Compliance & Regulation

77 posts on compliance & regulation.

AI Vendor Risk Management: The Diligence Questions That Actually Bind Under Audit

AI vendor risk management sits at the intersection of traditional third-party risk and the new AI-specific obligations. The questionnaire that holds up against EU AI Act Article 26, Fannie Mae LL-2026-04, DORA, and sector-specific regimes asks for evidence the vendor can produce on demand. This article walks through the question set, the runtime evidence behind each answer, and the ongoing supervisory obligation that procurement attestations do not discharge.

Tags: ai-governance, ai-compliance, compliance, eu-ai-act, dora

AI Risk Register Template: What Each Row Has to Capture and Where the Evidence Comes From

An AI risk register is the operational artefact that records the risks the deployer has identified for each AI system, the controls applied, the residual risk, and the evidence that the controls are working. EU AI Act Article 9, NIST AI RMF, ISO 42001, and Fannie Mae LL-2026-04 each expect a register the deployer can produce on demand. This article walks through the columns that hold up across regimes and the runtime evidence each column depends on.

Tags: ai-governance, ai-compliance, eu-ai-act, iso-42001, audit

AI Impact Assessment Template: The Fields a Regulator and an Auditor Both Read

An AI impact assessment template that holds up under EU AI Act Article 27, GDPR Article 35 DPIA, Fannie Mae LL-2026-04, and NIST AI RMF inquiries has to cover the same architectural primitives in the same vocabulary the regulators use. This article walks through the fields the template has to include, the questions each field answers, and the runtime evidence the deployer needs in order to keep the assessment current.

Tags: ai-compliance, ai-governance, eu-ai-act, compliance, audit

EU AI Act Codes of Practice: What the GPAI Provisions Expect and Where Deployers Sit

The Codes of Practice in the EU AI Act are the operational mechanism that translates the GPAI obligations under Articles 53 and 55 into concrete commitments providers can sign. The Code on General-Purpose AI Models, published by the AI Office, sets out the transparency, copyright, and safety expectations the providers have agreed to. Deployers that build on top of GPAI inherit downstream obligations and a set of expectations the deployer cannot delegate to the provider.

Tags: eu-ai-act, ai-compliance, ai-governance, regulation, llm

EU AI Act Prohibited Practices: What Article 5 Bans and How Enforcement Catches It

Article 5 of the EU AI Act lists the practices the regulation prohibits outright: subliminal manipulation, exploitation of vulnerability, social scoring by public authorities, predictive policing based on profiling, untargeted facial scraping, emotion inference in workplaces and schools, biometric categorisation by protected characteristic, and most real-time biometric identification in public spaces. The prohibitions took effect February 2, 2025, and the €35 million / 7% penalty tier applies. This article walks through the eight prohibitions and the architecture that catches them at the AI request boundary.

Tags: eu-ai-act, ai-compliance, regulation, ai-governance, inline-enforcement

EU AI Act Article 15: What the Accuracy, Resilience, and Cybersecurity Obligation Requires

Article 15 of the EU AI Act sets the accuracy, resilience, and cybersecurity floor for high-risk AI systems before the August 2, 2026 deadline. The obligation runs end to end across the deployment, from the declared accuracy metric in the technical documentation to the runtime behavior under adversarial pressure. This article walks through the regulation text, the structural gaps in most deployments, and the architectural pattern that satisfies all three properties together.

Tags: eu-ai-act, ai-compliance, ai-security, regulation, inline-enforcement

The Future of AI Governance: Five Architectural Shifts Already Underway in 2026

The future of AI governance is not a question of which framework will win. The shift is from documentation-based programs to per-decision evidence captured at the AI request boundary. The five concrete moves already underway in 2026 are convergence on the inline enforcement boundary, codification of per-decision audit records, identity-attached AI requests, machine-readable policies, and external certification bodies for AI management systems. Each shift moves the governance work from quarterly committee meetings into the AI request path itself.

Tags: ai-governance, eu-ai-act, iso-42001, compliance, regulation

AI Governance Audit: What an Auditor Asks For and How Architecture Produces It

An AI governance audit asks for system inventory, identity context per AI call, data classification on prompt content, policy state at decision time, and an evidence trail an external party reads. Application-controlled logs collapse under those questions because the system being audited is also the system producing the audit record. The architecture that survives an AI governance audit is a decoupled enforcement layer that produces structured, signed decision records the application never had custody over.

Tags: ai-governance, audit, compliance, eu-ai-act, regulation

AI Decision Records: The Structured Evidence Layer the Compliance Set Reads Across Regimes

AI decision records are the structured evidence layer that captures who acted, what model handled the request, what policy governed it, what data classifications applied, and what the outcome was. The 2026 regulatory set reads decision records as the primary evidence for AI system operation. EU AI Act Article 12, Fannie Mae LL-2026-04, NIST AI RMF Manage, ISO 42001 clause 8.3, and Texas TRAIGA each expect the records at a specific granularity. I walk through what a portable decision record schema looks like, what each regime reads from it, and how the same record satisfies multiple regimes at once.

Tags: audit, decision-records, compliance, eu-ai-act, nist-ai-rmf, iso-42001

LLM Prompt Logging: What an Article 12 Compliant Record Has to Contain

LLM prompt logging records every prompt sent to an LLM, the response the model returned, the identity that initiated the call, the policy that governed the decision, and the data classifications detected. The EU AI Act Article 12 obligation, the NIST AI RMF Manage function, and the Fannie Mae LL-2026-04 disclosure mandate each expect this record at a specific granularity. I walk through what the record contains, where most application logging falls short, and how the architectural pattern that produces a compliant record differs from application-side logging.

Tags: llm-logging, audit, eu-ai-act, compliance, article-12, audit-trail

EU AI Act Fines vs GDPR Fines: How the Two Penalty Regimes Compare

The EU AI Act and GDPR operate parallel penalty regimes. GDPR caps the highest tier at 20 million EUR or 4% of global annual turnover. The AI Act caps its highest tier at 35 million EUR or 7% for prohibited AI practices, with 15 million EUR or 3% for high-risk non-compliance and 7.5 million EUR or 1% for misleading information. The two regimes can apply concurrently. This piece walks through the tiers, the trigger conditions, the enforcement bodies, and where the obligations actually overlap.

Tags: eu-ai-act, gdpr, compliance, penalties, regulation, fines

EU AI Act Article 9: What the Risk Management System Obligation Requires

Article 9 of the EU AI Act requires a risk management system for every high-risk AI system, running as a continuous iterative process across the lifecycle. The obligations include risk identification, risk estimation, risk evaluation, and the adoption of risk management measures. The August 2, 2026 deadline applies. Most enterprise AI deployments treat risk management as a documentation exercise that ends at conformity assessment. The Article 9 reading expects an operating system that produces evidence at every decision point.

Tags: eu-ai-act, article-9, risk-management, compliance, high-risk-ai, governance