Regulatory Crosswalk · AIMSS v1.0
One certification.
Every major regulation.
AIMSS is designed to be sufficient — passing the standard demonstrably satisfies the substantive requirements of the world's most-cited AI regulations. The map below shows where each AIMSS clause aligns with the EU AI Act, NYC Local Law 144, ISO/IEC 42001, and the Colorado AI Act. Use it to scope compliance work, audits, or procurement reviews.
European Union
EU AI Act
Phased: Aug 2024 → Aug 2027
View focused map →
New York City
NYC Local Law 144
Enforced since July 5, 2023
View focused map →
International (voluntary)
ISO/IEC 42001
Published Dec 2023
View focused map →
Colorado, USA
Colorado AI Act
Effective Jun 30, 2026 (delayed by SB 25B-004)
View focused map →
| AIMSS clause | Pillar | EU AI Act | NYC Local Law 144 | ISO/IEC 42001 | Colorado AI Act |
|---|---|---|---|---|---|
AIMSS §4.1 AI inventory & system register | Governance | ✓ Article 49 requires registration of high-risk systems in the EU database. Art. 49 | ◐ AEDT must be identified and disclosed publicly, but no central register. | ✓ Annex A.6 governs the AI system life cycle, including AI system documentation and inventory. Annex A.6 | ◐ Deployers must document high-risk systems used; no public register. |
AIMSS §4.3 Risk classification & impact assessment | Governance | ✓ Risk categories and conformity assessments mandated. Art. 6, Annex III | ◐ Bias audit required, but no broader impact assessment. | ✓ Annex A.5 requires an AI system impact assessment process (alongside risk assessment in Clause 6.1). A.5.2–A.5.4 | ✓ Annual impact assessment required for high-risk AI. §6-1-1703 |
AIMSS §5.1 Independent ethics review | Ethics | ◐ Fundamental rights impact assessment required for some deployers. | — Not addressed. | ◐ Encourages ethics consideration but no independent body required. | ◐ Reasonable care duty; no independent ethics body. |
AIMSS §5.4 Disclosure to affected persons | Ethics | ✓ Article 50 transparency obligations for AI systems interacting with humans. Art. 50 | ✓ Candidates must be notified at least 10 business days in advance. | ◐ Annex A.8 stakeholder communication required. | ✓ Consumer notice required before consequential decision. §6-1-1704 |
AIMSS §6.2 Training & inference emissions accounting | Climate | ◐ GPAI providers must report energy use of training. Art. 53(1)(a) | — Not addressed. | ◐ Environmental impact among AI objectives. | — Not addressed. |
AIMSS §6.4 Emissions reduction targets | Climate | — Not addressed. | — Not addressed. | ◐ Continual improvement applies if scoped to emissions. | — Not addressed. |
AIMSS §7.1 Data-worker labour conditions | Labour | ◐ Data governance Art. 10 implies labelling quality; no direct labour standards. | — Not addressed. | ◐ Resource & competence clauses cover staff but not contractors broadly. | — Not addressed. |
AIMSS §7.3 Red-team psychological safeguards | Labour | ◐ Adversarial testing required for systemic-risk GPAI. Art. 55 | — Not addressed. | — Not addressed. | — Not addressed. |
AIMSS §8.1 Bias & disparate-impact testing | Society | ✓ Art. 10 data and bias requirements for high-risk systems. Art. 10 | ✓ Mandatory annual independent bias audit with published summary. | ◐ Annex A.7 data quality & bias considerations. | ✓ Algorithmic discrimination duty of reasonable care. §6-1-1702 |
AIMSS §8.4 Misuse & dual-use assessment | Society | ◐ Systemic-risk evaluation for advanced GPAI. Art. 55 | — Not addressed. | ◐ AI risk assessment may cover misuse. | — Not addressed. |
AIMSS §9.1 Post-market monitoring & incident reporting | Lifecycle | ✓ Articles 72 & 73 mandate post-market monitoring and serious-incident reporting. Art. 72–73 | ◐ Annual re-audit obligation. | ✓ Clauses 9 & 10 cover performance evaluation and improvement. | ✓ Deployers must monitor and report algorithmic discrimination within 90 days. |
AIMSS §9.3 Public complaints register | Lifecycle | ◐ Right to lodge complaint with market surveillance authority. Art. 85 | — Not addressed. | — Not addressed. | ◐ Consumer right to appeal a consequential decision. |
AIMSS §10.1 Continuous integrity programme | Governance | ◐ Conformity reassessment after substantial modification. Art. 43 | ◐ Annual bias audit obligation only. | ✓ PDCA-style continual improvement (Clause 10). | ◐ Annual impact assessment review required. |
