← All posts

Compliance & Regulation

77 posts on compliance & regulation.

ISO 42001 vs ISO 27001: How the AI Management System Layers on Top of Information Security

ISO 42001 and ISO 27001 share the same management-system structure (the Annex SL Harmonized Structure) and a substantial portion of the Annex A control catalog. Organizations with an ISO 27001 certification have a head start on ISO 42001 because the management-system processes transfer with modifications. The two standards address different risk domains: 27001 covers information security risks to confidentiality, integrity, and availability of information assets, while 42001 covers AI-specific risks to fairness, reliability under adversarial pressure, transparency, accountability, and the responsible use of AI systems. This piece walks through the structural overlap, the additive AI-specific controls 42001 introduces, the integration pattern for combined audits, and the inspection-layer architecture that produces evidence under both standards.

iso-42001iso-27001aimsismsai-compliancecertification
Read post →

ISO 42001 Implementation Guide: How to Stand Up an AI Management System That Passes Certification

ISO/IEC 42001:2023 is the first international management-system standard for AI. The standard takes the ISO management-system structure (the same Annex SL Harmonized Structure used in ISO 9001, ISO 27001, and ISO 14001) and applies it to AI. Certification requires a documented AI management system covering scope, leadership, planning, support, operations, performance evaluation, and improvement. This piece walks through the certification path step by step, the Annex A controls that have to be operational, the audit evidence the certification body expects, the implementation timeline a typical mid-market organization runs, and where the AI-specific controls intersect the inspection-layer architecture.

iso-42001aimsai-management-systemai-compliancecertificationaudit-logs
Read post →

PCI DSS and AI: How v4.0 Reaches Production AI Deployments Touching Cardholder Data

PCI DSS v4.0 took full effect on March 31, 2025. The standard reaches AI deployments wherever cardholder data passes through an AI prompt, a tool result, or a retrieval corpus the AI system queries. The applicable requirements include the data flow documentation under Requirement 1, the cardholder data discovery and scope reduction under Requirement 3, the access control restrictions under Requirement 7, the logging obligations under Requirement 10, and the security testing obligations under Requirement 11. This piece walks through the requirements that reach AI deployments, where most implementations fail the QSA review, and the inspection-layer architecture that produces the audit evidence and the scope reduction the assessor will accept.

pci-dsscardholder-dataai-complianceaudit-logsinline-enforcementpayments
Read post →

GDPR Article 22 and AI: What Automated Decision-Making Requires of Production Deployments

GDPR Article 22 limits decisions based solely on automated processing that produce legal or similarly significant effects on the data subject. AI deployments that produce loan approvals, credit decisions, hiring decisions, fraud-detection outcomes, or insurance underwriting fall inside the scope. The exemption pathways carry their own obligations: explicit consent, contract necessity, or Union or member state authorization. The Article 22(3) right to obtain human intervention and the transparency obligation require records that demonstrate the meaningful intervention happened and that the data subject received meaningful information. This piece walks through the article, the exemption pathways, the meaningful-intervention test, and the inspection-layer architecture that produces the evidence the supervisor will accept.

gdprarticle-22automated-decisionsai-complianceaudit-logsdata-protection
Read post →

GDPR and AI: Where Article 5, Article 22, and Article 32 Reach Production AI Deployments

GDPR applies to AI deployments wherever the AI system processes personal data of EU residents. The applicable articles overlap with the EU AI Act but predate it and reach a broader surface. Article 5 imposes the lawfulness, purpose limitation, and data minimization principles. Article 22 limits automated individual decision-making. Article 32 imposes the security of processing obligation that the audit log is evidence against. This piece walks through the GDPR articles that reach production AI deployments, the specific obligations each creates, where most AI implementations fail the test, and the inspection-layer architecture that produces the evidence the data protection authority will accept.

gdpreu-ai-actai-compliancedata-protectionaudit-logsinline-enforcement
Read post →