🇺🇸 United States · jurisdiction-aware

Sovereign AI ready for United States.

ReguNav ships HIPAA, CCPA, SOC 2, NIST AI RMF, NIST CSF, PCI DSS — every control anchored to a US regulator. Whether you're a HIPAA-covered entity, a CCPA-supervised SaaS, or an FDA-regulated SaMD vendor, the regulator anchors are first-class on the platform.

United States regulator landscape

Every United States control on the platform is anchored to a named regulator artefact. When the regulator updates its guidance, the framework registry takes the version bump and every dependent control inherits it.

Food and Drug Administration (FDA)

Medical devices · SaMD · De Novo · 510(k) (official ↗)

HHS Office for Civil Rights (OCR)

HIPAA Privacy + Security enforcement (official ↗)

Office of the National Coordinator for Health IT (ONC)

HTI-1 AI transparency · USCDI · TEFCA (official ↗)

National Institute of Standards and Technology (NIST)

AI RMF · CSF · 800-53 · 800-171 (official ↗)

Securities and Exchange Commission (SEC)

Cybersecurity disclosure · Reg S-K Item 106 (official ↗)

Commodity Futures Trading Commission (CFTC)

Derivatives · DCMs · SDRs · LabCFTC (official ↗)

Federal Trade Commission (FTC)

Consumer protection · UDAP · COPPA · Sec 5 (official ↗)

California Attorney General

CCPA / CPRA enforcement (official ↗)

The Joint Commission

Healthcare-org accreditation (official ↗)

Frameworks anchored in United States

HIPAA Security & Privacy

2013 Omnibus · 20 clauses · 15 controls

US federal regulation governing the use and disclosure of Protected Health Information (PHI) by Covered Entities (health plans, health-care clearinghouses, providers transmitting health information electronically) and Business Associates. Privacy Rule (§§ 164.500-534) governs uses and disclosures of PHI; Security Rule (§§ 164.302-318) requires administrative, physical and technical safeguards for ePHI; Breach Notification Rule (§§ 164.400-414) requires notice to affected individuals, the HHS Secretary and (for breaches affecting ≥500 individuals) prominent media outlets.

CCPA / CPRA

2024 · 17 clauses · 13 controls

California state privacy law applying to for-profit businesses doing business in California that (a) had annual gross revenues over $25 million in the preceding year, (b) annually buy/sell/share the personal information of 100,000+ California consumers or households, or (c) derive 50%+ of annual revenue from selling/sharing California consumers' personal information. Establishes seven consumer rights, three opt-out mechanisms (sale, sharing, sensitive PI), a notice + transparency regime, business-purpose service-provider + contractor + third-party distinctions, and a private right of action for certain data breaches. Enforced by the California Privacy Protection Agency (CPPA) + the California Attorney General.

SOC 2 Type II

2017 TSC · 13 clauses · 15 controls

AICPA attestation framework for service organisations. The Common Criteria (CC1-CC9) form the security baseline that every SOC 2 engagement covers; the four additional categories (Availability, Processing Integrity, Confidentiality, Privacy) are optional and elected by the service organisation. A SOC 2 Type II engagement covers a period (typically 6-12 months) and attests to the operating effectiveness of controls over that period. An independent CPA service auditor produces the report under SSAE 18 / AT-C Section 320.

SOC 1 Type II

SSAE 18 AT-C 320 (2017) · 13 clauses · 14 controls

AICPA Service Organization Controls 1 (SOC 1) Type II examination — reports on the design and operating effectiveness of a service organization's controls likely to be relevant to user entities' Internal Control over Financial Reporting (ICFR). The examination is conducted by an independent service auditor under SSAE 18 AT-C 320. Type II covers a specified period (commonly 6 or 12 months) and includes the service auditor's tests of operating effectiveness. The framework captured here is the standard set of control-objective domains used across the industry — logical access; change management; computer operations; system development; data transmission; physical security; data processing integrity — plus the structural requirements for the management description of the system (DC 1-8), the management assertion, CUECs (complementary user-entity controls), CSOCs (complementary subservice-organization controls), and carve-out vs. inclusive-method handling of subservice organizations.

NIST AI Risk Management Framework

1.0 · 20 clauses · 14 controls

Voluntary US framework for managing risks posed by AI systems. Organises trustworthy-AI work into four core functions — GOVERN (organisational culture, policies, accountability), MAP (context, AI capabilities + use, impact identification), MEASURE (analysis, testing, tracking), MANAGE (prioritised risk response across the lifecycle). Each function decomposes into categories with subcategories. Outcomes — validity + reliability, safety, security + resilience, accountability + transparency, explainability + interpretability, privacy enhancement, fairness with managed bias — characterise trustworthy AI.

NIST CSF 2.0

2.0 · 22 clauses · 15 controls

Voluntary US framework organising cybersecurity activities into six functions — GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER. Each function decomposes into categories with outcome-statement subcategories. Implementation Tiers (Partial, Risk-Informed, Repeatable, Adaptive) and Profiles (Current + Target) provide an organisational-maturity overlay. Suitable for use across critical infrastructure, government and the private sector at any size.

FedRAMP

Rev. 5 (2024-05) · 28 clauses · 18 controls

Federal Risk and Authorization Management Program — the US government programme that standardises security authorisation of cloud products and services for federal agencies. Built on the NIST SP 800-53 Rev. 5 control baseline; ReguNav indexes its three baselines (Low / Moderate / High), the 17 NIST 800-53 control families, and the FedRAMP-specific authorisation and continuous-monitoring (ConMon) obligations.

United States SaaS, fintech, healthcare-AI, or essential-service organisation?

We work with organisations supervised by every regulator listed above. The jurisdiction-aware engine routes incident reports, DSARs, and FRIA submissions to the correct authority + timeline automatically.

Talk to the United States team →

Jurisdiction codes + regulator data are sourced from @regunav/jurisdictions (Apache-2.0, open-source). Adding a new market is a single registry entry — no copy-paste regulator content. See /uk for the bespoke deep-dive template.