The Innovation Attorney Podcast
Global Predictions paid the Securities and Exchange Commission 175,000 dollars on March 18, 2024, for calling itself the first regulated AI financial adviser without being able to support the claim. Delphia paid 225,000 dollars in the same action. Both cases charged violations of Section 206.2 and Section 206.4 of the Investment Advisers Act of 1940, and both involved a company describing its own AI capability in terms the underlying technology could not support. That enforcement pattern is the backdrop against which an entire new software category, automated compliance and audit tools for enterprise AI, is now selling itself into finance, health, and defense. This Substack is reader-supported. To receive new posts and support my work, consider becoming a free or paid subscriber. The commercial case for these tools is strong on paper. Enterprise AI systems in regulated sectors carry obligations under statutes that predate large language models by decades: the Investment Advisers Act of 1940 for financial advisers, the Health Insurance Portability and Accountability Act of 1996 for health systems, and Federal Acquisition Regulation cybersecurity clauses for defense contractors. Layered on top of those older statutes are two newer reference points. The National Institute of Standards and Technology published its AI Risk Management Framework, organized around four functions the agency labels Map, Measure, Manage, and Govern, as a voluntary structure with no certification mechanism. The International Organization for Standardization published ISO/IEC 42001 in December 2023 as the first certifiable AI management system standard, complete with a two stage audit and a three year recertification cycle. Platforms including Credo AI, Holistic AI, ModelOp, and Vanta have built businesses mapping enterprise AI deployments against these frameworks. Vanta advertises ISO/IEC 42001 audit readiness within two to four weeks using 70 prebuilt controls. Credo AI markets assessments spanning the EU AI Act, the NIST framework, and ISO/IEC 42001 in a single registry. Amazon Web Services, Anthropic, and Microsoft already hold ISO/IEC 42001 certification as of 2026, and enterprise buyers increasingly ask vendors and each other for the same credential before signing. Venture capital has priced this shift into how it evaluates the startups building these tools and the startups relying on them. A KPMG Private Enterprise Venture Pulse analysis found that 74 percent of late stage venture deals included a dedicated AI or technical review in 2025, up from 31 percent in 2022. Andreessen Horowitz and Sequoia Capital, the two funds most frequently named as anchor investors in AI unicorns, each manage roughly 90 billion dollars in assets and now run diligence that tests model ownership, training data sourcing, and whether commercial contracts assign AI specific liability rather than relying on generic software as a service language. Four compliance automation startups, Hadrius, Spektr, Iridius, and Haast, raised a combined 67.6 million dollars in 2026 selling directly into that demand. In contract negotiations over the past year, I have watched enterprise customers try to substitute a vendor’s ISO/IEC 42001 certificate for the indemnification language their own counsel had asked for, and in every instance the certificate covered a process, not the specific output the customer was buying. A certification audit tests whether an organization followed its documented procedures. It does not test whether the underlying AI model produced a biased credit decision, a wrong diagnosis, or a leaked medical record. The Health Insurance Portability and Accountability Act of 1996 does not excuse a data breach because the health system’s AI vendor held a clean audit score, and Section 206 of the Investment Advisers Act of 1940 does not excuse a misleading AI marketing claim because a third party platform generated the language. The statute governs the outcome. The audit governs the paperwork. The regulatory calendar makes the gap harder to ignore. The EU AI Act set August 2, 2026, as the date most remaining provisions take effect, but a May 7, 2026, political agreement postponed the compliance date for Annex III use based high risk systems, covering credit scoring, employment screening, and biometric identification, to December 2, 2027, and postponed Annex I product regulated high risk systems, covering medical devices and lifts, to August 2, 2028. Companies that built compliance programs around the original August 2026 date now have to decide whether to hold that timeline or reallocate the budget toward the deferred obligations. Noncompliance once the deadlines do arrive carries fines up to 35 million euros or 7 percent of annual worldwide turnover, whichever figure is higher, and ISO/IEC 42001 certification is not a harmonized standard under the statute, so holding the certificate does not create a presumption of conformity. The Federal Trade Commission has already shown what happens when a company’s AI claims outrun what the technology delivers. Operation AI Comply, opened in September 2024, produced roughly a dozen AI washing cases in 2025 and continued into 2026 with the Growth Cave resolution on January 27 and an action against three marketing companies over a deceptive Active Listening tool on May 21. Every one of those cases involved a company describing its AI capability in terms broader than the underlying system could support. A compliance automation vendor that overstates its own detection capability, or an enterprise that treats a purchased audit report as proof of a regulatory conformity it has not actually achieved, sits inside the identical fact pattern. None of this means the compliance automation category is a bad bet for the enterprises buying it or the investors funding it. Sector specific audit obligations are real, the frameworks these platforms map against are the ones regulators actually cite, and a documented process is better than no process when a regulator or a plaintiff’s lawyer eventually asks what the company did to manage its AI risk. What the category cannot yet do is transfer legal liability away from the company that deployed the model, and no venture partner’s diligence checklist changes what a statute written decades before generative AI actually requires. Read my full analysis here: https://theinnovationattorney.com/automated-compliance-audits-become-a-2026-condition-for-ai-venture-funding/ This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit theinnovationattorney.substack.com/subscribe [https://theinnovationattorney.substack.com/subscribe?utm_medium=podcast&utm_campaign=CTA_2]
68 episodios
Comentarios
0Sé la primera persona en comentar
¡Regístrate ahora y únete a la comunidad de The Innovation Attorney Podcast!