Every AI pilot we've seen die in 2025 and 2026 died at the compliance gate, not the technology gate. The model worked. The prompts ran. The data was great. And then InfoSec asked a question nobody had a written answer to.
1. The gap between “AI capability” and “AI compliance”
The default trajectory of an enterprise AI project is: a senior VP gets excited, an internal team builds a prototype against a public AI API, finance approves a department-scale SaaS contract, security and compliance get looped in at the end — and then the project freezes for six months while the controls catch up to the workflow.
We invert that. The compliance map exists before the build. It is a one-page architectural document. Every line in the map is a control or a design decision that someone at the customer signs their name next to. Once it's signed, the build is fast, because the contested questions have been answered.
2. Regulatory regimes we map against
The most-frequent regimes we encounter, with deep-dive pages landing soon:
HIPAA + HITECH
Read →Privacy Rule, Security Rule, Breach Notification Rule applied to LLM and agent deployments. BAAs for AI sub-processors. PHI minimum-necessary. Six-year audit log retention.
SOC 2
Read →Five trust services criteria mapped to LLM-specific controls: model-update change management, prompt-injection mitigation, eval drift monitoring, vendor sub-processor management.
ISO 27001 / 27017 / 27018
Read →Annex A controls applied to AI workloads. Cryptographic protection of model weights and inference logs. Supplier relationship clauses for AI vendors.
EU AI Act
Read →High-risk system classification, conformity assessment, technical documentation, post-market monitoring, human-oversight requirements. Applies to US/Canada companies serving EU subjects.
NAIC (Insurance)
Read →NAIC model bulletin on AI use by insurers. State DOI filings. Bias testing on underwriting and claims models. OSFI parallel guidance for Canadian carriers.
ABA Model Rules (Legal)
Read →Model Rule 1.6 (confidentiality) and 1.1 (competence) applied to AI tools. Privilege-safe RAG architectures. State bar opinions and CLE-relevant guidance.
AML / KYC
Read →AI in transaction monitoring, sanctions screening, KYC enrichment. Model-explainability requirements. FinCEN and FINRA guidance for broker-dealers and RIAs.
Many deployments cross multiple regimes. A US healthcare SaaS serving Canadian and European customers will touch HIPAA, SOC 2, ISO 27001, PIPEDA, and the EU AI Act in a single map. We've built that map before; we'll build yours faster than the first one.
3. What the Agrus compliance map looks like
The map is one printable page. Five columns:
- Regime & control. e.g. “HIPAA Security Rule §164.312(b) — audit controls”
- Applicable scope. Which part of the AI system this control governs.
- Design decision. The architectural choice we've made to satisfy the control.
- Evidence. Where the auditor will find the proof (log location, document, screenshot, etc.).
- Owner. A named person on the customer team accountable for the control.
No vague language. No “the system has appropriate controls.” Each row is testable. Each row has an owner. The auditor reads it once and immediately knows where to look.
4. We're builders, not auditors
We are not a SOC 2 audit firm. We don't issue reports. What we do: design the controls, produce the evidence, walk through the audit with your team. We have referral relationships with audit firms that understand modern AI systems — ask us; we'll introduce you.
Compliance is the floor, not the ceiling. The map exists to make your security-and-compliance group's job easy. The architecture exists to actually make the AI useful. We do both, because doing one without the other is how good AI projects die.
Get a compliance map for your AI use case.
30-minute call with our compliance lead and a senior engineer. Free. We tell you whether the project clears your regulatory posture, regardless of whether you hire us.
Frequently asked questions
What is an AI compliance map?
A one-page architectural document that names each regulatory regime your AI system touches, lists the applicable controls, and ties each control to a specific design decision (data residency, model choice, log retention, model-update process, evaluation, escalation). Agrus produces it during the Discovery Sprint, before any production code is written. Your CISO signs it.
Is HIPAA compliant AI the same as a private LLM?
Related but distinct. A private LLM is a deployment shape; HIPAA compliance is a regulatory framework. You can have a private LLM that isn't HIPAA compliant (missing BAAs, inadequate audit logs, no minimum-necessary controls). You can also have a HIPAA-eligible architecture using frontier models if the vendor offers an enterprise BAA and your data flows are audited. Most production healthcare AI we ship uses both — a private LLM deployment plus a documented HIPAA control set.
What about the EU AI Act for US/Canada companies?
If you process data of EU subjects, or your product is offered in the EU, the Act applies regardless of where you're based. High-risk system classification triggers conformity assessment, technical documentation, post-market monitoring, and human-oversight requirements. We build the documentation as part of the build engagement, not as an afterthought.
Do you handle the actual SOC 2 / ISO 27001 audit?
We don't issue the audit report — that's the auditor's job. We design the controls, produce the evidence, and walk through the audit with your team. We have referral relationships with auditors who understand AI systems specifically.
See also: Private LLM Deployment Guide, Compliance Audit service, AI for Healthcare, AI for Legal.