AI Compliance Vendors

AI compliance frameworks

A guide to the regulations, laws, and voluntary standards shaping how organizations build, deploy, and monitor AI systems. Each framework page lists key obligations and the vendors that support them.

Federal Risk and Authorization Management Program

active

United States Federal

FedRAMP is the U.S. federal program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. AI governance vendors serving federal or defense customers typically need FedRAMP Moderate or High authorization.

1 vendor supports this · 0 key obligations

Health Insurance Portability and Accountability Act

active

United States

HIPAA governs the privacy and security of Protected Health Information (PHI) in the United States. AI vendors operating in healthcare must meet HIPAA Security Rule requirements (access controls, audit logs, integrity, encryption) and sign BAAs with covered entities. HIPAA applies directly to many AI use cases in clinical decision support, diagnostics, and healthcare operations.

10 vendors support this · 0 key obligations

ISO/IEC 27001 Information Security Management

active

International (ISO)

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It complements ISO/IEC 42001 (AI management systems) and is often held by AI governance vendors as a baseline information-security certification. Required by many enterprise procurement processes globally.

5 vendors support this · 0 key obligations

Payment Card Industry Data Security Standard

active

International (PCI SSC)

PCI DSS governs the handling of payment card data. AI vendors serving fintech, retail, and payment processors often need to demonstrate PCI DSS alignment when their platforms touch cardholder data or are integrated with payment flows.

4 vendors support this · 0 key obligations

SOC 2 (Service Organization Control 2)

active

United States (AICPA)

SOC 2 is an AICPA auditing standard for service organizations, evaluating controls relevant to security, availability, processing integrity, confidentiality, and privacy. While not AI-specific, SOC 2 Type II reports are table stakes for B2B SaaS vendors — including AI governance platforms — and are frequently mapped to AI-specific risk frameworks.

13 vendors support this · 0 key obligations

EU Artificial Intelligence Act

In force

EU

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive horizontal regulation of artificial intelligence systems. It entered into force on August 1, 2024 and applies in tiered phases: prohibitions on unacceptable-risk practices apply from February 2, 2025; obligations for general-purpose AI (GPAI) models from August 2, 2025; and the bulk of high-risk system requirements from August 2, 2026, with extended timelines for high-risk systems embedded in regulated products through 2027. The Act takes a risk-based approach, sorting systems into prohibited, high-risk, limited-risk (transparency obligations), and minimal-risk tiers. Enforcement is split between the European Commission's AI Office (for GPAI and cross-border matters) and national market-surveillance authorities. Maximum fines reach €35 million or 7% of worldwide annual turnover for prohibited practices, whichever is higher.

37 vendors support this · 7 key obligations

GDPR Article 22 — Automated Individual Decision-Making

In force

EU

Article 22 of the EU General Data Protection Regulation gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them. The right applies across the EU and EEA and has been in force since May 25, 2018. The European Data Protection Board's Guidelines 1/2024 (adopted December 2024) clarify the scope, including how it applies to large language models and recommender systems. The CJEU's SCHUFA ruling (Case C‑634/21, December 2023) confirmed that automated credit scoring constitutes a "decision" under Article 22 where the score effectively determines whether a loan or contract is granted. Enforcement is by national Data Protection Authorities; penalties for Article 22 violations fall under the GDPR's higher tier — up to €20 million or 4% of worldwide annual turnover.

15 vendors support this · 7 key obligations

NYC Local Law 144 (Automated Employment Decision Tools)

In force

US

New York City Local Law 144 of 2021 prohibits employers and employment agencies from using an automated employment decision tool (AEDT) to screen a candidate or employee for a position located in NYC unless the tool has been the subject of a bias audit conducted no more than one year before its use. The law has been in force since July 5, 2023 and is enforced by the NYC Department of Consumer and Worker Protection. Penalties start at $500 for a first violation and $500–$1,500 per subsequent violation, with each day a non-compliant tool is used counted as a separate violation. The required audit must measure selection rates and impact ratios across sex, race/ethnicity, and intersectional categories, with results published on the employer's public-facing website.

7 vendors support this · 6 key obligations

SEC AI-Related Disclosure Requirements

In force

US

The SEC has brought enforcement actions and issued guidance requiring public companies to accurately disclose their use of AI in securities filings, avoid "AI washing," and ensure investment advisers do not misrepresent their use of AI in client communications.

0 vendors support this · 4 key obligations

Colorado Artificial Intelligence Act (SB 24-205)

Not yet in force

US

Colorado SB 24-205, the Colorado Artificial Intelligence Act, was signed into law in May 2024 and takes effect on February 1, 2026. It is the first comprehensive U.S. state law regulating high-risk AI systems and imposes obligations on both developers and deployers of AI systems that make, or are a substantial factor in making, a "consequential decision" — defined to include decisions in education, employment, financial or lending services, essential government services, healthcare, housing, insurance, and legal services. The Act establishes a duty of reasonable care to protect Colorado consumers from algorithmic discrimination, with the Colorado Attorney General as the sole enforcement authority. Violations are deceptive trade practices under the Colorado Consumer Protection Act, with penalties up to $20,000 per violation and elevated penalties for elder-targeted violations.

8 vendors support this · 7 key obligations

ISO/IEC 42001:2023 AI Management System

Voluntary standard

Global

ISO/IEC 42001:2023 is the first international management-system standard for artificial intelligence, published in December 2023 jointly by ISO and IEC. It specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within an organisation. The standard follows the harmonised high-level structure used by ISO 27001 and ISO 9001, making integration with existing management systems straightforward. ISO 42001 is voluntary but is the most credible signal a vendor or operator can provide that AI risk is governed at the management-system level. Certification is granted by accredited third-party certification bodies (the ISO/IEC body itself does not issue certificates) and follows a typical 3-year cycle with annual surveillance audits.

24 vendors support this · 7 key obligations

NIST AI Risk Management Framework

Voluntary standard

US

The NIST AI Risk Management Framework (AI RMF 1.0) was published by the U.S. National Institute of Standards and Technology in January 2023, with a Generative AI Profile (NIST-AI-600-1) added in July 2024. It is a voluntary, sector-agnostic framework that organises AI risk management around four functions: Govern, Map, Measure, and Manage. Although adoption is voluntary, the AI RMF is referenced by the U.S. Executive Order on AI, several federal agency directives, and is increasingly cited by procurement teams and insurance carriers as a baseline expectation. NIST also publishes a companion AI RMF Playbook with concrete implementation suggestions and a Crosswalk that maps AI RMF actions to ISO/IEC 42001, ISO/IEC 23894, OECD AI Principles, and EU AI Act provisions.

34 vendors support this · 7 key obligations

UK AI Regulation Framework

Voluntary standard

UK

The UK's pro-innovation, context-specific approach to AI regulation relies on existing regulators (ICO, FCA, CMA, MHRA, Ofcom) applying five cross-sectoral principles: safety; transparency; fairness; accountability; and contestability. A central AI Safety Institute evaluates frontier models.

1 vendor supports this · 5 key obligations