{"id":40123,"date":"2026-07-07T01:31:13","date_gmt":"2026-07-07T01:31:13","guid":{"rendered":"https:\/\/www.insentragroup.com\/nz\/insights\/uncategorized\/a-new-regulatory-landscape-is-taking-shape\/"},"modified":"2026-07-07T06:26:17","modified_gmt":"2026-07-07T06:26:17","slug":"a-new-regulatory-landscape-is-taking-shape","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/not-geek-speak\/generative-ai\/a-new-regulatory-landscape-is-taking-shape\/","title":{"rendered":"A New Regulatory Landscape Is Taking Shape"},"content":{"rendered":"\n<p>The regulatory environment for artificial intelligence is evolving faster than most enterprise compliance frameworks can absorb. Technology and security leaders who are waiting for the dust to settle before acting are already behind. The organisations that will navigate this landscape well are those building governance structures today &#8211; structures flexible enough to adapt as regulations mature.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Major Frameworks You Need to Know&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">EU AI Act&nbsp;<\/h3>\n\n\n\n<p>The European Union&#8217;s AI Act is the world&#8217;s first comprehensive AI regulation, and its reach extends well beyond Europe. Any organisation serving EU customers or&nbsp;operating&nbsp;with EU-based employees must understand it.&nbsp;<\/p>\n\n\n\n<p>The Act classifies AI systems by risk:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Unacceptable risk<\/strong>\u202f(prohibited): social scoring, AI using subliminal, manipulative, or deceptive techniques to distort behaviour causing significant harm, or AI that exploits vulnerabilities such as age, disability, or socioeconomic status to distort behaviour, real-time remote biometric identification in public spaces (prohibited in principle, with narrow law enforcement exceptions under strict conditions)<\/li>\n\n\n\n<li><strong>High risk<\/strong>\u202f(heavily regulated): AI used in employment decisions, credit scoring, critical infrastructure, law enforcement<\/li>\n\n\n\n<li><strong>Limited risk<\/strong>: chatbots and systems that must&nbsp;disclose&nbsp;their AI nature<\/li>\n\n\n\n<li><strong>Minimal risk<\/strong>: most AI applications, with light-touch obligations&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>For most enterprise AI deployments &#8211; HR tools, customer service automation, procurement AI &#8211; the\u202f<strong>high-risk<\/strong>\u202fcategory is where CISOs need to focus. High-risk systems require conformity assessments, technical documentation, human oversight mechanisms, and registration in a central EU database.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">NIST AI Risk Management Framework (AI RMF)&nbsp;<\/h2>\n\n\n\n<p>The US National Institute of Standards and Technology released the AI RMF in 2023 as a voluntary framework for managing AI risks. While not legally binding, it is beginning to be referenced in some government procurement contexts and sector-specific guidance in the US.&nbsp;<\/p>\n\n\n\n<p>The AI RMF organises around four functions:\u202f<strong>Govern, Map, Measure, Manage<\/strong>. CISOs should pay particular attention to the Govern function, which addresses organisational policies, accountability structures, and culture &#8211; the foundations that everything else rests on.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ISO\/IEC 42001&nbsp;<\/h2>\n\n\n\n<p>The ISO 42001 standard&nbsp;establishes&nbsp;requirements for an\u202f<strong>AI Management System (AIMS)<\/strong>\u202f- the AI equivalent of ISO 27001 for information security. It provides a certifiable framework that organisations can use to&nbsp;demonstrate&nbsp;responsible AI management to customers, regulators, and partners.&nbsp;<\/p>\n\n\n\n<p>For CISOs who have implemented ISO 27001, ISO 42001 will feel familiar. It follows the same high-level structure (HLS), making integration with existing management systems straightforward.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What Governance Structures Do You Actually Need?&nbsp;<\/h3>\n\n\n\n<p>Regulation sets the floor. Good governance aims higher.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AI Inventory and Risk Classification&nbsp;<\/h3>\n\n\n\n<p>You cannot govern what you cannot see. The foundation of any AI governance programme is a comprehensive inventory of AI systems: every model, every AI-assisted workflow, every automated decision system&nbsp;operating&nbsp;in your environment.