Eight Governance Themes from 2025 Reveal Widening Gaps Between Regulatory Ambition and Enterprise Readiness
What happened
Oliver Patel's AI Governance in 2025: a year in review, published July 7, 2026, synthesizes eight significant AI governance developments that shaped the compliance landscape during the prior year. The review covers the emergence of new US state AI laws, the progression of ISO/IEC 42006 as a formal audit standard for AI management systems, and iterative drafts of the EU AI Code of Practice, all of which moved faster than many enterprise governance programs could absorb. Patel identifies persistent gaps in frontier AI transparency requirements, noting that voluntary commitments from developers have not converged with the disclosure expectations now embedded in emerging legislation. The analysis is framed explicitly around the practical implications for enterprise compliance teams, making it a useful checkpoint for programs that have been tracking individual regulatory items in isolation rather than as a system of interlocking obligations.
Why it matters
- ·Compliance teams that have been tracking regulations individually are now exposed to interaction effects: US state laws, ISO/IEC 42006, and EU Code of Practice drafts create overlapping and sometimes conflicting audit, disclosure, and transparency obligations that require a unified mapping exercise rather than siloed responses.
- ·The emergence of ISO/IEC 42006 as a formal audit standard for AI management systems means that external auditors and certification bodies will soon apply a structured conformance lens to AI governance programs, raising the bar for documentation, internal audit capability, and management system design beyond what most current programs have built.
- ·Frontier AI transparency gaps identified in the review signal that regulators are moving toward mandatory disclosure requirements that vendor contracts and third-party risk assessments have not yet been designed to capture, creating procurement and vendor governance blind spots for organizations deploying large models.
Governance controls affected
What to do now
- ☐Conduct a cross-jurisdictional mapping exercise that places your current controls against US state laws active as of 2025, ISO/IEC 42006 audit requirements, and the EU AI Code of Practice obligations simultaneously, identifying any controls that satisfy one regime but are silent under another.
- ☐Review your third-party AI vendor contracts and risk assessment templates to determine whether they include disclosure and transparency requirements sufficient to satisfy emerging frontier AI transparency standards, and update them where gaps exist.
- ☐Assess whether your internal audit function has the technical competency and documentation standards required to support an ISO/IEC 42006 conformance review, and develop a readiness plan if significant gaps are present.
- ☐Update your AI model registry and associated documentation to capture the information fields that frontier AI transparency requirements are likely to demand, including training data summaries, capability claims, and safety evaluation results.
- ☐Brief your board AI governance committee on the compounding regulatory pressure identified in the 2025 review, and document the organization's current readiness posture and prioritized remediation plan as a formal board-level record.
What to watch next
Compliance teams should monitor the finalization of ISO/IEC 42006 and any associated certification scheme announcements, as these will set the audit standard against which AI management systems are formally evaluated by external parties. The EU AI Code of Practice is expected to reach a more settled state in 2026, and any convergence or divergence with ISO standards will have direct implications for organizations seeking to satisfy both simultaneously. US state-level AI legislation continues to accelerate, and the Commerce Department's evaluation of state AI laws may signal whether federal preemption efforts will reduce or sustain the current patchwork compliance burden.
