Innovation, Quantum-AI Technology & Law

Blog on Artificial Intelligence, Quantum, Deep Learning, Blockchain and Big Data Law

Blog on the legal, social, ethical and policy aspects of Artificial Intelligence, Quantum Computing, Sensing & Communication, Augmented Reality and Robotics, Big Data legislation and Machine Learning regulation. Knowledge articles on the EU AI Act, the Data Governance Act, cloud computing, algorithms, privacy, virtual reality, blockchain, robot law, smart contracts, information law, ICT contracts, online platforms, apps and tools. European rules, copyright, chip protection law, database rights and legal services in AI law.

The US ISO 42001 Standards-Centric Approach to AI Governance: Compliance, Trust, and Innovation (Daiki Repost)

By Editor

May 13, 2025—The article below is republished in full from the Daiki blog as a repost, by permission. It was written for Daiki, the AI and quantum governance company co-founded by Mauritz Kop, and sets out the case for a standards-centric path to artificial intelligence governance—one anchored in ISO/IEC 42001 and the NIST AI Risk Management Framework rather than sweeping prescriptive rules. The piece is most useful to U.S. companies operating in, or selling into, the European Union, where ISO 42001 can serve as a bridge to EU AI Act readiness. We reproduce it here with its original spellings, figures, and outbound references intact. The author's own as-of dates ("as of April 2025") are preserved. Original: The US ISO 42001 Standards Centric Approach to AI Governance: Compliance, Trust, and Innovation.

Republished from the Daiki blog. Author: Mauritz Kop, Co-Founder, May 13, 2025.

ISO/IEC 42001 and the standards-centric approach to AI governance (illustrative editorial image).


The US standards-centric approach to AI governance

As artificial intelligence (AI) technologies rapidly evolve, the United States faces the complex challenge of governing AI in a way that fosters innovation, protects consumers, and ensures global competitiveness. Rather than relying exclusively on sweeping prescriptive regulation that could stifle innovation, the US is increasingly adopting a "standards-centric" approach, with the ISO 42001 technical standard emerging as a cornerstone for responsible AI management. This strategy leverages internationally recognized standards to create a flexible, risk-based governance framework—one that aligns with the country's regulatory philosophy and aims to position US companies for success both domestically and abroad.

The US 'laissez-faire' regulatory environment for AI is characterized by fragmentation and deregulation. Executive Orders such as EO 14179 ("Removing Barriers to American Leadership in Artificial Intelligence") set the federal tone, while federal bodies like the Federal Trade Commission (FTC), Equal Employment Opportunity Commission (EEOC), and Food and Drug Administration (FDA) issue sector-specific guidance, and individual states such as California, Virginia, Illinois and New York enact their own AI and data privacy legislation. Further, the HIPAA (Health Insurance Portability and Accountability Act of 1996) Privacy and Security Rules directly affect the subset of AI systems that process healthcare data, such as medical devices, requiring safeguards for electronic protected health information (ePHI) such as encryption, access controls, and audit trails. In the context of AI rules, the US government has expressed a preference for industry-led standards as the foundational element of AI governance, aiming to avoid rigid, top-down regulation that could impede innovation.

In this contribution, we explore the rationale behind the US "standards-centric" approach, the practical impact of ISO 42001 on AI governance, and how integrated compliance solutions like the Daiki tool suite empower organizations to navigate the patchwork of US and international AI regulations, especially for US companies doing business in the EU.

Figure 1: US vs. EU AI Governance Approaches

Feature | US Approach (Exemplified by NIST AI RMF) | EU Approach (EU AI Act)
Legal Status | Voluntary guidance | Legally binding regulation
Primary Framework | NIST AI Risk Management Framework (RMF) | EU AI Act
Approach | Risk management process focus (Govern, Map, Measure, Manage) | Risk categorization and tiered rules (Unacceptable, High, Limited, Minimal)
Scope | Primarily US focus, globally applicable principles | Extraterritorial, EU market focus
Enforcement | Indirect (market pressures, potential future regulation) | Direct (fines and penalties via AI Office / Member States)
Primary Focus | Promoting innovation and trustworthy AI | Protecting fundamental rights and safety

This table illustrates the philosophical divergence between the US and EU approaches to AI governance, highlighting the US preference for voluntary standards versus the EU's prescriptive regulatory model.


