AI Model Compliance Comparison (2026)
A living comparison of how the major AI models handle HIPAA, GDPR, SOC 2, ISO 42001, and data residency. Updated with each new model release.
This AI model compliance comparison shows how the major AI models handle the rules that regulated businesses care about. We track HIPAA, GDPR, SOC 2, ISO 42001, and data residency for Claude, ChatGPT, and Gemini. We update this page each time a new frontier model ships.
Here is the key point most buyers miss. A model is rarely "compliant" or "not compliant" on its own. Compliance depends on the plan you buy, the contract you sign, and the settings you turn on. The same model can be safe on one tier and unsafe on another.
Use this guide to match an AI model to your industry and your risk. We explain where a Business Associate Agreement (BAA) is available, which certifications each vendor holds, and where the common gaps are. Every claim links to the vendor's own documentation.
AI Model Compliance at a Glance (2026)
All three major vendors now offer enterprise compliance coverage. Each one can sign a BAA for HIPAA, holds SOC 2, and supports GDPR through a Data Processing Addendum. The differences show up in the details: which plans are covered, which certifications are held, and how data residency works.
One rule applies to every model. Consumer plans are almost never covered. You need a business, enterprise, or API tier, plus a signed agreement, before you put regulated data into any of these tools.
- Claude (Anthropic): BAA available on the first-party API and HIPAA-ready Enterprise. Holds SOC 2 Type I & II, ISO 27001:2022, and ISO 42001:2023. Zero-Data-Retention addendum available.
- ChatGPT / GPT (OpenAI): BAA available on the API, ChatGPT Enterprise, Business, and ChatGPT for Healthcare. Holds SOC 2 Type 2, ISO 27001:2022, and ISO 27701:2019. Data residency in 11+ regions.
- Gemini (Google): BAA available through Vertex AI and covered Workspace SKUs. Holds SOC 1/2/3, ISO 42001, HITRUST, FedRAMP High, and PCI DSS v4.0. Full regional data residency on Google Cloud.
- Every vendor excludes free and basic consumer plans from BAA coverage.
- Certifications cover the platform, not just one model. A new model on a covered API usually inherits that coverage.
Is Claude Compliant? (HIPAA, SOC 2, ISO 42001)
Claude can support regulated work, but only on the right surface. Anthropic offers a BAA for HIPAA-ready services, which include the first-party API and HIPAA-ready Enterprise plans. An administrator must turn on HIPAA settings and sign the BAA first.
The BAA does not cover Claude Free, Pro, Max, or Team. It also excludes the Workbench, the Console, Cowork, and beta features. Putting patient data into those surfaces gives you no BAA protection.
On certifications, Anthropic is strong. It holds SOC 2 Type I and Type II, ISO 27001:2022, and ISO/IEC 42001:2023 for AI management systems. Enterprise customers can add a Zero-Data-Retention addendum so no conversation data is stored after a session.
Is ChatGPT Compliant? (HIPAA, SOC 2, GDPR)
OpenAI signs BAAs to support HIPAA compliance. Coverage applies to the API, ChatGPT Enterprise, ChatGPT Business, and ChatGPT for Healthcare. Consumer tiers — Free, Plus, Pro, and Team — are not eligible, so they offer zero BAA protection for patient data.
OpenAI holds a SOC 2 Type 2 report covering security, availability, confidentiality, and privacy. It also holds ISO 27001:2022 and ISO 27701:2019. For GDPR, OpenAI signs a Data Processing Addendum with business and API customers.
Data residency is a strength. Eligible customers can store content at rest in the US, Europe, UK, Japan, Canada, South Korea, Singapore, Australia, India, and the UAE. Enterprise and API data is not used to train models by default.
Is Gemini Compliant? (HIPAA, FedRAMP, PCI DSS)
Gemini has the broadest certification list of the three. Through Vertex AI and Google Cloud, it covers SOC 1/2/3, ISO 27001/27017/27018/27701, ISO 42001, HITRUST, FedRAMP High, and PCI DSS v4.0. That FedRAMP High coverage matters for government and public-sector work.
