AI compliance in 2026 means producing defensible evidence against four anchoring frameworks (NIST AI RMF, ISO/IEC 42001, the EU AI Act, and the sector-specific frameworks: SOC 2, HIPAA, GDPR, PCI DSS, SR 11-7) plus emerging regional regulations (UK AISI, Singapore IMDA, Colorado AI Act, US state AI laws). One unified program produces evidence across all of them. Running three parallel compliance programs is too many; one is the goal. This hub is the canonical entry point.
The five anchoring frameworks
| Framework | Status | What it covers |
|---|---|---|
| NIST AI RMF (2023), plus the AI 600-1 Generative AI Profile (2024) | Voluntary US framework | Four functions: GOVERN, MAP, MEASURE, MANAGE |
| ISO/IEC 42001 (2023) | Certifiable; UKAS-accredited certifications live since Jan 2026 | Management system standard for AI; Annex A controls |
| EU AI Act (Regulation 2024/1689) | Binding EU law; phased enforcement 2025-2027 | Risk-tiered (prohibited / high-risk / limited / minimal) with provider + deployer obligations |
| OWASP Top 10 for Agentic Applications 2026 | Industry framework (Dec 2025) | Ten critical risks for agentic systems |
| Sector frameworks | Various | SOC 2 Type II, HIPAA, GDPR, PCI DSS, SR 11-7 (financial services), HHS guidance (healthcare) |
The frameworks are deliberately interoperable. Article 40 of the EU AI Act lets harmonised standards (likely including ISO 42001) presumptively satisfy parts of the Act. ISO 42001 references NIST AI RMF as a normative reference. A single control library can satisfy all four.
The 20-control unified library
From the Unified Compliance Crosswalk, twenty operational controls cover ~80% of cells across the major frameworks:
- Written AI Acceptable Use Policy
- Named AI Governance Committee
- AI literacy program
- AI inventory (continuous)
- AI Bill of Materials (AIBOM)
- Risk classification per system
- Inline prompt inspection
- Inline response inspection
- Tool allowlisting
- Capability-scoped tokens
- Provenance logging (every interaction)
- Agent-to-agent (A2A) message signing and inspection
- Kill switches (per system, per tool)
- AI incident response runbook
- Adversarial testing (red-team)
- Bias/fairness evaluation
- Data governance (training + operational)
- Transparency / disclosure to users
- Human oversight design
- Continuous monitoring + post-market surveillance
Each maps to specific NIST AI RMF subcategories, ISO 42001 Annex A controls, and EU AI Act articles.
The EU AI Act timeline (post-Digital Omnibus)
The May 2026 Digital Omnibus partially deferred the Act. Current operative timeline:
- Already in force (Feb 2025): Article 5 prohibitions; Article 4 AI literacy.
- Already in force (Aug 2025): GPAI obligations (one-year wind-down).
- August 2, 2026: GPAI enforcement powers + penalty regime activate.
- August 2, 2027: Annex I product-safety obligations.
- December 2, 2027 (deferred from Aug 2026): Annex III high-risk obligations.
See the EU AI Act Delayed to December 2027 piece for the full breakdown.
All AccuroAI posts on AI compliance
Cross-framework reference
- One Map to Rule Them All: A Unified Crosswalk Between NIST AI RMF, ISO 42001, and the EU AI Act — the canonical crosswalk and 20-control library.
EU AI Act
- EU AI Act Delayed to December 2027 — Digital Omnibus update.
- EU AI Act August 2026 Deadline: Ten-Week Countdown — pre-Digital-Omnibus framing, still useful for the GPAI side.
- EU AI Act Compliance Checklist: CISO Action Plan for 2026 — operational checklist.
- EU AI Act Compliance Guide for Enterprises — provider vs deployer obligations.
NIST and ISO
- (Coming: NIST AI RMF + ISO 42001 deep dives — see the unified crosswalk for the current canonical reference.)
OWASP
- OWASP Top 10 for Agentic Applications 2026, Annotated for Enterprises — the canonical reading.
Procurement and evidence
- Enterprise Agent RFP: 30 Procurement Questions — the questions auditors and procurement teams are asking.
- How to Conduct AI Risk Assessment — assessment workflow.
- Building an AI Governance Committee Charter — committee charter template.
- AI Governance Committee Roles & Responsibilities: The Operational Reference — the operating model.
Framework hubs and overviews
- Enterprise AI Governance Framework Guide — anchoring framework selection.
- AI Governance Platform Buyer's Guide 2026 — vendor-agnostic evaluation.
- AI Governance Solutions 2026 Buyer's Guide — vendor landscape.
What to do this quarter
- Pick your anchoring framework (recommend: ISO 42001 + NIST AI RMF as the dual baseline; EU AI Act layered on top for in-scope systems).
- Build the unified 20-control library. Use the crosswalk as the template.
- Inventory existing evidence cell-by-cell. Identify gaps.
- Brief your audit team on the unified evidence approach. One evidence pack serves multiple frameworks.
- Pre-position for the August 2, 2026 GPAI enforcement date.
FAQ
Which framework should I anchor my AI compliance program to? Use all the major frameworks with one unified control library. ISO 42001 + NIST AI RMF as the dual baseline; EU AI Act layered on top for any in-scope systems. See the crosswalk.
Has the EU AI Act been delayed? Partially. High-risk Annex III obligations deferred from Aug 2026 to Dec 2027 per the May 2026 Digital Omnibus. GPAI enforcement, prohibitions, and AI literacy obligations are unchanged. See the Digital Omnibus piece.
Is ISO 42001 certification required? No; certification is optional, though it is increasingly requested by procurement teams and partners. Under Article 40 of the EU AI Act, ISO 42001 can presumptively demonstrate compliance with parts of the Act.
What's the minimum compliance baseline for enterprises starting now? The 20-control library from the crosswalk. Most enterprises score 5-10 of 20 on a first audit. Target is 18-20 within 12 months.
Sources: EU AI Act on EUR-Lex · NIST AI Risk Management Framework · ISO/IEC 42001:2023 · OWASP Top 10 for Agentic Applications 2026 · Inside Global Tech — Digital Omnibus AI Act Update.