Skip to content
QUADRA.cafe

AI Regulations & Standards

The landscape

AI governance is fragmenting across jurisdictions and sectors. No single framework covers everything. Most organizations face overlapping requirements from multiple standards - and the gaps between them are where risk hides.

QUADRA tracks and cross-maps 30+ frameworks. Here’s what you need to know about the ones that matter most.


Horizontal Frameworks (Apply Across Sectors)

EU AI Act

Who it applies to: Any organization offering or deploying AI systems in the EU - regardless of where the organization is based.

What it requires:

  • Risk classification of all AI systems (unacceptable, high-risk, limited, minimal)
  • Conformity assessment and CE marking for high-risk systems
  • Transparency obligations (users must know when they’re interacting with AI)
  • Technical documentation, human oversight, and ongoing monitoring
  • Governance documentation and audit readiness

Enforcement: Fines up to 7% of global annual revenue for prohibited practices; 3% for other violations.

Key dates: Prohibited practices enforcement from February 2025. High-risk system obligations from August 2026.

NIST AI Risk Management Framework (AI RMF)

Who it applies to: Voluntary, but increasingly referenced by US regulators and procurement offices. Being “NIST-aligned” is becoming a de facto requirement.

What it requires:

  • Four core functions: Govern, Map, Measure, Manage
  • Risk identification across the AI lifecycle
  • Documented organizational governance structure
  • Measurement of AI system trustworthiness characteristics

Why it matters: NIST AI RMF is the most actionable framework available. It maps directly to operational decisions - who governs, what’s measured, how risk is managed.

ISO 42001 (AI Management Systems)

Who it applies to: Organizations seeking formal certification of their AI governance practices.

What it requires:

  • Management system approach (plan-do-check-act)
  • Annex A controls covering policy, risk, technical, and operational requirements
  • Internal audit and management review
  • Continuous improvement cycle

Why it matters: ISO 42001 is the certification standard. If your industry expects third-party audited governance, this is the target.

EU GDPR (AI-Specific Provisions)

Who it applies to: Any organization processing EU resident personal data - relevant wherever AI systems make or support decisions about individuals.

Key provisions for AI:

  • Article 22: Right not to be subject to solely automated decision-making
  • Profiling provisions: Transparency about logic, significance, and consequences
  • Data minimization: Use only what’s necessary
  • Purpose limitation: Don’t repurpose training data without legal basis

Sector-Specific Standards

Financial Services

Framework Jurisdiction Focus
SR 11-7 (Fed Reserve) US Model risk management - applies to all AI-driven financial models
EBA AI Guidelines EU Credit institutions’ use of AI and machine learning
MAS AI Governance Singapore Financial institution AI oversight

Healthcare & Life Sciences

Framework Jurisdiction Focus
FDA AI/ML SaMD US Clinical AI and software as a medical device
ONC Trustworthy AI US Health IT standards for AI trustworthiness

Security & Adversarial Risk

Framework Focus
OWASP LLM Top 10 Security vulnerabilities specific to large language models
MITRE ATLAS Adversarial threat landscape for AI systems
Google SAIF Secure AI framework for production systems
NIST AI 100-1 Adversarial machine learning taxonomy

Ethics & Principles

Framework Origin Focus
OECD AI Principles OECD International baseline for responsible AI
UNESCO AI Ethics UNESCO Human rights approach to AI governance
IEEE 7000 IEEE Ethical design of autonomous and intelligent systems
Microsoft RAI Microsoft Responsible AI principles and practices
PAI Guidelines Partnership on AI Multi-stakeholder AI governance practices

How Frameworks Overlap

This is where most organizations waste time. Frameworks use different terminology for the same concepts:

Concept EU AI Act NIST AI RMF ISO 42001
Risk management Article 9 Map function Clause 6.1
Human oversight Article 14 Govern 1.4 A.8.4
Technical documentation Article 11 Map 3.4 A.6.2
Bias and fairness Article 10(2)(f) Measure 2.6 A.10.3
Transparency Chapter IV Govern 4.1 A.8.3

QUADRA’s knowledge graph maps all of these crosswalks structurally - so you can see where one control satisfies multiple standards, and where there are genuine gaps.


What You Get From QUADRA

  • Obligation profiler: Tell us your jurisdictions, sectors, and AI use cases. Get a tailored requirement set across all applicable frameworks.
  • Cross-framework gap analysis: See where your current controls have coverage and where they don’t - across every standard simultaneously.
  • Regulatory change tracking: When frameworks update, we flag which of your systems are affected and what changed.
  • Exportable evidence: Audit-ready mapping from your AI systems to specific regulatory articles, with control evidence attached.

Next step

See how QUADRA maps your operations to these frameworks →

Get a free governance assessment →

© 2026 Quadra, Inc. All rights reserved.

v: 0.2.0 @ 2026-04-16T04:07:19.179Z