
Compliance & Regulation

77 posts on compliance & regulation.

EU AI Act GPAI: What General-Purpose AI Model Providers Owe Under Article 51 and the Article 53 Code of Practice

Article 51 sets the criteria under which a general-purpose AI model is classified as a model with systemic risk, and Article 52 sets the procedure for that classification. Article 53 sets the obligations every GPAI provider owes regardless of classification: draw up and keep up to date the technical documentation, make information available to the downstream providers that integrate the model, put a copyright-compliance policy in place, and publish a summary of the training content. Article 55 adds model evaluation, systemic-risk mitigation, serious-incident reporting and cybersecurity duties for the systemic-risk tier. The GPAI obligations took effect August 2, 2025, a year ahead of the high-risk obligations. Article 53(4) lets providers rely on a code of practice to demonstrate compliance, and the Code of Practice drawn up under Article 56 and published in July 2025 with the AI Office facilitating is the practical compliance roadmap for the most widely deployed foundation models in 2026.

Tags: eu-ai-act, gpai, foundation-models, compliance, ai-governance, regulation

EU AI Act for Fintech: Why Credit Scoring, Fraud Detection, and Insurance Pricing Land in the High-Risk Bucket

Annex III point 5(b) of the EU AI Act puts AI used to evaluate the creditworthiness of natural persons or to establish their credit score in the high-risk bucket. Annex III point 5(c) puts AI used for risk assessment and pricing of natural persons in life and health insurance in the same bucket. Fraud detection is carved out of point 5(b) by name ("with the exception of AI systems used for the purpose of detecting financial fraud"), so a retail-banking fraud model lands in scope only where its output is also used for a listed purpose, for example where a fraud flag decides whether a customer gets access to an essential service under point 5(a). DORA, the Digital Operational Resilience Act, runs in parallel with overlapping ICT log retention and incident reporting obligations. DORA has applied since January 17, 2025, and the Annex III high-risk obligations apply from August 2, 2026.

Tags: eu-ai-act, fintech, dora, compliance, ai-governance, audit

EU AI Act for Healthcare: Why AI in Diagnostics, Triage, and Clinical Decision Support Lands in the High-Risk Category

Healthcare AI reaches the high-risk category by two paths. Annex III lists emergency healthcare patient triage systems under point 5(d) and AI that decides access to essential services, healthcare included, under point 5(a). Article 6(1) pulls in any AI that is itself, or is a safety component of, a medical device under the Medical Device Regulation (one of the Annex I product laws) and that requires a third-party conformity assessment; that covers most diagnostic and clinical decision support software, which Rule 11 of the MDR places in class IIa or higher. Most clinical AI deployments therefore owe both the EU AI Act high-risk obligations and the MDR conformity assessment. The Annex III path applies from August 2, 2026; the Article 6(1) medical-device path applies from August 2, 2027. On either path, the record-keeping infrastructure most hospitals run today fails the Article 12 test.

Tags: eu-ai-act, healthcare, compliance, ai-governance, medical-device, audit

EU AI Act Conformity Assessment: The Two Routes, Who Performs Each One, and What the Audit File Has to Contain

A high-risk AI system cannot be placed on the Union market without a conformity assessment. Article 43 provides two routes: the internal control procedure in Annex VI, performed by the provider itself, and the procedure in Annex VII, performed by a notified body that assesses the quality management system and the technical documentation. Which route applies depends on the system category: Annex III points 2 to 8 (employment, credit, essential services and the rest) use internal control; biometric systems under Annex III point 1 go to a notified body unless the provider has applied harmonised standards or common specifications in full; AI embedded in an Annex I product such as a medical device follows that product's own sectoral procedure. Whichever route applies, the audit file must contain the technical documentation listed in Annex IV, including the system architecture, the risk management system, the data governance approach, the record-keeping system, and the post-market monitoring system. Most enterprise deployers have not yet built the record-keeping side.

Tags: eu-ai-act, compliance, ai-governance, audit, regulation, high-risk-ai

EU AI Act Fines: How Article 99 Sets €35M / €15M / €7.5M Tiers and Who Pays Each One

Article 99 of the EU AI Act sets three penalty tiers, each capped at the higher of a fixed sum and a share of total worldwide annual turnover for the preceding financial year: €35 million or 7% for the prohibited practices in Article 5; €15 million or 3% for non-compliance with the other obligations, which is where high-risk provider and deployer duties sit; and €7.5 million or 1% for supplying incorrect, incomplete or misleading information to notified bodies or national authorities. The middle tier is the one that lands on most enterprise deployers. The one reversal to note is Article 99(6): for SMEs and start-ups each cap is the lower of the two figures, not the higher.