AIMSS §4.2 Documented AI policy & accountable executive | Governance | ◐ Quality-management system required for providers of high-risk AI. Art. 17 | — Not addressed. | ✓ Clauses 5.1–5.3 require leadership commitment, AI policy, and assigned roles. | ◐ Risk-management programme required for deployers of high-risk AI. §6-1-1703(2) |
AIMSS §4.4 Third-party & supply-chain AI obligations | Governance | ✓ Importer, distributor and downstream-deployer obligations defined. Art. 23–27 | ◐ Independent auditor required, but no broader supplier regime. | ✓ Annex A.10 covers third-party relationships and customer obligations. | ✓ Developers must disclose to deployers all info needed for impact assessments. §6-1-1702(2) |
AIMSS §5.2 Human oversight & meaningful intervention | Ethics | ✓ Human oversight measures mandated for high-risk AI. Art. 14 | — Not addressed. | ◐ Annex A.9 addresses human oversight as a control objective. | ◐ Consumer right to human review of consequential decisions. §6-1-1704(3) |
AIMSS §5.3 Explainability of automated decisions | Ethics | ✓ Right to explanation of individual decisions for high-risk AI. Art. 86 | ◐ Disclosure of data categories and source, not per-decision explanation. | ◐ Transparency to users required as a control objective. | ✓ Plain-language explanation of the decision must be provided on request. §6-1-1704(3)(b) |
AIMSS §6.1 Water & cooling impact disclosure | Climate | ◐ GPAI Code of Practice asks for compute-environment energy reporting; water not specified. Art. 53 | — Not addressed. | ◐ Environmental impact considered within the AI management system scope. | — Not addressed. |
AIMSS §6.3 Lifecycle carbon disclosure to buyers | Climate | ◐ GPAI providers must document known or estimated energy consumption in technical documentation passed to downstream providers. Art. 53(1)(a), Annex XI | — Not addressed. | ◐ Information for interested parties (Annex A.8) can include climate data. | — Not addressed. |
AIMSS §7.2 Pay-floor & overtime limits for data workers | Labour | — Not addressed. | — Not addressed. | — Not addressed. | — Not addressed. |
AIMSS §7.4 Workforce displacement notice & re-skilling | Labour | ◐ Workers' representatives must be informed before workplace AI deployment. Art. 26(7) | ◐ Candidate notification of AEDT use required. | ◐ Stakeholder engagement covers affected staff (Annex A.8). | — Not addressed. |
AIMSS §8.2 Demographic-data governance for fairness testing | Society | ✓ Permitted processing of special-category data to detect and correct bias. Art. 10(5) | ✓ Sex, race/ethnicity categories required for the bias audit. | ◐ Data quality and bias controls referenced (Annex A.7). | ◐ Impact assessment must describe data used and limitations. |
AIMSS §8.3 Accessibility for users with disabilities | Society | ✓ Compliance with EU accessibility requirements mandated. Art. 16(l) | — Not addressed. | ◐ Interested-party needs include accessibility considerations. | — Not addressed. |
AIMSS §8.5 Content provenance & synthetic-media labelling | Society | ✓ Machine-readable marking of AI-generated and deepfake content. Art. 50(2)–(4) | — Not addressed. | ◐ Information to users covers disclosure of AI involvement. | — Not addressed. |
AIMSS §9.2 Cybersecurity & adversarial robustness | Lifecycle | ✓ Accuracy, robustness and cybersecurity requirements for high-risk AI. Art. 15 | — Not addressed. | ✓ Security controls extended to AI assets (Annex A.7, A.9). | ◐ Reasonable-care duty includes safeguarding against discrimination risk. |
AIMSS §9.4 Audit trail & technical documentation | Lifecycle | ✓ Automatic logs and detailed technical documentation required. Art. 11–12, Annex IV | ◐ Bias audit results must be publicly published and retained. | ✓ Documented information requirements throughout the standard (Clause 7.5). | ✓ Impact assessments must be retained and available to the Attorney General. |
AIMSS §10.2 External assurance & independent re-audit | Governance | ✓ Notified-body conformity assessment for many high-risk systems. Art. 43, Annex VII | ✓ Annual independent bias audit by a qualified auditor. | ✓ Designed for accredited third-party certification. | ◐ Attorney General oversight; no mandatory third-party audit. |
✓ Full coverage · ◐ Partial coverage · — Not addressed
Use the standard