When companies evaluate AI vendors or start building a compliance program, they run into a fragmented landscape defined by acronyms. SOC 2, ISO 27001, ISO 42001, NIST AI RMF, GDPR, and the EU AI Act appear across vendor pages, procurement questionnaires, and regulatory guidance, but most teams cannot clearly explain what each one actually represents or how they differ.
That creates a direct risk. Selecting a vendor with certifications that do not match regulatory obligations leads to failed security reviews, blocked procurement cycles, or exposure to enforcement actions. In practice, buying the wrong compliance profile is equivalent to having no compliance at all when it matters.
The confusion exists because certifications, frameworks, and laws are structurally different but treated as interchangeable. A SOC 2 report reflects an external audit. NIST AI RMF alignment reflects internal implementation. GDPR compliance reflects legal obligation enforced by regulators. Each carries a different level of verification, accountability, and consequence.
This guide defines every major certification, framework, and law in plain language, explains who each one applies to, and outlines what the certification or compliance process looks like from inside an organization. It is designed as a reference for teams evaluating AI vendors, responding to procurement requirements, or building compliance programs that hold under real regulatory pressure.
The Three Categories You Need to Understand First
Most compliance conversations blur three different systems into one label, which is where many get confused. Certifications, frameworks, and laws run on different forms of proof, oversight, and consequence.
Certifications are independently verified: a third-party auditor evaluates an organization against a defined standard and issues formal documentation if requirements are met. SOC 2, ISO 27001, and ISO 42001 sit here. When a vendor claims certification, they should be able to provide an audit report or certificate from an accredited body. The proof is external and documented, which is why these claims carry weight in procurement.
Frameworks are structured guidance, not audited standards. NIST AI RMF is the clearest example. Organizations adopt the framework, implement controls, and assess alignment internally or with consultants. No official certificate is issued by NIST. When a vendor claims alignment, that reflects internal implementation rather than independent validation. Frameworks still matter because they reflect accepted practice and show up in procurement and regulatory conversations.
Laws and acts are binding obligations enforced by government bodies. GDPR, the EU AI Act, and CCPA fall here. Organizations do not get certified the same way they do for SOC 2 or ISO standards. They comply or face enforcement actions such as fines, audits, or legal claims. The consequences are financial and legal.
When a vendor claims compliance, the first question is which category that claim belongs to. The answer determines how much proof exists, how it should be verified, and how much risk sits behind it.
The Certifications
These are the claims backed by independent audits, and that distinction matters more than people think. A third party comes in, reviews controls in detail, tests real evidence, asks uncomfortable questions, and then produces documentation that a buyer can actually read and challenge. When procurement teams say they need proof, this is what they mean.
SOC 2
Certification | United States — AICPA Standard
SOC 2 comes from the American Institute of CPAs and evaluates how a company handles security, availability, processing integrity, confidentiality, and privacy. Organizations pick the criteria that apply to their product and the data they handle, which means two SOC 2 reports can look very different even though they carry the same label. Buyers who receive a SOC 2 report should read the scope section before treating it as comprehensive coverage.
In US enterprise sales, this report appears early in almost every security review. Without it, deals slow down and eventually drop out. A Type 1 report tells buyers that controls existed at a point in time. A Type 2 report shows those controls actually operated over a testing period, typically six to twelve months. Enterprise buyers almost always want Type 2 because it reflects sustained behavior rather than a snapshot.
The implementation process involves building controls, documenting them, and connecting everything to an evidence platform that continuously pulls data. Auditors then test that evidence by sampling logs, tracing access decisions back to defined policies, and reviewing how exceptions were handled. The first cycle is usually the most disruptive because nothing has been documented at that level before.
ISO 27001
Certification | International Standard
ISO 27001 requires an organization to build and operate a formal Information Security Management System, which means security is run as an ongoing process tied to explicit risk decisions rather than a set of disconnected controls. At the center of that system is the risk register: teams identify risks, assess likelihood and impact, decide how to handle them, and map specific controls to each decision. Those decisions are documented, revisited, and updated as the business changes.
The scope question catches buyers off guard more often than anything else. The certificate only covers what is explicitly included in the Statement of Applicability. A vendor can hold ISO 27001 certification while leaving specific products, environments, or regions outside the scope of the audit. Buyers should always ask exactly what the certification covers.
In European, Middle Eastern, and Asian markets, ISO 27001 functions the way SOC 2 does in the United States. It is expected as a baseline and its absence slows or blocks procurement. For organizations that already completed SOC 2, the groundwork overlaps significantly, but ISO 27001 requires connecting those pieces into a formal management system with documented risk decisions rather than just a collection of controls.
ISO 42001 — AI Management Systems
Certification | Growing Requirement — 2026
ISO 42001 applies the management system concept to AI specifically. Organizations must maintain an inventory of AI systems, document how each is used, identify risks tied to those uses, and define controls that address issues including bias, reliability, transparency, and oversight. Data lineage needs to be part of the record, along with evaluation results and monitoring outputs showing how systems perform after deployment.
The audit follows a similar structure to ISO 27001 but the evidence looks different. Auditors review model documentation, check how risk assessments were conducted for specific use cases, examine approval workflows required before deployment, and then look at monitoring records to see what happens once a system is live. They want to follow the decision trail from how a system was approved to what happens when it produces an unexpected output.
Adoption is still limited relative to ISO 27001, which makes the signal stronger for organizations that do have it. Buyers trying to understand how a vendor manages AI risk across its lifecycle cannot get that answer from SOC 2 or ISO 27001 alone. ISO 42001 is increasingly appearing in EU market procurement requirements, especially from organizations that need to demonstrate structured AI governance ahead of EU AI Act compliance obligations.
ISO/IEC 42006 — Requirements for AI Auditors (New)
Certification Standard | International — Published 2025
ISO 42006 does not certify organizations. It sets the requirements for the bodies that audit and certify organizations against ISO 42001. It specifies the competence requirements, consistency criteria, and AI-specific considerations — including bias evaluation, explainability, and data quality assessment — that certification bodies must demonstrate when conducting ISO 42001 audits.
The practical consequence for organizations pursuing ISO 42001 certification is that they should verify their chosen auditor operates in compliance with ISO 42006. The standard was designed to raise the credibility of AI management system audits by ensuring that assessors have the right expertise and apply consistent methodology. Without it, two ISO 42001 audits conducted by different bodies could reach different conclusions based on different interpretations of what "adequate governance" means.
CRAGE — Certified Responsible AI Governance & Ethics (New)
Professional Certification | Global — EC-Council, Launched 2025–2026
CRAGE is a professional certification for individuals, launched by EC-Council in late 2025 and early 2026. It is aimed at CISOs, GRC leaders, data protection officers, and internal auditors who need to build and operate AI governance programs, not just describe them. The curriculum covers NIST AI RMF, ISO 42001, EU AI Act, GDPR and CCPA, and SOC 2, with a focus on implementation, audit readiness, and accountability rather than theoretical awareness.
