A structured library of deep-dives covering the standards, regulations, policy instruments, and professional frameworks that make up the AI assurance landscape, with an Australian focus and international context.

For an assessment of coverage and the backlog of planned additions, see AI-Assurance-Coverage-Gap-Analysis.md.


By geography

| Geography | Key documents |
|---|---|
| Australia — regulators | APRA · APRA AI obligations (Apr 2026) · ASIC · OAIC · TGA · ACMA · ACCC |
| Australia — policy | AI Ethics Principles, Voluntary AI Safety Standard, National AI Plan, AI Safety Institute |
| Australia — market | AI assurance providers & certification bodies · GRC platforms · APRA-regulated entity landscape |
| Australia — consulting firms | Deloitte AU strategy · KPMG AU (ISO 42001 first, Oct 2024) · EY AU (AI Sentiment Index) · PwC AU (Assurance for AI launch) |
| EU | EU AI Act (extraterritorial obligations for AU firms) · EU AI Act deep-dive |
| US | US AI regulations (FTC, CFPB, California) · McKinsey (SR 11-7, financial services) · PwC US (AICPA Assurance for AI) |
| UK & Singapore | UK & Singapore AI frameworks |
| Other markets | Canada, NZ, Hong Kong, Japan, UAE |
| Global (standards) | ISO/IEC SC 42 family · NIST AI RMF · OWASP AISVS + TEA Platform |
| Global (consulting) | Cross-firm synthesis · BCG global RAI surveys · Deloitte global publications |

By industry

| Industry | Key documents |
|---|---|
| Financial services (APRA-regulated) | APRA obligations (CPS 220/230/234) · APRA-regulated entities landscape · Deloitte AU strategy · McKinsey SR 11-7 / model risk · ASIC |
| Healthcare / medical devices | TGA (AI as Software as a Medical Device) |
| Insurance | APRA (prudential: life insurance, general insurance, private health) |
| Government / public sector | EY AU APS guidance · Australian AI Policy Instruments |
| Communications / media | ACMA + eSafety Commissioner |
| Multi-sector | BCG/MIT SMR RAI surveys · PwC Responsible AI Toolkit · KPMG Trusted AI Framework |

By function

| Function | Key documents |
|---|---|
| Regulatory obligations | Australian regulator analyses: APRA · ASIC · TGA · OAIC · ACCC · ACMA; extraterritorial: EU · US · UK/SG |
| External assurance practitioners | ASAE/ISAE 3000 practitioner reference · AUASB/IAASB standards deep-dive · APESB/APES ethics & independence · SOC 2 · PwC Assurance for AI · KPMG ISO 42001 certification |
| Internal audit | IIA Global Internal Audit Standards + AI Auditing Framework · ISACA AAIA certification · ISACA audit standards (ITAF, COBIT) |
| Advisory / strategy | Consulting firms directory · Cross-firm synthesis · Deloitte AU strategy |
| Professional certifications | ISACA: CISA, CISM, CRISC, CGEIT, CDPSE, AAIA, AAISM · ISACA AAIA deep-dive · Australian professional bodies |

By theme

| Theme | Key documents |
|---|---|
| Trustworthy / responsible AI frameworks | Cross-firm synthesis · Deloitte Trustworthy AI Framework · KPMG Trusted AI (10 pillars) · PwC Responsible AI Toolkit · EY Nine-Attribute Framework · BCG RAI Leader Blueprint |
| ISO 42001 certification chain | ISO/IEC 42001 deep-dive · KPMG (world’s first, AU Oct 2024) · ISO 42006 (certification body requirements) |
| Agentic AI assurance | GenAI + agentic AI cross-cutting synthesis · Deloitte TAI across AI spectrum · McKinsey observability gap · BCG FAST framework · OWASP AISVS agentic controls |
| Model validation | McKinsey SR 11-7 extension + Derisking AI · Deloitte: Adapting Model Validation · GenAI assurance cross-cutting |
| GRC platforms | GRC Platforms Market Scan |
| Offensive vs. defensive governance | Deloitte offensive/defensive analysis · BCG RAI as value creation |

How the Library Is Organised

| Layer | Question | Key documents |
|---|---|---|
| Technical & definitional standards | What is an AI system and what does technically “good” look like? | ISO/IEC 22989, 23053, 5338, 5259, TR 24027 |
| Management system & risk standards | How should organisations govern AI (and get certified)? | ISO/IEC 42001, 42005, 42006, 23894, 27001, 27701 |
| Regulatory obligations | What must organisations comply with? | EU AI Act; Australian regulator analyses; extraterritorial analyses |
| Policy instruments | What do governments expect even where not mandated? | Australian AI Policy Instruments |
| Professional & engagement standards | Who performs assurance and under what obligations? | APESB/APES, AUASB/IAASB (ASAE/ISAE), IIA, ISACA, SOC 2, Australian professional bodies |
| Industry initiatives | What industry-led frameworks, benchmarks, and consortia can be leveraged? | Industry Bodies deep-dive; Frontier AI Industry Initiatives |
| Market landscape | Who provides assurance and certification in Australia? What software infrastructure supports AI governance and assurance? | AI Assurance Market Scan; GRC Platforms Market Scan |
| Consulting firm AI assurance research | What are the major consulting and professional services firms offering, how do their frameworks compare, and what are the strategic implications for Deloitte in Australia? | KPMG, PwC, EY, BCG, McKinsey, Deloitte research compendiums and critical syntheses; cross-firm comparative synthesis; Deloitte Australia strategy |

Contents

June 2026 restructure: the knowledge base was split into three sibling directories. This directory (AI-assurance/) holds professional assurance standards, regulator obligations, and the consulting-firm market layer. The ISO/IEC SC 42 family, NIST AI RMF, the EU AI Act, and industry-body standards now live in ../AI-Governance/standards/; MITRE ATLAS, the NCSC/CISA/ASD guidelines, and ISO/IEC 27001/27701 now live in ../AI-security/. Links below point to those locations where a document has moved.

