Heading to Blackhat? Let's talk.
Free tool · Compliance & risk teams resources / 01

AI Compliance
Readiness Checklist.
36 controls. 7 frameworks.

An interactive workbook that maps thirty-six controls across the EU AI Act, NIST AI RMF, ISO/IEC 42001, GDPR, SEC S-K Item 106, HIPAA, and SOC 2 — so your team knows exactly where you stand, and what to remediate before the auditor asks.

  • 36 controls across 6 compliance domains
  • Every control mapped to EU AI Act, NIST, ISO 42001, GDPR & SEC
  • Built-in progress dashboard with live completion tracking
  • Owner, target date, and evidence fields for each control
  • Framework cross-reference map for multi-framework audits

Download the free checklist

Instant access to the interactive workbook. Used by compliance and risk teams preparing for EU AI Act and ISO 42001 audits.

36
Actionable controls with guidance, owner fields, and evidence requirements.
7
Compliance frameworks mapped — EU AI Act, NIST, ISO 42001, GDPR, SEC, HIPAA, SOC 2.
49%
of employees use unapproved AI tools with no governance visibility.BlackFog / CIO, 2026
Aug 2026
EU AI Act compliance deadline for high-risk AI systems.Regulation (EU) 2024/1689
The case

The regulatory window is closing.

The EU AI Act compliance deadline for high-risk systems lands in August 2026. Organizations that suffered AI-related breaches in 2025 were disproportionately those without a formal AI governance policy in place at the time of incident.

Nearly half of public companies now disclose AI risk as a board oversight item — triple the prior-year rate. Procurement diligence is moving faster than regulation.

Organizations without a structured compliance program are no longer just facing regulatory exposure; they are quietly failing enterprise procurement reviews before deals reach legal.

63%
of organizations with an AI-related breach had no AI governance policy at the time of incident.
What’s inside

Six domains. Thirty-six controls. One workbook.

Each control includes the specific action, the framework rationale, and fields for owner, target date, status, and evidence — ready to populate, ready to present to a board.

D / 01 06 controls

AI inventory & usage visibility

AI system inventory, third-party API cataloguing, shadow-AI detection, EU AI Act risk classification, technical documentation, and function-level usage tracking.

EU AI Act Art. 9 ISO 42001 §8.1 NIST: Map
D / 02 06 controls

AI policy & governance

Formal AI usage policy, risk-ownership roles, ERM integration, board-level risk appetite, AI governance committee, and SEC board-oversight documentation.

NIST: Govern ISO 42001 §5 SEC S-K Item 106
D / 03 06 controls

Data privacy & compliance

DPIAs for personal-data AI, cross-border data-flow mapping, data minimization, human oversight for automated decisions, vendor DPAs, and audit-trail maintenance.

GDPR Art. 22 EU AI Act Art. 26 HIPAA
D / 04 06 controls

AI incident detection & response

Continuous AI-usage monitoring, AI-specific incident categories, IRP integration, sensitive-data logging, high-risk-usage alerting, and annual AI tabletop exercises.

NIST: Measure / Manage EU AI Act Art. 62 SEC Cyber Rule
D / 05 06 controls

Third-party & supply-chain risk

AI Bill of Materials, vendor governance due diligence, embedded SaaS-AI classification, contractual incident notification, open-source model risk, and real-time third-party monitoring.

EU AI Act Art. 28 ISO 42001 §8.4 NIST: Map
D / 06 06 controls

Audit readiness & board reporting

Quarterly board AI risk register, annual maturity assessment, evidence portfolios for high-risk systems, sanctioned vs. unsanctioned usage reports, AI literacy tracking, and continuous improvement cycles.

ISO 42001 §9 SEC S-K Item 106 EU AI Act Art. 61
Coverage

Every control mapped to the frameworks that matter.

A single column per regulation — scope a multi-framework audit without rebuilding the spreadsheet for each one.

EU AI Act
Reg. 2024/1689
Risk-tiered AI obligations
NIST
AI RMF 1.0
Govern · Map · Measure · Manage
ISO 42001
ISO/IEC 42001:2023
AI management system standard
GDPR
Reg. 2016/679
Automated decisioning & data flows
SEC S-K
Item 106
Board oversight disclosure
HIPAA
45 CFR 164
PHI handled by AI systems
SOC 2
TSC 2017
Trust services criteria
Who it’s for

Built for the teams accountable for AI compliance.

For organizations operating in regulated or public-company environments — where “we are still scoping it” is no longer an acceptable answer to the auditor.

Compliance & risk teams

Use the checklist as your primary AI compliance workstream tracker. The built-in dashboard gives real-time visibility into domain-level completion for quarterly board reporting.

Primary use → Board reporting

CISOs & security leaders

Align AI security controls with regulatory obligations. The framework map lets you demonstrate to auditors that your security program satisfies NIST AI RMF, ISO 42001, and the EU AI Act simultaneously.

Primary use → Audit defense

Legal, DPO & general counsel

Use the GDPR, EU AI Act, and SEC columns to scope your legal exposure, identify DPA gaps, and build the evidence portfolio needed for regulatory inspections and M&A due diligence.

Primary use → Legal scoping

Know your AI compliance posture before your auditor does.

Free. Interactive. Covers every major framework. Download the workbook and start your assessment today.