AI Regulation Selector
Select the regulatory framework to apply to client programs. Only one framework may be active at a time. Non-selected frameworks are lowlighted.
# EU AI Law - Regulatory Framework
Overview
Regulation (EU) 2024/1689 - the EU Artificial Intelligence Act - entered into force on 1 August 2024 and applies progressively through 2027. It establishes a risk-based framework classifying AI systems into four tiers: Unacceptable Risk (banned), High Risk (mandatory conformity), Limited Risk (transparency obligations), and Minimal Risk (voluntary codes).
Overlay regulations relevant to the Axis Platform:
- DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) - ICT risk management for financial entities
- ISO/IEC 42001:2023 - AI Management System standard
- SOC 2 Type II - service organisation controls
- GDPR (Regulation (EU) 2016/679) - personal data processing requirements
Risk Classification
Unacceptable Risk (Article 5 - Prohibited)
Systems that are prohibited outright:
- Subliminal manipulation causing harm
- Exploitation of vulnerabilities of specific groups
- Real-time biometric identification in public spaces (limited law-enforcement exceptions apply)
- Social scoring by public authorities
- Predictive policing based solely on profiling
- Emotion recognition in workplace/education (limited exceptions)
- Biometric categorisation inferring sensitive attributes
Axis Audit Obligation: Confirm no deployed AI system falls within Article 5. Evidence must be captured per migration step.
High Risk (Annex III - Conformity Required)
| Category | Examples |
|---|---|
| Biometric identification | Remote biometric ID, emotion recognition |
| Critical infrastructure | AI in energy, water, transport networks |
| Education | Admission, assessment, monitoring tools |
| Employment | Recruitment, HR management, performance evaluation |
| Essential services | Credit scoring, insurance risk, benefits eligibility |
| Law enforcement | Risk assessment, evidence evaluation, polygraph |
| Migration and border | Risk assessment, document verification |
| Administration of justice | Fact-finding, legal interpretation support |
Conformity obligations for High-Risk AI (Articles 9-15):
- Risk management system (Art. 9)
- Data and data governance (Art. 10)
- Technical documentation (Art. 11)
- Record-keeping and logging (Art. 12)
- Transparency to deployers (Art. 13)
- Human oversight measures (Art. 14)
- Accuracy, robustness, cybersecurity (Art. 15)
Limited Risk
- Chatbots: must disclose AI nature to users
- Deep fakes: must label synthetic content
- Emotion recognition outputs: must disclose to affected persons
Minimal Risk
No mandatory obligations. Voluntary adherence to codes of practice recommended.
GPAI Models (General Purpose AI - Articles 51-56)
- Systemic risk threshold: 10^25 FLOPs training compute triggers enhanced obligations
- Documentation and copyright compliance (Article 53)
- Systemic risk providers: red-team testing, incident reporting to AI Office, cybersecurity measures (Article 55)
Axis Audit Obligation: Catalogue any GPAI model API usage. Verify provider compliance status.
Governance Structure
| Body | Role |
|---|---|
| European AI Office | Primary enforcer for GPAI; co-ordination for high-risk AI |
| National Competent Authorities | Member-state enforcement of provider/deployer obligations |
| AI Board | Advisory; co-ordinates NCAs |
| Scientific Panel | Technical advice on GPAI systemic risk |
Application Timeline
| Date | Event |
|---|---|
| 1 Aug 2024 | Regulation in force |
| 2 Feb 2025 | Chapter I and II apply (definitions, prohibited practices) |
| 2 Aug 2025 | GPAI obligations and governance apply |
| 2 Aug 2026 | High-risk AI (Annex III) obligations apply; penalties apply |
| 2 Aug 2027 | Annex I embedded systems obligations apply |
Penalties
| Violation | Maximum Fine |
|---|---|
| Prohibited practice (Article 5) | EUR 35M or 7% global annual turnover |
| Other obligations | EUR 15M or 3% global annual turnover |
| Misleading information to authorities | EUR 7.5M or 1% global annual turnover |
DORA Overlay (Financial Entities - Regulation (EU) 2022/2554)
- ICT risk management framework (Articles 5-16)
- ICT-related incident classification and reporting (Articles 17-23)
- Digital operational resilience testing (Articles 24-27)
- ICT third-party risk management (Articles 28-44)
Axis Audit Obligation: For financial-sector clients, cross-reference AI system risk posture against DORA ICT risk registers.