Overviews and Cross-Cutting

ISO/IEC Standards Deep-Dives (now in ../AI-Governance/standards/ and ../AI-security/)

Regulation and Attestation Frameworks

Professional Assurance Standards (Professional-Assurance-Standards/)

ISACA (ISACA/)

Australian Market Scan and Policy (AI-Assurance-market-scan/)

  • AI-Assurance-Market-Scan.md — Australian AI assurance landscape, providers, and certification bodies
  • GRC-Platforms-Market-Scan.md — proprietary and open-source GRC software infrastructure for AI governance and assurance: AI-native platforms (Credo AI, Holistic AI, KomplyAI), compliance automation (Vanta, Drata, OneTrust), GRC incumbents (ServiceNow, IBM, Optro), technical assurance vendors, open-source platforms, analyst coverage, and 2024–2026 consolidation
  • Australian-AI-Policy-Instruments.md — AI Ethics Principles, Voluntary AI Safety Standard, NAIC Guidance for AI Adoption (AI6), mandatory guardrails proposal, National AI Plan, AI Safety Institute, regulator-specific AI guidance, government assurance frameworks
  • Regulator analyses: ASIC, APRA, ACMA, ACCC, OAIC, TGA
  • APRA-AI-Assurance-Obligations.md — analysis of APRA’s 30 April 2026 Letter to Industry on AI: AI-specific expectations against CPS 220/230/234, criteria-readiness matrix, and engagement design by obligation
  • APRA-Regulated-Entities-Landscape.md — sector rankings of the largest APRA-regulated entities (ADIs, super, insurance) sizing the AI-assurance opportunity
  • Extraterritorial analyses: EU, US, UK & Singapore, other markets

Consulting Firm AI Assurance Research (consulting-firms/)

Research compendiums (hyperlinked catalogues of public publications) and critical syntheses for each major firm, plus cross-cutting analysis. See consulting-firms/README.md for thematic navigation by geography, function, and industry.

Research compendiums:

  • Deloitte-AI-Assurance-Research.md — 50+ publications; Trustworthy AI™ Framework; AI Institute; algorithm assurance; regional offices (US, UK, AU, Japan, APAC)
  • KPMG-AI-Assurance-Research.md — Trusted AI 10-pillar framework; ISO 42001 certification chain (world’s first: AU Oct 2024 → International Dec 2025); University of Melbourne trust study (48,000+, 47 countries); System Cards
  • PwC-AI-Assurance-Research.md — 76 publications; Responsible AI Toolkit (6 dimensions); Assurance for AI (June 2025, AICPA standards); AI Trust Dividend (1.7×); Model Edge; Regulatory Pathfinder
  • EY-AI-Assurance-Research.md — 64 publications; Trusted AI Framework (9 attributes, 3 governance domains); Responsible AI Pulse Survey Phase 2 (99% of orgs lost money, avg US$4.4M); AI Sentiment Index (AU equal lowest globally, score 52); APS government guidance
  • McKinsey-AI-Assurance-Research.md — 48+ publications; AI Trust Maturity Model (5 dimensions, 0–4 scale, longitudinal); SR 11-7 extension for ML/AI; State of AI survey series; The AI Reckoning (Dec 2025)
  • BCG-AI-Assurance-Research.md — 53 publications; RAI Leader Blueprint (5 pillars incl. Culture); BCG/MIT SMR RAI survey series; ARTKIT open-source red-teaming; FACET explainability library; FAST framework for agentic AI

Critical syntheses:

Cross-cutting analysis:

  • AI-Assurance-Firms-Comparative-Synthesis.md — cross-firm comparison of all six: framework architectures, what “assurance” means, active disagreements, shared gaps, Australian market specifics, competitive positioning map
  • Deloitte-Australia-AI-Assurance-Strategy.md — strategic positioning for Deloitte in Australia: strengths to emphasise, weaknesses to mitigate, priority moves (ASAE 3000, APS implementation, APRA agentic framework, independence policy), priority action sequence
  • Deloitte-Australia-AI-Assurance-Priority-Plan.md — validation plan converting the (public-information-based) strategy into prioritised hypotheses to confirm with Deloitte leadership and test with priority clients, with decision gates per strategic move

Conventions

  • Deep-dives: {Standard-Code}-Deep-Dive.md; regulator analyses: Regulator-Analysis-{Agency}.md; each subdirectory carries a README.md index
  • Document structure: header metadata → executive summary → structure/key requirements → implementation guidance → relationships to other standards → checklists → gaps/future developments → sources
  • Each document carries a status note; verify fast-moving items (Australian policy, draft ISO standards, IAASB/IIA workstreams) against primary sources before relying on them
  • ../AI-Governance/ — internal governance frameworks, controls templates, and risk management artefacts that implement what these standards require
  • ../research/tools/ — Responsible AI tooling options analyses
  • ../ai-governance-tooling/ — AI governance tooling ideas and PRDs