ISO/IEC 42001: The Global Standard for Trustworthy AI Management

Adopting and achieving certification for ISO 42001 offers tangible business benefits. Critically, it provides a solid foundation for meeting emerging regulatory requirements globally, helping organizations prepare for laws like the EU AI Act.

Beyond immediate compliance benefits, embracing ISO 42001 represents a strategic investment in proactive de-risking. In an environment marked by rapid technological change and evolving regulatory expectations, the standard helps organizations build the internal capabilities, processes, and culture of responsibility needed to adapt. It encourages a shift from reactive, checklist-based compliance towards an integrated, continuously improving management system. This holistic approach helps mitigate a broader spectrum of risks, including reputational damage from ethical missteps, operational failures due to poorly managed AI, or potential legal liabilities, ultimately fostering more resilient and trustworthy AI deployment.


The NIST AI Risk Management Framework (NIST AI RMF)

The US approach to AI governance is fundamentally risk-based, sector-specific in many implementations, and relies primarily on voluntary standards rather than overarching federal legislation. Developed collaboratively with input from private and public sector experts, the NIST AI Risk Management Framework (AI RMF 1.0, released in January 2023) exemplifies this philosophy. Originating from directives such as the National Artificial Intelligence Initiative Act of 2020 and subsequent Executive Orders, the framework serves as guidance for organizations designing, developing, deploying, or using AI systems. Its goal is to promote trustworthy and responsible AI by providing a structured approach to managing AI-related risks and enhancing public trust, without mandating specific legal requirements.

The NIST AI RMF acts as a playbook for responsible AI adoption, structured around four core functions designed to be integrated throughout the AI lifecycle:

  • Govern: This foundational function involves establishing the necessary policies, organizational culture, structures, roles, and responsibilities to manage AI risks effectively. It ensures that AI risk management is prioritized by leadership and aligned with organizational values, ethical principles, and relevant standards.

  • Map: This function focuses on establishing the context for risk management. It involves identifying the intended purposes and potential impacts of an AI system, categorizing the system, understanding the operational environment and stakeholders, and mapping potential risks and benefits across the AI lifecycle.

  • Measure: Here, organizations develop and employ methods—quantitative, qualitative, or hybrid—to analyze, assess, and track AI risks and performance. This includes using metrics related to accuracy, reliability, fairness, security, and other trustworthy characteristics to ensure the system operates as intended and to monitor for potential harms.

  • Manage: Based on the risks identified and measured, this function involves developing and implementing strategies to treat those risks. This includes allocating resources to address prioritized risks, implementing mitigation measures, and establishing processes for continuous monitoring and improvement to ensure AI systems remain compliant, secure, and aligned with objectives over time.

Throughout these functions, the NIST AI RMF emphasizes cultivating the characteristics of trustworthy AI: safety, security and resilience, transparency and explainability, fairness (managing harmful bias), accountability, and privacy enhancement. While the framework is officially voluntary, its influence extends beyond mere guidance. Market pressures, the need to build stakeholder trust, its adoption in regulated sectors like finance and healthcare, and its alignment with international best practices create a strong incentive for US companies, particularly those operating globally or in sensitive domains, to engage seriously with its principles. The framework also signals likely future regulatory directions, making its adoption a prudent step for forward-looking organizations. It represents the preferred US blueprint for managing AI risk, even though adoption remains legally voluntary.


US vs. EU AI Governance Approaches

This US approach to AI governance contrasts sharply with the European Union's AI Act: permissionless innovation (US) versus the precautionary principle (EU). Both innovation systems stand in contrast to China's state-driven surveillance capitalism. The EU AI Act is a comprehensive, legally binding regulation with extraterritorial reach, affecting any company placing AI systems on the EU market or whose AI output is used within the EU. Unlike the NIST AI RMF's flexible process guidance, the EU AI Act categorizes AI systems by risk (Unacceptable, High, Limited, Minimal) and imposes specific, mandatory requirements, particularly for high-risk systems. High-risk systems, such as those used in employment, critical infrastructure, or law enforcement, face stringent obligations regarding data governance, human oversight, risk management systems, technical documentation, conformity assessments, and post-market monitoring. The Act establishes enforcement mechanisms, including significant fines for non-compliance.

ISO/IEC 42001, published in December 2023, is the world's first international standard for Artificial Intelligence Management Systems (AIMS). It establishes a comprehensive framework for the responsible development, deployment, and oversight of AI systems.

