AI Compliance Framework v1.1

A standardized framework for responsible AI deployment, regulatory compliance, and bias accountability across client engagements.

Download PDF

1. Purpose

AI regulation is accelerating. The AI Accountability Act (signed March 2026) now requires businesses deploying AI in consequential decisions to conduct and publish regular bias audits. The White House National AI Legislative Framework (March 20, 2026) recommends regulatory sandboxes to encourage responsible innovation. Combined with state laws in California, Colorado, and Texas, and industry-specific requirements like HIPAA, businesses face real compliance obligations. This framework ensures every Coastal AI engagement meets or exceeds these requirements from day one.

What This Framework Covers

Classification of AI systems by risk level
Bias audit methodology and cadence
Transparency and disclosure requirements
Data handling and privacy compliance (HIPAA, CCPA, etc.)
Multi-state regulatory mapping for distributed businesses
Ongoing monitoring and reporting obligations

2. AI System Classification

Every AI system built or recommended by Coastal AI is classified at project kickoff. Classification determines the compliance requirements that apply.

Risk Level	Definition	Examples	Requirements
Standard	AI that assists with general business tasks, content, or internal tooling. No consequential decisions about individuals.	Content generation, chatbot FAQ, internal analytics dashboards	Transparency label, basic documentation
Elevated	AI that influences business decisions involving customer data, lead prioritization, or service delivery.	Lead scoring, AI-driven outreach, customer segmentation, appointment prioritization	Bias audit, transparency disclosures, data handling review, documentation
High-Risk	AI that makes or directly influences consequential decisions about healthcare, employment, lending, housing, or criminal justice.	Patient intake scoring, hiring screeners, care recommendation engines, insurance qualification	Full bias audit, regulatory filing, impact assessment, legal review, ongoing monitoring

3. Bias Audit Methodology

All Elevated and High-Risk AI systems undergo bias audits before deployment and on a recurring basis.

3.1 Pre-Deployment Audit

Required Before Launch

Input Analysis: Review training data and input sources for demographic representation gaps
Output Testing: Run test cases across demographic groups to measure outcome variance
Protected Class Check: Verify the system does not produce materially different outcomes based on race, gender, age, disability, religion, national origin, or political affiliation (per AMERICA AI Act)
Edge Case Review: Test with ambiguous, incomplete, or adversarial inputs
Documentation: Record methodology, findings, and any remediation steps taken

3.2 Recurring Audit Schedule

Risk Level	Audit Frequency	Scope
Standard	Annual	Documentation review, output spot-check
Elevated	Semi-annual	Full output analysis, demographic variance check, data review
High-Risk	Quarterly	Full audit with third-party review option, regulatory documentation update, published summary per AI Accountability Act

Publication Requirement (AI Accountability Act)

For High-Risk AI systems, bias audit results must be published -- not just filed internally. Audit reports for these systems should be written for public disclosure and include methodology, findings, and remediation steps in plain language. Coastal AI's quarterly cadence exceeds the federal minimum of "regular" audits.

4. Transparency & Disclosure

Transparency is non-negotiable across all AI systems. Requirements scale with risk level.

4.1 Universal Requirements (All Systems)

AI Label: Any user-facing AI interaction must include a visible indicator that AI is involved (e.g., "AI-assisted" badge)
System Documentation: Plain-language description of what the AI does, what data it uses, and how decisions are made
Opt-Out Path: Where feasible, provide users with an alternative to AI-driven interaction

4.2 Elevated & High-Risk Additions

Methodology Disclosure: Explanation of scoring/ranking logic accessible to affected parties
Data Source Transparency: Document all data inputs and their provenance
Contestability: Process for individuals to challenge AI-driven decisions that affect them
Bias Audit Disclosure: For High-Risk systems, public notice that a bias audit has been conducted and where to access the published results (per AI Accountability Act)
State-Specific Disclosures: Written notices per Texas TRAIGA, California SB 942, Colorado AI Act as applicable

5. Data Handling & Privacy

PHI / Healthcare Data

Any AI system processing Protected Health Information (PHI) must comply with HIPAA. This includes:

Data isolation per entity (no cross-location data visibility without explicit authorization)
Encryption at rest and in transit
Access logging and audit trails
Business Associate Agreement (BAA) with all AI vendors processing PHI
Minimum necessary standard: AI only accesses the PHI it needs for its specific function

General Data Requirements

Data retention policy defined per system
PII handling documented and minimized
CCPA compliance for California residents (right to know, right to delete, right to opt out)
No client data used for model training without explicit written consent
Vendor data processing agreements reviewed and filed

6. Multi-State Regulatory Map

For clients operating across multiple states, Coastal AI maps applicable AI regulations by location. The strictest applicable law governs each location.

State	Law	Effective	Key Requirements	Applies To
Federal	AI Accountability Act	March 2026	Mandatory published bias audits for AI used in consequential decisions	Elevated High-Risk
Federal	AMERICA AI Act (draft)	TBD	Bias audits for high-risk AI, protected class protections including political affiliation	High-Risk
California	SB 942 (AI Transparency)	Jan 1, 2026	AI content disclosure, detection tools for providers with 1M+ monthly users	Elevated High-Risk
California	AB 2013	Jan 1, 2026	Training data disclosure for generative AI developers	Elevated High-Risk
California	AB 489	2026	AI cannot imply it holds a healthcare license	High-Risk
Colorado	SB 24-205 (AI Act)	Feb 1, 2026	Impact assessments, risk management, consumer notice for high-risk AI in consequential decisions	High-Risk
Texas	TRAIGA	Jan 1, 2026	Written disclosure before AI is used in patient diagnosis or treatment	High-Risk

Note for Multi-Location Businesses

If your business operates in multiple states, each location must comply with the laws of its state. A franchise in Colorado has different obligations than one in Florida. Coastal AI maps these requirements per location as part of every engagement and updates this map as new laws take effect.

7. How This Integrates Into Engagements

This framework is applied to every Coastal AI client engagement. The process:

Kickoff: Classify every AI system by risk level at project start
Build Phase: Compliance requirements baked into the technical spec, not bolted on after
Pre-Launch: Bias audit and transparency review completed before deployment
Handoff: Compliance documentation delivered with the project
Ongoing: Audit cadence set per classification, regulatory updates flagged as needed

8. What You Receive

Every engagement that includes AI components delivers these compliance artifacts, scaled to the risk level of your system:

All Engagements

AI System Classification (Standard, Elevated, or High-Risk)
Transparency Disclosure Templates (user-facing language, reusable)
Data Handling Summary
Audit Schedule (review cadence based on risk tier)

Elevated & High-Risk Engagements

Bias Audit Report (pre-launch testing results and methodology)
Vendor Risk Flags (known data handling concerns with third-party tools)

Enterprise & Multi-Location Add-Ons

For clients operating across multiple states or industries with heightened regulatory exposure, additional deliverables are available on request:

Multi-state regulatory compliance map (per-location obligations)
Full vendor data processing agreement review
Incident response and escalation procedure
Ongoing regulatory monitoring and proactive updates