Regulations & Standards

Know what your board is accountable for.

AI oversight has become a board-level duty. This is the landscape of obligations, standards, and exposure, in board language, not legalese.

AI didn't change your duties. It raised the stakes.

The fiduciary duties boards already hold extend directly to AI. The novelty is the speed, opacity, and reach of the decisions now being made below the boardroom.

Duty of Care

Decide on an informed basis.

Directors must understand the AI systems the company deploys well enough to oversee them, not to code, but to ask the right questions and weigh the risks before approving.

Duty of Loyalty

Act in good faith.

Oversight in good faith means ensuring information and reporting systems exist for the risks that matter. For many companies, AI is now one of them.

Duty of Oversight

Mind the mission-critical.

Under the Caremark line of cases and Marchand, courts expect a good-faith effort to oversee mission-critical risks, and to document that the board did.

A widening, uneven map.

There is no single AI rulebook. Obligations arrive by jurisdiction, by sector, and by use case, and they are moving.

European Union

EU AI Act

A risk-tiered regime. High-risk systems face conformity assessment, documentation, human-oversight, and transparency duties, with extraterritorial reach and significant penalties.

United States · Federal

SEC & FTC

No omnibus law yet. The SEC scrutinizes overstated AI claims ("AI washing") and material-incident disclosure; the FTC pursues deceptive or unfair AI practices.

United States · State

A patchwork, accelerating

Colorado's AI Act (algorithmic-discrimination duties), NYC Local Law 144 (bias audits for hiring tools), Illinois BIPA (biometrics), and Utah's AI disclosure law, among others.

Sector-specific

Where AI is already regulated

Model-risk management in banking (SR 11-7), fair lending (ECOA / FHA), medical AI as a device (FDA), and the NAIC model bulletin for insurers.

Standards worth knowing by name.

Voluntary frameworks increasingly set the baseline regulators, insurers, and courts measure against.

NIST

AI Risk Management Framework

The de facto US reference. Organizes AI risk into four functions, Govern, Map, Measure, Manage, and is widely cited in policy and contracts.

ISO / IEC

42001 & 23894

ISO/IEC 42001 is the first certifiable AI management-system standard; 23894 provides AI risk-management guidance. Certification is becoming a procurement signal.

OECD · DOJ

Principles & enforcement

The OECD AI Principles set widely adopted values; the DOJ's evaluation of corporate compliance programs now probes how firms manage AI and emerging-tech risk.

Where boards are exposed.

The same capability that creates value concentrates liability. These are the fault lines.

Securities & disclosure
Overstating AI capability to investors, or failing to disclose a material AI incident, draws SEC scrutiny and shareholder litigation.
Discrimination
Biased hiring, lending, and pricing models create exposure under Title VII, the ADEA, ECOA, and the Fair Housing Act, vendor opacity is no defense.
IP & copyright
Training data of uncertain provenance, and unclear ownership of AI-generated output, can impair assets and trigger injunctions.
Privacy & data
Biometric, personal-data, and cross-border data flows through AI systems carry their own fast-moving statutory regimes.
Vendor & agentic
Dependency on a third-party model, and autonomous agents acting without human review, shift risk the board may not have priced.
Safety & product
AI-enabled products that cause harm raise recall, disclosure, and liability questions that reach the board.

What "good" looks like on the record.

Defensible oversight is evidenced, not assumed. These are the artifacts that show a board did its job.

This page is a general orientation for directors, not legal advice. Regulations and standards referenced here evolve quickly and vary by jurisdiction and industry. Consult qualified counsel about your board's specific obligations.

Turn obligation into a defensible record.

The Compass translates these obligations into a governance baseline your board can act on, and evidence. Request a briefing to see how.

Request a Briefing Explore the Compass