
The regulatory window has already started closing.

The EU AI Act, NIST AI RMF 1.0, ISO/IEC 42001, DORA — the first wave of AI-specific regulation is enforceable, in force, or imminent. Plus the existing frameworks (SOC 2, ISO 27001, FCA SYSC, GDPR, HIPAA, MAS TRM) all have an opinion about model use. Read this brief before you scope your next audit.

Timeline

Key dates and effective windows.

Date | Framework | What changes
17 Jan 2025 | DORA | Financial entities — ICT risk management, third-party register, resilience testing in force.
2 Feb 2025 | EU AI Act — prohibitions | Article 5 prohibitions enforceable. Social scoring, real-time biometric ID, manipulative systems.
2 Aug 2025 | EU AI Act — GPAI obligations | General-purpose AI providers: technical documentation, copyright disclosure, summary of training data.
2 Aug 2026 | EU AI Act — high-risk systems | Annex III high-risk systems — full conformity, post-market monitoring, registration.
Ongoing | NIST AI RMF 1.0 | US federal procurement, state insurance regulators, DoD — reference baseline.
Ongoing | ISO/IEC 42001:2023 | AIMS — the ISO 27001 of AI. Customers and procurement increasingly require it.

Dates accurate as of May 2026. Confirm current text with your legal counsel.

Framework deep-dives

Six frameworks, plain language.

EU AI Act

Risk-tiered. Prohibits some practices outright. Imposes heavy obligations on “high-risk” systems — risk management, data governance, technical documentation, human oversight, accuracy, robustness, cybersecurity. Separate obligations for general-purpose AI providers.

Where AIW maps: Articles 9 (risk), 10 (data governance), 12 (logs), 13 (transparency), 14 (human oversight), 15 (accuracy/robustness/cybersecurity).

NIST AI RMF 1.0

Voluntary in name; load-bearing in US procurement and insurance. Four functions: Govern, Map, Measure, Manage. Crosswalks to ISO 42001, SOC 2, and most internal risk programs cleanly.

Where AIW maps: GV-1 (governance), MP-2 (categorisation), MS-2.7 (security), MG-3.1 (incident response), MG-4.1 (audit logs).

ISO/IEC 42001:2023

Management-system standard for AI. Same shape as ISO 27001 (Plan-Do-Check-Act), with AI-specific Annex A controls. Increasingly the procurement-friendly answer to “are you doing AI properly?”

Where AIW maps: A.4 (resources), A.6 (impact), A.7 (data), A.8 (info for users), A.9 (use), A.10 (third-party).

DORA (EU 2022/2554)

Financial entities only. ICT risk management, incident reporting, resilience testing, third-party risk register, oversight of critical ICT providers. AI systems in scope as ICT.

Where AIW maps: Articles 5 (governance), 6 (ICT risk), 17 (incident reporting), 28 (third-party register).

SOC 2 Type II

Trust services criteria — Security, Availability, Confidentiality, Processing Integrity, Privacy. AI doesn’t change the criteria; it changes the in-scope systems and the evidence you need.

Where AIW maps: CC1 (control environment), CC6 (logical access), CC7 (system operations), CC8 (change management).

FCA SYSC · MAS TRM · OCC

Sectoral — UK FCA, Singapore MAS, US OCC. Senior-management accountability, model risk management, outsourcing, operational resilience. Existing frameworks now extended to AI by guidance.

Where AIW maps: SMCR ownership, SS1/23 model-risk lifecycle, MAS TRM 6.1 (governance), 8 (third-party).

Control overlaps

Five controls, eight frameworks.

These five controls satisfy obligations under every framework above. Build them once. Map them many times. Stop re-evidencing the same control for every audit cycle.

Control | Maps to
Versioned, approved policies with diff | EU AI Act 9 · NIST GV-1 · ISO 42001 A.4 · DORA 5 · SOC 2 CC1.5
Identity-rooted access control with least privilege | EU AI Act 14 · NIST GV-3 · ISO 42001 A.5 · DORA 6 · SOC 2 CC6 · GDPR 32
Inline data redaction (PII, secrets, regulated) | EU AI Act 10(5) · NIST MS-2.7 · ISO 42001 A.7 · GDPR 25 · HIPAA 164.312 · MAS TRM 8.4
Signed, immutable audit log of every model and tool call | EU AI Act 12 · NIST MG-4.1 · ISO 42001 A.9 · DORA 17 · SOC 2 CC7
Four-eyes approvals for material change | EU AI Act 14 · NIST GV-1 · ISO 42001 A.4 · DORA 28 · SOC 2 CC8 · FCA SYSC 4.1

Evidence model

Evidence is a query. Not a quarter-end project.

The reason audit cycles take six weeks is that evidence is reconstructed by hand from screenshots, CSV exports, and tribal memory. Move the source of truth into a queryable, signed log — the audit becomes a parameterised query against a live system.

  • One signed event per model call, tool call, policy change, approval, scope change
  • Hash-chained — tampering is detectable
  • Per-control evidence packs as parameterised queries with reproducible output
  • Auditor-facing read-only role — let them run the query themselves
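A minimal sketch of the evidence model above, added here as an illustration and not AIW's own code: every event is hash-chained to its predecessor and signed, the verifier reports the first event that fails, and the evidence pack is a parameterised query that refuses to answer from a broken chain. The HMAC key, event names and sample events are constructed for the example; a production system would sign with a key held outside the application (HSM/KMS) rather than an in-source constant.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. A real deployment signs with a key held in an HSM/KMS.
SIGNING_KEY = b"demo-signing-key-not-for-production"
GENESIS = "0" * 64  # prev-hash of the first event

def _canonical(body: dict) -> bytes:
    # Canonical JSON so the hash is stable regardless of key ordering.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append(log: list, kind: str, actor: str, detail: dict) -> dict:
    # One signed event (model call, tool call, policy change, approval...)
    # chained to the previous event's hash.
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "ts": datetime.now(timezone.utc).isoformat(),
            "kind": kind, "actor": actor, "detail": detail, "prev": prev}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    sig = hmac.new(SIGNING_KEY, digest.encode(), "sha256").hexdigest()
    log.append({**body, "hash": digest, "sig": sig})
    return log[-1]

def verify(log: list) -> tuple:
    # Walk the chain: (True, n_events) or (False, index of first bad event).
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        expected_sig = hmac.new(SIGNING_KEY, digest.encode(), "sha256").hexdigest()
        if (body["seq"] != i or body["prev"] != prev or digest != rec["hash"]
                or not hmac.compare_digest(expected_sig, rec["sig"])):
            return False, i
        prev = digest
    return True, len(log)

def evidence_pack(log: list, kinds: set, actor: str = None) -> list:
    # Parameterised evidence query; refuses to answer from a broken chain.
    ok, where = verify(log)
    if not ok:
        raise ValueError(f"audit chain broken at event {where}")
    return [r for r in log if r["kind"] in kinds
            and (actor is None or r["actor"] == actor)]
```

The auditor-facing read-only role in the list above would be granted `verify` and `evidence_pack`, never `append`.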

Not legal advice

This page is engineering-and-controls oriented and intended to help you scope your audit and implementation. It is not legal advice. Citations, dates, and obligations should be confirmed by counsel competent in your jurisdictions and sectors.

Map controls once. Evidence many times.

Bring your auditor and your AI lead. We’ll show you a draft evidence pack mapped to your framework of choice, against demo data, in 30 minutes.