Compliance & Regulation

143 posts on compliance & regulation.

State of AI Compliance Q2 2026: The Regulations That Took Effect, the Enforcement Actions That Landed, and the Evidence Gaps Auditors Cited

Q2 2026 closed with the EU AI Act high-risk system requirements 60 days from effect, the Fannie Mae and Freddie Mac AI governance frameworks already in force, and the first major enforcement actions under the EU AI Act risk-management obligations on the docket. This quarterly mini-report walks through the regulations that took effect or shifted in Q2 2026, the enforcement and litigation actions that landed, the recurring evidence gaps auditors cited, and the architectural patterns enterprises adopted to close them.

Tags: ai-compliance, eu-ai-act, fannie-mae, hipaa, quarterly-report, ai-governance

Due Diligence Is Not Due Care: The AI Compliance Gap That Closes at the Request Layer

Due diligence is the procurement check a deployer runs once when selecting an AI vendor. Due care is the ongoing operational obligation that runs every time the AI system produces a decision. Most enterprises confuse the two. The vendor security questionnaire, the SOC 2 report, and the BAA cover the diligence side. The due care side is the per-decision evidence the regulator reads at audit time. This piece walks through the legal distinction, the regulatory regimes that depend on it, and the request-layer architecture that produces due care evidence on demand.

Tags: due-care, ai-compliance, ai-governance, audit-logs, eu-ai-act, liability

EU AI Act Classifier: A Free Tool to Score Your AI System Against Annex III High-Risk Categories

The EU AI Act assigns AI systems to four risk tiers (prohibited, high-risk, limited-risk, minimal-risk). The classification determines which obligations apply and when they take effect. This page walks through the classifier the DeepInspect team built to score your AI system against the Annex III high-risk categories, the supporting articles, and the inputs the classifier needs to produce a defensible verdict.

Tags: eu-ai-act, classifier, annex-iii, compliance, risk-assessment, free-tool

Implementing EU AI Act Article 12 Logging: An Architectural Walkthrough

Article 12 of the EU AI Act takes effect August 2, 2026 for high-risk systems. The text requires automatic event recording over the system lifetime, identification of the natural persons involved, and retention for at least six months. This guide walks through the architecture that satisfies the mandate, the four decisions that have to be made at the request layer, and the audit-record schema that survives a regulator review.

Tags: eu-ai-act, compliance, audit-logs, implementation-guide, ai-governance, article-12

AI Policy Generator: A Free Tool That Produces a Defensible Internal AI Use Policy in 15 Minutes

A shadow AI policy is the document a regulator reads first when something goes wrong. Most copy-paste templates fail because they list rules without the enforcement architecture behind them. The DeepInspect AI policy generator takes 12 questions about your organization and produces a defensible policy document with the seven sections an EU AI Act reviewer or a HIPAA auditor will recognize. The output is a markdown file your legal team edits and your CISO signs.

Tags: ai-policy, policy-generator, compliance, ai-governance, free-tool, employee-policy

NIST AI RMF Mapping for AI Gateways: How the Four Functions Land on Request-Layer Controls

The NIST AI Risk Management Framework (AI RMF 1.0, released January 2023) organizes AI risk controls into four functions: Govern, Map, Measure, Manage. The framework is voluntary, but US federal procurement, Fannie Mae LL-2026-04, and the GSA AI Acquisition Resource Guide all reference it directly. This guide maps each of the four functions to the request-layer control on an AI gateway that satisfies it.

Tags: nist-ai-rmf, compliance, ai-governance, ai-gateway, audit, controls-mapping

ISO 42001 vs ISO 27001: How the AI Management System Layers on Top of Information Security

ISO 42001 and ISO 27001 share the same management-system structure (the Annex SL Harmonized Structure) and a substantial portion of the Annex A control catalog. Organizations with an ISO 27001 certification have a head start on ISO 42001 because the management-system processes transfer with modifications. The two standards address different risk domains: 27001 covers information security risks to confidentiality, integrity, and availability of information assets, while 42001 covers AI-specific risks to fairness, reliability under adversarial pressure, transparency, accountability, and the responsible use of AI systems. This piece walks through the structural overlap, the additive AI-specific controls 42001 introduces, the integration pattern for combined audits, and the inspection-layer architecture that produces evidence under both standards.

Tags: iso-42001, iso-27001, aims, isms, ai-compliance, certification

ISO 42001 Implementation Guide: How to Stand Up an AI Management System That Passes Certification

ISO/IEC 42001:2023 is the first international management-system standard for AI. The standard takes the ISO management-system structure (the same Annex SL Harmonized Structure used in ISO 9001, ISO 27001, and ISO 14001) and applies it to AI. Certification requires a documented AI management system covering scope, leadership, planning, support, operations, performance evaluation, and improvement. This piece walks through the certification path step by step, the Annex A controls that have to be operational, the audit evidence the certification body expects, the implementation timeline a typical mid-market organization runs, and where the AI-specific controls intersect the inspection-layer architecture.

Tags: iso-42001, aims, ai-management-system, ai-compliance, certification, audit-logs

PCI DSS and AI: How v4.0 Reaches Production AI Deployments Touching Cardholder Data

PCI DSS v4.0 took full effect on March 31, 2025. The standard reaches AI deployments wherever cardholder data passes through an AI prompt, a tool result, or a retrieval corpus the AI system queries. The applicable requirements include the data flow documentation under Requirement 1, the cardholder data discovery and scope reduction under Requirement 3, the access control restrictions under Requirement 7, the logging obligations under Requirement 10, and the security testing obligations under Requirement 11. This piece walks through the requirements that reach AI deployments, where most implementations fail the QSA review, and the inspection-layer architecture that produces the audit evidence and the scope reduction the assessor will accept.

Tags: pci-dss, cardholder-data, ai-compliance, audit-logs, inline-enforcement, payments

GDPR Article 22 and AI: What Automated Decision-Making Requires of Production Deployments

GDPR Article 22 limits decisions based solely on automated processing that produce legal or similarly significant effects on the data subject. AI deployments that produce loan approvals, credit decisions, hiring decisions, fraud-detection outcomes, or insurance underwriting fall inside the scope. The exemption pathways carry their own obligations: explicit consent, contract necessity, or Union or member state authorization. The Article 22(3) right to obtain human intervention and the transparency obligation require records that demonstrate the meaningful intervention happened and that the data subject received meaningful information. This piece walks through the article, the exemption pathways, the meaningful-intervention test, and the inspection-layer architecture that produces the evidence the supervisor will accept.

Tags: gdpr, article-22, automated-decisions, ai-compliance, audit-logs, data-protection

GDPR and AI: Where Article 5, Article 22, and Article 32 Reach Production AI Deployments

GDPR applies to AI deployments wherever the AI system processes personal data of EU residents. The applicable articles overlap with the EU AI Act but predate it and reach a broader surface. Article 5 imposes the lawfulness, purpose limitation, and data minimization principles. Article 22 limits automated individual decision-making. Article 32 imposes the security of processing obligation that the audit log is evidence against. This piece walks through the GDPR articles that reach production AI deployments, the specific obligations each creates, where most AI implementations fail the test, and the inspection-layer architecture that produces the evidence the data protection authority will accept.

Tags: gdpr, eu-ai-act, ai-compliance, data-protection, audit-logs, inline-enforcement