The older credential in this space is the IAPP's Artificial Intelligence Governance Professional (AIGP), which remains current. CRAGE differs by going deeper on operational execution — designing governance programs, performing AI testing and audits, managing risk, and documenting evidence that survives regulatory examination. Organizations hiring or evaluating AI governance professionals should understand that these two credentials test different things: AIGP covers awareness of the field, and CRAGE covers the operational work of running a governance program.
HIPAA
US Federal Law — Healthcare | Compliance Demonstrated Through Audit
HIPAA governs how protected health information moves through an organization. Administrative safeguards set how teams are trained and how risk is managed. Physical safeguards cover access to facilities and devices. Technical safeguards define how systems control access, log activity, and secure data in transit. Any system handling patient data — clinical tools, documentation platforms, engagement applications, backend services — falls under this structure once it crosses the threshold of touching protected health information.
There is no certificate issued by the government. Evidence comes from documentation, risk assessments, policies, training records, and system controls. Healthcare buyers expect that proof before onboarding a vendor, and they ask for it early. Enforcement sits with the Department of Health and Human Services Office for Civil Rights and typically begins after a breach or complaint. Penalties grow quickly when large numbers of records are involved.
PCI DSS
Industry Standard — Certification Required | Global — Payment Card Industry
PCI DSS governs how cardholder data is handled anywhere it appears across storage, processing, and transmission. It defines twelve requirement areas that map to system segmentation, data encryption, access control, and activity monitoring. Any AI system embedded in checkout flows, fraud detection, or transaction analysis operates close enough to payment data to bring PCI DSS into scope.
Assessment level depends on data volume. Smaller organizations complete structured questionnaires. Larger ones go through full audits with Qualified Security Assessors who test both the presence and consistency of controls. The consequence of failure is direct: payment processors can revoke access, which stops transactions from processing. For any company involved in commerce, that outcome is not theoretical.
FedRAMP
US Federal Authorization | Required to Sell to Federal Agencies
FedRAMP defines how cloud systems are evaluated and approved for use by US federal agencies. Without authorization, agencies cannot legally use the product regardless of how well it performs. The requirement is absolute, not a preference.
The process involves implementing hundreds of controls mapped to NIST SP 800-53, undergoing assessment by a Third Party Assessment Organization, and moving through a federal review cycle before authorization is granted. Authorization can take one to two years and requires dedicated internal resources. Most organizations pursue it only when there is clear, documented demand from federal buyers because the investment does not make sense otherwise. Once authorized, continuous monitoring is required to maintain status.
The Frameworks
Frameworks sit in a weird middle ground, and that is exactly why they get misunderstood so often. They do not produce certificates, they do not come with a stamp from an external auditor, and yet they show up in procurement conversations as if they carry the same weight. What they actually represent is how a company thinks about risk and whether that thinking holds up under pressure.
NIST AI Risk Management Framework (AI RMF)
Framework — US NIST | Updated: GenAI Profile 600-1, April 2026
The NIST AI RMF organizes AI risk management across four functions: Govern, Map, Measure, and Manage. It is the most widely used voluntary framework in the United States and has become the de facto anchor for AI governance programs across industries. Federal contractors are increasingly expected to align with it. State laws reference it. International regulatory bodies use it as a technical companion for EU AI Act compliance.
Govern establishes accountability structures, ownership, and risk tolerance. Map builds the inventory of AI systems and their downstream impacts. Measure defines testing, evaluation, and monitoring. Manage is where decisions and responses are recorded and acted on. Each function sounds straightforward until an organization tries to apply it consistently across departments, at which point the friction usually surfaces around ownership and documentation rather than technical implementation.
Recent additions: NIST published the Generative AI Profile (NIST-AI-600-1) in July 2024 and updated it in April 2026, extending AI RMF coverage to large language models and generative systems. A separate draft profile for agentic AI systems is in development. NIST has also published an expanded set of evaluation methodologies through 2026 for organizations applying the framework to non-traditional AI deployments.
NIST Cybersecurity Framework (CSF)
Framework — US NIST | Widely Used Globally
The NIST Cybersecurity Framework organizes security practice across Identify, Protect, Detect, Respond, and Recover functions. Many organizations have built their entire security posture around it, and it shows up routinely in regulatory guidance and procurement requirements across industries. CSF 2.0, released in 2024, added a Govern function that creates direct connection points with the NIST AI RMF for organizations managing AI security alongside broader cybersecurity programs.
Two companies can reference the same framework and arrive at very different realities. One has tested incident response, maintains real-time monitoring that drives decisions, and keeps documentation that reflects actual operations. Another has documentation that technically exists but does not match how work gets done day to day. The framework provides structure. What sits inside that structure depends on how the organization chose to fill it.
NIST Cyber AI Profile (New)
Draft Framework — US NIST | Released December 2025, Public Comment Period
In December 2025, NIST released a draft Cybersecurity Framework profile for AI systems, designated NIST IR 8596 and referred to as the Cyber AI Profile. The draft overlays three focus areas onto the NIST CSF 2.0 functions. "Secure" covers the challenges of integrating AI systems safely into existing security architectures. "Defend" covers how AI can be used to enhance cybersecurity operations, including threat detection and automated incident response. "Thwart" addresses resilience against AI-enabled attacks such as deepfakes, spear phishing automation, and AI-driven vulnerability exploitation.
This profile is still in draft form, and organizations should treat it as a developing standard rather than a final requirement. Once finalized, it will extend the NIST CSF into AI-specific security governance and is expected to be referenced in federal procurement requirements. The Treasury Department's February 2026 financial services AI framework already maps NIST AI RMF principles into 230 operational control objectives, suggesting the direction these profiles will take once formalized.
ISO 23894 — AI Risk Management
International Standard — Framework | ISO/IEC Joint Technical Committee
ISO 23894 focuses on how organizations identify, analyze, and treat risks in AI systems throughout their lifecycle. It does not certify behavior, but it defines a methodology for risk decision-making that sits above the technical layer and connects to the management system requirements in ISO 42001.
Where ISO 23894 creates real operational pressure is in the documentation of risk acceptance decisions. Teams are expected to define how they evaluate risk, walk through realistic scenarios, and produce records showing why certain risks were accepted while others were mitigated. In many organizations those decisions happen informally, in meetings and chat threads that leave no durable record. ISO 23894 pushes those decisions into a structured form that can be reviewed, challenged, and updated as circumstances change.
ISO/IEC 42005 — AI Impact Assessment (New)
International Standard — Published May 2025 | Supports EU AI Act Compliance
ISO 42005, published in May 2025, provides a structured method for evaluating how an AI system may affect individuals, groups, and society. It covers when to trigger an impact assessment, how to define the scope of impact, how to assign accountability for the review, and how to document findings in a way that connects to risk registers and incident response processes.
What distinguishes ISO 42005 from older impact assessment approaches is the emphasis on continuous assessment rather than a one-time evaluation before launch. The standard expects organizations to treat impact assessment as a lifecycle practice that is revisited when systems are updated, when deployment contexts change, or when adverse outcomes surface in production.
