AI Compliance: A 2026 Guide for Regulated Industries

AI compliance means meeting the legal, regulatory, and contractual obligations that govern how an organization develops and uses artificial intelligence. In 2026 that landscape moved quickly, with the EU AI Act now partly in force and standards such as ISO 42001 becoming common expectations. This guide explains what AI compliance involves, the rules and frameworks that apply, and how regulated industries can approach it without grinding their AI programs to a halt. What AI Compliance Is AI compliance is the practice of meeting external obligations for AI, which span laws such as the EU AI Act, sector regulations, data protection laws, and standards such as ISO 42001 and the NIST AI Risk Management Framework. It is distinct from AI governance. Governance is the internal system an organization builds to control AI, and compliance is one of the results that system is meant to produce. The Rules That Apply to AI The EU AI Act The EU AI Act is the world’s first comprehensive AI law. It takes a risk-based approach across four tiers, unacceptable, high, limited, and minimal, with fines reaching up to 35 million euros or 7 percent of global turnover. Its obligations apply in phases. Prohibited practices and AI literacy duties have applied since February 2025, obligations for general-purpose AI models since August 2025, and most remaining provisions, including transparency rules, from August 2026. The high-risk timeline shifted in 2026. Under amendments agreed in May 2026, obligations for use-based high-risk systems were deferred to December 2027, and for product-embedded high-risk systems to August 2028, subject to formal enactment. The Act applies beyond Europe, reaching any organization whose AI touches people in the EU. United States and Other Jurisdictions The United States has no single comprehensive federal AI law. Compliance there is shaped by sector regulators, state laws, and existing obligations rather than one statute. Other jurisdictions, including the United Kingdom, have so far relied on existing regulators rather than adopting a single cross-economy AI law. Data Protection Laws AI does not get a pass from existing privacy law. The GDPR and similar regimes apply concurrently whenever an AI system processes personal data, which means many AI use cases carry both AI-specific and data protection obligations at once. Standards That Carry Weight Beyond law, voluntary standards increasingly function as expectations. The ISO 42001 AI management system standard can be certified against, and the NIST AI Risk Management Framework provides widely referenced structure. Clients, partners, and regulators increasingly look for one or both. Mapping obligations to controls is the hard part. Elevate Consult helps regulated organizations get there. The ISO 42001 AI Governance Readiness Bundle gives you a structured foundation. Why AI Compliance Is Harder in Regulated Industries Financial services, healthcare, and the defense sector already carry heavy compliance loads, and AI rules now layer on top. A defense contractor managing CMMC requirements or a vendor navigating FedRAMP authorization levels must now fold AI obligations into programs that were already demanding. The frameworks overlap, but the evidence and accountability requirements multiply. How to Approach AI Compliance The path is the same regardless of industry, even if the obligations differ. How Elevate Consult Helps Organizations With AI Compliance Elevate Consult helps regulated organizations meet AI compliance obligations by mapping them to ISO 42001 and the NIST AI Risk Management Framework, alongside the cybersecurity frameworks many of these organizations already maintain. The aim is one coherent program rather than a separate scramble for each rule. Organizations facing AI compliance requirements can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What is AI compliance? AI compliance is the practice of meeting the legal, regulatory, and contractual obligations that govern how an organization develops and uses AI. It spans laws such as the EU AI Act, sector regulations, data protection laws, and standards such as ISO 42001. Is the EU AI Act in force in 2026? Yes, in phases. Prohibited practices have applied since February 2025 and general-purpose AI obligations since August 2025, with most remaining provisions applying from August 2026. Under amendments agreed in 2026, certain high-risk obligations were deferred to 2027 and 2028, subject to formal enactment. Does the EU AI Act apply to companies outside the EU? Yes. The EU AI Act has extraterritorial reach. It applies to any organization whose AI systems are placed on the EU market or whose output is used in the EU, regardless of where the company is based. How does ISO 42001 help with AI compliance? ISO 42001 provides a certifiable AI management system that organizes governance, risk assessment, documentation, and lifecycle controls. It gives organizations a structured way to demonstrate responsible AI practices and supports readiness for regulations such as the EU AI Act. What are the penalties for violating the EU AI Act? Penalties are tiered. Prohibited practices can draw fines up to 35 million euros or 7 percent of global annual turnover, while other violations, including those by general-purpose AI providers, carry lower maximum fines. The exact figure depends on the nature of the breach.