ISO/IEC 42001:2023 Overlay
- Clause 6.1 - Risk and opportunity assessment for AI systems
- Clause 8.4 - AI system impact assessment
- Clause 9.1 - Monitoring, measurement, and evaluation
- Clause 10 - Continual improvement
GDPR Overlay
For AI systems processing personal data:
- Article 22 - Automated individual decision-making (right to explanation)
- Article 25 - Data protection by design and default
- Article 35 - DPIA required for high-risk AI processing personal data
- Article 37 - Data Protection Officer designation
Axis Audit Obligation: Flag any AI system subject to Article 22 for human oversight review.
# US AI Law - Regulatory Framework
Overview
The United States AI regulatory landscape is multi-layered: federal agency enforcement, executive orders, emerging state statutes, and sector-specific standards. Unlike the EU AI Act, the US has no single omnibus AI law. Compliance requires mapping AI use cases against applicable federal agencies, sector regulations, and active state laws.
Key instruments:
- Executive Order 14110 (Oct 2023) and EO 14179 (Jan 2025) - federal AI safety and leadership direction
- NIST AI Risk Management Framework (AI RMF 1.0) - voluntary framework for AI risk governance
- Sector regulations: HIPAA, FDA, SEC, FTC, FFIEC, FCRA, ECOA
Federal AI Governance
NIST AI Risk Management Framework (AI RMF 1.0)
Voluntary but widely adopted as a compliance baseline. Four core functions:
| Function | Description |
|---|---|
| GOVERN | Policies, accountability, culture for AI risk management |
| MAP | Contextualise AI risks in deployment environment |
| MEASURE | Analyse and assess AI risks |
| MANAGE | Prioritise, respond to, and monitor AI risks |
Axis Audit Obligation: Map client AI systems to AI RMF core functions. Document GOVERN policies as evidence.
Sector-Specific Regulations
Healthcare - HIPAA and FDA
HIPAA (45 CFR Parts 160 and 164):
- AI systems processing Protected Health Information (PHI) must comply with the Security Rule
- Risk analysis required (45 CFR 164.308(a)(1))
- Business Associate Agreements (BAA) required for AI vendors with PHI access
FDA AI/ML-Based Software as a Medical Device (SaMD):
- AI systems meeting SaMD definition require 510(k) clearance or PMA
- FDA Predetermined Change Control Plan (PCCP) framework for adaptive AI
- Post-market surveillance obligations
Axis Audit Obligation: For healthcare clients, verify HIPAA BAAs are in place for AI vendors. Flag any AI system that may qualify as SaMD.
Financial Services - SEC, FFIEC, FCRA, ECOA
SEC (Reg S-P, Reg S-ID):
- AI systems in investment advice subject to Investment Advisers Act fiduciary duty
- Cybersecurity Incident Disclosure Rule (2023): material AI-related incidents reportable
FFIEC IT Examination Handbook:
- AI systems in banking subject to model risk management (SR 11-7 guidance)
- Third-party risk management for AI vendors
FCRA (15 U.S.C. 1681):
- AI-generated consumer reports must comply with adverse action notice requirements
- Accuracy and dispute resolution obligations apply to AI output used in credit decisions
ECOA / Regulation B (12 CFR Part 1002):
- AI systems in credit decisions must provide specific reasons for adverse actions
- Disparate impact analysis required for protected classes
Axis Audit Obligation: For financial clients, confirm model risk management policies cover AI systems.
Employment - EEOC and State Laws
EEOC Technical Assistance (May 2023):
- AI hiring tools subject to Title VII disparate impact analysis
- Employers remain liable for AI vendor discrimination
Illinois AI Video Interview Act (820 ILCS 42):
- Written notice and consent required before AI analysis of video interviews
New York City Local Law 144 (2023):
- Automated employment decision tools require annual bias audit by independent auditor
- Public disclosure of audit summary required
Axis Audit Obligation: Flag AI systems used in hiring or HR decisions. Verify bias audit documentation for NYC-covered entities.
State AI Laws
| State | Law | Key Requirement |
|---|---|---|
| Colorado | SB 205 (2024) | High-risk AI deployers: risk management, impact assessments, consumer disclosures |
| California | CPRA | Consumer rights over automated decisions; DPIA-equivalent for profiling |
| Illinois | BIPA (740 ILCS 14) | Biometric data collection requires written consent |
| Virginia | VCDPA | Consumer rights re profiling for consequential decisions |
Axis Audit Obligation: For each client, determine applicable state AI laws based on operational geography and data subject location.
