June 16, 2026 · 4 min read

AI Compliance Checklist: 12 Steps for 2026

A practical AI compliance checklist for 2026 — inventory AI, classify data, control agent access, redact sensitive data, monitor, and map to ISO 42001, NIST AI RMF, and the EU AI Act. Plus how Strac automates the data-protection controls.

TL;DR

  • AI compliance means proving your AI use is governed: you know what AI is running, what data it touches, who can access it, and that sensitive data is protected — mapped to ISO 42001, NIST AI RMF, and the EU AI Act.
  • The hardest items are the data ones — discovering shadow AI, controlling agent access, and remediating sensitive data before it reaches a model. Policies are easy; evidence is hard.
  • This 12-step checklist covers inventory, data, access, remediation, monitoring, vendors, and audit — and where Strac automates the data-protection controls.

✨ Why You Need an AI Compliance Checklist

AI moved faster than governance. Employees adopted ChatGPT, Claude, and Copilot; engineers wired agents to data via MCP; and the controls auditors and customers now ask about — ISO 42001, NIST AI RMF, the EU AI Act — didn't exist when most security programs were built. A checklist turns "we should govern AI" into concrete, evidenced steps.

Strac maps AI controls to ISO 42001, NIST AI RMF, and the EU AI Act
Map each checklist item to the frameworks auditors expect — see [AI governance frameworks](https://www.strac.io/blog/ai-agent-governance-frameworks).

✨ The AI Compliance Checklist (12 Steps)

Discover

1. Inventory every AI tool and agent — browser AI, desktop apps, and MCP connectors, including shadow AI on personal accounts. See discover AI agents.
2. Map the data each AI can reach — which SaaS, cloud, and databases agents connect to, and what sensitive data flows through.
3. Classify sensitivity — PII, PHI, PCI, secrets, source code, and regulated records across those sources.

Control

4. Scope agent access — least privilege per agent and per tool; no blanket access.
5. Enforce allow/block and approvals — block high-risk actions (writes, exports) or route them for sign-off.
6. Govern third-party AI vendors — assess and monitor AI vendors as part of AI TPRM.

Protect

7. Remediate sensitive data in-flight — redact, mask, block, or revoke access before data reaches a model, in the browser, on endpoints, and at the MCP layer.
8. Cover every surface — browser, endpoint, SaaS, and cloud, not just one.

Prove

9. Log every AI interaction — who, which agent, which tool, what data, what action.
10. Stream to your SIEM — Splunk, Sentinel, or Datadog for monitoring and alerting.
11. Map controls to frameworks — ISO 42001, NIST AI RMF, EU AI Act, plus SOC 2 / HIPAA / PCI / GDPR.
12. Maintain AI policies — acceptable-use, model governance, and data-handling, reviewed regularly.

✨ How Strac Automates the Hard (Data) Steps

Steps 1–3 and 7–10 are where teams stall — they require actually seeing and protecting data, not writing a policy. Strac's AI data governance platform does this across every surface: it discovers shadow AI and agents, controls and blocks access, remediates sensitive data inline, and logs every action as audit evidence.

Strac AI agent governance — discover, control, protect, prove
See → Control → Protect → Prove across browser, endpoint, SaaS, and MCP — see [AI agent governance](https://www.strac.io/blog/ai-agent-governance).

🌶️ Spicy FAQs for AI Compliance Checklist

What is on an AI compliance checklist?

Inventory of AI tools and agents, the data they can reach, data classification, agent access controls, in-flight data remediation, monitoring and logging, AI vendor risk, framework mapping (ISO 42001, NIST AI RMF, EU AI Act), and AI policies.

What frameworks govern AI compliance?

The core ones are ISO 42001 (AI management system), NIST AI RMF (risk management), and the EU AI Act (regulation), alongside data-protection frameworks SOC 2, HIPAA, PCI, and GDPR.

What's the hardest part of AI compliance?

The data controls — discovering shadow AI, knowing what data agents touch, and remediating sensitive data before it reaches a model. Policies are easy to write; evidence is hard to produce, which is what Strac automates.

How do I start an AI compliance program?

Start with discovery (step 1): you can't govern AI you can't see. Inventory every AI tool and agent and the data they reach, then layer on control, protection, and proof.

Automate the proof. Strac Comply's AI Evidence Agent captures evidence from any app you can log into, and its headless compliance MCP server lets your AI agent write that evidence into your binder — turning steps 9-11 from a screenshot marathon into an automated loop. See Strac Comply.

The Bottom Line

AI compliance isn't a policy document — it's evidence that AI is governed end to end. Work this checklist, and lean on Strac for the data-protection steps that are hardest to prove: discover, control, remediate, and audit AI's access to your data.

Related reading: AI Agent Governance · AI Governance Frameworks · ISO 42001 · AI TPRM · Shadow AI · Best AI Governance Tools
