AI Compliance Implementation Guide (2026)

What does every AI compliance framework ask for?

Before diving into specific frameworks, the universal pattern: every AI compliance framework we've mapped — HIPAA, FINRA, SEC, GLBA, NAIC, FDA Part 11, CCPA, GDPR, UAE PDPL, DIFC DPL, EU AI Act, NIST AI RMF — asks the same four things in different vocabulary.

1. Explainability: can you explain in plain language why the AI made this specific decision? Not the model architecture — the actual reasoning for the specific case. Sources cited, policy clauses applied, confidence band, the alternative that wasn't chosen.

2. Replayability: can you reconstruct the inference call six months later? The input context, the retrieval bundle, the model version, the prompt fingerprint, the output, the downstream action. If the answer is no, you have a documentation gap that an auditor will find.

3. Accountability: is there a named human owner per decision class? Full automation does not mean no accountability — it means the named accountable human approved the policy that authorised the automation. Regulators care about who is responsible, not whether the system is human or AI.

4. Segregation of duties: are the lanes for full-automation, drafted-with-review, and reserved-to-human documented and enforced? Can an operator silently widen the automation envelope without sign-off? If yes, your governance posture is fragile.

Wire these four properties into the architecture — not into a policy document — and compliance becomes a runtime property rather than a paperwork exercise.

How does HIPAA apply to AI workflows handling PHI?

HIPAA applies to any AI workflow touching Protected Health Information (PHI). The scope is broad: medical records, clinical notes, claims data, patient-identifying data of any kind.

The non-negotiables in 2026:

• BAA chain coverage: model provider (Anthropic, Azure OpenAI, AWS Bedrock all offer BAAs in 2026), retrieval host, audit log host. No PHI touches a non-BAA-covered service.
• 6-year retention minimum on records touching PHI. The audit log retention follows this floor.
• Minimum necessary principle at the prompt and retrieval layers. Don't pass full PHI when partial data suffices.
• Breach notification: 60 days from discovery for incidents affecting ≥500 individuals.
• Encryption at rest and in transit. TLS 1.3 minimum, AES-256 at rest.

Our posture on healthcare engagements: PHI workflows deploy exclusively on BAA-covered infrastructure. Redaction layer enforces minimum-necessary at the prompt boundary. 100% human-clinical-review on consequential outputs for the first 90 days of Run, then threshold-based after calibration. See our healthcare money pages: Document Processing, Compliance Operations.

What do FINRA, SEC and GLBA require for AI in financial services?

Financial services in the US are governed by FINRA (broker-dealers), SEC (investment advisers + market integrity), and GLBA (consumer financial data). AI workflows touch all three.

FINRA Rule 3110 (Supervision): requires documented supervisory review of AI-generated communications. Implementation: every AI-drafted external communication routes through a supervisory queue with reviewer disposition logged.

FINRA Rule 4511 (Recordkeeping): 3-year general retention, 6-year retention for certain communications. Implementation: audit log with WORM-compatible storage and immutable hash chain.

SEC SR 11-7-aligned model risk management: not technically required for non-bank entities, but increasingly expected as the de-facto industry standard. Implementation: model card, validation evidence against labelled test set, named accountable individual, ongoing monitoring, change management.

GLBA Safeguards Rule: written information security programme, designated qualified individual, access controls. Implementation: NPI data flows through encrypted channels only; subprocessor agreements include GLBA flow-down.

See our banking money pages: Compliance Operations, Document Processing.

How does the NAIC AI Model Bulletin govern insurance AI?

The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted by most state insurance commissioners by 2026) governs insurance AI deployments.

Key requirements:

• Model governance documentation: inventory, validation, monitoring, change management.
• Fairness testing on outcomes by protected attribute (4/5 rule baseline).
• Third-party AI vendor oversight (your model provider counts).
• Adverse-action explainability for any decision affecting a policyholder.
• State-by-state filing requirements for AI use in underwriting and claims.

Our posture: insurance engagements ship with fairness testing in the eval harness from day one. Adverse-impact monitoring runs weekly. Per-state filing support during Build for the first 3 states. See Claims Triage and UW Document Processing.

How does FDA 21 CFR Part 11 apply to pharma + medical device AI?

21 CFR Part 11 governs electronic records and electronic signatures in FDA-regulated environments. AI workflows in clinical trials, manufacturing GxP, and regulated medical devices must comply.

Key requirements:

• Validation: Design Qualification (DQ), Installation Qualification (IQ), Operational Qualification (OQ), Performance Qualification (PQ).
• Audit trail: tamper-evident, signature-bound.
• System access controls + electronic signatures with cryptographic binding.
• Data integrity: ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available).

What do CCPA + CPRA require for California consumer data?

California Consumer Privacy Act (as amended by CPRA) governs California-resident personal information. Material in 2026 because the California Privacy Protection Agency (CPPA) has proposed regulations on automated decision-making.

Key requirements:

• Right to know, delete, and opt-out of sale/sharing.
• Global Privacy Control (GPC) signals must be honoured at the retrieval layer.
• Sensitive Personal Information (SPI) has stricter use limitations.
• Automated decision-making opt-out (proposed CPPA regs, expected enforcement in 2026-2027).
• Right-to-deletion response window: 45 days.

How does GDPR apply to AI workflows in the EU?

GDPR remains the global gold standard for data protection. AI workflows touching EU personal data must comply.

