AI Compliance for Risk Management
Risk Management is addressed by 50 regulatory updates across 9 jurisdictions and 9 frameworks. This page tracks how regulators worldwide are approaching risk management in the context of artificial intelligence.
Framework Requirements for Risk Management
Regulations Covering Risk Management
US Federal (13)
Multiple AI-related U.S. court and state actions signal rising litigation risk
The source set includes multiple recent court decisions and state legislative actions around AI, biometric data, and automated decision tools, indicating that U.S. litigation and state-law exposure for AI systems is expanding even without a single federal AI statute.
FTC continues AI deception and AI-companion scrutiny
The FTC’s recent AI enforcement and 6(b) activity shows that deceptive AI claims, misleading chatbot marketing, and data-handling practices remain active enforcement targets and can trigger orders, notices, or information demands without new AI-specific legislation.
SEC actions on false and misleading AI statements
SEC enforcement releases in 2024–2026 show the Commission continuing to treat false or misleading AI claims as a disclosure and fraud problem for public companies and advisers.
FTC inquiry into generative AI investments and partnerships
The FTC’s 6(b)-style inquiry into major AI investments and partnerships signals antitrust and market-structure scrutiny for AI deals and ecosystem concentration.
FTC authorization for compulsory process for AI-related products and services
The FTC approved compulsory-process authority for AI-related products and services, suggesting faster investigative requests and higher scrutiny of AI claims and practices.
International (9)
NIST updated guidelines for managing misuse risk for dual-use foundation models
NIST’s second public draft on dual-use foundation-model misuse risk closed for comments on March 15, 2025, making it an important adjacent reference for foundation-model governance even though it is not the AI RMF itself.
NIST AI RMF Generative AI Profile
NIST’s generative AI profile was updated on April 8, 2026, making it the current companion reference for organizations governing GenAI risk under the AI RMF.
NIST AI Risk Management Framework hub and critical infrastructure profile concept note
NIST’s AI RMF hub now highlights a new April 7, 2026 concept note for a trustworthy AI profile in critical infrastructure, indicating the framework’s next expansion area for high-consequence sectors.
ISO/IEC JTC 1/SC 27/WG 1 N 3298 auditing practices note on SoA
This ISO committee note clarifies how scope and control coverage are handled in a Statement of Applicability, which can affect how AI-related controls are documented inside an existing ISO/IEC 27001 certification.
BS ISO/IEC 42006:2025 requirements for AI management system certification bodies
BSI says BS ISO/IEC 42006:2025 now sets requirements for bodies that audit and certify AI management systems, which raises the bar for ISO/IEC 42001 certification quality.
European Union (6)
EU consults on future cloud and AI policies tied to AI Act implementation
The Commission’s cloud-and-AI policy consultation explicitly seeks input on AI Act implementation, so organisations should treat it as an active policy-development channel that may shape future operational obligations.
EU AI Office advances GPAI code of practice and AI-generated content transparency work
The EU AI Office is actively operationalizing the AI Act through codes of practice and related guidance for general-purpose AI and AI-generated content, meaning providers should align now to avoid being behind the forthcoming compliance baseline.
ESAs publish first annual report on DORA major ICT-related incidents
On 2026-06-03, the EBA, EIOPA and ESMA published their first annual overview of major ICT-related incidents under DORA, underscoring that borderless ICT and AI-driven risks now require financial entities to tighten cybersecurity and incident-reporting readiness.
EU AI Office finalizes General-Purpose AI Code of Practice
The Commission’s 2025 AI Act update makes the General-Purpose AI Code of Practice available as a voluntary compliance tool, meaning GPAI providers now have a concrete benchmark for transparency, copyright, and safety/security obligations.
EU AI Act sandbox implementing act consultation closes
The Commission’s consultation on the AI Act implementing act for regulatory sandboxes closed on 2026-01-13, so organizations seeking sandbox access should now watch for the final rules and application conditions.
United Kingdom (5)
UKAS grants first accreditation for ISO/IEC 42001 certification
UKAS accredited BSI for ISO/IEC 42001 certification, creating a live accredited certification market that materially changes how organizations can seek independent assurance for AI management systems.
FCA Mills Review on how AI will reshape retail financial services
The FCA launched a review of advanced AI’s impact on retail financial services, with feedback due 24 February 2026 and recommendations expected for the FCA Board in summer 2026.
