AI Standards and Regulations: NIST, ISO, COBIT, and the EU AI Act

This sixteenth episode of the ISACA Advanced in AI Audit (AAIA) exam prep series surveys the wider ecosystem of guidance that surrounds AI — the best practices, frameworks, and laws auditors are expected to recognize. It frames where this guidance comes from, how the pieces fit together, and how organizations use them to stay compliant in a fast-moving regulatory landscape.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What are the three sources of AI best practices?

AI best practices are drawn from three main areas: academic research, industry standards, and government regulations. Because global laws are so new and mostly untested in courts, many companies rely on internal standards built by pulling together research, industry guidelines, and their own corporate experience to fill the legal gaps.

What are the key AI frameworks an auditor should know?

Six critical examples are ISO/IEC 23053, which gives a generic framework for machine learning systems; ISO/IEC 42001, focused on the AI management system for ethical use and continuous improvement; IEEE 7000-2021, which embeds human values, privacy, and fairness into system design; the OECD AI Principles, centering on transparency, inclusiveness, accountability, and sustainability; the NIST AI Risk Management Framework, which helps map, measure, and mitigate AI risks; and Singapore’s Model AI Governance Framework for responsible deployment.

How does the EU AI Act classify AI applications?

The proposed EU AI Act groups AI applications by their risk level. An AI that sorts spam email has a very low risk, while an AI that controls hospital medical equipment has a very high risk, and the law imposes much stricter rules on the higher-risk tools.

What is AI explainability?

Explainability is the ability to look at an AI output and easily understand exactly how the computer arrived at that answer. It is like a teacher needing to see a student’s written steps on a math test, not just the final number, so humans can hold the system accountable.

📚 Master the ISACA AAIA Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA AAIA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in AI Standards & Regulations: NIST, ISO, COBIT & EU AI Act.