Eighteen months ago, AI regulation was mostly theoretical — white papers, proposed frameworks, and a lot of hand-wringing. That era is over. The EU AI Act’s first enforcement provisions took effect in February 2025, with the full high-risk regime landing in August. China has been enforcing its algorithm registry since 2023. And the United States, despite bipartisan noise about AI safety, still has no comprehensive federal statute on the books.

The result is a fractured global landscape where the same AI system can be banned in Brussels, registered in Beijing, lightly scrutinized in London, and entirely unregulated in Washington. For any company shipping AI products across borders — which is to say, nearly all of them — this patchwork is now the single biggest operational headache in the industry.

The Four Regulatory Regimes at a Glance

The EU AI Act: The World’s Most Detailed Rulebook

The EU AI Act (Regulation 2024/1689) is a 458-page monument to regulatory ambition. It classifies every AI system into one of four risk tiers, each with escalating obligations.

Unacceptable risk (Article 5) — effective since February 2, 2025. These systems are flatly prohibited:

• Social scoring by public authorities (Art. 5(1)(c))
• Real-time remote biometric identification in public spaces for law enforcement, with narrow exceptions for kidnapping, terrorism, and locating missing persons (Art. 5(1)(h))
• Emotion recognition in workplaces and educational institutions (Art. 5(1)(f))
• AI that exploits vulnerabilities of age, disability, or social situation (Art. 5(1)(a))
• Untargeted scraping of facial images from the internet or CCTV to build recognition databases (Art. 5(1)(e))

High risk (Articles 6-49) — the big hammer, effective August 2, 2026. This covers AI used in hiring, credit scoring, educational admissions, migration and border control, critical infrastructure, and medical devices. Deployers of high-risk systems must conduct a Fundamental Rights Impact Assessment (Art. 27), maintain human oversight (Art. 14), and submit to third-party conformity assessments for biometric systems.

General-Purpose AI (GPAI) models get their own chapter (Articles 51-56). Any model trained with more than 10^25 FLOPs is automatically classified as presenting “systemic risk” and must undergo adversarial testing, report serious incidents to the AI Office within 72 hours, and maintain energy consumption documentation. As of early 2026, this threshold captures roughly a dozen frontier models from OpenAI, Google DeepMind, Anthropic, Meta, and Mistral.

Enforcement reality

The EU AI Office, stood up in Brussels with an initial staff of roughly 140, published its first General-Purpose AI Code of Practice in November 2025. But enforcement remains largely prospective. No fines have been issued under the AI Act as of May 2026 — the high-risk compliance deadline hasn’t arrived yet, and the office has focused on building relationships with providers rather than punitive action.

That said, the chilling effect is real. At least three major U.S. AI companies have delayed European launches of consumer products pending legal review. Meta restricted its multimodal AI features in the EU through mid-2025 before reaching an accommodation on data processing grounds.

Startup impact: The compliance burden falls disproportionately on smaller companies. A conformity assessment for a high-risk system can cost 200,000-400,000 EUR and take 6-12 months. The open-source exemption (Art. 2(12)) helps, but it evaporates the moment a model is classified as GPAI with systemic risk — an awkward position for well-funded open-weight labs like Mistral and Meta AI.

United States: Fifty Laboratories of Regulation

The absence of a federal AI law is not the same as the absence of regulation. The U.S. approach is better described as regulation by enforcement action and state legislation.

Federal actions:

• Executive Order 14110 (October 2023) required developers of frontier models to share safety test results with the federal government. The order’s practical effect was limited — it applied to models trained with more than 10^26 FLOPs, a threshold only a handful of training runs have crossed.
• The FTC has pursued enforcement actions against companies making deceptive AI claims. In 2024, the agency settled with five companies for “AI washing” — overstating AI capabilities in marketing materials. Fines ranged from $500,000 to $6.8 million.
• The SEC issued Staff Accounting Bulletin No. 121 guidance clarifying that public companies must have a reasonable basis for AI-related claims in earnings calls and filings.

State legislation is where the action is. As of May 2026:

• Colorado (SB 24-205): requires deployers of “high-risk” AI in consequential decisions (employment, lending, insurance, housing) to conduct impact assessments and provide consumer notice. Effective February 2026.
• California vetoed SB 1047 (the frontier model safety bill) in September 2024, but passed AB 2013 requiring disclosure of AI training data composition for models offered in the state.
• Illinois expanded its Biometric Information Privacy Act to cover AI-inferred biometric data, creating a private right of action with statutory damages of $1,000-$5,000 per violation.
• Texas, New York, and Connecticut have passed AI-in-hiring laws requiring bias audits for automated employment decision tools.

