§31

Compliance landscape (2026)

We track multiple regulations concurrently, not just one. The registry's "Jurisdictional exposure" field exists for this reason.

31.1 EU AI Act (Regulation (EU) 2024/1689) — binding

  • 4-tier risk model: unacceptable / high-risk / limited / minimal.
  • Article 5 prohibitions in force since 2025-02-02.
  • Most remaining provisions activate 2026-08-02 — transparency obligations, high-risk system obligations, national enforcement.
  • Articles 9–15 obligations for high-risk: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity.
  • Article 50: transparency obligations (disclose AI; mark synthetic content).
  • Article 99 penalties: up to €35M or 7% global turnover for prohibited practices; up to €15M or 3% for high-risk violations.
  • Extraterritorial: applies to non-EU providers and deployers whose AI system outputs are used in the EU.

31.2 NIST AI Risk Management Framework (AI RMF 1.0)

  • Voluntary. The U.S. enterprise baseline.
  • Four core functions: Govern, Map, Measure, Manage.
  • Companion: NIST AI 600-1 GenAI Profile (covers hallucination, prompt injection, data poisoning).
  • Companion: NIST IR 8596 "Cyber AI Profile" (draft Dec 2025), bridges CSF 2.0 and AI RMF.
  • Practical: adopt for the risk methodology and the GenAI Profile.

31.3 ISO/IEC 42001 — AI management system standard

  • First international AI management system standard (2023).
  • Plan-Do-Check-Act, same shape as ISO 27001 / 9001.
  • 38 Annex A controls across 9 control objectives.
  • Third-party certifiable (ISO/IEC 42006 conformity assessment, 2025).
  • Practical: mirror its clause structure in the internal management system; pursue certification when enterprise customers ask for it.

31.4 U.S. state AI laws — the patchwork

  • Colorado AI Act (consumer protections, algorithmic discrimination prohibitions).
  • California proposed Automated Decision Systems Accountability Act.
  • Active and evolving. Build architecture that tracks jurisdictional changes; do not target a single state law.

31.5 Other references to know

  • UK pro-innovation AI framework — non-statutory; flexible, context-driven.
  • OECD AI Principles (2019, updated 2024) — non-binding, broadly adopted.
  • UNESCO Recommendation on the Ethics of AI — first global ethics standard.
  • G7 Code of Conduct for Advanced AI (2023) — voluntary commitment.
  • U.S. Executive Order 14179 (2025) — "Removing Barriers to American Leadership in AI." Replaced EO 14110.
  • AI Bill of Rights (2022) — non-binding U.S. principles document.

31.6 Practical compliance stacking order

  1. EU AI Act — primary compliance benchmark if any EU exposure.
  2. NIST AI RMF + GenAI Profile — risk methodology, regardless of jurisdiction.
  3. ISO/IEC 42001 — certification when ready to demonstrate maturity to customers / auditors / regulators.