Regulations & Standards
AI oversight has become a board-level duty. This is the landscape of obligations, standards, and exposure, in board language, not legalese.
The fiduciary duties boards already hold extend directly to AI. The novelty is the speed, opacity, and reach of the decisions now being made below the boardroom.
Directors must understand the AI systems the company deploys well enough to oversee them, not to code, but to ask the right questions and weigh the risks before approving.
Oversight in good faith means ensuring information and reporting systems exist for the risks that matter. For many companies, AI is now one of them.
Under the Caremark line of cases and Marchand, courts expect a good-faith effort to oversee mission-critical risks, and to document that the board did.
There is no single AI rulebook. Obligations arrive by jurisdiction, by sector, and by use case, and they are moving.
A risk-tiered regime. High-risk systems face conformity assessment, documentation, human-oversight, and transparency duties, with extraterritorial reach and significant penalties.
No omnibus law yet. The SEC scrutinizes overstated AI claims ("AI washing") and material-incident disclosure; the FTC pursues deceptive or unfair AI practices.
Colorado's AI Act (algorithmic-discrimination duties), NYC Local Law 144 (bias audits for hiring tools), Illinois BIPA (biometrics), and Utah's AI disclosure law, among others.
Model-risk management in banking (SR 11-7), fair lending (ECOA / FHA), medical AI as a device (FDA), and the NAIC model bulletin for insurers.
Voluntary frameworks increasingly set the baseline regulators, insurers, and courts measure against.
The de facto US reference. Organizes AI risk into four functions, Govern, Map, Measure, Manage, and is widely cited in policy and contracts.
ISO/IEC 42001 is the first certifiable AI management-system standard; 23894 provides AI risk-management guidance. Certification is becoming a procurement signal.
The OECD AI Principles set widely adopted values; the DOJ's evaluation of corporate compliance programs now probes how firms manage AI and emerging-tech risk.
The same capability that creates value concentrates liability. These are the fault lines.
Defensible oversight is evidenced, not assumed. These are the artifacts that show a board did its job.
This page is a general orientation for directors, not legal advice. Regulations and standards referenced here evolve quickly and vary by jurisdiction and industry. Consult qualified counsel about your board's specific obligations.
The Compass translates these obligations into a governance baseline your board can act on, and evidence. Request a briefing to see how.