
Compliance Scope Advisor

The Compliance Scope Advisor helps organizations quickly determine which AI regulations apply to them and recommends the right subscription tier based on their regulatory scope.

Instead of manually researching 50+ regulations across 22 jurisdictions, you work through an interactive, dynamic, and transparent selection flow that narrows the list to what actually applies to you.

Overview

The Scope Advisor is embedded in the AI Advisor assessment and guides organizations through:

  1. Regulation Selection — Choose which AI regulations are relevant to your organization
  2. Jurisdiction Mapping — Confirm which regions/jurisdictions you operate in
  3. Opt-Out Options — Mark regulations you already handle elsewhere
  4. Tier Recommendation — Get a dynamic tier recommendation based on your selections

Regulation Categories

Regulations are grouped into two visual categories with color-coded badges:

AI-Specific Regulations (Blue Badges)

Frameworks specifically designed for AI governance:

  • EU AI Act — European Union’s risk-based AI regulation framework
  • UK AI Bill — United Kingdom post-Brexit AI governance
  • ISO 42001 — International AI Management System standard
  • NIST AI RMF — US National Institute of Standards and Technology AI Risk Management Framework (voluntary)
  • China Generative AI Standards — Chinese generative AI guidelines
  • UAE GSMA Guidelines — United Arab Emirates AI governance

General Compliance Domains (Purple Badges)

Laws and assurance frameworks that apply to AI systems but were not written specifically for AI:

  • GDPR — General Data Protection Regulation (EU data protection)
  • SOC 2 — AICPA System and Organization Controls 2 attestation framework
  • HIPAA — Healthcare data security (US)
  • PCI-DSS — Payment card data security
  • CCPA/CPRA — California consumer privacy laws
  • LGPD — Brazil data protection law
  • FINRA — Financial industry regulations (US)
  • PIPEDA — Canada personal information protection

Interactive Selection Interface

Step 1: Jurisdiction Selection

First, confirm where your organization operates:

Where does your organization operate?
┌──────────────────────────────────────────────┐
│ ☑ North America (US, Canada)                 │
│ ☑ Europe (EU, UK, Switzerland)               │
│ ☐ Asia-Pacific (Japan, Australia, Singapore) │
│ ☐ China                                      │
│ ☑ Latin America (Brazil)                     │
│ ☐ Middle East & Africa                       │
└──────────────────────────────────────────────┘

Selected jurisdictions dynamically filter applicable regulations.

Step 2: AI-Specific Regulations

Choose which AI frameworks are relevant:

Which AI governance frameworks apply to you?
□ EU AI Act (applies if serving EU customers) ────────────────────────
[ℹ] Risk-based framework; high-risk AI systems carry the heaviest obligations
[📋] Categories: Risk classification, Documentation, Incident reporting
[🔧] Controls: Model cards, DPIA, training, testing
□ ISO 42001 (pursuing certification?) ────────────────────────────────
[ℹ] International standard, audit-friendly
[📋] Categories: AI governance, Risk assessment, Monitoring
[🔧] Controls: AI policy, Risk register, Audit trail
☑ NIST AI RMF (US government requirements?) ─────────────────────────
[ℹ] Four core functions: Govern, Map, Measure, Manage
[📋] Categories: Organization, Process, Infrastructure
[🔧] Controls: Policies, Metrics, Testing

Each regulation includes:

  • Badge color — Visual category indicator
  • Question — Contextual question (“Does this apply to you?”)
  • Description — 1-line summary
  • Key details — Expandable section with more context

Step 3: General Compliance Domains

Select general compliance frameworks:

Which compliance domains are relevant?
☑ SOC 2 Type II
[ℹ] Security, availability, processing integrity
[🔗] Connected to: GDPR, HIPAA (overlapping controls)
☐ HIPAA (healthcare data?)
[ℹ] Healthcare data security and privacy
[⚠️] Requires a separate Business Associate Agreement (BAA) with each vendor that handles PHI
☑ GDPR (serving EU customers?)
[ℹ] Data protection, DPIAs, subject rights
[🔗] Connected to: EU AI Act, CCPA (similar principles)

Step 4: Opt-Out Regulations

Mark regulations you already handle through existing programs:

Do you handle any of these through other programs?
☑ Data Security (handled by InfoSec team)
→ This means: Skip data security controls in AI-focused frameworks
→ Benefit: Avoid duplicate controls
☑ Incident Response (handled by Security Operations)
→ This means: Skip breach notification in AI requirements
→ Benefit: Leverage existing IR procedures

Opting out reduces your compliance scope and recommended tier. It does not remove the underlying obligation: the Scope Advisor assumes the named team already owns and evidences those controls, so confirm that coverage (and where the evidence lives) before opting out.

