Compliance & Regulation

143 posts on compliance & regulation.

NIST AI RMF MEASURE Function: The Controls That Produce Auditable Evidence

The NIST AI Risk Management Framework organizes risk management into four functions: GOVERN, MAP, MEASURE, and MANAGE. MEASURE is the function that produces the operational evidence the other three functions depend on. The framework defines four categories under MEASURE, with 18 subcategories that specify what to assess and how to assess it. This article walks each category, the controls a deployer needs in production to satisfy them, the artifacts the controls produce, and where a stateless policy gateway sits in the evidence chain.

Tags: nist-ai-rmf, compliance, risk-management, measurement, audit, ai-governance

EU AI Act Conformity Assessment Bodies: Which Notified Bodies Will Sign Off Your High-Risk System

The EU AI Act requires high-risk AI systems to undergo a conformity assessment before being placed on the market. For some categories, the provider self-assesses. For others, the provider has to engage a notified body that the member state has designated under Article 31. With August 2, 2026 thirty-two days away, providers need a working understanding of which Annex III categories trigger third-party conformity assessment, how the notified body designation process works, and what the assessment record looks like when it lands in a market surveillance investigation.

Tags: eu-ai-act, conformity-assessment, notified-bodies, compliance, high-risk-ai, regulation

Serious Incident or Malfunction: The Article 73 Trigger That Decides Whether the Clock Starts

The EU AI Act Article 73 reporting obligation hinges on whether an event qualifies as a serious incident under the Article 3(49) definition. Operationally, the difference between a serious incident and an internal malfunction is the difference between a 15-day external reporting clock and an internal incident review. The provider that misclassifies a serious incident as a malfunction has missed the regulatory window. This article walks the Article 3(49) definition, the decision criteria the supervisory authorities apply, the borderline case patterns that recur in enterprise deployments, and the operational record the triage decision requires.

Tags: eu-ai-act, incident-response, compliance, article-73, high-risk-ai, regulation

EU AI Act Article 5 Prohibited Practices: The Eight AI Use Cases That Cannot Be Deployed in the EU

EU AI Act Article 5 prohibits eight categories of AI use that the regulation treats as incompatible with Union values. The prohibition has been in force since February 2, 2025. Penalties under Article 99 reach EUR 35 million or 7 percent of global annual turnover, the highest tier in the regulation. Enterprises preparing for the August 2, 2026 high-risk deadline often skip Article 5 because the prohibitions sound like edge cases. The operational reality is that several prohibitions catch mainstream enterprise use cases when the system is examined against the actual statutory text.

Tags: eu-ai-act, article-5, prohibited-ai, compliance, regulation, ai-governance

EU AI Act August 2, 2026 Readiness Checklist: The 32-Day Operational Sweep

On August 2, 2026, the EU AI Act high-risk system obligations take effect. Providers and deployers operating in the EU have 32 days from today to close the gap between the regulation as written and the operational evidence the supervisory authorities will ask for. This checklist walks the eight artifacts a high-risk deployer needs in production before August 2: the inventory, the classification, the Article 11 documentation, the Article 12 logging architecture, the Article 14 human oversight record, the Article 19 retention plan, the Article 26 deployer obligations, and the Article 73 incident reporting workflow.

Tags: eu-ai-act, compliance, high-risk-ai, regulation, audit, ai-governance

EU AI Act EU Database Registration: Article 49 Obligations for High-Risk Systems

EU AI Act Article 49 requires providers of most high-risk AI systems to register the system in the EU database for high-risk AI systems before placing it on the EU market or putting it into service. Article 49(2) creates a parallel obligation for public-authority deployers and certain EU institution deployers to register the systems they use. The database is maintained by the Commission and is publicly accessible for the information that is not commercially sensitive. With the August 2, 2026 high-risk enforcement date 34 days away, providers and the in-scope deployers need a clear read on what gets registered, who registers it, and what the registration record contains.

