AI Governance & Compliance Consulting
ISO 42001, the EU AI Act, KVKK, and the NIST AI RMF — the four frameworks that turned mandatory in the production AI era.
How does 2026 AI compliance shape up for Turkish enterprises?
The EU AI Act began enforcing the 'unacceptable risk' ban on 2 February 2026, and GPAI obligations kicked in on 2 August 2026. ISO/IEC 42001 (the AI management system standard, published December 2023) is now the primary certification. In Turkey, KVKK and the Presidential AI Strategy are live. Only one in five companies has a mature governance model (Databricks, 2026). OpenSeaPiranha runs a single audit that maps to all four frameworks.
- ISO/IEC 42001 readiness assessment plus certification roadmap
- EU AI Act risk classification with mitigation playbook
- KVKK and NIST AI RMF cross-mapping plus the documentation set
- Engagements run 4 to 8 weeks at $20K–$60K
Why It's Urgent in 2026
Only 20% have mature governance
Databricks Enterprise AI Agent Trends 2026: only one company in five runs a mature AI governance model. The other 80% will fail an audit when one shows up.
EU AI Act is on the calendar
2 February 2026 — unacceptable risk ban. 2 August 2026 — GPAI obligations. 2 February 2027 — full compliance for high-risk systems. Any Turkish company serving EU customers is in scope.
ISO 42001 is becoming AI's ISO 27001
Published December 2023, the AI Management System standard moved into RFP boilerplate during 2026. Few firms hold the certification yet — the early adopters get the bid.
ISO/IEC 42001 — AI Management System Certification
What it covers
Lifecycle management of AI systems: risk assessment, data governance, transparency, accountability, supplier oversight, incident response. Think of it as ISO 27001 with an AI-specific lens.
OSP's path
Five steps: existing system inventory, gap analysis, policy and procedure documentation, internal audit and remediation, then certification body matching. Six to twelve weeks total.
EU AI Act — 2026 Calendar and What It Means for Turkey
Risk categories
Unacceptable (banned — social scoring, real-time biometric surveillance), high-risk (medical, education, critical infrastructure — strict obligations), limited-risk (chatbots — transparency duties), minimal-risk (filters, games — no obligations).
How it lands in Turkey
Any Turkish company serving EU customers, processing EU data, selling AI products into the EU, or making automated decisions inside EU borders is directly in scope. The Brussels effect: ISO 42001 plus EU AI Act will be in most Turkish RFPs by year end.
KVKK + NIST AI RMF — the Local-Global Bridge
KVKK 2026 AI guidance
When personal data flows through an AI system, the KVKK 2026 AI guidance document applies. Notice, explicit consent, and data minimization are spelled out for the AI case specifically.
NIST AI Risk Management Framework
Born in the US but a global RFP standard. Map, Measure, Manage, Govern. Cross-mapping it to ISO 42001 lets us document compliance against both at once.
How We Run It
One audit, four frameworks
ISO 42001, EU AI Act, KVKK, and NIST RMF documented as a cross-walk. One parallel project instead of four separate audits.
AgentOps integration
Production audit logs, reproducibility, and change management requirements get operationalized through the AgentOps retainer.
Sector-specific playbooks
Defense (classified protocols), healthcare (GDPR plus HIPAA plus KVKK), finance (KVKK plus SPK plus EU AI Act high-risk) — each has its own runbook.