The Standards Landscape Explained
Depth · Core
Good for: Leaders · Operators · Insurance
There is no single AI rulebook. What exists is a patchwork of two different kinds of instrument: voluntary standards and frameworks you choose to adopt, and binding regulations you must obey where they apply. The difference matters. A standard such as ISO/IEC 42001 is something you opt into and can be certified against; a regulation such as the EU AI Act applies whether you opt in or not, with penalties attached. The practical task is not to memorize all of them but to know which actually bite where you operate, and how they line up.
That patchwork is exactly what an assurance program has to satisfy and what insurance underwriting maps to, which is why it sits in the Learn section rather than buried in a directory. This page explains the major instruments; the Landscape maps the full set by region.
The certifiable standard: ISO/IEC 42001
Published in December 2023, ISO/IEC 42001 is the first certifiable international standard for managing AI. It specifies an AI management system (the organizational machinery for governing AI across its lifecycle) in the same way ISO 27001 specifies one for information security. Because it can be independently audited and certified, it is on a path to become for AI what SOC 2 is for security: the credential a buyer or regulator asks for as shorthand for “this organization governs its AI properly.” Early certified organizations include IBM, Anthropic, Microsoft, KPMG, and Changi Airport. For most organizations, this is the natural anchor for an assurance program.
The dominant framework: NIST AI RMF
The NIST AI Risk Management Framework, released in the United States in 2023, is voluntary but widely used as the shared vocabulary for AI risk. Its four functions (govern, map, measure, and manage) give teams a common language, and a Generative AI Profile added in 2024 extended it to generative systems. It is increasingly referenced in US federal procurement and state-level rulemaking, so while it carries no penalties of its own, adopting it is fast becoming a practical expectation.
The binding regulation: the EU AI Act
The EU AI Act is the world’s first binding, horizontal AI law, in force since August 2024 and applying in stages by risk level. Its early milestones have already landed: prohibited practices and AI literacy obligations from February 2025, and obligations for general-purpose AI models from August 2025.
The later and more demanding milestones, however, have moved. A 2025 to 2026 reform package known as the Digital Omnibus deferred them: the Article 50 transparency rules (including watermarking of synthetic content) to December 2026, the high-risk obligations for Annex III stand-alone systems to December 2027, and the high-risk obligations for AI in regulated products to August 2028. As of late June 2026, these revised dates had been agreed by the European Parliament and were awaiting formal adoption and publication in the Official Journal.
Editor’s note: EU AI Act dates verified 27 June 2026. The Digital Omnibus revisions were approved by the European Parliament on 16 June 2026 and await formal adoption and Official Journal publication, expected in July 2026. Treat the deferred dates as agreed but not yet final.
The gap: the withdrawn AI Liability Directive
Alongside the Act, the EU had proposed an AI Liability Directive that would have eased the burden of proving causation when a high-risk AI system caused harm, through a rebuttable presumption of causation. The Commission withdrew that proposal in October 2025, and no replacement has been tabled. The practical effect is that, even as the EU regulates how AI may be built and deployed, the question of who is liable when it causes harm remains governed by existing national law rather than a harmonized AI-specific regime.
The regional patchwork
Outside the EU, most jurisdictions have so far preferred guidance and frameworks to binding AI statutes.
- United Kingdom. A principles-led, regulator-by-regulator “pro-innovation” approach rather than a single AI Act. There is no binding AI law as of mid-2026; in October 2025 the government published a regulation “Blueprint” centered on an AI Growth Lab sandbox.
- Singapore. AI Verify, a voluntary governance testing framework and open-source toolkit combining technical tests and process checks, widely used by vendors selling across ASEAN.
- Australia. The National AI Centre’s Guidance for AI Adoption, released in October 2025 with six essential practices (the “AI6”), updating the earlier Voluntary AI Safety Standard. The 2024 mandatory-guardrails proposal was not legislated; the December 2025 National AI Plan relies on existing law plus voluntary guidance and a new AI Safety Institute.
