Frequently Asked Questions (FAQ)

Defensible Intelligence, ISO 42001, and the US Regulatory Landscape

Last Updated: December 2025

1. About Validus AI Partners

Q: What is Validus AI Partners? Validus AI Partners is a boutique governance consultancy based in Chicago, IL, specializing in Defensible Intelligence. We bridge the gap between AI experimentation and regulated deployment. Unlike generalist IT firms or “Certificate Mills,” we focus exclusively on the operational architecture required to certify AI systems under ISO/IEC 42001 and comply with emerging regulations like Colorado SB 205 and the EU AI Act.

Q: What do you mean by “Defensible Intelligence”? “Defensible Intelligence” is the practice of building AI systems that can survive a regulatory audit or a liability lawsuit. It moves beyond “ethical intent” to evidence-based governance. A system is defensible only if its decision-making lineage, training data provenance, and risk controls are documented, traceable, and validated against an external standard (such as ISO 42001).

Q: How does Validus differ from the “Big 4” consultancies? We operate on a “Practitioner-Born” model. Our principal partners are not career auditors; they are architects who have built and deployed AI products in Fortune 100 environments. While the Big 4 (Deloitte, KPMG, etc.) offer broad transformation services, Validus acts as a specialized tactical unit focused on speed-to-certification and specific risk remediation. We do not sell “transformation”; we sell audit readiness.

2. ISO/IEC 42001: The Global Standard

Q: What is ISO/IEC 42001:2023? ISO/IEC 42001:2023 is the world’s first globally recognized standard for an Artificial Intelligence Management System (AIMS). Much like ISO 27001 is the gold standard for Information Security, ISO 42001 provides the framework for managing the specific risks of AI—including fairness, transparency, and autonomy. It is not a technical standard for one model; it is an organizational standard for governing all models.

Q: Is ISO 42001 mandatory in the United States? Currently, ISO 42001 is voluntary but rapidly becoming a de facto market requirement. Just as SOC 2 became mandatory for SaaS vendors to close enterprise deals, ISO 42001 is becoming the “license to trade” for AI vendors selling to regulated industries (Healthcare, Finance, Insurance). Furthermore, certified adherence to ISO 42001 serves as a strong affirmative defense in liability litigation under laws like Colorado SB 205.

Q: We are already ISO 27001 certified. Do we need ISO 42001? Yes. ISO 27001 secures the infrastructure (the servers and data), but it does not address the model behavior (the decisions and logic). However, because both standards use the Harmonized Structure (Annex SL), organizations with ISO 27001 are typically 30-40% of the way toward ISO 42001 compliance. Validus specializes in this “Certification Bridge,” helping firms leverage their existing security posture to accelerate AI governance.

3. NIST AI RMF & The US Framework

Q: What is the NIST AI Risk Management Framework (AI RMF)? The NIST AI RMF 1.0 is a voluntary guidance framework produced by the U.S. National Institute of Standards and Technology. Unlike ISO 42001, which is a certifiable management system, NIST AI RMF is a risk assessment methodology. It breaks governance down into four functions: Govern, Map, Measure, and Manage. It is widely respected as the technical baseline for US federal agencies and contractors.

Q: How does the NIST AI RMF relate to ISO 42001? They are complementary, not competing. Think of ISO 42001 as the “Chassis” (the management structure, policy, and audit cycle) and NIST AI RMF as the “Engine” (the specific risk assessment tactics used inside that structure).

  • Validus Approach: We use the NIST AI RMF “Map and Measure” functions to satisfy the risk assessment requirements found in Clause 6.1 of ISO 42001.

4. The US Regulatory Landscape (2026 Outlook)

Q: Is there a federal AI law in the United States? As of early 2026, there is no single comprehensive federal “AI Act” comparable to the EU’s legislation. However, AI is regulated through a “patchwork” of authority:

  • Executive Order 14110: Mandates rigorous testing for “dual-use foundation models.”
  • Federal Agencies: The FTC, SEC, and CFPB have all declared that existing laws on discrimination and fraud apply to AI.
  • State Law: States are filling the vacuum, with Colorado, California, and New York leading the way.

Q: What is Colorado SB 205 (The Colorado AI Act)? The Colorado Artificial Intelligence Act (SB 205) is the first comprehensive US state law governing “High-Risk AI Systems.” Effective February 1, 2026, it requires developers and deployers of high-risk AI (decisions affecting employment, housing, insurance, etc.) to:

  1. Complete annual impact assessments.
  2. Notify consumers when AI is being used.
  3. Implement a risk management policy (like ISO 42001).

  • Critical Note: The law offers a rebuttable presumption of compliance if the company follows a recognized framework (like NIST AI RMF or ISO 42001). This makes certification a legal shield.

Q: Does the EU AI Act affect US companies? Yes. The EU AI Act has extraterritorial reach. If a US company places an AI system on the EU market or if the output of the system is used in the EU, the company must comply. Validus advises US firms on mapping their current governance to meet the “High-Risk” requirements of Annex III of the EU AI Act.

5. Specific Methodologies

Q: What is an “Algorithmic Bias Audit”? A Bias Audit is an independent, third-party evaluation of an AI system’s output to verify that it does not discriminate against protected classes (race, gender, age). This is explicitly required by NYC Local Law 144 for automated employment decision tools (AEDTs) and is a core component of Colorado SB 205 compliance.

Q: What is “Human-in-the-Loop” (HITL)? HITL is a governance control where a human subject matter expert must review and validate an AI system’s recommendation before a final decision is executed. Under ISO 42001 Annex A, establishing clear criteria for when HITL is required (vs. full automation) is a critical control for high-stakes use cases in Healthcare and Finance.

For specific inquiries regarding your organization’s readiness, please visit Assess Your Readiness or contact our Chicago office.