AI Risk Management: A Framework for Enterprise AI Risk

AI risk management is the practice of identifying, assessing, and treating the risks that artificial intelligence creates for an organization, before those risks turn into incidents. As AI moves into decisions that affect customers, finances, and compliance, managing its risk has become a core discipline rather than an optional one. This guide explains what it is, the main types of AI risk, the steps in the process, and how it fits within broader governance. What AI Risk Management Is It is a repeatable discipline for keeping the risks of AI within an acceptable range. It borrows from traditional risk management, but AI introduces risk types that older programs were never built to handle, including bias, opacity, model drift, and the autonomy of systems that act on their own. It does not stand alone. It is a core function inside a broader program of AI governance, which sets the accountability and policy that risk work depends on. The Main Types of AI Risk Data and Privacy Risk AI systems consume large volumes of data, which creates exposure when that data is sensitive, regulated, or moved into tools the organization does not control. Bias and Fairness Risk Models can reproduce or amplify bias in their training data, leading to unfair outcomes in decisions such as hiring, lending, or access to services. Security Risk AI expands the attack surface through prompt injection, data poisoning, ungoverned shadow AI, and autonomous agents with broad permissions. These threats often fall outside the scope of traditional security reviews. Reliability and Accuracy Risk AI output can be confidently wrong. Hallucination and model drift mean a system that performed well at launch can degrade or mislead over time if it is not monitored. Compliance and Legal Risk Using AI in regulated ways without the right controls can breach laws and standards, from data protection rules to the obligations now arriving under AI-specific regulation. Elevate Consult helps organizations turn this list of risks into a managed program. The ISO 42001 AI Governance Readiness Bundle provides a structured starting point. The Risk Management Process Whatever framework an organization adopts, the underlying process is consistent. Managing AI Risk With Recognized Frameworks Two frameworks dominate this space. The NIST AI Risk Management Framework is, at its core, a structure for managing AI risk through its functions to govern, map, measure, and manage. The ISO 42001 standard embeds risk and impact assessment inside a certifiable management system. Aligning to one or both gives a risk program structure and credibility rather than a process invented from scratch. How Elevate Consult Helps Organizations Manage AI Risk Elevate Consult helps organizations build AI risk programs aligned to the NIST AI RMF and ISO 42001, from AI inventory and risk assessment through controls, monitoring, and documentation. The aim is a program that keeps AI risk visible and under control as the organization scales its use of AI. Organizations ready to manage AI risk deliberately can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What is AI risk management? AI risk management is the practice of identifying, assessing, and treating the risks that artificial intelligence creates, so they stay within an acceptable range. It covers risks such as bias, data exposure, security, unreliable output, and compliance. What are the main types of AI risk? The main types are data and privacy risk, bias and fairness risk, security risk, reliability and accuracy risk, and compliance and legal risk. The same AI system can carry different risks depending on how and where it is used. How do you assess AI risk? Assess AI risk by inventorying your AI systems, identifying the risks for each use case, and rating those risks by likelihood and impact. Tiering risk this way lets you apply stronger controls and oversight to the systems that need them most. What is the difference between AI risk management and AI governance? AI governance is the overall system of accountability, policy, and oversight for AI. It is a core function within that system, focused specifically on identifying and treating AI risk. Governance sets the direction, and risk management does the work of keeping AI risk in check. How does the NIST AI RMF relate to AI risk management? The NIST AI RMF is essentially a structure for managing AI risk, organized around four functions: govern, map, measure, and manage. Many organizations use it as the backbone of their AI risk program.
Shadow AI Detection: How to Find and Govern It

Shadow AI detection is the practice of finding the unapproved AI tools and services employees are already using across an organization, so they can be brought under governance. You cannot govern what you cannot see, which makes detection the first practical step in any shadow AI program. This guide explains how shadow AI detection works, the methods that surface it, and how to govern it once it is found. Why Shadow AI Detection Comes First Most organizations underestimate how much unapproved AI is already in use. Free, browser-based tools require no installation and no purchase order, so they spread without ever appearing on IT’s radar. Shadow AI detection comes first because every later step, from risk assessment to policy, depends on knowing what is actually running. For a fuller picture of the underlying problem, see the guide on AI governance frameworks. How to Detect Shadow AI No single method catches everything. Effective programs combine several signals. Employee Surveys and Self-Disclosure Asking directly, without blame, often surfaces tools no monitoring would catch. A short anonymous survey is the fastest way to begin and frequently reveals the scale of the problem. Network and Traffic Monitoring Outbound traffic and DNS logs show connections to known AI services. Monitoring egress to AI domains is one of the most reliable ways to detect shadow AI at the network level. Endpoint and Browser Visibility Because much of this activity runs in the browser, endpoint and extension visibility catches what network logs miss. Browser extensions and installed apps both leave traces worth reviewing. Identity and SaaS App Discovery Single sign-on logs, OAuth grants, and cloud access security tools reveal which AI applications employees have connected to corporate accounts. This identity layer is often the richest source of discovery. Expense and Procurement Signals Individual AI subscriptions on expense reports and corporate cards point to paid tools in use outside any review. Finance data is an easy signal that is frequently overlooked. From Detection to Governance Finding the tools is only the start. Detection has to feed governance, or the same problem returns within months: Elevate Consult helps organizations detect shadow AI and turn what they find into a governed program. The ISO 42001 AI Governance Readiness Bundle provides the structure. Shadow AI Detection and AI Governance Detection produces the inventory that every governance framework relies on. The ISO 42001 standard and the NIST AI Risk Management Framework both assume an organization knows what AI it operates. Without detection, that inventory is incomplete, and governance rests on a false picture of reality. How Elevate Consult Helps Organizations Detect and Govern Shadow AI Elevate Consult helps organizations stand up shadow AI detection and connect it to a governance program aligned to ISO 42001 and the NIST AI Risk Management Framework. The work moves from discovery through inventory, risk assessment, and policy, so unapproved tools become managed ones rather than blind spots. Teams ready to find and govern the AI already in use can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What is shadow AI detection? Shadow AI detection is the practice of finding the unapproved AI tools and services employees use across an organization, so they can be brought under governance. It is the first step in any shadow AI program because controls cannot be applied to tools no one knows about. What methods are used to detect shadow AI? Common methods include anonymous employee surveys, network and DNS traffic monitoring for connections to AI services, endpoint and browser visibility, single sign-on and OAuth app discovery, and expense or procurement signals. Effective programs combine several of these rather than relying on one. Can you detect shadow AI with existing security tools? Often, yes. Cloud access security brokers, DNS and network monitoring, and single sign-on logs already in place can surface much shadow AI usage. The gap is usually not tooling but the decision to look and to treat the findings as a governance priority. What do you do after detecting shadow AI? After detection, organizations should catalogue each tool in an AI inventory, assess the risk of each one, provide sanctioned alternatives, bring approved tools under an acceptable use policy, and monitor continuously. Detection feeds governance rather than ending the work. Why is detecting shadow AI difficult? Detecting shadow AI is difficult because many tools are free, browser-based, and require no installation or purchase, so they never appear in procurement or software inventories. Usage is also distributed across individuals, which is why several detection signals are needed to see the full picture.
