AI Governance

EU AI Act High-Risk Compliance Checklist: All Requirements Before December 2027

· 20 min read · Updated July 13, 2026

Bottom Line Up Front

EU AI Act high-risk compliance requires 14 obligations across Articles 8-49. The adopted Digital Omnibus (Council final approval June 29, 2026) moved the deadline from August 2, 2026 to December 2, 2027 for stand-alone Annex III systems and August 2, 2028 for systems embedded in Annex I products. No harmonised standards exist yet and notified-body capacity is scarce: treat the extra runway as build time, not permission to wait.

Editor’s Note (July 13, 2026): This checklist has been updated to reflect the adopted Digital Omnibus. The European Parliament endorsed the AI Act simplification package on June 16, 2026, and the Council of the EU gave final approval on June 29, 2026, with publication in the Official Journal expected in July 2026. The high-risk compliance deadline is no longer August 2, 2026: stand-alone Annex III high-risk systems now bind on December 2, 2027, and high-risk systems embedded in Annex I regulated products on August 2, 2028. The 14 obligations themselves are unchanged.

Two compliance leaders read the same headline: the adopted Digital Omnibus has moved the EU AI Act high-risk deadline from August 2, 2026 to December 2, 2027. Organization A treats the extra sixteen months as build time. Its team classifies every AI system against Annex III, builds a risk management system under Article 9, drafts technical documentation per Annex IV, and books notified-body capacity now. Organization B reads “December 2027” as permission to defer, and moves the project to next year’s budget.

That extension is settled law, not a forecast. The European Parliament endorsed the Digital Omnibus on June 16, 2026; the Council of the EU gave final approval on June 29, 2026; publication in the Official Journal is expected in July 2026. Stand-alone Annex III high-risk systems bind on December 2, 2027, and high-risk systems embedded in Annex I regulated products on August 2, 2028. The penalties did not move: EUR 15 million or 3% of global turnover for non-compliance with high-risk obligations under Articles 16, 22, and related provisions [EU AI Act Art. 99(4)], and EUR 35 million or 7% for Article 5 prohibited practices [EU AI Act Art. 99(3)].

Organization B has made the more common mistake: treating a deferral as a reprieve. The obligations did not shrink, the calendar did. Conformity assessment still depends on harmonised standards that do not yet exist and notified-body capacity that is already scarce. No scenario exists where starting early produces a worse outcome.

Fourteen requirements span Articles 8 through 49. The critical sequencing insight: classification (Phase 1) determines which of the remaining 13 obligations apply, and getting classification wrong means building controls for a risk tier that does not match your system. The organizations completing Phase 1 now will have Phase 4 done before either deadline arrives.

EU AI Act high-risk compliance requires providers to complete 14 obligations before the AI Act’s high-risk deadline, now December 2, 2027 for stand-alone Annex III systems and August 2, 2028 for systems embedded in Annex I regulated products: risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy safeguards, quality management, conformity assessment, CE marking, and EU database registration across Articles 9-49 [EU AI Act]. Deployers carry independent obligations under Article 26.

How Does the EU AI Act Classify High-Risk AI Systems?

EU AI Act high-risk compliance begins with classification: Article 6 of the EU AI Act regulation defines two pathways into the high-risk category, four exemptions out, and one override blocking all exemptions [EU AI Act Art. 6]. The classification decision determines whether the remaining thirteen requirements apply to your organization at all. Get this step wrong and every downstream investment targets the wrong risk tier.

Pathway 1: Safety Components Under Annex I Product Legislation

AI systems acting as safety components of products covered by 30+ EU harmonisation directives fall into Pathway 1 [EU AI Act Art. 6(1), Annex I]. Machinery, medical devices, vehicles, civil aviation, radio equipment, lifts, pressure equipment, and marine equipment: if the product already requires third-party conformity assessment, the AI component inherits the high-risk classification under the EU AI Act. The existing notified body relationship carries over.

Pathway 2: The Eight Annex III Use-Case Areas

Pathway 2 covers AI systems deployed in eight areas where decisions affect natural persons [EU AI Act Art. 6(2), Annex III].

