
AI Regulation Keeps Evolving: How to Develop an AI Governance Framework That Adapts

Artificial Intelligence | ISO 42001

Published: May 19, 2026

This article was drafted based on a LinkedIn Live discussion between Danny Manimbo (Managing Principal, Schellman) and Christian Hyatt (CEO & Co-Founder, risk3sixty). Watch their full session here.

The regulatory landscape for AI is shifting rapidly between evolving federal policies, an explosion of state-level legislation, and the emergence of industry-specific compliance requirements. Many organizations know they need AI governance but may face uncertainty about how to navigate the evolving landscape.

The most forward-thinking companies aren’t waiting for regulatory clarity. They are building governance frameworks now that position them to adapt and comply with whatever comes next, while simultaneously enabling AI innovation at scale.

The State of AI Regulation 

The scale of regulatory activity is striking. In 2026 alone, 45 states have proposed more than 1,500 AI-related bills, which already surpassed the entire output of 2024. By 2025, all 50 states had proposed at least one AI bill, with 145 bills enacted that year alone.

These laws address diverse concerns, including algorithmic accountability, generative AI transparency, employment discrimination, deepfakes, and high-risk automated decision-making. These AI laws generally span three broad categories:  

  • Comprehensive laws targeting high-risk AI systems used in consequential decision-making. Colorado’s AI Act, which notably was repealed on May 14, 2026, weeks before its effective date, was the first state law to attempt a comprehensive approach, with others such as the Texas Responsible AI Governance Act (TRAIGA) following suit.  
  • Foundation model developer-focused laws like New York’s RAISE Act, which directly target large language model (LLM) creators, making them accountable for harm before they occur rather than retroactively.  
  • Sector-specific laws addressing narrow use-cases, including New York City (NYC) Local Law 144’s AEDT (Automated Employment Decision Tools) laws requiring annual algorithmic bias audits, Utah’s AI Disclosure Act requiring chatbot users to know they’re interacting with AI, and Tennessee’s ELVIS Act protecting musicians from AI voice cloning.  

The Federal Government’s Impact on AI Regulation  

In addition to state efforts, the federal government has signaled its own approach to AI regulation. President Trump’s executive order proposes a uniform federal AI policy framework designed to preempt state laws deemed “excessive,” specifically calling out Colorado’s AI Act as an example of overregulation.

Colorado’s original AI Act has since been repealed and replaced with SB 189, “Automated Decision-Making Technology,” marking a significant shift from the state’s previous regulatory approach. The new law adopts a lighter-touch regulatory regime that eliminates certain obligations for developers and deployers of AI systems, replacing the comprehensive governance framework with a disclosure-driven approach focused on consequential decision-making.

SB 189 also eliminates several of the Colorado AI Act's key requirements for "high-risk AI systems," including risk assessment programs, impact assessments, and the duty to use reasonable care to prevent algorithmic discrimination.  

Colorado's regulatory overhaul may signal how the federal government's deregulatory approach is influencing state-level policy decisions. Elsewhere, the EU is also pushing back timelines for high-risk AI obligations.

Between the rise of new legislation, evolving requirements, and shifting timelines, organizations face increasing ambiguity about how to design and operate their AI governance strategies despite their best attempts to get ahead. 

How The United States Is Approaching AI Regulation  

One fact remains clear: the U.S. is committed to being a strategic leader in AI development with a staggering scale of investment. The U.S. spent $700 billion on AI infrastructure in a single year, surpassing the $630 billion spent over the span of 36 years to build the entire federal highway system. National security imperatives and economic competitiveness make slowing down politically difficult.

At the same time, states and advocates want guardrails in place and believe governance is necessary to address potential harms. The two sides of the Atlantic have answered that tension differently: the EU has chosen centralized, comprehensive frameworks (GDPR, the EU AI Act), while the U.S. favors a patchwork of state and federal laws.

The question remains: how should organizations approach AI governance so that it stays compliant as regulations evolve across local, state, federal and global levels simultaneously? 

How to Build an Adaptable AI Governance Program  

Organizations should avoid building their compliance programs around a single regulation. For example, even if you had based everything you do from a compliance perspective on Colorado’s AI Act, the Act’s repeal and replacement doesn’t mean you should abandon AI governance altogether: the risk still remains, and other regulations will continue to emerge.

Instead, organizations should build compliance on principles-based frameworks that work regardless of which specific regulation holds up. 

  1. Start With ISO 42001  
    Many organizations are gravitating toward ISO 42001, the international AI management systems standard, as foundational infrastructure. It establishes core principles applicable across jurisdictions including governance committees, risk assessments, impact assessments, and accountability structures. 
    Because every regulation shares basic governance requirements, ISO 42001 offers flexibility that positions you to make decisions quickly, while giving you infrastructure to comply with future mandates and current business demands.  
    We’re already seeing ISO 42001 become a dealbreaker: one company we know lost out on major deals because competitors had achieved ISO 42001 certification and it hadn’t. Within weeks of a competitor’s announcement, its CEO demanded that the company pursue certification too.

