AI Compliance
Compliance is the work of demonstrating to regulators, auditors, insurers, and contractual counterparties that an AI system meets the requirements the operator is obligated to meet. The compliance landscape for autonomous and ambient agents is in active formation. The EU AI Act conformity assessment regime is being operationalized through notified bodies and harmonized standards. Voluntary standards like UL 4600 for autonomous product safety cases and ISO/IEC 42001 for AI management systems are gaining adoption. The NIST AI Risk Management Framework is being cited in procurement and contractual obligations. Sector-specific compliance frameworks for healthcare, finance, transportation, and critical infrastructure are being adapted to handle AI components. Insurance markets are developing underwriting standards for autonomous agent exposure. Across all of these, the artifacts that satisfy compliance obligations — model cards, datasheets, system cards, conformity declarations, audit reports — are the evidence operators produce to prove their systems meet the requirements.
EU AI Act Conformity Assessment
The EU AI Act sets out a tiered risk classification with the heaviest obligations falling on high-risk AI systems. High-risk systems must complete a conformity assessment before placement on the market, demonstrating adherence to requirements that include risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity. The conformity assessment is conducted either through internal control by the provider or through a notified body, depending on the system category. Notified bodies are independent organizations designated by member states to assess high-risk AI systems against harmonized standards. The conformity assessment regime is still being operationalized: harmonized standards are under development through CEN-CENELEC JTC 21, notified bodies are being designated unevenly across member states, and case-by-case interpretation of the high-risk classification continues to evolve. EU AI Act Conformity Assessment covers the risk classification, the Article 43 procedures, the technical documentation requirements under Article 11, the harmonized standards landscape, and the notified body designation status.
UL 4600 and Autonomous Product Safety Cases
UL 4600 is the standard for safety cases for evaluation of autonomous products. It originated in the autonomous vehicle context but has been written generically enough to apply to autonomous physical agents more broadly, including industrial robots, delivery robots, and emerging humanoid platforms. The standard prescribes the structure of a safety case: an explicit argument that the product is acceptably safe for its intended use, supported by evidence covering hazard analysis, risk treatment, validation, and operational deployment. Adoption is voluntary, but UL 4600 has been cited in procurement and regulatory commentary as a workable reference for what an autonomous product safety case should look like. UL 4600 & Autonomous Product Safety Cases covers the safety case structure, the evidence categories the standard expects, the adoption status across autonomous product manufacturers, and the practical experience operators have reported in producing UL 4600-conformant safety cases.
ISO/IEC 42001 AI Management Systems
ISO/IEC 42001 is the international standard for AI management systems, published in 2023. It provides a framework for organizations to establish, implement, maintain, and improve an AI management system that systematically addresses AI risks across the lifecycle from development through deployment and decommissioning. The standard borrows the management system structure familiar from ISO 27001 for information security and ISO 9001 for quality, applying it to AI-specific concerns including fairness, transparency, robustness, accountability, and human oversight. Certification against ISO/IEC 42001 by an accredited certification body provides external validation that an organization's AI practices conform to the standard. Adoption is early but accelerating, particularly among large enterprises that already operate other ISO management systems and need a recognized framework for the AI dimension. ISO/IEC 42001 AI Management Systems covers the management system structure, the AI-specific requirements, the certification process, and the integration patterns with other ISO management systems.
NIST AI Risk Management Framework Application
The NIST AI Risk Management Framework is voluntary, but it has emerged as a de facto reference cited in procurement requirements, federal agency guidance, contractual obligations, and regulatory commentary on AI risk. The framework's four functions of govern, map, measure, and manage provide a structured approach to AI risk that organizations apply both as a standalone discipline and as the AI extension of an existing enterprise risk management program. The Generative AI Profile and other use-case-specific profiles extend the core framework to handle context-specific concerns. In a compliance context, NIST AI RMF application produces artifacts that demonstrate the organization has identified, assessed, and treated AI risks systematically, even where the framework is not strictly required. NIST AI RMF Application covers the four functions in compliance practice, the profile additions, the artifacts that satisfy procurement and contractual references to NIST AI RMF, and the integration patterns with EU AI Act conformity assessment for organizations subject to both.