Regulatory connection: The EU AI Act requires Fundamental Rights Impact Assessments for high-risk AI systems operating in specific domains. ISO 42005 is the most complete framework available for satisfying that obligation, and organizations pursuing EU AI Act compliance for high-risk systems should treat it as the operational methodology behind those required assessments.
OECD AI Principles
Intergovernmental Framework | OECD — 38 Member Countries
The OECD AI Principles center on transparency, accountability, robustness, security, and human-centered design. They were adopted in 2019 by the OECD member countries and have been incorporated into the policy frameworks of many governments as a reference point for how AI should be governed. They shape public statements, inform national AI strategies, and appear frequently in procurement and policy alignment documents.
Inside an organization, these principles act more as a reference point than a system. They guide policy language and help teams communicate about AI risk, but they do not define specific controls or require documented evidence. References to OECD alignment in vendor materials signal awareness and general orientation. They do not, by themselves, answer the harder questions that procurement teams are now asking about specific governance processes and audit trails.
AI TRiSM — Trust, Risk, and Security Management (New)
Framework — Gartner / Industry | Formalized 2025–2026
AI TRiSM brings together three governance problems that organizations have historically handled in separate silos. Trust management covers fairness, bias, and privacy — the characteristics that determine whether an AI system behaves reliably across different population groups. Risk management covers societal harms, including manipulation, deepfakes, and autonomous weapons applications. Security management covers adversarial inputs, prompt injection, model theft, and other technical attacks against AI systems.
The framework's value is in treating these as a single integrated problem rather than as three separate workstreams. Organizations running security programs that do not include fairness evaluation, or running ethics programs that do not include adversarial testing, will find that problems in the uncovered area surface under pressure. AI TRiSM provides the conceptual vocabulary for building programs that address all three dimensions simultaneously across the AI lifecycle.
AI Verify Testing Framework (New)
Testing Framework — Singapore AI Verify Foundation | Updated Early 2026
AI Verify, developed by the AI Verify Foundation in collaboration with Singapore's IMDA, provides a toolkit of tests and process checks for evaluating responsible AI practices. It groups eleven ethical principles into five evaluation areas: transparency and explainability, reproducibility, safety and resilience, fairness and data governance, and management and oversight. The framework includes both process checklists and technical test libraries, and it is designed to be used alongside rather than instead of ISO 42001 and NIST AI RMF.
Where AI Verify distinguishes itself from higher-level frameworks is in the specificity of the testing methodology. Rather than describing what responsible AI should look like, it provides concrete tests that can be run against specific systems and concrete criteria for evaluating the results. Organizations looking to operationalize responsible AI principles rather than just document them have used AI Verify as the testing layer that makes their governance commitments verifiable.
AI Security Posture Management (AISPM) (New)
Emerging Practice — Vendor-Led Standard | Formalized 2025
AI Security Posture Management is a continuous practice of monitoring and improving the security of AI systems, models, and data pipelines. It extends traditional security posture management into AI-specific territory: securing training datasets, protecting model parameters, defending against inference attacks, detecting model poisoning, managing prompt injection risks, and catching configuration drift that changes how a deployed model behaves.
AISPM gives organizations a unified view of their AI security posture rather than treating model security, data security, and application security as separate programs. Several vendors have built products around this concept, and regulators are increasingly expecting real-time evidence of secure AI operations rather than point-in-time audits. Organizations should treat AISPM as a continuous operational requirement that runs alongside governance and compliance programs rather than as an alternative to them.
Singapore IMDA Model AI Governance Framework for Agentic AI (New)
Framework — Singapore IMDA | Launched January 22, 2026 — Updated May 2026
On January 22, 2026, at the World Economic Forum in Davos, Singapore's Infocomm Media Development Authority launched the world's first governance framework designed specifically for autonomous AI agents. The framework was announced by Minister for Digital Development and Information Josephine Teo alongside a global call for industry collaboration on agentic governance standards. An updated version was released in May 2026 incorporating case studies and stakeholder feedback.
The framework organizes agentic governance across four dimensions. The first covers assessing and bounding risks upfront — organizations are expected to conduct use-case-specific assessments that account for agentic-specific factors including autonomy level, access to sensitive data, reversibility of actions, and task complexity. The second covers making humans meaningfully accountable, which requires clear responsibility assignments across the agent lifecycle and oversight mechanisms capable of intercepting or overriding agent actions in real time. The third covers implementing technical controls throughout the agent lifecycle, including tool guardrails, least-privilege access, threat modelling, and unique agent identities tied to supervising users or agents for accountability. The fourth covers enabling end-user responsibility through disclosure and contestability mechanisms.
Regulatory track record: Singapore's AI governance frameworks have historically anticipated regulatory directions adopted by the EU and United States by twelve to eighteen months. The agentic focus of this framework is worth tracking closely given that HiddenLayer found one in eight reported AI breaches now involves agentic systems, and Palo Alto named Agentic Endpoint Security as a formal product category in Q2 2026. Compliance with the framework is voluntary, but organizations operating agents in Singapore markets remain legally accountable for agent behavior under existing law regardless of whether they follow it.
The Laws and Regulations
This is the point where the tone shifts, and it does so for a very real reason. Certifications tend to enter the picture when there is clear business incentive, and frameworks usually come into play once teams are ready to bring some order to how they think about risk. Laws move differently, and you can feel that difference almost immediately once they enter the conversation. They apply whether an organization feels ready or not, and once they apply, the consequences come from outside the company, which changes how seriously they are treated in a way that is hard to ignore once you’ve seen it play out.
EU AI Act (Updated: Omnibus May 2026)
EU Regulation (EU) 2024/1689 | Applies to Any Organization Serving EU Users
The EU AI Act is the most consequential AI law in force globally. It uses a risk-based classification system: systems posing unacceptable risk are banned; high-risk systems in eight defined domains face strict obligations; limited-risk systems carry transparency requirements; minimal-risk systems face no specific requirements. The eight high-risk domains include biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice.
The enforcement timeline has shifted following the Digital Omnibus provisional agreement reached on May 7, 2026. The August 2, 2026 conformity assessment deadline for Annex III standalone high-risk systems was deferred to December 2, 2027, because the harmonized technical standards required for conformity assessments are still being developed by the European standards bodies CEN and CENELEC. Annex I embedded systems were deferred to August 2, 2028. The political reasoning was straightforward: requiring organizations to assess against standards that do not yet exist is not enforceable compliance; it is administrative absurdity.
What the extension did not change: Article 50 transparency obligations — requiring disclosure to users when they are interacting with an AI system — are active from August 2, 2026 on the original schedule. GPAI model obligations under Article 53, which entered force in August 2025, were unchanged. Organizations that have been running GPAI models in production since 2025 have accumulated sessions that were either governed or were not. The extension moved a conformity assessment deadline; it did not retroactively cover the production activity that already occurred.