Annex III Area Scope Example
1. Biometrics Remote identification, emotion recognition, categorization Facial recognition for building access
2. Critical Infrastructure Safety components of digital infrastructure, water, gas, heating, electricity AI managing power grid load balancing
3. Education Admissions, outcome assessment, learning monitoring Automated exam grading systems
4. Employment Recruitment, selection, contract decisions, performance monitoring Resume screening algorithms
5. Essential Services Credit scoring, insurance pricing, emergency dispatch Creditworthiness assessment models
6. Law Enforcement Risk assessment, polygraphs, evidence evaluation, profiling Predictive policing systems
7. Migration Asylum application assessment, border surveillance, risk detection Automated visa processing tools
8. Justice Case research, law interpretation, dispute resolution support Sentencing recommendation systems

The Four Exemptions and the Profiling Override

Article 6(3) provides four exemptions from high-risk classification: narrow procedural tasks, improving a completed human activity, detecting decision patterns without replacing human judgment, and preparatory tasks for assessment [EU AI Act Art. 6(3)]. Each exemption requires documented rationale demonstrating the system does not pose a significant risk to health, safety, or fundamental rights.

The override is the provision competitors miss. AI systems performing profiling of natural persons are always high-risk. No exemptions apply [EU AI Act Art. 6(3) final paragraph].

A recruitment tool scoring candidates against behavioral profiles is high-risk regardless of whether it falls within a listed exemption category. The European Commission missed its February 2, 2026 deadline to publish practical classification guidance [IAPP 2026]. Organizations must self-classify without official examples.

The audit fix. (1) Inventory every AI system in the organization. For each system, document: intended purpose, Annex III area (if applicable), profiling status, and Article 6(3) exemption applicability with written rationale. (2) Flag every system performing profiling of natural persons as high-risk. No exemptions.

(3) Store the classification register alongside AI risk management documentation. Update it when new systems deploy or existing systems change purpose.

Articles 9 through 15 define the requirements classified systems must meet.

Core Technical Requirements for EU AI Act High-Risk Compliance (Articles 9-15)

Seven articles define what every high-risk AI system must deliver, and each article prescribes specific deliverables that become audit artifacts during conformity assessment [EU AI Act Arts. 9-15]. These are not aspirational principles. Risk management (Art. 9) feeds every downstream requirement: data governance decisions depend on identified risks, documentation reflects mitigations, logging captures risk-relevant events, and accuracy metrics tie to risk thresholds.

Risk Management and Data Governance (Articles 9-10)

Article 9 demands a continuous, iterative, documented risk management process running the entire system lifecycle [EU AI Act Art. 9]. Four statutory components form the backbone per Article 9(2): (a) identification and analysis of known and foreseeable risks, (b) estimation and evaluation of those risks under intended use and reasonably foreseeable misuse, (c) evaluation of other risks arising from post-market monitoring data (Art. 72), and (d) adoption of appropriate and targeted risk management measures. Article 9(8) adds a testing requirement against predefined performance thresholds. Article 9(9) adds a separate obligation to give explicit consideration to risks for vulnerable groups, including persons under 18. The system is not a one-time assessment. It updates with every system modification, data change, and deployment context shift.

Article 10 mandates data quality criteria: training, validation, and testing datasets must be relevant, representative, and as error-free as possible [EU AI Act Art. 10]. Bias examination is required before and during deployment. The critical nuance competitors overlook: Article 10(5) permits processing of special category personal data (race, ethnicity, political opinions, health status) ONLY for bias detection and correction, under strict safeguards including pseudonymization and data minimization [EU AI Act Art. 10(5)]. This is not a general GDPR exemption. It is a narrowly scoped provision for fairness validation.

Documentation, Logging, and Transparency (Articles 11-13)

Technical documentation per Annex IV must be completed before market placement [EU AI Act Art. 11, Annex IV]. Nine mandatory sections cover: general system description, development process, training methodology, testing procedures, risk management outcomes, and post-market monitoring plans. Article 12 requires automatic logging capability for traceability throughout the system’s lifetime [EU AI Act Art. 12]. For biometric identification systems: logs must capture date, time, reference database queried, input data, and identification results for every use.

Article 13 requires instructions for use covering system capabilities, limitations, declared accuracy levels, maintenance requirements, and foreseeable misuse scenarios [EU AI Act Art. 13]. The transparency obligation extends to deployers: they must understand what the system does, what it does not do, and under what conditions it fails.

