1. Key terms
Governance terms used throughout this guide. Technical terms are in the Hardware and Software guides.
| Term | Definition |
|---|---|
| EU AI Act | Regulation 2024/1689. The world's first comprehensive AI law. Risk-based framework. Entered into force August 1, 2024. |
| High-risk AI | Under the EU AI Act, AI systems posing significant risk to health, safety, or fundamental rights. Includes AI in medical devices, vehicles, critical infrastructure, employment, law enforcement. |
| Machinery Regulation | EU Regulation 2023/1230. Replaces the old Machinery Directive. AI in machinery performing safety functions is automatically high-risk. |
| NIST AI RMF | National Institute of Standards and Technology AI Risk Management Framework. Voluntary US framework. Govern, Map, Measure, Manage. |
| CAISI | Center for AI Standards and Innovation. NIST division. Launched the AI Agent Standards Initiative in February 2026. |
| NCCoE | National Cybersecurity Center of Excellence. NIST division. Published a concept paper on AI agent security (comments closed April 2, 2026). Treats prompt injection as a security control problem. |
| ISO 10218 | International standard for industrial robot safety. The 2025 revision is the first since 2011; integrates ISO/TS 15066 (cobot safety) and adds cybersecurity requirements. |
| SAE J3016 | SAE International's driving automation taxonomy (Levels 0-5). Level 2 is partial automation (Tesla FSD), Level 4 is full automation within a geofence (Waymo), Level 5 does not exist. |
| NemoClaw | NVIDIA's security and governance layer for AI agents (GTC 2026). Monitors AI reasoning and enforces safety guardrails. "Inspects the intent of the AI's logic." |
| Safety case | A structured argument, supported by evidence, that a system is acceptably safe for its intended use. Required by the proposed SELF DRIVE Act. |
| Conformity assessment | The process of verifying that a product meets regulatory requirements. Self-assessment or third-party. High-risk AI in the EU requires third-party. |
| Product liability | Legal responsibility for harm caused by a product. EU's Revised Product Liability Directive (December 2026) formally recognizes software as a product. |
| MCP | Model Context Protocol. Anthropic's open standard. NIST mentions it as a candidate interoperability protocol in the Agent Standards Initiative. |
2. The four-layer model
Governance is the foundation layer. Everything above it (hardware, software, complete systems) operates within the boundaries that governance defines. Without governance, a robot arm is a liability lawsuit waiting to happen, an autonomous car is a weapon, and a surgical robot is a medical malpractice case.
3. Why governance is the least developed layer
Hardware is mature (servo motors have not fundamentally changed in decades). Software is advancing rapidly but has clear frameworks (ROS2, Isaac, LeRobot). Governance is where Physical AI has the biggest gap between what exists and what is needed.
What governance exists today
Robot safety standards (ISO 10218) for industrial arms. Vehicle safety rules (NHTSA / FMVSS) for cars. Medical device approval (FDA 510(k)) for surgical robots. EU AI Act for high-risk AI. These are sector-specific, well-established, and functional. They work for the systems they were designed for.
What governance is missing
No framework governs autonomous AI agents acting in the physical world. No standard for auditing world models (Cosmos, JEPA). No protocol for inspecting AI intent before physical action. No liability framework for when an AI agent autonomously causes harm. No governance for humanoid robots operating in human spaces. Only 14.4% of organizations have security controls for AI agents.
4. The regulatory landscape
Physical AI governance comes from multiple sources, each covering different aspects. No single authority governs the whole stack.