Tags: eu-ai-act, compliance, ai-governance, regulation, audit, ai-security

AI Governance Tools Comparison: Where Each Category Sits and Which Obligation It Closes

Most AI governance tools comparisons treat the category as a flat list of competitors. In 2026 the category actually covers four very different product shapes that sit at different layers of the stack and close different obligations under EU AI Act Article 12, Fannie Mae LL-2026-04, NIST AI RMF, and ISO 42001. This piece compares the four shapes against each obligation and shows the combination most regulated buyers actually need.

Tags: ai-governance, ai-governance-tools, compliance, eu-ai-act, vendor-evaluation, procurement

AI Governance Maturity Model: The Five Stages and Where Most Enterprises Actually Sit

AI governance maturity models tend to read as aspirational ladders that everyone climbs eventually. The version that matches what regulators ask for in 2026 has five concrete stages defined by the per-decision evidence the deployer can produce at each level. This piece walks through the five stages, where each stage sits against EU AI Act Article 12 and Fannie Mae LL-2026-04 obligations, and the architectural control that moves an organization to the next stage.

Tags: ai-governance, ai-governance-maturity-model, compliance, eu-ai-act, risk-management, audit

AI Governance Failure: What the Headline Incidents Have in Common and Where the Architecture Fails

AI governance failures cluster around the same architectural defects in incident after incident: identity unbound at the request layer, audit logs written by the application under audit, shadow AI traffic outside the inspection boundary, and vendor AI usage the deployer never sees. This piece walks through the recurring failure pattern, the recent incident record, and the architectural control that closes each defect before the next breach gets reported.

Tags: ai-governance, ai-governance-failure, incident-response, compliance, shadow-ai, audit

AI Governance Challenges: The Seven Failures That Show Up in the First Regulator Review

AI governance challenges show up in a specific order during the first EU AI Act, NIST AI RMF, and Fannie Mae LL-2026-04 review. The seven failure modes cluster around identity binding, per-decision audit, shadow AI exposure, vendor AI usage, policy version drift, model registry gaps, and disclosure obligations. This piece walks each failure mode through the regulatory question that surfaces it and the architectural control that closes it.

Tags: ai-governance, ai-governance-challenges, compliance, eu-ai-act, risk-management, audit

AI Governance Tools: What the Category Has To Cover and Where Most Products Stop

The AI governance tools category bundles four very different product shapes: model registries, policy authoring platforms, posture and inventory scanners, and runtime enforcement layers. Each shape covers a different obligation under the EU AI Act, NIST AI RMF, ISO 42001, and Fannie Mae LL-2026-04. This piece walks through what each shape does, where each one stops, and the runtime gap most buyers discover after the procurement decision.

Tags: ai-governance, ai-governance-tools, compliance, eu-ai-act, nist-ai-rmf, iso-42001

EU AI Act vs GDPR: How the Two Regimes Diverge on Record-Keeping, Identity, and the Per-Decision Trace

Compliance teams reach for the GDPR record-keeping playbook when the EU AI Act lands on the legal calendar. The two regimes overlap on data subject rights and personal-data scope. They diverge on the cadence of evidence, the identity of the actor the record describes, and the per-decision trace the AI Act requires. This piece walks through the five axes where the regimes diverge, the record formats each regulator reads, and the architectural changes the AI request path needs before August 2, 2026.

Tags: eu-ai-act, gdpr, compliance, article-12, audit-logs, governance

Compliance After the Act: The EU AI Act Mindset Shift From Documentation to Per-Decision Evidence

Article 12 of the EU AI Act applies to Annex III high-risk systems from August 2, 2026 and changes what regulators ask of them. Compliance teams that came from GDPR are familiar with management-level documentation regimes. The Act asks for operational-level per-decision evidence: logs generated automatically over the system's lifetime, retained by the deployer, and traceable to each use. This piece walks through the four mindset shifts a security and compliance organization has to make: from policy documents to live audit records, from quarterly reviews to per-request decisions, from third-party attestation to first-party evidence, and from boundary controls to per-route enforcement.

Tags: eu-ai-act, article-12, compliance, audit-logs, high-risk-ai, governance