Service

AI Governance & Regulatory Compliance

Board-level AI governance advisory covering EU AI Act, NIST AI RMF, SOC 2, HIPAA, and VN AI Law — gap assessments, framework alignment, and compliance roadmaps for 2026.

Key capabilities

  • EU AI Act: high-risk obligations apply from 2 Aug 2026 for Annex III systems, and from 2 Aug 2027 for Annex I product-embedded systems
  • NIST AI RMF is the de facto US standard, referenced by the FTC, SEC, FDA and DOD
  • Roughly 66% of B2B buyers demand SOC 2 reports from AI vendors
  • The proposed HIPAA Security Rule update would require a technology asset inventory and risk analysis that covers AI systems touching ePHI
  • VN AI Law effective 1 Mar 2026, the first standalone AI law in Southeast Asia
  • 45 of 50 US states have introduced AI legislation as of early 2026

Overview

Why governance is a board-level issue now

The AI regulatory landscape has crystallised. The EU AI Act enforces high-risk obligations from August 2026, Vietnam's AI Law took effect in March 2026, US regulators increasingly reference the NIST AI RMF, SOC 2 auditors are demanding AI-specific controls, and HIPAA's proposed Security Rule update would tighten the safeguards required of AI systems that handle ePHI. Boards need a coherent governance strategy that addresses all of them.

The question boards are asking is: "Which frameworks apply to our organisation, what gaps exist in our current governance, and what is the most efficient path to compliance?" The answer is different for every organisation; it depends on geographic presence, sector, customer base, and the AI systems in use. A structured governance assessment answers this question before regulators ask it.

Aug 2026

EU AI Act high-risk obligations become enforceable for Annex III systems. Penalties: up to €35M or 7% of worldwide annual turnover for prohibited practices, up to €15M or 3% for breaches of most other obligations, including high-risk requirements (whichever is higher for companies)

Mar 2026

VN AI Law takes effect — compliance deadline March 2027 for most organisations

2026

SOC 2 auditors now requiring AI-specific control evidence even without formal AICPA guidance

Proposed

HIPAA Security Rule NPRM (published January 2025) would mandate a technology asset inventory and network map, and a risk analysis that covers AI systems handling ePHI

Frameworks

The five frameworks shaping AI governance in 2026

Multiple regulatory timelines converge in 2026. Here are the five frameworks every organisation needs to understand.


EU AI Act — Regulation (EU) 2024/1689

The world's first comprehensive legal framework for artificial intelligence, and it applies extraterritorially. Providers placing AI systems on the EU market, deployers located in the EU, and providers or deployers outside the EU whose system output is used in the EU are all in scope, regardless of where the organisation is headquartered (Article 2).

  • Four risk tiers: Unacceptable (prohibited), High-risk, Limited risk, Minimal risk, plus a separate regime for general-purpose AI (GPAI) models
  • Enforcement: Prohibited practices since 2 Feb 2025, GPAI obligations since 2 Aug 2025, Annex III high-risk obligations from 2 Aug 2026, Annex I product-embedded high-risk systems from 2 Aug 2027
  • Penalties: Up to €35 million or 7% of worldwide annual turnover for prohibited practices; up to €15 million or 3% for other breaches, including high-risk obligations; up to €7.5 million or 1% for supplying incorrect information to authorities
  • High-risk requirements: Risk management, data governance, technical documentation, record-keeping (automatic logging), transparency, human oversight, accuracy, robustness and cybersecurity, conformity assessment, post-market monitoring
  • FRIA: Deployers that are public bodies, private providers of public services, or users of high-risk systems for credit scoring or life and health insurance risk assessment must complete a Fundamental Rights Impact Assessment before first use (Article 27); it is broader than GDPR's DPIA and does not replace it

NIST AI Risk Management Framework

While voluntary, the NIST AI RMF is rapidly becoming the US standard of care for AI governance. Federal regulators — including the FTC, SEC, FDA, CFPB, and DOD — reference its principles in enforcement guidance and procurement requirements.

  • Four core functions: Govern (policies, roles, risk tolerance), Map (context, risks, impacts), Measure (testing, evaluation, monitoring), Manage (response, recovery, communication)
  • GenAI Profile: NIST AI 600-1 (July 2024) extends the RMF with 12 generative AI-specific risk categories
  • Crosswalk available: Official NIST mapping aligns AI RMF subcategories to ISO/IEC 42001 for organisations seeking certification
  • Colorado AI Act (SB 24-205, effective 30 June 2026): Gives developers and deployers an affirmative defence if they can show compliance with the NIST AI RMF or another nationally or internationally recognised framework
  • Cyber AI Profile: NIST IR 8596 (draft Dec 2025) bridges AI RMF with Cybersecurity Framework 2.0

SOC 2

SOC 2 has become a de facto requirement for B2B AI companies. While the AICPA has not yet published an AI-specific standard, auditors in 2026 are demanding AI-specific control evidence in real engagements.