FTC Enforcement
The FTC Act (15 U.S.C. 45) prohibits unfair or deceptive practices. FTC enforcement priorities for AI:
- Deceptive AI endorsements and fake reviews (16 CFR Part 465)
- Algorithmic collusion
- Discriminatory outcomes from AI models
- AI-generated impersonation (FTC Impersonation Rule 2024)
NIST AI RMF Trustworthy AI Characteristics
- Accountable and Transparent - explainability, documentation, audit trails
- Explainable and Interpretable - outputs understandable to users
- Fair with Managed Bias - equitable across groups; bias testing documented
- Privacy-Enhanced - data minimisation, consent, PIA
- Reliable and Accurate - tested against intended use; performance monitored
- Safe - harm prevention; human oversight for high-stakes decisions
- Secure and Resilient - adversarial robustness; incident response
Axis Audit Obligation: Document evidence for each characteristic per AI system in scope.
Penalties and Enforcement
| Authority | Maximum Penalty |
|---|---|
| FTC civil penalty | USD 51,744 per violation per day |
| HIPAA (HHS OCR) | USD 100 to USD 1.9M per violation category per year |
| EEOC enforcement | Back pay, compensatory damages, injunctive relief |
| Colorado AI Act | Up to USD 20,000 per violation |
# EU AI Law - Regulatory Framework
Overview
Regulation (EU) 2024/1689 - the EU Artificial Intelligence Act - entered into force on 1 August 2024 and applies progressively through 2027. It establishes a risk-based framework classifying AI systems into four tiers: Unacceptable Risk (banned), High Risk (mandatory conformity), Limited Risk (transparency obligations), and Minimal Risk (voluntary codes).
Overlay regulations relevant to the Axis Platform:
- DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) - ICT risk management for financial entities
- ISO/IEC 42001:2023 - AI Management System standard
- SOC 2 Type II - service organisation controls
- GDPR (Regulation (EU) 2016/679) - personal data processing requirements
Risk Classification
Unacceptable Risk (Article 5 - Prohibited)
Systems that are prohibited outright:
- Subliminal manipulation causing harm
- Exploitation of vulnerabilities of specific groups
- Real-time biometric identification in public spaces (limited law-enforcement exceptions apply)
- Social scoring by public authorities
- Predictive policing based solely on profiling
- Emotion recognition in workplace/education (limited exceptions)
- Biometric categorisation inferring sensitive attributes
Axis Audit Obligation: Confirm no deployed AI system falls within Article 5. Evidence must be captured per migration step.
High Risk (Annex III - Conformity Required)
| Category | Examples |
|---|---|
| Biometric identification | Remote biometric ID, emotion recognition |
| Critical infrastructure | AI in energy, water, transport networks |
| Education | Admission, assessment, monitoring tools |
| Employment | Recruitment, HR management, performance evaluation |
| Essential services | Credit scoring, insurance risk, benefits eligibility |
| Law enforcement | Risk assessment, evidence evaluation, polygraph |
| Migration and border | Risk assessment, document verification |
| Administration of justice | Fact-finding, legal interpretation support |
Conformity obligations for High-Risk AI (Articles 9-15):
- Risk management system (Art. 9)
- Data and data governance (Art. 10)
- Technical documentation (Art. 11)
- Record-keeping and logging (Art. 12)
- Transparency to deployers (Art. 13)
- Human oversight measures (Art. 14)
- Accuracy, robustness, cybersecurity (Art. 15)
Limited Risk
- Chatbots: must disclose AI nature to users
- Deep fakes: must label synthetic content
- Emotion recognition outputs: must disclose to affected persons
Minimal Risk
No mandatory obligations. Voluntary adherence to codes of practice recommended.
GPAI Models (General Purpose AI - Articles 51-56)
- Systemic risk threshold: 10^25 FLOPs training compute triggers enhanced obligations
- Documentation and copyright compliance (Article 53)
- Systemic risk providers: red-team testing, incident reporting to AI Office, cybersecurity measures (Article 55)
Axis Audit Obligation: Catalogue any GPAI model API usage. Verify provider compliance status.
