ModelCharter


AI compliance frameworks

The rules that decide how you must govern AI, explained for teams without a compliance department, with the practical first steps for each. An AI usage policy and a tool register cover most of what they ask for.

EU AI Act

European Union

Regulation (EU) 2024/1689, the EU Artificial Intelligence Act

The EU AI Act is the world's first comprehensive AI law. It takes a risk-based approach: it bans a small set of 'unacceptable-risk' uses, places strict obligations on 'high-risk' systems, sets transparency rules for limited-risk systems (like chatbots and deepfakes), and largely leaves minimal-risk uses free. It also adds duties for providers of general-purpose AI models.


NIST AI RMF

U.S. National Institute of Standards and Technology

NIST AI Risk Management Framework 1.0

The NIST AI RMF is a voluntary, practical framework for managing AI risks across the lifecycle. It is organised around four functions (Govern, Map, Measure and Manage) and is paired with a Generative AI Profile (NIST AI 600-1, July 2024) that tailors it to generative tools like ChatGPT.


ISO 42001

International Organization for Standardization

ISO/IEC 42001:2023, AI management system

ISO/IEC 42001 is the first certifiable international standard for an AI management system (AIMS). As ISO 27001 did for information security, it sets out how to establish, run and continually improve governance over AI, including policy, risk assessment, controls and an AI impact assessment.


SOC 2

American Institute of Certified Public Accountants (AICPA)

SOC 2 (AICPA System and Organization Controls 2)

SOC 2 is an attestation report on a service organisation's controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. It is the most-requested trust report in US B2B SaaS. As AI use has grown, SOC 2 auditors increasingly expect a documented AI usage policy and vendor governance for AI subprocessors.
