The regulatory perimeter inside which AI-driven credit decisions now have to operate, and the per-decision evidence the regulators ask for.
Every framework below is enforceable today or about to be. Velma evidence is the format both sides expect.
Sorted by soonest deadline first.
AI used in consumer-facing decisions (including lending, insurance, healthcare, employment, and housing) must meet documented governance, impact-assessment, and disclosure obligations enforced by the Texas Attorney General.
Texas joins Colorado as the second comprehensive U.S. state AI law. Penalties are tiered and per-violation.
Developers and deployers of high-risk AI must use reasonable care to protect consumers from algorithmic discrimination, and document governance, impact assessment, and consumer notice.
First U.S. comprehensive AI law. Applies to lending, employment, healthcare, insurance, and government services.
Comprehensive AI regulation covering high-risk AI in lending, healthcare, employment, and public services, with risk classification, governance documentation, and impact assessments enforced by the ANPD.
Largest Latin American market joining the EU/U.S. governance arc. Cross-border vendors face a third major framework.
Anticipated obligations for the largest frontier-AI developers. Safety case, capability evaluation, and incident reporting to a new statutory regulator.
UK is on track to be the third major frontier-AI regulator after the EU and California. Multinational vendors will face a fourth distinct framework.
AI systems and software are treated as products under EU law. Strict-liability for defects, with reversed burden of proof when claimants face technical complexity barriers.
Lending, healthcare, and agentic-AI vendors now carry product-defect liability. Tamper-evident audit evidence is the primary defense.
High-risk AI (credit scoring, healthcare devices, fraud screening, worker management) must ship with documented risk management and regulator-readable evidence.
Original 2 Aug 2026 deadline deferred by the Omnibus VII provisional agreement (May 2026). Standalone systems now in force 2 Dec 2027; embedded systems 2 Aug 2028. Fines up to 7% of global turnover. Deferral confirms the audit-format gap; it does not eliminate it.
Full conformity for the eight Annex III high-risk categories (including credit scoring, employment, education, law enforcement, and democratic processes) alongside Article 9.
Original 2 Aug 2026 deadline deferred by the Omnibus VII provisional agreement. Pulls every adaptive AI product touching one of these surfaces into the formal conformity-assessment process on the new date.
Full conformity for high-risk AI in regulated products under Article 6, and the end of the grandfather window for embedded systems.
Original 2 Aug 2027 deadline deferred to 2 Aug 2028 by the Omnibus VII provisional agreement. The legacy carve-out closes on this date. Every covered system in the field must produce the full evidence package.
The examiner can cite any of these on first request.
Covered lenders must collect, retain, and report demographic and pricing data on small-business applications, including evidence that algorithmic scoring is non-discriminatory.
First-tier compliance is live; Tier 2 and 3 deadlines in 2025 and 2026.
Model-risk framework for banking models. Independent validation, documentation, ongoing monitoring.
Examiners now apply SR 11-7 to adaptive ML and agentic systems inside banks.
Five stages. The evidence artifact. Sealed forecasts at horizon. Isometric DFD-0.
Formal safety models, ODD, assurance cases, reviewer briefs.
How we are set up and why the trust structure matters.
Direct line to the inventor. No demo, no deck.
Thirty minutes. Architecture, not sales. On the regulatory surface you already know.