Human Oversight and Technical Safeguards (Articles 14-15)

Article 14 requires human-machine interface tools enabling the overseer to understand capabilities, monitor operation, interpret output, override or reverse decisions, and stop the system [EU AI Act Art. 14]. These five oversight capabilities are specified in Article 14(4). For biometric identification systems listed in Annex III point 1(a): Article 14(5) mandates dual-person verification. Two natural persons must independently verify biometric identification results before any action is taken [EU AI Act Art. 14(5)]. An exception applies where Union or national law deems the two-person requirement disproportionate for law enforcement, migration, border control, or asylum applications. This provision appears in almost no competitor checklist.

Article 15 requires declared accuracy metrics with statistical confidence intervals, resilience against data poisoning, model poisoning, adversarial examples, and confidentiality breaches [EU AI Act Art. 15]. Continuously learning systems must address feedback loop risks preventing output degradation over time.

  • Build risk management system covering four statutory components (Art. 9(2)) plus testing thresholds (Art. 9(8)) and vulnerable-groups consideration (Art. 9(9))
  • Document data governance criteria: relevance, representativeness, error management (Art. 10)
  • Complete nine-section Annex IV technical documentation before market placement (Art. 11)
  • Implement automatic logging with traceability retention (Art. 12)
  • Draft instructions for use covering capabilities, limitations, and foreseeable misuse (Art. 13)
  • Build human oversight interfaces with five Article 14(4) capabilities: understand, monitor, recognize bias, interpret, override/stop
  • Implement dual-person biometric verification for Annex III point 1(a) systems per Article 14(5)
  • Declare accuracy metrics and implement resilience against adversarial attacks (Art. 15)

The audit fix. (1) Build the risk management system first (Art. 9). It feeds every downstream requirement. Start by listing every reasonably foreseeable risk to health, safety, or fundamental rights. (2) Map each identified risk to a mitigation control. Test each control against predefined performance thresholds.

(3) For biometric systems, implement dual-person verification per Article 14(5) and per-use logging (Art. 12). (4) Document everything in Annex IV format before engaging a conformity assessor. Link technical documentation to deployer obligations under Article 26 for the operational side of these requirements.

Organizational requirements assign responsibility for building and operating the system.

Provider and Deployer Obligations for EU AI Act High-Risk Compliance

The EU AI Act splits compliance duties between providers who build the system and deployers who operate it, and each role carries distinct obligations, distinct penalties, and distinct documentation requirements [EU AI Act Art. 16, Art. 26]. Dual-role status is common: organizations customizing third-party AI for their own use become both provider and deployer, stacking obligations from both checklists.

Provider Obligations: QMS, Post-Market Monitoring, Incident Reporting

Article 16 lists 12 provider obligations spanning design through decommissioning [EU AI Act Art. 16]. Article 17 requires a documented quality management system (QMS) with 13 specific elements: regulatory compliance strategy, design and development procedures, quality control and assurance procedures, examination and validation protocols, technical specifications, data management, risk management integration per Article 9, post-market monitoring per Article 72, incident reporting per Article 73, communication procedures, record-keeping systems, resource management, and an accountability framework [EU AI Act Art. 17].

The financial institution exception is a provision competitors miss entirely. Article 17(3) provides that organizations subject to EU financial services internal governance rules satisfy QMS requirements automatically, except for three specific elements: risk management (Art. 9), post-market monitoring (Art. 72), and serious incident reporting (Art. 73) [EU AI Act Art. 17(3)]. Post-market monitoring requires active, systematic collection of performance data throughout the system’s lifetime [EU AI Act Art. 72]. Serious incident reporting carries a 15-day deadline from the date of awareness, not from occurrence [EU AI Act Art. 73(2)].

The harmonised standard for QMS (prEN 18286) entered public enquiry on October 30, 2025, but will not finalize until Q4 2026 at earliest [CMS LawNow 2025]. No harmonised standard for Article 17 exists as of mid-2026.

Deployer Obligations (Article 26)

Article 26 sets out deployer obligations [EU AI Act Art. 26]. Key requirements: use the system according to provider instructions, assign qualified human overseers with documented competence and authority, retain automatically generated logs for a minimum of six months, inform affected workers and their representatives before deploying AI in the workplace, and suspend use immediately upon detecting a risk. Deployers controlling input data must confirm data relevance and representativeness.

