
AI compliance is not regular compliance. Here is the difference.


Key takeaways

  • The EU AI Act is in force, with prohibited practices provisions effective February 2025, general-purpose AI rules effective August 2025, and high-risk AI system rules effective August 2026. IBM advises all clients to take AI governance seriously and prepare for compliance now.
  • Gartner identifies AI governance compliance as one of the top five priorities for legal leaders in 2025. Gartner also notes that the EU AI Act has over 60 secondary regulatory efforts that will materially impact organizational compliance.
  • AI compliance differs from traditional IT compliance in three fundamental ways: it regulates the AI system itself (not just the data it handles), it introduces risk-level classification that determines the compliance burden, and it requires ongoing explainability and human oversight rather than point-in-time controls.
  • Microsoft has dedicated working groups combining AI governance, engineering, legal, and public policy experts on EU AI Act compliance. Microsoft was among the first organizations to sign the EU AI Pact’s three core voluntary commitments ahead of compliance deadlines.
  • The NIST AI RMF’s four functions, Govern, Map, Measure, and Manage, provide the voluntary US governance standard that organizations can use to prepare for both the EU AI Act and emerging US state AI regulations from Colorado, Illinois, Utah, and New York.
  • WebOsmotic builds responsible AI systems with compliance architecture, audit logging, explainability controls, human oversight checkpoints, and documentation, as first-class deliverables, not retrofits.

 

Most organizations have a compliance posture for their software systems. SOC 2 covers security controls. HIPAA covers data handling in healthcare. PCI-DSS covers payment card data. These frameworks share a common structure: they define what controls must be in place for a system that handles certain types of data or provides certain services.

AI compliance operates differently. The EU AI Act, the NIST AI Risk Management Framework, and the emerging state-level AI regulations in the US do not only regulate what data an AI system handles. They regulate the AI system itself, its risk classification, its transparency obligations, the documentation of its design and training, its explainability requirements, and the human oversight structures that must govern its operation. These are not additive requirements on top of existing compliance. They are a different category of obligation.

Gartner identifies AI governance compliance as one of the top five priorities for legal leaders in 2025. The EU AI Act began taking effect in February 2025 with prohibited practices provisions, extended to general-purpose AI rules in August 2025, and will apply to high-risk AI systems from August 2026. IBM advises all clients to take AI governance seriously and prepare for compliance now, well before the full implementation timeline reaches their specific use cases.

 

Building AI systems and need to scope compliance architecture from the start?

WebOsmotic builds AI systems with compliance architecture, EU AI Act controls, NIST AI RMF governance, audit logging, and explainability, as first-class deliverables, not retrofits.

→  Talk to our AI compliance team

 

The EU AI Act: the world’s first comprehensive AI law

The EU AI Act adopts a risk-based approach to regulating AI systems. The compliance burden is proportional to the risk the AI system poses: lower-risk systems face minimal obligations, while high-risk systems face the most demanding requirements. IBM’s EU AI Act overview documents the timeline: prohibited practices took effect February 2025, general-purpose AI (GPAI) rules for new models apply from August 2025, high-risk AI system rules from August 2026, and rules for AI in regulated product safety components from August 2027.

Risk categories and what they require

  • Prohibited AI (effective February 2025): subliminal manipulation, exploitation of vulnerable groups, unauthorized real-time biometric identification, and social scoring. These are banned outright.
  • General-purpose AI models (effective August 2025): must publish technical documentation, comply with EU copyright law, and disclose training data summaries.
  • High-risk AI (rules effective August 2026): AI in critical infrastructure, education, employment, essential services, law enforcement, migration, and justice. These require risk management systems, technical documentation, data governance, transparency, human oversight, accuracy controls, and EU database registration.
  • Minimal and limited risk systems: chatbots and most standard AI applications. Must disclose that users are interacting with AI when non-obvious. No registration or risk management documentation required beyond transparency.

 

Microsoft’s EU AI Act compliance documentation notes that the Act includes over 60 secondary regulatory efforts that will materially impact compliance. Microsoft has dedicated working groups on EU AI Act compliance and was among the first organizations to sign the EU AI Pact’s voluntary pre-compliance commitments. The Act’s transparency obligations, risk assessments, and human oversight requirements are not optional for organizations deploying AI in EU markets or organizations whose AI affects EU residents.

 

How AI compliance differs from traditional IT compliance

The structural differences between AI compliance and traditional IT compliance are not matters of degree. They are matters of kind. Understanding the differences prevents organizations from attempting to satisfy AI compliance requirements with IT compliance controls that do not address what AI compliance actually requires.

 

| Dimension | Traditional IT compliance (SOC 2, HIPAA) | AI compliance (EU AI Act, NIST AI RMF) |
| --- | --- | --- |
| What is regulated | The system’s security controls and data handling practices | The AI system itself: its design, training data, capabilities, risk level, and ongoing behavior |
| Risk classification | Not risk-tiered. Requirements apply uniformly based on data type (PHI, PCI data) | Explicitly risk-tiered. High-risk AI faces documentation, oversight, and audit requirements that minimal-risk AI does not |
| Explainability | Not required. A system can work as a black box if security controls are in place | Required for high-risk AI. Decisions affecting individuals must be explainable. Technical documentation of how the model makes decisions is a compliance artifact |
| Human oversight | Required for administrative access controls. Not required for automated decisions | Explicitly required for high-risk AI systems. Humans must be able to understand, monitor, and override AI decisions |
| Ongoing monitoring | Periodic audits and continuous control monitoring (CC7.2 for SOC 2) | Continuous performance monitoring, bias monitoring, and drift detection. Post-market surveillance for high-risk AI |
| Documentation scope | System design, access logs, incident response procedures | Full technical documentation including training data, model architecture, evaluation methodology, known limitations, and risk assessment |
| Audit trail | Activity logs for access and system events | Decision-level audit trails. For high-risk AI, records sufficient to reconstruct why a specific decision was made |

 

The NIST AI RMF: the US governance standard

NIST’s AI Risk Management Framework, released January 2023, is the primary voluntary US standard for AI governance. It organizes AI risk management into four functions: Govern, Map, Measure, and Manage. While voluntary, it is increasingly referenced in US state AI regulations and by enterprise buyers as a procurement requirement.

Each of the four functions carries specific implications: Govern establishes AI risk management policies and accountability; Map identifies and categorizes AI risks per deployment; Measure establishes performance and fairness metrics; Manage implements mitigations and incident response. Gartner identifies three principles common to the EU AI Act and the US state AI laws (Colorado, Illinois, Utah, and New York City have all implemented AI laws) that provide a practical compliance foundation: transparency, risk management, and fairness. Organizations that build compliance programs around these three principles are positioned for both current requirements and future regulations.

 

What IBM’s three-step EU AI Act compliance process looks like

IBM’s EU AI Act compliance guidance documents three critical steps for achieving compliance. IBM advises all clients to begin now rather than waiting for specific implementation deadlines.

  • Step 1: Comprehensive AI inventory across all systems in development and deployment, classified by risk level with obligations documented.
  • Step 2: Risk management system for high-risk AI covering the full lifecycle, bias testing, accuracy evaluation, incident reporting, and post-market surveillance.

 

What responsible AI development looks like in practice

AI compliance is not only a legal obligation. It is an architectural decision made at the beginning of development that determines whether a system can demonstrate compliance when required. Compliance retrofitted onto a deployed AI system is substantially more expensive and often incomplete.

  • Documentation from day one: technical documentation required by the EU AI Act includes training data description, model architecture, evaluation methodology, known limitations, and intended use cases. This documentation must be created during development, not reconstructed from memory after deployment
  • Audit trails for AI decisions: for high-risk AI systems, records sufficient to reconstruct a specific decision must be retained. This requires designing the audit log before the application is built, not adding it as a post-deployment feature
  • Explainability controls: for AI systems that affect individuals in regulated decisions, the system must be able to produce an explanation that is meaningful to the affected person and to a regulator. This is an engineering requirement, not a documentation requirement: the explainability mechanism must be built into the system.
  • Human oversight checkpoints: for high-risk AI, humans must be able to monitor, understand, and override AI decisions. The override mechanism, the escalation path, and the logging of override events are all compliance artifacts
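The decision-level audit trail, explainability record and override logging described in the list above, as an added example (not code from the original post or from WebOsmotic). The entry fields, the credit-scoring sample values and the hash chaining that makes the log tamper-evident are this example's own assumptions; the chaining goes slightly beyond the text, which only requires that a decision be reconstructible.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example: a decision-level audit trail for a credit-scoring model,
# one of the essential-services high-risk categories named above. Entry fields
# and the hash-chaining scheme are this example's own assumptions.

class DecisionAuditLog:
    """Append-only log. Each entry commits to the hash of the previous entry,
    so editing or deleting an earlier decision makes verify() fail."""

    def __init__(self):
        self.entries = []

    def _append(self, entry):
        entry["prev_hash"] = self.entries[-1]["hash"] if self.entries else ""
        entry["recorded_at"] = datetime.now(timezone.utc).isoformat()
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def record_decision(self, decision_id, model_version, inputs, output, explanation):
        # Inputs, output and the per-feature explanation are all retained, so the
        # decision can be reconstructed and explained to the affected person later.
        return self._append({"kind": "decision", "decision_id": decision_id,
                             "model_version": model_version, "inputs": inputs,
                             "output": output, "explanation": explanation})

    def record_override(self, decision_id, reviewer, new_output, reason):
        # A human override is a new entry, never an edit: the original automated
        # decision and the reviewer's reason for overriding it both survive.
        return self._append({"kind": "override", "decision_id": decision_id,
                             "reviewer": reviewer, "output": new_output, "reason": reason})

    def verify(self):
        """Recompute the chain; False means an entry was altered or removed."""
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev_hash"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def reconstruct(self, decision_id):
        """Full history for one decision plus its final outcome after any override."""
        trail = [e for e in self.entries if e["decision_id"] == decision_id]
        return {"history": trail, "final_output": trail[-1]["output"] if trail else None}
```

In a production system the log would be written to append-only storage with the chain head anchored externally; the in-memory list here is only for illustration.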

 

WebOsmotic’s AI development practice builds responsible AI systems for clients in fintech, healthcare, and regulated industries. EU AI Act compliance architecture, NIST AI RMF governance documentation, and audit trail design are included in the architecture phase of every regulated industry engagement.

 

Building an AI system for a regulated industry and need compliance architecture from day one?

WebOsmotic builds AI systems with EU AI Act compliance controls, NIST AI RMF governance, audit logging, and explainability as first-class deliverables. We work with fintech, healthcare, and enterprise clients across India and the US.

→  Get your AI compliance consultation

 

Frequently asked questions

What is the EU AI Act and when does it apply?

The EU AI Act is the world’s first comprehensive AI regulation, adopting a risk-based approach that classifies AI systems by risk level and applies proportional compliance requirements. Prohibited practices took effect February 2025. Rules for general-purpose AI models took effect August 2025 for new models. Rules for high-risk AI systems take effect August 2026. Rules for AI in regulated product safety components take effect August 2027. IBM advises organizations to begin compliance preparation now rather than waiting for their specific deadline. The Act applies to providers placing AI systems on the EU market, deployers using AI systems in the EU, and providers and deployers in third countries whose AI output is used in the EU.

How is AI compliance different from SOC 2 or HIPAA compliance?

SOC 2 regulates security controls for systems handling customer data. HIPAA regulates data handling practices for systems processing protected health information. Both focus on what the system does with data. AI compliance under the EU AI Act and NIST AI RMF regulates the AI system itself, its risk classification, training data documentation, design and evaluation methodology, explainability requirements, and human oversight structures. A system can be SOC 2 Type II certified and HIPAA-compliant while having significant EU AI Act compliance gaps if it is a high-risk AI system without the required technical documentation, risk management system, and human oversight architecture.

What is a high-risk AI system under the EU AI Act?

The EU AI Act defines high-risk AI systems as those deployed in: critical infrastructure (energy, water, transport), education (grading, admissions), employment (CV screening, performance evaluation), access to essential services (credit scoring, social benefits, health services), law enforcement, migration and border control, and administration of justice. High-risk AI systems face the most demanding compliance requirements: a risk management system, technical documentation of training data and architecture, data governance, transparency measures, human oversight, accuracy controls, and EU AI database registration. These requirements apply from August 2026.

What is the NIST AI RMF and is it mandatory?

The NIST AI Risk Management Framework is a voluntary governance standard for AI systems released by the National Institute of Standards and Technology in January 2023. It organizes AI risk management into four functions: Govern, Map, Measure, and Manage. It is not legally mandatory in the US at the federal level, but it is referenced in US state AI regulations from Colorado, Illinois, Utah, and New York City, and is increasingly referenced by enterprise buyers as a procurement requirement. Organizations that implement the NIST AI RMF are well-positioned for both current voluntary requirements and the emerging mandatory requirements from state-level AI legislation.

What does explainability mean for AI compliance?

Explainability in AI compliance means that the system can produce a meaningful account of why it produced a specific output or made a specific decision, meaningful to the affected person and to a regulator. For high-risk AI systems under the EU AI Act, this is a technical requirement: the system must be designed with an explainability mechanism that can produce decision-level explanations on demand. This is different from providing general documentation of how the model works. The EU AI Act requires that individuals affected by high-risk AI decisions have the right to an explanation and the right to human review. Building this capability into an AI system after deployment is substantially more expensive than designing it from the start.

How does WebOsmotic approach AI compliance?

WebOsmotic treats AI compliance as an architectural input that determines system design rather than a documentation task added after deployment. For regulated industry engagements, the architecture phase includes: classifying the AI system by risk level under the EU AI Act; designing the technical documentation structure required for the system’s risk category; implementing audit logging sufficient to reconstruct AI decisions; building explainability controls appropriate to the use case; designing human oversight checkpoints and override mechanisms; and documenting the governance structure against the NIST AI RMF functions. These are all first-class deliverables alongside the application code.
