FAIIR is a professional compliance standard for how small and midsize businesses use AI — not a philosophy, a checklist your business can actually run. This page is the whole framework, in plain language.
Your business almost certainly uses AI already. Your insurance carrier, your enterprise clients, and a growing list of state laws are asking the same question in different words: show me how you use AI — and show me the paper that proves you’re doing it responsibly.
FAIIR is not a law. It is a professional standard — the way SOC 2 codified trust for software companies. It was developed by Available Law, a Colorado-licensed law firm, and is maintained by FAIIR, LLC, so every certification is attorney-led analysis, not a generic audit checklist. Five pillars, 41 controls, each with a pass/fail bar.
The Five Pillars
F-A-I-I-R: Fitness for purpose, Accountability, Integrity of data, Informed use, Risk management. Under each pillar sit specific documented controls — 41 in total. A sample of what they require:
“Is this AI actually suited to the task you're using it for?”
Most AI liability doesn't come from exotic failures. It comes from deploying a general-purpose model in a domain where it was never validated. This pillar asks you to prove you thought about the match.
“When something goes wrong, who owns it — and can you prove that was decided before it went wrong?”
Post-hoc accountability is no accountability. The test is whether a responsible human was designated, in writing, before the incident — and what each AI vendor contractually owes you when their model fails.
“What goes into the AI, where does it go, and how long does it live there?”
This is the pillar most businesses fail first — employees pasting customer data and trade secrets into free AI tools every day, with no one tracking it. Integrity of Data is about knowing your data perimeter and enforcing it.
“Do the humans involved — employees and customers — actually know what's going on?”
Most AI liability cases turn on a surprised person: a customer surprised their chatbot was AI, an employee surprised their prompt trained a public model. Informed Use is the pillar that prevents surprise.
“If this all goes wrong, will you know it happened, contain it, and be able to prove what you did?”
The audit-trail pillar — it converts “we're being careful” into “here is the evidence we were careful.” This is where insurers, auditors, and plaintiffs actually look.
How Scoring Works
There is no partial credit for good intentions. A control passes when the documentation exists — a written register, a signed policy, a configured setting, a dated review. The assessment scope determines how many controls are examined and how deeply, which is why certification is scoped on a discovery call rather than sold off a shelf.
What Certification Means
A FAIIR certification letter reflects an attorney-led assessment of your organization’s practices against the framework’s defined controls, based on evidence you submit. It is annual and firm-specific — never lifetime, never transferable. That precision is the point: a claim this specific is one you can hand to an insurance carrier, an enterprise procurement team, or a regulator without overselling.
FAIIR doesn't replace HIPAA, GDPR, the EU AI Act, or state-law obligations — it helps organizations meet them in an organized way.
Passing FAIIR is evidence of reasonable care — the way a SOC 2 report doesn't mean a system can't be breached, but shows security was taken seriously.
FAIIR certifies an organization's practices around deploying AI, not the models themselves. New model, same framework, applied again.
FAIIR is a standard of care, not a ruling on any particular law in your jurisdiction or industry.
What FAIIR Is Benchmarked Against
FAIIR doesn’t compete with the standards shaping AI governance; it makes them runnable at small-business scale. The same documented controls answer the questions regulators, carriers, and enterprise customers all ask in different forms.
FAIIR is a practical, SMB-scale operationalization of the same principles — govern, map, measure, manage — sized for a business without a compliance department.
The pillars map directly onto the disclosure, human-review, and recordkeeping duties that Colorado's AI Act — and the widening set of state laws like it — impose on businesses deploying AI in consequential decisions.
The Informed Use pillar aligns with the Act's disclosure and content-labeling obligations, including Article 50 transparency requirements.
FAIIR covers the AI-specific ground these frameworks don't reach, at a weight an SMB can actually carry. An organization can hold SOC 2 and FAIIR in parallel; FAIIR is a lighter-weight path toward ISO 42001-style outcomes.
Frequently asked
The free self-check scores you against the five pillars in about ten minutes. When you’re ready for the real thing, an attorney-led assessment starts with a free 30-minute discovery call.