Key elements include:

  • Risk-based governance: Systematic identification, assessment, and mitigation of AI-related risks across the entire lifecycle.

  • Transparency and documentation: Requirements for technical documentation, impact assessments, and explainability.

  • Continuous improvement: Ongoing monitoring, internal audits, and management reviews to adapt to evolving risks and regulations.

  • Human oversight: Mechanisms to ensure human-in-the-loop controls for high-impact or high-risk AI applications.

By adopting ISO 42001, US companies can demonstrate a proactive commitment to responsible AI, satisfy many regulatory expectations, and build trust with customers and partners.

Figure 2: ISO 42001 vs EU AI Act – US Standards-centric Approach

Aspect | ISO 42001 | EU AI Act
Regulatory Approach | Voluntary certification | Legally binding for EU market access
Scope | Broad AI management systems | Focus on high-risk AI systems (e.g., biometrics)
Risk Management | General risk-based framework | Tiered obligations based on risk level
Transparency | Requires documentation and reporting | Mandates explainability for end-users

ISO 42001 reflects the US preference for industry-led standards that promote global interoperability over prescriptive regulation, in line with Trump-era deregulation principles (e.g., EO 14179). US companies use ISO 42001 as a bridge between fragmented federal and state rules and global standards, streamlining compliance and fostering innovation.


Benefits of ISO 42001 Certification for US Companies Operating in the EU

Crucially, implementing an ISO 42001-compliant AIMS can significantly aid US companies in demonstrating readiness for the stringent requirements of the EU AI Act. While ISO 42001 certification does not automatically equate to EU AI Act compliance, the standard's requirements overlap considerably with the Act's principles and obligations, especially for high-risk systems. ISO 42001 mandates robust processes for risk management, data governance, transparency, documentation, human oversight, and managing the AI system lifecycle—all critical components demanded by the EU AI Act for high-risk applications. Therefore, achieving ISO 42001 certification provides tangible evidence of diligence and helps build the necessary structures and processes to meet many EU AI Act requirements.

Furthermore, in a global marketplace characterized by diverging national regulations, achieving certification to a globally recognized standard like ISO 42001 provides a powerful signal of commitment to responsible AI practices. It enhances credibility and fosters trust with international partners, customers, and regulatory bodies. This can be particularly valuable in easing market access and navigating compliance discussions in jurisdictions like the EU, which place a high premium on demonstrable AI safety and ethics. ISO 42001 effectively acts as a "common language" for AI governance. It offers a globally understood baseline that bridges the philosophical gap between the US "standards-centric" approach and the EU's regulatory model. By adopting this international standard, US companies can implement a consistent framework to manage AI governance across different jurisdictions, demonstrating due diligence in a way that resonates with diverse regulatory expectations, rather than building entirely separate compliance systems for each market.

In sum, the adoption of ISO 42001 offers several tangible benefits for US companies operating in the EU:

  1. Streamlined Compliance: ISO 42001's risk-based framework aligns closely with the NIST AI RMF and agency-specific mandates. By implementing ISO 42001, companies can help meet documentation and transparency expectations of the FTC, EEOC, and FDA (the standard supports, but does not replace, those agencies' own requirements). It also allows technical documentation, risk assessments, and audit trails to be reused across jurisdictions, minimizing redundancy and administrative burden. Furthermore, it aids in preparing for prospective legislation, such as the proposed American Data Privacy and Protection Act (ADPPA), by integrating algorithmic impact assessments and bias audits into governance processes.

  2. Enhanced Trust and Market Differentiation: Achieving ISO 42001 certification signals a commitment to ethical, transparent, and accountable AI practices, thereby enhancing trust among stakeholders, including customers, partners, and regulators. This is particularly crucial in sensitive sectors such as healthcare, finance, and public services.

  3. Global Readiness: With the advent of the EU AI Act and other international frameworks, ISO 42001 provides a foundation for cross-border compliance. US companies can leverage their ISO 42001 management systems to address overlapping requirements in the EU and other regions, facilitating market entry and mitigating legal risks.


US Companies with ISO 42001 Certification

Despite being a relatively new standard, several US companies or companies with significant US operations have already achieved ISO 42001 certification, demonstrating early leadership in responsible AI governance. Based on available information as of April 2025, these include:

  • Microsoft: Certified for Microsoft 365 Copilot and Microsoft 365 Copilot Chat.