When Deployers Must Conduct a Fundamental Rights Impact Assessment

Four categories of deployers must complete a Fundamental Rights Impact Assessment (FRIA) before first use [EU AI Act Art. 27]. Public bodies, private entities providing public services, deployers of credit-scoring AI, and deployers of life or health insurance risk-assessment AI: each must document affected populations, specific harm risks, human oversight measures, and complaint mechanisms. FRIA results must be shared with the market surveillance authority before the system goes live.

Obligation Provider Duty Deployer Duty
Risk Management Build and maintain system (Art. 9) Monitor for risks during use (Art. 26)
Human Oversight Design interface tools per Art. 14(4); dual-person verification for biometrics per Art. 14(5) Assign qualified overseers (Art. 26)
Logging Implement automatic logging (Art. 12) Retain logs minimum 6 months (Art. 26)
Incident Reporting Report within 15 days of awareness (Art. 73(2)) Report risks to provider (Art. 26)
Documentation Complete Annex IV (Art. 11); retain 10 years (Art. 18) FRIA if applicable (Art. 27)

The audit fix. (1) Determine whether your organization is a provider, deployer, or both. Dual-role is common with customized AI. (2) For providers: start the Article 17 QMS build now. Use ISO 42001 as a structural foundation (40-50% coverage overlap with EU AI Act requirements).

(3) For deployers: assign human oversight personnel with documented competence, training, and authority. Set up a six-month log retention pipeline per Article 26. (4) If your organization falls into one of the four FRIA trigger categories, schedule the assessment before the system goes live.

Market access requires proving compliance through conformity assessment, CE marking, and EU database registration.

How Do Conformity Assessment, CE Marking, and EU Database Registration Work?

No high-risk AI system enters the EU market without passing conformity assessment, affixing CE marking, and registering in the EU database [EU AI Act Art. 43, Art. 48, Art. 49]. The absence of harmonised standards as of mid-2026 is the single biggest practical obstacle to December 2027 readiness. The medical device regulation (MDR) precedent is instructive: a large share of manufacturers failed to complete certification by the MDR deadline, and notified body queue times exceeded 18 months.

Two Conformity Assessment Pathways (Article 43)

Path A (Annex VI, internal control): the provider self-verifies compliance when harmonised standards are fully applied [EU AI Act Art. 43, Annex VI]. This pathway is available for Annex III categories 2-8 and, when harmonised standards are fully applied, for Category 1 biometric systems as well. Path B (Annex VII, notified body): a third-party auditor examines the QMS and technical documentation. For biometric systems (Category 1), Path B is required when harmonised standards have not been applied, when the provider deviates from available standards, or when common specifications exist but were not followed. Because no harmonised AI Act standards have been published as of mid-2026, biometric providers currently face Path B by default until harmonised standards become available and are applied. For law enforcement biometrics, the market surveillance authority acts as the notified body rather than a private conformity assessment body.

Conformity certificates are valid for four years, renewable for another four after re-assessment [EU AI Act Art. 44]. Substantial modifications to the system trigger a new assessment cycle. The four-year validity creates a planning horizon: budget for re-assessment starting in year three.

CE Marking and EU Database Registration (Articles 48-49)

CE marking must be visible, legible, and indelible on the product or its packaging [EU AI Act Art. 48]. For digital-only systems: a machine-readable code is acceptable.

EU database registration is required before market placement [EU AI Act Art. 49]. Providers register themselves and each system. Public authority deployers register their specific use case. Areas 1 (biometrics for law enforcement), 6 (law enforcement), and 7 (migration) enter a restricted, non-public database section [EU AI Act Art. 71].

The Standards Gap: No Harmonised Standards Until Q4 2026

CEN and CENELEC missed their 2025 deadline for harmonised technical standards. The draft QMS standard prEN 18286 entered public enquiry on October 30, 2025, with a publication target of Q4 2026 at earliest [CMS LawNow 2025]. Until harmonised standards are adopted and published in the Official Journal of the EU, providers have no presumption of conformity [EU AI Act Art. 40]. This gap is precisely why the adopted Digital Omnibus moved the high-risk deadline: the compliance framework was not ready to support full application on the original schedule.

Without harmonised standards, providers cannot claim presumption of conformity and notified bodies have nothing to audit against. Organizations building QMS on ISO 42001 now create the closest available proxy for compliance evidence.