EU AI Act Timeline: The New Deadlines After the 2026 Omnibus

The EU AI Act timeline just changed. On 16 June 2026, the European Parliament approved a package of amendments known as the digital omnibus that postpones the heaviest obligations of the AI Act by one to two years, delays one transparency requirement, and adds a new prohibition. The changes still need formal adoption by the Council before they become law, but the direction is set. This article lays out the new EU AI Act timeline, what moved, what did not, and what it means for organizations preparing to comply. What Changed in the EU AI Act Timeline The European Parliament approved the digital omnibus on 16 June 2026 by 423 votes to 57, with 174 abstentions. The package is designed to give organizations more time to comply while keeping the risk-based architecture of the AI Act intact. In short, it postpones the high-risk obligations, delays the provider watermarking requirement, bans a category of harmful AI, and reduces overlaps with other EU laws. It is not yet final: the Council must still formally adopt it, which is expected before 2 August 2026. For how the AI Act sits alongside other frameworks, see the guide on EU AI Act compliance compared with NIST and ISO 42001. The New High-Risk Deadlines The most significant change is the postponement of obligations for high-risk AI systems: The extra time is intended to let the necessary technical standards and guidance be finalized first, since much of what organizations need to comply was not going to be ready in time. What Did Not Move: Transparency Stays in August 2026 This is the part most easily misread. Most of the AI Act’s transparency obligations under Article 50 still apply from 2 August 2026, including the duty to tell people when they are interacting with an AI system such as a chatbot, and the duty for those deploying AI to clearly label deepfakes and AI-generated text published on matters of public interest. Only one transparency rule moved. The provider obligation to embed machine-readable marking in AI-generated content, the watermarking requirement, is delayed to 2 December 2026, and that extension applies to generative systems already placed on the market before 2 August 2026. Systems launched after that date are expected to comply right away. In other words, the labelling duties most organizations face are still arriving in August, and only the technical marking piece gets a short reprieve. A New Prohibition: The Nudifier Ban The omnibus also adds a new prohibited practice to Article 5 of the AI Act. It bans AI systems that generate child sexual abuse material or that create intimate or sexually explicit images, video, or audio of an identifiable person without consent. The prohibition applies to both providers placing such systems on the EU market and deployers using them for that purpose, with compliance required by 2 December 2026. There is a safe harbour for systems that include adequate technical safeguards to prevent this misuse. The practical implication is concrete: any organization offering general-purpose image or media generation needs documented preventive safeguards as part of its risk management, not as an afterthought. Other Changes Worth Knowing The Complete EU AI Act Timeline at a Glance This EU AI Act timeline reflects the package approved by Parliament on 16 June 2026 and remains subject to formal adoption by the Council. What Organizations Should Do Now Elevate Consult helps organizations turn the AI Act timeline into a working compliance plan. The ISO 42001 AI Governance Readiness Bundle is a structured place to start. How Elevate Consult Helps Elevate Consult helps organizations interpret the EU AI Act timeline and build governance programs aligned to it and to ISO 42001 and the NIST AI Risk Management Framework. The work spans scoping and classification, transparency and labelling controls, and the documentation that demonstrates a credible path to compliance as the deadlines approach. Organizations preparing for the AI Act can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What is the new EU AI Act timeline? Under the digital omnibus approved by the European Parliament on 16 June 2026, high-risk obligations move to 2 December 2027 for stand-alone Annex III systems and 2 August 2028 for Annex I embedded systems. Most Article 50 transparency obligations still apply from 2 August 2026, while the provider watermarking requirement moves to 2 December 2026, the same date by which a new ban on nudifier systems must be met. The package still requires formal adoption by the Council. Did the EU delay the AI Act? In part. The European Parliament approved a package on 16 June 2026 that postpones the high-risk AI obligations by roughly one to two years and delays the provider watermarking requirement to 2 December 2026. It does not repeal the AI Act or change its risk-based architecture, and most other deadlines, including most transparency obligations in August 2026, remain in place. The changes still need formal adoption by the Council. When do high-risk AI obligations apply under the EU AI Act? Under the approved changes, obligations for stand-alone high-risk AI systems listed in Annex III apply from 2 December 2027, and obligations for high-risk AI embedded as safety components in regulated products listed in Annex I apply from 2 August 2028. These replace the earlier dates of 2 August 2026 and 2 August 2027. Are the EU AI Act transparency rules delayed? Mostly no. The duties to disclose AI chatbots and to label deepfakes and AI-generated public-interest text still apply from 2 August 2026. Only the provider obligation to embed machine-readable marking in AI-generated content, the watermarking requirement, moves to 2 December 2026, and that extension applies to generative systems placed on the market before 2 August 2026. What is the EU nudifier ban? The digital omnibus adds a prohibition to Article 5 of the AI Act on AI systems that generate child sexual abuse material or that create intimate or sexually explicit imagery of an identifiable person without consent. It applies to providers and deployers, takes effect on 2 December 2026, and includes a safe
