AVAAS  /  Regulations
Regulatory coverage

One evaluation pipeline. Every regulation that matters.

AVAAS doesn’t just evaluate your AI system once and walk away. Five structurally independent validators provide initial evaluation with causal attribution, then sealed deployment verification ensures the AI running in production is the same system that was certified. If the deployment changes, the seal breaks and re-evaluation is required. Every finding maps to the applicable regulatory frameworks across whichever jurisdictions you operate in.

14
Regulations across
4 continents
7+
Enforcement deadlines
in 2026
~$0
Marginal cost per additional
state report
Select a regulation to learn how AVAAS addresses each requirement
United States — Federal
Enforcing

Banking & Lending (SR 11-7)

Banks, financial institutions • Fed, OCC, FDIC supervised

Federal Reserve SR 11-7 and OCC 2011-12 require independent model validation for all material models. AI/ML models in lending, credit scoring, fraud detection, and trading are increasingly in examination scope. AVAAS structural independence exceeds the minimum SR 11-7 requirement.

Independent validationOutcomes analysisOngoing monitoringModel inventory
View full details →
United States — States
Enforcing

California — Employment

California employers • FEHA + Civil Rights Council regulations

California's Civil Rights Council regulations make bias testing evidence admissible in employment discrimination lawsuits. Having an evaluation is evidence of diligence. Not having one is evidence of negligence. Private right of action, class actions, uncapped compensatory and punitive damages.

FEHA categoriesEvidentiary standardBusiness necessityPrivate right of action
View full details → Enforcing

California — Healthcare

SB 1120, AB 3030, AB 489, AB 2575 • Clinical AI systems

Four laws creating the most comprehensive healthcare AI regulatory stack in the US. SB 1120 prohibits AI-only coverage denials. AB 2575 would eliminate the vendor's "doctor should have caught it" defense. Criminal penalties for willful violations.

SB 1120AB 3030AB 489AB 2575
View full details → Jan 1, 2027

Colorado SB 26-189

ADMT in consequential decisions • Disclosure & human review

Replaces original Colorado AI Act (SB 26-189, repealed May 2026). Deployers of automated decision-making technology must provide pre-use notice, disclose adverse outcomes within 30 days, honor correction rights, and offer meaningful human review. AG enforcement only. Voids contract clauses shifting ADMT liability.

Pre-use noticeAdverse outcome disclosureCorrection rightsHuman review
View full details → Enforcing

Illinois

AIVIA + HB 3773 • AI video interview & hiring

Illinois requires candidate notification and consent before AI analyzes video interviews, with expanded demographic impact reporting under HB 3773. Any employer recruiting Illinois candidates is subject regardless of where they're headquartered.

Video AI consentDemographic impactData retentionIHRA categories
View full details → Enforcing

New York City

Automated Employment Decision Tools • NYC hiring & promotion

Annual independent bias audits required for any AEDT used for NYC jobs. Most auditors calculate selection rates and stop. AVAAS delivers causal decomposition that identifies why disparities exist. Penalties: $500–$1,500 per violation per person per day.

Impact ratiosCandidate noticeAnnual auditPublication req
View full details → Enforcing

Texas

High-risk AI deployers • $2.1T state economy

The Texas Responsible AI Governance Act requires governance programs, impact assessments, and consumer transparency for high-risk AI. The Texas Attorney General has civil investigative demand authority. Energy, healthcare, financial services, and defense sectors all affected.

Impact assessmentAG enforcementConsumer disclosureGovernance program
View full details →
European Union
Phased

EU AI Act

Annex III high-risk systems • Employment, lending, insurance, education

The most comprehensive AI regulation globally. Annex III high-risk systems require conformity assessment with documented risk management, bias testing, and human oversight. Penalties up to €35 million or 7% of global annual turnover. AVAAS maps directly to Articles 9 through 15.

Art. 9 Risk mgmtArt. 12 Record-keepingArt. 13 TransparencyArt. 15 Accuracy
View full details → Enforcing

EU — GDPR Article 22

Automated decisions affecting EU data subjects • Right to explanation

EU citizens have the right to meaningful information about the logic of automated decisions that affect them. Most AI systems cannot provide this. AVAAS causal attribution generates individual-level causal explanations. Penalties up to €20M or 4% of global turnover.

Right to explanationContestation supportDPIA integrationIndividual-level
View full details →
International
Enforcing

United Kingdom

FCA, ICO, MHRA, Ofcom, CMA • Sector-based approach

The UK regulates AI through existing sector regulators with real enforcement authority. The FCA governs AI in financial services, the ICO enforces UK GDPR automated decision-making, the MHRA governs AI medical devices. One AVAAS evaluation satisfies requirements across all five regulators.

FCAICO / UK GDPRMHRACMA
View full details → Enforcing

South Korea

Extraterritorial reach • High-impact AI systems

South Korea's AI Act applies extraterritorially. Any AI system affecting Korean users is covered regardless of company location. Requirements include transparency, risk assessment, human oversight, and documentation.

ExtraterritorialRisk assessmentHuman oversightTransparency
View full details → Enforcing

China

GenAI Measures, Algorithm Rules, Deep Synthesis • Multiple laws

China has the most active AI enforcement regime globally with four binding regulations already in effect. Any company selling AI-powered products or services in China faces immediate compliance obligations including consent, content labeling, user rights, and algorithm filing.

GenAI MeasuresAlgorithm RulesDeep SynthesisCAC enforcement
View full details → Draft

Canada

AI and Data Act (Bill C-27) • High-impact AI systems

Canada's proposed AI and Data Act establishes risk-based requirements for high-impact AI in employment, financial services, healthcare, and essential services. With $900 billion in annual US-Canada trade, AIDA will affect every US company selling AI-powered products into Canada.

High-impact AIBias mitigationTransparencyCross-border
View full details → Draft

Brazil

Bill 2338 • Risk-based, EU AI Act aligned • 215M population

Brazil's comprehensive AI bill creates a risk-based framework closely aligned with the EU AI Act. Impact assessments, individual rights to contest AI decisions, and mandatory incident reporting for high-risk systems. Latin America's largest economy.

Risk-basedIndividual rightsImpact assessmentEU-aligned
View full details →

Not sure which regulation applies to you?

Tell us about your AI system and we'll map it to every applicable regulation — then scope the evaluation accordingly.

Request evaluation
Or email hello@avaas.ai