&nbsp;<\/p>\n\n\n\n<p>For each system, document:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The intended use case and the actual use (these often diverge)&nbsp;<\/li>\n\n\n\n<li>The data it accesses and the outputs it produces&nbsp;<\/li>\n\n\n\n<li>The risk classification under relevant frameworks&nbsp;<\/li>\n\n\n\n<li>The owner and accountable executive&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Accountability Chains&nbsp;<\/h2>\n\n\n\n<p>The EU AI Act, ISO 42001, and the NIST AI RMF all emphasise accountability. Someone must&nbsp;be responsible for&nbsp;each AI system &#8211; its safety, its performance, its compliance. In practice, this means:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A designated\u202f<strong>AI Owner<\/strong>\u202ffor each system (typically a business unit leader)<\/li>\n\n\n\n<li>A\u202f<strong>Technical Accountability Lead<\/strong>\u202f(often from IT or data science)<\/li>\n\n\n\n<li><strong>Executive sponsorship<\/strong>\u202fat the CISO or CTO level for high-risk systems&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Policies You Need to Write Now&nbsp;<\/h2>\n\n\n\n<p>If you do not have these policies, you are not ready for an AI audit:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>AI Acceptable Use Policy<\/strong>\u202f- what employees can and cannot use AI for&nbsp;<\/li>\n\n\n\n<li><strong>AI Procurement Policy<\/strong>\u202f- what due diligence is&nbsp;required&nbsp;before adopting a new AI tool&nbsp;<\/li>\n\n\n\n<li><strong>AI Incident Response Procedure<\/strong>\u202f- how you respond when an AI system causes harm or behaves unexpectedly&nbsp;<\/li>\n\n\n\n<li><strong>AI Data Usage Policy<\/strong>\u202f- what data can be sent to AI systems (including third-party AI APIs)&nbsp;<\/li>\n\n\n\n<li><strong>AI Transparency Policy<\/strong>\u202f- when and how you&nbsp;disclose&nbsp;AI use to customers and regulators&nbsp;<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Audit and Monitoring&nbsp;<\/h2>\n\n\n\n<p>Governance without monitoring is theatre. Your AI governance programme needs:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regular algorithmic audits<\/strong>\u202ffor high-risk systems &#8211; at minimum annually, ideally on a rolling basis&nbsp;<\/li>\n\n\n\n<li><strong>Performance monitoring<\/strong>\u202ffor drift and degradation&nbsp;<\/li>\n\n\n\n<li><strong>Incident logging<\/strong>\u202f- every AI-related near-miss, failure, or complaint must be captured&nbsp;<\/li>\n\n\n\n<li><strong>Third-party AI vendor assessments<\/strong>\u202f- your AI providers must meet your governance standards, not just your own internal tools&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">The CISO&#8217;s Role in AI Governance&nbsp;<\/h2>\n\n\n\n<p>AI governance is not a compliance team problem that occasionally touches security. It is a security problem that requires compliance&nbsp;expertise.&nbsp;<\/p>\n\n\n\n<p>CISOs bring exactly what AI governance needs: a risk-based mindset, experience with complex regulatory environments, and the authority to enforce standards across business units.&nbsp;<\/p>\n\n\n\n<p>The most effective AI governance programmes place the CISO in a central coordinating role &#8211; not as a blocker, but as the architect of a framework that lets the business use AI at speed without stumbling into regulatory, reputational, or security risk.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Competitive Advantage of Getting This Right&nbsp;<\/h2>\n\n\n\n<p>Organisations that build robust AI governance frameworks gain something beyond compliance: they gain trust. Trust from customers who need to know their data is&nbsp;handled responsibly. Trust from regulators who see a mature organisation. Trust from partners who are making their own AI governance decisions.&nbsp;<\/p>\n\n\n\n<p>Insentra&nbsp;works with CISOs and technology leaders to design AI governance frameworks that satisfy regulatory requirements without slowing the business down.&nbsp;<a href=\"https:\/\/www.insentragroup.com\/nz\/contact\/\" target=\"_blank\" data-type=\"link\" data-id=\"https:\/\/www.insentragroup.com\/au\/contact\/\" rel=\"noreferrer noopener\">Contact<\/a> us&nbsp;to understand where your current posture stands and what a mature programme looks like.&nbsp;&nbsp;<\/p>\n\n\n\n<style>\nbody .blog-body h3 {\n  text-transform: none !important;\n}\n<\/style>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The regulatory environment for artificial intelligence is evolving faster than most enterprise compliance frameworks can absorb. Technology and security leaders who are waiting for the dust to settle before acting are already behind. The organisations that will navigate this landscape well are those building governance structures today &#8211; structures flexible enough to adapt as regulations&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/nz\/insights\/not-geek-speak\/generative-ai\/a-new-regulatory-landscape-is-taking-shape\/\">Continue reading <span class=\"screen-reader-text\">A New Regulatory Landscape Is Taking Shape<\/span><\/a><\/p>\n","protected":false},"author":67,"featured_media":40124,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[295],"tags":[],"class_list":["post-40123","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-generative-ai","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/40123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/users\/67"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/comments?post=40123"}],"version-history":[{"count":2,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/40123\/revisions"}],"predecessor-version":[{"id":40126,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/40123\/revisions\/40126"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media\/40124"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media?parent=40123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/categories?post=40123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/tags?post=40123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}