Regulatory Intelligence — 2026

2026 AI Compliance
Checklist.

40 controls every regulated organization must verify before deploying or operating AI systems in 2026. Mapped to NIST AI RMF, EU AI Act, HIPAA 2026, and FTC requirements.

40
Verification controls across 4 frameworks
4
Regulatory frameworks mapped
4
Industry verticals covered
NIST AI RMF 1.0 EU AI Act 2026 HIPAA 2026 FTC / CFPB ABA Ethics 512 OMB M-26-04
NIST AI RMF — Function 1 of 4
Govern
Establish the organizational policies, roles, and accountability structures required to manage AI risk across the enterprise. Every organization deploying AI must complete these controls before any system goes live.
Priority Critical — immediate legal exposure Important — complete within 90 days Standard — ongoing governance
AI governance policy documented and board-approved
A written AI governance policy covering acceptable use, prohibited applications, human oversight requirements, and incident response must be approved at the board or executive level before any AI system operates in production.
NIST GV-1EU Art.9
Designated AI Risk Owner assigned at senior level
A named individual — Chief Compliance Officer, General Counsel, or equivalent — must hold formal accountability for AI risk management. This role must be documented in the governance policy.
NIST GV-2EU Art.26
AI Acceptable Use Policy distributed to all staff
Every employee must receive a written policy defining which AI tools are approved, what data may be entered into AI systems, and what outputs require human review before use or distribution.
NIST GV-3HIPAA
AI Vendor Due Diligence process established
A repeatable evaluation process for any new AI tool must be in place before staff begin using it. Minimum requirements: security questionnaire, data handling review, BAA execution for healthcare organizations, and compliance sign-off.
NIST GV-4FTC
AI Incident Response procedure documented and tested
A written procedure covering what to do when an AI system produces harmful output, leaks data, or is compromised. Must include escalation paths, regulatory notification timelines, and communication templates.
NIST GV-5HIPAA
Quarterly AI governance review scheduled
A recurring review process — minimum quarterly — to assess new AI tools, reassess risk ratings, update the AI inventory, and confirm compliance status against applicable regulatory requirements.
NIST GV-6
NIST AI RMF — Function 2 of 4
Map
Identify and document every AI system in operation, its context of use, the data it accesses, and the decisions it influences.
Complete AI system inventory maintained and current
Every AI tool in use across the organization — approved and shadow AI — must be documented with: tool name, vendor, data categories accessed, department, user count, and compliance status.
NIST MP-1EU Art.11
Shadow AI discovery scan completed
A systematic review of software spend, network traffic, and department-level tool usage to identify AI tools in use that have not been formally approved by IT or compliance. Must be repeated quarterly.
NIST MP-2HIPAA
Data flow mapping completed for each AI system
For every AI system in the inventory, document exactly what data enters the system, where it is processed, whether it leaves the organization's environment, and what data protections apply.
NIST MP-3EU Art.13
Human oversight requirements defined per system
For each AI system, document: which decisions require human review before action, who is responsible for that review, what escalation paths exist, and how overrides are logged.
NIST MP-4EU Art.14
NIST AI RMF — Function 3 of 4
Measure
Assess, analyze, and monitor AI risks against defined metrics and thresholds. Organizations must be able to demonstrate ongoing measurement, not just point-in-time assessment.
OWASP LLM Top 10 assessment completed for deployed agents
Every AI agent in production must be tested against the OWASP LLM Top 10 vulnerability framework. Minimum coverage: prompt injection, data leakage, insecure output handling, excessive agency, and model denial of service.
NIST MS-1EU Art.9
AI system performance and accuracy metrics documented
For each AI system making decisions that affect people — clinical recommendations, credit decisions, legal research — document baseline accuracy metrics, error rates, and the conditions under which performance degrades.
NIST MS-2FTC
Bias and fairness assessment completed for decision systems
Any AI system making automated decisions affecting individuals — lending, hiring, clinical triage, insurance — must undergo documented bias testing across protected categories before deployment and annually thereafter.
