NIST AI RMF — the de facto standard
Voluntary, but expected of federal contractors and mapped into sector frameworks (e.g. Treasury's control set for finance).
ISO/IEC 42001 by region
There is no single federal AI law. US organisations navigate the voluntary NIST AI RMF as the de facto standard, a fast-moving patchwork of state laws, FTC enforcement against overstated AI claims, and procurement demands. ISO/IEC 42001 is the certifiable international layer that maps to NIST and travels across every state.
The regulatory landscape
As of 2026 there is no comprehensive federal AI statute. Federal policy leans on the voluntary NIST AI Risk Management Framework — now the de facto operational standard, and mapped into federal-contractor and Treasury financial-services expectations — while states legislate separately. California (SB 53, AB 2013, SB 942, from January 2026), Texas (TRAIGA), Colorado's new automated-decision law (from January 2027, after the original AI Act was repealed), New York City's Local Law 144 and Utah all impose overlapping duties. The FTC pursues "AI-washing" under Section 5 regardless of administration.
What's driving it
Voluntary, but expected of federal contractors and mapped into sector frameworks (e.g. Treasury's control set for finance).
California, Texas, Colorado (automated-decision law, 2027), Illinois, NYC Local Law 144 and Utah — different rules, overlapping obligations.
"AI-washing" and unsubstantiated AI claims are pursued under Section 5 authority.
Buyers and agencies increasingly require demonstrable, documented AI governance.
How ISO/IEC 42001 fits
ISO/IEC 42001's management system operationalises NIST's govern–map–measure–manage functions with auditable, repeatable evidence.
A single AIMS covers overlapping state duties — consumer notices, human review, documentation — instead of a per-state scramble.
Documented validation and monitoring back up the AI claims the FTC scrutinises.
A credential customers, partners and procurement teams already understand — internationally.
Questions
Because the NIST AI RMF is already the de facto expectation, states are actively legislating, the FTC enforces against overstated claims, and buyers demand proof. ISO/IEC 42001 is the certifiable system that satisfies all of these and maps to NIST.
They're complementary. NIST is a voluntary risk framework; ISO/IEC 42001 is a certifiable management system that operationalises and evidences it. Many US organisations run both — NIST for the risk method, ISO/IEC 42001 for the auditable system and certificate.
There are federal preemption efforts, but existing state laws remain enforceable unless struck down in court. A management-system approach is the resilient hedge against a shifting landscape.
Related
The toolkit operationalises NIST-aligned governance into an auditable, certifiable management system — ready to tailor to your AI systems and states of operation.