Governance Structure
| Body | Role |
|---|---|
| European AI Office | Primary enforcer for GPAI; co-ordination for high-risk AI |
| National Competent Authorities | Member-state enforcement of provider/deployer obligations |
| AI Board | Advisory; co-ordinates NCAs |
| Scientific Panel | Technical advice on GPAI systemic risk |
Application Timeline
| Date | Event |
|---|---|
| 1 Aug 2024 | Regulation in force |
| 2 Feb 2025 | Chapter I and II apply (definitions, prohibited practices) |
| 2 Aug 2025 | GPAI obligations and governance apply |
| 2 Aug 2026 | High-risk AI (Annex III) obligations apply; penalties apply |
| 2 Aug 2027 | Annex I embedded systems obligations apply |
Penalties
| Violation | Maximum Fine |
|---|---|
| Prohibited practice (Article 5) | EUR 35M or 7% global annual turnover |
| Other obligations | EUR 15M or 3% global annual turnover |
| Misleading information to authorities | EUR 7.5M or 1% global annual turnover |
DORA Overlay (Financial Entities - Regulation (EU) 2022/2554)
- ICT risk management framework (Articles 5-16)
- ICT-related incident classification and reporting (Articles 17-23)
- Digital operational resilience testing (Articles 24-27)
- ICT third-party risk management (Articles 28-44)
Axis Audit Obligation: For financial-sector clients, cross-reference AI system risk posture against DORA ICT risk registers.
ISO/IEC 42001:2023 Overlay
- Clause 6.1 - Risk and opportunity assessment for AI systems
- Clause 8.4 - AI system impact assessment
- Clause 9.1 - Monitoring, measurement, and evaluation
- Clause 10 - Continual improvement
GDPR Overlay
For AI systems processing personal data:
- Article 22 - Automated individual decision-making (right to explanation)
- Article 25 - Data protection by design and default
- Article 35 - DPIA required for high-risk AI processing personal data
- Article 37 - Data Protection Officer designation
Axis Audit Obligation: Flag any AI system subject to Article 22 for human oversight review.
# US AI Law - Regulatory Framework
Overview
The United States AI regulatory landscape is multi-layered: federal agency enforcement, executive orders, emerging state statutes, and sector-specific standards. Unlike the EU AI Act, the US has no single omnibus AI law. Compliance requires mapping AI use cases against applicable federal agencies, sector regulations, and active state laws.
Key instruments:
- Executive Order 14110 (Oct 2023) and EO 14179 (Jan 2025) - federal AI safety and leadership direction
- NIST AI Risk Management Framework (AI RMF 1.0) - voluntary framework for AI risk governance
- Sector regulations: HIPAA, FDA, SEC, FTC, FFIEC, FCRA, ECOA
Federal AI Governance
NIST AI Risk Management Framework (AI RMF 1.0)
Voluntary but widely adopted as a compliance baseline. Four core functions:
| Function | Description |
|---|---|
| GOVERN | Policies, accountability, culture for AI risk management |
| MAP | Contextualise AI risks in deployment environment |
| MEASURE | Analyse and assess AI risks |
| MANAGE | Prioritise, respond to, and monitor AI risks |
Axis Audit Obligation: Map client AI systems to AI RMF core functions. Document GOVERN policies as evidence.
Sector-Specific Regulations
Healthcare - HIPAA and FDA
HIPAA (45 CFR Parts 160 and 164):
- AI systems processing Protected Health Information (PHI) must comply with the Security Rule
- Risk analysis required (45 CFR 164.308(a)(1))
- Business Associate Agreements (BAA) required for AI vendors with PHI access
FDA AI/ML-Based Software as a Medical Device (SaMD):
- AI systems meeting SaMD definition require 510(k) clearance or PMA
- FDA Predetermined Change Control Plan (PCCP) framework for adaptive AI
- Post-market surveillance obligations
Axis Audit Obligation: For healthcare clients, verify HIPAA BAAs are in place for AI vendors. Flag any AI system that may qualify as SaMD.
Financial Services - SEC, FFIEC, FCRA, ECOA
SEC (Reg S-P, Reg S-ID):
- AI systems in investment advice subject to Investment Advisers Act fiduciary duty
- Cybersecurity Incident Disclosure Rule (2023): material AI-related incidents reportable
FFIEC IT Examination Handbook:
- AI systems in banking subject to model risk management (SR 11-7 guidance)
- Third-party risk management for AI vendors
FCRA (15 U.S.C. 1681):
- AI-generated consumer reports must comply with adverse action notice requirements
- Accuracy and dispute resolution obligations apply to AI output used in credit decisions
ECOA / Regulation B (12 CFR Part 1002):
- AI systems in credit decisions must provide specific reasons for adverse actions
- Disparate impact analysis required for protected classes
Axis Audit Obligation: For financial clients, confirm model risk management policies cover AI systems.
