AI compliance glossary
Clear, citable definitions of the regulations and concepts behind AI compliance - the EU AI Act, risk classification, ISO/IEC 42001, NIST AI RMF and more.
EU AI Act
The EU AI Act (Regulation (EU) 2024/1689) is the European Union's comprehensive law governing artificial intelligence. It classifies AI systems by risk - unacceptable, high, limited, and minimal - and imposes obligations on providers and deployers accordingly, with staggered enforcement running from 2025 through 2027.
AI system risk classification
Under the EU AI Act, every AI system is classified into one of four risk tiers: unacceptable risk (prohibited under Article 5), high risk (listed in Annex III and subject to Articles 9-15), limited risk (transparency obligations under Article 50), and minimal risk (no obligations). The tier determines the documentation and controls required.
High-risk AI system
A high-risk AI system under the EU AI Act is one listed in Annex III (such as AI used in recruitment, credit, education, or biometrics) or used as a safety component of a regulated product. High-risk systems must meet Articles 9-15: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy/robustness.
ISO/IEC 42001
ISO/IEC 42001 is the international management-system standard for artificial intelligence, published in 2023. It specifies how an organisation should establish, implement, maintain, and continually improve an AI management system (AIMS) - the AI equivalent of ISO 27001 for information security - and is increasingly requested by enterprise customers.
NIST AI RMF
The NIST AI Risk Management Framework (AI RMF 1.0, NIST.AI.100-1) is a voluntary US framework for managing AI risks. It is organised around four functions - Govern, Map, Measure, and Manage - and is the de-facto reference in US federal procurement and enterprise RFPs, even though it carries no legal force of its own.
AI literacy (EU AI Act Article 4)
AI literacy is the EU AI Act Article 4 obligation requiring providers and deployers to ensure their staff who operate or use AI systems have a sufficient understanding of AI - its opportunities, risks, and possible harms. It has applied since 2 February 2025 and covers essentially every organisation that uses AI at work.
Provider vs deployer (EU AI Act)
Under the EU AI Act (Regulation (EU) 2024/1689), a provider develops an AI system or has one developed and places it on the EU market under its own name, while a deployer uses an AI system under its authority in a professional capacity. The two roles carry sharply different obligations, and one organisation can be both.
General-purpose AI (GPAI)
General-purpose AI (GPAI) under the EU AI Act is an AI model trained on broad data that shows significant generality and can perform a wide range of distinct tasks, such as a large language model behind a chatbot. GPAI provider obligations under Articles 53 to 55 have applied since 2 August 2025.
Conformity assessment (EU AI Act)
A conformity assessment under the EU AI Act is the process of demonstrating that a high-risk AI system meets the requirements of Articles 9 to 15 before it is placed on the EU market. It is carried out either through internal control (Annex VI) or, for certain systems, with a notified body (Annex VII), and underpins the CE marking.
Notified body
A notified body under the EU AI Act is an independent conformity-assessment organisation designated by an EU member state and listed by the Commission to assess whether certain high-risk AI systems meet the Act's requirements. It performs third-party conformity assessment under Annex VII for systems where self-assessment is not sufficient, such as some biometric systems.
Post-market monitoring (Article 72)
Post-market monitoring under Article 72 of the EU AI Act is the obligation on providers of high-risk AI systems to actively and systematically collect, document, and analyse data on how the system performs throughout its lifetime, so that ongoing compliance with Articles 9 to 15 can be checked and emerging risks addressed. It complements serious-incident reporting under Article 73.
CE marking for AI
The CE marking on a high-risk AI system is the provider's visible declaration that the system conforms to the EU AI Act. Governed by Article 48, it is affixed only after conformity assessment is passed and the EU declaration of conformity (Article 47) is drawn up, signalling the system may lawfully be placed on the EU market.