AI Compliance FAQ

The first international management-system standard for AI, published December 2023 — certifiable, auditable, and already adopted by major AI vendors.

Non-compliance with the EU AI Act can cost up to EUR 35 million or 7 percent of global annual turnover — higher than GDPR's 4 percent cap.

Two of the most-referenced AI governance frameworks — one is a voluntary US framework, the other an international standard that can be certified. Most mature programs use both.

If your AI system lands in the EU market or its output is used in the EU, you are in scope — regardless of where your company is headquartered.

Colorado SB 24-205 applies 30 June 2026 (delayed from 1 February 2026 by SB 25B-004) and imposes duties on both developers and deployers of high-risk AI used for consequential decisions.

Article 22 of the GDPR gives individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects — with three narrow exceptions.

NYC employers using AEDTs must commission an independent bias audit each year, post a public summary, and notify candidates — enforced by DCWP since 5 July 2023 with $500–$1,500 per-day penalties.

Eight categories of AI practice are outright banned across the EU under Article 5 of the AI Act — enforced from 2 February 2025, with the highest fine tier (EUR 35M or 7% of turnover).

High-risk AI systems under the EU AI Act face the heaviest obligations — risk management, data governance, technical documentation, human oversight, conformity assessment — with most rules applying from 2 August 2026.

The SEC has brought enforcement actions and issued guidance requiring public companies to accurately disclose their use of AI in securities filings, avoid "AI washing," and ensure

HIPAA governs the privacy and security of Protected Health Information (PHI) in the United States. AI vendors operating in healthcare must meet HIPAA Security Rule requirements (ac

The UK's pro-innovation, context-specific approach to AI regulation relies on existing regulators (ICO, FCA, CMA, MHRA, Ofcom) applying five cross-sectoral principles: safety; tran

SOC 2 is an AICPA auditing standard for service organizations, evaluating controls relevant to security, availability, processing integrity, confidentiality, and privacy. While not

New York City Local Law 144 of 2021 prohibits employers and employment agencies from using an automated employment decision tool (AEDT) to screen a candidate or employee for a posi

ISO/IEC 42001:2023 is the first international management-system standard for artificial intelligence, published in December 2023 jointly by ISO and IEC. It specifies requirements f

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It complements ISO/IEC 42001 (AI management systems) and is often held by AI governa

PCI DSS governs the handling of payment card data. AI vendors serving fintech, retail, and payment processors often need to demonstrate PCI DSS alignment when their platforms touch

FedRAMP is the U.S. federal program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. AI governance vendo

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive horizontal regulation of artificial intelligence systems. It entered into force on August 1, 2024 and a

The NIST AI Risk Management Framework (AI RMF 1.0) was published by the U.S. National Institute of Standards and Technology in January 2023, with a Generative AI Profile (NIST-AI-6

Article 22 of the EU General Data Protection Regulation gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — t

Colorado SB 24-205, the Colorado Artificial Intelligence Act, was signed into law in May 2024 and takes effect on February 1, 2026. It is the first comprehensive U.S. state law reg

Most AI governance platforms sell annual contracts in the low-to-mid five figures for mid-market and six figures for enterprise. Here is what we can verify from public sources.

Software that inventories every AI system at a company, assesses its risk, enforces internal policy, and produces the evidence auditors and regulators ask for.

Editorial best-of rankings, head-to-head comparison verdicts, and written commentary reflect editorial judgment based on public evidence only and cannot be bought. Vendors can pay for a Featured slot in directory listings; every Featured slot is clearly labeled.

SOC 2 and ISO/IEC 42001 are not substitutes — one attests to information security and operational trust, the other to AI-specific governance. Mature AI vendors carry both.

Editorial best-of rankings and comparison verdicts are not for sale. Vendors can pay only for a clearly labeled Featured slot in directory listings.