Enterprise AI Governance: A Guide for Boards and Leadership

Enterprise AI governance is the way an organization’s board and senior leadership direct, oversee, and remain accountable for the use of AI across the entire business. As AI moves into decisions that shape revenue, risk, and reputation, oversight of it has become a board-level duty rather than a technical detail. This guide explains what enterprise AI governance involves, the board’s specific role, and how leadership can govern AI at scale. What Enterprise AI Governance Is Enterprise AI governance is governance applied at the level of the whole organization, not a single team’s policy. It is the direction, accountability, and oversight that leadership sets so that every business unit uses AI within the same guardrails. The defining feature is ownership: at enterprise scale, responsibility for AI sits with the board and executive leadership, not only with technology teams. The mechanics of building it out are covered in the broader guide on AI governance frameworks. The Board’s Role in AI Governance A board does not run AI. Its job is to ensure AI is run responsibly. That means setting the organization’s risk appetite for AI, requiring clear accountability beneath them, ensuring the program is properly resourced, and asking management the questions that surface risk before it becomes a problem. The distinction matters. Boards that try to operate AI overstep, and boards that ignore it leave the organization exposed. Effective oversight sits between the two: informed, demanding, and accountable without being operational. What Leadership Must Put in Place For oversight to be real, leadership has to stand up a few essentials: a named executive owner for AI risk, an enterprise policy that applies across business units, an inventory of AI systems spanning the whole organization, regular risk reporting that reaches the board, and alignment to a recognized standard so the program is consistent and defensible. Without these, board oversight becomes a conversation with no evidence behind it. Questions Boards Should Ask About AI A board does not need to understand the technology in depth to govern it well. It needs to ask the right questions: Elevate Consult helps boards and leadership turn these questions into a working oversight program. The ISO 42001 AI Governance Readiness Bundle gives leadership a structured foundation. Enterprise AI Governance and Recognized Frameworks Recognized standards make leadership oversight concrete. The ISO 42001 standard places explicit responsibility on top management for the AI management system, and the NIST AI Risk Management Framework puts governance at the center of its structure. Aligning the enterprise to one or both gives the board a defensible answer when asked how AI is controlled. How Elevate Consult Helps Boards and Leadership Govern AI Elevate Consult helps boards and executive teams establish AI oversight aligned to ISO 42001 and the NIST AI Risk Management Framework, from executive accountability and enterprise policy through board-level risk reporting. The aim is governance leadership can stand behind and demonstrate to regulators, clients, and the board itself. Boards and leadership teams ready to strengthen AI oversight can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What is enterprise AI governance? Enterprise AI governance is organization-wide direction, accountability, and oversight of how AI is used, owned by the board and senior leadership rather than a single team. It ensures every business unit uses AI within the same guardrails and that someone at the top is accountable for the risk. What is the board’s role in AI governance? The board oversees rather than operates AI. Its role is to set the organization’s risk appetite for AI, require clear accountability beneath it, ensure the program is resourced, and ask management the questions that surface risk. It does not run AI systems itself. What questions should a board ask about AI? A board should ask where AI is used and the risk of each use, who is accountable for AI risk, how the organization knows its AI is compliant, what its exposure to shadow AI is, and whether it is aligned to a recognized framework and can prove it in an audit. How does enterprise AI governance differ from a single AI policy? A single AI policy sets rules for one team or use case. Enterprise AI governance is the broader system of leadership accountability, inventory, risk reporting, and oversight that applies consistently across the whole organization. The policy is one component within it. Does ISO 42001 require board involvement? ISO 42001 places explicit responsibility on top management for the AI management system, including leadership commitment and accountability. While it does not name the board specifically, it requires senior leadership to own and direct AI governance.
