Compliance for ML Systems
ML compliance has become a real engineering workstream. SOC 2, HIPAA, GDPR and the EU AI Act all touch how you train, store, and serve models. Here is what they actually require.
Regulatory map
- SOC 2 Type 2: applies to any SaaS handling customer data. Adds modest ML overhead (data lineage, access controls).
- HIPAA: medical data. Encryption, audit logs, business associate agreements with providers.
- GDPR: EU users. Right to deletion is hard for ML (the model has already been trained on the data, and retraining is the only clean way to honour the request). Mitigations include differential privacy and data minimisation.
- EU AI Act: covered separately. Risk-tiered.
- NIST AI Risk Management Framework: voluntary in the US but increasingly required in federal contracts.
Engineering controls
Common requirements:
- data lineage (training set documented)
- access controls (who can read what)
- audit logs (every prediction logged with model version + input hash)
- model registry (versioned, traceable)
- evaluation evidence (model passes documented tests before deploy)
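As an added illustration (not code from the original page or from any framework named on it), the following Python sketches three of these controls together: an append-only model registry that records training-set lineage, an evaluation gate that refuses deployment when documented thresholds are not met, and an audit record that captures the model version and a canonical hash of the input rather than the input itself. All names, metrics and thresholds are assumptions chosen for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ModelVersion:
    """One immutable, registered model build (constructed example)."""
    name: str
    version: str
    training_set_sha256: str            # data lineage: hash of the training-set manifest
    eval_results: dict = field(default_factory=dict)  # evaluation evidence


class ModelRegistry:
    """Versions are write-once so a logged model_version is always traceable."""

    def __init__(self):
        self._models = {}

    def register(self, mv: ModelVersion) -> None:
        key = (mv.name, mv.version)
        if key in self._models:
            raise ValueError(f"{mv.name}:{mv.version} already registered; versions are immutable")
        self._models[key] = mv

    def get(self, name: str, version: str) -> ModelVersion:
        return self._models[(name, version)]


def eval_gate(mv: ModelVersion, required: dict) -> list:
    """Return the list of failed checks; an empty list means the model may deploy.
    `required` maps metric name -> minimum acceptable value (assumed thresholds)."""
    failures = []
    for metric, threshold in required.items():
        value = mv.eval_results.get(metric)
        if value is None or value < threshold:
            failures.append(f"{metric}: {value} < {threshold}")
    return failures


def hash_input(features: dict) -> str:
    """Hash a canonical JSON encoding so key order does not change the digest.
    Only the digest is logged, so the audit trail does not copy the raw input."""
    canonical = json.dumps(features, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def audit_record(mv: ModelVersion, features: dict, prediction, caller: str) -> dict:
    """Build one audit-log entry for a single prediction."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "model": mv.name,
        "model_version": mv.version,
        "training_set_sha256": mv.training_set_sha256,
        "input_sha256": hash_input(features),
        "prediction": prediction,
        "caller": caller,
    }


def deploy_and_predict(registry: ModelRegistry, name: str, version: str,
                       required: dict, features: dict, caller: str) -> dict:
    """Gate on evaluation evidence, then serve one prediction with an audit entry.
    The scoring itself is a stub; the point is the surrounding controls."""
    mv = registry.get(name, version)
    failures = eval_gate(mv, required)
    if failures:
        raise RuntimeError("deployment blocked: " + "; ".join(failures))
    prediction = "approve" if features.get("score", 0) >= 0.5 else "decline"  # stub model
    return audit_record(mv, features, prediction, caller)


if __name__ == "__main__":
    reg = ModelRegistry()
    # Constructed sample values; the digest below is a placeholder, not a real manifest hash.
    reg.register(ModelVersion("credit-scorer", "1.4.0",
                              training_set_sha256="0" * 64,
                              eval_results={"auc": 0.91, "fairness_gap": 0.03}))
    thresholds = {"auc": 0.85}
    rec = deploy_and_predict(reg, "credit-scorer", "1.4.0", thresholds,
                             {"score": 0.72, "region": "EU"}, caller="svc-underwriting")
    print(json.dumps(rec, indent=2))
```

The audit record satisfies the "model version + input hash" requirement without turning the log into a second copy of customer data, which matters under the GDPR and HIPAA items above; a registry that forbids overwriting a version is what makes `model_version` in the log meaningful months later.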
Paperwork
Model cards (capabilities and limits documented). Datasheets (training data documented). Risk assessments (high-risk uses identified). DPIAs for GDPR. These don’t prevent harm; they document due diligence when something goes wrong.
EU AI Act effects
Most B2B ML apps fall under “limited risk” with minimal obligations. High-risk apps (HR, credit, healthcare) need conformity assessments, audits, and registration. Plan for this if you sell into those domains.