Everything you're already liable for — and the proof each one now demands.
You're not judged against our opinion — you're judged against the standards your buyers, underwriters, and regulators already enforce.
One voluntary framework, four statutes in force, and four regulations phasing in. Most reach your firm indirectly — through the AI vendors you procure — and the obligation lands on you regardless.
| Std | Framework | Jurisdiction | Status | Penalty | Needed | At stake |
|---|---|---|---|---|---|---|
| 01 | NIST AI Risk Management Framework (AI RMF 1.0 + Generative AI Profile) | US · NIST | Voluntary | Reference standard | A continuous Govern–Map–Measure–Manage cycle, with documented evidence at each function. | Absence of NIST mapping is now itself an examination finding in regulated industries. |
| 02 | NYC Local Law 144 (automated employment decision tools) | NYC · DCWP | In force | $500–1,500 / day | An independent annual bias audit, a public summary, and a 10-day candidate notice. | $500–1,500 per day, per tool — and a failed audit becomes discovery in any disparate-impact suit. |
| 03 | NY DFS Part 500.11 (third-party provider security policy) | NY · DFS | In force | $1k–250k / violation | A written third-party security policy covering every AI vendor that touches nonpublic data. | $1k–250k per violation, plus consent-order remediation that routinely runs seven figures. |
| 04 | SR 11-7 / OCC Bulletin 2011-12 (model risk management for banks) | US · Fed · OCC | In force | Examination finding | Independent model validation, ongoing monitoring, and a model inventory under three lines of defense. | MRA / MRIA findings that block M&A approvals and cost $5–25M to resolve. |
| 05 | EU AI Act · Article 6 (high-risk AI system obligations) | EU · 27 states | Phasing in | €15M / 3% global rev | Human oversight, post-market monitoring, and a fundamental-rights impact assessment for high-risk uses. | Up to €15M or 3% of global turnover — and member states can pull the system off the EU market. |
| 06 | Colorado AI Act, SB24-205 (consequential decision systems) | CO · State AG | Eff. Feb '26 | $20k / violation | An AI risk-management policy, an annual impact assessment, and consumer opt-out on consequential decisions. | $20k per violation, enforced by the Colorado Attorney General, plus class-action exposure. |
| 07 | Illinois HB 3773 (AI in employment decisions) | IL · IDHR | Eff. Jan '26 | Civil-rights action | Notice to employees and applicants whenever AI informs an employment decision, with no discriminatory effect. | Civil-rights claims via IDHR plus a private right of action — and Illinois class exposure. |
| 08 | HIPAA Security & Privacy Rules (business-associate duties for AI vendors) | US · HHS · OCR | In force | $100–50k / violation | A signed BAA and Security Rule controls before any PHI reaches an AI vendor. | $100–50k per violation, plus breach-notification liability the vendor TOS will not cover. |
| 09 | SOC 2 Type II (Trust Services Criteria · TSC 2017) | US · AICPA | Voluntary | Lost deals | An independent annual examination against the five Trust Services Criteria. | Not a fine — lost enterprise deals and stalled cyber-insurance renewals. |
These legal doctrines sit beneath the regulations above. They determine where the liability lands when an AI system fails — and they are the reason Soma's signed Attestation exists.
Directors carry personal liability when the firm lacks a functioning system to oversee a mission-critical risk. Post-Marchand, AI vendors qualify. Absence of oversight records is not neutral — it is evidence of failure.
When a vendor's tool produces statistically adverse outcomes for a protected class, the employer pays — intent is irrelevant. Vendor terms disclaim it; the EEOC confirms the obligation does not transfer. Documented independent oversight is the only defense.
Claiming AI governance you cannot substantiate — in an RFP, an ESG report, or on an earnings call — is now a deceptive trade practice. An independent attestation on file is the substantiation regulators now demand.
Summarized for the procurement and compliance teams who answer the regulator's letter — not the vendor lawyers who draft them.
The definitive blueprint for organizing AI risk into four distinct pillars — Govern, Map, Measure, and Manage. It serves as the standard translation layer between your technical infrastructure and corporate risk, and anchors every Soma engagement.
Demands an independent, annual bias audit published directly to the corporate web footprint. Vendor-level safe harbors do not shield the employer from daily statutory penalties.
Imposes rigorous, independent third-party risk-management controls. Financial firms must verify exactly where vendor-integrated AI systems touch non-public consumer data.
Imposes strict data governance, technical logging, and human-oversight obligations on systems categorized as "High-Risk" — backed by penalties scaled to global turnover.
Soma Governance maintains strict independent auditor status as outlined by municipal guidelines and international risk-attestation standards. This demarcation is absolute.
This strict separation ensures our signed attestations retain complete legal and commercial validity when handed to an enterprise buyer, an underwriter, or a state regulator.