- Australia, prudential. APRA’s CPS 230 operational risk standard, effective 1 July 2025, does not name AI but captures it as operational and material service-provider risk, which is already driving internal demand for AI controls at Australian banks and insurers.
- New Zealand. The Privacy Act 2020 governs AI that handles personal data, the voluntary Algorithm Charter covers public-sector use, and the national AI strategy “Investing with Confidence” (July 2025) sets an adoption-focused, principles-based direction with no new prescriptive regime.
At a glance
| Instrument | Type | Where | Status |
|---|---|---|---|
| ISO/IEC 42001 | Certifiable standard | Global | Published Dec 2023 |
| NIST AI RMF | Voluntary framework | US | Active; GenAI Profile 2024 |
| EU AI Act | Binding regulation | EU | In force; later dates deferred to 2026 to 2028 |
| EU AI Liability Directive | Proposed regulation | EU | Withdrawn Oct 2025 |
| UK approach | Non-statutory guidance | UK | Active; no binding Act |
| AI Verify | Voluntary framework | Singapore | Active |
| Guidance for AI Adoption (AI6) | Voluntary guidance | Australia | Released Oct 2025 |
| APRA CPS 230 | Binding prudential standard | Australia | Effective 1 Jul 2025 |
| NZ AI Strategy | Non-prescriptive strategy | New Zealand | Released Jul 2025 |
How to use them
The instruments are not alternatives to choose between; they layer. A workable approach for most organizations is to anchor on ISO/IEC 42001 because it is certifiable and globally recognized, use the NIST AI RMF for shared vocabulary and structure, and then, for each market you operate in, add the binding rule that applies: the EU AI Act in Europe, APRA CPS 230 for Australian prudential entities, and so on. Doing that well is also what makes the underlying AI systems insurable: the same evidence that demonstrates compliance is what underwriters increasingly want to see.
Standards and regulation set the baseline that the rest of this reference builds on. The controls that satisfy them are covered in What Is AI Assurance?, the cover that sits on top in What Is AI Insurance?, and the way regulatory exposure fits the broader picture in The AI Risk Stack.
Common questions
Is there a single AI standard or law to follow? No. AI governance is a patchwork of voluntary standards and frameworks you can adopt, such as ISO/IEC 42001 and the NIST AI RMF, and binding regulations you must obey where they apply, most notably the EU AI Act. The practical task is knowing which actually bite where you operate and how they line up.
What is the difference between a standard and a regulation here? A standard or framework is voluntary: you adopt it to organize and demonstrate good practice, and some, like ISO/IEC 42001, can be independently certified. A regulation is binding law that applies whether or not you opt in, with penalties for non-compliance. The EU AI Act is the leading example of binding AI regulation.
When does the EU AI Act take effect? It entered into force in August 2024 and applies in stages. Prohibited practices applied from February 2025 and general-purpose AI obligations from August 2025. The 2025 to 2026 Digital Omnibus deferred the later milestones: transparency rules to December 2026, high-risk Annex III systems to December 2027, and high-risk AI in regulated products to August 2028. As of late June 2026 these revised dates were agreed by the European Parliament and awaiting Official Journal publication.
Which standard should I anchor an assurance program on? For most organizations, ISO/IEC 42001 is the natural anchor because it is certifiable and internationally recognized, with the NIST AI RMF providing shared vocabulary. If you operate in the EU or sell into it, map those controls to the EU AI Act’s binding requirements, and add the relevant regional rules for the markets you serve.
Primary sources
- ISO/IEC 42001, AI Management System Standard
- AI Risk Management Framework
- Regulatory framework for AI (EU AI Act)
- AI Act, delayed application (Digital Omnibus, Parliament vote)
- AI Liability Directive (withdrawn)
- What is AI Verify
- Voluntary AI Safety Standard and Guidance for AI Adoption
- Prudential Standard CPS 230, Operational Risk Management
- Algorithm Charter for Aotearoa New Zealand