This week’s signal is mostly about implementation, not new legal obligations. In the US, NIST continued building out support around the AI RMF 1.0 through its AI Resource Center, an updated overview, and a concept note for a critical-infrastructure profile. Internationally, ISO/IEC 42001:2023 remains the operative AI management system standard, with ISO’s guidance reinforcing that certification is voluntary but increasingly useful for governance and audit readiness. The practical takeaway: compliance teams should tighten AI governance evidence now, especially where NIST RMF mapping and ISO 42001 alignment may later feed assurance, procurement, or sector-specific expectations.
ISO Standards
ISO 42001 becomes the active AI governance baseline
ISO/IEC 42001:2023 is the current published edition and the operative reference for AI management systems. It sets the baseline requirements for organizations that want to implement, certify, or align to an AI management system now.
Why it matters: Compliance teams can use this as the anchor for AI governance, risk treatment, and evidence collection. If you are building an AI control framework, this is the standard most likely to shape audit-ready documentation and certification planning.
ISO says 42001 certification is voluntary
ISO’s explainer confirms that certification to ISO/IEC 42001 is not a legal requirement. It frames the standard as a governance framework that organizations can adopt to structure responsible AI policies and controls.
Why it matters: Teams should decide whether they need internal alignment, formal certification, or both, based on customer, procurement, and assurance expectations. The practical risk is overcommitting to certification when governance evidence is the real near-term need.
US Federal & State Regulation
NIST AI Resource Center shifts to implementation support
NIST’s AI Resource Center is positioned as an implementation hub for operationalizing the AI RMF, not as a source of new obligations. The center is intended to provide implementation materials and use cases for teams applying the framework.
Why it matters: Compliance, product, and risk owners should use it to strengthen AI governance documentation and align it with the RMF functions. It is especially useful for teams trying to translate policy into controls without waiting for a new rulemaking.
NIST keeps AI RMF 1.0 as the baseline
NIST’s overview confirms that the framework remains AI RMF 1.0. The update signal is in supporting materials, with the Playbook expected to be enhanced rather than the base framework changed.
Why it matters: Organizations should continue using AI RMF 1.0 in current governance and assurance work, while watching for new implementation content and profiles. This matters for teams maintaining policy language, control mappings, and internal guidance.
NIST signals critical infrastructure AI profile work
NIST released a concept note for a trustworthy AI in critical infrastructure profile, indicating active development of sector-specific guidance. The note is not a final rule and sets no compliance deadline.
Why it matters: Operators in regulated or critical environments should start mapping where their AI use cases may intersect with infrastructure risks and sector obligations. When the profile lands, existing AI RMF controls may need to be remapped to more specific expectations.
White House AI Action Plan shapes NIST direction
NIST’s AI hub notes that it was named in the White House’s July 23, 2025 AI Action Plan. The reference indicates policy direction, but it does not create a direct legal change to the AI RMF itself.
Why it matters: Compliance teams should treat this as a signal to monitor follow-on federal guidance and implementation resources. It is relevant for roadmap planning, but not for immediate control changes based on a new framework version.
On Our Radar
NIST playbook enhancements: NIST says the AI RMF Playbook will be enhanced, so teams should watch for more actionable implementation material and new profiles. That content may become the practical bridge between policy and control evidence.
Critical infrastructure profile: The concept note suggests NIST is building sector-specific AI guidance for critical infrastructure. Regulated operators should watch for profile language that could influence control mapping and assurance expectations.
ISO 42001 adoption pressure: ISO 42001 remains voluntary, but its role as the current AI management system baseline is strengthening. Expect more procurement and audit requests to reference it even without a legal mandate.