New Reference — First Edition, 2026

The Compliance Practitioner's Field Guide

An encyclopedic reference to AI, privacy, and security regulations — mapped to the AI Governance Stack.

By Noah M. Kenney
First Edition, 2026
230 Pages · 100+ Frameworks
Companion to Governing Intelligence
100+ legal regimes, regulatory frameworks, and voluntary standards
50+ jurisdictions across the US, EU, APAC, MENA, LATAM, and Africa
7 parts spanning federal, state, sector, IP, and international law
5 AI Governance Stack layers mapped to every entry
About the Field Guide

From legal text to auditable controls.

AI law in 2026 is not one body of law — it is a layered, jurisdictionally fragmented, sector-conditioned, and rapidly evolving network of statutes, regulations, agency guidance, common-law doctrines, voluntary standards, and contractual norms. This Field Guide is the operational translation layer that converts regulatory text into testable, monitor-able infrastructure.

Where the companion textbook Governing Intelligence builds the conceptual foundation, this volume is the practitioner-facing reference. Every entry maps a legal obligation onto the five-layer AI Governance Stack — identifying exactly where, in operational terms, the law actually bites and where the system control belongs.

01 / Structure

Standardized Entries

Every entry follows the same template — citation, jurisdiction, scope, applicability, core obligations, penalties, recent developments, Stack Lens, Practitioner Notes, and Common Failure Patterns — for direct cross-jurisdictional comparison.

02 / Translation

Stack Lens Callouts

Each law concludes with a Stack Lens callout mapping its obligations onto the five operational layers: data, model, system integration, control & monitoring, and audit & evidence.

03 / Practitioner Focus

Built for the Front Line

Practitioner Notes compress advisory experience into operational instructions. Common Failure Pattern callouts surface the implementation mistakes that produce most enforcement actions in each regime.

Disclaimer: This publication is provided for informational and educational purposes only and does not constitute legal, regulatory, compliance, or professional advice. AI governance law is rapidly evolving; readers must verify the operative text and most recent regulatory guidance before relying on any entry.
Coverage

Seven parts, one operating manual.

The Field Guide is organized into seven parts spanning federal and state law, sector-specific regulators, intellectual property, the EU AI Act and GDPR, APAC and MENA regimes, and international standards.

Part I

U.S. Federal Law & Cross-Cutting Statutes

FTC Act Section 5, HIPAA/HITECH, GLBA, FERPA, COPPA, FCRA, ECOA, TCPA, CFAA, ECPA, the Privacy Act, FISMA/FedRAMP, EO 14179, VPPA, CAN-SPAM, the CLOUD Act, FISA Section 702, Title VII, ADEA, GINA, OFCCP, Fair Housing Act, ADA Title III, NLRA, plus sector regulators: FDA AI/ML SaMD, Federal Reserve SR 11-7, CFPB, EEOC, NAIC, SEC predictive analytics, CISA/CIRCIA, NERC CIP, NRC, FAA, FERC, DOD Responsible AI.

Privacy · Civil Rights · Critical Infrastructure · Sector Regulators

Part II

U.S. State Privacy & Cybersecurity Laws

Twenty-plus comprehensive state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, ICDPA, INCDPA, TIPA, MCDPA, NJDPA, DPDPA, NHDPA, KCDPA, MODPA, MNCDPA, RIDTPPA, NDPA, FDBR, OCPA, TDPSA), all major biometric statutes (BIPA, CUBI, RCW 19.375), Washington MHMDA, NY SHIELD/Part 500, Massachusetts 201 CMR 17, plus the multistate landscape for breach notification, student privacy, and biometric/neural data.

State Privacy · Biometrics · Breach Notification

Part III

U.S. State AI Statutes

Colorado AI Act, Texas TRAIGA, California AB 2013/SB 942/AB 3030/SB 53, NYC Local Law 144, Illinois HB 3773 and the AI Video Interview Act, Tennessee ELVIS Act, Utah AIP, plus the wave of state healthcare AI laws and the rapidly expanding state AI regulatory landscape.

State AI Law · Hiring AI · Healthcare AI · Generative AI

Part IV

Intellectual Property & AI

U.S. Copyright Office AI guidance, NYT v. OpenAI, Thaler v. Perlmutter, USPTO AI inventorship guidance, EU CDSM Article 4 TDM exception, UK and Japan TDM regimes, trade secret protection of AI models, open source AI licensing (OSI definition, OpenRAIL, Llama Community License), and right of publicity / NO FAKES Act.