  • Amazon Web Services (AWS): Certified as a major cloud provider.

  • Google: Also certified as a major cloud provider.

  • Anthropic: An early frontier AI lab to receive accredited ISO 42001 certification.

  • KPMG: Certified among technology integrators.

  • Cognizant: Certified as an IT services and consulting company.

  • Integral Ad Science: One of the first globally, and the first measurement provider, to achieve accredited certification for its AI Management System in its Quality Attention product.

  • Synthesia: An enterprise AI video communications platform with a global presence including the US, announced as the first AI video company to achieve ISO 42001 certification.

  • Mimecast: The first certified US cybersecurity company.

  • Datamatics: A global digital technologies, operations, and experiences company that announced its ISO/IEC 42001 certification in June 2024.

These early adopters are setting a benchmark for responsible AI management and proactively addressing stakeholder concerns in a manner that current US regulation does not yet mandate comprehensively.


Navigating AI Governance with Confidence: The Daiki Method

The landscape of AI governance, encompassing standards like ISO 42001 and ISO 27001, regulations like the EU AI Act, and sector-specific rules like the EU MDR for medical devices, presents a significant challenge. Daiki aims to simplify this complexity, offering an integrated methodology and suite of tools designed specifically to help businesses, particularly US companies targeting the EU market, navigate these requirements efficiently and effectively.

The Daiki method is built around a toolkit of six interconnected components, each addressing a critical aspect of AI governance and compliance:

  1. AI System Registry: Provides a centralized system for inventorying, tracking, and managing information about an organization's AI and machine learning models throughout their lifecycle. This is fundamental for governance, risk assessment, and transparency.

  2. EU AI Act Compliance Toolkit: Offers specific tools, templates, and workflows designed to help organizations understand and meet the requirements of the EU AI Act, likely including risk classification support, documentation generation, and conformity assessment preparation.

  3. ISO 42001 Implementation Framework: Delivers a structured approach, including guidance, policies, procedures, and templates, to streamline the process of establishing, implementing, and achieving certification for an ISO 42001-compliant AI Management System.

  4. ISO 27001 Data Security Integration: Facilitates the connection between the AI Management System (ISO 42001) and the broader Information Security Management System (ISMS) based on ISO 27001, ensuring that data security considerations are seamlessly integrated into AI governance.

  5. MDR/ISO 13485 Compliance for Medical AI: Provides specialized tools and frameworks to address the unique compliance requirements for AI used in medical devices, aligning with the EU Medical Device Regulation (MDR) and the ISO 13485 standard for medical device quality management systems.

  6. Responsible Generative AI Adoption Framework: Offers specific guidance, policies, and controls to manage the distinct risks of deploying generative AI technologies (including bias, hallucination, and intellectual property risks), aligned with emerging best practices and guidance such as the NIST Generative AI Profile (NIST AI 600-1).

The true value of the Daiki method lies in the integration of these tools. Instead of treating ISO 42001, the EU AI Act, data security, and sector-specific compliance as separate silos, Daiki provides a holistic platform where these requirements can be managed cohesively. This integrated approach enables organizations to identify overlaps, avoid duplication of effort, ensure consistency, and gain a unified view of their AI governance posture. For instance, risk assessments performed for ISO 42001 can inform EU AI Act compliance activities, and data security controls implemented for ISO 27001 can support the data governance requirements of both ISO 42001 and the EU AI Act.

Figure 3: Daiki Cross-Solution Synergies

Requirement | Daiki Solutions Involved
ISO 42001 + AI Act | AI Registry + ISO 42001 Framework + EU AI Act Toolkit
MDR + ISO 13485 | MDR Compliance + AI Registry + ISO 27001
Data Security | ISO 27001 + Responsible AI Framework + AI Registry

This table illustrates how Daiki's modular tools integrate various standards and regulations (ISO 42001, EU AI Act, ISO 27001, ISO 13485/EU MDR, and Generative AI specific considerations) into a unified compliance ecosystem, facilitating navigation of both EU and international AI governance requirements.

