In 2025, AI regulation is a patchwork of national laws, voluntary standards, and international guidelines. The EU has passed a binding law, but most countries, including the U.S., have not. Many organizations follow frameworks such as NIST and ISO to help manage AI risk, ethics, and oversight.

The pace of change remains a significant challenge. Most companies now track both formal regulations (“hard law”) and voluntary frameworks (“soft law”), which may not be legally binding but often shape industry expectations. These include standards used in audits, vendor assessments, and procurement decisions.

As Bartot puts it: “There are people on both sides of the political spectrum issuing dire warnings about AI, but there’s no unified regulatory framework. Under the Biden administration, there was some momentum towards safety, guidelines, and standards. Now, it’s the Wild West.”

He adds: “Meanwhile, AI is being used everywhere, oftentimes surreptitiously by individuals who recognize its great (but still imperfect) utility. It’s a bottom-up adoption, not a top-down rollout where businesses and institutions set rules before the technology reaches the public.”

Because the legal landscape is still shifting, many GRC teams are choosing to align with the most established and demanding standards now, so they’re ready when voluntary guidelines become enforceable.

Here’s a summary of the major regulations and industry standards affecting AI GRC:

• United States (Federal)
  • AI-specific laws:
    • As of May 2025, the United States has not enacted a comprehensive federal law regulating private-sector AI development or deployment.
    • In January 2025, the Trump administration signed an executive order that reversed a Biden-era directive directing federal agencies to implement safeguards for AI use.
      
      
  • Existing Data and Cybersecurity Laws
    Other regulatory frameworks like NIST 800-53, NIST 800-171, and the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC)  aren’t AI-specific but teams often apply them to AI systems because they cover data privacy and security, cybersecurity, and risk management.
    
    
  • NIST AI Risk Management Framework (AI RMF)
    • The National Institute of Science and Technology is a federal agency that regulates technology and cybersecurity standards. Many NIST standards often become international guidelines.
    • Released in 2023, the NIST AI RMF provides voluntary guidance across four pillars: “Govern, Map, Measure, and Manage.” While it’s technically a voluntary framework, it has become a de facto standard for organizations building AI systems, especially in regulated industries or those involved in federal contracting.
      
      
• European Union
  • The Artificial Intelligence Act  (2024)
    • In 2024, the EU introduced the “Artificial Intelligence Act.” The EU AI Act is the world’s first comprehensive, legally binding law regulating the use of AI.
    • The Act bans certain high-risk applications, such as manipulative AI systems and public facial recognition, and imposes strict controls on others. For example, companies offering AI products in the EU must register their models, implement robust data governance, and provide transparency to users.
    • The EU is phasing in compliance over a two-year period and expects organizations to be fully compliant around 2026.
      
      

• Canada

• • Canada drafted the “Artificial Intelligence and Data Act,” but the legislation did not pass parliament as of early 2025.
    
    

• China

• • Interim Measures for Generative AI (2023)

• • • In 2023, China issued the “Interim Measures for Management of Generative AI Services.” Anyone using AI in China must conduct regular security assessments, register their algorithms, and explicitly tell users when they’re using AI-generated content. 
      
      

• International and Voluntary Frameworks

• • OECD AI Principles

• • • The Organization for Economic Cooperation and Development (OECD) is a forum comprising 38 member countries that collaborate to develop policies that promote sustainable global economic growth.

• • • In 2019, the OECD adopted AI principles that major economies, like the US, the EU, and the UK, endorsed. The OECD AI principles were the first intergovernmental standard on AI, and influenced many subsequent standards and guidelines. The standards promote fairness, transparency, accountability, and human-centric AI use.
      
      

• • NIST AI Risk Management Framework (RMF)
    • See U.S. section above. Many global organizations adopt the NIST framework to create unified AI governance practices across jurisdictions.
      
      
  • ISO/IEC AI Standards
    • The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are global standard-setting bodies that create technical and management standards across industries. They often create joint management frameworks for technology and management systems.
    • In late 2023, the ISO and IEC released “ISO/IEC 42001:2023.”
      This framework is modeled after ISO 9001 (quality management) and ISO 27001 (information security). It outlines how organizations should structure policies, assign responsibilities, monitor risks, and ensure lifecycle accountability for AI systems. Organizations can certify against this standard to demonstrate responsible AI oversight.
    • ISO/IEC 23894:2023 offers practical guidance for identifying, analyzing, and mitigating AI-specific risks. It builds on ISO 31000 (general risk management) and tailors it to AI’s unique challenges, such as algorithmic bias, lack of transparency, and data drift.
    • Though voluntary, ISO standards carry weight in procurement processes, third-party audits, and regulatory alignment. Many multinational organizations treat ISO conformance as evidence of due diligence, and some regulators refer to these standards as best practices in evaluating AI risk governance.