© 2026 AISOLO Technologies Pvt Ltd

AI Regulation in 2026: EU AI Act, US Policy, and What Builders Must Know

A complete guide to the global AI regulatory landscape in 2026 — the EU AI Act's risk tiers and deadlines, US federal and state law, China's generative AI rules, and a practical compliance checklist for product teams shipping AI systems.

Jun 27, 2026·18 min read·Yash Thakker
Tags: AI regulation, EU AI Act, AI compliance, AI governance, AI policy, AI safety

Regulation is now part of the AI build cycle. The EU AI Act is the world's first comprehensive AI law; its prohibitions and GPAI rules already apply, and the high-risk obligations land in August 2026. The US has taken a more fragmented path: executive orders, agency guidance, and a patchwork of state laws. China has its own mandatory framework for generative AI. International agreements are multiplying.

If you are building AI products in 2026, you need to understand this landscape — not because compliance is interesting, but because it shapes what you can build, how you must document it, and what your legal exposure looks like when things go wrong.

This guide covers every major jurisdiction, what each framework actually requires, and what your team should do right now.


Why regulation matters for builders — not just lawyers

Most developers treat regulation as something the legal team handles. That is the wrong frame.

Regulation determines what you can build. Certain AI practices — social scoring systems, real-time mass biometric surveillance, manipulative AI — are now flatly banned in the EU. If you are building in those categories, no amount of careful implementation makes them legal.

Regulation determines how you must build. High-risk AI systems require conformity assessments, technical documentation, human oversight mechanisms, and accuracy testing before they deploy. These are engineering requirements, not paperwork.

Regulation determines what happens when something breaks. Incident reporting timelines, liability allocation, and fines are all defined by the regulatory framework your product operates under. The EU AI Act's maximum fine, €35 million or 7% of global annual turnover, whichever is higher, exceeds GDPR's ceiling of €20 million or 4%.

The regulatory landscape is also fragmenting globally. A product that is legal in one jurisdiction may be banned or require significant modification in another. Understanding each framework is a product strategy question, not just a legal one.


The EU AI Act — the world's most comprehensive AI law

What it is and when it applies

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Its provisions roll out in stages:

Date | What applies
2 February 2025 | Prohibited practices ban (Chapter II) and AI literacy obligations
2 August 2025 | GPAI model rules (Chapter V); governance structures and penalties
2 August 2026 | High-risk AI system requirements for Annex III categories; transparency obligations (Article 50)
2 August 2027 | High-risk AI in safety components of products regulated under Annex I (medical devices, aviation, machinery, etc.)

If you deploy AI in the EU in any category touching Annex III — recruitment tools, credit scoring, educational assessment, law enforcement, migration — August 2026 is your compliance deadline.

The four risk tiers

The Act classifies AI systems into four tiers. Your tier determines your obligations.

Unacceptable risk — banned entirely

These practices are prohibited regardless of context or intent:

  • AI that uses subliminal, manipulative, or deceptive techniques to materially distort behavior in a way that causes or is likely to cause significant harm
  • AI that exploits vulnerabilities of specific groups (age, disability, social or economic situation, which covers children, people with disabilities, and people in financial hardship) to distort behavior in harmful ways
  • Social scoring: evaluating or classifying people over time on social behavior or personal characteristics, leading to detrimental treatment that is unjustified or unrelated to the context in which the data was collected. The final text applies this to private actors as well as public authorities
  • Predicting the risk that a person will commit a criminal offence based solely on profiling or assessment of personality traits
  • Untargeted scraping of facial images from the internet or CCTV footage to build or expand facial recognition databases
  • Emotion recognition in workplaces and educational institutions, except for medical or safety reasons
  • Biometric categorization that infers race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation from biometric data
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement, with narrow exceptions (searching for victims, preventing an imminent terrorist threat, locating suspects of listed serious crimes) that require prior authorization by a judicial or independent administrative authority

The legal effect is immediate. A product that does any of these things cannot be placed on the EU market — period.

High risk — permitted but heavily regulated

High-risk AI systems can be deployed, but only after meeting substantive requirements. The categories are defined in two annexes:

Annex I — AI used as safety components in products already regulated by EU sectoral law (medical devices, machinery, aviation, automotive, lifts, etc.).

Annex III — Standalone high-risk AI systems in eight areas:

  1. Biometrics: remote biometric identification, biometric categorization by sensitive attributes, and emotion recognition (outside the prohibited uses)
  2. Critical infrastructure: safety components in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity
  3. Education and vocational training: systems that determine admission, assign grades or evaluate learning outcomes, monitor students, or detect prohibited behavior during tests
  4. Employment: CV screening and recruitment, interview assessment, promotion and termination decisions, task allocation, performance monitoring
  5. Access to essential private and public services: public benefits eligibility, credit scoring, life and health insurance risk assessment and pricing, emergency call triage and dispatch
  6. Law enforcement: risk assessment of individuals, polygraph-like tools, evidence reliability evaluation, profiling in investigations
  7. Migration, asylum, and border control: risk assessment of applicants, examination of asylum, visa, and residence permit applications, detection or identification of persons
  8. Administration of justice and democratic processes: tools that assist a judicial authority in researching and interpreting facts and law, and systems intended to influence the outcome of an election or voting behavior

If your product touches any of these categories, you must:

  • Implement a risk management system — documented, tested, and iteratively updated
  • Maintain technical documentation that allows regulators to assess conformity
  • Maintain logs automatically generated during operation (minimum six months, longer for regulated sectors)
  • Design for human oversight — operators must be able to understand, monitor, and intervene in operation
  • Meet accuracy, robustness, and cybersecurity requirements
  • Complete a conformity assessment before deployment: internal self-assessment for most Annex III systems; for Annex III biometric systems a notified body must be involved unless harmonised standards are applied in full; Annex I systems follow the conformity procedure of their sectoral product law
  • Register in the EU database before placing the system on the market

Limited risk — transparency obligations

Limited-risk AI systems face disclosure requirements only:

  • Chatbots and AI agents that interact with humans must inform users they are interacting with AI — unless the context makes it obvious
  • Deepfakes and other synthetic content: providers must mark AI-generated images, audio, video, and text in a machine-readable way, and deployers must disclose deepfakes of real people, places, or events as artificially generated or manipulated
  • Emotion recognition and biometric categorization systems (outside prohibited categories) must disclose their operation to users

This tier covers the vast majority of consumer-facing AI products. The compliance burden is low: add a disclosure, label synthetic content, and document it.

Minimal risk — no mandatory requirements

Everything else — spam filters, recommendation engines, content moderation tools, most productivity AI — faces no mandatory requirements under the Act. The Commission encourages voluntary codes of conduct, but these are not legally binding.

GPAI rules — what foundation model providers must do

"General purpose AI models" (GPAI) are AI models trained on broad data at scale that can serve a wide range of tasks. In practice: large language models and multimodal foundation models made available in the EU.

All GPAI model providers must:

  • Maintain and provide technical documentation to downstream deployers
  • Comply with EU copyright law — including implementing a policy on text and data mining opt-outs
  • Publish a summary of training data content

GPAI models with "systemic risk", presumed where cumulative training compute exceeds 10^25 FLOPs or where the European AI Office designates the model as such, face additional requirements under Article 55:

  • Model evaluation including adversarial testing (red-teaming), plus assessment and mitigation of systemic risks at EU level
  • Tracking, documenting, and reporting serious incidents and corrective measures to the European AI Office without undue delay
  • Adequate cybersecurity protection for the model and its physical infrastructure

Energy consumption is a documentation item rather than a separate reporting duty: Annex XI requires every GPAI provider's technical documentation to record the known or estimated energy consumption of training.

The European AI Office, established within the Commission, has regulatory authority over GPAI models — including the power to request documentation, conduct evaluations, and impose fines.

Fines

Violation | Maximum fine (whichever is higher)
Prohibited practices (Article 5) | €35M or 7% of global annual turnover
Other obligations on providers, deployers, importers, distributors, and notified bodies | €15M or 3% of global annual turnover
Supplying incorrect, incomplete, or misleading information to authorities | €7.5M or 1% of global annual turnover
GPAI model provider violations (Article 101) | €15M or 3% of global annual turnover

SME and startup relief: for SMEs and startups the cap is the lower of the fixed amount and the turnover percentage, and authorities are directed to weigh proportionality when setting fines.


US AI policy — a fragmented but evolving picture

The US has not passed comprehensive federal AI legislation as of mid-2026. What exists instead is a layered system of executive action, agency guidance, sector-specific rules, and state laws.

The Executive Order on AI (October 2023)

President Biden's Executive Order 14110 on Safe, Secure, and Trustworthy Artificial Intelligence (30 October 2023) was the most significant US federal AI policy action before 2025. Key requirements it created:

  • Dual-use foundation model reporting: developers of foundation models that could pose serious risks must report safety test results to the federal government before public release
  • Standards development: NIST was directed to develop AI safety standards and red-teaming guidelines; the resulting guidance has been incorporated into federal procurement and sector regulation
  • Sector-specific direction: federal agencies were directed to develop AI risk management guidance for their sectors — leading to FDA, FTC, and financial regulator actions
  • Immigration: streamlined visa pathways for AI talent
  • Critical infrastructure: DHS and sector agencies directed to assess AI risks in critical infrastructure

The EO itself no longer exists: it was revoked in January 2025, and the successor order (EO 14179, January 2025) directed agencies to remove policies seen as barriers to AI innovation. The NIST standards and sector-specific guidance that emerged from the 2023 order remain available through agency authority, independent of the EO itself.

NIST AI Risk Management Framework

The NIST AI RMF 1.0 (January 2023) is a voluntary framework organized around four functions:

Function | What it covers
Govern | Policies, culture, and accountability structures for AI risk
Map | Identifying and categorizing AI risks in context
Measure | Analyzing and assessing identified risks
Manage | Prioritizing, responding to, and monitoring risks

While voluntary, the NIST AI RMF is now the de facto standard in US federal AI procurement and is referenced in multiple sector regulatory frameworks. If a dispute about AI harm reaches a regulator or court, demonstrating NIST AI RMF adoption is the strongest available signal of reasonable care.

The NIST AI RMF Generative AI Profile (NIST AI 600-1, July 2024) extended the framework to cover generative AI specifically, with risk categories including data privacy, confabulation, intellectual property, human-AI configuration, information integrity, and information security.

Sector-specific rules

FDA (medical AI): The FDA's framework for AI-enabled medical devices requires pre-market authorization for devices that use AI/ML to analyze patient data for diagnostic or treatment decision support. The FDA's "predetermined change control plan" pathway allows manufacturers to deploy AI updates without each requiring a new premarket submission — if the change protocol was pre-approved. This is the operative compliance regime for health AI in the US.

FTC (consumer AI): The FTC has authority over deceptive and unfair practices and has applied it to AI on multiple dimensions — deceptive AI-generated reviews, undisclosed AI in consumer interactions, and AI-driven discrimination in advertising. The FTC's AI guidance is not a formal regulation, but enforcement actions create clear red lines: disclose AI use, do not use AI to discriminate in credit or housing, do not generate fake reviews.

Financial regulators: The OCC, Federal Reserve, and CFPB have all issued guidance on AI in banking, credit, and financial services. Common themes: explainability for adverse action notices, disparate impact testing, model risk management (SR 11-7 has been extended to AI models), and vendor oversight for third-party AI.

EEOC: The Equal Employment Opportunity Commission has issued guidance on AI in employment — emphasizing that using an AI hiring tool does not transfer liability from the employer; if the tool has disparate impact, the employer is responsible.

State laws — the patchwork

In the absence of federal law, states have moved quickly:

Colorado enacted the Colorado AI Act (SB 24-205), now effective 30 June 2026 after a 2025 amendment pushed back the original 1 February 2026 date. It creates obligations for developers and deployers of "high-risk AI systems" in consequential decisions (employment, housing, credit, insurance, health care). It requires impact assessments, disclosure to affected individuals, and an appeals mechanism. It is the most comprehensive US state AI law.

California passed multiple AI-related laws including requirements for AI disclosure in political advertising, limits on AI-generated content of minors, and provisions on AI watermarking. California's legislation is less unified than Colorado's but broader in certain areas.

Illinois has the Artificial Intelligence Video Interview Act, which requires employers that use AI to analyze video interviews to notify applicants, obtain consent, explain how the AI works, delete recordings on request, and report demographic data on applicants selected and not selected when the AI alone decides who advances. An amendment to the Illinois Human Rights Act effective 1 January 2026 separately prohibits using AI in a way that discriminates in employment decisions and requires notice to employees. The annual independent bias audit sometimes attributed to Illinois is actually New York City's Local Law 144 on automated employment decision tools (AEDTs).

Texas enacted the Texas Responsible Artificial Intelligence Governance Act (effective 1 January 2026), narrower than Colorado's and focused on prohibited uses and government deployment; Utah's AI Policy Act (2024) requires disclosure of generative AI in regulated interactions; Connecticut and Virginia bills have stalled or been vetoed, and others are at various stages. The state-level patchwork creates compliance complexity for products deployed across jurisdictions.

What is pending

Federal comprehensive AI legislation has been introduced in multiple sessions without passing as of mid-2026. Bipartisan agreement exists on certain elements — AI transparency, critical infrastructure protection, safety research funding — but a comprehensive US AI Act equivalent remains in negotiation. The most likely near-term federal action is sector-specific legislation rather than a horizontal framework.


China's AI regulations

China has taken a different approach — issuing mandatory regulations for specific AI technologies rather than a single comprehensive law.

Generative AI Regulation (effective 15 August 2023)

The Interim Measures for the Management of Generative AI Services impose requirements on providers offering generative AI to users in China:

  • Content standards: AI-generated content must adhere to core socialist values and must not violate laws or "social morality." This is broad and gives regulators significant discretion
  • Real-name verification: providers must verify the real identity of users through mobile phone numbers or national ID, which limits privacy by design
  • Labeling: AI-generated content must be labeled as such; the Measures for Labeling AI-Generated Synthetic Content, effective 1 September 2025, require both visible labels and implicit metadata labels
  • Security assessments: providers of services with public opinion attributes or social mobilization capability must complete a security assessment with the Cyberspace Administration of China (CAC) before launch
  • Algorithm filing: the same providers must file their algorithms with the CAC under the algorithm recommendation rules
  • Data governance: training data must comply with data security laws; personal data used in training requires a proper legal basis

For international products serving Chinese users, the practical question is whether your service falls within Chinese jurisdiction. If you have Chinese users accessing a service that incorporates generative AI, Chinese law treats you as subject to these rules even if you are not established in China — enforcement against foreign companies without Chinese presence is limited but not zero, and many companies choose to exclude China from product availability rather than engage with compliance.

What it means for international products

Products that want to operate in China face a choice: build to Chinese requirements (real-name verification, content filtering, CAC registration) or exclude Chinese users. The content restrictions in particular create product-level constraints that are difficult to reconcile with global product design.


UK and international approaches

UK: principles over rules

The UK government has declined to create AI-specific legislation, instead directing existing regulators (ICO, FCA, CMA, MHRA, Ofcom) to apply existing powers and issue AI guidance within their domains. The pro-innovation framing prioritizes flexibility over uniformity. The ICO has published extensive guidance on AI and data protection; the CMA has guidelines on AI foundation models and competition. The lack of a unified law makes UK compliance less clearly defined than EU compliance, but also less burdensome for early-stage products.

International safety cooperation

The Bletchley Declaration (November 2023), signed at the UK AI Safety Summit, established international agreement that frontier AI models pose serious risks and that states should cooperate on safety evaluation. Twenty-eight countries and the EU signed, including the US, the UK, China, and India. It did not create binding obligations but established the diplomatic basis for subsequent cooperation.

Seoul AI Safety Summit (May 2024) — produced the Seoul Ministerial Statement, in which 27 governments and major AI companies agreed to share information on advanced AI safety evaluations. The AI Safety Institutes of the UK, US, EU, Japan, and others formed a network for coordinating safety testing of frontier models.

International standards: ISO/IEC 42001 (AI Management Systems) published in 2023 provides an international standard for organizational AI governance. It is not legally mandated in most jurisdictions but is increasingly referenced in procurement and certification.


Key compliance concepts every builder needs

AI system documentation

Most regulatory frameworks require documentation before deployment. What you need to document:

Document | What it covers
System card / model card | What the system does, intended use cases, limitations, known failure modes, testing results
Data governance record | Data sources, processing steps, bias testing, data subject rights compliance
Risk assessment | Risks identified, mitigations implemented, residual risk accepted
Conformity assessment | For high-risk EU AI Act systems: self-assessment or notified-body audit record
Change log | Material updates to the model, training data, or system design

Human-in-the-loop requirements

"Human oversight" appears in the EU AI Act, NIST AI RMF, FDA medical device frameworks, and financial regulator guidance. What it actually requires varies by context:

  • High-risk EU AI Act systems: operators must be able to understand the system's output, monitor operation, and override or shut down. The system must be designed to facilitate this — including logging, explainability mechanisms, and override controls
  • Financial credit decisions: adverse actions must be explainable to applicants; automated decisions require human review pathways
  • Medical AI: many AI-enabled medical devices are authorized only as decision support, not autonomous decision-making — a clinician must review and confirm

Transparency obligations

Across jurisdictions, disclosure is the baseline obligation that applies even to minimal-risk products:

  • Label AI-generated content (EU AI Act, China generative AI regulation, California law)
  • Disclose AI interaction to users who are not aware they are talking to an AI
  • Disclose AI use in employment screening (Illinois, Colorado)
  • Disclose AI-generated content in political advertising (California and a growing number of other states)

Data governance for AI training

Training data is a regulatory surface. The EU AI Act requires GPAI providers to maintain training data documentation. GDPR requires a lawful basis for processing personal data in training. China's regulations require data security compliance for training data. US copyright litigation has created risk around training on copyrighted material without licensing.


Practical compliance checklist for 2026 products

Before building

  • Classify your AI system: what risk tier does it fall into under the EU AI Act?
  • Identify applicable sector regulations (FDA if health, FTC if consumer-facing, financial regulators if credit)
  • Identify jurisdictions where you will deploy and map to applicable state laws
  • Confirm your training data has appropriate licenses, consent bases, or falls within permissible use categories
  • Assess whether any use cases touch prohibited practices — eliminate them before building

During building

  • Document the system: intended use, training data summary, known limitations
  • Implement logging sufficient to reconstruct what happened in any interaction
  • Build human override mechanisms into high-risk or sensitive use workflows
  • Test for accuracy and disparate impact across relevant demographic groups
  • Version-control prompts, model weights, and evaluation suites
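The two "during building" items on logging and version control are one design problem: a log entry is only useful for reconstruction if it pins the exact prompt template and model weights that produced the output, and it is only useful as evidence if it cannot be quietly edited afterwards. The following is an added example, not code from the original article or from any regulator; it assumes the application already has a prompt template, a model identifier, and a hash of its weights artifact, and the field names are illustrative rather than mandated by the EU AI Act or any other framework.

```python
"""Hash-chained, append-only interaction log for an AI system.

Added example (not from the original article). Assumptions: the application
can supply a model identifier, a SHA-256 of its weights artifact and the prompt
template in use; field names are illustrative, not mandated by any regulation.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash committed to by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: Dict) -> bytes:
    """Stable serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class InteractionLog:
    """Each entry commits to the previous one through prev_hash."""
    prev_hash: str = GENESIS
    entries: List[Dict] = field(default_factory=list)

    def append(self, *, model_id: str, model_weights_sha256: str,
               prompt_template: str, user_input: str, output: str,
               operator_action: str, ts: Optional[float] = None) -> Dict:
        record = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            # Version pins: the exact template and weights can be pulled back
            # out of version control by hash, so the interaction is reproducible.
            "model_id": model_id,
            "model_weights_sha256": model_weights_sha256,
            "prompt_template_sha256": sha256_hex(prompt_template.encode("utf-8")),
            # Verbatim input and output so the interaction can be reconstructed.
            "user_input": user_input,
            "output": output,
            # What the human in the loop did: accept, override, escalate, ...
            "operator_action": operator_action,
            "prev_hash": self.prev_hash,
        }
        record["entry_hash"] = sha256_hex(canonical(record))
        self.prev_hash = record["entry_hash"]
        self.entries.append(record)
        return record


def verify_chain(entries: List[Dict], start_hash: str = GENESIS) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry.

    Catches edited fields, deleted entries (sequence gap or prev_hash
    mismatch) and reordered entries. start_hash lets a chain that was
    truncated at a retention boundary still be verified from that point.
    """
    prev = start_hash
    for i, rec in enumerate(entries):
        if rec.get("seq") != i or rec.get("prev_hash") != prev:
            return i
        body = {k: v for k, v in rec.items() if k != "entry_hash"}
        if sha256_hex(canonical(body)) != rec.get("entry_hash"):
            return i
        prev = rec["entry_hash"]
    return -1


def demo() -> int:
    """Constructed sample: two interactions, then a retroactively edited copy."""
    log = InteractionLog()
    weights = sha256_hex(b"constructed-weights-blob")  # stand-in for a real artifact hash
    template = "You are a triage assistant. Case: {case}"
    log.append(model_id="triage-v3", model_weights_sha256=weights, prompt_template=template,
               user_input="Patient reports chest pain", output="Priority: high",
               operator_action="accept", ts=1.0)
    log.append(model_id="triage-v3", model_weights_sha256=weights, prompt_template=template,
               user_input="Patient reports mild headache", output="Priority: low",
               operator_action="override:medium", ts=2.0)
    assert verify_chain(log.entries) == -1
    tampered = [dict(e) for e in log.entries]
    tampered[1]["output"] = "Priority: high"  # someone rewrites history
    return verify_chain(tampered)


if __name__ == "__main__":
    print("first bad entry in tampered copy:", demo())
```

The chain only proves integrity relative to the latest hash, so anchor that hash somewhere the application cannot rewrite (a separate log sink, a signed daily checkpoint, or a WORM bucket). Because entries carry verbatim user input, the store they live in inherits the data-protection obligations of the inputs; where retention rules force deletion, drop whole prefixes of the chain and keep the last deleted hash as the new start_hash rather than editing individual entries.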

Before deploying (EU / high-risk)

  • Complete conformity assessment — self-assessment for most Annex III categories
  • Register in the EU AI Act database (for high-risk systems)
  • Implement disclosure mechanism for users (chatbot, deepfake, emotion recognition)
  • Verify oversight training for operators who will use the system

After deploying

  • Monitor performance with sliced metrics — not only aggregate accuracy
  • Maintain logs for required retention periods (minimum 6 months for most EU AI Act systems)
  • Establish an incident reporting workflow: under Article 73, providers of high-risk systems report serious incidents to the market surveillance authority of the member state where the incident occurred immediately, and no later than 15 days after becoming aware (10 days where a person has died, 2 days for a widespread infringement)
  • Schedule periodic re-evaluation as the model or deployment context changes
  • Track regulatory updates in each jurisdiction you operate
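Two checklist items, "test for accuracy and disparate impact across relevant demographic groups" during building and "monitor performance with sliced metrics, not only aggregate accuracy" after deploying, use the same computation. The following is an added example, not code from the original article; it assumes each logged decision carries a protected-group attribute held for testing only (never fed to the model), the true outcome where known, and the model's binary decision. The four-fifths ratio is the US EEOC adverse-impact screening heuristic for employment selection; it is a trigger for investigation, not a legal safe harbour, and the sample records below are constructed for the demonstration.

```python
"""Sliced metrics and disparate-impact screening for a binary decision system.

Added example (not from the original article). Assumes one record per
decision: {"group": ..., "label": true outcome, "decision": model output}.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample: 20 decisions across two groups. Aggregate accuracy is
# 85%, which looks fine; only the per-group view shows the selection-rate gap.
SAMPLE_RECORDS: List[Dict] = (
    [{"group": "A", "label": 1, "decision": 1}] * 5
    + [{"group": "A", "label": 0, "decision": 1}]
    + [{"group": "A", "label": 0, "decision": 0}] * 4
    + [{"group": "B", "label": 1, "decision": 1}] * 3
    + [{"group": "B", "label": 1, "decision": 0}] * 2
    + [{"group": "B", "label": 0, "decision": 0}] * 5
)


def sliced_metrics(records: Iterable[Dict], group_key: str = "group") -> Dict[str, Dict[str, float]]:
    """Per-group selection rate, accuracy, true-positive and false-positive rate."""
    c = defaultdict(lambda: {"n": 0, "sel": 0, "tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for r in records:
        g = c[r[group_key]]
        y, d = int(r["label"]), int(r["decision"])
        g["n"] += 1
        g["sel"] += d
        g[("tp" if d else "fn") if y else ("fp" if d else "tn")] += 1
    out = {}
    for name, g in c.items():
        pos, neg = g["tp"] + g["fn"], g["fp"] + g["tn"]
        out[name] = {
            "n": g["n"],
            "selection_rate": g["sel"] / g["n"],
            "accuracy": (g["tp"] + g["tn"]) / g["n"],
            "tpr": g["tp"] / pos if pos else float("nan"),
            "fpr": g["fp"] / neg if neg else float("nan"),
        }
    return out


def aggregate_accuracy(records: Iterable[Dict]) -> float:
    rs = list(records)
    return sum(int(r["label"]) == int(r["decision"]) for r in rs) / len(rs)


def four_fifths_check(metrics: Dict[str, Dict[str, float]], threshold: float = 0.8) -> Dict[str, Dict]:
    """Adverse-impact ratio: each group's selection rate over the highest group's."""
    best = max(m["selection_rate"] for m in metrics.values())
    result = {}
    for name, m in metrics.items():
        ratio = m["selection_rate"] / best if best > 0 else 1.0
        result[name] = {"ratio": ratio, "passes": ratio >= threshold}
    return result


def max_gap(metrics: Dict[str, Dict[str, float]], key: str) -> float:
    """Largest between-group difference in a metric (tpr gap = equal-opportunity gap)."""
    vals = [m[key] for m in metrics.values() if m[key] == m[key]]  # drops NaN
    return max(vals) - min(vals) if vals else 0.0


def audit(records: Iterable[Dict], min_group_size: int = 10) -> Dict:
    """One report suitable for a pre-deployment test and for periodic monitoring."""
    rs = list(records)
    metrics = sliced_metrics(rs)
    ff = four_fifths_check(metrics)
    return {
        "aggregate_accuracy": aggregate_accuracy(rs),
        "by_group": metrics,
        "four_fifths": ff,
        "tpr_gap": max_gap(metrics, "tpr"),
        "fpr_gap": max_gap(metrics, "fpr"),
        # Ratios on tiny slices are noise; report them but do not act on them alone.
        "underpowered_groups": [g for g, m in metrics.items() if m["n"] < min_group_size],
        "flagged": [g for g, r in ff.items() if not r["passes"]],
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RECORDS), indent=2))
```

Run the same audit on a held-out test set before deployment and on a rolling window of production decisions afterwards; a group that passed at launch can drift below the threshold as the input population changes. Labels are often missing or delayed in production (a loan applicant's repayment is not known at decision time), so the selection-rate ratio, which needs no labels, is the metric available soonest, while the TPR and FPR gaps arrive later and should be back-filled when outcomes land.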

Where to track regulatory changes

The AI regulatory landscape is moving fast. Sources worth bookmarking:

  • European AI Office — the body administering the EU AI Act and GPAI rules: digital-strategy.ec.europa.eu
  • NIST AI Risk Management Framework and updates: airc.nist.gov
  • Future of Life Institute AI Policy tracker — covers global AI legislation
  • IAPP AI Governance Center — practitioner-focused guidance and news
  • State legislature trackers: Colorado AI Act implementation, California AI legislation updates

If you are building in a specific sector — health, finance, employment — the relevant sector regulator (FDA, CFPB, EEOC) is the authoritative source for that domain's AI requirements, which often move faster than horizontal AI law.


What this means in practice

The practical upshot for a team shipping AI products in 2026:

Most products are minimal risk under the EU AI Act. If you are building a writing assistant, a code tool, a search feature, a recommendation engine, or a customer service chatbot — you face transparency obligations (label AI, disclose AI interaction) and best practices, not conformity assessments.

If you touch consequential decisions — hiring, credit, healthcare triage, educational assessment, law enforcement — the regulatory burden is substantial and growing. Plan for it in your roadmap, not as an afterthought after the product is built.

Documentation is leverage. A well-maintained system card, risk assessment, and testing record is not just compliance overhead — it is the primary evidence of reasonable care if something goes wrong. It also forces the design conversations that catch problems early.

The jurisdictional patchwork is real. A product that is fully compliant with US standards may need modification for EU deployment. A product that runs in China needs architecture choices (real-name verification, content filtering) that may be irreconcilable with global product design. Make these decisions explicitly, early.

For a deeper grounding in why regulatory frameworks emphasize oversight and documentation, the article on AI alignment for product teams covers the underlying technical reasons that AI systems fail in ways that require human checks.

