Creative Genius
Guide · 2026-05-19 · 9 min read

AI security & compliance 2026: SOC 2, ISO 42001, EU AI Act

What AI security and compliance look like in 2026 — SOC 2 considerations, ISO 42001, EU AI Act timelines, data handling, and the controls that matter.

Frameworks that matter in 2026

  • SOC 2 Type II — still the table-stakes ask from US enterprise buyers
  • ISO 42001 — the 2024 AI management system standard, increasingly required in RFPs
  • NIST AI RMF — US public-sector default, voluntary but influential
  • EU AI Act — phased rollout 2025–2027; risk-based classification
  • HIPAA — healthcare-specific, requires BAA chain through AI vendors
  • GDPR / UK GDPR — Articles 22 (automated decisions), 35 (DPIAs for AI)

Data handling controls

  • PII scrubbing on inputs (Presidio, Microsoft PII Detection, custom regex + LLM filter)
  • BAA / DPA in place with every AI vendor processing customer data
  • Customer data isolation in vector stores (per-tenant namespaces or separate indexes)
  • Audit logs of every LLM call: input, output, model, timestamp, user
  • Right-to-delete propagation into vector stores and fine-tuning datasets
  • Encryption in transit (TLS 1.3) and at rest
  • Zero data retention with vendors where possible (OpenAI ZDR, Anthropic ZDR)

Top AI-specific risks

  • Prompt injection: Input filters, output validation, scope-limited tools, never trust LLM output as auth signal
  • Data exfiltration via tool calls: Allowlist tools, sandbox execution, output redaction
  • Hallucination in customer-facing output: RAG with citations, confidence thresholds, escalation paths
  • Model abuse / jailbreak: Output filtering, refusal patterns, rate limits
  • PII leakage in logs: Log redaction, structured logging only, short retention
  • Cost runaways (DoS via expensive prompts): Per-user token budgets, request throttling, cost alerts

EU AI Act timelines

  • February 2025: Prohibited AI practices in force (social scoring, real-time biometric ID, etc.)
  • August 2025: GPAI (general-purpose AI) obligations begin
  • August 2026: High-risk AI system obligations (most B2B AI sits here)
  • August 2027: High-risk AI in regulated products (medical devices, vehicles)

Vendor due diligence checklist

  • SOC 2 Type II report (current within 12 months)
  • BAA / DPA available and signed
  • Data residency options (US / EU / customer-managed)
  • Zero data retention option for sensitive workloads
  • Training data provenance / opt-out
  • Sub-processor list and notification policy
  • Incident response SLA
  • Right-to-delete and audit-log access

Need an AI security review? Talk to us.

FAQs

Do I need ISO 42001 if I'm not in the EU?

Increasingly yes — enterprise buyers in healthcare, financial services, and government are asking. It's the 'SOC 2 of AI' and will likely be table stakes by 2027.

Is OpenAI / Anthropic SOC 2 compliant?

OpenAI Enterprise: SOC 2 Type II, HIPAA BAA. Anthropic: SOC 2 Type II, HIPAA BAA available. Both maintain GDPR-compliant data handling for EU customers.

What happens if the AI hallucinates and harms a customer?

Liability sits with the deploying company, not the model vendor (per current US and EU jurisprudence). Mitigation: guardrails, human-in-the-loop for consequential decisions, clear disclosure to users.

Want this built for your business?

Free 30-minute discovery call. Fixed-price scope after. Full source-code transfer at handoff.

Book a free call