  2. Expect Business-to-Business Enforcement First  
    Organizations should also expect some business-to-business enforcement before there will be regulatory enforcement. Large enterprises are already embedding AI compliance into supplier contracts. Microsoft’s Supplier Security Program (SSP) and similar procurement frameworks increasingly require certifications or evidence of AI governance.  
    AI governance has shifted from nice-to-have to deal-breaker. Legal tech and healthcare tech companies, for example, frequently report that large healthcare systems refuse to do business without a credible AI governance roadmap.  

  3. Own Organizational Alignment  
    When GDPR arrived, organizations appointed Data Protection Officers. Organizations should expect AI governance to follow a similar pattern, bringing the need to identify who owns AI within the organization. 
    AI governance should be treated as a strategic function, with clearly defined roles, responsibilities, and ownership. Effective AI governance requires cross-functional ownership with executive accountability.
    Governance is where business enablement and risk management intersect. AI adoption decisions, including which products to bring to market, whether to deploy company-wide AI enablement tools, and which models to use, are strategic and deserve a designated governance committee. 

  4. Apply a Risk Tiering Approach 
    Many organizations stumble trying to bring every AI use case into scope at once, but not all AI is created equal. Start with visibility by considering what AI systems are actually in use, who owns them, and what they are used for. Evaluate what you’re most worried about, what concerns customers are raising, what could go wrong, and what the impact would be. Then, tier by risk.  
    High-impact use cases, including those handling customer data, influencing financial decisions, or affecting core business revenue, deserve high-priority and deep governance attention. Use cases like internal productivity tools do deserve thoughtful guardrails, but less intensive oversight.  

Good governance leaves marks. If you’ve done risk assessments and found nothing to address, with no incidents and no overrides, that’s a red flag: it suggests the governance process isn’t genuinely engaging with your systems and risks.

Conversely, when teams are thinking deeply about AI impacts, you hear a different conversation. They're weighing which models to use for which use cases, discussing nuances in guardrails, considering deployment costs and tradeoffs. That's governance that's real. 

Key Considerations for Effective AI Governance  

Impact Assessments vs. Risk Assessments 

Traditional risk assessments consider what could go wrong for us. Impact assessments ask harder questions around what could go wrong for the people affected by our AI.  

The harms to society from a resume screening tool that exhibits bias, an autonomous vehicle that fails, or a credit decision algorithm that denies loans unfairly are fundamentally different from the reputational and legal risks to your organization.

The impact assessment looks outward, forcing critical thinking about societal consequences, misuse, abuse, and downstream effects. Regulators care about this because they're protecting the public, not your business, and this should matter to you too.

Build a Defensible AI Governance Approach 

We don't yet have extensive legal precedent or industry consensus on AI governance best practices. Jurisprudence hasn't caught up to the technology. What you can do is think critically and document your thinking.

Show your homework and justify your decisions. If challenged, you want to demonstrate that you thoughtfully considered impacts, consulted relevant expertise, assessed risks, and made deliberate choices. That defensibility is increasingly the foundation of effective governance.

Don't Confuse Security with Governance

A common mistake is changing a few words in your information security policy and calling it AI governance. They are inherently different buckets of risk: security policies address confidentiality, integrity, and availability, whereas AI governance addresses fairness, transparency, accountability, and societal impact. They overlap, but they’re not interchangeable.

The Path Forward to Strong and Adaptable AI Governance 

The evolution and ambiguity around AI legislation and regulation isn’t disappearing anytime soon, but uncertainty doesn’t justify inaction. Organizations that invest in governance now, by establishing committees, defining use cases, conducting impact assessments, and documenting their thinking, will be positioned to comply with whatever regulatory framework ultimately emerges.

More importantly, they'll build internal alignment around how to innovate responsibly and at scale.

To learn more about how to build a strategic AI governance roadmap, or the role of ISO 42001 in meeting and adapting evolving regulation, contact us today. In the meantime, discover other AI governance insights in these helpful resources:  

About Danny Manimbo

Danny Manimbo is a Principal at Schellman based in Denver, Colorado, where he leads the firm’s Artificial Intelligence (AI) and ISO services and serves as one of Schellman’s CPA principals. In this role, he oversees the strategy, delivery, and quality of Schellman’s AI, ISO, and broader attestation services. Since joining the firm in 2013, Danny has built more than 15 years of expertise in information security, data privacy, AI governance, and compliance, helping organizations navigate evolving regulatory landscapes and emerging technologies. He is also a recognized thought leader and frequent speaker at industry conferences, where he shares insights on AI governance, security best practices, and the future of compliance. Danny has achieved the following certifications relevant to the fields of accounting, auditing, and information systems security and privacy: Certified Public Accountant (CPA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), Certificate of Cloud Security Knowledge (CCSK), and Certified Information Privacy Professional – United States (CIPP/US).