AI Compliance: What the Frameworks Require and How to Build It
AI compliance now means enforceable obligations under the EU AI Act, FTC enforcement authority, and the NIST AI RMF as a U.S. baseline. Here is what each demands and how to operationalize them.
AI compliance has shifted from a theoretical concern to a set of concrete, enforceable obligations. In 2026, a company building or deploying an AI system faces at minimum three overlapping compliance regimes: the EU AI Act, which carries fines up to 7% of global annual turnover; FTC enforcement authority under existing consumer protection statutes; and the NIST AI Risk Management Framework, which has become the de facto standard for U.S. government procurement and enterprise contracts. None of these can be dismissed as advisory. What they require, who they apply to, and how to build a compliance program to address them is the practical question most AI product teams are now working through.
What the EU AI Act Actually Requires
The EU AI Act (Regulation (EU) 2024/1689) is the most structurally demanding of the three regimes. It applies to any AI system placed on the EU market or used by EU-based deployers, regardless of where the provider is headquartered. A U.S.-based API provider whose model is accessed by a European enterprise is in scope.
The Act divides AI systems into risk tiers, and compliance obligations track that classification:
Prohibited systems — AI systems that manipulate users through subliminal techniques, enable mass social scoring by public authorities, or conduct real-time remote biometric identification in public spaces for law enforcement without authorization — are banned outright. These prohibitions have been in effect since February 2, 2025. There is no compliance path for a prohibited system; it must be withdrawn.
High-risk systems face the heaviest obligations. These include AI used in critical infrastructure, education outcomes, employment decisions, credit scoring, law enforcement, border control, and administration of justice. Full obligations apply as of August 2, 2026 for most high-risk deployments. Required controls include: a quality management system, technical documentation covering the system’s design and training data, automatic event logging, human oversight mechanisms, and post-market monitoring. Before deployment, high-risk systems need a conformity assessment — either self-assessment against the Act’s requirements (most categories) or third-party certification (biometric systems and certain safety components).
General-Purpose AI (GPAI) models — foundation models with broad capabilities that can be integrated into downstream applications — have been under obligation since August 2, 2025. Providers must maintain technical documentation, publish usage policies, and implement copyright compliance measures. Models with “systemic risk” (estimated at over 10^25 FLOPs for training) face additional obligations including adversarial testing, incident reporting to the AI Office, and cybersecurity measures.
Transparency-tier systems — chatbots and AI-generated content systems — must disclose their AI nature to users. This is the lowest mandatory tier, but enforcement actions for deceptive AI disclosure failures are already occurring through member-state consumer protection bodies.
Teams building the technical controls for EU compliance — guardrails, content filters, human-in-the-loop mechanisms — will find practical tooling coverage at GuardML, which tracks the defensive AI tooling landscape.
NIST AI RMF: The U.S. Compliance Baseline
The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023, is voluntary at the federal level. That designation is misleading about its practical weight. Federal agencies reference it for AI procurement requirements, enterprise buyers cite it in vendor contracts, and it has become the structure most compliance consultants and auditors map to when assessing U.S.-based AI programs.
The AI RMF organizes compliance work around four core functions:
- Govern establishes organizational accountability: who owns AI risk, what the risk tolerance is, what the escalation path looks like. This function is the prerequisite for the others being repeatable rather than ad hoc.
- Map scopes individual AI systems: their purpose, the populations they affect, the categories of harm they could cause, and the regulatory contexts they operate in. For compliance purposes, this is where you identify which EU AI Act tier or FTC risk category applies.
- Measure quantifies and tracks identified risks through testing, red-teaming, bias audits, and monitoring. These outputs are both operationally useful and serve as documentary evidence for auditors.
- Manage allocates resources to treat risks, documents residual risk decisions with rationale, and coordinates incident response when something goes wrong.
NIST published a Generative AI Profile (NIST AI 600-1) in July 2024 to extend the RMF to large language models specifically, covering risks including confabulation, data privacy, and prompt injection. Teams operating LLMs in production should treat this profile as a required supplement to the base framework.
One practical limitation: the RMF describes a structure, not a checklist. Organizations that need to demonstrate compliance to counterparties or auditors often layer ISO/IEC 42001 on top, because that standard supports third-party certification — a credential the RMF alone cannot provide.
FTC Enforcement: What “Deceptive AI” Means in Practice
The FTC’s AI enforcement authority derives from Section 5 of the FTC Act, which prohibits unfair or deceptive acts in commerce. The FTC has not passed AI-specific regulations, but it has made clear through guidance documents and its Operation AI Comply enforcement sweep (September 2024) that existing consumer protection law applies fully to AI claims and AI-enabled services.
The FTC’s practical concerns for AI compliance teams cluster around three areas. First, AI capability claims: the FTC has brought actions against companies that made unsubstantiated claims about AI accuracy, safety, or capabilities. If your marketing asserts the model “never hallucinates” or “is unbiased,” those claims need to be defensible. Second, AI-enabled fraud: using AI to automate deceptive practices at scale — fake reviews, impersonation, bogus testimonials — carries the same liability as running those schemes manually, with additional FTC attention because of the volume multiplier. Third, data practices: the FTC’s information security orders and consent decrees routinely now include AI-specific provisions about training data sourcing, model updates, and data minimization.
For teams monitoring AI privacy enforcement intersections, AI Privacy Report covers FTC actions and regulatory developments at the data protection boundary.
Building an AI Compliance Program: Four Steps for This Quarter
1. Classify your systems. Map every AI system you build or deploy to the EU AI Act’s risk tiers. If you have EU users or EU-based API customers downstream, prohibited-practice and GPAI obligations are already live and cannot wait for the August 2026 high-risk deadline.
2. Build the documentary record now. High-risk EU AI Act compliance and NIST RMF Measure/Manage functions both require contemporaneous documentation — design decisions, data sourcing rationale, test results, risk acceptance records. Documentation written after the fact to satisfy an audit is weaker and more expensive to produce. Start the technical documentation file for each material AI system today.
3. Establish an AI risk register. The NIST RMF’s Govern function exists to make risk management repeatable. A risk register with named owners, identified risks, treatment decisions, and review cadences is the minimum. Assign an AI risk owner who is not the product manager for the system being assessed.
4. Audit your AI claims. Before your next marketing campaign or sales pitch deck, review every claim made about AI accuracy, fairness, or safety. Apply the FTC standard: is this claim substantiated by testing? If not, revise it before it creates liability.
AI compliance is a moving target — frameworks update, enforcement priorities shift, and courts are still resolving the boundaries of federal preemption over state AI laws. Treat the current moment as the floor, not the ceiling.
Sources
- NIST AI Risk Management Framework (nist.gov): Official NIST page for AI RMF 1.0 and the Generative AI Profile (NIST AI 600-1). Includes the framework document, playbook, and supplemental guidance for specific AI application types.
- EU AI Act — European Commission (digital-strategy.ec.europa.eu): European Commission regulatory framework page including the full regulation text, implementation timeline, sector-specific guidance, and links to the AI Office enforcement structure.
- FTC — Artificial Intelligence Resources (ftc.gov): FTC’s central AI resource page, including policy statements, enforcement actions from Operation AI Comply, and guidance on applying Section 5 of the FTC Act to AI-enabled products and services.