AI Compliance Checklist (SR 11-7, NIST AI RMF, EU AI Act)

Why Compliance Teams Need This Now

Regulatory scrutiny of AI is accelerating across every sector. The Federal Reserve, OCC, FFIEC, and EU supervisory authorities are now including AI governance in their examination scope. The EU AI Act entered enforcement in 2025. Organizations that cannot demonstrate a structured compliance program face findings, remediation costs, and reputational damage.

An AI compliance checklist is the fastest way to assess where your organization stands and what gaps need to be closed before the next examination arrives.

Your AI Compliance Checklist

• Written AI governance policy approved by senior leadership or the board
• AI acceptable use policy communicated to all employees with acknowledgment records
• Complete and current AI model inventory covering all tools in use
• Risk assessments completed for each AI use case with documented risk tiering
• Vendor due diligence questionnaires completed for all third-party AI providers
• Data handling guidelines specifying what data may be submitted to AI tools
• Incident response procedures specific to AI-related events
• Employee training and acknowledgment records
• Evidence of ongoing monitoring and periodic policy review
• EU AI Act classification assessment for AI systems in use

Common Compliance Gaps

• Treating AI compliance as a one-time project rather than an ongoing program
• Focusing only on internally developed models and ignoring third-party SaaS AI tools
• No documentation trail — verbal governance doesn't satisfy regulators
• Gaps between policy and practice — policies exist but are not enforced
• No ownership — compliance programs without clear accountable owners fail