Non-compliance with the EU AI Act can result in fines of up to €35 million or seven percent of global annual turnover, whichever is higher. The law applies to any organization operating in EU markets regardless of where that organization is headquartered. US-based vendors deploying AI systems that affect EU residents are in scope.
GDPR — General Data Protection Regulation
EU Regulation — In Force Since 2018 | Applies to Any Organization Processing EU Resident Data
GDPR governs how personal data belonging to EU residents is collected, processed, stored, and transferred. Individuals have the right to access their data, restrict its processing, and request its deletion. Organizations must identify a legal basis for every processing activity, document those decisions, and be prepared to respond to rights requests across all the systems and vendors that have touched the data.
AI systems create additional GDPR pressure because data gets pulled into models, transformed during training, and used in ways that are difficult to trace after the fact. When a user exercises their deletion rights, the question of whether their data can be removed from trained model weights is one that most organizations have not fully resolved. That gap is where regulatory and procurement pressure tends to surface. Organizations using GDPR-covered data in AI training should have a documented position on this question before they need to produce one under examination.
DORA — Digital Operational Resilience Act (Effective 2025)
EU Regulation — Financial Sector | Applies from January 17, 2025
DORA applies to financial institutions operating in the EU and requires them to demonstrate digital operational resilience across information and communication technology risk management, incident classification and reporting, digital resilience testing, and third-party risk management. While DORA is not an AI-specific law, it directly affects how financial institutions manage AI systems because those systems are part of the ICT infrastructure DORA governs.
For AI vendors selling into EU financial services, DORA creates concrete obligations at the customer level that flow back through vendor contracts. Financial institutions must manage the operational resilience of their AI systems and can be held accountable for disruptions caused by third-party AI tools. Organizations in this space should expect DORA compliance requirements to appear in financial services procurement processes alongside EU AI Act and GDPR obligations.
SR 26-2 — Revised Model Risk Management Guidance (Replaced SR 11-7 — April 17, 2026)
US Banking Guidance — Fed, OCC, FDIC | Supersedes SR 11-7 — Issued April 17, 2026
On April 17, 2026, the Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC jointly issued SR 26-2, which supersedes SR 11-7 after fifteen years as the foundational model risk management guidance for US banking organizations. SR 26-2 is the new standard for how banking organizations identify, validate, monitor, and govern quantitative models used in credit decisions, regulatory reporting, capital calculations, stress testing, and related functions. Applicability is most relevant to banking organizations with over $30 billion in total assets.
The revision narrows the definition of "model" compared to SR 11-7, moves to a more principles-based and risk-proportionate approach, and explicitly carves out generative AI and agentic AI systems from its scope. The carveout language in Footnote 3 states directly that generative and agentic AI models are "novel and rapidly evolving" and therefore outside the scope of the guidance. This does not mean those systems are unregulated — SR 26-2 instructs institutions to apply their existing risk management and governance practices to any systems the guidance does not cover, and the agencies have signaled that a Request for Information on AI model risk, including generative and agentic systems, will follow.
What this means in practice: Traditional machine learning models, classifiers, and neural networks used for credit or fraud remain fully in scope under SR 26-2. When a generative AI or agentic layer interfaces with an underlying traditional model — for example, an LLM that feeds outputs into a credit-scoring model — the underlying traditional model remains fully subject to SR 26-2 validation requirements. Institutions building hybrid AI architectures should map which components are in scope and which are governed under the parallel framework the carveout requires them to build.
SR 26-2 is guidance, not enforceable law, but non-compliance surfaces during regulatory examinations and can drive supervisory action. For vendors selling AI infrastructure to banks, the practical implication is that products need to support model inventories, independent validation workflows, audit trails, and documentation outputs that match how regulators evaluate institutions. Institutions that have built programs around SR 11-7 should review their current model classification inventories under the new, narrower definition of "model" and adjust validation cadences from calendar-based to risk-proportionate scheduling.
Trump AI Executive Order — "Promoting Advanced Artificial Intelligence Innovation and Security"
US Federal Executive Order — Signed June 2, 2026
The Trump administration signed this executive order on June 2, 2026, making it the first direct US federal engagement with pre-deployment evaluation of frontier AI models since the Biden-era executive order was revoked in January 2025. The order is narrowly focused on cybersecurity and national security rather than the broad AI governance framework the Biden order attempted to establish.
Section 3 is the core. It directs the Treasury, the National Security Agency, and CISA to develop a classified benchmarking process within 60 days to assess the advanced cyber capabilities of AI models and determine the threshold at which a model qualifies as a "covered frontier model." The NSA director makes designation decisions, and the criteria remain classified. Alongside that benchmarking process, the agencies must build a voluntary framework through which developers can provide the federal government with access to covered frontier models for up to 30 days before releasing them to other trusted partners.
The order explicitly prohibits interpreting any of its language to authorize mandatory licensing, preclearance, or permitting requirements for model development or release. Participation in the pre-release review window is voluntary. Section 4 directs the Attorney General to prioritize prosecution of existing federal computer crime statutes against anyone using AI to unlawfully access systems, including anyone deploying AI agents for unauthorized data access. That direction creates no new crimes but signals that DOJ will treat AI-assisted computer fraud as an enforcement priority.
For Enterprise Teams
This order primarily affects frontier model developers. The 30-day voluntary window, if widely adopted, could extend the gap between a model finishing training and reaching commercial API availability for the most capable systems. The NSA-administered benchmarking process, even though voluntary, creates institutional pressure in enterprise boardrooms and changes the conversation around how AI capabilities are assessed before deployment. Organizations using frontier models in production should monitor how the voluntary framework develops and what early access structures emerge from the clearinghouse process.
California AI Laws (Multiple)
California State Law — Multiple Laws — Effective January 1, 2026
California has enacted more AI-specific legislation than any other US jurisdiction. Several laws took effect on January 1, 2026:
SB 53 — Transparency in Frontier AI Act: Requires developers of large frontier models — those trained using more than 10^26 floating-point operations — to publish risk frameworks, implement safety incident reporting, and establish whistleblower protections. Fines reach up to $1 million per violation. This law applies to the companies building the largest AI models, not to typical enterprise deployers, but its documentation requirements affect what transparency information providers must make available to deployers for their own governance programs.
AB 2013 — AI Training Data Transparency Act: Requires generative AI developers to disclose the categories of data used to train their systems. Covers publicly available systems and applies to developers rather than deployers.
SB 243 — Chatbot Disclosure Law: Requires chatbots to clearly disclose that they are AI before engaging with users and mandates specific safety protocols for chatbots interacting with minors.
AB 489 — Healthcare AI Disclosures: Requires AI tools used in patient-facing communications to disclose that they are AI and provide instructions for contacting a human.