Copyright · Patents · Trade Secrets · Open Source

Part V

European Union & United Kingdom

The EU AI Act (risk classification, prohibited practices, high-risk systems, GPAI obligations), GDPR (lawful bases, data subject rights, DPIAs, automated decisioning), the Digital Services Act, Digital Markets Act, Data Act, NIS2 Directive, and the UK's pro-innovation AI regulatory approach plus DPDI Act amendments.

EU AI Act · GDPR · DSA / DMA · UK

Part VI

Asia-Pacific, Middle East & Africa

China PIPL/CSL/DSL and the Generative AI Measures, Japan APPI, South Korea PIPA, Singapore PDPA, India DPDPA, Thailand PDPA, Australia Privacy Act, Vietnam PDP Decree, Indonesia PDP Law, Malaysia PDPA, Hong Kong PDPO, Taiwan PDPA, NZ Privacy Act. Plus Israel PPL Amendment 13, UAE PDPL/DIFC/ADGM, Saudi PDPL, Qatar, Bahrain, Oman, Kuwait, Egypt, Nigeria, Kenya, Ghana, Morocco, Turkey KVKK, South Africa POPIA.

APAC · MENA · Africa · LATAM

Part VII

International Standards & Soft Law

Council of Europe Framework Convention on AI, OECD AI Principles, UNESCO Recommendation on AI Ethics, NIST AI RMF + Generative AI Profile, ISO/IEC 42001 / 23894 / 27001 / 27701, MITRE ATLAS, OWASP LLM/ML Top 10, NIST SP 800-53, SOC 2, CSA Cloud Controls Matrix, IEEE 7000 series, CIS Controls, ENISA AI threat materials, and PCI DSS as applied to AI.

NIST AI RMF · ISO 42001 · MITRE ATLAS · SOC 2

The AI Governance Stack

Five layers, every entry.

Every entry in the Field Guide concludes with a Stack Lens callout mapping the law's obligations onto the five-layer AI Governance Stack — the operational architecture that outlasts specific statutory regimes.

Stack Lens — How Each Law Maps to Operational Controls

The translation layer between regulation and infrastructure.

The Stack is not interpretation. It is the place where a legal obligation becomes a system control. The Stack Lens callout in each entry identifies where, in operational terms, the law actually bites — and where the corresponding control belongs in your governance architecture.

Layer 01
Data Governance

Inventory, classification, quality, bias assessment, provenance, consent.

Layer 02
Model Governance

Architecture, training, fairness/robustness testing, interpretability, documentation.

Layer 03
System Integration

Integration architecture, pipeline security, cascading failure analysis, human-AI interaction.

Layer 04
Control & Monitoring

Access control, real-time monitoring, anomaly detection, incident response, deployment gates.

Layer 05
Audit & Evidence

Documentation standards, evidence preservation, audit mechanisms, regulatory reporting.

Companion Textbook

Pairs with Governing Intelligence.

The Field Guide is the operational companion to Governing Intelligence: Law, Privacy, Security, and Compliance in the Age of Artificial Intelligence — the first comprehensive textbook unifying legal, ethical, technical, and operational dimensions of AI governance into a single discipline.

Where the textbook builds the conceptual foundation through 20 chapters, the Field Guide is the working reference that translates each obligation into auditable controls. Use them together: the textbook to learn the discipline, the Field Guide to do the work.

About the Author

Noah M. Kenney

Practitioner, Researcher, Educator

Founder & Principal Consultant, Digital 520 · President & Chief Scientist, Disruptive AI Lab · President, Ethical Tech Forum

Noah M. Kenney is the Founder and Principal Consultant of Digital 520, a global consultancy specializing in AI governance, data privacy, cybersecurity, and compliance. He has consulted on over 40 AI initiatives and speaks globally on governance, privacy, and secure systems design.

Noah co-developed the country’s first AI Privacy Engineering course at the Georgia Institute of Technology. He holds over 50 advanced industry certifications, including the CIPM from IAPP. He earned his undergraduate degree in Economics with high honors from Georgia Tech and a Master’s of Engineering from the University of Colorado Boulder.

CIPM — IAPP · Georgia Tech (High Honors) · M.Eng., CU Boulder · 50+ Certifications · 40+ AI Engagements

Get the Field Guide — completely free.

230 pages, 100+ legal regimes, every entry mapped to the AI Governance Stack. Download the full PDF or pair it with the companion textbook.