Welcome back to The Current, where we cut through the noise to highlight the risk and third-party management updates that actually matter. As teams shift into year-end planning, AI governance is accelerating, not slowing down. Federal policymakers are signaling a move toward a national AI rulebook, while industry standards make it clear that “experimental” AI no longer gets a free pass. What happens at the top of the regulatory world is quickly landing on your risk and vendor oversight agenda.
From a potential federal AI preemption order to ISACA’s AI checklist signaling a shift to formal governance, a lot is changing as the year wraps up. We’ve distilled what matters, what it means for your program, and what to prioritize before year-end.
Let’s dive in.🌊
Quick Note: Risk Tide shares educational insights and our take on regulatory changes; this is not legal or compliance advice. Every organization is different, so always check with your legal or compliance teams. Think of us as your "practical" TPRM guide, not your lawyers.

ISACA’s AI Audit Toolkit offers a helpful reminder that AI is increasingly expected to fit within established governance and risk frameworks, and provides concrete checklists that can help organizations get their ducks in a row.
What’s changed: AI is now commonly expected to have clearer ownership, documented policies, and lifecycle oversight. Organizations benefit from understanding which AI systems are in use, what data they rely on, how decisions are made, and where accountability sits. The toolkit’s checklists offer a practical way to establish internal consistency against a recognized framework. AI risk is also being approached as an enterprise-wide consideration that touches governance, security, privacy, compliance, and ethics.
What didn’t change: AI still brings familiar challenges. Bias, data quality concerns, privacy exposure, transparency gaps, and model drift continue to require attention. Automation doesn’t eliminate responsibility; it can surface existing control gaps if governance isn’t well defined.
What it means for business: Managing AI like any other critical system, including third-party AI used on your behalf, supports consistency, compliance, and trust. The checklist can serve as a useful starting point for evaluating existing processes and understanding how third parties interact with your business operations. Clear governance helps reduce regulatory, operational, and reputational risk.
Translation: AI governance isn’t about reacting to a breaking issue; it’s about keeping pace. If AI is part of your environment, ISACA’s checklist provides a practical reference for assessing your own processes, creating internal alignment, and understanding how AI fits into your broader risk and vendor oversight program.

Potential For One US Rule Book
The Trump Administration may sign an executive order aimed at creating a single national standard for AI, preempting most state-level AI laws.
What changed: The White House is signaling a shift toward a national view of AI regulation, with the federal government preparing to assert primary authority. A proposed executive order would preempt certain state and local AI laws that conflict with a new federal framework, potentially tying compliance expectations to federal funding. This move could help make regulatory consistency a reality, even if compliance itself does not necessarily become easier. There is also discussion of an AI Litigation Task Force designed to challenge state regulations viewed as incompatible with federal policy, signaling a more centralized and assertive approach to AI oversight.
What didn’t change: Preemption doesn’t eliminate risk; it redistributes it. Concerns around algorithmic bias, privacy, and consumer protection remain, and organizations should expect requirements similar to those emerging in the EU and certain U.S. states. States would also have fewer tools to address localized harms.
What it means for business: Companies may benefit from reduced regulatory fragmentation and clearer national rules, but should not assume compliance becomes simpler. Federal oversight is likely to bring its own enforcement priorities, reporting expectations, and litigation exposure. The key question for organizations is whether the controls and processes they’ve already built to meet state-level requirements are ready to scale to national applicability.
Translation: This isn’t deregulation; it’s consolidation. A single federal lens may improve consistency, but the bar for AI governance is unlikely to be lower.
Where in the world is Garit?
Risk Tide co-founder (and frequent flyer) Garit Gemeinhardt is always on the move, so we’ve decided to keep track of his travels.
This week’s destination: Zurich, Switzerland 🇨🇭⛰️
Feeling the Holiday Hustle?
Our Holiday Office Playlist on Spotify delivers just the right mix of seasonal cheer and productivity vibes to keep your team energized through the rest of December.