AI Compliance Frameworks, Standards, and Governance for Enterprise AI

Current as of June 2026.

AI compliance reads like a single problem until you try to buy or build for it. Then it splinters into four distinct things: a methodology for managing risk, an auditable management system you can certify, a binding law with extraterritorial reach, and a thickening patchwork of US state statutes. They are not competing options you pick between. They are layers of one stack, and the published crosswalks between them let an organization satisfy several at once. The harder problem sits underneath all of them: none were designed for AI agents that take real actions through tool calls, and that is where most enterprises are now exposed.

NIST AI RMF Supplies the Methodology, Not the Mandate

The NIST AI Risk Management Framework is the reference methodology for managing AI risk, built around four functions: Govern, Map, Measure, and Manage. It is officially voluntary, but it functions as the common vocabulary US regulators and state laws point back to. The Generative AI Profile, published as NIST-AI-600-1 on July 26, 2024, adds 12 generative-AI-specific risk categories and more than 200 suggested management actions on top of the core framework.

The framework’s pull comes from being cited rather than enforced. Texas wrote substantial compliance with NIST AI RMF directly into its AI law as an affirmative defense, which means a methodology with no statutory teeth of its own becomes the thing a court looks at when assigning liability. The four functions are deliberately not a checklist. Govern is continuous and wraps the other three: it is where policy, roles, and accountability live, and it is the function most enterprises underbuild because it is the least technical and the hardest to evidence after the fact.

What NIST AI RMF does not give you is a certificate. There is no accredited body that audits you against it and issues a pass. That gap is what the next layer fills.

ISO/IEC 42001 Is the Only Standard You Can Certify Against

ISO/IEC 42001, published in December 2023, is the first certifiable AI management system standard, and certification is its entire reason for existing. It carries 38 controls across 9 control objectives, runs on a three-year certification cycle through accredited third-party bodies, and produces a Statement of Applicability as the audited artifact. In a Cloud Security Alliance benchmark, 76% of organizations said they plan to pursue ISO/IEC 42001 or a certification like it (CSA, 2025).

The distinction from NIST AI RMF is not academic. NIST tells you how to manage AI risk; ISO/IEC 42001 lets you prove you did, to an auditor and to a customer’s procurement team. The Statement of Applicability is the document that travels: it records which controls apply, which you implemented, and why you excluded the rest. A companion standard, ISO/IEC 42006:2025, governs the certification bodies themselves, which is what makes a 42001 certificate mean the same thing across vendors instead of degrading into a self-attestation.

The two frameworks are built to be used together, and most multi-jurisdictional programs cite them as a pair. NIST supplies the risk methodology; ISO supplies the management system and the external audit. There is no NIST-published crosswalk document mapping one to the other yet, which is a real gap, but the practical pairing is well established: build to NIST, certify to ISO.

The EU AI Act Is the Binding Law, and It Reaches You in the US

The EU AI Act is the binding statute in this stack, and it is extraterritorial: it reaches any organization whose AI output touches people in the EU, regardless of where the company sits. It sorts AI systems into four tiers (unacceptable, high, limited, and minimal risk) and attaches obligations to each. Penalties run up to €35 million or 7% of global annual turnover, whichever is higher, for prohibited practices (DLA Piper, 2025).

The penalty structure is tiered the same way the risk tiers are. The €35 million / 7% ceiling applies to prohibited practices. Other obligations, including the general-purpose AI (GPAI) model rules, top out at €15 million or 3% of global turnover, and supplying false information to regulators caps at €7.5 million or 1%. These are balance-sheet numbers, not line-item fines, which is why the Act moved AI governance out of the IT budget and into the audit committee.

The timeline is where you have to be careful, because it moved. Prohibited-practice and AI-literacy obligations are already in force. GPAI model obligations took effect August 2, 2025 for new models, with Commission enforcement powers activating August 2, 2026 and pre-existing models given until August 2, 2027 to comply. The high-risk obligations are the ones that shifted: under the Digital Omnibus simplification package, a provisional agreement reached May 7, 2026 defers the main standalone high-risk obligations to December 2, 2027 and product-embedded high-risk AI to August 2, 2028. Formal adoption is expected but not yet published as of this writing, so treat the high-risk dates as provisional and confirm before you plan against them.

One point that gets lost: the EU AI Act does not replace GDPR. Both apply concurrently. An AI system can be perfectly compliant with the AI Act’s risk-tier obligations and still breach GDPR on the personal data flowing through it. The two regimes stack; they do not substitute.

The US Has No Federal AI Law, So Enterprises Face a Multi-State Problem

There is no single federal AI statute in the United States, which means US enterprises face a patchwork of state laws with different triggers, different liability theories, and different effective dates. The three most-cited in 2026 are Texas, California, and Colorado, and they do not align with one another.

Texas moved first and most concretely. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) was signed June 22, 2025 and took effect January 1, 2026. It uses intent-based liability rather than the impact-based standard most other proposals reach for, carries civil penalties up to $200,000 per violation, plus $2,000 to $40,000 per day for continuing violations, and, importantly, names substantial compliance with NIST AI RMF as an affirmative defense. Enforcement is attorney-general-only, with a 60-day cure period, and the law preempts local AI ordinances.

California took a different angle with SB 53, signed September 29, 2025 and effective January 1, 2026. It targets only frontier developers: companies above $500 million in revenue training models above 10²⁶ FLOPs. Those firms must publish a safety framework, file quarterly confidential risk summaries with the state’s Office of Emergency Services, report critical safety incidents, and maintain an anonymous whistleblower channel. The catastrophic-risk threshold it is built around is severe by design: more than 50 deaths or more than $1 billion in damage from a single incident.

Colorado is the cautionary tale, and the status is the news. The original Colorado AI Act (SB 24-205) is effectively dead: a federal court stayed enforcement on April 27, 2026, and Governor Polis signed a replacement, SB 26-189, on May 14, 2026. The replacement drops the original’s risk-management-program requirement, annual impact assessments, and algorithmic-discrimination duties, swapping them for a narrower notice-and-transparency framework effective January 1, 2027. The affirmative defense for NIST AI RMF or ISO/IEC 42001 alignment that the original law offered does not carry into the replacement in the same form. If your compliance plan was built against the old Colorado law, it needs a rebuild.

The practical takeaway for a US enterprise is that there is no single rule to comply with. There is a map of overlapping state triggers, and the only durable strategy is to build to the strongest common methodology, which loops back to NIST AI RMF and ISO/IEC 42001 as the connective tissue.

GDPR, HIPAA, and PCI DSS Are Where Daily AI Risk Lands

The data-privacy and sector regimes that predate AI are where most day-to-day AI compliance risk actually shows up, because they govern the sensitive data flowing into AI tools regardless of what the AI-specific laws say. GDPR, HIPAA, CCPA/CPRA, PCI DSS, and data-residency requirements all attach to that data the moment an employee pastes it into a prompt.

This is the layer that bites first and most often. An employee dropping a customer list into a consumer chatbot is not an exotic agentic-AI threat; it is a GDPR and CCPA exposure happening through a new channel. A clinician pasting notes into an AI summarizer is a HIPAA question. A developer pushing cardholder data through a coding assistant is a PCI DSS question. None of these require a new AI law to be a violation, and they account for the bulk of real incidents because the data was already regulated and the AI tool simply became a new way for it to leave.

The compliance work here is not abstract policy. It is knowing what sensitive data exists, detecting it in real time as it moves toward an AI tool, and stopping or redacting it before it crosses a boundary that GDPR or HIPAA cares about. That is a visibility and enforcement problem, and it is the problem most enterprises are least equipped to see.

Every Framework Assumes a Human at the Keyboard, and Agents Broke That Assumption

The major frameworks were written for AI systems a person operates, and AI agents that act autonomously through Model Context Protocol (MCP) tool calls break that assumption at the foundation. Model Context Protocol is the open standard that lets an AI agent connect to external tools, APIs, and data sources and take actions through them. When an agent retrieves a record, calls an API, or writes to a system on its own, the human-in-the-loop that NIST AI RMF, ISO/IEC 42001, and the EU AI Act all quietly assume is no longer there.

This is the hinge. NIST’s Govern function assumes accountable humans making decisions. The EU AI Act’s transparency and human-oversight obligations assume a person to inform and a person to oversee. ISO/IEC 42001’s management-system controls assume processes humans run. An agent chaining tool calls across systems satisfies none of those assumptions cleanly, because the action surface moved from a screen a person reads to a tool call that fires in milliseconds. Traditional controls that govern URLs and network destinations lose visibility entirely at the point where the agent decides what to do.

There is one early exception worth naming. Singapore’s Infocomm Media Development Authority launched the Model AI Governance Framework for Agentic AI on January 22, 2026 at Davos, the first governance framework written specifically for autonomous AI agents, structured around risk bounding, human accountability, technical controls, and end-user responsibility. It is voluntary and explicitly a living document, but it is the first official acknowledgment that the existing stack does not reach agents. Everyone else is still catching up, which means the control for this gap has to come from the architecture, not the framework.

How the Compliance Stack Lines Up Across Three Dimensions

The three core frameworks differ on what they are, whether they bind you, and how far they reach into generative and agentic AI. The table below lines them up on the dimensions that decide how you might use each one.

| Framework | What it is | Mandatory? | Certification | Agentic-AI coverage |
|---|---|---|---|---|
| NIST AI RMF | Risk-management methodology (Govern, Map, Measure, Manage) | Voluntary, but cited as an affirmative defense in Texas TRAIGA | None; no accredited third-party certification exists | Minimal; GenAI Profile addresses generative risk, not autonomous tool calls |
| ISO/IEC 42001 | Auditable AI management system standard | Voluntary | Third-party certification via accredited bodies; Statement of Applicability is the artifact | Limited; management-system controls assume human-run processes |
| EU AI Act | Binding, extraterritorial law with risk tiers | Mandatory for AI touching people in the EU | Conformity assessment for high-risk systems | Limited; oversight obligations assume a human operator |

The pattern reads clearly down the agentic-AI column: every framework's coverage there is partial. That column is the gap the rest of this article is about.

You Cannot Comply With What You Cannot See

The inventory step sits underneath every framework in the stack, and it is the one most programs skip because they assume they already know what AI is running. Aurascape discovers every AI app and agent in use, including shadow AI embedded inside trusted SaaS and browser plugins, against a catalogued database of more than 20,000 AI applications with a 48-hour SLA for new connectors. Without that inventory, the Govern function of NIST AI RMF, the scope definition in an ISO/IEC 42001 Statement of Applicability, and the system register the EU AI Act expects are all built on a guess.

Discovery is where the gap between policy and reality shows up. A security team can have a written AI policy and still be blind to the personal ChatGPT accounts, the AI features switched on inside an approved SaaS tool, and the copilots employees enabled without asking. You cannot write a Statement of Applicability for tools you have not found.

Sensitive Data Controls Operationalize GDPR, HIPAA, and CCPA at the Prompt

The data-privacy regimes attach to sensitive data the moment it moves toward an AI tool, so the control has to sit at that exact moment. Aurascape performs real-time, multimodal data discovery and classification and applies Data Loss Prevention (DLP) built specifically for AI-bound data flows, inspecting prompts, responses, file uploads, and multi-turn conversations across text, code, and images before anything leaves for an external AI service.

This is what operationalizing GDPR, HIPAA, CCPA, and data-residency obligations looks like in the live path rather than on paper. Sensitive Data Fingerprinting tags regulated data so policy can distinguish a benign prompt from one carrying cardholder data or protected health information, and enforcement happens inline: allow, block, redact, or coach, before the boundary is crossed. In the Police Credit Union deployment, conversation-level guardrails blocking risky interactions in real time helped the organization reach NCUA compliance readiness and cut AI risk by 83%, against an alternative the team had seriously considered: banning generative AI outright.
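The inline decision described above (classify the prompt, pick the most severe matching action, redact or block before the boundary, and write a log entry an examiner can later check) is easier to reason about in code. The block below is an added illustration, not Aurascape's code or any real product's logic: the `fingerprint`, `classify`, `inspect_prompt` and `verify_record` functions, the sample patient identifiers, the detector patterns and the `log_key` are all constructed for this example, and the "coach" action is left out. The fingerprint set holds only hashes of known regulated identifiers, so the gate can recognise them without storing the raw values, and each audit record is HMAC-signed so tampering after the fact is detectable.

```python
"""Inline DLP gate for AI-bound prompts.

Hypothetical example (not Aurascape's code): classifies a prompt before it
leaves for an external AI service, enforces allow / redact / block per data
class, and emits an HMAC-signed, conversation-level audit record.
"""
import hashlib
import hmac
import json
import re

# --- Sensitive-data fingerprinting (constructed sample) -------------------
# The gate holds only SHA-256 fingerprints of known regulated identifiers,
# so it can recognise them without itself storing the raw values.
def fingerprint(value: str) -> str:
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()

FINGERPRINTED_IDS = {fingerprint("MRN-4471-2290"), fingerprint("MRN-9002-1187")}

# --- Detectors (constructed patterns) ---------------------------------------
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN-\d{4}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out 16-digit order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str):
    """Return (data_class, start, end) findings for regulated data in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("PAN", m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.start(), m.end()))
    for m in MRN_RE.finditer(text):
        if fingerprint(m.group()) in FINGERPRINTED_IDS:
            findings.append(("PHI_ID", m.start(), m.end()))
    return findings

# --- Policy: most severe matching action wins --------------------------------
POLICY = {"PAN": "block", "PHI_ID": "redact", "SSN": "redact"}
SEVERITY = {"allow": 0, "redact": 1, "block": 2}

def _sign(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

def inspect_prompt(conversation_id: str, turn: int, text: str, log_key: bytes):
    """Decide what happens to one turn; return (action, outbound_text, audit_record)."""
    findings = classify(text)
    action = max((POLICY[c] for c, _, _ in findings), key=SEVERITY.get, default="allow")
    outbound = text
    if action == "redact":
        # Replace from the end so earlier offsets stay valid.
        for cls, start, end in sorted(findings, key=lambda f: f[1], reverse=True):
            outbound = outbound[:start] + f"[{cls} REDACTED]" + outbound[end:]
    elif action == "block":
        outbound = None
    record = {
        "conversation_id": conversation_id,
        "turn": turn,
        "classes": sorted({c for c, _, _ in findings}),
        "action": action,
        "prompt_sha256": hashlib.sha256(text.encode()).hexdigest(),  # evidence without a second copy of the raw data
        "outbound": outbound,
    }
    record["sig"] = _sign(record, log_key)
    return action, outbound, record

def verify_record(record: dict, key: bytes) -> bool:
    """Examiner-side check that a log entry was produced by the gate and not edited since."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return hmac.compare_digest(_sign(body, key), record["sig"])
```

The audit record deliberately stores the hash of the original prompt plus the outbound (already redacted) text rather than the raw prompt, so the log does not become a second copy of the regulated data it exists to evidence; a blocked turn logs only the data classes and the decision.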

Audit Logging Is How You Prove It to an Examiner

The record-keeping and logging expectations in the EU AI Act and the Govern function of NIST AI RMF are evidence requirements, and evidence has to be producible on demand. Aurascape generates audit-ready, conversation-level logs of AI interactions, the decoded record of what was prompted, what was returned, what data was involved, and what policy decision fired. In the Police Credit Union case, that produced examiner-ready interaction logs an NCUA examiner could review directly.

This is the difference between asserting governance and demonstrating it. An ISO/IEC 42001 auditor, an EU AI Act conformity assessment, or a state attorney general invoking an affirmative-defense clause all want the same thing: a traceable record that your stated controls actually ran. Decoded interaction histories and policy-decision logs are that record. The platform does not make an organization compliant, and it does not replace legal counsel; it produces the evidence that lets compliance and legal teams demonstrate the controls were in place and enforced.

Copilot Readiness Closes the Embedded-AI Privacy Gap

Embedded AI copilots inherit every oversharing and access problem already latent in the SaaS they sit inside, which turns a permissions mess into a live data-exposure path. Aurascape addresses this in three moves: Copilot Readiness finds overshared permissions before a rollout, Copilot Oversight monitors live usage, and Copilot Unlearning removes sensitive data that has already been exposed to the AI system.

Tools like Microsoft 365 Copilot surface whatever a user can technically reach, which means a permissions structure that was tolerable when humans clicked through it becomes a compliance problem when a copilot can summarize across all of it in one prompt. Finding the oversharing before the rollout is the readiness step; monitoring usage and removing exposed data afterward is the ongoing control. All three map directly to the privacy and record-keeping obligations in GDPR, HIPAA, and the EU AI Act, applied to the specific channel copilots opened.

The Zero-Bypass MCP Gateway Is the Control the Frameworks Are Missing

The agentic gap needs a control at the tool call, because that is where the framework assumptions break and where traditional network controls go blind. Aurascape’s Zero-Bypass MCP Gateway inspects, verifies, signs, and controls every Model Context Protocol tool call, API invocation, and data retrieval before an agent reaches any external system. Secure Agentic AI wraps the rest of the lifecycle: pre-build adversarial testing, Code Path and CVE Detection, and Safe Output Governance at runtime.

This is the control layer for the risk none of the major frameworks fully reach yet. Where NIST AI RMF, ISO/IEC 42001, and the EU AI Act assume a human to oversee the action, the Gateway treats the agent as a privileged user and inspects both legs of its behavior: the agent-to-model leg and the agent-to-tool leg. Practitioners watching this space have noted that Aurascape is not trying to force legacy security models onto AI, and the Gateway is the concrete version of that: a control that fires at the tool call itself rather than at a URL or a network destination the agent already moved past.
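To make the "inspect, verify, sign, control" sequence at the tool call concrete, here is an added example of a minimal tool-call gate and a zero-bypass executor. It is not Aurascape's code or any real MCP server implementation: the `TOOL_POLICY` table, the `gateway_decide`, `verify_envelope`, `execute` and `is_refused` functions, the sample `crm.*` and `mail.send` handlers and the signing key are all constructed for illustration. The shape of the request follows an MCP `tools/call` JSON-RPC message, but the policy language is invented. The point it demonstrates is the one the text makes: the agent identity is treated as the principal, the decision is bound to the exact arguments by hash, and the executor will not run a call that does not carry a valid, fresh allow decision, so routing around the gate gets the agent nothing.

```python
"""Tool-call gate in front of an MCP tool executor.

Hypothetical example (not Aurascape's code): the gateway inspects each
tools/call request against a per-agent policy and signs its decision; the
executor refuses any call without a valid, matching allow envelope.
"""
import hashlib
import hmac
import json
import time

# Constructed policy: the agent identity is the principal being authorised.
TOOL_POLICY = {
    "support-agent": {
        "crm.read_record": {},                        # unconstrained read
        "mail.send": {"to_domain": "example.com"},    # internal recipients only
        # "crm.delete_record" is deliberately absent: destructive tools are denied
    }
}

def canonical_hash(call: dict) -> str:
    """Hash of the exact request so the signed decision binds to these arguments."""
    return hashlib.sha256(json.dumps(call, sort_keys=True).encode()).hexdigest()

def _sign(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

def gateway_decide(agent_id: str, call: dict, key: bytes) -> dict:
    """Inspect one tools/call request and return a signed decision envelope."""
    name = call.get("params", {}).get("name", "")
    args = call.get("params", {}).get("arguments", {})
    rules = TOOL_POLICY.get(agent_id, {})
    if call.get("method") != "tools/call":
        decision, reason = "deny", "not a tools/call request"
    elif name not in rules:
        decision, reason = "deny", f"tool {name} not in allowlist for {agent_id}"
    elif "to_domain" in rules[name] and not str(args.get("to", "")).endswith("@" + rules[name]["to_domain"]):
        decision, reason = "deny", "recipient outside permitted domain"
    else:
        decision, reason = "allow", "policy match"
    envelope = {
        "agent_id": agent_id,
        "tool": name,
        "call_hash": canonical_hash(call),
        "decision": decision,
        "reason": reason,
        "issued_at": time.time(),
    }
    envelope["sig"] = _sign(envelope, key)   # the envelope doubles as the audit record
    return envelope

def verify_envelope(envelope: dict, key: bytes) -> bool:
    body = {k: v for k, v in envelope.items() if k != "sig"}
    return hmac.compare_digest(_sign(body, key), envelope["sig"])

# Constructed tool handlers standing in for real MCP servers.
RECORDS = {"42": {"name": "A. Customer", "tier": "gold"}}
HANDLERS = {
    "crm.read_record": lambda record_id: RECORDS.get(record_id),
    "crm.delete_record": lambda record_id: RECORDS.pop(record_id, None),
    "mail.send": lambda to, body: f"sent to {to}",
}

def execute(call: dict, envelope: dict, key: bytes, max_age_s: float = 30.0):
    """Zero-bypass executor: runs only calls with a valid, fresh, matching allow envelope."""
    if not verify_envelope(envelope, key):
        raise PermissionError("envelope signature invalid")
    if envelope["decision"] != "allow":
        raise PermissionError(envelope["reason"])
    if envelope["call_hash"] != canonical_hash(call):
        raise PermissionError("call does not match signed decision")
    if time.time() - envelope["issued_at"] > max_age_s:
        raise PermissionError("envelope expired")
    return HANDLERS[call["params"]["name"]](**call["params"].get("arguments", {}))

def is_refused(call: dict, envelope: dict, key: bytes) -> bool:
    """Convenience check: True when the executor refuses the call."""
    try:
        execute(call, envelope, key)
        return False
    except PermissionError:
        return True
```

Binding the decision to a hash of the full request is what stops the time-of-check/time-of-use problem an agent loop otherwise invites: an allow decision obtained for one argument set cannot be reused for another, and the same envelope is the evidence record the frameworks' logging expectations ask for.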

Auri Gives Compliance Teams the Evidence Without the Console

Compliance and legal teams need access to AI activity evidence, but they do not live in a security console and should not have to learn a query language to get it. Auri, Aurascape’s natural-language agent, gives Legal and Compliance role-based access to AI activity, summaries, and audit evidence through plain-language questions, without requiring them to use the dashboard or learn query syntax.

This matters because the people who own the compliance obligation are usually not the people who run the security tooling. A GRC officer preparing for an ISO/IEC 42001 surveillance audit or an EU AI Act assessment needs to pull the relevant interaction records and policy decisions themselves, on their own timeline. Self-service, role-bound access to that evidence is what lets compliance operate the program rather than filing a ticket and waiting on the security team for every audit request.

The Stack Holds, but Only If Something Watches the Agents

Enterprise AI compliance is a stack, not a choice: NIST AI RMF gives you the methodology, ISO/IEC 42001 gives you the certifiable management system, the EU AI Act gives you the binding law, and the US state patchwork fills the space between. Built together, with NIST as the common methodology and ISO as the external proof, they cover the human-operated AI surface well. The crosswalks are real, and an organization that builds to the strongest common denominator can satisfy several layers without duplicating the work.

The stack’s one structural gap is the agent. Every framework assumes a person at the keyboard, and autonomous tool calls through Model Context Protocol removed that person from the loop faster than the frameworks could adapt. Singapore’s January 2026 agentic framework is the first to name the gap; the rest of the stack is still catching up. Until it does, the control for autonomous AI has to come from architecture that inspects the tool call directly, because a framework that assumes human oversight cannot govern an action no human sees.

Where Aurascape Sits Against the AI Security Field

Enterprises evaluating AI compliance controls tend to find vendors clustered around a few approaches: copilot oversharing, build-time agent testing, browser-level monitoring, or full-conversation inspection across both employee AI and the agents teams build. The table below compares how each addresses the live-path control problem the frameworks leave open, across AI app coverage, the agentic-AI control mechanism, and embedded-AI reach.

| Vendor | AI app coverage | Agentic-AI control | Embedded AI / copilots |
|---|---|---|---|
| Aurascape | 20,000+ catalogued AI apps and agents, 48-hour connector SLA | Zero-Bypass MCP Gateway inspects every tool call inline | Copilot Readiness, Oversight, and Unlearning |
| Knostic | Focused on Copilot and Glean surfaces | Expanding into MCP servers and IDE extensions | Need-to-know access controls for LLM oversharing |
| Lasso Security | Discovery plus AI-BOM inventory | Open-source MCP gateway, red-team attack library | Public coverage of embedded SaaS AI |
| Prompt Security | LLM-agnostic, SaaS or self-hosted | MCP-server risk assessment | Covers code assistants and homegrown apps |
| WitnessAI | Network-level visibility, intent-based ML | Agentic extension across MCP and tool calls | Network-level visibility and control for embedded AI and support for Microsoft Copilot |

The differentiator for the compliance use case is the combination: conversation-level inspection across a large app catalog plus a tool-call control that fires before the agent acts. That pairing is what lets a single platform produce evidence for the human-operated layers and enforce a control on the agentic layer the frameworks have not reached.

Frequently Asked Questions

Does an ISO/IEC 42001 certificate satisfy the EU AI Act?

No. ISO/IEC 42001 is a voluntary management-system certification, and the EU AI Act is a binding law with its own conformity-assessment requirements for high-risk systems. A 42001 certificate strengthens your governance evidence and can streamline parts of an AI Act assessment, but it does not substitute for the Act’s specific obligations.

Which framework should an enterprise start with?

Most start with NIST AI RMF because it is the common methodology the other instruments reference, then certify to ISO/IEC 42001 to prove it externally. Texas TRAIGA names substantial NIST AI RMF compliance as an affirmative defense, which makes the methodology a practical legal anchor even though it is voluntary.

Is the EU AI Act’s high-risk deadline still August 2, 2026?

Not as currently agreed. A Digital Omnibus provisional agreement reached May 7, 2026 defers the main standalone high-risk obligations to December 2, 2027 and product-embedded high-risk AI to August 2, 2028. Formal adoption is pending as of June 2026, so confirm the status before planning against either date.

Does the EU AI Act apply to a US company with no EU office?

Yes, if your AI system’s output is used by or affects people in the EU. The Act is extraterritorial, so physical presence in the EU is not the trigger; the reach of your AI output is.

What happened to the Colorado AI Act?

The original Colorado AI Act (SB 24-205) was effectively replaced. A federal court stayed enforcement on April 27, 2026, and Governor Polis signed a narrower replacement, SB 26-189, on May 14, 2026, effective January 1, 2027, dropping the original risk-management and impact-assessment duties.

Why do AI agents create a compliance gap the frameworks do not cover?

The major frameworks assume a human operates and oversees the AI system, and agents acting through Model Context Protocol tool calls remove that human from the decision loop. Oversight, transparency, and accountability obligations written for human-operated systems do not map cleanly onto autonomous tool calls that fire without a person reviewing them.

Do GDPR and the EU AI Act both apply to the same AI system?

Yes, concurrently. The EU AI Act governs the AI system’s risk tier and obligations; GDPR governs the personal data flowing through it. A system can meet the AI Act’s requirements and still breach GDPR on its data handling, so both regimes have to be satisfied independently.

Can a security platform make my organization compliant?

No. A platform like Aurascape operationalizes and evidences compliance: it discovers AI use, enforces data controls, and produces audit-ready records. Compliance itself is a legal and organizational determination that requires counsel and formal assessment; tooling supports and demonstrates it but does not replace either.

Where does sensitive-data risk actually concentrate in AI use?

In the pre-existing data regimes (GDPR, HIPAA, CCPA, and PCI DSS), because regulated data becomes exposed the moment it moves into an AI tool. Most real incidents are not exotic agentic attacks; they are regulated data leaving through a new channel, which is why real-time detection at the prompt matters more than any single AI-specific statute.

How Aurascape Operationalizes the Compliance Stack Across Every AI Interaction

The frameworks in this article assume you can see, govern, and evidence AI use, and the one control they all leave open is the autonomous agent acting through Model Context Protocol tool calls. Aurascape is the AI-native platform built for exactly that span: it discovers every AI app and agent including shadow and embedded AI, classifies and controls sensitive data inline before it reaches an external tool, and produces the conversation-level audit records that NIST AI RMF’s Govern function and the EU AI Act’s logging expectations call for.

For the agentic gap specifically, the Zero-Bypass MCP Gateway inspects, verifies, and signs every tool call before it executes, and Secure Agentic AI adds adversarial testing and runtime guardrails across the agent lifecycle. The platform sits alongside an existing SSE, SASE, or DLP stack rather than replacing it, and Auri gives compliance teams self-service, natural-language access to the evidence. Aurascape does not make an organization compliant or replace legal counsel; it operationalizes the controls and produces the proof that compliance and legal teams use to demonstrate the program is real.

Aurascape is the AI-native control layer for the one place the compliance stack still goes blind: autonomous agents acting through tool calls your existing controls never see. Every deployment runs through a tailored demo with your security team.