CCPA ADMT Amendments: California finalized updated CCPA regulations effective January 1, 2026, requiring comprehensive privacy risk assessments before initiating processing activities that present a significant risk to consumer privacy — including using automated decision-making technology for significant decisions, profiling in HR and education contexts, and training AI systems on personal data. Organizations using AI in covered contexts must conduct these assessments by defined deadlines and submit annual certifications. Automated decision-making opt-out rights have been extended, and consumers must be able to contest profiling decisions with legal or similarly significant effects.
Colorado SB 26-189 — Automated Decision-Making Technology Law
Colorado State Law — Effective January 1, 2027 — Replaced SB 24-205
Colorado's original AI law, SB 24-205, was repealed and replaced by SB 26-189 in May 2026. The replacement law is structured differently from the original. Where SB 24-205 focused on a duty of care and impact assessment requirements that would have taken effect in 2026, SB 26-189 shifts to a disclosure and documentation framework centered on automated decision-making technology.
Under SB 26-189, effective January 1, 2027, developers of automated decision-making technology must provide deployers with technical documentation covering intended use, training data categories, and known limitations. Both developers and deployers must retain records for three years. Deployers must disclose to consumers when ADMT materially influences consequential decisions, provide plain-language explanations after adverse decisions, and enable human review. The Attorney General has exclusive enforcement authority with a 60-day cure period.
The law covers consequential decisions in employment, housing, education, healthcare, insurance, and legal services. Organizations deploying AI in any of those domains for Colorado consumers — which includes employees and job applicants who are Colorado residents — should treat January 1, 2027 as a hard compliance deadline requiring documentation and disclosure infrastructure to be in place beforehand.
Texas TRAIGA — Responsible AI Governance Act
Texas State Law — Effective January 1, 2026
Texas's Responsible AI Governance Act took effect on January 1, 2026. TRAIGA applies primarily to government AI use in Texas and prohibits AI systems designed to discriminate harmfully or to implement social scoring by government entities. It requires public disclosure of AI use by government agencies, mandates human oversight mechanisms for consequential AI decisions, and establishes an AI Council and a regulatory sandbox for responsible innovation. Enforcement sits with the Texas Attorney General and includes a 60-day cure period for first violations.
The first enforcement action under TRAIGA was brought within six months of the law taking effect. That speed was notable because the standard assumption in US enterprise compliance planning had been that new AI laws would take a year or more before active enforcement. The TRAIGA enforcement action disproved that assumption and changed how compliance teams should think about the enforcement timelines of recently enacted state AI laws across other jurisdictions.
Illinois HB 3773
Illinois State Law — Effective January 1, 2026
Illinois HB 3773, effective January 1, 2026, amends the Illinois Human Rights Act to make discriminatory AI-driven employment decisions a civil rights violation. Employers must provide notice to employees and candidates when AI is used in employment decisions. Individuals have the right to sue for violations, and the Illinois Department of Human Rights can investigate complaints and pursue administrative remedies. This law creates direct litigation risk for employers using AI in hiring, promotion, performance evaluation, and similar employment functions.
New York City Local Law 144 — AEDT Bias Audits
NYC Local Law — Active Since July 2023 — Enforcement Tightening in 2026
NYC Local Law 144 requires employers and employment agencies using automated employment decision tools in New York City hiring or promotion decisions to conduct annual independent bias audits, publish audit results publicly, and provide advance notice to candidates. The law has been in effect since July 2023, but a December 2025 audit by the New York State Comptroller found that the NYC Department of Consumer and Worker Protection had identified only one compliance issue out of 32 companies reviewed, while the Comptroller's team found 17 instances of potential non-compliance. The Comptroller issued 13 recommendations pushing DCWP toward proactive enforcement.
The enforcement posture is changing. Organizations that treated Local Law 144 as technically active but practically unenforced should revisit that assumption. The law applies to any employer using an AEDT for jobs performed in New York City, regardless of where the employer is headquartered, and liability sits with the employer rather than the AI vendor providing the tool.
New York RAISE Act — Responsible AI Safety and Education Act
New York State Law — Signed December 19, 2025 — Effective January 1, 2027
Governor Hochul signed the RAISE Act on December 19, 2025. It takes effect January 1, 2027 and applies to "large developers" of frontier models — defined as companies with annual revenue exceeding $500 million that have trained at least one frontier model above the 10^26 FLOP threshold. Large developers must establish comprehensive safety and security protocols, implement incident reporting procedures with 72-hour reporting timelines, and register with a new oversight office created within the New York Department of Financial Services. That office has rulemaking authority and will produce annual compliance reports beginning in January 2028.
The New York Attorney General enforces the RAISE Act and may impose civil penalties of up to $1 million for a first violation and up to $3 million for subsequent violations. There is no private right of action. Most companies fall below the large developer threshold, but the law's requirements ripple through vendor relationships and procurement practices across the AI supply chain as organizations seek to understand what their AI providers are required to disclose.
Utah Artificial Intelligence Policy Act
Utah State Law — In Force Since 2024
Utah's Artificial Intelligence Policy Act was among the first US consumer protection laws specifically addressing AI. It requires regulated professions to clearly disclose when generative AI is used in client-facing interactions, prohibits companies from attributing misstatements to AI tools as a defense, and establishes an AI Lab regulatory sandbox for responsible innovation. Enforcement is through the Utah Division of Consumer Protection, which may impose fines for non-compliance.
Nevada and Montana Synthetic Media Laws
State Laws — In Force 2025
Nevada enacted a synthetic media disclosure law requiring AI-generated political advertisements to clearly disclose that they contain synthetic content. Montana passed a right-of-publicity law prohibiting the unauthorized use of a person's likeness in AI-generated content. Both laws took effect in 2025 and protect individuals from AI-driven deception in political and commercial contexts.
Illinois BIPA — Biometric Information Privacy Act
Illinois State Law — Established 2008
BIPA is not an AI-specific law, but it creates significant compliance obligations for AI systems that involve biometric data, including facial recognition, voiceprint analysis, retina scanning, and fingerprint data. Organizations must obtain informed written consent before collecting biometric identifiers, provide specific disclosures about retention and destruction schedules, and cannot sell or profit from biometric data. Individuals can sue directly for violations, and statutory damages are substantial — $1,000 to $5,000 per violation — which has produced significant class action litigation.
For AI systems incorporating biometric data in any form, BIPA creates one of the most demanding compliance requirements in the United States. Healthcare, retail, security, and HR applications that use facial recognition or voice analysis should have specific BIPA compliance analysis conducted before deployment if they serve any Illinois users or employees.
South Korea Basic AI Act
South Korean National Law — Entered Into Force January 2026
South Korea's Basic AI Act entered into force in January 2026, making South Korea one of the few major economies to have binding national AI legislation in place. The law establishes a framework for classifying and governing AI systems, requires safety measures for high-impact AI, and creates government oversight infrastructure for AI governance. For multinational organizations operating in South Korean markets, this law adds another jurisdiction-specific compliance layer that must be tracked alongside EU and US requirements.