Tags: eu-ai-act, compliance, database-registration, high-risk-ai, regulation, article-49

EU AI Act Post-Market Monitoring: Article 72 Obligations and the Plan That Survives an Audit

EU AI Act Article 72 requires providers of high-risk AI systems to establish and document a post-market monitoring system that actively and systematically collects, documents, and analyzes data on the performance of the system throughout its lifetime. The monitoring system must be proportionate to the nature of the AI technologies and the risks, and it must allow the provider to evaluate continuous compliance with the requirements of Chapter III, Section 2 of the regulation. With the August 2, 2026 high-risk enforcement date 34 days away, providers and deployers need a clear read on what the monitoring plan must contain, what data feeds it, and what artifacts an auditor expects to see.

Tags: eu-ai-act, compliance, post-market-monitoring, high-risk-ai, regulation, article-72

EU AI Act Incident Reporting: Article 73 Obligations Before the August 2 Date

EU AI Act Article 73 requires providers of high-risk AI systems to report serious incidents to the market surveillance authority of the member state where the incident occurred. The reporting window is 15 days from the moment the provider establishes the causal link between the incident and the AI system, with a 72-hour window for widespread infringements and a 2-day window for incidents resulting in death. With the August 2, 2026 high-risk enforcement date 34 days away, providers and deployers need a clear read on what counts as a serious incident, who reports, and what the reporting record needs to contain.

Tags: eu-ai-act, compliance, incident-response, high-risk-ai, regulation, article-73

EU AI Act FRIA Templates for Deployers: What the Article 27 Assessment Actually Has to Contain

Article 27 of the EU AI Act requires a Fundamental Rights Impact Assessment from certain deployers of high-risk AI systems before first use. The FRIA must cover the deployment process, the time period and frequency of use, the categories of natural persons affected, the specific risks of harm, the human oversight measures, and the measures to take if those risks materialize. The August 2, 2026 enforcement date means deployers of in-scope systems need a completed FRIA in hand at that point. This article walks through what Article 27 actually requires, which deployers are in scope, and the section-by-section structure a defensible FRIA needs.

Tags: eu-ai-act, compliance, ai-governance, regulation, fundamental-rights, fria

EU AI Act Importers and Distributors: The Lesser-Known Article 23 and Article 24 Obligations

Article 23 covers importer obligations and Article 24 covers distributor obligations for high-risk AI systems in the EU. The roles get conflated with provider and deployer roles in practice. An importer is the operator that places a high-risk AI system from outside the EU onto the EU market. A distributor is the operator that makes a high-risk AI system available in the EU market without being the importer or the provider. Both have specific verification obligations before the system reaches the deployer. With the August 2, 2026 enforcement date approaching, EU resellers and EU branches of non-EU vendors need to understand which obligations belong to them.

Tags: eu-ai-act, compliance, ai-governance, regulation, high-risk-ai, importer-distributor

EU AI Act Providers vs Deployers: Splitting the Obligations Before August 2, 2026

The EU AI Act assigns different obligations to providers and deployers of high-risk AI systems. Article 16 covers provider obligations; Article 26 covers deployer obligations. The split matters because most enterprises operating AI in the EU are deployers, not providers, and the deployer obligations are routinely underestimated. With the August 2, 2026 high-risk enforcement date 35 days away, deployers running on someone else's foundation model need a clear read on which obligations belong to them. This article walks the provider-deployer split, the cases that change the assignment, and the architectural artifacts each side needs.

Tags: eu-ai-act, compliance, ai-governance, regulation, high-risk-ai, deployer-obligations

EU AI Act Systemic-Risk Models: How the 10^25 FLOPs Threshold Triggers Article 55 Obligations

The EU AI Act treats a subset of general-purpose AI models as systemic-risk under Article 51, with the principal trigger set at 10^25 FLOPs of training compute. Models in that bucket inherit additional Article 55 obligations on model evaluation, systemic-risk assessment, serious-incident reporting, and cybersecurity. This article walks through the threshold mechanics, the Commission designation pathway, and the second-order obligations that flow to enterprise deployers integrating a systemic-risk model.

Tags: eu-ai-act, systemic-risk, compliance, gpai, regulation, foundation-models