AI Audit: What It Covers and How to Prepare

An AI audit is an independent review of how an organization builds, uses, and governs artificial intelligence, measured against a standard, regulation, or risk framework. As AI takes on more consequential decisions, this kind of review has become the way organizations prove their AI is controlled, fair, and compliant. This guide explains what it covers, the main types, and how to prepare for one. What an AI Audit Is It is a structured, independent evaluation of an organization’s AI systems, the controls around them, and the governance that directs them. It is not a penetration test, which probes for technical weaknesses, and it is broader than a general IT audit. Its purpose is to give an objective answer to a simple question: is this organization’s AI actually under control? Independence is what gives the result its weight. A review carries more credibility when the party performing it is separate from the team that built the systems being examined. Types of AI Audit Governance and Management System Audits These assess an organization’s AI management system against a standard such as ISO 42001, checking that governance, policies, and controls are in place and operating. Risk and Controls Audits These examine whether the organization has identified its AI risks and applied controls that match, often using the NIST AI Risk Management Framework as the benchmark. Bias and Fairness Audits Sometimes called algorithmic audits, these evaluate specific models for biased or unfair outcomes, which matters most for AI used in decisions about people. Regulatory and Compliance Audits These check AI use against legal obligations, such as the conformity requirements arriving under AI-specific regulation, and against the broader landscape of AI governance frameworks. What an Audit Covers Across these types, an audit generally examines a common set of areas: the inventory of AI systems, the policies governing their use, risk and impact assessments, the controls applied to each system, the evidence and documentation behind them, monitoring practices, and the oversight of third-party and vendor AI. The thread running through all of it is evidence. An audit tests not whether an organization says it governs AI, but whether it can show it. Elevate Consult helps organizations get audit-ready before the auditor arrives. The ISO 42001 AI Governance Readiness Bundle is built for exactly this. How to Prepare for an Audit Preparation is the difference between an audit that confirms control and one that exposes gaps. ISO 42001 Audits and Certification For many organizations, the most consequential audit is the certification audit for ISO 42001, conducted by an accredited certification body. That certification audit must be independent from the work that prepared the organization for it. A readiness partner helps an organization become audit-ready and can run internal audits, while the formal certification is performed by a separate accredited body. Keeping those roles distinct protects the integrity of the result. How Elevate Consult Helps Organizations Prepare for Audits Elevate Consult helps organizations prepare for audits aligned to ISO 42001 and the NIST AI Risk Management Framework, through readiness assessments, internal audits, evidence organization, and gap remediation. The goal is an organization that walks into its certification audit ready to pass, with a clear separation between readiness support and the independent certifying body. Organizations preparing for an audit can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What is an AI audit? An AI audit is an independent, structured review of how an organization builds, uses, and governs AI, measured against a standard, regulation, or risk framework. It evaluates AI systems, the controls around them, and the governance directing them. What does an AI audit cover? An AI audit typically covers the inventory of AI systems, governing policies, risk and impact assessments, applied controls, supporting evidence and documentation, monitoring practices, and oversight of third-party AI. The common thread is whether the organization can demonstrate, with evidence, that its AI is controlled. How do you prepare for an AI audit? Prepare by building an AI inventory, documenting your governance, keeping audit-ready evidence such as risk and impact assessments, mapping controls to the relevant standard, and running an internal audit or readiness review to close gaps before the external audit. What is the difference between an AI audit and an ISO 42001 audit? An ISO 42001 audit is a specific type of audit that evaluates an organization’s AI management system against the ISO 42001 standard, and the certification version is performed by an accredited body. The broader term AI audit also includes risk, bias, and regulatory reviews that are not tied to a single standard. Who performs an AI audit? Internal audits can be run by an organization’s own team or an advisor, while formal certification audits, such as for ISO 42001, must be performed by an independent accredited certification body. A readiness partner prepares the organization but does not perform its own certification.
Labeling AI-Generated Content: What the EU AI Act Requires

Labeling AI-generated content is about to become a legal requirement in the European Union. In June 2026, the European Commission published a voluntary Code of Practice to help organizations meet the AI Act transparency obligations that apply from 2 August 2026. This article explains what must be labeled, what the new Code does, and what it means for any organization whose AI content reaches the EU. What the EU AI Act Requires for Labeling AI-Generated Content The requirement comes from Article 50 of the AI Act, the section that sets transparency obligations for providers and deployers of generative and interactive AI systems. These obligations arrive on two dates, following the digital omnibus approved by the European Parliament in June 2026. From 2 August 2026, deployers must clearly label deepfakes and AI-generated or AI-manipulated text published to inform the public on matters of public interest, and anyone deploying an interactive system such as a chatbot must tell people they are interacting with AI rather than a human. The provider duty to mark AI-generated or AI-manipulated audio, image, video, and text in a machine-readable format, so the content can be detected as artificial, applies from 2 December 2026 for generative systems already on the market before 2 August 2026, with systems launched after that date expected to comply right away. These rules sit within the broader risk-based structure of the AI Act. For how that structure compares with other frameworks, see the guide on EU AI Act compliance alongside NIST and ISO 42001. What the New Code of Practice Does, and Does Not Do On 10 June 2026, the European Commission published the final Code of Practice on marking and labeling of AI-generated content. It was drafted by independent experts through a stakeholder process and is organized into two parts: one for providers, covering machine-readable marking and detection, and one for deployers, covering the labeling of deepfakes and public-interest text. Taken together, it is the EU’s most concrete guidance yet on labeling AI-generated content. The critical point is what the Code is not. It is voluntary, and signing or following it does not by itself prove compliance with the AI Act. It is a practical route to meeting the obligations, not