Free tool
AI regulation tracker
A working list of the AI regulations Prism and Prism X are designed against. Status, effective date, scope, and a link to the issuing regulator. No gating, no email capture.
Last updated: May 11, 2026. Reviewed monthly. If a regulation is missing, email hello@blockconvey.com.
| Regulation | Jurisdiction | Status | Effective | Scope | Source | Prism bundle |
|---|---|---|---|---|---|---|
| EU AI Act (Regulation 2024/1689) | EU | Phasing in | Aug 2024 → Aug 2027 | Horizontal AI regulation. High-risk AI in credit, insurance, employment, medical devices. | EUR-Lex | See mapping |
| DORA (Regulation 2022/2554) | EU | In force | Jan 17, 2025 | ICT operational resilience for EU financial services. AI treated as ICT service. | EUR-Lex | See mapping |
| GDPR (Regulation 2016/679) | EU | In force | May 25, 2018 | General data protection. Article 22 covers automated decisioning. | EUR-Lex | See mapping |
| NY DFS 23 NYCRR Part 500 | US State | In force | March 2017 (AI amendments 2023) | Cybersecurity for NY-licensed financial entities. Now covers AI explicitly. | NY Department of Financial Services | See mapping |
| NAIC AI Model Bulletin | US State | Phasing in | State-by-state from 2024 | Insurer use of AI in consumer-impacting decisions. 25+ states adopted. | NAIC | See mapping |
| CFPB AI / ECOA / Reg B guidance | US Federal | In force | ECOA 1974; AI guidance Sep 2023 | Specific reasons for adverse action by AI lenders. | CFPB | See mapping |
| Model Risk Management — Revised Guidance (supersedes SR 11-7 and SR 21-8) | US Federal | In force | May 2026 (supersedes SR 11-7, April 2011) | Interagency revised guidance on model risk management. Risk-based and tailored. Expressly applies to AI / LLM systems used in credit, fraud, AML, and capital decisions. | Federal Reserve Board, OCC, FDIC | See mapping |
| NIST AI RMF (AI 100-1) | US Federal | Voluntary | Jan 2023 | Voluntary AI risk-management framework. Federal-procurement baseline. | NIST | See mapping |
| ISO/IEC 42001 | Global | In force | Dec 2023 | First auditable AI management-system standard. | ISO | See mapping |
| HIPAA (Privacy and Security Rules) | US Federal | In force | Privacy Rule 2003; Security Rule 2005 | PHI handling. Applies to AI processing health data. | HHS | See mapping |
| SOX Section 404 (and AS 2201) | US Federal | In force | Sept 2002 | ICFR for public companies. AI in financial reporting in scope. | SEC / PCAOB | See mapping |
| PCI DSS 4.0 | Global | In force | March 31, 2025 (mandatory) | Cardholder data handling. AI in CHD pipelines in scope. | PCI SSC | See mapping |
| Colorado AI Act (SB 24-205) | US State | Proposed | Feb 2026 (current schedule) | High-risk AI in consequential decisions. Mirrors EU AI Act structure. | Colorado General Assembly | — |
| Texas Responsible AI Governance Act (TRAIGA) | US State | Proposed | Pending | Algorithmic discrimination prevention; high-risk AI category. | Texas Legislature | — |
| UK AI regulation (pro-innovation white paper) | UK | Voluntary | March 2023 | Sector-led AI regulation through existing UK regulators (FCA, ICO, CMA). | UK Department for Science, Innovation and Technology | — |