NIST MS-3CFPB
Audit logging active for all AI system actions
Every action taken by an AI agent — queries submitted, data accessed, outputs produced, decisions influenced — must be logged with timestamp, user context, and system identifier. Logs must be retained per applicable regulatory requirements.
NIST MS-4HIPAA
Adversarial testing (red team) conducted pre-production
Before any AI agent goes live, conduct adversarial testing using automated tools (Garak, PyRIT) to probe for security vulnerabilities. Document all findings and confirm remediation before production deployment.
NIST MS-5EU Art.9
NIST AI RMF — Function 4 of 4
Manage
Prioritize and address AI risks based on documented findings. Maintain ongoing remediation, monitoring, and governance as regulatory requirements evolve.
Prioritized remediation roadmap produced and actioned
Every risk identified in assessment must have an assigned owner, a target remediation date, and a documented status. The roadmap must be reviewed at each quarterly governance review.
NIST MG-1
AI decommission procedure in place for retired systems
When an AI system is retired or replaced, a formal decommission process must document: data deletion, access revocation, vendor contract termination, and removal from the AI inventory.
NIST MG-2HIPAA
Regulatory monitoring active for applicable frameworks
A process for monitoring changes to EU AI Act, HIPAA guidance, FTC rules, and applicable state AI laws must be in place. Material changes must trigger a governance review within 30 days of publication.
NIST MG-3EU Art.43
Regulatory Framework — EU AI Act
EU AI Act Compliance Controls
Full enforcement since August 2026. Applies to any organization placing AI systems on the EU market or whose AI affects persons in the EU. US location is not an exemption.
EU Nexus Assessment completed — applicability confirmed
Determine whether and how the EU AI Act applies to your organization. Many US companies incorrectly believe they are exempt. If you sell to EU customers, deploy AI affecting EU persons, or operate EU-connected AI workflows, you have obligations.
EU Art.2
All AI systems classified under EU AI Act risk tiers
Every AI system must be classified as: Prohibited, High-Risk (Annex III), Limited Risk, or Minimal Risk. Classification determines all compliance obligations. Misclassification carries fines up to €35M or 7% of global annual revenue.
EU Art.6
Technical documentation package produced for High-Risk systems
For each High-Risk AI system: system description, intended purpose, design logic, training data summary, accuracy metrics, human oversight procedures, and incident logging framework must be documented and maintained.
EU Art.11
Human oversight controls verified for High-Risk AI
High-Risk AI systems must have documented human oversight mechanisms that allow authorized persons to monitor, intervene, and override system outputs. These controls must be tested before deployment.
EU Art.14
GPAI model obligations assessed for foundation model use
Organizations using General Purpose AI models (GPT-4, Claude, Gemini, Llama) must assess their obligations under the GPAI provisions of the EU AI Act, including transparency and copyright compliance requirements.
EU Art.51
Regulatory Framework — HIPAA 2026
HIPAA 2026 Security Rule Controls
January 2026 update removed the "addressable" safeguard category. Encryption at rest and in transit is now mandatory — no exceptions — for any AI system handling Protected Health Information.
Business Associate Agreements executed with all AI vendors
Every AI vendor that may access, process, or store Protected Health Information must have a signed BAA before any PHI enters their system. Using an AI tool without a BAA is an active HIPAA violation with up to $1.9M annual penalty exposure.
HIPAA §164.308
Encryption at rest verified for all AI systems handling PHI
All AI systems storing or processing PHI must use AES-256 encryption at rest. The 2026 update eliminated the option to classify this as "addressable." Non-compliance is now a direct HIPAA Security Rule violation.
HIPAA §164.312
Encryption in transit verified for all PHI-handling AI systems
All data transmitted to or from AI systems handling PHI must use TLS 1.2 or higher. This includes API calls to AI vendors, data uploads to AI platforms, and output delivery to clinical staff.
HIPAA §164.312
AI-specific workforce training completed on PHI handling
Clinical and administrative staff must receive training specifically covering which AI tools are approved for PHI, how to verify a tool has a BAA, and what to do if PHI is inadvertently entered into an unapproved AI system.
