AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News
Research2026-07-08

Eight Governance Themes from 2025 Reveal Widening Gaps Between Regulatory Ambition and Enterprise Readiness

Source

AI Governance in 2025: a year in review

Oliver Patel Substack

What happened

Oliver Patel's AI Governance in 2025: a year in review, published July 7, 2026, synthesizes eight significant AI governance developments that shaped the compliance landscape during the prior year. The review covers the emergence of new US state AI laws, the progression of ISO/IEC 42006 as a formal audit standard for AI management systems, and iterative drafts of the EU AI Code of Practice, all of which moved faster than many enterprise governance programs could absorb. Patel identifies persistent gaps in frontier AI transparency requirements, noting that voluntary commitments from developers have not converged with the disclosure expectations now embedded in emerging legislation. The analysis is framed explicitly around the practical implications for enterprise compliance teams, making it a useful checkpoint for programs that have been tracking individual regulatory items in isolation rather than as a system of interlocking obligations.

Why it matters

  • ·Compliance teams that have been tracking regulations individually are now exposed to interaction effects: US state laws, ISO/IEC 42006, and EU Code of Practice drafts create overlapping and sometimes conflicting audit, disclosure, and transparency obligations that require a unified mapping exercise rather than siloed responses.
  • ·The emergence of ISO/IEC 42006 as a formal audit standard for AI management systems means that external auditors and certification bodies will soon apply a structured conformance lens to AI governance programs, raising the bar for documentation, internal audit capability, and management system design beyond what most current programs have built.
  • ·Frontier AI transparency gaps identified in the review signal that regulators are moving toward mandatory disclosure requirements that vendor contracts and third-party risk assessments have not yet been designed to capture, creating procurement and vendor governance blind spots for organizations deploying large models.

Governance controls affected

What to do now

  • Conduct a cross-jurisdictional mapping exercise that places your current controls against US state laws active as of 2025, ISO/IEC 42006 audit requirements, and the EU AI Code of Practice obligations simultaneously, identifying any controls that satisfy one regime but are silent under another.
  • Review your third-party AI vendor contracts and risk assessment templates to determine whether they include disclosure and transparency requirements sufficient to satisfy emerging frontier AI transparency standards, and update them where gaps exist.
  • Assess whether your internal audit function has the technical competency and documentation standards required to support an ISO/IEC 42006 conformance review, and develop a readiness plan if significant gaps are present.
  • Update your AI model registry and associated documentation to capture the information fields that frontier AI transparency requirements are likely to demand, including training data summaries, capability claims, and safety evaluation results.
  • Brief your board AI governance committee on the compounding regulatory pressure identified in the 2025 review, and document the organization's current readiness posture and prioritized remediation plan as a formal board-level record.

What to watch next

Compliance teams should monitor the finalization of ISO/IEC 42006 and any associated certification scheme announcements, as these will set the audit standard against which AI management systems are formally evaluated by external parties. The EU AI Code of Practice is expected to reach a more settled state in 2026, and any convergence or divergence with ISO standards will have direct implications for organizations seeking to satisfy both simultaneously. US state-level AI legislation continues to accelerate, and the Commerce Department's evaluation of state AI laws may signal whether federal preemption efforts will reduce or sustain the current patchwork compliance burden.

Related Coverage

Research2026-06-30

EU-US Regulatory Divergence on AI Creates Structural Compliance Gaps for Multinational Enterprises

A December 2024 analysis from the Oxford Internet Institute examines accelerating fragmentation in global AI governance, highlighting the EU Code of Practice for general-purpose AI and divergent US-EU approaches to agentic AI as the central compliance challenge. The research identifies ISO and OECD standards as the primary coherence mechanism available to enterprises operating across jurisdictions. Compliance teams at multinational organizations face structural gaps where no single regulatory framework covers the full scope of their AI deployments.

Research2026-07-04

Voluntary AI Commitments Are Not Enough: Brookings Calls on G7 to Make Behavioral Standards Legally Enforceable

A June 2025 analysis from the Brookings Institution, authored by Tom Wheeler, argues that G7 nations should accept the international AI standards framework on offer but convert its voluntary commitments into binding, enforceable obligations. The piece calls for inclusive standards-setting that incorporates governments and civil society, not just industry. For enterprise compliance teams, the central implication is that behavioral AI standards currently treated as voluntary benchmarks may soon carry legal weight across the world's largest economies.

Research2026-06-19

ITU 2025 AI Governance Report Sets Benchmarks for Adaptive, Cross-Jurisdictional Compliance Programs

The International Telecommunication Union has published its Annual AI Governance Report 2025, calling for proactive, inclusive, and adaptive governance frameworks for AI systems deployed across jurisdictions. The report, issued under UN auspices and aligned with ISO and OECD standards, provides authoritative benchmarks that enterprise compliance programs can use to assess maturity and identify gaps. It emphasizes cross-functional governance structures, continuous policy updating, and structured risk assessment as core enterprise requirements.