AI Regulations & Standards
The landscape
AI governance is fragmenting across jurisdictions and sectors. No single framework covers everything. Most organizations face overlapping requirements from multiple standards - and the gaps between them are where risk hides.
QUADRA tracks and cross-maps 30+ frameworks. Here’s what you need to know about the ones that matter most.
Horizontal Frameworks (Apply Across Sectors)
EU AI Act
Who it applies to: Any organization offering or deploying AI systems in the EU - regardless of where the organization is based.
What it requires:
- Risk classification of all AI systems (unacceptable, high-risk, limited, minimal)
- Conformity assessment and CE marking for high-risk systems
- Transparency obligations (users must know when they’re interacting with AI)
- Technical documentation, human oversight, and ongoing monitoring
- Governance documentation and audit readiness
Enforcement: Fines up to 7% of global annual revenue for prohibited practices; 3% for other violations.
Key dates: Prohibited practices enforcement from February 2025. High-risk system obligations from August 2026.
NIST AI Risk Management Framework (AI RMF)
Who it applies to: Voluntary, but increasingly referenced by US regulators and procurement offices. Being “NIST-aligned” is becoming a de facto requirement.
What it requires:
- Four core functions: Govern, Map, Measure, Manage
- Risk identification across the AI lifecycle
- Documented organizational governance structure
- Measurement of AI system trustworthiness characteristics
Why it matters: NIST AI RMF is the most actionable framework available. It maps directly to operational decisions - who governs, what’s measured, how risk is managed.
ISO 42001 (AI Management Systems)
Who it applies to: Organizations seeking formal certification of their AI governance practices.
What it requires:
- Management system approach (plan-do-check-act)
- Annex A controls covering policy, risk, technical, and operational requirements
- Internal audit and management review
- Continuous improvement cycle
Why it matters: ISO 42001 is the certification standard. If your industry expects third-party audited governance, this is the target.
EU GDPR (AI-Specific Provisions)
Who it applies to: Any organization processing EU resident personal data - relevant wherever AI systems make or support decisions about individuals.
Key provisions for AI:
- Article 22: Right not to be subject to solely automated decision-making
- Profiling provisions: Transparency about logic, significance, and consequences
- Data minimization: Use only what’s necessary
- Purpose limitation: Don’t repurpose training data without legal basis
Sector-Specific Standards
Financial Services
| Framework | Jurisdiction | Focus |
|---|---|---|
| SR 11-7 (Fed Reserve) | US | Model risk management - applies to all AI-driven financial models |
| EBA AI Guidelines | EU | Credit institutions’ use of AI and machine learning |
| MAS AI Governance | Singapore | Financial institution AI oversight |
Healthcare & Life Sciences
| Framework | Jurisdiction | Focus |
|---|---|---|
| FDA AI/ML SaMD | US | Clinical AI and software as a medical device |
| ONC Trustworthy AI | US | Health IT standards for AI trustworthiness |
Security & Adversarial Risk
| Framework | Focus |
|---|---|
| OWASP LLM Top 10 | Security vulnerabilities specific to large language models |
| MITRE ATLAS | Adversarial threat landscape for AI systems |
| Google SAIF | Secure AI framework for production systems |
| NIST AI 100-1 | Adversarial machine learning taxonomy |
Ethics & Principles
| Framework | Origin | Focus |
|---|---|---|
| OECD AI Principles | OECD | International baseline for responsible AI |
| UNESCO AI Ethics | UNESCO | Human rights approach to AI governance |
| IEEE 7000 | IEEE | Ethical design of autonomous and intelligent systems |
| Microsoft RAI | Microsoft | Responsible AI principles and practices |
| PAI Guidelines | Partnership on AI | Multi-stakeholder AI governance practices |
How Frameworks Overlap
This is where most organizations waste time. Frameworks use different terminology for the same concepts:
| Concept | EU AI Act | NIST AI RMF | ISO 42001 |
|---|---|---|---|
| Risk management | Article 9 | Map function | Clause 6.1 |
| Human oversight | Article 14 | Govern 1.4 | A.8.4 |
| Technical documentation | Article 11 | Map 3.4 | A.6.2 |
| Bias and fairness | Article 10(2)(f) | Measure 2.6 | A.10.3 |
| Transparency | Chapter IV | Govern 4.1 | A.8.3 |
QUADRA’s knowledge graph maps all of these crosswalks structurally - so you can see where one control satisfies multiple standards, and where there are genuine gaps.
What You Get From QUADRA
- Obligation profiler: Tell us your jurisdictions, sectors, and AI use cases. Get a tailored requirement set across all applicable frameworks.
- Cross-framework gap analysis: See where your current controls have coverage and where they don’t - across every standard simultaneously.
- Regulatory change tracking: When frameworks update, we flag which of your systems are affected and what changed.
- Exportable evidence: Audit-ready mapping from your AI systems to specific regulatory articles, with control evidence attached.