The Schellman Blog

The information in this article was originally presented on January 15, 2026, at a Public Hearing to the New York State Senate Standing Committee on Internet and Technology to discuss risks, solutions, and best practices with respect to the use of artificial intelligence in consequential or high-risk contexts, and related issues.

As the Department of Defense (DoD) continues to accelerate its Zero Trust strategy, organizations supporting national security missions face increasing expectations for how they secure, monitor, and manage sensitive information.

As interest in ISO 42001 certification has surged over the past year, we've heard a steady stream of questions from organizations seeking to build their AI governance strategy and operationalize their Artificial Intelligence Management Systems (AIMS) responsibly. From understanding practical preparation steps to what to expect during the audit, many teams are looking for clearer guidance as they navigate this newer management system standard.

As organizations expand their digital footprints and adopt AI at scale, global privacy expectations are rising worldwide. At the same time, cyber threats are growing more sophisticated, further driving the need for more advanced, resilient privacy programs to meet both regulatory and security demands.

The California Air Resources Board (CARB) continues to progress its climate disclosure laws, but the path forward remains unclear. Despite statutory deadlines that have been on the books since 2023, CARB has repeatedly shifted its own rulemaking timeline while still expecting companies to meet firm compliance dates.

Organizations that rely on Germany’s Cloud Computing Compliance Criteria Catalogue (C5) can expect meaningful changes on the horizon. The public comment period for C5:2025 formally closed in September 2025, and we anticipate that the finalized version of the refreshed framework will be released sometime in 2026.

As artificial intelligence becomes increasingly embedded in core business operations and customer-facing product offerings, organizations are under growing pressure to ensure their AI systems are safe, ethical, transparent, and well-governed. ISO 42001, the world’s first international standard for AI management systems, provides the structure needed to build trustworthy AI and demonstrate responsible governance to customers, regulators, and partners.

If you've received a report labeled "Red Team Assessment" and can’t help but notice it reads more like a penetration test report, you're not alone. We've seen this pattern repeatedly. Organizations invest in what they believe is a Red Team engagement, only to receive a penetration test with a different label. This deception can be more damaging than helpful as it is fundamental to your security posture that you understand the depth of assessment your organization actually received.