AI Compliance (May 2026)
TL;DR: AI compliance in 2026 means demonstrable adherence of your AI systems to nine major external regimes: the EU AI Act (binding), NIST AI RMF (voluntary, US-led), ISO/IEC 42001 (certifiable), HIPAA, GDPR, and the SEC, OCC, FDA and CMMC sector overlays. Most organisations map one unified control library against several of these frameworks at once rather than running a separate programme per regime.
Nine AI compliance regimes that matter
| Regime | Applies to | Focus | Enforcement |
|---|---|---|---|
| EU AI Act | Providers and deployers of AI systems placed on the EU market, plus any provider or deployer whose system output is used in the EU (Art. 2) | Risk-tiered obligations, technical documentation, conformity assessment for high-risk AI | Binding, phased in through August 2027; national market surveillance authorities and the EU AI Office (for GPAI); fines up to 7% of global annual turnover or EUR 35M for prohibited practices |
| NIST AI RMF | Voluntary; widely referenced in US federal procurement and in enterprise vendor questionnaires | Four functions: Govern, Map, Measure, Manage | No enforcement body; cited as a reference standard in federal RFPs and customer due diligence |
| ISO/IEC 42001 | Any organisation seeking certifiable AI management | AIMS, auditable AI management system | Third-party certification via accredited bodies |
| HIPAA + OCR AI guidance | US healthcare (covered entities + BAs) | PHI handling, BAA with model providers, ZDR contracts | HHS Office for Civil Rights |
| GDPR + AI | EU personal data processing (global reach via Article 3) | Lawful basis, data subject rights, automated decision-making (Article 22) | National Data Protection Authorities |
| SEC AI disclosure rules | US public companies | Material AI risks disclosed in 10-K + 10-Q. AI in financial reporting subject to ICFR. | SEC enforcement actions |
| OCC + FRB SR 11-7 update | US banks + bank holding companies | Model risk management for AI / ML: validation, ongoing monitoring, governance | Federal banking regulators |
| FDA AI/ML SaMD guidance | US medical device manufacturers | Software-as-a-Medical-Device using AI; predetermined change control plans | FDA |
| CMMC + DoD AI guidance | US defence contractors | AI use in defence supply chain, and cybersecurity + sovereignty + provenance | DoD contracting officers |
Ten-control unified compliance map
The same control usually satisfies obligations in several frameworks at once, so the efficient approach is to build the control once and record the mapping. A unified library of ten core controls covers roughly 80-90% of the obligations across NIST AI RMF, the EU AI Act, ISO/IEC 42001, HIPAA and the sector overlays; the remainder is regime-specific paperwork (declarations of conformity, regulator filings, contract clauses). Article and clause references below are to the final text of Regulation (EU) 2024/1689 and to ISO/IEC 42001:2023.
| Control | Maps to |
|---|---|
| AI inventory + risk-tiering | NIST AI RMF (Map), EU AI Act Art. 6 + Annex III (high-risk classification) and Art. 9 (risk management system), ISO 42001 §6.1.2 (AI risk assessment) |
| Model card + technical documentation | NIST AI RMF (Govern), EU AI Act Art. 11, Annex IV |
| Eval harness + ongoing monitoring | NIST AI RMF (Measure), EU AI Act Art. 15 (accuracy, robustness) and Art. 72 (post-market monitoring), ISO 42001 §9 |
| Human oversight | EU AI Act Art. 14, ISO 42001 Annex A.9 (use of AI systems) |
| Data governance + lineage | EU AI Act Art. 10, GDPR Art. 5, ISO 42001 Annex A.7 (data for AI systems) |
| Cybersecurity + robustness | EU AI Act Art. 15, NIST AI RMF (Manage), ISO 27001 overlay |
| Transparency + user disclosure | EU AI Act Art. 13 (information to deployers) + Art. 50 (disclosure to end users, e.g. chatbots and synthetic content), NIST AI RMF (Govern) |
| Conformity assessment + audit evidence | EU AI Act Art. 43 (high-risk), ISO 42001 certification |
| Incident reporting | EU AI Act Art. 73 (serious incident reporting), ISO 42001 §10.2 (nonconformity and corrective action), Annex A.8 (information for interested parties) |
| Supplier risk + ZDR contracts | NIST AI RMF (Govern), HIPAA BAA, EU AI Act Art. 25 (responsibilities along the AI value chain), ISO 42001 Annex A.10 (third-party relationships) |
FAQ
What is AI compliance?
AI compliance is the operational process of meeting the external requirements that apply to your AI systems: the EU AI Act for EU market placement, NIST AI RMF for US federal procurement, ISO/IEC 42001 for internationally recognised certifiable evidence, HIPAA for US healthcare data, GDPR for personal data, and sector-specific overlays (SEC, OCC, FDA, DoD). In 2026 most organisations maintain a single controls library mapped against several of these frameworks at once.
Is the EU AI Act the most important AI compliance regime?
For most multinationals, yes. The EU AI Act is binding rather than voluntary, has extraterritorial reach (it applies to any AI system placed on the EU market and to systems whose output is used in the EU, regardless of where the provider sits), and carries fines of up to 7% of global annual turnover or EUR 35M, whichever is higher, for prohibited practices. Even US-only organisations with no current EU footprint usually map against the AI Act because customer procurement teams increasingly require it.
What is the difference between AI compliance and AI governance?
AI governance is the internal programme: policies, roles, controls and evidence. AI compliance is the external-facing demonstration that the programme satisfies a specific requirement (a regulation, a standard, a customer contract). Governance is the activity; compliance is the outcome.
How do I make my AI HIPAA compliant?
Four AI-specific requirements, on top of the Security Rule controls (risk analysis, access control, workforce training) the organisation already owes for any PHI system. (1) A Business Associate Agreement with every model provider that touches PHI, covering the specific endpoint and tier you actually call; many providers offer a BAA only on enterprise plans. (2) A Zero Data Retention contract: the provider does not retain prompts or completions, and does not use them for training. ZDR is usually an opt-in contractual term, not a default, so confirm it is in force for the exact route you use. (3) Encryption in transit and at rest, per the HIPAA Security Rule. (4) Audit logging that captures every PHI-touching request, retained for the Security Rule documentation period (six years under 45 CFR 164.316); the log should record who sent what to which model without itself storing the PHI, otherwise you have recreated the retention the ZDR contract removed. Most regulated healthcare orgs route through Swfte / AWS Bedrock / Azure OpenAI for the BAA + ZDR posture.
What AI compliance software do I need?
Three layers. A gateway (Swfte, Portkey, TrueFoundry, LiteLLM) for request-time policy enforcement: ZDR routing, model allowlist, audit log. An eval / monitoring tool (Swfte, LangSmith, Langfuse, Arize, Galileo) for ongoing quality, bias and drift evidence. An AI-GRC overlay (Credo AI, Holistic AI, Trustible, Saidot) for the policy library, framework mapping and conformity reporting. Smaller orgs combine the first two on Swfte and skip the third.
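The gateway layer is the one control in this stack that runs on every request, so it is worth seeing what "request-time policy enforcement" means concretely. The block below is an added illustration, not Swfte's or any other vendor's code: a minimal policy gate that enforces a model allowlist, refuses to send PHI to any route whose contract lacks a BAA or a ZDR term (the HIPAA requirements above), and emits a per-request audit record that identifies the prompt by a keyed hash rather than by content, so the audit log does not itself become a PHI store. `PROVIDER_ROUTES`, `AUDIT_HMAC_KEY` and the sample requests are constructed placeholders, and the `data_class` tag is assumed to be set by an upstream DLP or tagging step before the request reaches the gateway.

```python
"""Request-time policy gate for an LLM gateway (added example, not vendor code).

Controls enforced before a prompt leaves the network:
  * model allowlist: only registered model routes are callable;
  * PHI may only go to a route whose contract has both a BAA and a ZDR term;
  * every request gets an audit record that fingerprints the prompt with a
    keyed hash instead of logging its text.
PROVIDER_ROUTES and AUDIT_HMAC_KEY are constructed placeholders; data_class is
assumed to be tagged upstream of the gateway.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Hypothetical route registry, normally signed off by legal/procurement:
# baa = a Business Associate Agreement covers this route;
# zdr = the contract for this route includes a zero-data-retention term.
PROVIDER_ROUTES: dict[str, dict[str, bool]] = {
    "bedrock/claude":       {"baa": True,  "zdr": True},
    "azure-openai/gpt-4o":  {"baa": True,  "zdr": True},
    "vendor-x/enterprise":  {"baa": True,  "zdr": False},
    "public-api/gpt-4o":    {"baa": False, "zdr": False},
}

# Constructed key; in production load it from a KMS/HSM and rotate it.
AUDIT_HMAC_KEY = b"example-audit-key-do-not-use"

PHI = "phi"


@dataclass(frozen=True)
class Request:
    tenant: str
    user: str
    model: str
    prompt: str
    data_class: str  # "phi" | "internal" | "public", set upstream of the gateway


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit: dict


def prompt_fingerprint(prompt: str) -> str:
    """Keyed SHA-256 of the prompt. An auditor holding the key can match a logged
    request to a prompt they are shown, but someone who only reads the log cannot
    recover the prompt or brute-force short prompts as they could from a plain hash."""
    return hmac.new(AUDIT_HMAC_KEY, prompt.encode("utf-8"), hashlib.sha256).hexdigest()


def evaluate(req: Request, now: float | None = None) -> Decision:
    """Apply the gateway policy and build the audit record for one request."""
    audit = {
        "ts": now if now is not None else time.time(),
        "tenant": req.tenant,
        "user": req.user,
        "model": req.model,
        "data_class": req.data_class,
        "prompt_hmac_sha256": prompt_fingerprint(req.prompt),
        "prompt_chars": len(req.prompt),
    }

    def deny(reason: str) -> Decision:
        return Decision(False, reason, {**audit, "decision": "deny", "reason": reason})

    route = PROVIDER_ROUTES.get(req.model)
    if route is None:
        return deny("model not on allowlist")
    if req.data_class == PHI:
        # Both contract terms must hold for PHI; a BAA without ZDR is still a finding.
        if not route["baa"]:
            return deny("PHI routed to provider without a BAA")
        if not route["zdr"]:
            return deny("PHI routed to provider without a ZDR term")
    return Decision(True, "ok", {**audit, "decision": "allow"})


def audit_line(decision: Decision) -> str:
    """One JSON line per request for the audit sink (append-only / WORM storage)."""
    return json.dumps(decision.audit, sort_keys=True)


def log_leaks_prompt(decision: Decision, prompt: str) -> bool:
    """Self-check for the log pipeline: the serialized record must not contain the prompt."""
    return prompt in audit_line(decision)


if __name__ == "__main__":
    # Constructed sample traffic.
    phi_prompt = "Summarise: patient John Doe, DOB 1970-01-01, MRN 12345, dx hypertension"
    for req in (
        Request("acme-health", "dr.smith", "bedrock/claude", phi_prompt, PHI),
        Request("acme-health", "dr.smith", "vendor-x/enterprise", phi_prompt, PHI),
        Request("acme-health", "dr.smith", "public-api/gpt-4o", "Draft a press release", "public"),
        Request("acme-health", "intern", "some-new-model", phi_prompt, PHI),
    ):
        d = evaluate(req, now=1.0)
        print(d.allowed, d.reason, audit_line(d), sep=" | ")
```

Two design points matter more than the code itself. First, the allowlist encodes contract state (which routes have a BAA and a ZDR term), not a technical guarantee: the gateway still has to set whatever no-retention option the provider exposes and use encrypted transport, and someone has to update the registry when a contract changes. Second, the audit record still carries tenant, user and model metadata, which is sensitive in its own right, so the sink needs the same access control and retention discipline as any other PHI-adjacent log.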
How long does AI compliance take to implement?
A working baseline programme (inventory, risk tiers, policy, gateway-enforced controls, eval harness, mapped to one external framework) takes 6-12 months for a mid-market org and 12-24 months for a global enterprise. Full conformity assessment with an auditable evidence binder takes another 6-12 months on top.
What does AI compliance cost?
Annual programme cost ranges $300k-$25M depending on org size. Mid-market: $300k-$1.5M (1-3 people + tooling + audit). Global enterprise: $5M-$25M (10-30 people + tooling + multiple audits + regulator engagement). The tooling layer is typically $50k-$500k/year; the rest is people, audit fees, and legal.
Is open-source AI compliant?
It can be; the open-source licence is orthogonal to the compliance posture. The compliance question is whether the deployment satisfies the controls, not whether the model weights are public. Self-hosted DeepSeek V4 inside a regulated VPC, with an eval harness and audit logging, is typically more defensible than a hosted closed-model API without those controls, because the data never leaves an environment you control and every control is yours to evidence.
Who certifies AI compliance?
ISO/IEC 42001 is certifiable by accredited third-party bodies. EU AI Act conformity assessment for high-risk systems ends in CE marking and an EU declaration of conformity; most Annex III systems can use the internal-control procedure, while some categories (and AI embedded in products already covered by EU harmonisation legislation) require a Notified Body. NIST AI RMF is voluntary: there is no certification, but auditors and customers evaluate alignment as part of broader AI due diligence. HIPAA, SOC 2 and sector-specific posture are evaluated by the appropriate regulator or auditor.
Demonstrate AI compliance with auditable evidence
Gateway-enforced controls, OpenTelemetry traces, an integrated eval harness, and a compliance binder mapped against NIST AI RMF, EU AI Act, and ISO 42001.
Free tier · OpenAI-compatible API · SOC 2 Type II · On-prem available