Global Laws Reference
This page provides a concise mapping of each supported regulatory framework (outside the EU) to the Geodesia G-1 features that satisfy its requirements.
ISO/IEC 42001:2023
International standard for AI management systems. Published in December 2023, it is the AI-systems counterpart of ISO 27001. Organizations can be certified against it.
| Clause | Requirement | Geodesia G-1 |
|---|---|---|
| §5.2 | AI policy | config.yaml — applicable laws, purpose, scope |
| §6.1 | Risk assessment | FRIA |
| §8.4 | Impact assessment | FRIA — impact sections |
| §8.5 | AI system lifecycle | Model switching, threshold management |
| §9.1 | Monitoring and measurement | Dashboard, audit chain |
| §9.3 | Management review | Compliance report |
| §10.1 | Continual improvement | Oversight decisions feed ground-truth loop |
| Annex A.6.2.6 | Explainability | XAI |
| Annex A.6.2.7 | Controllability | Kill switch |
| Annex A.8.3 | Sensitive data | Retention policy |
NIST AI Risk Management Framework 1.0
Voluntary framework for managing AI risk published by the US National Institute of Standards and Technology. Widely adopted in US federal and enterprise contexts.
| Function | Category | Geodesia G-1 |
|---|---|---|
| GOVERN | AI risk governance | Applicable laws config, FRIA |
| GOVERN 1.7 | Processes for deploying AI safely | Kill switch, kill-switch test |
| MAP 1.5 | Likelihood of bias | Detection thresholds, oversight |
| MEASURE 2.5 | AI system performance | Dashboard, scorecard |
| MEASURE 4.1 | Measurement feedback | Oversight decisions loop |
| MANAGE 1.3 | Risk treatment | Blocking enforcement modes |
| MANAGE 3.2 | Risk response plan | Kill switch + incident log |
California SB 942 — AI Transparency Act
Effective January 1, 2026. Applies to providers of AI systems that generate synthetic content and have more than 1 million monthly users.
| Requirement | Geodesia G-1 Feature | Notes |
|---|---|---|
| Watermark AI-generated content | Latent watermark | HMAC-SHA256 token |
| Make the watermark detectable | Verify endpoint | POST /v1/glad/watermark/verify |
| Manifest disclosure in content | geodesia.watermark.disclosure in response | Configurable text |
| Suspend service within 72 hours | Kill switch | auto_deactivate_hours: 72 |
Quick setup for CA SB 942:

```yaml
watermark:
  enabled: true
  disclosure_text: "This content was generated by an artificial intelligence system."
kill_switch:
  enabled: true
app:
  applicable_laws:
    - CA_SB_942
```

Italy 132/2025
Italy's Decree-Law on Artificial Intelligence (in force 2025). Imposes AI content disclosure, marking of synthetic media, and sectoral restrictions for critical infrastructure, healthcare, and education.
| Requirement | Coverage |
|---|---|
| Mark AI-generated content | Manifest watermark + disclosure field |
| Detectable AI content marker | Latent HMAC-SHA256 token |
| Maintain logs of AI operations | Audit chain |
| Human oversight for high-risk sectors | Oversight queue + FRIA |
UK Data Use and Access Act 2025
UK DUAA 2025 establishes a framework for responsible data use and AI transparency in the UK post-Brexit. Key AI-related requirements focus on transparency, accountability, and user rights.
| Requirement | Coverage |
|---|---|
| Transparency about AI systems | Deployer manual, provider identity |
| Accountability framework | FRIA, audit chain |
| Individual rights in automated decisions | Human oversight + override |
| Reporting to regulators | Compliance report export |
Brazil 2338/2023
Brazil's AI Regulation Bill 2338 establishes a risk-based framework aligned with the EU AI Act. Requirements for high-impact systems:
| Requirement | Coverage |
|---|---|
| Fundamental rights impact assessment | FRIA module |
| Technical documentation | Deployer manual |
| Human oversight for high-risk | Oversight queue |
| Incident reporting | Audit chain + compliance report |
| Transparency | Manifest watermark + disclosure |
Canada AIDA (C-27)
Canada's Artificial Intelligence and Data Act (part of Bill C-27):
| Requirement | Coverage |
|---|---|
| High-impact system designation and documentation | FRIA + deployer manual |
| Impact assessment | FRIA module |
| Mitigation measures | Detection thresholds, blocking enforcement |
| Ongoing monitoring | Dashboard + audit chain |
| Human oversight | Oversight queue |
China GB/T 45654
China's national standard for generative AI services (effective 2025):
| Requirement | Coverage |
|---|---|
| Content filtering | Safety detection axes (prompt + answer safety, jailbreak) |
| Logging and record-keeping | Audit chain |
| Watermark/label AI-generated content | Latent + manifest watermark |
| User complaint mechanism | Human oversight queue |
| Prohibited content blocking | Blocking enforcement mode |
Colorado SB21-169
Colorado's Artificial Intelligence Act focuses on consequential automated decisions in insurance, financial services, employment, and housing.
| Requirement | Coverage |
|---|---|
| Bias and impact assessment | FRIA module |
| Transparency to consumers | Deployer manual, disclosure |
| Human review of adverse decisions | Oversight queue |
| Audit trails | Audit chain |
NYC Local Law 144
NYC LL144 applies to automated employment decision tools (AEDTs). It requires:
| Requirement | Coverage |
|---|---|
| Annual bias audit | Detection statistics via dashboard + compliance report |
| Disclosure to job candidates | Watermark + disclosure field |
| Audit report publication | Compliance report export (PDF/DOCX) |
SOC 2 Type II
SOC 2 is an auditing framework for service organizations. The following Trust Services Criteria are satisfied:
| Criterion | Coverage |
|---|---|
| CC6.1 — Logical access | License token-based access control |
| CC7.2 — System monitoring | Dashboard + audit chain |
| CC7.3 — Incident response | Kill switch + oversight escalation |
| CC9.2 — Risk mitigation | Detection thresholds + FRIA |
| A1.2 — Availability capacity | Health check endpoints + kill switch |
| PI1.4 — Processing integrity | Audit chain + HMAC chain verification |
GDPR (Data Protection)
While GDPR is primarily a data protection regulation rather than an AI-specific law, several provisions apply to AI systems that process personal data:
| Article | Requirement | Coverage |
|---|---|---|
| Art. 5(1)(e) | Storage limitation | Configurable retention policy |
| Art. 22 | Automated individual decisions | Human oversight override capability |
| Art. 30 | Records of processing activities | Audit chain entries |
| Art. 35 | Data protection impact assessment | FRIA module (maps to DPIA) |
| Art. 83 | Penalties | Monitoring + incident logging |
Note: GDPR compliance requires organizational and contractual measures beyond what any single software system can provide. Geodesia G-1 supplies the technical controls; legal, policy, and procedural compliance remain the deployer's responsibility.