AAI Compliance Atlas
FrameworksState lawsIndustriesToolsNews
GuidesMap my obligations →
AAI Compliance Atlas

Structured, continuously verified reference for US AI compliance — federal frameworks, state laws, and the obligations that connect them.

Atlas

  • Frameworks
  • State laws
  • Industries
  • By role
  • Comparisons

Tools

  • Compliance Checker
  • Penalty Calculator
  • Impact Assessment

Resources

  • Guides
  • News
  • Blog

Company

  • About
  • Contact
  • Privacy
  • Terms
© 2026 AI Compliance Atlas. Informational only — not legal advice. Consult qualified counsel before making compliance decisions.Verified Jun 9, 2026
  1. Home/
  2. Roles/
  3. Vendor

AI Vendor Obligations

Vendors providing AI tools to other organizations sit upstream of deployers and downstream of developers. Specific contractual and disclosure obligations depend on jurisdiction and use case.

Governance routing

Use the AI governance guide to assign decision rights, committees, lifecycle gates, and escalation paths before mapping role-specific duties into the AI compliance framework register.

Obligations under US laws

  • data handlingFlorida AI Legislation (Deepfake and AI Disclosure Laws)Fla. Stat. § 836.13 (HB 757 / Brooke's Law)

    Do not willfully create, possess with intent to promote, solicit, or produce an altered sexual depiction of an identifiable person without consent, including AI-generated deepfakes. Covered platforms must remove altered sexual depictions within 48 hours of a valid takedown request. Per-image third-degree felony exposure.

    Deadline: 48_hour_takedown

Framework controls

  • documentationISO/IEC 42001Clause 8 + Annex A.6

    Maintain documentation throughout the AI system lifecycle including data management, system development, verification and validation, and deployment per Annex A.6 controls.

  • risk assessmentISO/IEC 42001Clause 6 + Annex A.5

    Conduct AI system impact assessments and risk assessments addressing intended uses, deployment context, affected stakeholders, and mitigation of identified risks per Annex A.5 controls.

  • governanceISO/IEC 42001Clauses 4-5

    Establish, implement, maintain, and continually improve an AI management system (AIMS) covering policies, leadership commitment, roles, and integration with other management systems.

  • governanceNIST AI RMFMANAGE 1-4

    MANAGE function: prioritize and treat identified risks, allocate resources, and implement risk response strategies including mitigation, transfer, acceptance, or avoidance.

  • risk assessmentNIST AI RMFMEASURE 1-4

    MEASURE function: assess, analyze, and monitor AI risks using both quantitative and qualitative methods, including bias evaluation, robustness testing, and explainability assessments.

  • risk assessmentNIST AI RMFMAP 1-5

    MAP function: identify the context, intended uses, stakeholders, and risks of each AI system, including categorization of impacts on individuals, communities, and the organization.

  • governanceNIST AI RMFGOVERN 1-6

    GOVERN function: establish policies, processes, structures, and accountability for AI risk management across the organization, including senior leadership oversight and a risk-based culture.

Run AI risk and impact assessments faster with Credo AI

partner link

Specialized AI governance platform built around the NIST AI RMF and EU AI Act. Bias auditing, model registry, policy automation.

Get a Credo AI demo →
Legal disclaimer

This content is informational only and does not constitute legal advice. Laws change frequently and vary by jurisdiction. Consult qualified legal counsel before making compliance decisions. Information accuracy not guaranteed as of any specific date.

We may receive referral commissions from recommended compliance tools. Recommendations are based on product fit and not on commission size. Links marked “partner link” include a tracked redirect.