The Complete AI Compliance
Checklist for 2026

ISO 42001 establishes the requirements for an AI Management System (AIMS). Unlike a point-in-time audit, it demands a continual improvement cycle across governance, risk, operations, and performance evaluation. The 10 items below represent the highest-impact requirements for initial implementation. For the complete 93-item clause-by-clause checklist, see our dedicated ISO 42001 checklist page.

• Define your AIMS scope and AI policy Clauses 4 & 5 — Document which AI systems are in scope, appoint top management accountability, and publish a signed AI policy committing to responsible AI development.
• Complete an AI risk and impact assessment Clause 6 — Identify risks posed by each AI system in scope, assess probability and severity of harms, and document opportunities alongside risks.
• Set measurable AI objectives aligned to policy Clause 6.2 — Define specific, time-bound AI objectives (e.g., bias audit completion rate, model card publication) with named owners and success metrics.
• Allocate resources and establish AI competency Clause 7 — Ensure personnel working on AI systems have documented competence. Maintain training records. Communicate AI governance expectations across the organization.
• Implement AI system lifecycle controls Clause 8 — Document operational planning for each AI system from development through decommission. Apply controls for data quality, model testing, and change management.
• Manage third-party AI suppliers and partners Clause 8.4 — Assess AI-related risks in your supply chain. Ensure suppliers meet AIMS requirements through contracts, audits, or third-party attestations.
• Monitor and measure AI system performance Clause 9 — Establish KPIs for AI system behavior (accuracy, fairness, drift). Conduct periodic evaluations and document results. Feed findings into management review.
• Conduct an internal ISO 42001 audit Clause 9.2 — Schedule and complete an internal audit against all Annex A controls before any third-party certification assessment. Document findings and corrective actions.
• Complete a management review of the AIMS Clause 9.3 — Hold a formal management review at planned intervals. Review audit results, objective progress, and resource adequacy. Document decisions and action items.
• Address nonconformities and drive continual improvement Clause 10 — When a nonconformity is found, document root cause, implement corrective action, and verify effectiveness. Log improvements to the AIMS over time.

The EU AI Act is the world's first comprehensive AI regulation. Obligations scale by risk tier. All EU AI Act-covered organizations must first classify their systems; from there, high-risk systems (Annex III) face the most extensive requirements. Prohibited practices have been banned since February 2, 2025. Full high-risk obligations apply from August 2, 2026.

• Classify all AI systems by risk tier Determine whether each system is prohibited, high-risk (Annex III), limited-risk, or minimal-risk. Document the classification rationale. This step unlocks all subsequent obligations.
• Cease any prohibited AI practices immediately Banned since Feb 2, 2025: real-time remote biometric surveillance in public, social scoring by governments, emotion recognition in workplaces/schools, manipulative subliminal techniques, and AI-based exploitation of vulnerabilities.

• Implement a risk management system Article 9 — Establish a continuous risk management process throughout the AI system lifecycle. Identify, estimate, evaluate, and adopt risk mitigation measures.
• Establish data governance practices Article 10 — Training, validation, and testing data must be subject to data governance including relevance, representativeness, and freedom from bias. Document data lineage.
• Create and maintain technical documentation Article 11 & Annex IV — Prepare technical documentation before placing the system on the market. Includes system description, design logic, training data specs, and validation results.
• Enable logging and record-keeping Article 12 — High-risk AI systems must automatically log events throughout operation sufficient to ensure traceability. Deployers must retain logs for at least 6 months.
• Provide transparency and user instructions Article 13 — High-risk AI must be sufficiently transparent for deployers to interpret output and use it appropriately. Provide instructions for use, including limitations and foreseeable misuse.
• Implement human oversight measures Article 14 — Design systems to enable effective human oversight. Humans overseeing the system must be able to understand its capabilities, detect failures, intervene, and override outputs.
• Conduct a conformity assessment and affix CE marking Article 43 — Before market placement, complete a conformity assessment (self-assessment or third-party). Affix CE marking, draw up EU Declaration of Conformity, and register in the EU database.
• Establish post-market monitoring and incident reporting Article 72 — Providers must actively monitor deployed high-risk AI systems and report serious incidents to national authorities without undue delay (within 15 days for deaths/serious harm).

The reenacted law applies to deployers that use ADMT to make, or be a substantial factor in, a consequential decision affecting a Colorado consumer — in employment, education, housing, financial/lending services, insurance, health care, or essential government services. It reaches any business serving Colorado consumers, regardless of where the company is headquartered. If you use a third-party AI tool that drives those decisions, you are a deployer.