Sector-Specific Compliance Gaps
Most autonomous and ambient agents operate inside sectors with their own established compliance frameworks. Healthcare operates under HIPAA, FDA SaMD guidance, and clinical decision support frameworks. Financial services operates under model risk management guidance including SR 11-7, the SEC and CFTC AI rules where they apply, and anti-money-laundering frameworks. Transportation operates under NHTSA, FMCSA, and FAA compliance regimes that are being adapted to autonomous variants. Critical infrastructure operates under CISA guidance and sector-specific risk management agency frameworks. Each sector framework predates current AI agent capability, and each is being adapted at different rates with different priorities. The gaps that result vary by sector: AI as medical device has the most developed framework but does not fully address conversational AI in clinical settings; financial services has strong model risk discipline but unsettled treatment of agentic AI with transaction authority; autonomous trucking has FMCSA engagement but unsettled cross-state operating rules. Sector-Specific Compliance Gaps covers the sectoral landscape and the specific gaps that operators must navigate while regulators catch up.
Insurance and Underwriting Response
Insurance is one of the most consequential compliance-adjacent disciplines because it allocates financial risk and creates economic incentives for safer operation. The insurance market response to autonomous and ambient agents has been uneven. Auto insurance has products for autonomous vehicle exposure but not standardized treatment across carriers. Product liability insurance for humanoid manufacturers exists but does not contemplate directed criminal use of the products. Cyber insurance is being extended to cover AI-specific risks, but the products are early and the coverage terms vary widely. Facilities deploying humanoids have no settled insurance coverage for third-party harm caused by a humanoid acting outside intended parameters. Underwriting standards for autonomous agent exposure are being developed, with carriers experimenting on factors like operator track record, safety case quality, telemetry availability, and incident response capability. Insurance & Underwriting Response covers the market landscape across auto, product liability, cyber, and emerging autonomous-specific products, and the underwriting factors carriers are converging on.
Third-Party Audit Methodology
Third-party audit of AI systems is an emerging discipline. Conventional information security audit has decades of methodology and a mature ecosystem of audit firms, frameworks, and certification regimes. AI audit is younger, with methodology drawing from algorithmic auditing research, fairness and bias testing practices, and the conformity assessment regimes described above. The scope of an AI audit varies widely: some audits cover only model behavior on a defined test set, some cover the full management system around the AI, some cover specific use cases such as hiring or lending. Independent third-party audit has emerged as the most credible form of compliance evidence because internal audit has structural conflicts of interest and self-attestation is not validated by an outside party. Third-Party Audit Methodology covers the emerging audit methodologies, the audit firm landscape, the scope-of-engagement patterns, and the integration of AI audit with conformity assessment regimes.
Notified Bodies and Certification Regimes
Notified bodies are independent organizations authorized to perform conformity assessment against regulatory requirements, most prominently under the EU AI Act high-risk regime. Certification bodies serve a similar function for voluntary standards such as ISO/IEC 42001. The designation and accreditation of these bodies is the institutional infrastructure that gives conformity assessment its credibility: a self-declaration by the operator has limited weight, while a conformity assessment performed by an independently accredited body carries the weight of the regulatory or standards regime behind it. The notified body landscape for AI is still developing under EU AI Act implementation, with member states designating bodies unevenly and the bodies' capacity for high-volume conformity assessment still being built out. ISO/IEC 42001 certification bodies are being accredited through the IAF and ILAC member accreditation bodies. Notified Bodies & Certification Regimes covers the designation status, the accreditation infrastructure, the capacity constraints operators are encountering, and the recognition arrangements that allow conformity assessment in one jurisdiction to satisfy requirements in another.
AI Documentation as Compliance Evidence
Model cards, datasheets, system cards, and related AI documentation artifacts originated as transparency tools published voluntarily by research groups and AI labs. In the compliance context, the same artifacts function as evidence. EU AI Act Article 11 requires technical documentation for high-risk AI systems that closely parallels a model card and datasheet combined: the intended purpose, design specifications, training data characterization, training methodology, performance metrics, risk management measures, human oversight provisions, and post-market monitoring approach. ISO/IEC 42001 requires similar documentation as part of the AI management system. NIST AI RMF produces documentation artifacts through its map and measure functions. The artifacts in a compliance context are different from the artifacts in a transparency context in two ways: they are mandatory rather than voluntary, and they are produced for a regulator or auditor rather than for the general public. The same operator may produce two versions of the same artifact, one detailed enough to satisfy compliance and one summarized for public transparency. AI Documentation as Compliance Evidence covers the documentation requirements across EU AI Act, ISO/IEC 42001, and NIST AI RMF, the relationship between compliance documentation and voluntary transparency artifacts, and the operational patterns operators are adopting to produce both efficiently.