| Authority | Jurisdiction | What it covers | Key instrument |
|---|---|---|---|
| European Commission | EU (27 countries) | AI risk classification, product liability, machinery safety | EU AI Act, Machinery Regulation, Product Liability Directive |
| NIST | US (voluntary) | AI risk management, agent security, interoperability standards | AI RMF 1.0, AI Agent Standards Initiative, NCCoE |
| ISO / IEC | Global | Robot safety, functional safety, cybersecurity | ISO 10218, ISO 13849, ISO 13482, IEC 62443 |
| NHTSA / DOT | US | Vehicle safety, autonomous driving systems | FMVSS, AV STEP, SELF DRIVE Act (proposed) |
| FDA | US | Medical devices, surgical robots, Software as a Medical Device | 510(k), De Novo, PMA pathways |
| FAA | US | Drone airspace, commercial drone operations | Part 107, Remote ID, BVLOS waivers |
| OSHA | US | Workplace safety with robots | References ISO 10218, ANSI R15.06 |
| UNECE | Global | Vehicle automation type approval | UN Regulation 157 (ALKS), new Global Technical Regulation (January 2026) |
| China MIIT | China | Intelligent connected vehicles, humanoid robot standards | Mandatory safety standards (proposed April 2026) |
5. EU AI Act and Machinery Regulation
The EU has the most comprehensive governance framework for Physical AI. Three major regulations apply simultaneously to AI-powered robots.
EU AI Act (Regulation 2024/1689)
Entered into force: August 1, 2024. Phased enforcement.
Core concept: risk-based classification. Not all AI is regulated equally. Systems posing higher risk face stricter requirements.
| Risk level | Examples | Requirements |
|---|---|---|
| Unacceptable (banned) | Social scoring by governments, manipulation of vulnerable individuals, real-time biometric surveillance (with exceptions) | Prohibited. Cannot be sold or used in the EU. |
| High-risk | AI in medical devices, vehicles, critical infrastructure, employment decisions, law enforcement, AI-powered machinery with safety functions | Conformity assessment, risk management, data governance, transparency, human oversight, logging, cybersecurity, post-market monitoring |
| Limited risk | Chatbots, deepfakes, emotion recognition | Transparency obligations |
| Minimal risk | Spam filters, AI in video games | No specific requirements (voluntary codes of conduct) |
For Physical AI specifically: an industrial robot with AI-powered safety functions (human detection, collision avoidance) is automatically classified as high-risk because it falls under both the AI Act AND the Machinery Regulation.
AI Act Omnibus (agreed May 7, 2026)
The EU Council and Parliament reached political agreement on significant amendments to the AI Act under the Omnibus VII simplification package on May 7, 2026.
| Change | What it means |
|---|---|
| Industrial AI carveout | Machinery products only need to comply with sectoral safety rules instead of both the AI Act and sectoral rules. Direct impact on industrial robotics, factory automation, and surgical equipment. |
| High-risk AI deadlines deferred | Article 6(1) obligations now take effect August 2, 2028 (was 2026). Long-stop dates: December 2, 2027 (high-risk) and August 2, 2028 (product-embedded systems). |
| Transparency timeline | Grace period for AI-generated content transparency reduced from 6 to 3 months, with the new deadline December 2, 2026. |
| GPAI requirements | General-purpose AI models must document training data, capabilities, and reasonably foreseeable uses / misuses. |
Formal adoption expected before August 2, 2026. Sources: EU Council press release; AI Act tracker.
EU Machinery Regulation (2023/1230)
Published June 2023, replacing the old Machinery Directive 2006/42/EC. The key change: it explicitly addresses AI in machinery. If a robot uses machine learning for a safety function (detecting humans, avoiding collisions, adaptive control), it triggers high-risk classification and requires third-party conformity assessment.
Why this matters: under the old Directive, most machinery could self-certify. The new Regulation says: if your robot's safety depends on AI, an independent body must verify it. This is a fundamental shift from "we checked ourselves" to "someone external checked us."
For Physical AI: nearly every robot with computer vision or adaptive behavior falls under this. A cobot that uses YOLO to detect human presence is using AI for a safety function. That triggers third-party assessment.
Revised Product Liability Directive (December 2026)
Adopted 2024, applicable from December 2026. The most significant change: software is formally recognized as a product for liability purposes. Under the old 1985 directive, only physical products were covered.
Now: if a piece of software is essential for the functioning of a robot, or can cause harm independently, it is subject to the same liability rules as physical products. This closes the "software is not a product" loophole that existed for decades.
