What an AI compliance framework can and can't do for you

ISO 42001, NIST AI RMF, the EU AI Act and AS 8005 are all useful. None of them, on their own, will make your AI use any safer. Here's where the real work happens.

Paige Harkness, Co-Founder, Head of Product and Communications, ORCA Opti
11 June 2026
4 min read

[Illustration: an AI playing a futuristic game while relying on an old-fashioned compliance scoreboard to keep up with the fast-paced match]

The next twelve months of AI compliance conversations will be dominated by people arguing about which framework to follow.

ISO 42001. NIST AI RMF. The EU AI Act. The new AS 8005 work in Australia.

Every one of them is a useful piece of work. None of them, on their own, will make your AI use any safer.

I want to explain what I mean by that, because I think it's the part of the conversation people are missing right now, and the gap is going to get expensive for some businesses before it gets cheaper.

Frameworks are the scoreboard, not the game

A compliance framework is a way of measuring whether you've done something. It defines what good looks like and gives auditors and regulators a shared language for assessing your posture against that bar. That's genuinely useful. It's why we welcome each of these frameworks, and why we map our own work to them.

But a framework is the scoreboard. It tells you the result of the work. It is not the work itself.

The work is operational. It happens at every prompt your staff write, every model your business connects to a data source, every output sent to a customer or regulator. It happens in the quiet, invisible moments where someone has to decide "is it safe to put this in here?" and either gets the right answer because the system told them, or makes a judgement call because nobody had thought it through in advance.

If your AI compliance program lives in a quarterly committee meeting and a sixty-page document, you are scoring an exam that nobody is actually sitting.

The trap a lot of organisations are walking into

This isn't a hypothetical. It's the most common pattern we see when we sit down with a new customer.

You commission an ISO 42001 readiness assessment. You publish an AI use policy. You add a clause to your supplier contracts. The auditor signs off. The document goes in the binder. Everyone goes back to work.

Meanwhile, every member of your team who wants to use AI to do their job better is making it up as they go. Some of them are doing it well. Most of them aren't. And the gap between what you've written down and what's actually happening day to day is widening by the week.

The framework hasn't failed. It's done exactly what it was designed to do. It's described what good looks like. The problem is that nobody downstream of the document is set up to do what the document describes.

Compliance isn't a document. It's an operating system.

We built ORCA Opti the way we did because we think this is the bit that has to change.

Compliance can't be something that lives in a binder and gets dusted off when an auditor visits. It has to be present at the moment someone writes a prompt, at the moment a dataset is connected, at the moment a response is generated. It has to know your policies and apply them, in real time. It has to log what happened, not in a file an auditor will read in six months, but in a live system you can interrogate any time.

When that operational layer is in place, the framework you map to becomes a question of presentation. You can demonstrate ISO 42001 compliance. You can demonstrate alignment with NIST AI RMF. You can demonstrate readiness for whichever framework lands next, because the work has already been done and the evidence is already there.

Without the operational layer, no framework on earth will save you. You'll just have a beautifully written explanation of how you intended to govern your AI use, gathering dust beside the reality of how it's actually being used.

The one question I'd ask before anything else

If you're thinking about your AI compliance posture this year, the question I'd want you to answer first is this: where does the work actually happen? In a meeting? In a document? Or at the moment your staff are doing the thing the framework is meant to govern?

If it's the third one, you're already ahead. If it's not, no amount of framework alignment will close the gap on its own.

The scoreboard tells you whether you won the game. The game is still the game.

If you want to see what operational compliance feels like in practice, you can try Opti Assist free at orcaopti.ai. It's the version of this work that runs inside your Microsoft 365, where the real decisions are being made.