a substitute for them. Organizations remain responsible for satisfying Article 50 whether or not they adopt the Code. What Content Must Be Labeled The obligations target the content most likely to deceive: There are exceptions. Labeling obligations are eased where AI-generated text has undergone human review and sits under editorial responsibility, and where AI performs an assistive or minor editing function. The exact boundaries are part of what the Commission’s accompanying guidelines aim to clarify. The EU Icons for AI-Generated Content To make disclosure consistent, the Commission has published a set of standardized icons for marking AI-generated content. Standard marks matter because labeling only works if readers, regulators, and courts recognize and trust the same signal. Organizations can review the official set on the Commission’s EU Icons for labelling AI-generated content page. Does This Apply to US Companies? Often, yes. The AI Act reaches beyond the borders of the EU. A company based in the United States can fall within scope when it places a generative AI system on the EU market, or when the AI-generated output it produces is used in the EU, regardless of where the company itself is located. For many US organizations publishing content, running chatbots, or shipping AI features that reach European users, the transparency obligations are not optional and the 2 August 2026 date is real. Because applicability turns on specific facts, organizations should assess their own exposure rather than assume distance from Europe puts them outside the rules. How to Prepare for Labeling AI-Generated Content Preparing for labeling AI-generated content is less about a single tool and more about knowing where AI touches the content you publish: Elevate Consult helps organizations turn AI transparency rules into a working program. The ISO 42001 AI Governance Readiness Bundle is a structured place to start. How Elevate Consult Helps Elevate Consult helps providers and deployers prepare for the AI Act transparency obligations as part of a governance program aligned to ISO 42001 and the NIST AI Risk Management Framework. The work spans AI inventory, policy, labeling and provenance controls, and the evidence that demonstrates a good-faith path to compliance. Organizations that want to be ready before 2 August 2026 can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What does the EU AI Act require for labeling AI-generated content? Under Article 50 of the AI Act, deployers must clearly label deepfakes and AI-generated text published on matters of public interest, and people must be told when they are interacting with an AI system such as a chatbot. These deployer and disclosure duties apply from 2 August 2026. The separate provider duty to embed machine-readable marking in AI-generated audio, image, video, and text applies from 2 December 2026 under the June 2026 digital omnibus, for generative systems already on the market before 2 August 2026. When do the EU AI Act transparency rules apply? Most apply from 2 August 2026, including the duty to label deepfakes and AI-generated public-interest text and to disclose AI chatbots. The provider duty to embed machine-readable marking in AI-generated content was moved to 2 December 2026 by the digital omnibus approved in June 2026, with a grandfathering allowance for generative systems already on the market before 2 August 2026. Is the EU Code of Practice on AI labeling mandatory? No. The Code of Practice published on 10 June 2026 is voluntary. Following or signing it can support a demonstration of compliance with the AI Act, but it does not by itself establish compliance. The underlying Article 50 obligations are mandatory regardless of whether an organization adopts the Code. Does the EU AI Act apply to US companies? It can. The AI Act applies beyond the EU when a company places a generative AI system on the EU market or when the AI-generated output it
AI Acceptable Use Policy: How to Curb Shadow AI

An AI acceptable use policy is the document that tells employees which AI tools they may use, what data they may enter into them, and what they must never do. It is the single fastest control an organization can put in place to curb shadow AI, the unapproved use of AI tools that spreads quietly through most companies. This guide explains what an AI acceptable use policy is, what it should include, and how to write one that people actually follow. What an AI Acceptable Use Policy Is An AI acceptable use policy is a short, readable document that sets the boundaries for how people use AI at work. It is not a legal contract written for lawyers. It is a practical guide written for the employees who use AI every day, and it sits inside a broader AI governance framework alongside risk assessment, inventory, and oversight. Its job is simple: make the safe path the easy path, so employees do not have to guess where the line is. Why an AI Acceptable Use Policy Matters Most shadow AI does not come from bad intent. It comes from the absence of a clear rule. When employees have no guidance, they reach for whatever free tool gets the work done, often pasting sensitive data into services the organization has never reviewed. An acceptable use policy closes that gap. It gives people a clear answer to the question they are already asking, which tools are allowed and what data is off limits, and it gives the organization a documented standard it can point to with auditors, regulators, and clients. What to Include in an AI Acceptable Use Policy Approved and Prohibited Tools List the AI tools the organization has reviewed and approved, and state clearly that other tools require approval before use. Naming approved tools is what gives employees a safe alternative to shadow AI. Data Rules Define the categories of information that may never be entered into an AI tool, such as customer data, regulated records, credentials, and proprietary code. This is the most important section of the policy and the one most likely to prevent a serious incident. Human Review and Accountability State that AI output must be reviewed by a person before it is used in decisions, communications, or deliverables, and that the employee using the tool remains accountable for the result. Disclosure and Transparency Set expectations for when AI use should be disclosed, both internally and to clients, so the organization avoids surprises and reputational risk. Consequences and Support Explain what happens if the policy is broken, but pair it with support. Tell people how to request a new tool or ask a question, so the policy enables good behavior rather than only punishing bad behavior. An acceptable use policy works best inside a structured program. Elevate Consult’s ISO 42001 AI Governance Readiness Bundle gives organizations an AI governance operating system to build on. How to Write an AI Acceptable Use Policy A policy that no one reads changes nothing. The following sequence produces one that does. The Policy Is One Part of AI Governance An acceptable use policy is necessary, but it is not sufficient on its own. It works only inside a broader program that includes an AI system inventory, risk assessment, and ongoing oversight. For organizations formalizing that program, the policy maps directly to controls in the ISO 42001 AI management system standard, which expects documented policies as part of responsible AI governance. How Elevate Consult Helps Organizations Govern AI Elevate Consult helps organizations write AI acceptable use policies