Implications for GR00T, Cosmos, JEPA: when an autonomous robot uses a world model to predict consequences and acts on that prediction, and the action causes harm, the world model software is now a liable product. The manufacturer, the deployer, and potentially the model provider could all face liability claims.
6. NIST frameworks and the AI Agent Standards Initiative
NIST provides voluntary frameworks that heavily influence US industry standards and federal procurement requirements. Unlike the EU's regulatory approach, the US relies on voluntary compliance with NIST frameworks, supplemented by sector-specific regulations (NHTSA for vehicles, FDA for medical).
AI Risk Management Framework (AI RMF 1.0)
Released January 2023. Provides a structured approach to identifying, assessing, and mitigating AI risks. Organized around four functions: Govern (establish policies and accountability), Map (identify and characterize risks), Measure (quantify risks with metrics), Manage (prioritize and act on risks).
For Physical AI: NIST released a concept note on April 7, 2026 for an AI RMF Profile on Trustworthy AI in Critical Infrastructure. This guides operators of critical infrastructure (power plants, transportation, healthcare) on specific risk-management practices when deploying AI.
Key insight: the AI RMF is not a compliance checklist. It is a thinking framework. It forces organizations to answer: "What could go wrong? How do we know? What do we do about it?" This contrasts with the EU's prescriptive approach (specific requirements listed in the AI Act).
AI Agent Standards Initiative (February 2026)
Launched February 17, 2026 by NIST's Center for AI Standards and Innovation (CAISI). The first US government program dedicated to developing standards for autonomous AI agents. Covers agents that can act autonomously, use tools, interact with APIs, and execute multi-step tasks.
| Focus area | What it addresses |
|---|---|
| Identity and authorization | How do we verify that an AI agent is who it claims to be? How do we control what it is allowed to do? |
| Interoperability | How do agents from different vendors communicate securely? MCP (Anthropic's Model Context Protocol) is explicitly mentioned as a candidate. |
| Security controls | Vulnerabilities unique to agents: autonomous task execution, tool use, API integrations, cross-system access, prompt injection. |
| Audit and non-repudiation | Records of what the agent was allowed to do, what context it received, what decision it made, what systems it touched. |
| Post-deployment monitoring | Must span functionality, operations, security, compliance, and human factors. "Is it running?" is insufficient. |
NCCoE concept paper: separately, NIST's National Cybersecurity Center of Excellence published a concept paper on AI agent security. Key insight: it treats prompt injection not as a model-quality issue but as a security control problem. Prevention and mitigation need to be designed into the architecture, not patched on after deployment. Comments closed April 2, 2026.
SP 800-53 control overlays: NIST is developing security control overlays for both single-agent and multi-agent AI systems, building on the existing SP 800-53 framework.
Critical gaps (as of May 2026): no standalone federal agentic AI security standard exists. No FAR (Federal Acquisition Regulation) clause governs AI agent procurement. MITRE ATT&CK does not cover agentic attack patterns (multi-agent lateral movement, reasoning-layer manipulation). Only 14.4% of organizations have security controls for AI agents.
NIST Measurement Science for Robotics
NIST's Intelligent Systems Division runs the Measurement Science for Robotics and Autonomous Systems Program. It develops test methods and performance metrics for: safe operations of collaborative robots, effectiveness of dexterous manipulators, mobility and safety of mobile robots, perception accuracy in dynamic environments, human-robot and robot-robot interaction safety, robot agility in unpredictable environments, and validation of AI/ML using well-documented datasets.
This is the practical counterpart to the policy frameworks: how do you actually test whether a robot is safe? What does "safe enough" mean in measurable terms?
