v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

AI compliance

AI compliance is the practice of aligning AI systems and the processes around them with applicable laws, regulations and standards.

CASRAI research-methods explainer — AI compliance

What AI compliance involves

AI compliance begins by identifying which obligations apply to a given system, since these vary by jurisdiction, sector and use case. Obligations may come from dedicated AI regulation (for example the EU AI Act’s risk tiers), from existing law on data protection, consumer rights or non-discrimination, and from standards an organisation has committed to. The obligations are then mapped to concrete controls — documentation, testing, human oversight, transparency notices — and evidence is gathered to show those controls operate. Compliance is therefore an ongoing mapping-and-evidence exercise, not a one-time declaration.

The regulatory landscape

The landscape is layered and evolving. Dedicated AI regulation such as the EU AI Act sets obligations that scale with risk, from minimal-risk uses to high-risk and prohibited categories. Pre-existing laws on privacy, equality and safety continue to apply to AI. Voluntary standards — the NIST AI RMF and ISO/IEC 42001 — provide structured ways to meet and evidence many of these expectations, and may be referenced by regulators. Because requirements differ across regions and change over time, compliance is treated as a moving target tracked continuously rather than settled once.

Compliance within governance

Compliance and governance are related but distinct. AI governance is the broad operating model — frameworks, roles and processes — for directing and controlling AI. Compliance is the narrower task of demonstrating that this model satisfies specific external requirements. A well-governed organisation usually finds compliance more tractable, because the documentation, risk assessments and audit trails governance produces are exactly the evidence regulators expect. Standards such as ISO/IEC 42001 are popular partly because their controls map readily onto common regulatory expectations.

Key facts

At a glance

  • Definition: aligning AI systems and processes with applicable laws, regulations and standards
  • Sources: dedicated AI law, existing law, voluntary standards
  • Example regulation: EU AI Act (risk-tiered obligations)
  • Supporting standards: NIST AI RMF, ISO/IEC 42001
  • Activity: map obligations to controls; produce evidence
  • Relation: compliance is one outcome of broader AI governance

Common misconceptions

What people often get wrong

Often heard: AI compliance just means following the EU AI Act.

Actually: The EU AI Act is one source among many. Compliance also covers existing laws on data protection, equality and safety, plus any standards an organisation has adopted, and obligations differ by jurisdiction and use case.

Often heard: If a system is technically accurate, it is compliant.

Actually: Compliance concerns alignment with legal and standards obligations — documentation, transparency, oversight, risk management — not accuracy alone. A high-performing system can still fail required controls.

Often heard: Compliance is a one-off sign-off before launch.

Actually: Obligations change and systems drift, so compliance is maintained continuously. Evidence must be kept current and reassessed as regulation evolves and the system or its context changes.
