AI Compliance Hub

See what AI laws apply to you.

Applicability

Most laws start with what the AI does to people.

The same model can be low pressure in one workflow and heavily regulated in another. The practical question is whether AI affects access, opportunity, money, care, housing, work, education, or a customer’s understanding of who they are dealing with.

Usually higher scrutiny

Employment, lending, insurance, healthcare, housing, education, public benefits, and other decisions that affect access to important opportunities.

Transparency still matters

Customer-facing chat, generated content, recommendations, and workflows where people should know when AI is involved.

Governance baseline

Internal productivity tools may be lower risk, but still need inventory, data handling, access limits, and audit evidence.

Current Status

Enforcement is live. The clock is already running.

The EU AI Act is in force. California ADMT regulations took effect January 2026. NYC AEDT penalties accrue daily. Use this table to understand where obligations are active and where to focus first.

| Rule | Status | Where it points | Source |
| --- | --- | --- | --- |
| EU AI Act (EU / EEA) | In force, staged application. Prohibited practices and AI literacy already apply. Transparency rules apply from August 2026. Many Annex III high-risk rules are staged for December 2027. | High-risk areas such as employment, education, critical services, certain biometrics, and access to essential services. | |
| Colorado SB26-189 (United States / Colorado) | Current official bill to track. The official bill page is the source of record for Colorado automated decision-making technology changes. | Consequential decision workflows, especially where AI influences employment, finance, healthcare, housing, education, or similar access decisions. | |
| California CCPA / ADMT (United States / California) | Regulations complete. The CPPA lists the CCPA updates covering risk assessments, cybersecurity audits, ADMT, and insurance as effective January 1, 2026. | Covered businesses using automated decisionmaking technology, personal information, or significant decision workflows. | |
| NYC AEDT (United States / New York City) | In force. NYC DCWP is the official source for automated employment decision tool requirements. | Employers and employment agencies using covered automated tools for hiring or promotion decisions in NYC. | |
| UK AI regulation approach (United Kingdom) | Principles-led, sector-led. The UK approach relies on existing regulators and cross-cutting principles rather than a single comprehensive AI Act. | Organizations should evaluate sector duties, data protection, safety, fairness, accountability, and contestability expectations. | |
| Canada AIDA (Canada) | Archived proposal, monitor next steps. The Government of Canada page says there is currently no AI-specific regulatory framework in Canada and describes AIDA as proposed legislation. | Use as a watch item for high-impact AI governance, safety, non-discrimination, recordkeeping, and monitoring expectations. | |
| NIST AI RMF (United States / voluntary framework) | Voluntary alignment framework. NIST AI RMF organizes AI risk management around Govern, Map, Measure, and Manage. | Useful as a governance backbone for organizations preparing for audits, buyers, regulators, and internal risk review. | |

The Better Way

Compliance should feel like air traffic control, not a paper chase.

Paper programs prove what you meant to do. Iron Gorilla helps show what actually happened: which AI acted, which policy applied, who approved the step, and what evidence was preserved.

Operational Controls

We help turn compliance requirements into visible operating controls.

01

Know what AI is in use

AI inventory, use-case classification, vendor visibility

How Iron Gorilla helps

Centralizes agent, model, tool, connector, and workflow visibility so teams can classify the system before it becomes shadow AI.

02

Prevent risky actions before they happen

Policy controls, least privilege, data protection, prohibited-use controls

How Iron Gorilla helps

Checks policy before agent actions execute and helps keep data movement, tool use, and approvals inside defined boundaries.

03

Keep humans in the loop

Human oversight, appeal support, adverse-decision review

How Iron Gorilla helps

Routes consequential or unusual actions to human approval and preserves who reviewed what, when, and why.

04

Prove what happened

Audit logs, traceability, incident review, regulator-ready evidence

How Iron Gorilla helps

Captures policy decisions, trace IDs, action history, and replayable evidence so teams can investigate and report from facts.

Inventory

Know which agents, models, vendors, and workflows exist before they affect people.

Boundaries

Keep actions inside policy, scope connectors, classify data, and apply least privilege.

Oversight

Route consequential, unusual, or low-trust actions to human approval before they proceed.

Evidence

Preserve trace IDs, approvals, decisions, and replayable audit trails for review.

AI regulation is live. Operate with evidence.