A BAA is available, but Gemini is not HIPAA compliant by default. You need the right surface — Vertex AI on Google Cloud or a covered Workspace SKU — plus a signed Google BAA and controls that keep PHI off unsupported surfaces.
Data residency runs through Google Cloud regions. Vertex AI offers EU regions, but you pin the region per call, not per project. A data protection review should specify and verify region pinning.
What the Latest Model Release Changes
New models usually inherit their vendor's existing compliance coverage. When a model ships on a covered API or enterprise plan, the same BAA, SOC 2, and ISO certifications apply. The contract and settings still matter more than the model name.
Anthropic's Claude Fable 5, released in June 2026, is a good example. It runs on the same Anthropic API and Enterprise surfaces, so the BAA and ISO 42001 coverage carry over. Fable 5 also adds hard safety limits that block high-risk requests in areas like cybersecurity and biology, then falls back to Claude Opus 4.8.
Pricing and availability did change. Fable 5 costs more than Opus 4.8 and became generally available on GitHub Copilot at launch. Always confirm a new model is in scope for your BAA before you send it regulated data.
Which AI Model Is Right for Your Regulated Industry
The best model depends on your rules, not just raw performance. Healthcare teams need a signed BAA and tight PHI controls. Financial and legal teams care most about data residency, retention, and audit logs.
Match the surface to the risk. For the strictest needs, pick an API or enterprise tier with Zero-Data-Retention and region pinning. For lighter use, a covered business plan with a DPA is often enough.
- Healthcare and medical practices: any of the three works with a signed BAA on a covered tier. Confirm PHI stays on supported surfaces.
- Banking and financial services: prioritize data residency, SOC 2, and audit logs. Gemini adds PCI DSS v4.0 and FedRAMP High.
- Legal and professional services: prioritize Zero-Data-Retention and no-training defaults to protect privileged data.
- Government and public sector: Gemini's FedRAMP High coverage is often the deciding factor.
How to Deploy AI Compliantly: A Quick Checklist
Compliance is a setup task, not a single purchase. Follow these steps before you send any regulated data to an AI model.
- Pick a covered tier: API, enterprise, or business — never a free or consumer plan.
- Sign the vendor's BAA (for HIPAA) or DPA (for GDPR) before processing real data.
- Turn on the compliance settings, such as HIPAA mode or Zero-Data-Retention.
- Pin your data residency region if you operate under GDPR or local rules.
- Confirm the specific model is in scope for your agreement.
- Keep audit logs and limit access to staff who need it.
- Review beta features carefully — they are often excluded from BAA coverage.
Frequently Asked Questions
- All three can support HIPAA with a signed BAA on a covered tier. Claude, ChatGPT, and Gemini each offer a BAA on their API or enterprise plans. None is HIPAA compliant by default, so the plan and settings matter more than the model.
- No. Anthropic, OpenAI, and Google all exclude free and basic consumer plans from BAA coverage. You must use a business, enterprise, or API tier and sign a BAA before processing any patient data.
- Usually not. A new model on a covered API or enterprise plan inherits the same BAA, SOC 2, and ISO certifications. Always confirm the specific model is named in your agreement before sending regulated data.
- Gemini, through Vertex AI, has the broadest list. It covers SOC 1/2/3, ISO 42001, HITRUST, FedRAMP High, and PCI DSS v4.0. Anthropic and OpenAI hold SOC 2 and ISO 27001, and Anthropic and Google both hold ISO 42001.
- Zero-Data-Retention (ZDR) stops the vendor from storing your prompts and outputs after a session. Anthropic and OpenAI offer it on enterprise or API tiers. It is strongly recommended for healthcare, legal, and financial data.
- Fable 5 runs on Anthropic's API and Enterprise surfaces, so it inherits the existing BAA and ISO 42001 coverage. It also adds safety limits that block high-risk requests. Confirm Fable 5 is in scope for your BAA before use.
- They can. All three sign a Data Processing Addendum (DPA) for GDPR. OpenAI and Google also offer regional data residency so you can store data at rest in the EU. You still need to configure region settings correctly.
Not sure which AI model fits your compliance needs?
Layer3 Labs helps small and mid-market companies in regulated industries pick, configure, and deploy AI models the right way — with the BAA, settings, and controls your rules require.