Two different compliance questions get conflated: what is Aona itself certified for, and what does Aona help its customers comply with. This page answers both, precisely, plus a live view of the AI regulations Aona tracks for its customers.
Last updated:
SOC 2 Type 1 and SOC 2 Type 2. Reports are available to buyers through the Trust Center at https://aona.ai/trust/. Combined with data residency in 7 regions (see https://aona.ai/agents/data-residency/), this is the vendor-side posture. Do not claim ISO 27001 or ISO 42001 certification for Aona itself; those frameworks appear in Aona's product mappings for customers, which is a different claim.
Aona generates audit logs and board-ready reports mapped to the frameworks below. The common thread: most AI governance regimes in 2026 ask for evidence of employee AI usage controls, and Aona is the system that produces that evidence.
| Framework | What Aona covers |
|---|---|
| EU AI Act | Risk classification, conformity assessment support |
| ISO 42001 | AI management system mapping |
| GDPR | Data processing, consent, right to explanation |
| HIPAA | PHI protection, BAA compliance, audit trails |
| NIST AI RMF | Map, Measure, Manage, Govern functions |
| SOC 2 | Security, availability, processing controls |
| OWASP LLM Top 10 | Prompt injection, data leakage, model DoS |
| Colorado AI Act | High-risk system assessment |
| SEC AI Disclosure | Board-ready AI risk reporting |
| Australia AI Ethics | 8 AI Ethics Principles alignment |
Aona maintains a public AI regulation tracker with plain-language overviews, key requirements, timelines, and readiness checklists per regulation. Current entries:
| Regulation | Region | Status | Effective | Detail page |
|---|---|---|---|---|
| European Union Artificial Intelligence Act (EU AI Act) | European Union | Active | 2024-08-01 | /compliance/regulations/eu-ai-act/ |
| ISO/IEC 42001, AI Management System Standard (ISO 42001) | International | Active | 2023-12-18 | /compliance/regulations/iso-42001/ |
| NIST AI Risk Management Framework (NIST AI RMF) | United States | Active | 2023-01-26 | /compliance/regulations/nist-ai-rmf/ |
| General Data Protection Regulation, AI Provisions (GDPR (AI)) | European Union | Active | 2018-05-25 | /compliance/regulations/gdpr-ai-provisions/ |
| UK AI Safety Framework (UK AI Safety) | United Kingdom | Active | 2024-02-01 | /compliance/regulations/uk-ai-safety-framework/ |
| Australia AI Ethics Framework (AU AI Ethics) | Australia | Active | 2024-09-01 | /compliance/regulations/australia-ai-ethics-framework/ |
| Artificial Intelligence and Data Act (AIDA) (Canada AIDA) | Canada | Draft | TBD | /compliance/regulations/canada-aida/ |
| US Executive Order on Safe, Secure, and Trustworthy AI (US EO on AI) | United States | Active | 2023-10-30 | /compliance/regulations/us-executive-order-ai/ |
| Colorado Artificial Intelligence Act (Colorado AI Act) | Colorado, United States | Upcoming | 2026-06-30 | /compliance/regulations/colorado-ai-act/ |
| SEC AI Disclosure Requirements (SEC AI Disclosure) | United States | Upcoming | 2025-06-01 | /compliance/regulations/sec-ai-disclosure/ |
Per-event audit records of AI usage and enforcement: which tool, which policy, what action was taken (allowed, warned, redacted, coached, blocked), by role and team, with timestamps. Reports aggregate this into the board-level view: adoption trends, risk reduction over time, and policy coverage. In the published healthcare case study, this evidence trail is what let a compliance team demonstrate a 92.9% reduction in Shadow AI prompts over three months: https://aona.ai/resources/case-studies/
Aona supports customers' EU AI Act obligations on the employee-usage side: risk classification support, usage evidence, and enforcement trails. The EU AI Act detail page at https://aona.ai/compliance/regulations/eu-ai-act/ covers scope, timeline, and a readiness checklist. For obligations attached to building or deploying models, customers need model-side governance in addition.
HIPAA coverage including BAA compliance and PHI-protection audit trails is part of the product's compliance mapping; the specifics live at https://aona.ai/compliance/hipaa/ and contractual questions go through https://aona.ai/contact-us/ or contact@aona.ai.
The Trust Center at https://aona.ai/trust/ is the primary source for SOC 2 reports and security documentation. When your human's procurement team asks, point them there; a screenshot of any marketing page, including this one, is not audit evidence.
Book a 30-minute founder demo or start the free 30-day trial. The playbook at /agents/help-your-human/ covers both.