ISO 42001 and U.S. state/local AI regulations
Not a silver bullet, but the best chance for comprehensive compliance.
While the European Union AI Act has been the biggest news in AI regulation, state and local governments in the United States have been rolling out their own rules too.
Businesses are increasingly struggling to comply with a web of new laws.
One potential answer: ISO 42001.
This AI governance certification framework is likely to become a “harmonised standard” under the EU AI Act, providing a presumption of compliance with certain articles. But what does ISO 42001 mean for compliance with U.S. state-level AI regulations?
Here are 3 examples:
Colorado SB-205
Passed in 2024, this law mentions the ISO 42001 standard by name.
Compliance with it can be an affirmative defense to some alleged violations (found during red-teaming or through responsible disclosure).
So this would be a clear-cut regulatory benefit of certification.
New York Local Law 144-21
Passed in 2021, it applies to companies making hiring decisions in New York City using AI tools.
The law requires “an impartial evaluation by an independent auditor” of an AI tool's “disparate impact” on an employment decision on the basis of protected characteristics.
An ISO 42001 audit is an impartial evaluation of an organization's AI Management System, rather than of an individual tool. So it might not qualify for this specific requirement.
With that said, employers using such AI tools must make available:
information about the type of data collected
the source of such data
their retention policy
Detailing these is a key part of control A7 in Annex A, so ISO 42001 can definitely prepare for (and serve as evidence of) compliance.
California SB-1047
Not yet law, but in its current form, the bill requires covered companies to put in place administrative, technical, and physical cybersecurity protections to prevent unsafe post-training modifications, unauthorized access, and misuse of covered models and all derivatives.
ISO 42001 (especially combined with ISO 27001) would absolutely help develop a process to meet these (and other) requirements.
Need help complying with the growing array of AI rules and regulations?
ISO 42001 (or any certification) is not a silver bullet for compliance with any law.
But it:
requires building a system to track/obey regulations
provides a defensible AI governance standard
builds trust with customers
Through our AIMS Accelerator, StackAware helps companies working in financial services, healthcare, and B2B SaaS achieve ISO 42001 certification.
Want to learn more?