AI Compliance for Data Governance
Data Governance is addressed by 50 regulatory updates across 9 jurisdictions and 7 frameworks. This page tracks how regulators worldwide are approaching data governance in the context of artificial intelligence.
Framework Requirements for Data Governance
Regulations Covering Data Governance
International(18)
ISO/IEC 42001:2023 AI management systems
ISO/IEC 42001:2023 is the published AI management system standard, and organizations can use it now to formalize AI governance, controls, and certification-ready documentation.
ISO/IEC 42001:2023 AI management systems standard
ISO confirms that ISO/IEC 42001:2023 remains the core certifiable AI management system standard, so organizations seeking formal AI governance assurance can now anchor their programs to a stable international standard.
Council of Europe AI Framework Convention published
The Council of Europe AI Framework Convention is now published and signed, but it will only enter into force after the Article 30 ratification threshold is met, so organizations should prepare for rights-based AI governance obligations in advance.
AICPA releases responsible AI implementation checklist aligned to ISO/IEC 42001
AICPA’s responsible AI checklist aligns ISO/IEC 42001 concepts with SOC 2 criteria, making it a useful audit-readiness tool for teams that need AI controls to fit within existing trust services reporting.
CSA maps AI Controls Matrix to ISO/IEC 42001 and ISO 27001/27002
CSA has published a mapping between its AI Controls Matrix and ISO/IEC 42001, with references to ISO/IEC 27001 and 27002, giving compliance teams a practical bridge between AI governance and existing security control programs.
US Federal(11)
FDA draft guidance on artificial intelligence-enabled medical devices
The FDA’s January 2025 draft guidance on AI-enabled medical devices remains the key current benchmark for lifecycle, transparency, bias, and documentation expectations for AI device submissions and post-market controls.
FDA guidance on AI-enabled medical devices remains active
FDA continues to emphasize lifecycle-wide expectations for AI-enabled medical devices, including transparency and predetermined change control, so developers need submission-ready documentation for model changes and postmarket monitoring.
AI-Enabled Optimization of Early-Phase Clinical Trials Pilot Program; Request for Information
FDA issued a request for information on April 29, 2026 to shape a pilot program for AI-enabled early-phase clinical trials, creating an immediate comment-driven opportunity to influence future expectations for AI use in clinical decision-making.
U.S. court rulings tracked in May 2026 docket updates
The provided court-listener entries are docket updates rather than identified AI regulatory rulings, so they mainly serve as litigation monitoring signals rather than actionable compliance changes.
National Defense Authorization Act for Fiscal Year 2026
Congress enacted the National Defense Authorization Act for Fiscal Year 2026 on 2025-12-18, creating a new public law reference point for federal AI and cybersecurity compliance monitoring.
Switzerland(8)
ISO/IEC 42005:2025 published for AI system impact assessments
ISO published ISO/IEC 42005:2025 in May 2025, adding a formal AI system impact-assessment standard that organizations can now use to evidence structured AI governance alongside ISO/IEC 42001.
FINMA guidance on governance and risk management when using artificial intelligence
FINMA’s 18 December 2024 guidance says supervised institutions must adapt governance and controls to the materiality and probability of AI risks, including operational, model, data, IT/cyber, third-party, legal, and reputational risks.
FDPIC AI and data protection guidance
The FDPIC states that Switzerland’s FADP applies directly to AI-supported processing and expects manufacturers, providers, and users to be transparent about purpose, functionality, and data sources.
FDPIC guidance on AI and data protection
The FDPIC’s AI guidance states that the Swiss FADP applies directly to AI-supported processing and requires transparency about purpose, functionality, and data sources, which elevates compliance expectations for AI deployments in Switzerland.
FINMA guidance on AI governance and risk management
FINMA’s AI guidance highlights operational, model, cyber, data-quality, third-party, legal, and reputational risks, so Swiss financial institutions should formalize AI governance and oversight now.
United Kingdom(5)
ICO investigation into Grok
The ICO has opened an investigation into Grok, signaling active enforcement scrutiny of AI processing under UK data protection law rather than a purely policy-level review.
ICO guidance on AI and data protection
The ICO’s AI guidance remains the key UK data-protection reference for AI systems, and the page is under review because of the Data (Use and Access) Act coming into force on 19 June 2025.
ICO AI and data protection guidance under review
The ICO says its AI and data protection guidance is under review in light of the Data (Use and Access) Act 2025, so organisations should expect refreshed UK GDPR expectations on AI governance and risk assessment.
Family Court endorses secure AI use for judgment summaries
The Family Court published a judgment noting that secure Judicial Copilot summaries were useful for parents with learning difficulties, underscoring that courts will scrutinize AI use but may accept it when carefully controlled and beneficial.
ICO Guidance on AI and Data Protection
The ICO’s AI and data protection guidance remains live and is under review following the Data (Use and Access) Act coming into force on June 19, 2025, so organisations must reassess UK GDPR controls for AI now rather than treating the guidance as static.
California(2)
California AB2575 health care services artificial intelligence
California AB2575 was introduced to regulate AI in health care services, adding to the state’s growing AI governance patchwork and requiring ongoing monitoring by health-sector operators.
CA SB1159: Artificial intelligence: transparency and governance
California SB1159 was read first time and held at desk on May 4, 2026, signaling an active transparency-and-governance proposal that could impose new documentation and disclosure expectations for AI systems.
Singapore(2)
Singapore PDPC advisory guidelines on personal data in AI recommendation and decision systems
PDPC finalized advisory guidelines on the use of personal data in AI recommendation and decision systems, clarifying PDPA expectations for training and deployment workflows that use personal data.
Singapore publishes Model AI Governance Framework for Agentic AI
IMDA published Version 1.0 of the Model AI Governance Framework for Agentic AI on 2026-01-22, creating immediate governance expectations for autonomous AI systems that reason and act on their own.
European Union(2)
EDPB marks 10 years of GDPR and ongoing AI governance impact
The EDPB’s 10-year GDPR anniversary update underscores that AI training, deployment, and cross-border processing continue to be governed by the GDPR framework and its supervisory ecosystem, so organizations should refresh their AI privacy controls and supervisory authority mapping now.
EU AI Act GPAI provider guidance and code-of-practice process
The Commission’s GPAI guidance and code-of-practice process makes the AI Act’s provider obligations operational now, so GPAI developers need to finalize transparency, copyright, risk-management, and documentation controls rather than waiting for enforcement practice to settle.
New York(1)
Weekly digest — coming soon
Leave your email to get the first issue when it ships. Free, no account required.
We use your email only for the digest. Privacy policy