7. Robot safety standards (ISO)
ISO standards are the international backbone of robot safety. They define what "safe" means in measurable, testable terms. Regulations are laws enforced by governments; standards are technical specifications that regulations reference. The EU Machinery Regulation says robots must be safe; ISO 10218 says what "safe" means in practice.
| Standard | Scope | Version | Key content |
|---|---|---|---|
| ISO 10218-1:2025 | Robot manufacturers | 2025 (first revision since 2011) | Safety requirements for robot design: mechanical, controls, stopping functions, cybersecurity. New robot classifications. Added AI considerations. |
| ISO 10218-2:2025 | Robot integrators / users | 2025 | Installation, safeguarding, workspace design. Integrates ISO/TS 15066 (cobot safety). Force limits: 150N transient contact. Replaces "cobot" with "collaborative applications." |
| ISO 13849-1:2023 | Safety-related controls | 2023 | Functional safety of control systems. Performance levels (PL a-e). |
| IEC 62061:2021 | Safety control systems | 2021 | Functional safety using Safety Integrity Levels (SIL 1-3). Alternative to ISO 13849 for complex systems. |
| ISO 13482 | Personal care robots | Current | Non-industrial robots near the public: mobile assistants, telepresence, some humanoids. Covers physical interaction with untrained people. |
| IEC 62443 | Industrial cybersecurity | Current | Cybersecurity for industrial automation and control systems. FANUC's CRX cobots are IEC 62443 certified. |
| ANSI / RIA R15.06 | US robot safety | Being updated | US national adoption of ISO 10218. OSHA references this. Being updated to align with 2025 ISO revision. |
8. Autonomous vehicle regulation
The most active governance battleground. Autonomous vehicles operate on public roads where errors kill people. The US, EU, and China are racing to establish frameworks, but none has a comprehensive federal law yet.
US: NHTSA framework and FMVSS modernization
Current state: NHTSA provides voluntary guidance for SAE Levels 3-5. Federal Motor Vehicle Safety Standards (FMVSS) are being modernized to allow vehicles without human controls.
FMVSS rulemaking (2026): NHTSA proposed amendments to FMVSS No. 102 (transmission shift position), FMVSS No. 103 (windshield defrosting), and FMVSS No. 104 (windshield wiping) on March 16, 2026. The amendments except vehicles without manually operated driving controls from requirements designed around a human driver. Four more proposed rulemakings are planned in 2026 covering indicators, telltales, warning lights, and lighting in ADS-only vehicles.
AV STEP program: the AV STEP voluntary oversight program (proposed January 2025) creates dedicated exemptions for AV deployment.
SELF DRIVE Act of 2026: proposed in Congress (third attempt after 2017 and 2021). Would be the first federal statute dedicated to AV safety. Key provisions: requires manufacturers to develop a safety case (structured argument that the system is safe), creates a federal crash-reporting repository, and prevents a patchwork of state regulations.
The liability question: as vehicles move from Level 2 (human supervises, Tesla FSD today) to Level 4 (no human needed, Waymo in geofenced areas), liability shifts from the human driver to the ADS provider. When a Level 4 vehicle crashes with no human in the loop, who is liable? The vehicle manufacturer? The ADS software provider? The owner who chose to use it?
EU and international
UNECE UN Regulation 157: the first international type-approval standard for Level 3 systems (Automated Lane Keeping Systems). Limits speed to 60 km/h. Requires driver monitoring. Adopted in Japan, the EU, and other UNECE members.
UNECE Global Technical Regulation (January 2026): new harmonized methodology for validating ADS-equipped vehicles. Safety case approach. Anchored in robust R&D processes. Represents global convergence on safety validation methodology.
China (April 2026): Ministry of Industry and Information Technology proposed mandatory safety standards for intelligent connected vehicles. 62-page proposal. Public comments closed April 13, 2026. China aims for nationwide AV regulation and mass production of humanoid robots by 2027.
9. Medical and surgical regulation (FDA)
Medical devices face the strictest governance of any Physical AI category. The FDA's regulatory pathways ensure that surgical robots, exoskeletons, and AI-assisted diagnostics are safe before they touch patients. This is the sector where governance is most mature.
| Pathway | What it is for | Example | Timeline |
|---|---|---|---|
| 510(k) | Device is substantially equivalent to an existing approved device | A new surgical robot similar to da Vinci | 3-6 months typical |
| De Novo | Novel device with no predicate, but low to moderate risk | A new type of AI diagnostic not previously classified | 6-12 months |
| PMA | Class III (highest risk). Must demonstrate safety and effectiveness | Implantable neural interfaces, heart devices | 1-3 years |
| SaMD guidance | Software as a Medical Device. Software that IS the medical device. | AI that diagnoses disease from images | Varies by risk |
10. Industry governance: NemoClaw and safety-by-design
Industry is not waiting for regulators. Companies are building governance into their products because customers (enterprise buyers) demand it, and because liability risks are real.
