Download eBook: Preparing for AI Compliance

AI technologies are being deployed by organizations at one of the fastest rates we’ve ever seen, and in response, regulatory and standards bodies are working to implement new compliance obligations that will eventually impact every IT department.

Recently, I presented a session at the Data Connectors conference on emerging AI compliance standards. There were many questions, in particular: which standards are going to impact me, and what does this all mean? It’s not surprising that professionals are confused – there are over 800 measures under consideration in over 60 countries to regulate AI, plus many potential standards. The International Organization for Standardization (ISO) committee on Artificial Intelligence currently has either published or is considering 55 separate standards addressing AI.

In my talk, I dove into some of the most significant compliance standards, specifically the U.S. National Institute of Standards and Technology (NIST) AI Risk Management Framework (Framework), and a subset of the most consequential standards of the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC).

Why you need to know about the NIST AI RMF 1.0

The Framework is a set of guidelines developed by NIST and released on January 26, 2023. The Framework is intended to help organizations design, develop, use, and evaluate artificial intelligence (AI) systems in a trustworthy and responsible way. The Framework aims to address the various risks to privacy, security, and safety that AI systems may pose to individuals, organizations, and society.

The Framework is divided into two parts. Part 1 discusses how organizations can frame the risks related to AI. Part 2 is the core of the Framework and consists of four functions: Govern, Map, Measure, and Manage. Govern applies across all AI risk management processes and procedures, while the Map, Measure, and Manage functions can be applied at specific stages of the AI development process. Each function is further broken down into specific sub-functions.

Why you need to know about ISO standards for AI

In 2017, ISO created the ISO/IEC JTC 1/SC 42 committee to develop international standards for AI. Since then, the committee has published 20 standards and has 35 more under development. The standards developed by the committee are intended to have broad application across the entire AI ecosystem and across industries. Some of the key standards are:

  • ISO/IEC 42001 – AI Management System provides guidance on integrating AI policy and objectives with business processes, assessing the organizational risk represented by AI, and documenting AI control objectives and implementation recommendations.
  • ISO/IEC 23894 – Guidance on AI Risk Management extends ISO 31000:2018 – Risk Management with AI-specific guidelines. The standard contains three main parts: principles, a framework, and processes of risk management applied to AI.
  • ISO/IEC 38507 – Governance Implications of AI Use provides recommendations for human responses to the opportunities, risks, and responsibilities AI creates.
  • ISO/IEC TR 24028 – Overview of AI Trustworthiness surveys existing approaches that can improve trustworthiness and their potential application to AI systems, as well as approaches to mitigating AI system vulnerabilities related to trustworthiness.


An eBook to help you make sense of AI compliance

To help you understand what you need to know, we’ve released a new eBook on this topic, Preparing for AI Compliance, which gives an overview of the current compliance environment for AI and how it will lead to new compliance obligations. Learn about the common themes in these new standards and the practical steps you should be taking now to get ready.


How Tangible Security can help

Tangible Security can help organizations struggling with AI compliance. Our Governance, Risk, and Compliance (GRC) consulting services provide organizations with expert guidance and support in managing their governance, risk, and compliance initiatives. Our consultants work closely with organizations to develop and implement effective GRC frameworks, policies, and processes tailored to their specific needs and industry requirements. We offer expertise in risk assessment, regulatory compliance, policy development, and monitoring. We help organizations streamline their operations, mitigate risks, and ensure adherence to legal and industry standards. With our GRC consulting services, organizations can enhance their governance practices, strengthen risk management capabilities, and achieve comprehensive compliance across their operations.

Contact us today and find out how we can help you.