Compliance & Governance for AI Workloads
Artifact, Config, Audit Manager, and CloudTrail applied to AI — plus the governance habits regulators expect.
The compliance toolbox (AI edition)
- AWS Artifact: Download AWS's own compliance reports (SOC, ISO, PCI) when auditors ask about the infrastructure your AI runs on.
- CloudTrail: Who did what: every Bedrock/SageMaker API call logged for audit — model invocations, training jobs, configuration changes.
- AWS Config: Continuous configuration compliance: e.g., alert if a SageMaker notebook becomes internet-accessible or an S3 training bucket goes public.
- Audit Manager: Automates evidence collection against frameworks — including generative AI best-practice frameworks.
- Best-practice checks across cost, security, and resilience.
- Document models and manage approved versions — governance for the model lifecycle itself.
Same core services as on every AWS exam, now wearing an AI hat: CloudTrail = API audit, Config = configuration compliance, Audit Manager = evidence collection, Artifact = AWS's own certifications. If the scenario says "prove who invoked the model," that's CloudTrail.
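What "prove who invoked the model" looks like in practice, as an added example that is not part of the original page or AWS's own tooling: a small Python routine that reads CloudTrail records (field names follow CloudTrail's documented event format), keeps only Bedrock runtime invocations inside a date window, and attributes role sessions to the role that was assumed rather than the temporary session ARN. The sample records, account ID and quarter boundaries are constructed for illustration.

```python
"""Who invoked which Bedrock model, from CloudTrail records.
Added example for this page, not AWS code; sample data below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Bedrock runtime calls that invoke a model; management calls such as
# ListFoundationModels are deliberately left out of the count.
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}

def principal_of(identity: dict) -> str:
    """Caller ARN an auditor wants: for role sessions, the assumed role
    (sessionContext.sessionIssuer), not the short-lived session ARN."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn") or identity.get("arn", "unknown")
    return identity.get("arn", "unknown")

def bedrock_invocations(records, start: datetime, end: datetime) -> dict:
    """Count model invocations per principal and modelId within [start, end)."""
    counts = defaultdict(Counter)
    for rec in records:
        if rec.get("eventSource") != "bedrock.amazonaws.com" or rec.get("eventName") not in INVOKE_EVENTS:
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not start <= when < end:
            continue
        # requestParameters can be null in CloudTrail, hence the "or {}".
        model = (rec.get("requestParameters") or {}).get("modelId", "unknown")
        counts[principal_of(rec["userIdentity"])][model] += 1
    return {p: dict(c) for p, c in counts.items()}

# Constructed sample records (shape only; not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-02-10T09:15:00Z", "eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"modelId": "amazon.titan-text-express-v1"}},
    {"eventTime": "2024-03-01T14:02:11Z", "eventSource": "bedrock.amazonaws.com", "eventName": "Converse",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/sess-1",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/AppRole"}}},
     "requestParameters": {"modelId": "amazon.titan-text-express-v1"}},
    {"eventTime": "2024-03-02T08:00:00Z", "eventSource": "bedrock.amazonaws.com", "eventName": "ListFoundationModels",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-04-05T10:00:00Z", "eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"modelId": "amazon.titan-text-express-v1"}},
]
Q1_START, Q1_END = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 4, 1, tzinfo=timezone.utc)

def q1_report() -> dict:
    """Q1 report over the constructed records: bob (April) and the list call are excluded."""
    return bedrock_invocations(SAMPLE_RECORDS, Q1_START, Q1_END)
```

In a real audit the records come from the CloudTrail log files (or a CloudTrail Lake / Athena query) for the quarter in question; the aggregation logic stays the same.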
A governance program for AI, in brief
- Define policies for acceptable AI use, data handling, and human oversight.
- Assign accountability — named owners for each model and dataset.
- Document everything: model cards, data lineage, evaluation results.
- Monitor continuously — drift, bias, misuse, cost.
- Review regularly against evolving regulations (e.g., EU AI Act risk tiers) and update guardrails.
- Frameworks to name-drop: NIST AI Risk Management Framework, ISO/IEC 42001 (AI management systems).
That completes the five domains. Next stop: the cheat sheet, then two full-length mock exams that mirror the real AIF-C01 experience.
A compliance team must show auditors a log of every user who invoked the company's Bedrock models last quarter. Which service provides this?