Compliance & Regulation

143 posts on compliance & regulation.

NIST AI RMF vs EU AI Act: Where the Frameworks Overlap and Diverge

NIST AI RMF is a voluntary US framework. The EU AI Act is binding law with penalties reaching 35M EUR or 7% of global turnover. The two frameworks converge on the same operational evidence: per-request records that capture identity, classification, policy state, and decision outcome.

Tags: nist-ai-rmf, eu-ai-act, ai-governance, compliance, regulation, audit

NIS2 AI Requirements: How the Directive Captures AI-Driven Operations

NIS2 took effect at the Member State level by October 18, 2024. The directive covers essential and important entities across 18 sectors. AI used in those operations falls under Article 21 cybersecurity risk management and Article 23 incident reporting. Audit trail expectations are operational.

Tags: nis2, cybersecurity, ai-governance, compliance, incident-reporting, audit

ISO 27001 AI Compliance: How ISO 42001 Sits On Top of the ISMS

ISO 27001 is the information security management system standard. ISO 42001 is the AI management system standard published December 2023. The two standards integrate at the controls layer. Annex A controls in ISO 27001:2022 cover the same evidence ISO 42001 expects for AI-specific risk treatment.

Tags: iso-27001, iso-42001, ai-governance, compliance, isms, audit

How to Comply with the EU AI Act: The Six-Workstream Operating Plan

EU AI Act compliance breaks into six operational workstreams: scope classification, technical documentation, conformity assessment, runtime evidence, deployer monitoring, and incident reporting. The mandate takes effect August 2, 2026. Most organizations are running three of the six and missing the rest.

Tags: eu-ai-act, ai-governance, compliance, implementation, audit, regulation

HIPAA PHI Redaction in AI Prompts: What Inline Enforcement Requires

HIPAA requires that PHI is redacted or de-identified before disclosure to entities outside a Business Associate Agreement. AI prompts routinely contain PHI. Inline redaction at the AI request boundary is the only architecture that produces the per-request evidence HHS expects under a HIPAA audit.

Tags: hipaa, phi, healthcare-ai, compliance, ai-security, audit

HIPAA AI Audit Trail: What Records OCR Asks For After an AI Incident

HIPAA Security Rule audit controls require recording activity in systems that contain PHI. AI deployments produce that activity at the prompt layer. OCR audits request per-request records of PHI exposure to AI services. Application logs fail. The architecture that survives is independent of the application.

Tags: hipaa, healthcare-ai, audit, compliance, ai-security, ocr

EU AI Act High-Risk Classification: The Article 6 Two-Branch Test

Article 6 of the EU AI Act establishes a two-branch test for classifying an AI system as high-risk. Branch one covers safety components of regulated products. Branch two covers the Annex III use cases. The classification triggers the full operational regime from August 2, 2026.

Tags: eu-ai-act, ai-governance, compliance, high-risk, classification, regulation

EU AI Act Article 26: The Deployer Obligations Most Teams Miss

Article 26 of the EU AI Act puts operational obligations on the deployer of a high-risk AI system. The deployer must monitor operation, suspend use under specific risk conditions, keep automatically generated logs, and inform the provider and authorities. The mandate takes effect August 2, 2026.

Tags: eu-ai-act, ai-governance, compliance, deployer-obligations, audit, regulation