AI regulations and governance gaps: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: AI regulation is shifting from policy discussion to real enforcement, with cases from Italy, the Netherlands, and China showing that privacy, explainability, and accountability failures now carry operational consequences, according to WitnessAI. The practical issue for IAM teams is that AI governance increasingly intersects with identity, access, logging, and lifecycle controls across human, NHI, and autonomous systems.

NHIMG editorial — based on content published by WitnessAI: What Are AI Regulations?

Questions worth separating out

Q: How should organisations govern AI systems under multiple regulatory regimes?

A: They should start with a single governance baseline for identity, access, logging, and approval evidence, then add local regulatory overlays for sector and jurisdiction requirements.

Q: Why do AI regulations matter to IAM and NHI teams?

A: Because many AI obligations depend on who accessed the system, what permissions they had, and whether the resulting actions can be traced.

Q: What do security teams get wrong about AI compliance?

A: They often treat AI compliance as a model review exercise and miss the surrounding identity and access layer.

Practitioner guidance

  • Map AI systems to regulatory risk tiers: Create an inventory that records where each AI system operates, what data it touches, which jurisdictions apply, and which approvals are required before deployment or change.
  • Tie AI evidence to identity records: Link model activity, prompt access, administrative access, and approval logs to named identities so explainability claims can be supported during audit or enforcement review.
  • Unify access review across AI and non-AI systems: Use one governance baseline for human users, service accounts, and AI-driven workflows so certification, offboarding, and exception handling remain consistent across regions.

What's in the full article

WitnessAI's full article covers the jurisdiction-by-jurisdiction detail this post intentionally leaves for the source:

  • Country-specific regulatory examples across the EU, US, Asia, and the Middle East for teams building global compliance maps
  • Named laws and frameworks such as the EU AI Act, NIST AI RMF, GDPR, and sector-specific statutes for direct reference during policy work
  • Practical compliance guidance for organisations that need to structure AI governance, documentation, and internal oversight
  • The AI Regulation Tracker resource, which helps teams monitor changing legislation and regulatory timelines

