CISO, Compliance Officer, CIO, Board
Industry relevance: Financial Services, Healthcare, Government
JULY 26, 2024
NIST published 400+ governance actions for generative AI in 2024. Most regulated organizations have implemented none of them systematically.
NIST AI 600-1, the Generative AI Profile companion to the AI Risk Management Framework, was released on July 26, 2024. Developed with input from a 2,500-person public working group, it identifies risks unique to generative AI and proposes more than 400 actions organized across the Govern, Map, Measure, and Manage functions of the AI RMF. It covers governance, content provenance, pre-deployment testing, and incident disclosure.
GOVERNANCE IMPLICATION
NIST AI 600-1 is the most comprehensive published governance framework for generative AI systems, developed with input from over 2,500 stakeholders. Its 400+ suggested actions cover the full AI lifecycle including governance structure, pre-deployment testing, content provenance, incident disclosure, and ongoing monitoring. The gap for most regulated organizations is not awareness of the framework — it is the absence of any systematic mapping between their current AI deployments and 600-1's governance actions. When a regulator or board asks which AI governance framework the organization follows, the absence of a coherent answer is itself a governance finding.
SCENARIO
A healthcare system's CISO is asked in a board meeting what governance framework applies to the organization's Microsoft 365 Copilot deployment. The CISO references the internal AI acceptable use policy. A board member who has read the NIST Generative AI Profile asks whether the policy addresses content provenance, pre-deployment bias assessment, and incident disclosure. The CISO commits to a gap analysis. The analysis takes eight weeks and reveals 23 unmapped NIST 600-1 governance actions in the current policy.
THE GOVERNANCE QUESTION
NIST AI 600-1 provides more than 400 suggested actions for organizations deploying generative AI. Most organizations deploying Microsoft 365 Copilot or Agent 365 are applying zero of them systematically. The framework is voluntary — until a regulator, a client, or a board asks which framework governs your AI deployment and your team cannot name one. What is your documented answer to that question today?
CONTROL GAP
Most organizational AI policies are written as acceptable use documents rather than as governance frameworks mapped to a recognized standard. NIST AI 600-1 provides that standard but requires the organization to perform the mapping — a process that rarely happens without a board or examiner prompt.
REGULATORY RELEVANCE
NIST AI RMF, HIPAA, SEC Cyber, FINRA
PRIMARY SOURCE
Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (NIST)
CONTINUE READING
MAY 19, 2026
Compliance: On May 19, 2026, the European Commission published draft guidelines on classifying high-risk AI systems under Article 6 of the EU AI Act and opened a stakeholder consultation running until June 23, 2026 (European Commission, Shaping Europe's Digital Future, May 19, 2026). Issued under Article 6(5), the three-part guidance covers general classification principles, the Annex I product-safety route, and the Annex III use-case route across eight domains including biometrics, employment, and essential services. The draft addresses anti-circumvention for modular and agentic systems and clarifies that human oversight under Article 14 does not by itself remove a system from the high-risk category.
MAY 8, 2026
Compliance: NIST published the final SP 800-70 Revision 5 on May 8, 2026 via CSRC, updating the National Checklist Program for IT Products. Revision 5 introduces expanded coverage for cloud platforms, IoT, and AI systems; enhanced mapping to NIST CSF 2.0 outcomes and SP 800-53 controls; explicit support for automated checklist formats; and detailed guidance for tailoring checklists to stand-alone, enterprise, and legacy environments. The document is intended for both checklist users and developers who participate in the National Checklist Program.
MAY 7, 2026
Compliance: On May 7, 2026, EU legislators reached political agreement on the Digital Omnibus revisions to the EU AI Act. The agreement introduces a 16-month postponement for most high-risk Annex III AI systems, covering employment screening, credit decisions, biometric identification, education, and law enforcement applications, moving the effective deadline to approximately December 2027. Product-embedded high-risk AI systems receive a 12-month postponement to approximately August 2027. Transparency obligations for AI-generated content shift to December 2026 (three-month delay only). The agreement remains subject to formal adoption by the European Parliament and Council. Source: European Commission digital-strategy.ec.europa.eu, updated May 2026.