Bottom Line Up Front

No harmonised standard means no presumption of conformity. The conformity assessor has no official benchmark, and the provider has no safe harbor. ISO 42001 fills that gap today: organizations that build their QMS on it now will have a structural foundation ready to align when prEN 18286 finalizes.

The audit fix. (1) Contact notified bodies now. If your system requires third-party assessment (biometrics where harmonised standards are unavailable, or any system where standards have not been applied), begin the engagement process immediately. Capacity is limited. (2) Build your QMS using ISO 42001 + prEN 18286 draft structure as a scaffold.

(3) When the harmonised standard finalizes, map existing documentation to official requirements. (4) Budget for the 4-year conformity certificate renewal cycle. Begin re-assessment planning in year three. Link to EU AI Act penalties and enforcement for the consequences of missing the deadline.

The standards gap is the operational reality, and it is why the adopted Digital Omnibus reset the high-risk deadline. The next section explains what the new law changed and what it left in place.

The Deadline Moved to December 2027: The Adopted Digital Omnibus Explained

The European Commission proposed the Digital Omnibus on November 19, 2025, and its AI provisions originally linked high-risk enforcement timing to the availability of compliance support measures [OneTrust 2025]. The co-legislators reached a provisional agreement on May 7, 2026, then adopted it: the European Parliament endorsed the package on June 16, 2026, and the Council of the EU gave final approval on June 29, 2026, with Official Journal publication expected in July 2026. The adopted law replaces the original conditional trigger with two fixed dates. Stand-alone Annex III high-risk obligations now apply from December 2, 2027, and high-risk systems embedded in Annex I regulated products from August 2, 2028. No scenario exists where starting early produces a worse outcome.

From Stop-the-Clock to Fixed Dates: What Actually Changed

The Commission’s original proposal held high-risk obligations back until it confirmed that adequate compliance support existed: harmonised standards, guidelines, and common specifications [Morrison Foerster 2025]. That conditional “stop-the-clock” design did not survive into the adopted text. The co-legislators replaced it with two firm calendar dates that apply regardless of whether standards are ready: December 2, 2027 for stand-alone Annex III systems, and August 2, 2028 for high-risk systems embedded in Annex I regulated products. The stated reason for the deferral was readiness: harmonised standards, Commission guidance, and national competent authorities were not in place to support full application on the original August 2026 schedule.

Additional provisions favor smaller organizations. The adopted package introduces a Small Mid-Cap category (up to 750 employees or EUR 150 million turnover) that receives simplified, proportionate documentation and registration requirements [IAPP 2025]. Legacy high-risk systems already on the market before the obligations apply are not required to obtain new certification unless they undergo significant design changes.

Legislative Status: Adopted (June 2026)

The provisional agreement of May 7, 2026 has completed formal adoption: the European Parliament endorsed it on June 16, 2026, and the Council gave final approval on June 29, 2026, with Official Journal publication expected in July 2026, before the original August 2 date. December 2, 2027 is now the legally enforceable deadline for stand-alone Annex III high-risk AI systems, and August 2, 2028 for systems embedded in Annex I regulated products. The planning question is no longer whether the date will move; it is whether the extra runway gets used to build conformity or wasted.

The audit fix. (1) Build your compliance program on the December 2, 2027 timeline (August 2, 2028 if your system is embedded in an Annex I regulated product). Treat the extra runway as buffer for testing and refinement, not as permission to delay. (2) Work backward from December 2027 across five phases: inventory and classify first, then build technical requirements, then complete QMS documentation, then engage a conformity assessor, then CE marking and registration. Book notified-body capacity early: the queue, not the deadline, is the binding constraint. (3) If your organization qualifies as a Small Mid-Cap, evaluate the simplified documentation and registration provisions and apply them to reduce burden.

The deadline question is settled. The execution question is not: will your organization spend the runway building, or waiting?

The EU AI Act high-risk compliance program has 14 distinct requirements, no harmonised standards yet, and a deadline the adopted Digital Omnibus has moved to December 2, 2027 for stand-alone Annex III systems and August 2, 2028 for systems embedded in regulated products. The organizations that read the deferral as permission to wait, not the ones who started early, will meet enforcement unprepared. Start with Article 6 classification. Build the Article 9 risk management system. Everything else follows from those two foundations.

Frequently Asked Questions

What does EU AI Act high-risk compliance require?

