[{"data":1,"prerenderedAt":4},["ShallowReactive",2],{"raw-en-regulations":3},"---\ntitle: AI Regulations & Standards\ndescription: A plain-language guide to the AI regulations that matter  -  what they require, who they apply to, and how they connect to each other.\nlang: en\nnavigation:\n  section: governance\n  label: Regulations\n  order: 20\n---\n# AI Regulations & Standards\n\n## The landscape\n\nAI governance is fragmenting across jurisdictions and sectors. No single framework covers everything. Most organizations face overlapping requirements from multiple standards  -  and the gaps between them are where risk hides.\n\nQUADRA tracks and cross-maps 30+ frameworks. Here's what you need to know about the ones that matter most.\n\n---\n\n## Horizontal Frameworks (Apply Across Sectors)\n\n### EU AI Act\n\n**Who it applies to:** Any organization offering or deploying AI systems in the EU  -  regardless of where the organization is based.\n\n**What it requires:**\n- Risk classification of all AI systems (unacceptable, high-risk, limited, minimal)\n- Conformity assessment and CE marking for high-risk systems\n- Transparency obligations (users must know when they're interacting with AI)\n- Technical documentation, human oversight, and ongoing monitoring\n- Governance documentation and audit readiness\n\n**Enforcement:** Fines up to 7% of global annual revenue for prohibited practices; 3% for other violations.\n\n**Key dates:** Prohibited practices enforcement from February 2025. High-risk system obligations from August 2026.\n\n### NIST AI Risk Management Framework (AI RMF)\n\n**Who it applies to:** Voluntary, but increasingly referenced by US regulators and procurement offices. Being \"NIST-aligned\" is becoming a de facto requirement.\n\n**What it requires:**\n- Four core functions: Govern, Map, Measure, Manage\n- Risk identification across the AI lifecycle\n- Documented organizational governance structure\n- Measurement of AI system trustworthiness characteristics\n\n**Why it matters:** NIST AI RMF is the most actionable framework available. It maps directly to operational decisions  -  who governs, what's measured, how risk is managed.\n\n### ISO 42001 (AI Management Systems)\n\n**Who it applies to:** Organizations seeking formal certification of their AI governance practices.\n\n**What it requires:**\n- Management system approach (plan-do-check-act)\n- Annex A controls covering policy, risk, technical, and operational requirements\n- Internal audit and management review\n- Continuous improvement cycle\n\n**Why it matters:** ISO 42001 is the certification standard. If your industry expects third-party audited governance, this is the target.\n\n### EU GDPR (AI-Specific Provisions)\n\n**Who it applies to:** Any organization processing EU resident personal data  -  relevant wherever AI systems make or support decisions about individuals.\n\n**Key provisions for AI:**\n- Article 22: Right not to be subject to solely automated decision-making\n- Profiling provisions: Transparency about logic, significance, and consequences\n- Data minimization: Use only what's necessary\n- Purpose limitation: Don't repurpose training data without legal basis\n\n---\n\n## Sector-Specific Standards\n\n### Financial Services\n\n| Framework | Jurisdiction | Focus |\n|---|---|---|\n| **SR 11-7** (Fed Reserve) | US | Model risk management  -  applies to all AI-driven financial models |\n| **EBA AI Guidelines** | EU | Credit institutions' use of AI and machine learning |\n| **MAS AI Governance** | Singapore | Financial institution AI oversight |\n\n### Healthcare & Life Sciences\n\n| Framework | Jurisdiction | Focus |\n|---|---|---|\n| **FDA AI\u002FML SaMD** | US | Clinical AI and software as a medical device |\n| **ONC Trustworthy AI** | US | Health IT standards for AI trustworthiness |\n\n### Security & Adversarial Risk\n\n| Framework | Focus |\n|---|---|\n| **OWASP LLM Top 10** | Security vulnerabilities specific to large language models |\n| **MITRE ATLAS** | Adversarial threat landscape for AI systems |\n| **Google SAIF** | Secure AI framework for production systems |\n| **NIST AI 100-1** | Adversarial machine learning taxonomy |\n\n### Ethics & Principles\n\n| Framework | Origin | Focus |\n|---|---|---|\n| **OECD AI Principles** | OECD | International baseline for responsible AI |\n| **UNESCO AI Ethics** | UNESCO | Human rights approach to AI governance |\n| **IEEE 7000** | IEEE | Ethical design of autonomous and intelligent systems |\n| **Microsoft RAI** | Microsoft | Responsible AI principles and practices |\n| **PAI Guidelines** | Partnership on AI | Multi-stakeholder AI governance practices |\n\n---\n\n## How Frameworks Overlap\n\nThis is where most organizations waste time. Frameworks use different terminology for the same concepts:\n\n| Concept | EU AI Act | NIST AI RMF | ISO 42001 |\n|---|---|---|---|\n| Risk management | Article 9 | Map function | Clause 6.1 |\n| Human oversight | Article 14 | Govern 1.4 | A.8.4 |\n| Technical documentation | Article 11 | Map 3.4 | A.6.2 |\n| Bias and fairness | Article 10(2)(f) | Measure 2.6 | A.10.3 |\n| Transparency | Chapter IV | Govern 4.1 | A.8.3 |\n\n**QUADRA's knowledge graph maps all of these crosswalks structurally**  -  so you can see where one control satisfies multiple standards, and where there are genuine gaps.\n\n---\n\n## What You Get From QUADRA\n\n- **Obligation profiler:** Tell us your jurisdictions, sectors, and AI use cases. Get a tailored requirement set across all applicable frameworks.\n- **Cross-framework gap analysis:** See where your current controls have coverage and where they don't  -  across every standard simultaneously.\n- **Regulatory change tracking:** When frameworks update, we flag which of your systems are affected and what changed.\n- **Exportable evidence:** Audit-ready mapping from your AI systems to specific regulatory articles, with control evidence attached.\n\n---\n\n## Next step\n\n[See how QUADRA maps your operations to these frameworks →](\u002Fhow-it-works)\n\n[Get a free governance assessment →](\u002Fgetting-started)\n",1776312470245]