ISO/IEC 42001 by region

ISO/IEC 42001 in the United States

There is no single federal AI law. US organisations navigate the voluntary NIST AI RMF as the de facto standard, a fast-moving patchwork of state laws, FTC enforcement against overstated AI claims, and procurement demands. ISO/IEC 42001 is the certifiable international layer that maps to NIST and travels across every state.

The regulatory landscape

US — NIST-led framework, state patchwork

No comprehensive federal law — NIST plus a state patchwork

As of 2026 there is no comprehensive federal AI statute. Federal policy leans on the voluntary NIST AI Risk Management Framework — now the de facto operational standard, and mapped into federal-contractor and Treasury financial-services expectations — while states legislate separately. California (SB 53, AB 2013, SB 942, from January 2026), Texas (TRAIGA), Colorado's new automated-decision law (from January 2027, after the original AI Act was repealed), New York City's Local Law 144 and Utah all impose overlapping duties. The FTC pursues "AI-washing" under Section 5 regardless of administration.

What's driving it

The rules and pressures that matter

NIST AI RMF — the de facto standard

Voluntary, but expected of federal contractors and mapped into sector frameworks (e.g. Treasury's control set for finance).

A moving state patchwork

California, Texas, Colorado (automated-decision law, 2027), Illinois, NYC Local Law 144 and Utah — different rules, overlapping obligations.

FTC enforcement

"AI-washing" and unsubstantiated AI claims are pursued under Section 5 authority.

Procurement & enterprise trust

Buyers and agencies increasingly require demonstrable, documented AI governance.

How ISO/IEC 42001 fits

One certifiable system across a fragmented landscape

Maps onto the NIST AI RMF

ISO/IEC 42001's management system operationalises NIST's govern–map–measure–manage functions with auditable, repeatable evidence.

One system across many states

A single AIMS covers overlapping state duties — consumer notices, human review, documentation — instead of a per-state scramble.

Substantiates your AI claims

Documented validation and monitoring back up the AI claims the FTC scrutinises.

Certifiable and recognised

A credential customers, partners and procurement teams already understand — internationally.

Questions

United States — quick answers

There's no federal AI law — why bother with ISO/IEC 42001?

Because the NIST AI RMF is already the de facto expectation, states are actively legislating, the FTC enforces against overstated claims, and buyers demand proof. ISO/IEC 42001 is the certifiable system that satisfies all of these and maps to NIST.

How does ISO/IEC 42001 relate to the NIST AI RMF?

They're complementary. NIST is a voluntary risk framework; ISO/IEC 42001 is a certifiable management system that operationalises and evidences it. Many US organisations run both — NIST for the risk method, ISO/IEC 42001 for the auditable system and certificate.

Will a federal law override state rules?

There are federal preemption efforts, but existing state laws remain enforceable unless struck down in court. A management-system approach is the resilient hedge against a shifting landscape.

Related

Keep reading

One recognised AI credential across the US

The toolkit operationalises NIST-aligned governance into an auditable, certifiable management system — ready to tailor to your AI systems and states of operation.