Is Your AI Compliance Posture Defensible?
Eighteen scored questions across EU AI Act, NIST AI RMF, and state-AI obligations — for the GC, CISO, and CAIO who'll be asked to defend the company's AI posture.
- A scored profile across 6 dimensions — see exactly where you're strong and where the gaps are.
- Your biggest opportunities, mapped to specific next moves.
- A personalized video walkthrough from Shawn (optional) — a real read on your results.
AI compliance has stopped being a future problem. The EU AI Act's phased obligations are landing through 2026 and 2027. The NIST AI Risk Management Framework is becoming the de facto US standard, and the Generative AI Profile (NIST AI 600-1) extends it to foundation-model use. Colorado's AI Act, NYC's Local Law 144 on Automated Employment Decision Tools, Illinois' AI Video Interview Act, and California's emerging ADMT regulations are pulling US obligations forward one state at a time. Sector regulators — FTC, EEOC, CFPB, HHS, FDA, FINRA — are publishing AI-specific guidance. And the cross-jurisdictional reality is that most mid-market and enterprise organizations now have to defend a posture they never deliberately built.
This free scorecard measures whether your AI compliance posture is defensible — across governance and accountability, risk classification, documentation and disclosure, transparency, post-deployment monitoring, and incident response. It's built for general counsel, chief compliance officers, CISOs, and chief AI officers who'll be asked to defend the program, drawn from 27 years of technology leadership across Fortune 500 and growth-stage companies — the same lens a fractional Chief AI Officer would bring to your first conversation about EU AI Act readiness, NIST AI RMF adoption, and US state-law obligations.
What the AI compliance scorecard measures
Compliance posture is a profile, not a single number. The scorecard scores six dimensions independently so you can see where you're strong and where the regulatory exposure is: Governance & Accountability (is there a named owner, chartered oversight body, and board reporting line for AI), Risk Classification (have you inventoried AI systems and tiered them against EU AI Act risk categories and NIST AI RMF functions), Documentation & Disclosure (could you produce model cards, datasheets, and AI impact assessments under audit), Transparency & User Notice (do users know when AI is involved in decisions about them, in line with Article 50 and automated decision-making obligations), Monitoring & Post-Deployment (are you watching production systems for drift, bias, and harm), and Incident Response & Reporting (could you meet EU AI Act and state regulator reporting timelines). The final question maps the specific frameworks — EU AI Act, NIST AI RMF, ISO 42001, US federal, US state, sector-specific — that apply to your business.
Why a defensible AI compliance posture matters now
Enterprise customers are putting AI clauses into procurement contracts. Boards are asking the GC and CISO to brief them on AI risk. EU customers are demanding conformity evidence for high-risk systems. State attorneys general have started issuing AI-related enforcement. The cost of waiting isn't theoretical — it's an enterprise deal that pauses while you assemble a model card from scratch, a regulator inquiry that surfaces shadow AI you didn't know was deployed, or an incident where the response plan doesn't mention AI at all. Organizations that treat compliance posture as a deliberately sequenced program — governance first, then inventory and risk tiering, then documentation, then transparency, monitoring, and incident response — get there faster and at lower cost than those that wait for a forcing event.
What you get at the end
You'll see an overall AI compliance score, a band that describes where your posture stands (from Exposed through Defensible), a per-dimension breakdown across governance, risk, documentation, transparency, monitoring, and response, and a map of the frameworks most relevant to your business. From there you can request a personalized video walkthrough — a short, recorded read on your specific results and what a fractional Chief AI Officer engagement would do for your compliance program. No generic compliance deck.
Frequently asked questions
What is an AI regulation compliance scorecard?
It's a structured evaluation of whether an organization has the governance, risk classification, documentation, transparency, monitoring, and incident response capabilities required to defend its AI posture under the EU AI Act, NIST AI RMF, ISO 42001, and emerging US federal and state AI laws. Rather than measuring policy completeness, it measures operational maturity — the capabilities a regulator, enterprise customer, or board would actually scrutinize.
How long does the scorecard take?
About seven minutes. It's 18 scored questions across six compliance dimensions plus a final framework-mapping question covering EU AI Act, NIST AI RMF, ISO 42001, US federal, US state, and sector-specific obligations. Your progress auto-saves, so you can leave and resume without losing answers.
Is the scorecard free?
Yes. The scorecard and your scored results are completely free. You can optionally request a personalized video walkthrough of your results, which is also free.
Who is this scorecard for?
It's built for general counsel, chief compliance officers, CISOs, chief AI officers, and chief privacy officers at organizations that are deploying or buying AI and need a clear-eyed read on whether their compliance posture would hold up under audit, regulator inquiry, or enterprise customer scrutiny.
Does it cover the EU AI Act, NIST AI RMF, and US state laws?
Yes. The scored questions are framework-aware — drawing on EU AI Act risk tiering, Article 50 transparency, FRIA, NIST AI RMF Govern/Map/Measure/Manage functions, ISO 42001 management-system concepts, and US state obligations like the Colorado AI Act, NYC Local Law 144 (AEDT), and the Illinois AI Video Interview Act. The optional framework-mapping question lets you flag which obligations apply so the follow-up conversation is specific.