Key requirements specific to AI workflows in 2026:

• Article 22 (automated decision-making): right to human review of consequential automated decisions.
• Article 30 (records of processing activities): comprehensive processing record per activity.
• Schrems II Transfer Impact Assessment for EU-to-US data flows.
• Standard Contractual Clauses (SCCs) Module 2 for processor relationships.
• Breach notification: 72 hours to supervisory authority.

What does AI compliance look like under UAE PDPL, DIFC DPL and ADGM DPR?

UAE has three overlapping data protection regimes: federal PDPL (Federal Decree-Law 45 of 2021), DIFC DPL (Law No. 5 of 2020) for DIFC-registered entities, and ADGM Data Protection Regulations 2021 for ADGM-licensed entities.

Key requirements:

• UAE PDPL: lawful processing, data-subject rights (30-day response window), breach notification within 72 hours.
• DIFC DPL Article 35: mandatory disclosure for high-risk automated decisions.
• DIFC Regulation 10: DPIA required for AI processing high-risk personal data.
• ADGM DPR 2021: mandatory DPO appointment for certain processors.
• Cross-border transfer mechanisms aligned with each regime.

See our UAE-specific engagement framework at /for-dubai-companies.

What does the EU AI Act 2026 require for high-risk systems?

The EU AI Act enters substantive enforcement for high-risk AI systems in August 2026. Companies deploying AI in EU markets must comply with classification, conformity assessment, and transparency requirements.

Key categories:

• Prohibited AI: social scoring, manipulative AI, real-time biometric ID in public spaces (with exceptions).
• High-risk AI: hiring decisions, credit scoring, biometric ID, critical infrastructure, education access. Conformity assessment + CE marking required.
• Limited-risk AI: chatbots, content generation. Transparency obligations (user must know they're interacting with AI).
• Minimal-risk AI: no specific obligations beyond existing law.

Critical for AI buyers in 2026: if your workflow may be classified as high-risk, the conformity assessment process should start now. Lead times for notified body assessments are stretching to 6-9 months.

How does the NIST AI RMF unify all the regional frameworks?

The NIST AI Risk Management Framework (AI 100-1) is a voluntary framework increasingly referenced by regulators globally. It maps cleanly to most regional frameworks above.

The four functions:

• Govern: roles, policies, accountability, risk tolerance.
• Map: identify and document AI systems, their context, and impacts.
• Measure: assess AI risks and impacts using empirical methods.
• Manage: prioritise, allocate resources, and respond to risks.

Every engagement we run maps to NIST AI RMF in Discovery. The control map produced becomes the artefact your CIO, Chief AI Officer, and DPO use to defend the workflow.

How do you go from Discovery to defensible AI compliance?

How we wire compliance into the engagement, week by week:

Discovery week 1: identify applicable frameworks based on industry + data sensitivity + geography. Map each framework's requirements to specific artefacts.

Discovery week 2: produce the control map (which framework requirement maps to which architectural control). Sign-off by compliance + DPO + named accountable individual.

Build week 1-2: deploy the audit log architecture per our open audit-log spec. Retention policy aligned with the longest applicable framework.

Build week 3-8: each workflow layer (intake, context, action, review) ships with its compliance hooks: PHI redaction, consent enforcement, source curation, named-owner queue routing.

Run quarterly: attestation pack auto-generated from the audit log. Reviewed by compliance + audit. Ready for any regulator examination on demand.

Who is AI-native compliance implementation best for?

Answer in one sentence: regulated mid-market operators in healthcare, financial services, insurance, pharma and EU/UAE jurisdictions who need AI in production but cannot tolerate a compliance gap that an auditor could exploit.

Best for: healthcare, banking, insurance, pharma, legal

These five verticals carry the heaviest documentation burden and the most consequential audit exposure. An engagement that ships the audit log, the BAA-covered model stack, and the segregation-of-duties policy on week one saves 6-12 months of compliance retrofitting later.

Best for: EU and UAE jurisdictions facing 2026 enforcement

The EU AI Act enters substantive enforcement August 2026 for high-risk systems. UAE PDPL, DIFC DPL, and ADGM DPR all carry breach notification windows of 72 hours. If you operate in either jurisdiction, the compliance posture is a precondition for production, not a phase 2 concern.

Best for: workflows with named accountable owners

Regulators care about who is responsible. If you can name the decision owner per workflow class (head of claims, chief compliance officer, head of underwriting), the engagement scopes cleanly. If you cannot, expect Discovery to surface organisational ambiguity that needs resolution first.

When is AI-native compliance implementation the wrong choice?

Answer in one sentence: when the workflow is unregulated, when no audit log is required, or when leadership is not willing to commit to quarterly compliance review after Build closes.

Compliance implementation without an audit requirement

If you operate in an industry with no audit log requirement and no foreseeable regulator visit, the compliance scaffolding is over-engineered. Better fit: our general AI-native workflow guide.

Compliance implementation without leadership commitment

Compliance is a runtime property. If your CCO or CISO will not sign the policy document and accept the quarterly review cadence, the documentation we ship atrophies within 6 months and the audit log becomes paper. Decline the engagement if leadership commitment is uncertain.

Compliance implementation without a labelled test set

Defensible AI compliance requires evidence that the model meets a measured quality bar on a representative set of cases. If your team will not invest 6-8 weeks in producing 200-400 labelled cases per workflow, the engagement cannot land. This is a precondition, not a phase.

Where to start

If you're scoping a regulated AI workflow:

• Run the Compliance Readiness Assessment to score current posture.
• Download our vertical-specific compliance checklist.
• Review our security posture, DPA, and data handling policy.
• Book a Discovery call. The Build SOW will include the explicit compliance map.