COMPLIANCE MAPPING

Your AI Decisions Need Evidence.
Here’s The Map.

Article-by-article regulatory alignment. Not compliance claims — evidence infrastructure mapping.

AAL provides evidence infrastructure. This is not legal advice or compliance certification.

The compliance window is closing.

Five regulatory events that define the next 12 months for AI governance.

MAR 11, 2026
FTC AI Policy Statement

May preempt state AI laws. OIA monitors and adapts.

JUN 30, 2026
Colorado AI Act SB 24-205

$20,000 per violation per consumer. Affirmative defense requires “recognized risk management framework.”

AUG 2, 2026
EU AI Act Full Enforcement

Articles 9, 12, 13, 14 mandatory. Extraterritorial. Requires automatic logging + human oversight evidence.

ONGOING
Insurance D&O Exclusions

4 carriers excluded AI liability (Jan 2026). Mobley v. Workday: $1.1B class action.

2026
Singapore Agentic AI Framework

New framework validates agent-level accountability. Aligns with AAL architecture.

EU AI Act — Article-by-Article Mapping

How AAL’s settlement infrastructure maps to mandatory high-risk AI requirements.

Art. 9 Risk Management
  Requirement: “Establish, implement, document, and maintain a risk management system”
  AAL Capability: Settlement chain provides per-decision risk documentation
  Evidence: GET /v1/evidence/:chain_id returns complete decision trail

Art. 12 Record-Keeping (Logging)
  Requirement: “High-risk AI systems shall technically allow for the automatic recording of events”
  AAL Capability: Every AI decision auto-generates tamper-evident evidence packets
  Evidence: Hash-chained packets, RFC 3161 timestamps

Art. 13 Transparency
  Requirement: “Designed and developed in such a way to ensure their operation is sufficiently transparent”
  AAL Capability: Settlement receipt provides full decision transparency per query
  Evidence: Settlement receipt API returns Δ1 status per decision

Art. 14 Human Oversight
  Requirement: “Designed and developed so they can be effectively overseen by natural persons”
  AAL Capability: Authorization Layer (L1) enforces human-in-the-loop policies
  Evidence: Authorization tokens with approver identity

Colorado SB 24-205

The first US state AI law with teeth — and an affirmative defense path.

The Law

  Effective: June 30, 2026
  Penalty: $20,000 per violation per consumer
  Key requirement: “Reasonable care” in AI deployment
  Affirmative defense: “Recognized risk management framework”

How Δ1 Maps

  • Each AI decision → Evidence Pack (C1: evidence consumed, C2: intent isolated, C3: signed)
  • Settlement receipt = documentary proof of “reasonable care”
  • Binary: SETTLED = framework applied / UNSETTLED = gap identified
evidence-pack — colorado-defense
# Evidence Pack satisfying CO SB 24-205 affirmative defense
{
  "settlement_id": "ST-2026-0630-CO",
  "status": "SETTLED",
  "framework": "AAL Δ1 Decision Settlement",
  "delta1": {
    "c1": true,
    "c2": true,
    "c3": true
  },
  "applicable_law": "CO SB 24-205",
  "evidence_packets": 5,
  "tsa": "DigiCert SHA-256"
}

NIST AI RMF Alignment

How AAL maps to the four core functions of the NIST AI Risk Management Framework.

NIST Function   AAL Capability                                          Layer
GOVERN          Policy-based authorization (Authorization Layer)        L1
MAP             5-level leakage taxonomy identifies risk surfaces       L0
MEASURE         FLEET benchmark quantifies defense effectiveness        L3
MANAGE          Settlement receipt provides closure + audit evidence    L0–L4

OWASP Agentic AI Top 10

Every risk category in the OWASP Agentic AI Top 10 mapped to an AAL layer.

  1. Excessive Agency: Authorization Layer (L1)
  2. Supply Chain Vulnerabilities: Evidence Sealing Layer (L4)
  3. Insecure Output Handling: Settlement Validation Layer (L0)
  4. Data Poisoning: Model Integrity Layer (L3)
  5. Insufficient Monitoring: Settlement chain auto-logging (L0–L4)
  6. Prompt Injection: Cognitive Governance Layer (L2–L3)
  7. Model Theft: Cognitive Governance Layer (L2)
  8. Insecure Plugin/Tool Use: Authorization Layer (L1)
  9. Denial of Service: Gateway rate limiting + circuit breakers
  10. Improper Error Handling: Settlement receipt captures failures explicitly

Evidence Pack Format

The atomic unit of accountability. One per decision. Automatically generated.

evidence-pack.json
EVIDENCE PACK (simplified)
Per-decision cryptographic evidence:
  Run ID: Unique identifier per decision session
  Hash-chained evidence packets: Tamper-evident, sequential
  Δ1 settlement status: C1 ∧ C2 ∧ C3 = SETTLED
  TSA timestamp: RFC 3161 compliant (pluggable)
  Chain integrity hash: SHA-256, verifiable offline

Evidence Pack = Run ID + Closure Status + Verification Proof. Per decision. Automatically.
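As an added illustration of the evidence-pack structure described above (and of the Colorado evidence pack earlier on the page), not AAL's own code or format: a hypothetical hash-chained pack whose Δ1 status is derived from C1 ∧ C2 ∧ C3 and whose chain integrity hash can be recomputed and checked offline. All field names, the genesis value and the sample payloads are assumptions constructed for this example; the RFC 3161 TSA timestamp is left out.

```python
# Hypothetical evidence-pack builder/verifier: an assumed format, not AAL's real one.
import hashlib
import json

GENESIS = "0" * 64  # constructed: prev_hash of the first packet in a chain

def _packet_hash(prev_hash, payload):
    # Each packet commits to canonical JSON of its payload plus its predecessor's hash.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def build_pack(run_id, payloads, c1, c2, c3):
    # Δ1 status is derived from the three closure conditions, never set by hand.
    packets, prev = [], GENESIS
    for seq, payload in enumerate(payloads):
        h = _packet_hash(prev, payload)
        packets.append({"seq": seq, "prev_hash": prev, "payload": payload, "hash": h})
        prev = h
    status = "SETTLED" if (c1 and c2 and c3) else "UNSETTLED"
    return {"run_id": run_id, "delta1": {"c1": c1, "c2": c2, "c3": c3},
            "status": status, "packets": packets, "chain_hash": prev}

def verify_pack(pack):
    # Offline check: recompute every link, then re-derive the settlement status.
    prev = GENESIS
    for seq, pkt in enumerate(pack["packets"]):
        if pkt["prev_hash"] != prev or _packet_hash(prev, pkt["payload"]) != pkt["hash"]:
            return False, "chain broken at packet %d" % seq
        prev = pkt["hash"]
    if prev != pack["chain_hash"]:
        return False, "chain integrity hash mismatch"
    d = pack["delta1"]
    expected = "SETTLED" if (d["c1"] and d["c2"] and d["c3"]) else "UNSETTLED"
    if pack["status"] != expected:
        return False, "status %s inconsistent with C1/C2/C3" % pack["status"]
    return True, pack["status"]

# Constructed sample: three packets for one decision session
SAMPLE_PAYLOADS = [
    {"step": "evidence_consumed", "sources": ["policy-v3", "ticket-4711"]},
    {"step": "intent_isolated", "intent": "approve_refund", "amount": 120.0},
    {"step": "signed", "approver": "approver@example.test"},
]

def demo():
    pack = build_pack("RUN-CONSTRUCTED-0001", SAMPLE_PAYLOADS, True, True, True)
    tampered = json.loads(json.dumps(pack))  # deep copy, then silently edit one payload
    tampered["packets"][1]["payload"]["amount"] = 12000.0
    return verify_pack(pack)[0], verify_pack(tampered)[0]  # (True, False)
```

A pack whose status field is edited to SETTLED without all three conditions true also fails verification, since the verifier re-derives the status rather than trusting the field.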

Evidence infrastructure for the regulations ahead.

See how settlement maps to your compliance stack. 15 minutes, zero commitment.

AAL provides evidence infrastructure aligned with regulatory requirements. This mapping does not constitute legal advice, compliance certification, or audit attestation. Compliance depends on your organizational controls and deployment context. 12 patents pending (354+ claims). 9 published papers with DOI.