
Compliance & Regulation

143 posts on compliance & regulation.

EU AI Act for Fintech: Why Credit Scoring, Fraud Detection, and Insurance Pricing Land in the High-Risk Bucket

Annex III point 5(b) of the EU AI Act puts AI used in evaluating the creditworthiness of natural persons in the high-risk bucket. Annex III point 5(c) puts AI used in life and health insurance pricing in the same bucket. Fraud-detection AI used in retail banking sits in scope where it affects access to essential services. DORA, the Digital Operational Resilience Act, runs in parallel with overlapping log retention and incident reporting obligations. The August 2, 2026 high-risk deadline and the January 17, 2025 DORA effective date are both already binding.

Tags: eu-ai-act, fintech, dora, compliance, ai-governance, audit

EU AI Act for Healthcare: Why AI in Diagnostics, Triage, and Clinical Decision Support Lands in the High-Risk Category

Healthcare AI sits in the high-risk category by two paths. Annex III lists AI used in employment and essential services. The Medical Device Regulation pulls in any AI that meets the definition of a medical device, including most diagnostic and triage tools. The combination means most clinical AI deployments owe both the EU AI Act high-risk obligations and the MDR conformity assessment. The August 2, 2026 deadline applies, and the record-keeping infrastructure most hospitals run today fails the Article 12 test.

Tags: eu-ai-act, healthcare, compliance, ai-governance, medical-device, audit

EU AI Act Conformity Assessment: The Two Routes, Who Performs Each One, and What the Audit File Has to Contain

A high-risk AI system cannot be placed on the Union market without a conformity assessment. Article 43 allows two routes: an internal control procedure based on Annex VI, and a third-party procedure involving a notified body and Annex VII. The route depends on the system category. The audit file must contain the technical documentation listed in Annex IV, including the system architecture, the risk management process, the data governance approach, and the record-keeping system. Most enterprise deployers have not yet built the record-keeping side.

Tags: eu-ai-act, compliance, ai-governance, audit, regulation, high-risk-ai

EU AI Act Fines: How Article 99 Sets €35M / €15M / €7.5M Tiers and Who Pays Each One

Article 99 of the EU AI Act sets three penalty tiers. €35 million or 7% of global turnover for prohibited practices. €15 million or 3% for high-risk non-compliance. €7.5 million or 1% for supplying misleading information. The high-risk tier is the one that lands on most enterprise deployers, and the math is set up so that the higher of the absolute number and the percentage applies.

Tags: eu-ai-act, compliance, ai-governance, regulation, audit, ai-security

AI Governance Maturity Model: The Five Stages and Where Most Enterprises Actually Sit

AI governance maturity models tend to read as aspirational ladders that everyone climbs eventually. The version that matches what regulators ask for in 2026 has five concrete stages defined by the per-decision evidence the deployer can produce at each level. This piece walks through the five stages, where each stage sits against EU AI Act Article 12 and Fannie Mae LL-2026-04 obligations, and the architectural control that moves an organization to the next stage.

Tags: ai-governance, ai-governance-maturity-model, compliance, eu-ai-act, risk-management, audit

AI Governance Failure: What the Headline Incidents Have in Common and Where the Architecture Fails

AI governance failures cluster around the same architectural defects in incident after incident: identity unbound at the request layer, audit logs written by the application under audit, shadow AI traffic outside the inspection boundary, and vendor AI usage the deployer never sees. This piece walks through the recurring failure pattern, the recent incident record, and the architectural control that closes each defect before the next breach gets reported.

Tags: ai-governance, ai-governance-failure, incident-response, compliance, shadow-ai, audit

AI Governance Challenges: The Seven Failures That Show Up in the First Regulator Review

AI governance challenges show up in a specific order during the first EU AI Act, NIST AI RMF, and Fannie Mae LL-2026-04 review. The seven failure modes cluster around identity binding, per-decision audit, shadow AI exposure, vendor AI usage, policy version drift, model registry gaps, and disclosure obligations. This piece walks each failure mode through the regulatory question that surfaces it and the architectural control that closes it.

Tags: ai-governance, ai-governance-challenges, compliance, eu-ai-act, risk-management, audit

AI Governance Tools: What the Category Has To Cover and Where Most Products Stop

The AI governance tools category bundles four very different product shapes: model registries, policy authoring platforms, posture and inventory scanners, and runtime enforcement layers. Each shape covers a different obligation under the EU AI Act, NIST AI RMF, ISO 42001, and Fannie Mae LL-2026-04. This piece walks through what each shape does, where each one stops, and the runtime gap most buyers discover after the procurement decision.

Tags: ai-governance, ai-governance-tools, compliance, eu-ai-act, nist-ai-rmf, iso-42001

EU AI Act vs GDPR: How the Two Regimes Diverge on Record-Keeping, Identity, and the Per-Decision Trace

Compliance teams reach for the GDPR record-keeping playbook when the EU AI Act lands on the legal calendar. The two regimes overlap on data subject rights and personal-data scope. They diverge on the cadence of evidence, the identity of the actor the record describes, and the per-decision trace the AI Act requires. This piece walks through the five axes where the regimes diverge, the record formats each regulator reads, and the architectural changes the AI request path needs before August 2, 2026.

Tags: eu-ai-act, gdpr, compliance, article-12, audit-logs, governance

Compliance After the Act: The EU AI Act Mindset Shift From Documentation to Per-Decision Evidence

EU AI Act Article 12 takes effect August 2, 2026 and changes what regulators ask of high-risk AI systems. Compliance teams that came from GDPR are familiar with management-level documentation regimes. The Act asks for operational-level per-decision evidence. This piece walks through the four mindset shifts a security and compliance organization has to make: from policy documents to live audit records, from quarterly reviews to per-request decisions, from third-party attestation to first-party evidence, and from boundary controls to per-route enforcement.

Tags: eu-ai-act, article-12, compliance, audit-logs, high-risk-ai, governance

SOC 2 AI Controls: Mapping the Trust Services Criteria to AI Deployments

SOC 2 reports cover five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. AI deployments touch all five. The audit evidence that AICPA expects has to be operational, not architectural. Application logs and policy documents fail. The records that pass are per request.

Tags: soc-2, ai-governance, compliance, trust-services-criteria, audit, aicpa