Employment - EEOC and State Laws
EEOC Technical Assistance (May 2023):
- AI hiring tools subject to Title VII disparate impact analysis
- Employers remain liable for AI vendor discrimination
Illinois AI Video Interview Act (820 ILCS 42):
- Written notice and consent required before AI analysis of video interviews
New York City Local Law 144 (2023):
- Automated employment decision tools require annual bias audit by independent auditor
- Public disclosure of audit summary required
Axis Audit Obligation: Flag AI systems used in hiring or HR decisions. Verify bias audit documentation for NYC-covered entities.
State AI Laws
| State | Law | Key Requirement |
|---|---|---|
| Colorado | SB 205 (2024) | High-risk AI deployers: risk management, impact assessments, consumer disclosures |
| California | CPRA | Consumer rights over automated decisions; DPIA-equivalent for profiling |
| Illinois | BIPA (740 ILCS 14) | Biometric data collection requires written consent |
| Virginia | VCDPA | Consumer rights re profiling for consequential decisions |
Axis Audit Obligation: For each client, determine applicable state AI laws based on operational geography and data subject location.
FTC Enforcement
The FTC Act (15 U.S.C. 45) prohibits unfair or deceptive practices. FTC enforcement priorities for AI:
- Deceptive AI endorsements and fake reviews (16 CFR Part 465)
- Algorithmic collusion
- Discriminatory outcomes from AI models
- AI-generated impersonation (FTC Impersonation Rule 2024)
NIST AI RMF Trustworthy AI Characteristics
- Accountable and Transparent - explainability, documentation, audit trails
- Explainable and Interpretable - outputs understandable to users
- Fair with Managed Bias - equitable across groups; bias testing documented
- Privacy-Enhanced - data minimisation, consent, PIA
- Reliable and Accurate - tested against intended use; performance monitored
- Safe - harm prevention; human oversight for high-stakes decisions
- Secure and Resilient - adversarial robustness; incident response
Axis Audit Obligation: Document evidence for each characteristic per AI system in scope.
Penalties and Enforcement
| Authority | Maximum Penalty |
|---|---|
| FTC civil penalty | USD 51,744 per violation per day |
| HIPAA (HHS OCR) | USD 100 to USD 1.9M per violation category per year |
| EEOC enforcement | Back pay, compensatory damages, injunctive relief |
| Colorado AI Act | Up to USD 20,000 per violation |
# Methodology - AI Regulatory Crosswalk and Audit Status
Overview
This document defines the Axis Platform audit methodology for applying AI regulatory frameworks to client programmes. It provides the crosswalk between EU AI Act obligations and US regulatory requirements, enabling a unified compliance posture for clients operating in both jurisdictions.
Active Framework Options:
- EU_AI_LAW — Apply EU AI Act (Regulation (EU) 2024/1689) + DORA + ISO/IEC 42001 + GDPR overlays
- US_AI_LAW — Apply US federal and state AI regulations + NIST AI RMF
- EU_US_AI_LAW — Apply both jurisdictions simultaneously with this crosswalk methodology
Crosswalk: EU AI Act vs US Requirements
| EU AI Act Obligation | Article | US Equivalent | Authority |
|---|---|---|---|
| Risk management system | Art. 9 | NIST AI RMF MAP + MANAGE | NIST |
| Data governance | Art. 10 | HIPAA Security Rule / FCRA accuracy | HHS / FTC |
| Technical documentation | Art. 11 | SR 11-7 Model Documentation | Federal Reserve / OCC |
| Logging and record-keeping | Art. 12 | SEC Books and Records (17 CFR 240.17a-4) | SEC |
| Transparency to deployers | Art. 13 | FTC transparency guidance | FTC |
| Human oversight | Art. 14 | NIST AI RMF GOVERN + FDA SaMD oversight | NIST / FDA |
| Accuracy and robustness | Art. 15 | NIST AI RMF MEASURE | NIST |
| Prohibited practices | Art. 5 | FTC deception / EEOC disparate impact | FTC / EEOC |
| GPAI documentation | Art. 53 | No direct equivalent; NIST guidance applies | NIST |
Audit Phase Methodology
Phase 1 — AI System Inventory
Objective: Catalogue all AI systems within client scope.
