The Enterprise AI Compliance Guide
A practical guide to navigating SOC 2, HIPAA, FedRAMP, and the EU AI Act when selecting enterprise AI tools.
Key Takeaways
- 1SOC 2 Type II is the minimum compliance bar for any enterprise AI tool handling sensitive data.
- 2The EU AI Act classifies most enterprise AI tools as "limited risk" -- but LLMs used in hiring, credit, or healthcare are "high risk" with strict obligations.
- 3HIPAA compliance requires a signed Business Associate Agreement (BAA) from every AI vendor touching PHI.
- 4FedRAMP authorization is mandatory for AI tools used in US federal government contexts.
- 5A vendor's compliance posture is a leading indicator of their operational maturity -- use it as a proxy for overall quality.
Why Compliance Is Now a First-Order Concern
Three years ago, enterprise AI compliance was an afterthought -- a box to check after the technology decision had been made. In 2026, it is a first-order selection criterion. The reasons are straightforward: regulatory frameworks have caught up with the technology, high-profile AI failures have sensitized boards and legal teams, and the cost of a compliance failure (regulatory fines, reputational damage, contract loss) now routinely exceeds the cost of the AI tool itself.
This guide is designed for enterprise buyers -- procurement teams, CISOs, legal counsel, and business unit leaders -- who need to evaluate AI tools against a compliance framework. It is not a legal opinion; consult qualified counsel for specific regulatory guidance.
The Core Compliance Frameworks
SOC 2 Type II is the foundational compliance certification for enterprise software. It audits a vendor's security, availability, processing integrity, confidentiality, and privacy controls over a period of at least six months. Type II (as opposed to Type I, which is a point-in-time assessment) provides meaningful assurance. Any AI vendor handling sensitive enterprise data should have SOC 2 Type II. If they don't, ask why -- and treat the absence as a yellow flag.
ISO 27001 is the international standard for information security management systems. It is more prescriptive than SOC 2 and is often required for European enterprise procurement. Many vendors hold both SOC 2 and ISO 27001.
HIPAA applies to any AI tool that processes, stores, or transmits Protected Health Information (PHI). The critical requirement is a signed Business Associate Agreement (BAA) from the vendor. Without a BAA, using an AI tool with PHI is a HIPAA violation regardless of the vendor's technical security controls. Always request the BAA before procurement.
FedRAMP (Federal Risk and Authorization Management Program) is mandatory for AI tools used in US federal government contexts. FedRAMP authorization is a multi-year process; the list of authorized vendors is publicly available at fedramp.gov. If your organization sells to or works with federal agencies, FedRAMP authorization in your AI vendors is non-negotiable.
The EU AI Act, which began phased enforcement in 2025, introduces a risk-based framework for AI systems. Most enterprise AI tools fall into the "limited risk" category, requiring only transparency obligations (users must know they're interacting with AI). However, AI systems used in hiring, credit scoring, healthcare diagnostics, or law enforcement are classified as "high risk" and face strict requirements including conformity assessments, human oversight mechanisms, and registration in the EU database.
The Vendor Compliance Evaluation Checklist
When evaluating an AI vendor's compliance posture, request the following documentation before signing a contract:
Certifications to request: SOC 2 Type II report (within the last 12 months), ISO 27001 certificate (if applicable), HIPAA BAA (if PHI is involved), FedRAMP authorization letter (if federal context), PCI-DSS attestation (if payment data is involved).
Questions to ask: Where is data stored, and can you specify a region? Is data used to train models? What is the data retention policy? Who has access to our data within your organization? What is your incident response SLA and notification timeline? Do you offer a Data Processing Agreement (DPA) for GDPR compliance?
Technical controls to verify: End-to-end encryption in transit and at rest, role-based access controls, audit logging with immutable records, single sign-on (SSO) and SCIM provisioning support, and the ability to delete all customer data on request.
Data Residency and Sovereignty
Data residency -- the requirement that data be stored and processed within a specific geographic jurisdiction -- is increasingly a hard requirement for European, Canadian, and Australian enterprises, and for any organization subject to sector-specific regulations. Most major AI vendors now offer regional deployment options (EU, US, APAC), but the details matter: verify that inference (not just storage) occurs within the required region, and that no data crosses borders for model training or fine-tuning.
For organizations with the strictest data sovereignty requirements, on-premise or private cloud deployment is the only viable option. This narrows the field significantly -- most SaaS AI tools do not offer on-premise deployment -- but the vendors that do (including several in the Xither directory) command premium pricing that reflects the genuine engineering cost of supporting this deployment model.