HIPAA §164.308
Industry Vertical — Legal
ABA Ethics & Legal AI Controls
ABA Formal Ethics Opinion 512 creates direct personal accountability for supervising attorneys over AI-assisted work product. Bar sanctions and malpractice liability apply.
Attorney supervision protocol established for AI work product
Under ABA Opinion 512, supervising attorneys must understand the AI tools used in their matters, verify outputs before use, and maintain competence in AI capabilities and limitations. A written supervision protocol is required.
ABA 512
Client confidentiality verified for all AI tools used in matters
Every AI tool used in client matters must have terms of service reviewed to confirm client data is not used for vendor training, is not accessible to third parties, and does not create privilege waiver risk.
ABA 1.6
AI citation verification protocol in place for court filings
Any AI-generated legal research used in court filings must be independently verified before submission. A written protocol documenting the verification process protects attorneys from sanctions under court AI disclosure rules.
ABA 3.3
Industry Vertical — Financial Services
FTC / CFPB / SEC AI Controls
Explainable AI is now mandatory for all automated consumer-facing decisions. Black-box models are prohibited for lending, credit, and investment recommendations.
Explainability documentation produced for all automated decisions
Every AI system making automated decisions affecting consumers — lending, credit scoring, investment recommendations — must produce an explainable rationale for each decision that can be disclosed to the affected individual on request.
CFPBFTC
SEC AI disclosure documentation prepared for advisory AI
Registered investment advisers using AI for client recommendations must prepare SEC-compliant disclosure documentation explaining how AI is used, its limitations, and how adviser judgment overrides AI recommendations.
SEC 2026
Industry Vertical — Government Contractors
OMB M-26-04 & CMMC Controls
Federal AI procurement now requires verifiable, neutral AI outputs. Non-compliance risks contract termination and debarment.
OMB M-26-04 compliance documentation produced for federal AI
Every AI system used in federal contract performance must have documented governance showing verifiable, neutral outputs. Contracting officers may request this documentation during contract renewal or performance review.
OMB M-26-04
CUI handling review completed for AI systems on federal contracts
Any AI system used in contract performance that may access Controlled Unclassified Information must be assessed against CMMC 2.0 and NIST SP 800-171 requirements. AI tools processing CUI without proper controls create FAR violation exposure.
CMMC 2.0
Completion Summary
Checklist Completion Tracker
Use this summary to track your organization's overall compliance posture across all 40 controls. Present this page to your board, compliance committee, or insurer as evidence of governance due diligence.
Control Coverage by Framework
NIST AI RMF — Govern (6 controls) _____ / 6 completed
NIST AI RMF — Map (4 controls) _____ / 4 completed
NIST AI RMF — Measure (5 controls) _____ / 5 completed
NIST AI RMF — Manage (3 controls) _____ / 3 completed
EU AI Act Controls (5 controls) _____ / 5 completed
HIPAA 2026 Controls (4 controls) _____ / 4 completed
Legal — ABA Ethics Controls (3 controls) _____ / 3 completed
Financial Services Controls (2 controls) _____ / 2 completed
GovCon — OMB / CMMC Controls (2 controls) _____ / 2 completed
Total Controls Completed _____ / 34 applicable
Critical Controls Incomplete
_____ items
Immediate remediation required
Important Controls Incomplete
_____ items
Complete within 90 days
Recommended Next Steps
01Address all Critical controls within 30 days. Prioritize BAA execution and AI inventory completion as immediate actions requiring no budget.
02Commission a full AI Risk Assessment to produce a Signed Defensibility Report covering all applicable frameworks for your specific environment.
03Establish quarterly governance reviews to maintain compliance as regulations evolve. The EU AI Act and HIPAA guidance are actively updated.
Founder, Navard LLC
M.S. Cybersecurity  ·  AIGP (IAPP)  ·  CISM (ISACA)
navard.ai
contact@navard.ai
May 2026
This checklist constitutes AI governance information only and does not constitute legal advice. Navard LLC is not a law firm. Organizations should consult qualified legal counsel regarding the applicability of any regulation to their specific circumstances. Completion of this checklist does not constitute regulatory certification or guarantee of compliance.