Vietnam AI Law — Law on Artificial Intelligence
Vietnamese National Law — Law 134/2025/QH15 — Effective March 1, 2026
Vietnam passed its Law on Artificial Intelligence in December 2025, with an effective date of March 1, 2026. The law applies to domestic and foreign entities developing, providing, or using AI systems in Vietnam and introduces a risk-based classification into high, medium, and low risk tiers. High-risk AI systems are subject to periodic audits and local presence requirements. Prohibited acts include using AI to forge representations of persons or events, violating data or intellectual property laws through AI, and using AI to incite violence or discrimination. AI-generated content must carry machine-readable markings identifying it as AI-generated.
Vietnam's law is significant because it demonstrates that serious AI regulation is expanding beyond North America and Europe. Organizations with operations in Southeast Asia should be monitoring similar legislative processes underway in Indonesia, Thailand, and other ASEAN member states.
CCPA / CPRA with ADMT Amendments
California State Law — ADMT Regulations Effective January 1, 2026
California's Consumer Privacy Act, strengthened by the California Privacy Rights Act, has been updated with regulations covering automated decision-making technology. The 2026 amendments require privacy risk assessments before initiating processing that presents significant risk to consumer privacy, including selling personal data, processing sensitive data, using AI for consequential decisions, and training AI on personal data or biometric technology. The opt-out right for consumers has been extended to cover any automated decision producing legal or similarly significant effects. A new "right to contest" profiling decisions has been added alongside the existing opt-out rights.
For organizations that collected personal data before 2026 and used it to train AI systems, the new rules require a retroactive assessment completed by December 31, 2027, with a senior executive attestation and summary due April 1, 2028. Annual submissions are required thereafter. Organizations subject to new cybersecurity audit requirements based on revenue and data-volume thresholds will have phased first certification deadlines between 2028 and 2030.
Which Certifications and Platforms Does Your Business Actually Need
Before getting into specific profiles, it is worth pausing on one assumption that quietly throws many teams off track: that these certifications and platforms are reserved for a certain type of company, or for teams that consider themselves advanced or forward-leaning. In reality, almost every company that builds software, touches customer data, processes transactions, or sells into enterprise environments is already operating inside a compliance conversation, whether it acknowledges that or not. What changes is which obligations apply, how urgent they are, and which tools are actually built to address that pressure. When that alignment drifts even slightly, the result can look convincing on the surface, polished enough to pass a quick review, while the real exposure continues underneath until someone external asks a harder question.
The SaaS Startup Trying to Close Enterprise Deals
This situation shows up earlier than most founders expect, and when it does, it carries a kind of frustration that is difficult to articulate at first. The product works, conversations are moving, interest is there, and then something shifts. Momentum slows, deals stretch out, and nobody gives a clean explanation for why. That is usually the moment where procurement steps in and starts asking for documentation that simply does not exist yet in a form they trust.
SOC 2 Type 2 becomes the immediate focus here because it gives buyers something familiar to evaluate. It shows how controls behave over time, not just how they are described in theory. As companies begin looking outward toward international markets, ISO 27001 starts to surface more often, especially in environments where it is treated as an expected baseline rather than something optional.
When it comes to execution, Vanta and Delve tend to come up in the same conversation, and for good reason. Vanta brings a longer track record, a wide integration layer, and a Trust Center feature that lets teams share live compliance posture during active deals, which can ease some of the tension that shows up in security reviews. Delve approaches the same goal from a different angle, usually moving faster, keeping the footprint lighter, and fitting teams that do not need that level of integration complexity right away. Both get you to SOC 2, though the path can feel very different depending on how your environment is set up and how much visibility your buyers expect during the process.
Choose Vanta if:
You need the Trust Center to share live compliance status with enterprise prospects
Your environment has complex infrastructure requiring deep integration coverage
You want the most established platform with the longest vendor track record
Choose Delve if:
You need to get to SOC 2 quickly without a heavy implementation cycle
Your stack is relatively lean and does not require extensive integrations yet
You prefer a lighter operational setup that still gets the job done
This pattern shows up across industries. It is not tied to one category of company. When the report is missing, the signal rarely comes as a direct no. It comes as silence, delay, and a slow loss of momentum that becomes harder to recover from the longer it sits.
The Bank or Financial Institution Deploying Machine Learning Models
In financial services, the pressure carries a different tone. It comes not just from customers but from regulators, and that changes how seriously it is taken from the beginning. Institutions working in credit, fraud, underwriting, or risk are expected to align with SR 11-7 (superseded in April 2026 by SR 26-2, covered above), which stretches across the entire lifecycle of a model.
That lifecycle naturally splits into two phases, and once you see that split clearly, everything else starts to make more sense. Before deployment, the work centers around documentation, validation, and producing evidence that can stand up during examination. After deployment, the focus shifts toward monitoring behavior in real conditions, maintaining records that prove oversight is continuous, and catching drift before it becomes a larger issue.
ValidMind and Monitaur map cleanly to those phases. ValidMind supports the earlier stage by structuring how models are documented and validated so that the output holds up under review. Monitaur supports the later stage by tracking models in production, maintaining governance records, and surfacing changes that need attention. For institutions building this capability from scratch, starting with ValidMind tends to create a stable foundation, with Monitaur layered in once systems are live and oversight becomes ongoing.
Start with ValidMind when:
You are building SR 11-7 (now SR 26-2) model risk management compliance infrastructure from scratch
Models are still in development or pre-deployment
Regulators are asking for validation evidence you cannot yet produce
Add Monitaur when:
Models are already live and need continuous oversight
You need a running governance record instead of a point-in-time review
Your team needs visibility when behavior starts to drift
ValidMind stays closely tied to financial services expectations, while Monitaur extends into other regulated industries where similar pressures exist, which makes its role a bit broader in practice.
What Most Organizations Should Focus on in 2026
The volume of certifications, frameworks, and laws covered in this guide can look overwhelming when considered together. It is not, in practice, because most organizations face a specific subset of these requirements based on their geography, industry, customer base, and product type. The list below reflects the starting points most commonly relevant in 2026, not a ranking of importance across all organizations.
| Organization Type | Starting Priority | Next Step |
|---|---|---|
| SaaS company selling to US enterprise customers | SOC 2 Type 2 | ISO 27001 for international expansion |
| AI vendor or product team with EU market exposure | GDPR documentation + EU AI Act classification | ISO 42001 for structured AI governance |
| Bank or financial institution deploying ML models | SR 26-2 model inventory + validation program | Parallel GenAI governance framework for systems outside SR 26-2 scope |
| Healthcare vendor or covered entity | HIPAA documentation + business associate agreements | SOC 2 for enterprise procurement |
| Employer using AI in hiring decisions, any size | NYC LL 144 if any NYC hiring. Illinois HB 3773 for Illinois employees. | Colorado SB 26-189 documentation readiness before January 2027 |
| Developer of large frontier AI models | California SB 53 risk framework + incident reporting infrastructure | NY RAISE Act registration infrastructure (effective January 2027) |
| Organization deploying AI agents in production | Singapore IMDA Agentic Framework as operational reference | AISPM program for continuous security posture monitoring |
| Any organization with no compliance program yet | Identify which laws apply by geography and use case | SOC 2 if selling to US enterprise. GDPR assessment if EU users exist. |
A few principles apply across all of these starting points. Use NIST AI RMF as the organizational framework for thinking through AI risk regardless of what certifications or laws are in play — it is the most widely referenced voluntary standard and aligns with state-level requirements better than any other option. Do not conflate achieving a certification with solving the underlying problem. SOC 2 Type 2 tells buyers your controls worked over a period of months; it does not tell them anything about how your AI systems are governed post-deployment, which is where most of the 2026 regulatory pressure is focused. Organizations that treat compliance as an ongoing capability built into how AI systems are developed and operated will be in a significantly better position than those building audit packages after systems are already live.
