If AI is the new electricity, the world is still arguing over the voltage.

On one side, you have the European Union dropping the EU AI Act, the first full-blown law that tries to regulate everything from high-risk medical AI to frontier models behind tools like ChatGPT, Claude, and Gemini. On another, the U.S. is leaning heavily on a “voluntary but influential” playbook from its standards body, NIST. Meanwhile, UNESCO, the G7, and ISO are busy writing global ethics principles and management standards.

None of these groups fully agree, yet all of them want their rules to become the default. That tension is what people are starting to call the AI standards wars – a quiet but high‑stakes fight over who gets to define “trustworthy AI” for the entire planet.

If you are shipping AI products, using vendor models in your stack, or just trying to stay ahead of regulation, this is not an abstract policy debate. The frameworks and standards that win will shape what you are allowed to build, how you must document and test it, and even whether you can offer your product in key markets like the EU.

What Do “AI Standards” Actually Mean?

First, it helps to separate a few layers that often get blurred together:

  • Hard law – binding regulations like the EU AI Act, which entered into force on 1 August 2024 and phases in over several years as the world’s first comprehensive AI law.
  • Soft standards and frameworks – guidance like the NIST AI Risk Management Framework (AI RMF) in the U.S., which is technically voluntary but already being used by companies as a de facto baseline.
  • Ethical principles and recommendations – global reference points like UNESCO’s 2021 Recommendation on the Ethics of AI, adopted by all 194 UNESCO member states as the first worldwide standard on AI ethics.
  • Technical management standards – things like ISO/IEC 42001, a management system standard for AI that organizations can certify against, designed to align with risk management and governance requirements in the EU AI Act.

When people talk about who “sets the rules,” they are really talking about who dominates across these layers: who sets the law, who sets the technical baseline others copy, and whose ethics language gets embedded into contracts, audits, and product requirements.

The EU AI Act: Brussels Aims to Export Its Rulebook

The EU AI Act is the most ambitious attempt so far to hard‑code AI rules into law. It uses a risk-based approach:

  • Unacceptable risk systems (for example, social scoring by governments) are banned.
  • High-risk AI (think credit scoring, employment screening, medical devices, critical infrastructure) must meet strict requirements around risk management, data quality, documentation, and human oversight.
  • General‑purpose and frontier models – the sort that power tools like ChatGPT – face transparency and safety obligations, especially if they exceed certain compute thresholds.

The Act entered into force in August 2024 and is phasing in over roughly three years, with bans on the most harmful systems coming first, followed by full obligations for high‑risk and general‑purpose AI providers. For you, that means:

  • If you place AI systems on the EU market, you will eventually have to align with this law, even if you are based elsewhere.
  • Even if you only use third‑party tools (ChatGPT, Claude, Gemini, etc.), your procurement and risk processes will be judged against its logic.

Critically, the EU is not just writing rules for Europe. It is following a “Brussels effect” play: set strict rules for a massive market and let global providers decide it’s easier to comply everywhere than maintain separate versions. The same thing happened with GDPR and is already showing up in how big AI labs talk about safety and transparency for their models.

The U.S. Approach: NIST as a Quiet Power Broker

The United States does not (yet) have a single comprehensive AI law like the EU. Instead, it is leaning hard on standards and guidance, with the National Institute of Standards and Technology (NIST) playing a pivotal role.

In January 2023, NIST released the AI Risk Management Framework (AI RMF 1.0) – a voluntary guide that helps organizations “map, measure, manage and govern” AI risks across the lifecycle of a system. It offers:

  • A definition of “trustworthy AI” (valid, reliable, safe, secure, explainable, accountable, fair, and privacy‑enhancing).
  • A set of core functions (Map, Measure, Manage, Govern) that companies can build into their AI pipelines.
  • Shared terminology that regulators, auditors, and vendors can all use.

Even though it is voluntary, U.S. federal agencies and many private companies are already using the AI RMF as their reference template for AI governance and vendor due diligence. Industry groups have explicitly urged the U.S. government to keep the framework as a central pillar for AI risk policy because, in the absence of hard federal law, it is the closest thing to a national standard.

For you, the NIST AI RMF matters because:

  • It is increasingly the language of AI risk you will see in RFPs, audits, and security questionnaires.
  • It is relatively compatible with the EU’s risk‑based approach, making it a practical bridge if you operate globally.

Global Bodies: UNESCO, G7, OECD and the Ethics Layer

Beyond specific countries or regions, several multilateral bodies are shaping how the world talks about AI ethics and safety.

  • In 2021, UNESCO adopted its Recommendation on the Ethics of Artificial Intelligence, the first global normative instrument on AI ethics. All 194 member states committed to align their national AI policies with its principles around human rights, transparency, accountability, and environmental sustainability.
  • The G7 Hiroshima Process on Generative AI produced guiding principles and a voluntary code of conduct for advanced AI developers in 2023, aimed at frontier models and generative AI risks like misinformation and systemic bias.
  • The OECD AI Principles, originally adopted in 2019, are still widely cited and have influenced both the EU AI Act and various national strategies.

