Two US financial privacy regulations updated significantly in 2023: the FTC's Safeguards Rule under GLBA (effective June 2023) and New York DFS's 23 NYCRR 500 cybersecurity regulation (effective November 2023). Both have teeth that the originals lacked — and both attach personal liability to individuals for compliance failures.

If you're a US financial institution, non-bank financial company, or mortgage servicer, and you're deploying AI agents that touch customer financial data, both regulations apply.

ESG investing has generated its own regulatory stack: SFDR (Sustainable Finance Disclosure Regulation) requires fund managers to classify products under Article 6, 8, or 9 and disclose how sustainability factors are integrated. CSRD (Corporate Sustainability Reporting Directive) requires large EU companies to report on sustainability using ESRS (European Sustainability Reporting Standards).

Both regulations increasingly involve AI: ESG scoring models, portfolio screening algorithms, automated ESRS data collection, and natural language processing of sustainability disclosures. Where AI is involved, the governance and audit requirements of these regulations apply to the AI layer.

FedRAMP (Federal Risk and Authorization Management Program) Rev. 5 — aligned with NIST SP 800-53 Rev. 5 — is the authorization framework for cloud services used by US federal agencies. If your AI platform is used by a federal agency, or if you're building AI agents that operate on FedRAMP-authorized infrastructure, you're in this regulatory environment.

The 2024 FedRAMP authorization process reform has made the path somewhat faster for some providers. But the substantive requirements — particularly around logging, access control, and incident reporting — are unchanged and extensive.

PCI-DSS 4.0 became the mandatory standard on March 31, 2024. Version 3.2.1 is retired. Among the significant changes in v4.0: expanded requirements for automated and AI-driven systems operating within or adjacent to the Cardholder Data Environment (CDE).

If your AI agent handles, routes, processes, or queries payment card data — primary account numbers (PANs), CVVs, cardholder names, expiration dates — PCI-DSS 4.0 applies to both the agent and its infrastructure.

NIST published the AI Risk Management Framework in January 2023. It's now referenced by the EU AI Act's technical standards bodies, DoD AI ethics guidelines, the Singapore MAS framework, and dozens of sector-specific AI governance documents. It's become the shared vocabulary for AI risk management — and it's voluntary, which means the organizations that implement it well get a structural advantage when regulators start asking questions.

The framework has four core functions: Govern, Map, Measure, Manage. Each maps directly to how UAPK structures AI agent governance.

DORA — the Digital Operational Resilience Act — became applicable on January 17, 2025. It applies to EU financial entities (banks, investment firms, insurance companies, payment institutions, crypto-asset service providers) and their critical ICT third-party service providers.

If you're an AI vendor providing services to EU financial institutions, or an EU financial institution running your own AI agents, DORA's ICT risk management framework applies to those AI systems.

Brazil's LGPD (Lei Geral de Proteção de Dados) came into force in September 2020. After a grace period, ANPD (Autoridade Nacional de Proteção de Dados) began issuing enforcement actions in 2023. The fines are real, the investigations are real, and the pattern of enforcement is becoming clear.

If your AI agents process personal data of Brazilian residents — including purchasing behavior, CPF numbers, location data, or any other information that identifies an individual — LGPD applies regardless of where your company is headquartered.

China's data regulatory framework has consolidated significantly since 2021: the Personal Information Protection Law (PIPL), the Data Security Law (DSL), the Cybersecurity Law (CSL), and the CAC's regulations on generative AI, algorithmic recommendations, and deep synthesis. Operating AI in China means navigating all of them simultaneously.

The key difference from GDPR: PIPL's cross-border transfer restrictions have teeth that GDPR's currently doesn't. Moving Chinese personal data out of China requires one of three legal mechanisms — and one of them requires prior government approval.

CMMC 2.0 is no longer proposed — it's in the Federal Register and is being phased into DoD contracts through 2026. If you're a defense contractor that uses AI agents to handle Controlled Unclassified Information (CUI), you need CMMC compliance baked into those agents.

The consequence of getting this wrong isn't a fine. It's losing your DoD contracts.

SOX Section 302 requires the CEO and CFO to personally certify that financial reports are accurate and that they've reviewed the controls over financial reporting. Section 906 makes false certifications a criminal offense — up to 20 years in prison.

When an AI agent is generating financial reports, running disclosure checks, or preparing SEC filings, those certifications still apply. The executives signing them need to be able to vouch for the process that produced the numbers.

That's only possible if the AI's actions are auditable, the outputs are traceable to specific data sources, and a human reviewed the result before it was filed.