrive 75 days before the August 2 enforcement date for high-risk obligations. They tighten the criteria for "intended purpose," reshape how deployers and providers classify HR screening, clinical decision support, and fraud detection systems, and accelerate the scope assessment timeline. This article walks through the new criteria, applies them to three concrete enterprise deployments, and identifies the per-decision evidence each will need to produce on demand from August 2 onward.

Tags: eu-ai-act, high-risk-ai, compliance, annex-iii, classification, enforcement

AI Governance Tools Comparison: Where Each Category Sits and Which Obligation It Closes

AI governance tools comparison work usually treats the category as a flat list of competitors. The 2026 reality is that the category covers four very different product shapes that sit at different layers and close different obligations under EU AI Act Article 12, Fannie Mae LL-2026-04, NIST AI RMF, and ISO 42001. This piece compares the four shapes against each obligation and shows the combination most regulated buyers actually need.

Tags: ai-governance, ai-governance-tools, compliance, eu-ai-act, vendor-evaluation, procurement

HIPAA BAAs for AI Vendors: What the Agreement Has to Cover

A Business Associate Agreement with an AI vendor transfers HIPAA obligations under specific conditions. OpenAI, Anthropic, Microsoft, AWS, and Google offer BAAs to enterprise tiers. The agreement covers what the vendor does with PHI; it does not eliminate the covered entity's duty to record disclosures.

Tags: hipaa, baa, healthcare-ai, compliance, vendor-management, audit

DORA Third-Party Risk for AI: What ICT Third-Party Providers Have to Show

DORA took effect January 17, 2025. The regulation treats AI vendors as ICT third-party service providers. Financial entities must maintain a register of contractual arrangements, monitor concentration risk, and demonstrate exit strategies. AI inference sits squarely inside the obligation.

Tags: dora, third-party-risk, financial-services, compliance, ai-governance, ict-risk

AI Governance and Risk Management: How the Two Programs Fit Together

AI governance sets the policies, roles, and accountability for AI use. Risk management identifies, measures, and treats the AI-specific risks the governance framework recognizes. The two programs share inputs (data classification, use case inventory, vendor list) and produce different outputs (policies versus risk treatments). This piece walks through how the programs fit together under NIST AI RMF, ISO 42001, and SR 11-7, the shared infrastructure they depend on, and the per-request evidence both programs need to demonstrate operation.

Tags: ai-governance, ai-risk-management, nist-ai-rmf, iso-42001, compliance, audit

EU AI Act Article 99: The Penalty Tiers and What Triggers Each One

Article 99 of the EU AI Act sets three penalty tiers reaching 35M EUR or 7% of global turnover for prohibited practices, 15M EUR or 3% for high-risk non-compliance, and 7.5M EUR or 1% for supplying misleading information. The mandate takes effect August 2, 2026.

Tags: eu-ai-act, ai-governance, compliance, penalties, enforcement, regulation

NIST AI RMF Implementation: From Govern, Map, Measure, Manage to Production Controls

NIST AI RMF 1.0 defines four functions: Govern, Map, Measure, Manage. The framework is voluntary, but federal procurement and state AI laws increasingly cite it as the baseline. Implementation runs to dozens of decisions across identity, classification, policy enforcement, and audit. Most deployments stop at Govern.

Tags: nist-ai-rmf, ai-governance, compliance, ai-security, risk-management, audit

EU AI Act Article 72: Post-Market Monitoring as a Runtime Architecture Requirement

Article 72 of the EU AI Act requires providers of high-risk AI systems to set up and document a post-market monitoring system that actively and systematically collects data on the performance of the AI throughout its lifetime. The monitoring has to feed back into the risk management process under Article 9 and into the technical documentation under Article 11. The architectural requirement is for a runtime evidence pipeline, not for periodic reporting. Most providers run product analytics and call it post-market monitoring, and the regulator will not accept that under inspection.

Tags: eu-ai-act, ai-governance, compliance, monitoring, audit, regulation

AI Vendor Due Diligence Questionnaire: What to Ask Before You Buy

AI vendor due diligence happens at the procurement gate, runs against a standard questionnaire, and produces an attestation file. The questionnaire most teams inherited from cloud SaaS vendors does not cover the questions a regulator will actually ask about AI use. The Fannie Mae LL-2026-04 framework, the EU AI Act, and the NIST AI RMF all expect ongoing due care, not one-time due diligence. This piece walks through the question categories an AI-aware procurement gate has to cover, the answers that have to live in the file, and the runtime evidence that closes the gap between due diligence and due care.

Tags: ai-governance, vendor-risk, compliance, procurement, due-diligence, audit