TL;DR: The EU AI Act and the US Executive Order on AI both push organisations toward AI TRiSM, with disclosure, documentation, risk assessment, and stakeholder accountability becoming core compliance duties, according to Lasso Security. The practical shift is that AI governance now has to join legal, procurement, privacy, and security into one operating model rather than a series of disconnected reviews.
NHIMG editorial — based on content published by Lasso Security: Achieving Compliance with AI TRiSM, the EU AI Act and US Executive Order on AI
Questions worth separating out
Q: How should organisations govern AI systems under new regulation?
A: Treat AI governance as a cross-functional control process, not a model-only review.
Q: Why do AI regulations create identity governance work?
A: Because AI services are now governed assets that can touch data, users, and downstream systems.
Q: What do organisations get wrong about AI compliance programmes?
A: They often stop at policy statements, committee formation, or vendor questionnaires.
Practitioner guidance
- Create a governed AI inventory: record every AI service, model, and vendor relationship with an owner, business purpose, data scope, and review date.
- Align legal, procurement, and security approval paths: use one intake process for new AI use cases so risk, privacy, and access questions are assessed together.
- Require evidence for transparency and logging controls: document how users are informed they are interacting with AI, how model outputs are traced, and what logs are retained for review.
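As an added example (not code from NHIMG or Lasso Security), a small governance check that audits a constructed AI inventory for the owner, purpose, data scope, review date, disclosure and logging evidence listed above; the record format and field names are assumptions, and the three records are constructed samples:

```python
from datetime import date

# Constructed sample AI inventory (not data from the article): one record per
# AI service, model or vendor relationship, with the governance fields above.
INVENTORY = [
    {"name": "support-chatbot", "owner": "cx-lead", "purpose": "customer support",
     "data_scope": ["ticket text", "customer email"], "review_date": "2024-03-01",
     "user_disclosure": True, "output_tracing": True, "log_retention_days": 365},
    {"name": "contract-summariser", "owner": "", "purpose": "legal review",
     "data_scope": ["contracts"], "review_date": "2026-01-15",
     "user_disclosure": False, "output_tracing": True, "log_retention_days": 90},
    {"name": "vendor-llm-gateway", "owner": "procurement", "purpose": "",
     "data_scope": [], "review_date": "not-a-date",
     "user_disclosure": True, "output_tracing": False, "log_retention_days": 0},
]

REQUIRED_FIELDS = ("owner", "purpose", "data_scope", "review_date")

def check_record(rec, today):
    """Return the list of governance gaps for one inventory record."""
    gaps = []
    for field in REQUIRED_FIELDS:
        if not rec.get(field):          # empty string, empty list or absent
            gaps.append(f"missing {field}")
    try:
        if date.fromisoformat(rec.get("review_date", "")) < today:
            gaps.append("review overdue")
    except ValueError:                  # unparseable date; absence is already flagged
        if rec.get("review_date"):
            gaps.append("unparseable review_date")
    if not rec.get("user_disclosure"):
        gaps.append("no AI-interaction disclosure evidence")
    if not rec.get("output_tracing"):
        gaps.append("model outputs not traceable")
    if rec.get("log_retention_days", 0) <= 0:
        gaps.append("no log retention set")
    return gaps

def audit(inventory, today_iso):
    """Map each service name to its gaps; an empty list means no gap found."""
    today = date.fromisoformat(today_iso)
    return {rec["name"]: check_record(rec, today) for rec in inventory}

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY, "2025-06-01").items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Any record with an empty owner is the accountability gap the editorial warns about; the check surfaces it before a regulator does.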
What's in the full article
Lasso Security's full blog post covers the operational detail this post intentionally leaves for the source:
- A closer breakdown of the EU AI Act risk categories and how they map to different deployment scenarios.
- The article's specific view of how AI TRiSM technologies support compliance workflows and policy enforcement.
- The vendor's recommendations for building cross-functional AI task forces across legal, procurement, privacy, and security.
- The article's discussion of how GDPR alignment can support AI governance efforts in practice.
EU AI Act and US AI order: what changes for AI governance?
Explore further
AI regulation is turning model governance into identity governance. The article shows that compliance is no longer limited to model safety statements or policy language. Once disclosure, documentation, and accountability are required, the organisation must know which AI services exist, who approves them, and what they can access. That makes AI TRiSM a governance discipline shared by legal, security, procurement, and IAM teams, not a standalone AI programme.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- Another finding from our research: only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same report.
A question worth separating out:
Q: Who is accountable when an AI system violates policy or privacy rules?
A: Accountability should sit with the business owner, the security approver, and the vendor relationship owner, not with a generic AI task force alone. If a system is deployed without a clear owner and review path, the organisation has created an accountability gap that regulatory scrutiny will expose.