These are not laws. But when UNESCO, the G7, or the OECD define what counts as “human‑centric AI” or “responsible AI,” their language shows up in national strategies, corporate responsibility reports, and sometimes the preambles of binding legislation.

In practice, that means if you align your internal policies with UNESCO and OECD principles today, you are less likely to be wildly out of step with tomorrow’s laws.

Technical Standards: ISO/IEC 42001 and Company‑Level Governance

On the more technical side, ISO and IEC (international standards bodies) are creating the plumbing that lets auditors, certifiers, and risk officers test whether your AI claims are real.

A standout example is ISO/IEC 42001, an international standard published in 2023–2024 that defines an AI management system – think of it as ISO 27001 (information security), but for AI governance. It is designed to be compatible with the EU AI Act’s requirements for high‑risk systems, including risk management, data governance, documentation, and human oversight.

Why this matters for you:

  • If ISO/IEC 42001 certifications become common, your customers may start asking whether your AI program is certified, just like they ask for ISO 27001 or SOC 2 today.
  • It gives you a structured way to operationalize all the high‑level principles coming from governments and global bodies.

In other words, while politicians argue on TV, ISO quietly writes the checklists that your compliance team will live with.

Big Tech and Frontier Labs: De Facto Standards by Code

While governments and standards bodies draft documents, AI labs and platforms are setting their own, sometimes competing, standards in code and policy.

  • OpenAI changes the usage policies and safety filters for ChatGPT and its APIs.
  • Anthropic embeds a “constitution” of principles into Claude’s training and moderation pipeline.
  • Google sets red lines and safety constraints in Gemini and its underlying policies.

Because millions of developers build on top of these platforms, their choices about red‑teaming, transparency, content moderation, and safety interfaces become de facto standards. If the Gemini API blocks certain medical use cases, or Anthropic requires particular disclosures for autonomous agents, those decisions ripple through the entire downstream ecosystem.

As governments move faster, you are seeing more explicit cross‑pollination:

  • Labs publicly commit to government‑backed safety processes (for example, G7 codes of conduct).
  • Companies adopt NIST AI RMF language and EU AI Act categories in their own documentation and dashboards.
  • Cloud providers build “compliance modes” into their AI offerings that pre‑wire certain logging, testing, and documentation steps.

So… Who Actually Sets the Rules?

There is no single referee here. Instead, AI standards are emerging from a tug‑of‑war among:

  • The EU, leveraging legal power and market size to export the AI Act model.
  • The U.S., projecting influence through NIST frameworks, sector‑specific rules, and the gravitational pull of its tech industry.
  • Global organizations like UNESCO, the OECD, and the G7, which coordinate ethical principles and safety guidelines.
  • Technical bodies (ISO/IEC, IEEE, national standards agencies) that translate principles into certifiable checklists.
  • AI labs and platforms, whose APIs, policies, and tooling shape what is actually easy or hard for you to build.

In practice, the “winner” is likely to be a patchwork consensus:

  • The EU AI Act will anchor global legal minimums for many high‑risk and frontier AI uses.
  • NIST and ISO standards will define how organizations operationalize risk management and governance.
  • UNESCO/OECD/G7 principles will keep pulling the conversation back to human rights and societal well‑being.
  • Major platforms (OpenAI, Anthropic, Google, Meta, etc.) will continue to set interaction‑level rules for what everyday AI applications can do.

What You Should Do Now

You do not need to become an AI lawyer, but you cannot ignore the standards wars either. Three concrete moves you can start on right away:

  1. Pick a primary framework and map your AI systems to it.
    For most organizations, that means using the NIST AI RMF or ISO/IEC 42001 as your backbone, then layering on EU AI Act requirements if you touch the EU. Start by inventorying where you already use AI – from recommendation engines to internal copilots – and rating their risk levels.

  2. Align your internal language with emerging global principles.
    Use terms like “trustworthy AI,” “human oversight,” and “risk‑based approach” the way NIST, the EU AI Act, and UNESCO define them. That shared vocabulary will make it much easier to work with regulators, customers, and auditors as rules tighten.

  3. Pressure your AI vendors and teams for standards‑aware practices.
    When you adopt tools like ChatGPT, Claude, or Gemini, ask: How are they aligning with NIST, the EU AI Act, and UNESCO ethics guidance? What documentation, logs, and controls can they expose to you? Build those expectations into contracts and internal guidelines now, before they are forced on you by regulation later.

The AI standards wars are not about abstract policy turf. They are about who decides what you can build, how safely you must build it, and which markets you are allowed to play in. The sooner you plug into that ecosystem of rules, the less likely you are to be blindsided as the new AI rulebook hardens into place.