AI Compliance in 2026: State Laws and ISO 42001
US state AI laws are live in Colorado, Texas, and California, creating a compliance patchwork horizontal frameworks don't fully address. ISO/IEC 42001 has emerged as the certification credential NIST RMF cannot provide.
Most AI compliance programs built over the last two years were designed around two frameworks: the EU AI Act and the NIST AI Risk Management Framework. Both remain essential, but 2026 has added a layer most teams weren’t tracking — US state-level AI laws that are now in effect, binding on companies with no EU footprint, and granular enough to require specific operational controls. Simultaneously, ISO/IEC 42001 has moved from obscure to procurement-critical because it offers something the NIST framework deliberately does not: third-party certification. Together, these two developments are reshaping what an adequate AI compliance program looks like for US-market products.
The State AI Law Patchwork Is Now Binding
The framing of AI regulation as a primarily European concern is no longer accurate. Three states with substantial economic weight have AI compliance obligations in force or imminent for 2026.
Colorado enacted SB 24-205, which applies to developers and deployers of “high-risk” AI systems making or substantially influencing consequential decisions in employment, housing, credit, education, and healthcare affecting Colorado residents. After a legislative delay, the effective date is June 30, 2026. The obligations are specific: annual impact assessments to detect algorithmic discrimination, written risk management policies, consumer disclosure notices before high-risk AI decisions are made, and an opt-out right. Developers must document and disclose to downstream deployers the known risks and limitations of their systems. Critically, the law targets deployers — the entity using the AI to make decisions about consumers — not only the original developer. If you white-label or API-access an AI system for credit or hiring decisions affecting Colorado residents, the deployer obligations are yours regardless of who built the model.
Texas enacted HB 149, the Texas Responsible Artificial Intelligence Governance Act, effective January 1, 2026. State agencies face mandatory governance frameworks, impact assessments, and oversight structures for AI they procure. For the private sector, the law prohibits specific AI uses: social scoring systems, certain behavioral manipulation techniques, and discriminatory AI applications. The prohibited categories overlap conceptually with the EU AI Act’s “unacceptable risk” tier, though enforcement runs through Texas state law rather than a European certification body.
California entered 2026 with several active AI statutes. SB 53 (Transparency in Frontier AI Act), effective January 1, 2026, requires frontier model developers to establish safety frameworks, report incidents involving serious safety risks to the California Department of Technology, and publish transparency disclosures. AB 2013 requires generative AI developers to publicly disclose training data composition. CCPA automated decision-making regulations under development by the California Privacy Protection Agency will impose pre-use notices, opt-out rights, and disclosure requirements — effective January 1, 2027 if adopted on schedule.
According to Wilson Sonsini’s 2026 regulatory preview, state attorneys general are escalating AI scrutiny in parallel, with settlements already appearing in Pennsylvania and Massachusetts tied to algorithmic discrimination claims. A company deploying an AI-powered credit-decisioning tool via partners in multiple states may simultaneously face Colorado’s high-risk AI deployer requirements, Texas’s discrimination prohibitions, California’s CCPA automated decision-making rules, and federal fair lending obligations — all through different enforcement bodies with different evidentiary standards.
Tracking the regulatory developments at the data protection boundary of these state laws is part of what AI Privacy Report covers.
ISO/IEC 42001: The Certification Credential NIST Cannot Provide
The NIST AI Risk Management Framework has become the US baseline for enterprise AI governance. But it is explicitly voluntary and non-certifiable. An organization can align its practices to the AI RMF and document that alignment; no independent body issues a certificate confirming compliance. For counterparties — enterprise buyers, regulated-sector auditors, EU market assessors — that gap matters.
ISO/IEC 42001:2023 fills it. It is the first international management system standard for AI, specifying requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). It applies to any organization that develops, provides, or uses AI systems, at any scale. Critically, it supports third-party certification by accredited certification bodies, producing a credential that can be presented to customers, regulators, and procurement offices.
The standard uses the Plan-Do-Check-Act methodology familiar from ISO 9001 and ISO 27001. Its scope covers AI governance (leadership accountability, risk appetite, organizational roles), risk management for AI-specific hazards — bias, explainability gaps, data quality failures — and documentation of AI system objectives and design decisions. Organizations already holding ISO 27001 certifications will find the structure integrates cleanly; the AIMS clauses are written to complement existing information security management systems rather than replace them.
The practical pressure is coming from enterprise procurement. Microsoft has obtained ISO 42001 certification for GitHub Copilot, Microsoft 365 Copilot, and several other AI services, explicitly framing it as a way to help enterprise customers support their own compliance assessments. AWS has a similar certification posture. When enterprise buyers start requiring ISO 42001 evidence in vendor qualification processes, the certification cycle takes six to twelve months to complete. Teams that wait until a deal depends on it are already behind schedule.
NIST’s AI standards engagement is also actively aligning the AI RMF with ISO/IEC standards. The frameworks map closely enough that organizations implementing ISO 42001 are simultaneously building evidence of NIST AI RMF alignment — reducing the documentation overhead of running both programs in parallel.
For teams building the technical controls that both frameworks require — guardrails, content filters, human oversight mechanisms — GuardML covers the current defensive AI tooling landscape.
What AI Compliance Programs Need to Add This Quarter
EU AI Act and NIST RMF coverage is a foundation, not a complete program, for a US-market AI product in 2026. Three additions most programs still lack:
State law inventory. For every AI system affecting consumers, map which state laws apply based on where those consumers are located and what categories of decisions the system influences. Colorado’s high-risk categories — employment, housing, credit, education, healthcare — cover most consequential AI applications. The June 30 deadline for Colorado is weeks away; if you have Colorado consumers and a system in scope, the impact assessment and disclosure obligations need to be in place.
ISO 42001 readiness assessment. Check whether ISO 42001 is appearing in enterprise procurement requirements for upcoming deals. If it is, scope a certification project. The standard’s requirements are achievable for organizations with existing governance programs; the bottleneck is third-party audit scheduling and documentation build, not the underlying controls.
Sector overlay check. Horizontal AI frameworks do not eliminate sector-specific obligations. Healthcare AI teams should check FDA guidance on Software as a Medical Device and HHS AI action plan requirements. Financial services teams should review OCC, FDIC, and CFPB guidance on algorithmic credit and the fair lending implications of AI-driven underwriting. These sector rules operate alongside — not instead of — the horizontal state and federal frameworks.
AI compliance in 2026 requires managing a stack of overlapping obligations. Programs built around a single framework are leaving coverage gaps that state attorneys general and federal agencies are actively filling.
Sources
- ISO/IEC 42001:2023 — Artificial Intelligence Management Systems (iso.org): The official ISO standard page for the international AI management system standard. Specifies requirements for establishing, implementing, maintaining, and continually improving an AIMS. Supports third-party certification by accredited certification bodies.
- SB24-205 Consumer Protections for Artificial Intelligence — Colorado General Assembly (leg.colorado.gov): Full text of Colorado’s AI consumer protection law, including the definition of high-risk AI systems, developer and deployer obligations, annual impact assessment requirements, and the consumer disclosure and opt-out framework.
- 2026 Year in Preview: AI Regulatory Developments — Wilson Sonsini (wsgr.com): Law firm analysis of federal and state AI regulatory obligations active in 2026, covering California SB 53, the EU AI Act implementation timeline, enforcement trends, and attorney general escalation.
- NIST AI Standards (nist.gov): NIST’s central page for AI standards activities, including the AI Risk Management Framework and NIST’s international alignment work with ISO/IEC standards. Key context for understanding the relationship between the AI RMF and certifiable international management system standards.