  • Five Trust Services Criteria categories: Security (the only mandatory one), Availability, Processing Integrity, Confidentiality, Privacy
  • Market reality: Roughly 66% of B2B buyers now demand a SOC 2 report before considering a vendor
  • AI control expectations: Data governance, model risk management, transparency and bias controls, secure development lifecycle, vendor management, incident response
  • Type I vs Type II: A Type I report tests control design at a point in time; a Type II report tests operating effectiveness over a period, and most buyers require a Type II covering at least 6 months (commonly 6 to 12) of operational evidence
  • Cross-framework integration: SOC 2 AI controls increasingly align with NIST AI RMF and ISO/IEC 42001 expectations

HIPAA AI Governance

AI systems handling protected health information introduce new compliance dimensions under HIPAA. The Security Rule NPRM published in January 2025 would make a technology asset inventory and an AI-inclusive risk analysis mandatory, and rapidly expanding state AI laws add further obligations.

  • Proposed Security Rule (NPRM): Would require a technology asset inventory and network map covering every system that creates, receives, maintains, or transmits ePHI, AI systems included, together with documented risk analysis. The "addressable" category would be removed, so encryption of ePHI at rest and in transit, MFA, and audit logging would become required rather than addressable.
  • BAA requirements: Any AI vendor processing PHI must sign a Business Associate Agreement defining permitted uses, safeguards, and breach reporting; this includes hosted model providers whose prompts or context contain PHI.
  • State legislation: 45 of 50 US states have introduced AI legislation as of early 2026. Texas, Utah, California, and Colorado have enacted AI laws affecting healthcare specifically.
  • Key risks: PHI leakage via AI model outputs; prompt injection exposing retrieved records or system context; memorised training data resurfacing in outputs; minimum necessary rule compliance when whole records are sent as prompt context; clinical oversight of AI-assisted decisions
  • FDA overlap: AI/ML-enabled medical devices, including Software as a Medical Device (SaMD), face additional FDA premarket review, and model updates need a Predetermined Change Control Plan (PCCP) to avoid a new submission

VN AI Law — Law 134/2025/QH15

Vietnam’s first standalone AI Law took effect on 1 March 2026 — the first comprehensive AI regulation in Southeast Asia. It applies to domestic and foreign entities developing, providing, deploying, or using AI systems that affect Vietnamese users.

  • Three-tier framework: High-risk (strict controls, pre-market conformity), Medium-risk (transparency and monitoring), Low-risk (minimal oversight)
  • Compliance deadline: 1 March 2027 (12-month grace period). Health, education, and financial services: 1 September 2027
  • Key obligations: AI inventory, risk classification, human oversight, technical documentation, registration on national AI portal, AI literacy
  • Foreign providers: High-risk AI providers must establish a local presence or appoint an authorised representative in Vietnam

How the frameworks fit together

These five frameworks are not silos. Work done for one directly contributes to readiness for the others. A unified governance program is more efficient than managing each framework independently.

  • NIST AI RMF → EU AI Act: The AI RMF's Map function supports EU AI Act risk classification. Measure supports conformity assessment. Manage supports post-market monitoring. The European Commission has acknowledged the AI RMF as a useful reference for implementation, but alignment with it does not confer a presumption of conformity; under Article 40 that comes only from harmonised European standards.
  • NIST AI RMF → ISO 42001: NIST published an official crosswalk mapping AI RMF subcategories to ISO 42001 clauses. Use the RMF for operational guidance and ISO 42001 for formal certification.
  • SOC 2 → All frameworks: SOC 2’s trust principles provide a control foundation that supports compliance across all regulatory frameworks. AI-specific controls designed for SOC 2 map to EU AI Act documentation requirements, NIST AI RMF Measure function, and HIPAA Security Rule safeguards.
  • VN AI Law → EU AI Act: Vietnam’s risk-based three-tier framework mirrors the EU approach. Organisations already aligned with the EU AI Act will find significant conceptual overlap with VN AI Law obligations — though implementation details and deadlines differ.

How we help you build an AI governance program

We help boards and leadership teams understand which frameworks apply, assess current governance posture, and build a practical, integrated compliance program that addresses multiple regulatory requirements simultaneously.

  • Scoping & framework mapping: Identify which frameworks apply based on your geographic presence, sector, customer base, and AI systems in use. Map obligations across frameworks to find overlaps and efficiencies.
  • Governance gap assessment: Evaluate current AI governance against applicable frameworks. Assess AI inventory completeness, risk classification, documentation, oversight mechanisms, and control effectiveness.
  • Governance framework design: Design policies, roles, oversight bodies, and risk tolerance thresholds. Build a unified governance framework that satisfies multiple regulatory requirements with a single set of controls.
  • Roadmap & board briefing: Prioritised implementation roadmap with milestones, resource requirements, and timelines aligned to regulatory deadlines. Board-ready briefing on risk exposure, recommended actions, and investment case.