For US companies aiming to succeed in the EU market, Daiki offers a clear value proposition. It provides a practical, streamlined pathway to achieve compliance with both the internationally recognized ISO 42001 standard and the mandatory EU AI Act. By leveraging the synergies between the standard and codified AI legislation, and integrating essential data security (ISO 27001) and relevant sector-specific requirements (ISO 13485/MDR), Daiki helps companies build trust, manage risk, and accelerate their entry and growth within the complex European regulatory environment. Notably, Daiki streamlines and automates the bulk of the ISO 42001 requirements with its Agentic AI system. This approach functions as a compliance accelerator; by providing pre-built frameworks and integration points, Daiki significantly reduces the internal time, effort, and specialized expertise that companies would otherwise need to dedicate to navigating these complex standards and regulations independently.


How Daiki Can Address Ethical AI Dilemmas

The Daiki process specifically addresses ethical dilemmas through a structured, interdisciplinary approach. This includes employing a Stakeholder-Centric Ethical Matrix during system design to identify and prioritize concerns like fairness and harm prevention based on input from domain experts and affected groups. Furthermore, Daiki aligns AI models with predefined ethical rules, such as harmlessness and truthfulness, using techniques like Constitutional AI principles and Reinforcement Learning from Human Feedback (RLHF) to minimize harmful outputs. Proactive testing through Red-Teaming and Bias Audits helps identify vulnerabilities and evaluate demographic disparities, with human-in-the-loop validation mandated for high-risk applications.


Future Focus: US AI De-Regulation Under the Trump Administration

Looking ahead, the direction of US federal AI policy under the second Trump administration is expected to lean towards deregulation. As of April 2025, this involved establishing an Artificial Intelligence Action Plan and repealing or revising existing executive orders on AI, with a focus on reducing perceived barriers to AI development to enhance US competitiveness. Deregulation may result in a lighter federal regulatory touch, relying more heavily on voluntary industry standards and market forces rather than broad mandates, effectively a "standards-centric" approach to AI regulation. However, this trend could also lead to increased AI legislative activity at the state level, creating a more complex and fragmented regulatory landscape for businesses. Specific areas such as national security applications of AI, strengthening export controls on AI technologies, and facilitating energy infrastructure for AI data centers could still see focused federal attention.

In this evolving and potentially unpredictable regulatory environment, adherence to robust, internationally recognized standards like ISO/IEC 42001 offers stability and predictability. Committing to the standard provides a consistent internal framework for managing AI risks and demonstrating responsibility that transcends domestic political shifts. It ensures a baseline of good governance and provides a globally recognized signal of diligence, helping companies maintain trust and market access irrespective of the direction of US federal policy. Deregulation or not, US companies doing business in the EU still need to abide by the EU AI Act regime and sector-specific rules such as the MDR for medical devices.


Conclusion: Your Strategic Path Forward in AI Governance

The path for US companies leveraging AI involves navigating a complex interplay of domestic policy and international regulations. The US "standards-centric" approach, exemplified by the NIST AI RMF, emphasizes voluntary, risk-based management to drive innovation. Concurrently, the global market, particularly the EU with its comprehensive AI Act, demands demonstrable proof of safety, ethics, and robust governance.

In this context, ISO/IEC 42001 stands out as a strategic asset. Its framework for AI Management Systems aligns with the principles of the NIST AI RMF, offering a familiar structure for US companies. Crucially, its international recognition and focus on risk management, ethics, and transparency provide a credible pathway to demonstrate alignment with the core requirements of regulations like the EU AI Act. Adopting ISO 42001 is a proactive measure to mitigate AI-related risks, build stakeholder trust, gain a competitive edge, and simplify navigation of diverse regulatory expectations.

Implementing such a comprehensive management system alongside other compliance demands can be resource-intensive. This is where integrated solutions like the Daiki method offer a distinct advantage. Daiki's tools are designed to provide US companies with a practical and efficient means to implement ISO 42001, prepare for EU AI Act compliance, and manage related security and sectoral requirements in a unified manner. Strengthening your organization's AI governance is not merely an option; it is essential for sustainable innovation and global success. Embracing international standards like ISO/IEC 42001 provides a stable foundation for responsible AI adoption, regardless of future political or regulatory changes.

This article is a repost. It was first published on the Daiki blog on May 13, 2025, by Mauritz Kop, Co-Founder. For Daiki's ISO 42001 implementation framework, see dai.ki/iso-42001. Related coverage on AIRecht: the Daiki Quantum Governance Recipe (QT-QMS), the Daiki EU AI Act compliance solution, and the Daiki SB-53 Recipe.

Last updated: June 6, 2026.