
AI Agent Compliance 2026: HIPAA, SOC 2, GDPR — The Buyer's Checklist

Compliance frameworks that matter when deploying AI agents in 2026 — HIPAA, SOC 2, GDPR, ISO 27001, EU AI Act, NIST AI RMF — what each requires, the vendor questions to ask, and the controls you actually need before procurement signs.

Eyal Shlomo, published May 23, 2026

Compliance is where most AI-agent procurements actually live or die in 2026. The model is impressive in the demo; the trouble starts when InfoSec asks for the SOC 2 Type II report. This guide is the buyer's checklist — the six frameworks that matter (SOC 2, ISO 27001, HIPAA, GDPR, the EU AI Act, NIST AI RMF), what each requires, what to ask vendors, and the controls you need on your own side before you can deploy responsibly.

The single most-common reason an AI-agent procurement falls through in 2026 isn't price or features; it's a 90-minute security and compliance review in which the vendor's answers don't hold up. The teams that close fast are the ones who showed up with the right paperwork on day one.

This article sits next to AI agent security, agent stack reference and observability comparison. It's written for buyers (CIO / CISO / CFO offices, procurement, GRC) and for vendors who want to understand what enterprise buyers actually need.

The six frameworks that matter

Framework     | Scope                       | Who must care               | Vendor obligation
SOC 2 Type II | US trust services criteria  | Almost any B2B buyer        | Annual independent attestation
ISO 27001     | International ISMS standard | Global enterprises          | Certified ISMS
HIPAA         | US healthcare PHI           | Anyone handling PHI         | BAA + technical safeguards
GDPR          | EU personal data            | Anyone serving EU users     | DPA + data subject rights
EU AI Act     | EU AI systems               | EU-deployed AI by risk class | Conformity + transparency
NIST AI RMF   | US federal-adjacent         | Gov + critical infra        | Voluntary but increasingly expected

A typical enterprise SaaS buyer expects, at minimum, SOC 2 Type II + ISO 27001 + framework-specific certifications (HIPAA if healthcare, FedRAMP if US public sector, etc.). Lacking any of these doesn't disqualify a vendor but does narrow the buyer base materially.

SOC 2 Type II — the trust baseline

SOC 2 is the de facto "yes you can buy from us" attestation for US B2B SaaS in 2026. It's not a regulation; it's an attestation that an independent auditor reviewed the vendor's controls against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).

Why Type II matters and Type I doesn't:

  • Type I: "These controls existed on this date." Easy to fake.
  • Type II: "These controls operated effectively over 6–12 months." Real evidence.

What to demand from an AI agent vendor:

  • Current SOC 2 Type II report (under NDA is normal).
  • Auditor name and report date — under one year old.
  • A list of "complementary user entity controls" (what you must do to inherit their compliance).
  • Any exceptions / modified opinion items explained.

Where AI agents add SOC 2 work beyond classic SaaS: tracking model providers as sub-processors, documenting how prompts and outputs are handled in logs, evidencing access control on memory stores, demonstrating that agent runs are auditable.

ISO 27001 — the international equivalent

ISO 27001 certifies an Information Security Management System (ISMS). Many European enterprises require it where US buyers would accept SOC 2. The pragmatic answer in 2026 is "have both" — most enterprise-grade AI vendors do.

ISO 27001's 2022 update added explicit controls around cloud services, threat intelligence and secure development that align well with AI agent stacks.

HIPAA — for any agent touching US healthcare

HIPAA's two key obligations for AI agents:

  1. Sign a Business Associate Agreement (BAA). Without one, you cannot legally share PHI with the vendor.
  2. Implement the Security Rule's technical safeguards — access control, audit, integrity, transmission security.

Vendor questions:

  • Do you sign BAAs at the buyer's tier? (Some vendors only sign BAAs on enterprise plans.)
  • Is inference run in a HIPAA-eligible environment? (Most major clouds + Anthropic, OpenAI and Google all offer HIPAA-eligible API tiers; some vendors' fine print disqualifies smaller plans.)
  • Where are logs stored, and does logging include PHI? (Logs that include PHI must remain inside the BAA scope.)
  • Are observability and analytics sub-processors covered by the BAA?

A common failure mode in 2026: a healthcare buyer deploys an agent that calls a frontier model under a BAA, but the vendor's observability layer (LangSmith / Helicone cloud) is not under that BAA, and PHI leaks into the trace store. See our AI for healthcare and AI voice agent healthcare coverage for vertical-specific framing.
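The failure mode above is a trace-export problem, so the natural control sits on the export path: block destinations that are not on the sub-processor list, and withhold or scrub PHI from anything bound for a destination outside the BAA. The following Python is an added example, not code from any vendor named in this article; the destination names, the PHI attribute list and the identifier patterns are constructed assumptions, and a real deployment would derive the BAA-covered list from the executed BAA and the sub-processor register.

```python
import re
from typing import Any, Dict
# Constructed register of observability destinations. In a real deployment this
# comes from the executed BAA and the vendor's sub-processor list (dossier item 3).
KNOWN_DESTINATIONS = {"self-hosted-otel-collector", "vendor-trace-cloud"}
BAA_COVERED_DESTINATIONS = {"self-hosted-otel-collector"}

# Span attributes the data-classification step has tagged as PHI-bearing.
PHI_ATTRIBUTES = {"prompt", "completion", "patient_name", "mrn"}

# Deliberately simple, constructed patterns for identifiers that leak into free text.
PHI_PATTERNS = [
    (re.compile(r"\bMRN[-\s]?\d{6,}\b", re.IGNORECASE), "[MRN-REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN-REDACTED]"),
]

def scrub(value: str) -> str:
    """Replace recognisable identifiers in free text with fixed markers."""
    for pattern, replacement in PHI_PATTERNS:
        value = pattern.sub(replacement, value)
    return value

def gate_span(span: Dict[str, Any], destination: str) -> Dict[str, Any]:
    """Return what may be exported to `destination`: unlisted destinations are blocked
    (egress control), BAA-covered ones get the span unchanged, and all others get a
    copy with PHI-tagged attributes withheld and identifiers scrubbed from free text."""
    if destination not in KNOWN_DESTINATIONS:
        raise PermissionError(f"trace egress to unlisted destination: {destination}")
    if destination in BAA_COVERED_DESTINATIONS:
        return span
    redacted: Dict[str, Any] = {}
    for key, value in span["attributes"].items():
        if key in PHI_ATTRIBUTES:
            redacted[key] = "[PHI-WITHHELD]"
        elif isinstance(value, str):
            redacted[key] = scrub(value)
        else:
            redacted[key] = value
    redacted["phi_redacted"] = True  # lets reviewers confirm the gate ran
    return {"name": span["name"], "attributes": redacted}

# Constructed sample span from an agent run that handled a patient record.
SAMPLE_SPAN = {
    "name": "llm.call",
    "attributes": {
        "prompt": "Summarize the chart for patient MRN 123456",
        "model": "frontier-model-x",
        "tool_note": "Referenced MRN 123456 and SSN 123-45-6789",
    },
}
```

The pattern list is illustrative only; the dependable control is the attribute-level classification plus the destination allowlist, with regex scrubbing as a backstop for identifiers that slip into free text.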

GDPR — for any agent serving EU users

The Regulation has been settled law since 2018 but its application to AI agents needed several years of guidance to clarify. The 2026 picture:

Lawful basis. You need one for processing personal data through the agent. For most B2B uses, the basis is "performance of a contract" or "legitimate interest." For consumer-facing agents the basis is typically explicit consent.

Data subject rights. Users have the right to know what data the agent holds about them, correct it, delete it, and export it. For agents with long-term memory this means a memory-inspection / deletion API.

Cross-border transfers. Standard Contractual Clauses (SCCs) + supplementary measures cover most US/EU transfers; some EU customers (especially public sector) insist on EU-only inference (Anthropic, OpenAI and Google all offer EU residency tiers in 2026).

Automated decision-making. GDPR Article 22 limits decisions "based solely on automated processing" that produce significant legal effects. Most B2B AI agents avoid this by keeping a human-in-the-loop on consequential decisions.

Vendor obligations:

  • DPA in place.
  • List of sub-processors maintained and notifiable on change.
  • Documented retention and deletion policy.
  • Data residency option for EU buyers.

For more on the broader privacy posture see our agent memory guide — memory is where most GDPR friction actually shows up in agents.
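As an added illustration of the memory-inspection / deletion API that the data subject rights and the retention-and-deletion obligation above call for (this is not code from the page or from any named vendor), here is a Python in-memory store keyed by data subject. The 30-day retention period, the entry shape and the lawful-basis tag are assumptions.

```python
import time
from typing import Dict, List, Optional

RETENTION_SECONDS = 30 * 24 * 3600  # constructed policy: keep memories for 30 days

class SubjectMemory:
    """Agent long-term memory keyed by data subject, exposing the rights GDPR grants them."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[dict]] = {}
        self._next_id = 1
        self.erasure_log: List[dict] = []  # audit trail of erasures; never stores content

    def remember(self, subject_id: str, text: str, lawful_basis: str,
                 now: Optional[float] = None) -> int:
        """Store a memory tagged with its lawful basis so it can be justified later."""
        entry = {"id": self._next_id, "text": text, "lawful_basis": lawful_basis,
                 "created": now if now is not None else time.time()}
        self._next_id += 1
        self._entries.setdefault(subject_id, []).append(entry)
        return entry["id"]

    def inspect(self, subject_id: str) -> List[dict]:
        """Right of access and portability: a JSON-serialisable copy of everything held."""
        return [dict(e) for e in self._entries.get(subject_id, [])]

    def rectify(self, subject_id: str, entry_id: int, new_text: str) -> bool:
        """Right to rectification: correct one memory in place."""
        for entry in self._entries.get(subject_id, []):
            if entry["id"] == entry_id:
                entry["text"] = new_text
                return True
        return False

    def erase(self, subject_id: str, now: Optional[float] = None) -> int:
        """Right to erasure: drop all memories, keeping only a content-free audit record."""
        removed = len(self._entries.pop(subject_id, []))
        self.erasure_log.append({"subject_id": subject_id, "count": removed,
                                 "at": now if now is not None else time.time()})
        return removed

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Retention policy: delete memories older than RETENTION_SECONDS."""
        cutoff = (now if now is not None else time.time()) - RETENTION_SECONDS
        removed = 0
        for subject_id, entries in self._entries.items():
            kept = [e for e in entries if e["created"] >= cutoff]
            removed += len(entries) - len(kept)
            self._entries[subject_id] = kept
        return removed
```

A production store would persist the same operations and the erasure log durably, since the log is what you show an auditor when a deletion request is questioned.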

The EU AI Act — the regulation specifically for AI

The Act came into force in 2024 and rolled into application through 2025–2026. By mid-2026 the high-risk provisions are fully in force.

Risk classification:

  • Prohibited. Social scoring, real-time biometric ID in public spaces (with narrow exceptions), manipulative AI. Off-limits.
  • High-risk. AI used in HR, education, credit, healthcare diagnosis, critical infrastructure, law enforcement, border control. Triggers heavy obligations.
  • Limited-risk. Most B2B agents. Transparency obligations only (users must know they're interacting with AI).
  • Minimal-risk. Spam filters and similar.

If your agent is high-risk under the Act, obligations include:

  • Conformity assessment before deployment.
  • Risk-management system.
  • Data governance and quality requirements on training data.
  • Detailed technical documentation.
  • Logging and traceability of decisions.
  • Human oversight design.
  • Accuracy / robustness / cybersecurity standards.
  • Post-market monitoring.
  • Fundamental rights impact assessment.

Practically: if you're deploying an agent that screens job applicants, sets credit limits, makes medical recommendations or interacts with critical infrastructure, you're high-risk and need the full apparatus. Most B2B agents (sales, ops, support, coding) are limited-risk and only need transparency labels.

General-purpose AI model providers (OpenAI, Anthropic, Google, Meta, Mistral) have their own obligations under the Act — technical documentation, copyright disclosures, training-energy reporting for the largest models. The vendor passes the relevant parts of this down to enterprise buyers.

NIST AI RMF — the US federal-adjacent framework

The NIST AI Risk Management Framework is voluntary but increasingly expected by US federal-adjacent buyers and by regulated industries that take their cues from NIST. Its four core functions — Govern, Map, Measure, Manage — give a useful structure even outside US federal contexts.

Practical use in 2026: most enterprise GRC teams treat NIST AI RMF as the internal framework for organizing the AI program, and SOC 2 / ISO 27001 as the external evidence they show buyers.

The vendor compliance dossier — what to demand

When evaluating an AI agent vendor for enterprise procurement, demand the following in one package:

  1. Certifications. SOC 2 Type II report + ISO 27001 certificate + relevant industry-specific (HIPAA documentation if applicable, FedRAMP if US public, PCI DSS if payments).
  2. Data Processing Agreement (DPA). Pre-drafted, GDPR-compliant.
  3. List of sub-processors. Names, locations, processing purpose. Most vendors maintain this on a public page.
  4. Pen-test summary. Latest report, redactions OK; dated within the last 12 months.
  5. AI red-team summary. See our AI agent security guide. Vendors who don't red-team specifically for prompt injection are not yet mature.
  6. Architecture diagram. Where data flows, where it's stored, where logs go.
  7. Incident response plan. SLA for notification, breach playbook.
  8. Data-deletion process. Timeline + format of certificate of destruction on contract termination.
  9. Audit log capabilities. Sample of an audit trail for an agent run.
  10. Insurance. Cyber liability coverage at appropriate limits.

A vendor who can deliver this dossier in 48 hours is enterprise-ready. A vendor who needs three weeks is mid-maturity. A vendor who can't deliver it at all is not enterprise-ready, regardless of demo quality.

Controls you must implement on your side

Compliance isn't just vendor responsibility. Your side of the deployment must implement:

  • Identity. SSO / SAML for agent access; per-user audit trail of who used the agent for what.
  • Data classification. Don't let high-classification data flow into agents that aren't certified for it.
  • Egress controls. What outbound destinations may the agent contact?
  • Logging retention. Per your data retention policy, not the vendor's default.
  • DPIA / Privacy Impact Assessment where the agent processes personal data.
  • Acceptable use policy for end-users so they know what they can and can't put in the agent.
  • Human oversight where regulations demand it (high-risk under the EU AI Act; significant decisions under GDPR).
  • Annual review of the deployment vs current compliance posture; AI compliance is a moving target.

What changes when the agent is "more autonomous"

Compliance friction increases sharply with autonomy. A copilot that suggests email drafts has roughly the compliance burden of email itself. An autonomous agent that sends emails on its own raises questions about agency, authorization, and the audit chain. The autonomy spectrum (see autonomous vs copilot agents) maps directly onto compliance review depth.

Practical guidance:

  • Copilot / suggest-only: standard SaaS review.
  • Approve-then-act (human-in-loop on writes): standard SaaS + per-action audit.
  • Autonomous in a sandbox: full security + privacy + auditability review.
  • Autonomous in production with external actions: above + insurance + legal review + bounded blast-radius design.

See human-in-the-loop, agent observability and our methodology page.

The bottom line for procurement

Compliance is the most boring conversation in AI in 2026, and also the one that decides which vendors get $50M deals and which get pilots that never close. The mature buyer treats it as a checklist and works the list early. The mature vendor publishes the dossier proactively. Everyone else loses six weeks of cycle time per deal.

For the broader buyer's view see how to pick an AI agent, how to evaluate an AI agent, and the leaderboard for our scoring across compliance-relevant axes.