Updated June 2026. This guide will be updated as new laws take effect and regulatory guidance develops.
The Company Selling AI Products Into European Markets
This profile tends to catch teams off guard because it is defined by usage, not location. The moment a product is used by customers in the European Union, obligations begin to apply, and they do not wait for internal readiness or planning cycles.
GDPR sets the baseline, shaping how data is collected, processed, and eventually removed. Beyond that, companies need to understand how their systems are classified under the EU AI Act, because that classification determines what expectations follow. ISO 42001 is starting to appear more often in enterprise conversations, while ISO 27001 continues to anchor security expectations across the region.
From a tooling perspective, Vanta and Delve support ISO 27001 and help structure GDPR-aligned controls. The more difficult part, and the one that still feels unresolved for many teams, is classification under the EU AI Act. Most organizations still rely on advisory support for that work, which introduces interpretation that technology alone has not replaced. In practical terms, the next move is not selecting another tool. It is engaging legal or regulatory expertise to formally document classification decisions, because that document becomes the reference point everything else builds on.
If your product is used by EU customers you need to address:
GDPR compliance as a baseline requirement
EU AI Act classification before applicable deadlines
ISO 27001 as a standard expectation in procurement
ISO 42001 where buyers expect structured governance
Legal or regulatory advisory support to document decisions properly
The Healthcare Organization or Vendor Touching Patient Data
Healthcare creates a boundary that is difficult to ignore. Once protected health information is involved, HIPAA requirements apply, and that changes how every decision is evaluated.
If a vendor is not compliant, the impact is immediate. Deals stop moving. Existing relationships come under review. In some cases, the healthcare organization itself carries risk simply by continuing to engage. There is very little room to work around that reality.
HIPAA becomes the central requirement, shaping vendor selection and system evaluation. On top of that, SOC 2 often appears as part of enterprise review, and ISO 27001 becomes relevant when operations extend beyond domestic markets.
Vanta and Delve both support HIPAA workflows alongside SOC 2 by automating evidence collection and monitoring controls over time. They are not built exclusively for healthcare, though they provide enough structure for organizations to manage compliance in a way that can be reviewed and trusted.
The Regulated Enterprise Managing High Volumes of Compliance Documents
In this case, the problem shows up in the day-to-day flow of work rather than in preparation for a certification. Documents, policies, and communications need to align with regulations before they leave the organization, and that responsibility sits with people who are often already stretched thin.
Norm AI addresses this by translating regulatory text into logic that can be applied directly within document workflows. When embedded into environments like Microsoft 365, review happens at the point of creation, which shifts compliance from something reactive into something built into how work is done.
The people who feel this most are compliance officers, legal leads, and regulatory teams who carry the responsibility of approving what leaves the organization. Their day is filled with constant review, revisions, and the quiet awareness that something missed here does not stay contained. When that process becomes structured earlier, the change is noticeable, not just in speed, but in confidence.
Organizations here may still pursue SOC 2 or ISO 27001, though those do not solve the document level problem. Norm AI focuses directly on that gap.
The Company With No Compliance Program Trying to Figure Out Where to Start
For companies that have been moving quickly, the challenge is not whether to engage with compliance; it is figuring out where to begin without losing momentum.
The starting point usually comes from identifying what is creating pressure right now. If deals are slowing, SOC 2 is often the first move. If EU data is involved, GDPR obligations are already active, which means starting with data mapping. If models are in use in financial services, SR 11-7 expectations (now carried forward under SR 26-2) are already in play.
For many early-stage teams, SOC 2 through Vanta or Delve becomes the first step that unlocks movement. From there, ISO 27001 supports expansion, followed by more specialized requirements as the company grows.
The Large Enterprise or Multinational Managing Hundreds of AI Systems
At a certain scale, something shifts, and you can feel it. The focus moves away from individual systems and settles into something broader, where hundreds of systems operate across teams, regions, and regulatory environments at the same time.
The pressure here does not come from a missing document. It comes from the difficulty of maintaining a consistent view across everything already in motion. Policies need to apply across different teams, records need to stay coherent, and oversight needs to be visible when it is questioned. Without that structure, organizations end up piecing together fragments under pressure, which is where things start to break down.
This is where ModelOp fits. It does not replace earlier tools; it connects them. It creates a central system of record, manages lifecycle activity, tracks performance continuously, and enforces policy without relying on manual coordination across teams.
What ModelOp provides at the enterprise scale:
Centralized system of record across models, applications, and third-party systems
Lifecycle management from intake through retirement
Continuous monitoring for drift and anomalies across the portfolio
Policy enforcement through structured workflows
Alignment with multiple regulatory frameworks across regions
Recognition in major industry market guidance
For organizations earlier in their journey, this level of structure can feel unnecessary. Yet as the number of systems grows, the challenge becomes coordination, not capability. That is where this layer becomes necessary.
Sources
All statistics and regulatory claims in this article are linked to their primary source documents. Vendor blog posts are not used as primary sources for regulatory or market claims.
