Where AIAuth fits in your compliance stack.
This page maps AIAuth's capabilities to the regulatory and control frameworks most often referenced in enterprise procurement — EU AI Act Article 50, SOC 2, ISO 27001, and the NIST AI Risk Management Framework. It is informational, not legal advice. Consult qualified counsel for advice specific to your organization.
EU AI Act — Article 50 (deployer disclosure)
The Article 50 transparency obligations apply from 2 August 2026. Paragraph 50(2) requires providers of AI systems that generate synthetic audio, image, video or text to mark that output in a machine-readable format so that it is detectable as artificially generated; paragraph 50(4) requires deployers to disclose that deep-fake content, and AI-generated text published to inform the public on matters of public interest, was artificially generated or manipulated. AIAuth addresses the deployer-side disclosure; an external receipt complements, but does not replace, the provider-side marking of the output itself.
| Article 50 requirement | How AIAuth addresses it |
|---|---|
| 50(4) — Deployer discloses that content was artificially generated or manipulated. | AIAuth receipts record that AI was involved (model, provider, ai_markers) and that a human reviewed the output. A receipt code attached to a deliverable serves as a verifiable disclosure mechanism. The text obligation in 50(4) is limited to text published to inform the public on matters of public interest; a receipt on other content is a voluntary disclosure. |
| 50(2) — Synthetic output marked in a machine-readable format (a provider obligation). | AIAuth receipts are JSON with stable field names; the ai_markers block identifies AI authorship signals in a parsable form, as an external record that sits alongside the content rather than inside it. For media assets (image, video, audio), pair AIAuth with a C2PA implementation that embeds Content Credentials in the file — see the standards page. |
| 50(5) — Information provided in a clear and distinguishable manner, at the latest at the time of first interaction or exposure. | Receipt codes can be attached to an email subject line, document footer, PR description, or message body. The verification page at aiauth.app/check is publicly accessible without an account. |
What AIAuth does NOT address in Article 50
- AIAuth does not perform watermarking of media files. For synthetic image/video/audio, use a C2PA-compatible tool and preserve the Content Credentials.
- AIAuth does not embed metadata inside media files — receipts live alongside the content as an external record.
- AIAuth does not perform AI-content detection. It is a voluntary attestation mechanism, not a forensic classifier.
SOC 2 Trust Service Criteria — control crosswalk
For enterprises evaluating AIAuth as part of a SOC 2-scoped environment, the self-hosted enterprise deployment supports the following controls:
- CC6.1 — Logical access. Magic-link authentication with short-lived session tokens; admin endpoints gated behind a master key; managed-policy schema for Workspace/Intune provisioning.
- CC7.2 — System monitoring. All attestation events are logged with attestation id, timestamp, and signing key id. The admin dashboard aggregates events; operator email alerts are available.
- CC8.1 — Change management. Source is version-controlled on GitHub; releases are tagged and published; the signing key manifest versions every rotation.
- CC9.2 — Vendor / third-party. Self-hosted enterprise runs on customer infrastructure; no third-party processor handles attested content.
ISO/IEC 27001 Annex A — control mapping (2013 edition numbering; ISO/IEC 27001:2022 renumbers Annex A, so map these identifiers to the 2022 controls if your ISMS uses the current edition)
- A.8.1 — Asset management. Attested content is hashed, never stored. The hash registry is a single-purpose data asset with documented retention.
- A.12.4 — Logging and monitoring. Per-attestation logs with cryptographic linkage via chain-of-custody parent hashes.
- A.14.1 — Security in development. Apache 2.0 source; reproducible builds for the Chrome extension.
- A.18.1 — Compliance with legal / contractual requirements. Data-handling terms codified in the Privacy Policy and Terms of Service.
NIST AI Risk Management Framework
- GOVERN-1.1 — AIAuth provides a verifiable record of human review, supporting organizational policies that require a human in the loop for AI-assisted output.
- MAP-1.1 — Receipts aggregate AI-authorship signals (model, provider, source_domain, ai_markers) for context identification.
- MEASURE-2.6 — Time-to-attest (tta) is a proxy metric for review quality; the enterprise dashboard surfaces rubber-stamp detection.
- MANAGE-2.3 — Chain of custody (parent, doc_id) supports incident review and rollback.
Scope of applicability
This mapping is informational and is not a substitute for a SOC 2 audit, ISO 27001 certification, or NIST AI RMF implementation. We are not yet SOC 2 audited; the crosswalk is provided so your compliance team can evaluate where AIAuth fits within your own control environment. For the self-hosted enterprise tier, we can provide architecture diagrams and control-evidence artifacts under NDA — contact sales@aiauth.app.