Third-Party AI is Risky.
Minimize that Risk.

The EU AI Act establishes the world's first comprehensive legal framework for artificial intelligence. It categorizes AI systems based on risk levels (minimal, limited, high, and unacceptable risk), with stricter requirements for higher-risk applications. The Act prohibits certain AI uses considered harmful to fundamental rights, requires transparency for generative AI, and imposes obligations on high-risk AI providers. Adopted in March 2024, most provisions will apply by 2026, giving companies time to adapt their AI systems to comply with the new regulations.

New York City's Local Law 144, effective since July 2023, regulates the use of automated employment decision tools (AEDTs) in hiring and promotion decisions. It requires employers to conduct annual bias audits of these AI tools, publish results, and notify candidates about AI use in their application process. The law aims to prevent algorithmic discrimination by ensuring fairness and transparency in employment-related AI systems, with violations subject to civil penalties of up to $1,500 per day.

Colorado's SB21-169, enacted in 2021, addresses algorithmic discrimination in insurance practices. The law prohibits insurers from using external consumer data, algorithms, or predictive models that unfairly discriminate based on race, color, national origin, religion, sex, sexual orientation, disability, or other protected characteristics. Insurers must demonstrate that their AI systems and data sources do not result in unfair discrimination and must maintain records of their compliance for regulatory examination.

Part of Canada's Bill C-27 introduced in 2022, the Artificial Intelligence and Data Act (AIDA) aims to regulate high-impact AI systems through requirements for risk assessment, mitigation measures, and transparency. The Act establishes a framework for classifying AI systems based on impact levels, requires organizations to document how their AI systems operate, and gives the government authority to order cessation of high-risk AI use that could cause serious harm. Penalties for non-compliance can reach millions of dollars.

The NIST AI Risk Management Framework (RMF), released in January 2023, provides a voluntary, flexible approach to managing AI risks across the AI lifecycle. It outlines four core functions: govern, map, measure, and manage, helping organizations address trustworthiness concerns like fairness, accountability, transparency, and privacy. The framework includes implementation guidance for organizations of all sizes and sectors, enabling them to design, develop, deploy, and evaluate AI systems responsibly while fostering innovation.

ISO 42001, published in April 2023, is the first international standard for artificial intelligence management systems. It provides organizations with a structured framework to develop, implement, and continually improve AI management practices while addressing associated risks. The standard establishes requirements for governance, transparency, fairness, privacy, security, and technical robustness throughout the AI lifecycle. By following ISO 42001, organizations can demonstrate their commitment to responsible AI development and use, build stakeholder trust, ensure regulatory compliance, and create an organizational culture that promotes ethical AI innovation. The standard is applicable to organizations of all sizes across sectors, whether they develop or deploy AI systems.

The Federal Reserve's Supervisory Letter SR 11-7 on "Model Risk Management" has become a key standard for AI governance in financial institutions. Though created before modern AI's prominence, its principles apply directly to AI systems: sound model development, implementation, use, validation by qualified independent parties, and governance including policies, roles, and documentation. Financial institutions increasingly use this framework to manage risks associated with their AI applications, especially those affecting credit decisions.