Compliance & Regulation

20 posts on compliance & regulation.

NIS2 AI Requirements: How the Directive Captures AI-Driven Operations

NIS2 took effect at the Member State level by October 18, 2024. The directive covers essential and important entities across 18 sectors. AI used in those operations falls under Article 21 cybersecurity risk management and Article 23 incident reporting. Audit trail expectations are operational.

Tags: nis2, cybersecurity, ai-governance, compliance, incident-reporting, audit

DORA Third-Party Risk for AI: What ICT Third-Party Providers Have to Show

DORA took effect January 17, 2025. The regulation treats AI vendors as ICT third-party service providers. Financial entities must maintain a register of contractual arrangements, monitor concentration risk, and demonstrate exit strategies. AI inference sits squarely inside the obligation.

Tags: dora, third-party-risk, financial-services, compliance, ai-governance, ict-risk

HIPAA AI Audit Trail: What Records OCR Asks For After an AI Incident

HIPAA Security Rule audit controls require recording activity in systems that contain PHI. AI deployments produce that activity at the prompt layer. OCR audits request per-request records of PHI exposure to AI services. Application logs fail. The architecture that survives is independent of the application.

Tags: hipaa, healthcare-ai, audit, compliance, ai-security, ocr

ISO 27001 AI Compliance: How ISO 42001 Sits On Top of the ISMS

ISO 27001 is the information security management system standard. ISO 42001 is the AI management system standard published December 2023. The two standards integrate at the controls layer. Annex A controls in ISO 27001:2022 cover the same evidence ISO 42001 expects for AI-specific risk treatment.

Tags: iso-27001, iso-42001, ai-governance, compliance, isms, audit

SOC 2 AI Controls: Mapping the Trust Services Criteria to AI Deployments

SOC 2 reports cover five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. AI deployments touch all five. The audit evidence that AICPA expects has to be operational, not architectural. Application logs and policy documents fail. The records that pass are per request.

Tags: soc-2, ai-governance, compliance, trust-services-criteria, audit, aicpa

HIPAA BAAs for AI Vendors: What the Agreement Has to Cover

A Business Associate Agreement with an AI vendor transfers HIPAA obligations under specific conditions. OpenAI, Anthropic, Microsoft, AWS, and Google offer BAAs to enterprise tiers. The agreement covers what the vendor does with PHI; it does not eliminate the covered entity's duty to record disclosures.

Tags: hipaa, baa, healthcare-ai, compliance, vendor-management, audit

HIPAA PHI Redaction in AI Prompts: What Inline Enforcement Requires

HIPAA requires that PHI be redacted or de-identified before disclosure to entities outside a Business Associate Agreement. AI prompts routinely contain PHI. Inline redaction at the AI request boundary is the only architecture that produces the per-request evidence HHS expects under a HIPAA audit.

Tags: hipaa, phi, healthcare-ai, compliance, ai-security, audit

NIST AI RMF vs EU AI Act: Where the Frameworks Overlap and Diverge

NIST AI RMF is a voluntary US framework. The EU AI Act is binding law with penalties reaching 35M EUR or 7% of global turnover. The two frameworks converge on the same operational evidence: per-request records that capture identity, classification, policy state, and decision outcome.

Tags: nist-ai-rmf, eu-ai-act, ai-governance, compliance, regulation, audit

NIST AI RMF Implementation: From Govern, Map, Measure, Manage to Production Controls

NIST AI RMF 1.0 defines four functions: Govern, Map, Measure, Manage. The framework is voluntary, but federal procurement and state AI laws increasingly cite it as the baseline. Implementation runs to dozens of decisions across identity, classification, policy enforcement, and audit. Most deployments stop at Govern.

Tags: nist-ai-rmf, ai-governance, compliance, ai-security, risk-management, audit