ICO investigation into Grok
The ICO has opened an investigation into Grok, signaling active enforcement scrutiny of AI processing under UK data protection law rather than a purely policy-level review.
ICO guidance on AI and data protection
The ICO’s AI guidance remains the key UK data-protection reference for AI systems, and the page is under review because of the Data (Use and Access) Act coming into force on 19 June 2025.
ICO maintains enforcement posture on AI chatbots and biometrics
The ICO has continued investigating AI systems such as Grok and reiterating its willingness to use full enforcement powers, so AI chatbot and biometric deployments remain under active data-protection scrutiny.
Switzerland (5)
ISO/IEC 42005:2025 published for AI system impact assessments
ISO published ISO/IEC 42005:2025 in May 2025, adding a formal AI system impact-assessment standard that organizations can now use to evidence structured AI governance alongside ISO/IEC 42001.
FINMA guidance on governance and risk management when using artificial intelligence
FINMA’s 18 December 2024 guidance says supervised institutions must adapt governance and controls to the materiality and probability of AI risks, including operational, model, data, IT/cyber, third-party, legal, and reputational risks.
FDPIC AI and data protection guidance
The FDPIC states that Switzerland’s FADP applies directly to AI-supported processing and expects manufacturers, providers, and users to be transparent about purpose, functionality, and data sources.
FDPIC guidance on AI and data protection
The FDPIC’s AI guidance states that the Swiss FADP applies directly to AI-supported processing and requires transparency about purpose, functionality, and data sources, which elevates compliance expectations for AI deployments in Switzerland.
FINMA guidance on AI governance and risk management
FINMA’s AI guidance highlights operational, model, cyber, data-quality, third-party, legal, and reputational risks, so Swiss financial institutions should formalize AI governance and oversight now.
California (5)
California AB2575 health care services artificial intelligence
California AB2575 was introduced to regulate AI in health care services, adding to the state’s growing AI governance patchwork and requiring ongoing monitoring by health-sector operators.
California AB 2575 – Health care services: artificial intelligence
California AB 2575 was last acted on 2026-05-18 and is still moving as an introduced bill, so healthcare AI teams should track it for emerging state-level obligations rather than treat it as operative law.
California AB2545 labor force impact report on AI advances
California AB2545 cleared committee on 2026-05-14, indicating growing legislative interest in AI labor impacts and signaling a possible future reporting obligation for employers and developers.
California AB1979 advances on health care AI
California AB1979 passed committee on 2026-05-14, keeping health-care AI regulation active in California and requiring providers and vendors to continue preparing for disclosure and oversight duties.
California SB947 advances on employment automated decision systems
California SB947 was read a second time and amended on 2026-05-14, so employers should expect a rapidly evolving employment-AI compliance bill and begin impact assessment planning now.
Colorado (3)
Colorado SB 189 – Automated Decision-Making Technology
Colorado SB 189 was signed by the Governor on 2026-05-14, indicating the state has enacted a new automated decision-making framework that compliance teams need to map against existing AI controls.
Colorado SB189 sent to governor on automated decision-making technology
Colorado SB189 was sent to the governor on 2026-05-12, meaning a statewide automated decision-making law may be imminent and organizations should finalize gap remediation before enactment.
Colorado HB1139 advances on use of AI in health care
Colorado HB1139 advanced to Senate third reading on 2026-05-11, increasing the likelihood of new AI-specific obligations for health-care use cases that could require near-term policy and vendor review.
Singapore (2)
Singapore PDPC advisory guidelines on personal data in AI recommendation and decision systems
PDPC finalized advisory guidelines on the use of personal data in AI recommendation and decision systems, clarifying PDPA expectations for training and deployment workflows that use personal data.
Singapore publishes Model AI Governance Framework for Agentic AI
IMDA published Version 1.0 of the Model AI Governance Framework for Agentic AI on 2026-01-22, creating immediate governance expectations for autonomous AI systems that reason and act on their own.
New York (2)
New York bill on technological displacement notice and workforce transition
New York S08589 was printed on 2026-05-14 and would require notice, reporting, and a workforce transition period before technological displacement, so employers should assess restructuring plans now.
New York automated lending decision tools bill advances
New York A00773 advanced to third reading on 2026-04-30, signaling imminent scrutiny of automated lending tools and the need to prepare consent/opt-out and governance controls now.