US AI Regulation Gathers Pace, NIST Updates RMF

Federal agencies are lining up new AI guardrails, and NIST just sharpened the playbook.

The Federal Register has begun to reflect a more active policy cadence around artificial intelligence, signaling that rulemaking is moving beyond talk to formalized governance considerations. While most entries at this stage are notices and requests for comment rather than binding rules, observers say the trend matters: it creates the scaffolding for what compliance could look like for vendors, contractors, and agencies in the near term. In practice, this means risk management, transparency, and accountability are becoming more visible in federal decision-making, even before specific penalties or enforcement teeth exist.

Meanwhile, the National Institute of Standards and Technology is refreshing its AI risk management framework, a cornerstone reference for both government and industry. NIST positions the RMF as guidance for governance, measurement, and mitigation of model risk, bias, and deployment hazards across life cycles. The emphasis remains risk-based, focusing on what needs to be tracked, tested, and reported when AI systems are used publicly or in federal procurement. Although the RMF is described as voluntary guidance, its reach is quickly expanding through procurement clauses, vendor assessments, and agency pilots, making many players treat it as a de facto standard.

Civil liberties advocates for their part are watching the drift closely. The Electronic Frontier Foundation and allied groups have pushed back and forward on how such guardrails balance safety and privacy, stressing the need for meaningful transparency, user rights, and data minimization. The current cadence suggests an evolution toward more formal accountability, but advocates warn against creating a regime that is strong on paperwork and light on real checks for everyday users. The tension between technical safeguards and civil-liberties protections is a throughline in conversations tied to these regulatory signals.

Policy experts say the moment is less about a single rule than about a trajectory: a move from discretionary guidance to a framework that procurement offices, regulators, and developers can reference when designing and deploying AI. The practical effect for institutions is nuance: align development and testing with RMF-aligned risk reporting, prepare for more rigorous vendor due diligence, and anticipate future rules that could tighten what must be disclosed, how audits are conducted, and what accountability looks like for faulty or biased outcomes. For individuals, the shift could mean clearer explanations of how AI impacts public services and stronger expectations that government systems include checks for fairness and privacy.

What this means in the near term: the landscape remains a patchwork of guidance rather than a binding regime, but it is visibly steering how AI is evaluated and purchased in federal contexts. The stakes for compliance teams and product officers are real, even if the penalties and precise requirements are not yet codified.

What we're watching next in other

How quickly federal procurement language begins to require RMF-aligned processes and what that means for vendor risk ratings.

Whether any agency launches a public-facing AI risk disclosure or audit pilot that could foreshadow broader transparency requirements.

The balance between rigorous safeguards and practical deployment costs for organizations integrating AI into services.

Signals from congressional or agency dashboards about enforcement priorities or potential penalties tied to AI failures or bias.

The ongoing dialogue between civil liberties groups and regulators on privacy protections within AI governance.

Sources

Federal Register - AI

EFF Updates

NIST News