NVIDIA NemoClaw (GTC 2026)
NemoClaw is NVIDIA's security and governance layer for AI agents, announced at GTC 2026. It works alongside AgenticROS and the broader NVIDIA Isaac platform. NemoClaw monitors the AI agent's reasoning process in real time and enforces safety guardrails.
The key phrase: NemoClaw "inspects the intent of the AI's logic." This is not monitoring actions after they happen (reactive). It is monitoring reasoning before actions execute (proactive). The distinction is fundamental, and NemoClaw is the first commercial product that attempts to govern AI intent, not just AI output.
What it monitors: AI agent reasoning chains, context understanding, tool use decisions, and cross-system interactions. If the agent's reasoning violates safety constraints, NemoClaw intervenes before the physical action occurs.
Limitation: NemoClaw is a security tool, not a governance framework. It enforces technical guardrails defined by the deployer. It does not answer the higher-level questions: who decides what the guardrails should be? Who audits the guardrail definitions? Who is accountable when guardrails fail?
Safety-by-design practices
| Practice | What it means | Who does it |
|---|---|---|
| Safety case methodology | Structured argument with evidence that the system is safe. Standard in aviation and nuclear. Emerging in robotics and AV. | Waymo, Boston Dynamics, proposed SELF DRIVE Act |
| Red teaming | Adversarial testing to find failure modes before deployment. Stress-testing the robot's AI. | Anthropic, OpenAI, NVIDIA (for GR00T) |
| Simulation validation | Testing billions of scenarios in simulation (Isaac Sim) before physical deployment. Documenting sim-to-real transfer gaps. | NVIDIA, Waymo, Tesla, Figure AI |
| Fleet monitoring | Continuous post-deployment monitoring of robot fleet behavior. Identifying anomalies, failures, near-misses in real time. | Agility Robotics (Agility Arc), Waymo, Amazon Robotics |
| Disengagement reporting | Public reporting of when autonomous systems fail and require human intervention. California DMV requires this for AV testing. | Waymo, Cruise (when active), CA DMV requirement |
| Open safety research | Publishing safety research, sharing failure data, contributing to standards development. | Anthropic (Constitutional AI), NVIDIA (open-source GR00T) |
11. Six governance gaps
These are the areas where governance does not yet exist but is urgently needed. They are both the biggest risks and the biggest opportunities for governance practitioners.
Detailed gap analysis
- Autonomous AI agent liability. When an AI agent acts autonomously and causes harm, who is liable? The user who delegated authority? The company that deployed the agent? The vendor that built the model? No jurisdiction has answered this clearly. Amazon v. Perplexity (November 2025) is an early test case.
- World model governance. Neither Cosmos (NVIDIA) nor JEPA (LeCun) has any governance framework. A world model predicts physical consequences and informs autonomous action. Who audits these predictions? How do you verify a latent-space representation of physics?
- Humanoid robot governance. No governance framework exists specifically for humanoid robots operating in human spaces (homes, hospitals, airports). ISO 13482 covers "personal care robots" but was written before modern humanoids existed. JAL deployed humanoids at airports (May 2026) with no humanoid-specific safety standard.
- Cross-border AI agent interoperability. NIST mentions MCP as a candidate protocol, but no international agreement exists on how AI agents should communicate, authenticate, or be governed across jurisdictions. EU and US have fundamentally different approaches (prescriptive vs voluntary). A robot operating in both needs to satisfy both.
- AI intent inspection. NemoClaw "inspects intent" but is a proprietary, single-vendor tool. No open standard exists for inspecting AI reasoning before physical action. No interoperable protocol for intent auditing across different AI platforms.
