19 posts tagged with "Policy Enforcement"

Most AI governance frameworks were written with predictive AI in mind: a model that takes inputs and produces outputs, with humans reviewing outputs before acting. The Singapore framework published in January 2026 is different. MAS and IMDA wrote it specifically for agentic AI — autonomous systems that plan, take multi-step actions, and interact with external systems without step-by-step human oversight.

It's the most direct regulatory guidance for the type of AI agents that organizations are actually deploying in 2026. And its four concepts apply universally — not just in Singapore.

The Children's Online Privacy Protection Act has been consistently enforced by the FTC for 25 years. COPPA violations regularly result in the largest per-violation penalties in US privacy law: up to $51,744 per violation as of 2023. For AI systems that collect data from or target content to children under 13, there is no equivalent risk-adjusted situation anywhere else in US privacy regulation.

The FTC has made clear that the "general audience" defense — "we didn't know children were using our platform" — requires demonstrating concrete age-verification measures, not just a terms-of-service statement.

The UAPK qualification funnel has a single framework that triggers for every deployment, regardless of answers: ISO 27001. It's not a coincidence. ISO 27001 is the information security management baseline that every other framework assumes you have in place.

GDPR references ISO 27001 as a baseline security measure. The EU AI Act's technical standards bodies have referenced it. HIPAA's Security Rule was modeled on its structure. SOC 2's Trust Service Criteria map directly to ISO 27001 domains. If you're going to comply with any specialized framework, you need ISO 27001 as the foundation.

NIST published the AI Risk Management Framework in January 2023. It's now referenced by the EU AI Act's technical standards bodies, DoD AI ethics guidelines, the Singapore MAS framework, and dozens of sector-specific AI governance documents. It's become the shared vocabulary for AI risk management — and it's voluntary, which means the organizations that implement it well get a structural advantage when regulators start asking questions.

The framework has four core functions: Govern, Map, Measure, Manage. Each maps directly to how UAPK structures AI agent governance.

China's data regulatory framework has consolidated significantly since 2021: the Personal Information Protection Law (PIPL), the Data Security Law (DSL), the Cybersecurity Law (CSL), and the CAC's regulations on generative AI, algorithmic recommendations, and deep synthesis. Operating AI in China means navigating all of them simultaneously.

The key difference from GDPR: PIPL's cross-border transfer restrictions have teeth that GDPR's currently doesn't. Moving Chinese personal data out of China requires one of three legal mechanisms — and one of them requires prior government approval.

CMMC 2.0 is no longer proposed — it's in the Federal Register and is being phased into DoD contracts through 2026. If you're a defense contractor that uses AI agents to handle Controlled Unclassified Information (CUI), you need CMMC compliance baked into those agents.

The consequence of getting this wrong isn't a fine. It's losing your DoD contracts.

The Bank Secrecy Act has been around since 1970. FinCEN's expectations for AI-assisted transaction monitoring are not new — the 2021 guidance on AML program effectiveness explicitly called out model risk management and audit trail requirements for automated transaction monitoring systems.

If your AI agent initiates, approves, routes, or monitors financial transactions, AML/BSA requirements apply. There's no AI carve-out.

August 2, 2026. That's when Article 6 obligations for high-risk AI systems under Annex III of the EU AI Act become enforceable. If you're deploying AI agents in any of the eight Annex III categories, you have months — not years — to get compliant.

The categories are broader than most teams expect.

GDPR Article 22 is the one provision most AI teams misread. It says EU data subjects have the right not to be subject to "a decision based solely on automated processing" that produces legal or similarly significant effects on them.

The common misreading: "our AI only makes recommendations, so Article 22 doesn't apply."

The problem: regulators and courts have steadily expanded what counts as a "significant effect." A loan denial, an insurance quote, a job screening shortlist, a fraud flag that freezes an account — all of these have been held to trigger Article 22 rights. If your AI agent's output feeds directly into a decision that affects a person's access to money, services, or employment, you are likely in scope.