• Inventory the automated decision-making technology (ADMT) you use Map every system that makes, or is a substantial factor in, a consequential decision affecting Colorado consumers. Include vendor-provided tools. Prioritize employment, lending, housing, insurance, education, health care, and government-services contexts.
• Give consumers pre-use notice that ADMT is involved Before (or at the time of) a consequential decision, tell the consumer that automated decision-making technology is being used to make or substantially influence it.
• Explain adverse decisions When the outcome is adverse to the consumer, provide a plain-language statement of the principal reasons, the type of data used, and the source of that data. The reenacted law contemplates this disclosure on request and within a defined window.
• Let consumers correct the data used about them Provide a route for a consumer to review and correct inaccurate personal data that the ADMT relied on for a consequential decision.
• Offer human review of adverse decisions Give consumers the right to request meaningful human review and reconsideration of an adverse consequential decision made by ADMT.
• Keep records for three years Retain the documentation supporting your ADMT notices, explanations, and consumer requests for at least three years.
• Collect developer documentation from your AI vendors Developers must give deployers the information needed to provide these disclosures. Confirm your vendors supply system documentation, intended uses, and the data categories involved.
• Good practice (no longer mandatory): keep your governance documentation Impact assessments, a NIST AI RMF / ISO 42001 program, and bias testing are no longer legally required in Colorado and no longer a statutory safe harbor — but they remain strong evidence of diligence and are still required by other regimes (EU AI Act, NYC LL 144).

The NIST AI Risk Management Framework (AI RMF 1.0) organizes AI risk management into four core functions: Govern, Map, Measure, and Manage. While voluntary, it is referenced in federal procurement, increasingly incorporated into sector regulations, and provides excellent scaffolding for organizations building toward EU AI Act or Colorado AI Act compliance. The 8 items below cover the highest-impact actions across all four functions.

• GOVERN: Establish AI governance policies and accountability Define organizational policies for responsible AI development and deployment. Assign accountability at the executive level. Document roles and responsibilities across the AI lifecycle.
• GOVERN: Create a culture of AI risk awareness Train all teams involved with AI systems on risk concepts, ethical considerations, and the organization's AI policies. Include technical, product, legal, and procurement staff.
• MAP: Categorize and contextualize AI risks For each AI system, document its intended use, affected stakeholders, deployment context, and the potential harms. Use this context to prioritize risk management resources appropriately.
• MAP: Identify and engage affected stakeholders Map internal and external parties affected by AI system decisions. Include end users, impacted communities, and third-party partners. Gather input on values and concerns before deployment.
• MEASURE: Evaluate AI risks with quantitative and qualitative methods Use a combination of testing, red-teaming, benchmarking, and bias evaluation to measure AI risks. Document methodologies, results, and any residual risks accepted after mitigation.
• MEASURE: Track trustworthiness characteristics over time Monitor accuracy, fairness, explainability, privacy, robustness, and security of AI systems post-deployment. Establish baselines and alert thresholds for drift or degradation.
• MANAGE: Prioritize and treat identified AI risks Implement mitigation controls for risks prioritized in the Map and Measure stages. Document treatment decisions, including accepted residual risks with named risk owners.
• MANAGE: Establish incident response for AI failures Create an AI incident response plan covering detection, triage, escalation, stakeholder communication, and post-incident review. Test the plan at least annually. Link to your broader risk management program.

Regardless of which specific regulations apply to your organization, these 10 items represent baseline AI governance that every organization deploying AI systems should complete. They underpin compliance with every framework above and build the organizational maturity that makes regulatory compliance sustainable rather than a one-time scramble.

• Maintain a complete AI system inventory Know every AI system in use across your organization — including embedded AI in SaaS tools, vendor-provided models, and internally built systems. Inventory is the foundation of all compliance work.
• Assign an AI governance owner or committee Designate a named individual or cross-functional committee responsible for AI governance. Without clear ownership, compliance tasks fall through the cracks under deadline pressure.
• Publish an AI use policy for employees Create and distribute an internal policy covering approved and prohibited uses of AI tools, data handling requirements, and escalation paths for novel AI use cases. Review annually.
• Implement AI-specific data governance Extend your data governance framework to cover AI training data, inference data, and model outputs. Address data quality, consent, retention, and cross-border transfer requirements.
• Conduct AI bias and fairness testing before deployment Test every AI system that affects individuals for demographic bias before go-live. Document the methodology, datasets used, results, and any remediation actions taken. See AI bias audit guidance.
• Create model cards or system cards for significant AI systems Document each significant AI system's intended use, training approach, performance characteristics, limitations, and known biases. Make model cards available to downstream deployers and affected parties.
• Ensure meaningful human oversight for consequential decisions For decisions that materially affect people (hiring, lending, healthcare triage), ensure a human can understand, challenge, and override AI outputs. Document the oversight mechanism and train the responsible staff.
• Review AI vendor contracts for compliance obligations Ensure contracts with AI vendors address: data processing terms, bias testing obligations, audit rights, incident notification requirements, and liability allocation. Renegotiate gaps before deadline pressure forces concessions.
• Establish an AI incident log and lessons-learned process Track all AI-related incidents, near-misses, and unexpected outputs. Review the log quarterly. Feed findings into your risk management process and model retraining decisions.
• Schedule annual regulatory horizon scanning The AI regulatory landscape is evolving rapidly. Assign someone to monitor new legislation, guidance, and enforcement actions — in your jurisdictions and globally — at least annually. Use resources like Regulome Observatory to stay current.