EU AI Act high-risk compliance requires providers to implement 14 obligations across Articles 8-49: risk management (Art. 9), data governance (Art. 10), technical documentation (Annex IV), automatic logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy and cybersecurity safeguards (Art. 15), a quality management system (Art. 17), conformity assessment (Art. 43), CE marking (Art. 48), and EU database registration (Art. 49) [EU AI Act]. Deployers carry independent obligations under Article 26, including six-month log retention and human oversight assignment.

When is the EU AI Act high-risk deadline?

December 2, 2027 is the legally binding deadline for stand-alone Annex III high-risk AI system obligations, and August 2, 2028 for high-risk systems embedded in Annex I regulated products [EU AI Act Art. 113, as amended by the Digital Omnibus]. The Digital Omnibus, endorsed by the European Parliament on June 16, 2026 and given final approval by the Council on June 29, 2026, moved these dates from the original August 2, 2026 deadline. Compliance planning should target December 2027 and treat the extra runway as build time.

How do you determine if an AI system is high-risk under the EU AI Act?

Article 6 defines two pathways: the system acts as a safety component under Annex I product legislation requiring third-party assessment, or the system falls within one of eight Annex III use-case areas covering biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice [EU AI Act Art. 6]. Systems performing profiling of natural persons are always high-risk with no exemptions.

What are the penalties for EU AI Act non-compliance?

Penalties follow a three-tier structure: EUR 35 million or 7% of global turnover for Article 5 prohibited practices [Art. 99(3)], EUR 15 million or 3% for violations of high-risk obligations under Articles 16, 22, and related provisions [Art. 99(4)], and EUR 7.5 million or 1% for providing incorrect, incomplete, or misleading information to authorities [Art. 99(5)]. For cooperative violations where the entity makes substantial efforts to comply, national authorities may take cooperation and mitigating factors into account within the bounds of their enforcement discretion [Art. 99(7)]. SMEs and startups receive the lower of the fixed amount or the percentage, not the higher [Art. 99(6)].

Does ISO 42001 satisfy EU AI Act requirements?

ISO 42001 covers approximately 40-50% of EU AI Act high-risk requirements, providing strong alignment for risk management (Art. 9), data governance (Art. 10), documentation (Art. 11), transparency (Art. 13), and QMS structure (Art. 17) [ISO 42001:2023]. It does not cover conformity assessment (Art. 43), CE marking (Art. 48), EU database registration (Art. 49), incident reporting (Art. 73), or the Fundamental Rights Impact Assessment (Art. 27).

What is the Digital Omnibus stop-the-clock provision?

The “stop-the-clock” mechanism was the Commission’s original proposal to delay high-risk obligations until it confirmed that adequate compliance support existed, including harmonised standards, guidelines, and common specifications [Morrison Foerster 2025]. The adopted Digital Omnibus replaced that conditional trigger with two fixed dates: December 2, 2027 for stand-alone Annex III systems and August 2, 2028 for systems embedded in Annex I regulated products. These dates apply regardless of whether harmonised standards are ready.

How does conformity assessment work for high-risk AI systems?

Two pathways exist under Article 43: internal control (Annex VI) allows provider self-verification when harmonised standards are fully applied, and third-party assessment by a notified body (Annex VII) is required when standards are unavailable, not applied, or only partially applied [EU AI Act Art. 43]. For biometric systems (Category 1), internal control is available when standards are fully applied; because no harmonised AI Act standards exist as of mid-2026, biometric providers currently require notified body assessment. Certificates are valid for four years, renewable after re-assessment. Substantial modifications require a new cycle.

What is the Fundamental Rights Impact Assessment under the EU AI Act?

Public bodies, private entities providing public services, deployers of credit-scoring AI, and deployers of life or health insurance AI must complete a Fundamental Rights Impact Assessment before first use of a high-risk AI system [EU AI Act Art. 27]. The assessment documents affected populations, specific harm risks, human oversight measures, and complaint mechanisms. Results must be shared with the market surveillance authority.

Subscribe to The Authority Brief for next week’s analysis.

Discipline in preparation. Confidence in the room.

Josef Kamara, CPA, CISSP, CISA, Security+
Josef Kamara
Josef Kamara
CPA · CISSP · CISA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Senior Manager across the Third-Party Risk Management practice and IS Assurance, leading technology assurance audits of public and private companies), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.