The patchwork is genuinely painful for compliance teams. A company deploying an AI hiring tool nationwide must comply with at least seven different state frameworks, each with different definitions of “automated decision,” different audit requirements, and different enforcement mechanisms.

China: Control with a Purpose

China’s regulatory approach is the most prescriptive in the world, but it is also strategically selective. The government regulates AI that influences public opinion aggressively while actively subsidizing AI development in manufacturing, defense, and scientific research.

Key regulations:

• Provisions on the Management of Generative AI Services (effective August 2023): any company offering generative AI to the public in China must file with the CAC and receive approval before launch. Training data must “embody core socialist values.” As of early 2026, over 180 generative AI services have been registered.
• Algorithm Recommendation Regulations (March 2022): companies must file detailed descriptions of how recommendation algorithms work, give users the ability to opt out of personalized recommendations, and avoid using algorithms to set unfair prices.
• Deep Synthesis Provisions (January 2023): AI-generated or manipulated audio, video, and images must be labeled with visible watermarks.

In practice: China’s framework gives regulators broad discretion. Enforcement has been selective — ByteDance and Alibaba have both received guidance letters (effectively warnings) about algorithm transparency, but outright penalties have been rare for large domestic players. Foreign AI companies face a higher bar: OpenAI’s services remain officially unavailable in mainland China, and Google’s Gemini has no approved deployment.

United Kingdom: The Regulator’s Experiment

The UK deliberately chose not to pass a comprehensive AI law, instead publishing a white paper in March 2023 (“A Pro-Innovation Approach to AI Regulation”) that delegated AI oversight to existing sectoral regulators. The five cross-cutting principles — safety, transparency, fairness, accountability, and contestability — are applied by the FCA for finance, the Medicines and Healthcare products Regulatory Agency for health, Ofcom for communications, and so on.

This approach has some genuine advantages. Regulators with domain expertise can craft more practical rules than a one-size-fits-all statute. The FCA’s guidance on AI in consumer credit decisions, published in September 2025, is arguably more useful to the financial industry than the EU AI Act’s broader high-risk provisions.

The downside is inconsistency. A company deploying the same AI system across healthcare and finance must navigate two entirely different regulatory frameworks with different definitions, timelines, and expectations.

The UK’s AI Safety Institute (AISI), established in November 2023, has focused on pre-deployment testing of frontier models. It has published evaluation results for models from OpenAI, Anthropic, Google DeepMind, and Meta — making it the most transparent government AI testing body in the world, even if its recommendations are non-binding.

The Open-Source Flashpoint

Open-source AI models present a fundamental challenge to every regulatory framework. The EU’s carve-out for open-source is narrow and conditional. China makes no distinction between open and closed models for public-facing services. The U.S. has no federal position.

The core tension: once a model’s weights are released, the developer has limited ability to control downstream uses. Regulating the developer for all possible uses of an open model is arguably unfair; regulating only the deployer requires enforcement capacity that most governments lack.

Meta’s Llama models illustrate the problem. Llama 3.1 405B was released under a permissive license in July 2024. It has been fine-tuned for applications ranging from medical diagnosis to malware generation. Meta can’t retroactively prevent either use.

Expect this debate to intensify as open-weight models approach — and in some benchmarks exceed — the capability of closed frontier models.

What This Means for the Next 12 Months

For companies building AI: Regulatory strategy is now a prerequisite for product strategy, not an afterthought. The companies that built compliance infrastructure in 2024-2025 are shipping faster in 2026 than those scrambling to retrofit. Budget 5-10% of product development costs for regulatory compliance if you operate in the EU.

For companies deploying AI: You are liable for the AI systems you put in front of customers, even if you bought them off the shelf. The EU’s deployer obligations (Art. 26) are explicit: you must ensure human oversight, monitor for risks, and report serious incidents. “We didn’t know the model could do that” is not a defense.

For the industry as a whole: Convergence is slow but directional. The EU’s risk-based framework is becoming a de facto global template — Brazil’s AI Act (approved April 2025) borrows heavily from it, and Canada’s AIDA follows similar contours. Even the U.S. state laws echo the EU’s emphasis on impact assessments and transparency.

The regulatory era for AI has arrived. It is messy, fragmented, and incomplete. But the direction is unmistakable: more transparency, more accountability, and real penalties for getting it wrong. The companies that treat compliance as product discipline rather than legal overhead will have a structural advantage in every market that matters.