Dynamic Tier Recommendation

Based on selected regulations, the Scope Advisor recommends a subscription tier:

Recommendation Logic

Selected Regulations Count
├─ 0-3 frameworks → Professional Tier ✓
├─ 4-8 frameworks → Business Tier ✓
└─ 9+ frameworks → Enterprise Tier ✓

The framework count is a first approximation. The weighted score below refines it and takes precedence when the two disagree (a selection of eight frameworks can still score into Enterprise):

Regulation Complexity Score
├─ Basic (SOC 2, HIPAA) → 1 point each
├─ Advanced (ISO 42001, NIST) → 2 points each
└─ Comprehensive (EU AI Act, GDPR) → 3 points each

Total Score → Tier Recommendation
├─ 0-5 points → Professional
├─ 6-15 points → Business
└─ 16+ points → Enterprise (comprehensive global scope)

Example Recommendations

Scenario 1: Early-stage startup (US-based)

  • Regulation selections: SOC 2, GDPR (EU customers)
  • Opt-outs: None
  • Score: 4 (SOC 2 = 1, GDPR = 3)
  • Recommendation: Professional Tier
  • “SOC 2 and GDPR are core. Professional tier handles both with auto-discovery and framework mapping.”

Scenario 2: Mid-market SaaS (US + Europe)

  • Regulation selections: SOC 2, GDPR, EU AI Act, ISO 42001, CCPA
  • Opt-outs: “Incident Response” (already in place)
  • Score: 11
  • Recommendation: Business Tier
  • “Multiple jurisdictions and AI-specific regulations. Business tier provides evidence collection from 18 connectors, custom frameworks, and audit-ready reports.”

Scenario 3: Global financial services

  • Regulation selections: SOC 2, GDPR, HIPAA, CCPA, FINRA, EU AI Act, NIST, ISO 42001
  • Opt-outs: “Data Security” (InfoSec team)
  • Score: 16
  • Recommendation: Enterprise Tier
  • “Comprehensive global compliance scope. Enterprise tier includes dedicated support, custom frameworks, on-premises deployment, and white-label options.”

Location within AI Advisor

The Scope Advisor appears as Step 1 when taking the AI Advisor assessment:

AI Advisor Assessment Flow
Step 1: Compliance Scope Advisor
├─ Jurisdiction Selection
├─ AI-Specific Regulations
├─ General Compliance Domains
├─ Opt-Out Regulations
└─ Tier Recommendation ← Shows recommended tier
Step 2: Organization Assessment
├─ AI Maturity
├─ Governance Readiness
└─ Risk Profile
Step 3: Results & Roadmap
├─ Assessment Score
├─ Tier Recommendation Confirmation
├─ Gap Analysis
└─ 90-Day Implementation Plan

Key Features

Transparent Mapping

Every regulation shows:

  • Description — What it covers
  • Key Requirements — Main control objectives
  • Coverage Areas — Which AI system aspects it touches
  • Connection to other frameworks — Related regulations you selected

Dynamic Filtering

As you select jurisdictions and regulations:

  • Applicable regulations automatically appear/hide
  • Overlapping controls are highlighted
  • Dependencies are shown (“Can’t opt out of the EU AI Act if you selected GDPR”)

Education-First Design

Rather than just recommending a tier, the Scope Advisor explains:

  • Why each regulation applies — Contextual question helps you confirm relevance
  • What each tier includes — Transparent pricing and feature breakdown
  • How regulations overlap — Avoid duplication, consolidate controls

Export Capabilities

After completing the Scope Advisor:

Export Options:
├─ Assessment Summary (PDF)
│ └─ Selected regulations, tier recommendation, rationale
├─ Regulation Mapping (CSV)
│ └─ All selected regulations with descriptions
├─ Implementation Checklist (Excel)
│ └─ Controls per regulation, owner assignment, timeline
└─ Tier Comparison (Side-by-side)
    └─ What's included in recommended vs other tiers

Next Steps After Assessment

After Scope Advisor recommends a tier:

  1. Confirm Tier — Accept recommendation or choose different tier
  2. Create Account — Sign up for recommended tier
  3. Import Checklist — Auto-populate compliance tasks in your system
  4. Configure Framework — Set up selected frameworks in Compliance Hub
  5. Start Auto-Discovery — Begin discovering AI systems in your organization

Changing Scope Later

Regulations and business needs change. You can:

  • Re-run Scope Advisor — Retake assessment to update selections
  • Upgrade/Downgrade — Change tier if scope expands or contracts
  • Modify Opt-Outs — Update regulations you handle externally
  • Add Jurisdictions — Extend to new regions

Changes take effect in the next billing cycle.

Best Practices

  • Be honest about scope — Select all regulations you must comply with (not just want to)
  • Research if unclear — Use the “Learn More” links to understand each regulation
  • Involve stakeholders — Confirm regulatory scope with Legal and Compliance teams
  • Plan for growth — If expanding internationally soon, account for new jurisdictions
  • Review annually — Regulations change; re-run Scope Advisor yearly

FAQ

Q: What if I’m not sure which regulations apply? A: Each regulation has a contextual question and “Learn More” link. If still unclear, start with your industry’s most common frameworks (US broker-dealers → FINRA; healthcare → HIPAA; EU customers → GDPR).

Q: Can I change my tier after the assessment? A: Yes. You can upgrade or downgrade anytime. Changes take effect in the next billing period.

Q: What if my scope grows? A: Run the Scope Advisor again to get an updated tier recommendation. If your new scope justifies an upgrade, we’ll show the price difference.

Q: Is the recommendation binding? A: No. The Scope Advisor is a guide. You can choose any tier that fits your budget and needs. We recommend the tier based on your selections, but the choice is yours.