Steps:
- Identify all software systems that meet the EU AI Act definition of an AI system (Art. 3(1)): machine-based systems that infer from inputs to generate outputs such as predictions, recommendations, decisions, or content
- Classify each system by risk tier (Unacceptable / High / Limited / Minimal under EU AI Act; Consequential / Non-consequential under US state laws)
- Record system purpose, deployer, provider, and data flows
- Identify GPAI model dependencies (APIs, embedded models)
Evidence required:
- AI system register (record type: migration.step.completed)
- Data flow diagrams showing personal data processing
- Provider contracts and API usage documentation
Phase 2 — Risk Assessment
Objective: Assess risk profile of each AI system against applicable frameworks.
Steps:
- Apply EU AI Act Annex III checklist for High-Risk classification
- Apply NIST AI RMF MAP function: context establishment, risk identification
- Conduct DPIA for any AI system processing personal data at scale (GDPR Art. 35)
- Assess NIST RMF trustworthy AI characteristics (Accountable, Explainable, Fair, Privacy-Enhanced, Reliable, Safe, Secure)
- Identify applicable US sector regulations based on client industry and geography
Evidence required:
- Completed risk assessment per AI system (record type: migration.step.completed)
- DPIA reports for in-scope systems
- Sector regulation mapping matrix
Phase 3 — Conformity Assessment (High-Risk AI)
Objective: Verify EU AI Act Articles 9-15 obligations are met for High-Risk systems.
Steps:
- Art. 9 — Verify documented risk management system with iterative review process
- Art. 10 — Audit training/validation/test data governance practices; check bias examination
- Art. 11 — Review technical documentation against Annex IV requirements
- Art. 12 — Confirm automatic logging capability; verify log retention and access controls
- Art. 13 — Review instructions for use provided to deployers
- Art. 14 — Assess human oversight mechanisms; verify override capability
- Art. 15 — Review accuracy metrics; test adversarial robustness
Evidence required:
- Conformity assessment report per High-Risk AI system
- Technical documentation package (Annex IV)
- Log retention policy and sample logs
Phase 4 — US Compliance Verification
Objective: Verify applicable US regulatory requirements are met.
Steps:
- NIST AI RMF: confirm GOVERN policies are documented; MAP and MEASURE outputs are recorded
- HIPAA (healthcare): verify BAAs with AI vendors; confirm Security Rule controls
- Financial (SR 11-7): review model risk management policy; confirm validation documentation
- Employment AI (NYC LL144 / EEOC): verify bias audit is current; confirm adverse action capability
- FTC: review customer-facing AI disclosures; confirm no deceptive claims
- State AI laws: confirm compliance with Colorado SB 205 / Illinois BIPA / Virginia VCDPA as applicable
Evidence required:
- NIST RMF implementation evidence per function
- Vendor BAA inventory (healthcare)
- Model validation reports (financial)
- Bias audit reports (employment AI)
Phase 5 — Evidence Packaging and Sign-Off
Objective: Package all evidence for regulatory submission or internal audit record.
Steps:
- Compile evidence records from evidence substrate (all record types)
- Apply XAdES-LTA signatures to evidence package via binder-signing service
- Generate PDF/A-3 compliance binder
- Conduct final OSCAL compliance posture check via catalog-mapping service
- Obtain senior sign-off (record type: migration.approval.granted)
- Archive source systems (record type: migration.step.completed)
Evidence required:
- Signed compliance binder (PDF/A-3 with XAdES-LTA)
- OSCAL System Security Plan (SSP) output
- Approval record with approver identity and timestamp
Evidence Integrity Standards
All evidence captured by the Axis Platform must meet:
- WORM immutability: Evidence records are write-once; no modification after capture
- RFC 3161 timestamps: All records timestamped by trusted timestamp authority
- Merkle anchoring: Record hashes anchored to Merkle tree for chain-of-custody
- XAdES-LTA signatures: Long-term archival signatures on compliance binders
- Tenant isolation: Evidence records scoped to tenant; cross-tenant access prohibited
Regulatory Update Schedule
| Framework | Update Frequency | Next Scheduled Review |
|---|---|---|
| EU AI Act obligations | Quarterly | 2026-10-01 |
| US federal guidance | Bi-annual | 2026-12-01 |
| State AI laws | Quarterly | 2026-10-01 |
| NIST AI RMF updates | Annual | 2027-01-01 |
| ISO/IEC 42001 | Annual | 2027-01-01 |
Status
| Item | Status | Last Updated |
|---|---|---|
| EU AI Act crosswalk | Current | 2026-07-01 |
| US federal regulation mapping | Current | 2026-07-01 |
| State law tracker | Current | 2026-07-09 |
| NIST AI RMF alignment | Current | 2026-06-15 |
| DORA overlay | Current | 2026-06-15 |