7 posts tagged with "Qualification Funnel"

Filtering compliance frameworks to the relevant subset

Building Your First UAPK Manifest: A Step-by-Step Guide

· 6 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

The fastest path from zero to a governed AI agent is: run the qualification funnel → get your framework list → configure a manifest → register it → make a call. This post walks through each step with real examples.

If you're impatient, the manifest for a simple US SaaS agent is at the bottom of this post. For everyone else, starting with the qualification funnel means you understand why each field is configured the way it is.

Canada's Bill C-27: CPPA and AIDA — Privacy Reform and the First Canadian AI Law

· 6 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

Canada's Bill C-27 is moving through Parliament with two pieces that will affect any company operating AI in Canada: the Consumer Privacy Protection Act (CPPA) replacing PIPEDA, and the Artificial Intelligence and Data Act (AIDA) — Canada's first AI-specific legislation.

The CPPA modernizes Canadian privacy law along GDPR lines. AIDA creates obligations specifically for "high-impact" AI systems, with significant parallels to the EU AI Act's structure. For companies already navigating GDPR and the EU AI Act, the Canadian framework is familiar but has distinct elements.

ISO 42001: The AI Management System Standard

· 5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

ISO/IEC 42001:2023 — published December 2023 — is the first international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for establishing, implementing, maintaining, and continuously improving AI governance within organizations. Think of it as ISO 27001, but with AI as the subject rather than information security.

For organizations subject to the EU AI Act, Singapore's AI Verify framework, or any regulator that accepts ISO standards as evidence of conformance, ISO 42001 is becoming the certification path of choice. The standard was built to align with other ISO management system standards (ISO 27001, ISO 9001) — if your organization already has one, the implementation effort for ISO 42001 is substantially lower.

Compliance Framework Monitoring: Keeping Your AI Agent Policy Current as Regulations Change

· 5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

Compliance is not a one-time event. Regulations get amended. Enforcement guidance clarifies what the law actually means in practice. Technical standards get updated. Courts issue rulings that change how rules are interpreted. Regulatory deadlines pass and new ones appear.

An AI agent manifest written in January 2026 may need to be updated by December 2026 because one of its frameworks changed. The question is whether you find out proactively — before a regulator does — or reactively.

Singapore's Agentic AI Framework: The Most Forward-Looking AI Governance Document in Force

· 5 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

Most AI governance frameworks were written with predictive AI in mind: a model that takes inputs and produces outputs, with humans reviewing outputs before acting. The Singapore framework published in January 2026 is different. MAS and IMDA wrote it specifically for agentic AI — autonomous systems that plan, take multi-step actions, and interact with external systems without step-by-step human oversight.

It's the most direct regulatory guidance for the type of AI agents that organizations are actually deploying in 2026. And its four concepts apply universally — not just in Singapore.

Multi-Framework AI Compliance: How Global Enterprises Handle 12+ Overlapping Regulations

· 4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

A global financial services company operating in New York, London, Frankfurt, Sydney, and Singapore doesn't get to choose which regulations apply. They all apply simultaneously. SOX + GDPR + HIPAA + MiFID II + FCA + DORA + NIS2 + AML + PCI-DSS + ISO 27001 + NIST CSF + SOC 2.

The question isn't "which ones do we need to comply with." The question is "how do we build a single governance architecture that satisfies all of them without creating 12 separate compliance silos."

The answer is that most frameworks require the same underlying controls — they just describe them differently and attach different evidence requirements.

Which Compliance Frameworks Actually Apply to Your AI Agent?

· 4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

There are 39 compliance frameworks that could apply to your AI agent deployment. GDPR, HIPAA, MiCA, CMMC 2.0, LGPD, NIS2, DORA, SOX, the EU AI Act — the list keeps growing as regulators catch up to autonomous software.

The honest answer to "which ones apply to me?" is: almost certainly not all of them. A Brazilian e-commerce company processing Pix payments has almost nothing in common with a UK investment manager running algorithmic trades under MiFID II. But both will find themselves staring at the same overwhelming list if they don't have a way to filter it.

UAPK's compliance qualification funnel reduces 39 frameworks to the 5–8 relevant to your context using four questions. Here's how it works — and why those four questions are enough.