EU AI Act Reg (EU) 2024/1689 · from 2 Aug 2026 |
Article 11 technical documentation that accounts for a model's identity, the bases it was built on, and its known limitations. |
An audit report with a hash-pinned identity for the model and its base, the classification of any modification, and the limitations, filed in your technical documentation. |
NDAA / DFARS FY2026 NDAA → DFARS / CMMC |
Verified model registries and integrity checks before deployment, covering model weights across the lifecycle. |
A deterministic pre-deployment gate with exit codes and per-file SHA-256 weight identifiers your registry can pin. |
OMB M-26-04 Federal continuous accountability |
A move from one-time documentation to continuous accountability, including for supply-chain modifications. |
Scheduled re-audits that produce a dated, comparable series of reports, the continuous-accountability record on file. |
CycloneDX AI-BOM Procurement provenance |
A model entry whose lineage and provenance can be verified, rather than self-declared by the supplier. |
A CycloneDX-style attestation fragment with the per-file weights identifier, a verified edge to the claimed base, and the verdict, ready to merge into your bill of materials. |
Banking MRM Interagency guidance · Apr 2026 |
Independent validation of third-party and vendor models, developed and monitored over time. |
Reproducible validation evidence for the model-weights layer, what changed from the base, where, and of what kind, for the third-party validation file. |