Certifications and Standards
AICPA — SOC 2 Overview — American Institute of CPAs, official SOC 2 documentation
ISO — ISO/IEC 27001 Information Security Management — ISO official standard page
ISO — ISO/IEC 42001 AI Management Systems — ISO official standard page
BSI Group — ISO 42006 Explainer — Requirements for AI management system auditors
EC-Council — CRAGE Certification — Certified Responsible AI Governance & Ethics credential
IAPP — AIGP Certification — AI Governance Professional credential
HHS — HIPAA for Professionals — Official HHS HIPAA documentation
PCI Security Standards Council — PCI DSS Document Library — Official PCI DSS standards
FedRAMP — Program Basics — Federal Risk and Authorization Management Program
NIST Frameworks
NIST — AI Risk Management Framework (AI RMF 1.0) — January 2023, foundational document
NIST — Generative AI Profile (NIST-AI-600-1) — Cross-sector GenAI risk management guidance, updated April 2026
NIST — Cyber AI Profile Draft (NIST IR 8596) — Preliminary draft, December 2025
NIST — Cybersecurity Framework 2.0 — Official NIST CSF page
ISO Standards — Frameworks
ISO — ISO/IEC 23894 AI Risk Management — International AI risk management guidance
ISO — ISO/IEC 42005 AI Impact Assessment — Published May 2025, AI system impact assessment guidance
Other Frameworks
OECD — AI Principles (Official) — OECD.ai, official principles page
MIT AI Risk Initiative — AI TRiSM Framework Description — Trust, Risk and Security Management framework
AI Verify Foundation — AI Verify Testing Framework — Official AI Verify documentation
Concentric AI — AISPM Definition and Practice — November 2025, AISPM framework guide
Singapore IMDA Agentic AI Framework
IMDA — Model AI Governance Framework for Agentic AI — Press Release — January 22, 2026, launch at World Economic Forum
IMDA — Full Agentic AI Governance Framework Document — Full text of the framework
IMDA — Updated Model AI Governance Framework for Agentic AI — May 20, 2026, updated version
Bird & Bird — Singapore Agentic AI Framework Analysis — January 23, 2026, legal analysis of framework dimensions
Baker McKenzie — Singapore Agentic AI Framework: Practical Implications — January 29, 2026
EU AI Act and GDPR
EUR-Lex — EU AI Act Full Text (Regulation EU 2024/1689) — Official EU legislative text
Hogan Lovells — EU AI Act Digital Omnibus Analysis — May 2026, Annex III deferral details
Gibson Dunn — EU AI Act Omnibus: Key Changes — May 2026, cross-verification of Omnibus timeline
GDPR.eu — GDPR Official Text Reference — Full regulation text and recitals
DORA
EUR-Lex — DORA Full Text (Regulation EU 2022/2554) — Digital Operational Resilience Act official text
SR 26-2 (Revised Model Risk Management Guidance)
Federal Reserve — SR 26-2 Official Supervisory Letter — April 17, 2026, official Federal Reserve document
Federal Reserve — SR 26-2 Attachment: Supervisory Guidance on Model Risk Management — Full guidance text, April 17, 2026
Sullivan & Cromwell — SR 26-2 Legal Analysis — April 29, 2026, detailed breakdown of key changes from SR 11-7
ValidMind — SR 26-2: What Every Bank Needs to Know — April 30, 2026, practical implementation analysis
Cutover — SR 26-2 and Agentic AI: The Governance Gap — April 28, 2026, analysis of GenAI carveout implications
Trump AI Executive Order (June 2, 2026)
White House — Executive Order: Promoting Advanced Artificial Intelligence Innovation and Security — June 2, 2026, official text
Wiley Law — New AI Executive Order Analysis — June 2026, Section 3 framework breakdown
Freshfields — Trump AI Executive Order: Voluntary Framework Analysis — June 2026, 30-day window and NSA benchmark implications
A&O Shearman — Trump AI Executive Order: Full Summary — June 2026
California AI Laws
California Legislature — SB 53: Transparency in Frontier AI Act — Official bill text
California Legislature — AB 2013: AI Training Data Transparency Act — Official bill text
O'Melveny — 2026 Data Security and Privacy Compliance: CCPA ADMT Amendments — April 2026, detailed ADMT amendment analysis
Colorado AI Law
Colorado Legislature — SB 26-189 Official Text — Automated Decision-Making Technology law replacing SB 24-205
VerifyWise — US AI Regulations 2026: State-by-State Analysis — Includes Colorado SB 26-189 replacement analysis
Texas, Illinois, Utah, Nevada, Montana
King & Spalding — New State AI Laws Effective January 1, 2026 — January 2026, TRAIGA, California, Illinois analysis
Utah Legislature — SB 149: Utah Artificial Intelligence Policy Act — Official bill text
New York AI Laws
AI Laws by State — New York AI Laws 2026: Complete Guide — NYC LL 144, RAISE Act, and NYDFS guidance
Stack Cyber — New York RAISE Act & Local Law 144 Compliance Guide — January 28, 2026, detailed RAISE Act threshold analysis
Recording Law — New York AI Laws and Regulation 2026 — Comptroller audit findings and LL 144 enforcement developments
South Korea and Vietnam
Drata — AI Regulations: State and Federal AI Laws 2026 — Includes South Korea Basic AI Act and international developments
Wiz — AI Compliance in 2026: Standards, Frameworks, and Global Regulations — Vietnam AI Law and global expansion context
GAIG Internal References
GetAIGovernance — The State of AI Governance H1 2026 — June 9, 2026, $492M market report covering regulatory stack and enforcement events
GetAIGovernance — Workday AI Hiring Lawsuit Analysis — Accountability gap in AI monitoring and governance
GetAIGovernance — Best AI Compliance Platforms 2026 — Platform evaluation for EU AI Act, SR 26-2, and NIST AI RMF
Our Take
There is a moment, and it rarely shows up during planning, when this entire conversation stops feeling theoretical and starts feeling uncomfortably real. It tends to arrive from the outside, without much warning, and it forces a level of clarity that internal discussions often avoid. A deal that everyone expected to close begins to stall in a way that is hard to explain. A regulator asks for documentation that exists in fragments but not in a form that can actually be used. A partner raises a question that sounds simple at first, yet the answer exposes gaps that no one had fully acknowledged. That is usually the point where teams realize, sometimes all at once, that they have been solving for something adjacent to the real problem rather than the problem itself.
What becomes obvious, especially when you look across different industries and different stages of growth, is how often organizations confuse activity with alignment. Work is happening constantly, and it looks productive from the inside. Certifications are being pursued, platforms are being implemented, updates are being shared, and there is a general sense that things are moving forward. Yet when pressure is applied from the outside, the response does not hold together in the way it needs to, and that is where confidence starts to erode. It is not because nothing was done; it is because what was done was not anchored to the pressure that actually mattered.
The companies that navigate this well tend to operate with a different kind of discipline, and it is not about doing more work. If anything, they are often doing less, though what they choose to focus on carries far more weight. They start from the constraint directly in front of them, even when it feels uncomfortable or inconvenient, instead of defaulting to what appears standard or widely accepted. They pay close attention to who is asking the question, what is driving that question, and why it is being asked at that specific moment. That awareness shapes decisions in a way that compounds over time, gradually building something that does not just look complete, but actually holds up when examined.
There is also a shift that becomes more visible as organizations grow, and it tends to happen quietly. Early on, compliance is treated as a hurdle, something that needs to be cleared so that progress can continue without interruption. Later, often after a few difficult moments, it starts to become part of how progress itself is defined. The organizations that recognize that shift earlier tend to move with less friction, not because the work becomes easier, but because they stop separating compliance from the rest of their decisions. It becomes embedded in how things are built, how partnerships are evaluated, and how risk is understood before it surfaces.
If there is one idea worth holding onto, it is that clarity tends to come from pressure, not from the number of options available. There will always be more certifications, more frameworks, more platforms, and more ways to approach the problem than any one team can realistically evaluate. What actually matters is understanding which decision changes the outcome of what is directly in front of you. Once that becomes clear, the path forward begins to narrow in a way that feels far less chaotic, and over time, far more controlled.