The deadlines are real.
The evidence is the hard part.
Regulators don't ask whether you meant to oversee your AI agents — they ask for the records. Here is the current compliance calendar, and exactly how Avowex™'s human-approval gate and tamper-evident audit trail map to each framework's requirements.
Key dates
What's in force and what's coming, as of June 2026.
In force now
Texas TRAIGA · California AB 2013 & SB 53 · Illinois AI-employment notice
Texas offers a safe harbor for NIST AI RMF-aligned programs — oversight controls + logs are the substance.
August 2, 2026
EU AI Act Article 50 — transparency
Users must be told they're interacting with AI, and AI content must be machine-readably marked. Also: California SB 942 provenance rules.
January 1, 2027
Colorado SB 26-189 · California ADMT rules
Consumers get meaningful human review of adverse automated decisions — you'll need the mechanism and the proof.
December 2, 2027
EU AI Act high-risk obligations (Arts. 8–27)
Automatic logging (Art. 12), human oversight (Art. 14), deployer duties (Art. 26). Deadline moved from Aug 2026 — use the runway.*
How Avowex maps to each framework
Requirement → what Avowex does → the evidence you can hand an auditor.
| Framework | What it requires | How Avowex meets it | Evidence you get |
|---|---|---|---|
| EU AI Act: Article 12 — record-keeping | High-risk AI must automatically log events over its lifetime; logs kept ≥6 months; biometric rules even require logging which humans verified results. | Every escalation, decision, actor, and policy change lands in an append-only, hash-chained audit log — tamper-evident by construction. | Audit export + chain attestation (`/v1/audit/verify`), retention policy |
| EU AI Act: Article 14 — human oversight | Humans must be able to monitor, interpret, override or disregard outputs, and stop the system. | The gate is the oversight: risky actions pause for a human who approves, rejects, or edits; timeouts fail safe (reject by default). | Decision records with reasons; oversight design documentation |
| EU AI Act: Article 26 — deployer duties | Assign oversight to competent, trained, authorized people; monitor operation; keep logs. | Team & access roles define exactly who may approve what; the dashboard streams every agent move; per-operator activity is tracked. | Per-operator reports; reviewer roster + roles |
| FINRA · 2026 Report: Rule 3110 supervision | FINRA's 2026 Oversight Report tells firms to address: "human-in-the-loop agent oversight protocols… track agent actions and decisions… guardrails to limit agent behaviors." | That is the product: HITL approval protocols, full agent action tracking, and policy guardrails — server-side, so agents can't bypass them. | Supervision pack: full chain of agent activity + decisions + operators |
| SEC: Rule 17a-4 records | Electronic records via the audit-trail alternative: complete time-stamped trail of every action with the actor's identity, producible on request. | The hash-chained log is a native audit-trail implementation — time-stamped, actor-attributed, tamper-evident, exportable. | Exportable, verifiable decision trail |
| SOC 2: CC6 / CC7 / CC8 | Logical access control, complete logging & monitoring, and controlled changes — including changes to AI guardrails. | Role-scoped keys; complete decision logs; every policy edit is versioned and recorded as a `policy.changed` audit event. | SOC 2 evidence extracts (logs, change ledger, access roles) |
| ISO/IEC 42001: A.6.2.6 / A.6.2.8 / A.9 | AI event-log recording; operation monitoring with every intervention tied to a named person; responsible-use escalation to qualified humans. | Decision log + per-operator reports + policy-gated escalation map one-to-one to these controls. | Named-person intervention records; escalation policy docs |
| HIPAA: §164.312(b) audit controls | A required safeguard: record and examine activity in systems with ePHI — continuous logs, no unexplained gaps. | Hash-chaining proves log continuity; context redaction/minimization keeps payloads lean; BAA available on request. | Gap-free chained logs; 6-year retention option |
| PCI DSS 4.x: Req 3 & 10 | Never store SAD/CVV; PAN unreadable everywhere including logs; logs integrity-protected, 12-month retention. | Token-first integration guidance and context redaction keep card data out of the loop; chained logs satisfy integrity (10.3). | PCI-safe log design; 12-month retention option |
| US states: CO SB 26-189 · TX TRAIGA | Colorado (2027): consumers get meaningful human review of adverse automated decisions. Texas: NIST AI RMF alignment is a safe harbor. | Human review is the core loop — with the record to prove it happened. Avowex implements the RMF's Govern/Manage oversight controls. | Human-review decision records; RMF control mapping |
Honest framing: Avowex is designed to produce the oversight and evidence these frameworks require — it is not itself a certification, and using Avowex does not by itself make your AI system compliant or exempt it from high-risk classification. Dates reflect the EU "Digital Omnibus" agreement of May 2026 (*formal adoption pending — expected mid-2026) and US state law status as of June 2026; both are evolving. Verify specifics with your counsel.
Put the evidence on autopilot.
One API call to gate a risky action. A tamper-evident record of every decision. Free — 500 actions/month, no card.