The Compliance Atlas · Edition 2026.1

The spectrum

11 frameworks
One axis
Every metric that matters
A practitioner's decision tool — every framework, every metric, one screen.
Plotted on a single axis from voluntary methodology to binding regulation. Each badge carries its weight — the output it produces, the controls it covers, the audit cadence, the typical effort and cost. Below the spectrum, the same data as a comparison table for hard side-by-side decisions. Below that, three pre-built reading paths for common situations.
§ 01

The spectrum

voluntary methodology on the left · binding regulation on the right

Legend
  VOLUNTARY: methodology · adopt freely
  BINDING: law or mandate · enforced
  MARKET-DRIVEN: customer-demanded
  CONTRACTUAL: via business relationship

Badges, left (voluntary) to right (binding)
  IV NIST CSF 2.0 · PROFILE
  XI NIST AI RMF · PROFILE
  II SOC 2 · CPA ATTESTATION
  III ISO 27001:2022 · CERTIFICATE
  IX ISO 42001 · CERTIFICATE
  V HITRUST v11 · CERTIFICATION
  VI PCI DSS v4.0.1 · RoC + AOC
  VIII FedRAMP · ATO
  VII HIPAA · NO NATIVE CERT
  I Sarbanes-Oxley · OPINION
  X EU AI Act · CE MARKING

Part 1 — Financial & Assurance · Part 2 — Cybersecurity & Industry · Part 3 — AI Governance
badge size hints at effort & cost
§ 02

The hard numbers

same data, table form · sort by what you need to compare
Columns: # · Framework · Output · Controls / Scope · Who Audits · Cadence · Effort & Cost · Signature Insight

I · Sarbanes-Oxley (FINANCIAL · 2002)
  Output: Auditor opinion (integrated audit · attestation)
  Controls / Scope: 5 control types (ELC, ITGC, ITAC, BPC, IPE)
  Who Audits: External auditor (PCAOB-registered)
  Cadence: Annual (continuous testing)
  Effort & Cost: High ($500K-$5M+/yr)
  Signature Insight: Deficiency severity (CD/SD/MW) is the entire ballgame.

II · SOC 2 (ATTESTATION · TSP-100)
  Output: CPA report (Type 1 / Type 2)
  Controls / Scope: 5 TSCs (33 Common Criteria)
  Who Audits: Licensed CPA (SSAE 18)
  Cadence: Annual (Type 2 = 6–12 mo period)
  Effort & Cost: Medium ($30K-$150K)
  Signature Insight: CUEC chain-of-trust is the most-overlooked mechanic.

III · ISO 27001:2022 (ISMS · CERTIFIABLE)
  Output: Certificate (3-year validity)
  Controls / Scope: 93 controls (4 themes, Annex A)
  Who Audits: Cert body (UKAS / ANAB accredited)
  Cadence: 3-yr cycle (+ annual surveillance)
  Effort & Cost: Medium ($30K-$120K initial)
  Signature Insight: Statement of Applicability is a living document.

IV · NIST CSF 2.0 (FRAMEWORK · 2024)
  Output: Profile (no native cert)
  Controls / Scope: 6 functions (22 categories · 106 subs)
  Who Audits: None native (folded into SOC 2+)
  Cadence: Continuous (self-assessed)
  Effort & Cost: Low (internal effort only)
  Signature Insight: Read by everyone, audited via other frameworks.

V · HITRUST v11 (HEALTHCARE STD · e1/i1/r2)
  Output: Certification (HITRUST Alliance)
  Controls / Scope: Tiered, e1 (44) → r2 (200+)
  Who Audits: AEA + QA (two-party validation)
  Cadence: e1: 1 yr · i1: 1 yr · r2: 2 yr
  Effort & Cost: Medium-High ($50K-$300K+)
  Signature Insight: Healthcare's only credible cert path.

VI · PCI DSS v4.0.1 (PAYMENTS · CARD BRANDS)
  Output: RoC or SAQ (+ AOC attestation)
  Controls / Scope: 12 reqs (~64 sub-req groups · ~270 numbered subs)
  Who Audits: QSA (L1) or self (L2-L4)
  Cadence: Annual (RoC every year for L1)
  Effort & Cost: High ($50K-$300K+ for a RoC)
  Signature Insight: Scope (CDE) is the entire game.

VII · HIPAA Security Rule (HEALTHCARE · 45 CFR 164)
  Output: No native cert (SOC 2+ / HITRUST / 3rd-party)
  Controls / Scope: 3 safeguards (Admin · Phys · Tech)
  Who Audits: OCR (reactive)
  Cadence: Episodic (breach- or complaint-driven)
  Effort & Cost: Low-Med (SRA-driven)
  Signature Insight: "Addressable" ≠ optional — the most-misread term.

VIII · FedRAMP (FEDERAL CLOUD · 800-53)
  Output: ATO (P-ATO via JAB, or Agency)
  Controls / Scope: Low: 156 · Mod: 323 · High: 410
  Who Audits: 3PAO (+ FedRAMP PMO + AO)
  Cadence: 3-yr re-auth (monthly ConMon)
  Effort & Cost: Very High (Mod $500K-$1M · High $1-2M+)
  Signature Insight: An ATO is a federal officer's signature on your risk.

IX · ISO/IEC 42001 (AI MGMT SYSTEM · 2023)
  Output: Certificate (3-year validity)
  Controls / Scope: 38 controls (9 control objectives)
  Who Audits: Cert body (UKAS / ANAB accredited)
  Cadence: 3-yr cycle (+ annual surveillance)
  Effort & Cost: Medium (~30-50% more vs 27001)
  Signature Insight: Same shape as 27001 — different evidence universe.

X · EU AI Act (EU REGULATION · 2024)
  Output: CE marking (+ EU declaration)
  Controls / Scope: Risk-tiered (prohibited / high / limited / minimal)
  Who Audits: NB or self (Annex VI vs VII · MSA)
  Cadence: Post-market (Art. 72 monitoring)
  Effort & Cost: High (€35M / 7% turnover max penalty)
  Signature Insight: Original date Aug 2, 2026 — postponed to Dec 2, 2027 per May 2026 Omnibus political agreement.

XI · NIST AI RMF (AI METHODOLOGY · 2023)
  Output: Profile (voluntary self-attest)
  Controls / Scope: 4 functions (19 cat · 72 subs · 12 GenAI risks)
  Who Audits: None native (folded into 42001 / EU AI Act)
  Cadence: Continuous (self-assessed)
  Effort & Cost: Low (internal effort only)
  Signature Insight: The vocabulary every other AI framework uses.
§ 03

Pick your path

three common situations · which volumes to read in which order
Path 01 · The startup

You're scaling a SaaS and customers are starting to ask for compliance proof

You need SOC 2 yesterday and ISO 27001 within 18 months. NIST CSF gives you the vocabulary. HIPAA and PCI come into play if your customer base is health or payments.

Path 02 · The federal play

You're targeting the U.S. federal market or selling AI into the EU

FedRAMP is non-negotiable for federal cloud sales. EU AI Act high-risk obligations were originally scheduled for August 2, 2026 but were postponed to December 2, 2027 by the May 2026 Digital Omnibus political agreement (pending Official Journal publication). Both rest on prerequisite layers — 800-53 for FedRAMP, ISO 42001 for the EU.

Path 03 · The financial enterprise

You're a public company or finance-adjacent and need the full stack

SOX is your annual baseline. Add SOC 2 and ISO 27001 to satisfy customer and vendor expectations. HITRUST if you touch healthcare. The AI volumes apply to your AI use cases — and they're growing fast.