that fit their risk profile and connect them to a complete AI governance program aligned to ISO 42001 and the NIST AI Risk Management Framework. The result is a policy that curbs shadow AI and stands up to scrutiny. Organizations ready to bring AI use under control can start a conversation with the Elevate team. Key Takeaways Frequently Asked Questions What is an AI acceptable use policy? An AI acceptable use policy is a document that defines which AI tools employees may use, what data they may enter into them, and what is prohibited. It sets clear boundaries for AI use at work as part of a broader AI governance program. What should an AI acceptable use policy include? It should include approved and prohibited tools, clear data boundaries on what can never be entered into AI, a requirement for human review of AI output, disclosure expectations, and both consequences for misuse and a process for requesting new tools. How does an AI acceptable use policy help with shadow AI? Most shadow AI comes from the absence of a clear rule. By naming approved tools and defining what data is off limits, an acceptable use policy gives employees a safe alternative and removes the main reason they turn to unapproved tools. Who should an AI acceptable use policy apply to? It should apply to everyone who uses AI in the course of their work, including full-time employees, contractors, and anyone with access to company systems or data. Is an AI acceptable use policy required for ISO 42001? ISO 42001 expects documented policies governing AI use as part of an AI management system. An acceptable use policy is a practical way to meet that expectation and demonstrate responsible AI governance to an auditor.
How to Build an AI Governance Framework

An AI governance framework is the set of policies, roles, and processes an organization uses to direct and control how it develops, buys, and uses artificial intelligence. Without one, AI decisions happen in scattered pockets across the business, often with no one accountable for the risk. This guide explains what an AI governance framework includes, the steps to build one, and how to align it with recognized standards so it holds up to audits, regulators, and the board. What an AI Governance Framework Is An AI governance framework is not a single document. It is the operating model for every AI decision in the organization, covering four things: the people accountable for AI, the policies that set the rules, the processes that manage risk across the AI lifecycle, and the oversight that keeps it all on track. A good framework does not slow AI down. It gives leadership the confidence to move faster, because the guardrails are clear and someone owns the outcome. Why Organizations Need an AI Governance Framework AI risk is now business risk. Regulators are setting expectations, clients are asking how AI is governed, and boards are being held accountable for AI decisions they may not fully understand. At the same time, shadow AI, the use of AI tools without approval, spreads through organizations that have no framework to channel it. A framework turns all of this from a source of exposure into a managed program. It is the difference between knowing where AI is used and discovering it after an incident. The Core Components of an AI Governance Framework Clear Accountability and Roles Every framework needs a named owner for AI risk and a cross-functional group that brings together security, legal, compliance, and the business. Without clear accountability, governance becomes everyone’s job and therefore no one’s. AI Principles and Policies Principles state what the organization will and will not do with AI. Policies make those principles operational, including an acceptable use policy that defines approved tools and the data that can never enter an AI system. An AI System Inventory An organization cannot govern AI it cannot see. A living inventory of AI systems, including tools brought in through shadow AI, is the foundation that every other control depends on. A Risk Management Process Each AI system carries a different level of risk. A repeatable process to assess and tier systems by risk lets the organization apply effort where it matters most, rather than treating a marketing chatbot the same as a credit decision model. Controls and Documentation Controls should be proportional to risk, and every significant decision should leave a record. That documentation is what makes the program defensible to an auditor, a regulator, or a client. Monitoring and Review AI systems drift, vendors change, and new tools appear constantly. Governance has to be a continuous process with regular review, not a policy written once and filed away. Building this from scratch is faster with a partner who has done it before. Elevate Consult helps organizations stand up AI governance programs that pass audits. Request a conversation. How to Build an AI Governance Framework Step by Step The components above come together through a clear sequence. Aligning Your Framework with Recognized Standards A framework built in isolation is harder to defend than one aligned to a recognized standard. Two stand out. ISO 42001 is a certifiable AI management system standard, and the NIST AI Risk Management Framework is a widely used voluntary framework. Aligning to one or both gives the program credibility with auditors, regulators, and clients, and provides a tested structure rather than a blank page. How Elevate Consult Helps Organizations Govern AI Elevate Consult helps organizations design and implement AI governance frameworks aligned to ISO 42001 and the NIST AI Risk Management Framework, from accountability and policy through inventory, risk assessment, and ongoing monitoring. The result is a program leadership can stand behind and an auditor can verify. Organizations ready to build or strengthen their AI governance can start with a scoping conversation. Talk with the Elevate team. Key Takeaways Frequently Asked Questions What is an AI governance framework? An AI governance framework is the set of policies, roles, and processes an organization uses to direct and control how it develops, buys, and uses artificial intelligence. It covers accountability, rules for use, a process for managing risk, and ongoing oversight. What should an AI governance framework include? A complete framework includes clear accountability and roles, AI principles and policies, an inventory of AI systems, a risk management process, controls and documentation proportional to risk, and continuous monitoring and review. How do you build an AI governance framework? Start by securing executive sponsorship and assigning accountability, then inventory your AI systems, define principles and policies, establish a risk assessment process, apply controls proportional to risk, train staff, and monitor and improve the framework over time. What is the difference between ISO 42001 and the NIST AI RMF? ISO 42001 is a certifiable AI management system standard that an organization can be formally audited against. The NIST AI Risk Management Framework is a voluntary framework that provides structure and guidance but is not certified. Many organizations use the NIST framework for guidance and pursue ISO 42001 for certification. Who is responsible for AI governance in a company? Accountability should sit with a named senior owner, supported by a cross-functional group spanning security, legal, compliance, and the business. Ultimate oversight increasingly rests with executive leadership and the board.
