EU AI Act full enforcement begins August 2, 2026 — 78 days from today. High-risk AI systems without documented governance face penalties up to €35M.

Every framework your auditors will ask about.

ClearpathAI engagements are mapped to the regulations actually coming for mid-market operators — not just the ones that made the news. Six frameworks. All covered.

[Regulatory Frameworks]

The regulations. What they require. What we cover.

Every ClearpathAI deliverable is mapped to the specific articles and requirements your auditors check — not generic best practices.

EU AI Act
European AI Regulation
Applies to any organization deploying AI in the EU, or serving EU customers — regardless of where you're based.
⚠ Full enforcement: August 2, 2026
The most comprehensive AI regulation in the world. Uses a risk-based approach — unacceptable risk (banned), high-risk (strict requirements), limited risk (transparency obligations), minimal risk (unregulated). High-risk AI systems face requirements for documented governance, human oversight, incident logging, and conformity assessment. Penalties up to €35 million or 7% of global turnover for non-compliance.
Article 9: Risk management system — documented and maintained throughout the lifecycle
Article 11: Technical documentation — before deployment and kept current
Article 12: Automatic event logging — retained minimum 6 months
Article 14: Human oversight — measures to enable detection and correction
Article 49: AI system inventory — registered before deployment
NIST AI RMF
US AI Risk Management Framework
Voluntary but de facto standard. Referenced by FDA, SEC, banking regulators, and increasingly required in government contracts.
The National Institute of Standards and Technology AI Risk Management Framework organizes governance across four functions: Govern, Map, Measure, and Manage. While voluntary, it has become the US standard for demonstrating responsible AI deployment — referenced in FDA AI guidance, SEC disclosure requirements, and banking regulator expectations. ISO 42001 certification is up to 40% faster for organizations already aligned to NIST AI RMF.
Govern: Policies, accountability, risk tolerance — organizational foundation
Map: AI system inventory, context, intended and unintended impacts
Measure: Testing, monitoring, bias evaluation, performance metrics
Manage: Risk response, incident handling, continuous improvement
ISO 42001
AI Management System Standard
International certification standard for AI management systems. Increasingly required by enterprise buyers in procurement and partner agreements.
ISO/IEC 42001 is the first international standard for AI management systems — providing a certifiable framework for organizations to demonstrate responsible AI governance. It's becoming a standard requirement in enterprise procurement, RFPs, and supply chain due diligence. Organizations already certified to ISO 27001 can achieve ISO 42001 certification up to 40% faster. ClearpathAI prepares you for certification — we manage the documentation, gap analysis, and pre-audit review.
Clause 6.1: AI system inventory and risk classification
Clause 8: AI policy, objectives, and operational planning
Clause 9: Performance evaluation and monitoring
Clause 10: Continual improvement and nonconformity handling
Colorado AI Act
US State AI Regulation
First US state-level AI law. Focused on algorithmic discrimination in consequential decisions. Template for what's coming from other states in 2026 and 2027.
⚠ In effect: 2026
The Colorado AI Act is the first US state law specifically regulating AI systems — focused on preventing algorithmic discrimination in consequential decisions affecting consumers (employment, credit, housing, insurance, education). It applies to any business deploying AI that makes consequential decisions about Colorado residents, regardless of where the business is based. It is the template for legislation already advancing in 15+ other states.
Impact assessment: Required before deploying AI in consequential decisions
Bias testing: Documented testing for discriminatory outcomes
Consumer notice: Disclosure when AI is used in consequential decisions
Appeal rights: Process for consumers to contest AI-driven decisions
SQF / FDA
Food & Medical Device Regulation
Industry-specific governance for food manufacturing, food safety, and medical device sectors. Six consecutive SQF Excellent ratings — we built the framework.
ClearpathAI was built by an operator who spent 40 years in food manufacturing and regulated industries. We built governance frameworks for these sectors before AI governance was a category — and we hold six consecutive SQF Excellent audit ratings. When AI tools touch your QMS, your food safety systems, or your production records, they need to be governed with the same rigor your auditors have always expected. We know what that looks like.
SQF Code: AI governance integrated into existing QMS documentation
HACCP: AI tools touching critical control points require documented governance
FDA 21 CFR Part 11: Electronic records and audit trail requirements
Medical device: AI as a medical device (AIaMD) classification and documentation
SOC 2 AI Addendum
Trust Services Criteria
Extension of SOC 2 for organizations already certified. Covers AI-specific controls for security, availability, and confidentiality.
Organizations already SOC 2 certified face a growing expectation from enterprise customers: extend your existing controls to cover AI systems. The SOC 2 AI Addendum addresses AI-specific risks within the existing Trust Services Criteria framework — covering how AI systems are developed, deployed, monitored, and governed within your existing security and compliance posture. ClearpathAI closes this gap cleanly, without duplicating work you've already done.
CC6: Logical access controls extended to AI systems and training data
CC7: System monitoring extended to AI model performance and drift
CC9: Vendor risk management extended to AI vendors and model providers
PI1: Processing integrity for AI outputs and decision audit trails
[Cross-Framework Efficiency]

Build once. Satisfy multiple frameworks.

The frameworks overlap significantly. A well-structured AI governance program satisfies multiple requirements simultaneously — you don't need separate programs for each one.

AI tool inventory satisfies:
EU AI Act Article 49 registration
NIST AI RMF Map function
ISO 42001 Clause 6.1
SOC 2 CC9 vendor inventory
Colorado AI Act impact assessment foundation
AI Use Policy satisfies:
EU AI Act Article 9 risk management
NIST AI RMF Govern function
ISO 42001 Clause 8 operational planning
SOC 2 CC6 access controls
SQF/FDA QMS documentation requirements
Incident Response satisfies:
EU AI Act Article 12 event logging
NIST AI RMF Manage function
ISO 42001 Clause 10 nonconformity
SOC 2 CC7 incident response
FDA 21 CFR Part 11 audit trail

Know which frameworks apply to your operation.

Book a 30-minute discovery call. We'll identify your specific regulatory exposure — which frameworks apply to you, which are optional, and where your highest-risk gaps are.