- Agentic attack surface. MITRE ATT&CK does not cover agentic attack patterns: multi-agent lateral movement, reasoning-layer manipulation, cross-system context poisoning. The security community's standard threat model has not caught up to agents that can act autonomously.
12. The Intent Layer thesis
The Intent Layer thesis argues that understanding, not tools, is the core differentiator in human-AI collaboration. Applied to Physical AI governance:
| Existing governance monitors actions | Missing governance monitors intent |
|---|---|
| ISO 10218 defines force limits (150N). The AI Act requires logging. NHTSA requires crash reporting. These all monitor what the robot DID (or what it must not do). Reactive or boundary-based. | What is the AI trying to accomplish? Why did it choose this action over alternatives? What did its world model predict? Is its reasoning aligned with the human's actual goal? Proactive and understanding-based. |
NemoClaw is the first commercial product that moves toward intent inspection. The NCCoE concept paper treats prompt injection as an architectural problem, not a model quality problem. The NIST AI Agent Standards Initiative asks for audit trails of agent reasoning. These are all early signals of the same direction: governance is moving from monitoring outputs to inspecting process.
Physical AI makes the argument concrete: when a humanoid robot reaches for an object, the governance question is not just "did it exceed 150N of force?" but "why did it reach for that object in the first place, and was that intent aligned with what the human actually wanted?"
13. Regulatory timeline
What is happening when. This is the fastest-changing layer. Verify dates before acting on them.
| Date | Event | Significance |
|---|---|---|
| August 1, 2024 | EU AI Act entered into force | Prohibitions on unacceptable-risk AI practices already in effect |
| January 2025 | EO 14179 (current US AI policy) | Replaced Biden-era EO 14110. Prioritizes AI adoption. |
| February 2025 | ISO 10218:2025 published | First major robot safety standard revision in 14 years |
| January 2026 | SELF DRIVE Act of 2026 proposed | Third attempt at federal AV legislation. Safety case requirement. |
| January 2026 | UNECE Global Technical Regulation for ADS | International harmonized methodology for ADS validation |
| February 17, 2026 | NIST AI Agent Standards Initiative launched | First US program for autonomous AI agent governance. MCP mentioned. |
| March 16, 2026 | NHTSA FMVSS 102/103/104 modernization proposed | Vehicles without manual controls excepted from human-driver requirements |
| March 2026 | NVIDIA NemoClaw announced (GTC) | First product-level AI agent intent inspection |
| April 2, 2026 | NCCoE concept paper comments closed | AI agent security. Prompt injection as security control problem. |
| April 7, 2026 | NIST AI RMF Critical Infrastructure Profile | Concept note for trustworthy AI in critical infrastructure |
| April 13, 2026 | China AV safety standards comment period closed | MIIT mandatory safety standards for intelligent connected vehicles |
| May 7, 2026 | EU AI Act Omnibus agreed | Industrial AI carveout. Extended deadlines. Formal adoption expected before Aug 2, 2026. |
| August 2, 2026 | EU AI Act high-risk compliance deadline (original) | May be effectively deferred by Omnibus for many categories |
| December 2026 | Revised Product Liability Directive takes effect | Software formally becomes a product for liability purposes |
| December 2, 2027 | High-risk AI systems long-stop date (Omnibus) | Latest possible deadline for high-risk AI compliance under amended AI Act |
| August 2, 2028 | Product-embedded AI long-stop date (Omnibus) | Latest possible deadline for AI embedded in products (including robots) |
14. Resource directory
EU regulation
- EU AI Act tracker (full text)
- EU Machinery Regulation (EUR-Lex)
- EU Council press release on the Omnibus (May 7, 2026)
US frameworks
- NIST AI RMF
- NIST AI Agent Standards Initiative
- NIST Robotics Program
- NHTSA Automated Driving Systems
ISO and OSHA
Industry governance
- AgenticROS (the bridge that NemoClaw works alongside)
- ROSClaw paper (arXiv)