NIST AI RMF Explained: A Practical Implementation Guide

The NIST AI RMF, short for the National Institute of Standards and Technology AI Risk Management Framework, is a voluntary framework that helps organizations manage the risks of artificial intelligence across its full lifecycle. Released in 2023 and expanded since through companion profiles, it has become a common reference point for building trustworthy AI. This guide explains what the NIST AI RMF is, its four core functions, the characteristics of trustworthy AI it promotes, and how to put it into practice. What the NIST AI RMF Is NIST released version 1.0 of the AI Risk Management Framework in January 2023. It is voluntary, applies across industries and use cases, and is designed to help organizations capture the benefits of AI while managing its risks throughout the AI lifecycle. NIST has not released a formal version 2.0. Instead, the framework has matured through profiles and companion resources that adapt it to specific technologies and sectors, which means organizations adopting it today work from the 1.0 core plus the profile most relevant to their use case. The Four Core Functions of the NIST AI RMF The framework is organized around four functions. The first runs through all the others, and the remaining three describe a continuous lifecycle. The Characteristics of Trustworthy AI The framework defines what trustworthy AI looks like through a set of characteristics that the four functions work to achieve: These characteristics give organizations a shared vocabulary for judging whether an AI system is fit to deploy. Putting the NIST AI RMF into practice is where most organizations get stuck. Elevate Consult helps translate the framework into a working program. Request a conversation. NIST AI RMF Profiles and Recent Developments Profiles adapt the framework to a specific technology, sector, or use case. In July 2024, NIST released the Generative AI Profile to address risks unique to generative AI. The framework has continued to expand since. In December 2025, NIST published a preliminary draft of a Cybersecurity Framework Profile for AI. In April 2026, it released a concept note for a profile on trustworthy AI in critical infrastructure. NIST has also launched an initiative to develop voluntary guidelines for AI agents, with an agent-focused profile planned for late 2026. The direction is clear: the framework is becoming more operational and more sector-specific over time. How to Implement the NIST AI RMF The framework is descriptive rather than prescriptive, which gives organizations flexibility but can make starting difficult. A practical path follows the functions in order. NIST AI RMF and ISO 42001 The NIST AI RMF is often compared with ISO 42001. The NIST framework is voluntary guidance, while ISO 42001 is a certifiable AI management system standard an organization can be audited against. The two are complementary, and many organizations use the NIST framework to shape their approach while pursuing ISO 42001 certification to demonstrate it. How Elevate Consult Helps Organizations Govern AI Elevate Consult helps organizations operationalize the NIST AI Risk Management Framework, from the Govern function through mapping, measuring, and managing AI risk, and align it with ISO 42001 where certification is the goal. The aim is a program that is not only documented but demonstrably working. Organizations adopting the NIST AI RMF can start with a scoping conversation. Talk with the Elevate team. Key Takeaways Frequently Asked Questions What is the NIST AI RMF? The NIST AI RMF is the National Institute of Standards and Technology AI Risk Management Framework, a voluntary framework released in 2023 that helps organizations manage the risks of artificial intelligence across its full lifecycle. What are the four functions of the NIST AI RMF? The four functions are Govern, Map, Measure, and Manage. Govern is the cross-cutting foundation that sets accountability and policy, while Map, Measure, and Manage describe a continuous cycle of identifying, assessing, and acting on AI risk. Is the NIST AI RMF mandatory? No. The NIST AI RMF is voluntary. However, it is increasingly referenced in contracts, procurement requirements, and regulatory guidance, which has made it a common expectation even though it is not legally required. What is the difference between the NIST AI RMF and ISO 42001? The NIST AI RMF is voluntary guidance for managing AI risk, while ISO 42001 is a certifiable AI management system standard an organization can be formally audited against. They are complementary, and many organizations use both. Is there a NIST AI RMF 2.0? NIST has not released a formal version 2.0. The framework remains based on the 2023 version 1.0 core, expanded through profiles and companion resources such as the Generative AI Profile and newer sector-specific guidance.