AI oversight is arriving from many directions at once. For each framework below: what it is in plain language, who it applies to, how we help — and a link to the authoritative source so you can read it first-hand. We've kept specific compliance dates off this page deliberately, since several timelines are still shifting; check the official source for current deadlines.
The EU's comprehensive, risk-based law for AI. It sorts AI systems into tiers — from a small set of prohibited uses, through a larger "high-risk" category (areas like employment, credit, education, and essential services) that carries the heaviest obligations, down to lighter-touch and minimal-risk uses.
Who it applies to: Any organization whose AI is placed on the market or used in the EU, or whose AI output is used in the EU — so it reaches many non-EU companies. Obligations and deadlines phase in over time.
How we help: EU AI Act readiness assessments, risk classification of your AI systems, and the technical documentation high-risk systems require.
A voluntary US framework for identifying and managing AI risk, organized around four functions — Govern, Map, Measure, and Manage. It is a structured way to think about what can go wrong with an AI system, not a certification or a pass/fail checklist.
Who it applies to: Any organization that designs, develops, deploys, or uses AI and wants a recognized, sector-agnostic way to manage AI risk. Widely adopted as a de facto standard.
How we help: Gap assessments against the four functions and mapping your existing controls onto the framework.
The international standard for an Artificial Intelligence Management System — the AI counterpart to ISO 27001 for information security. It sets out how to establish, run, and continually improve a governance system for AI, and it is certifiable.
Who it applies to: Organizations that want certifiable, auditable AI governance — often those who already work with ISO standards or whose customers expect them.
How we help: Readiness assessment and implementation support toward an AI management system.
A New York City law requiring an independent bias audit of automated employment decision tools (AEDTs) before they are used, with the audit summary published and notice given to candidates. The audit checks selection rates across sex, race/ethnicity, and intersectional categories.
Who it applies to: Employers and employment agencies using automated tools to hire or promote NYC candidates — the law follows the job, so it reaches employers outside NYC who hire city residents.
How we help: Independent bias audits, published audit summaries, and the surrounding governance to stay compliant year to year.
US supervisory guidance for financial institutions on managing model risk, co-issued by the Federal Reserve (SR 11-7) and the OCC (Bulletin 2011-12). Its core principle is "effective challenge" — independent, qualified review of models — across their full life: development, implementation, use, and ongoing validation.
Who it applies to: Banks and other financial institutions whose decisions rely on models, and which face examiner expectations for how those models are governed and validated.
How we help: Independent model validation and documentation built to meet examiner expectations.
A widening set of state-level AI rules (for example, in Colorado and other states) addressing AI in consequential decisions, transparency, and discrimination. The landscape is shifting quickly and varies by state.
Who it applies to: Organizations operating across multiple US states, where obligations differ by jurisdiction and continue to evolve.
How we help: Monitoring the changing landscape and building readiness that holds up across jurisdictions.
We track current state-law sources for clients as they develop.