Frameworks
Industry standards and legal requirements, kept distinct
AI adoption rarely touches a single regime, and two very different things are often confused: voluntary industry standards you can be certified against, and legal requirements you must comply with. We keep them clearly separated, then connect them into one coherent path.
Industry standards & certifications
Voluntary, certifiable frameworks that prove maturity to customers and partners. You choose to adopt them, and you can be audited and certified against them.
Legal & regulatory requirements
Binding law. You must comply where it applies, certification or not. Non-compliance carries real liability, fines, and reputational risk.
Industry standards & certifications
Voluntary, certifiable standardization
ISO 9001 Quality
- What it is
- The international standard for quality management systems (QMS), built on consistency and continual improvement.
- How AI intersects
- AI changes how work is produced; quality controls must ensure validation of AI outputs isn’t quietly bypassed.
- How we help
- Embed human validation of AI outputs into your quality processes.
ISO/IEC 27001 Information security
- What it is
- The international standard for an information security management system (ISMS).
- How AI intersects
- AI tools and data flows become assets, risks, and controls your ISMS must govern.
- How we help
- Extend your ISMS to cover AI usage, data handling, and supplier risk.
ISO/IEC 42001 AI management
- What it is
- The first international standard for an AI management system (AIMS), designed specifically for organizations that build or use AI.
- How AI intersects
- It is the framework purpose-built to operationalize responsible AI across its full lifecycle.
- How we help
- Stand up an AIMS that satisfies ISO 42001 and dovetails with your EU AI Act obligations.
TISAX Automotive
- What it is
- The automotive industry’s assessment and exchange mechanism for information security.
- How AI intersects
- AI handling of sensitive or prototype data must satisfy TISAX information-security expectations.
- How we help
- Prepare AI-related practices for TISAX assessment readiness.
SOC 2 Service trust
- What it is
- An attestation of controls over security, availability, processing integrity, confidentiality, and privacy for service providers.
- How AI intersects
- AI sub-processors and features fall within the controls auditors test.
- How we help
- Map AI components to your SOC 2 control set and supporting evidence.
ISO 22301 Business continuity
- What it is
- The international standard for business continuity management.
- How AI intersects
- Dependence on AI services creates new continuity and resilience risks to plan for.
- How we help
- Account for AI dependencies in your continuity and recovery plans.
Legal & regulatory requirements
Binding law you must comply with
EU AI Act AI-specific
- What it is
- The EU’s risk-based regulation of artificial intelligence, setting obligations by risk tier: prohibited uses, high-risk systems, and transparency duties.
- How AI intersects
- It directly classifies your AI use cases and assigns concrete obligations, documentation, and human-oversight requirements.
- How we help
- Use-case classification, readiness assessment, and a remediation roadmap.
GDPR Data protection
- What it is
- The EU’s General Data Protection Regulation governing the processing of personal data.
- How AI intersects
- Training data, automated decisions, and profiling raise lawful-basis, transparency, and DPIA obligations.
- How we help
- DPIAs for AI, lawful-basis analysis, privacy-by-design, and a fractional DPO (Data Protection Officer).
NIS2 Cybersecurity
- What it is
- The EU directive raising cybersecurity and incident-reporting requirements for essential and important entities.
- How AI intersects
- AI systems become assets to secure and risks to manage under your cyber-risk regime.
- How we help
- Fold AI assets into your NIS2 risk management and governance controls.
DORA Financial resilience
- What it is
- The EU’s Digital Operational Resilience Act for the financial sector and its critical ICT providers.
- How AI intersects
- AI-driven and third-party ICT services fall under DORA’s resilience, testing, and oversight rules.
- How we help
- Bring AI and ICT third-party risk into your DORA program.
Cyber Resilience Act (CRA) Product security
- What it is
- EU rules imposing cybersecurity requirements on products with digital elements across their lifecycle.
- How AI intersects
- AI-enabled features are digital elements that must meet security-by-design and update obligations.
- How we help
- Align AI-enabled product features with CRA requirements and documentation.
HIPAA Health data · US
- What it is
- The US framework protecting health information held by covered entities and their business associates.
- How AI intersects
- AI processing of protected health information (PHI) must preserve privacy and security safeguards.
- How we help
- Keep AI workflows that touch PHI within HIPAA’s safeguards.
Which of these apply to you?
We’ll help you understand which frameworks apply and turn them into one manageable plan.