
Compliance & Regulation

77 posts on compliance & regulation.

AI Governance Policy: What a Policy Has to Specify to Be Enforceable

Most AI governance policies are written for the auditor but cannot be evaluated at the request layer. A policy that lacks classification rules, identity definitions, and enforcement decision points is prose, not control. The article walks through what the policy has to specify to be enforceable.

ai-governance, ai-compliance, policy-enforcement, eu-ai-act, compliance, audit

AI Governance Auditing: What an Auditor Actually Asks For

AI governance audits turn on per-decision evidence. The auditor asks who initiated each request, what data was involved, what policy applied, and what the outcome was. Application logs collapse under those questions. The article walks through what an audit actually examines and the architecture that survives it.

ai-governance, audit, compliance, eu-ai-act, ai-security, regulation

AI Ethics and Governance: Where Principles Meet Per-Decision Records

AI ethics committees set principles. AI governance translates those principles into per-decision enforcement and audit records. The article walks through the seam between the two functions and what each one has to produce so a regulator can trace a principle to the decisions made under it.

ai-governance, ai-compliance, audit, compliance, eu-ai-act, regulation

AI Data Governance: Classifying What Enters and Leaves the Prompt

AI data governance fails when the classification engine runs on documents and not on prompts. The data lake is sorted; the AI request path is not. The article walks through the prompt-level classification, lineage, and disclosure architecture that satisfies the regulators asking new questions about model inputs.

ai-governance, ai-compliance, compliance, eu-ai-act, shadow-ai, ai-security

AI Compliance Certification: What Customers Now Ask For in Procurement

AI compliance certification has shifted from a nice-to-have to a procurement gate. Customers ask vendors for ISO 42001 or NIST AI RMF alignment, SOC 2 with AI extensions, and per-decision audit evidence. The article walks through what to prepare, in what order, and where each certification meets the runtime evidence requirement.

ai-compliance, ai-governance, compliance, iso-42001, audit, regulation

State of AI Compliance Q2 2026: The Regulations That Took Effect, the Enforcement Actions That Landed, and the Evidence Gaps Auditors Cited

Q2 2026 closed with the EU AI Act high-risk system requirements 60 days from effect, the Fannie Mae and Freddie Mac AI governance frameworks already in force, and the first major enforcement actions under the EU AI Act risk-management obligations on the docket. This quarterly mini-report walks through the regulations that took effect or shifted in Q2 2026, the enforcement and litigation actions that landed, the recurring evidence gaps auditors cited, and the architectural patterns enterprises adopted to close them.

ai-compliance, eu-ai-act, fannie-mae, hipaa, quarterly-report, ai-governance

Due Diligence Is Not Due Care: The AI Compliance Gap That Closes at the Request Layer

Due diligence is the procurement check a deployer runs once when selecting an AI vendor. Due care is the ongoing operational obligation that runs every time the AI system produces a decision. Most enterprises confuse the two. The vendor security questionnaire, the SOC 2 report, and the BAA cover the diligence side. The due care side is the per-decision evidence the regulator reads at audit time. This piece walks through the legal distinction, the regulatory regimes that depend on it, and the request-layer architecture that produces due care evidence on demand.

due-care, ai-compliance, ai-governance, audit-logs, eu-ai-act, liability

EU AI Act Classifier: A Free Tool to Score Your AI System Against Annex III High-Risk Categories

The EU AI Act assigns AI systems to four risk tiers (prohibited, high-risk, limited-risk, minimal-risk). The classification determines which obligations apply and when they take effect. This page walks through the classifier the DeepInspect team built to score your AI system against the Annex III high-risk categories, the supporting articles, and the inputs the classifier needs to produce a defensible verdict.

eu-ai-act, classifier, annex-iii, compliance, risk-assessment, free-tool

Implementing EU AI Act Article 12 Logging: An Architectural Walkthrough

Article 12 of the EU AI Act takes effect August 2, 2026 for high-risk systems. The text requires automatic event recording over the system lifetime, identification of the natural persons involved, and retention for at least six months. This guide walks through the architecture that satisfies the mandate, the four decisions that have to be made at the request layer, and the audit-record schema that survives a regulator review.

eu-ai-act, compliance, audit-logs, implementation-guide, ai-governance, article-12

AI Policy Generator: A Free Tool That Produces a Defensible Internal AI Use Policy in 15 Minutes

A shadow AI policy is the document a regulator reads first when something goes wrong. Most copy-paste templates fail because they list rules without the enforcement architecture behind them. The DeepInspect AI policy generator takes 12 questions about your organization and produces a defensible policy document with the seven sections an EU AI Act reviewer or a HIPAA auditor will recognize. The output is a markdown file your legal team edits and your CISO signs.

ai-policy, policy-generator, compliance, ai-governance, free-tool, employee-policy

NIST AI RMF Mapping for AI Gateways: How the Four Functions Land on Request-Layer Controls

The NIST AI Risk Management Framework (AI RMF 1.0, released January 2023) organizes AI risk controls into four functions: Govern, Map, Measure, Manage. The framework is voluntary, but US federal procurement, Fannie Mae LL-2026-04, and the GSA AI Acquisition Resource Guide all reference it directly. This guide maps each of the four functions to the request-layer control on an AI gateway that satisfies it.

nist-ai-rmf, compliance, ai-governance, ai-gateway, audit, controls-mapping