Why AI Regulation Is Harder Than It Looks
I've spent the past several months reading through the major regulatory frameworks, talking to compliance teams at AI companies, and watching how enforcement is actually playing out. The headline version — the EU has strict rules, the US is more permissive, China is doing its own thing — is true but so simplified it's almost misleading. The actual picture is considerably more complicated and more interesting.
The core difficulty: AI systems don't fit neatly into existing regulatory categories. Is a large language model a product? A service? A tool? Software? A medical device if it helps with diagnosis? A financial adviser if it helps with investment decisions? Every existing regulatory framework was built for something else, and jurisdictions are making different choices about how to map AI onto those existing categories — or whether to build entirely new ones.
The EU AI Act: What It Actually Says
The EU AI Act became enforceable in stages through 2025 and 2026. The framework uses a risk-based approach: unacceptable risk is banned, high risk carries heavy requirements, limited risk has transparency obligations, and minimal risk is essentially unregulated. The categories that matter for most product teams are high-risk, which includes AI used in hiring, credit scoring, educational assessment, and certain safety-critical applications. [EU AI Act full text]
High-risk requirements are substantial: mandatory conformity assessments, technical documentation, human oversight mechanisms, logging of system operation, accuracy and robustness testing, and registration in an EU database before deployment. For companies without good MLOps practices already, these requirements represent a significant operational investment. The extraterritorial reach is the piece most US and UK companies underestimated — if your system's output affects EU users, EU law applies.
The Act's risk tiering is its defining feature: prohibited practices (social scoring, real-time biometric surveillance in public spaces with narrow exceptions), high-risk systems (employment, credit, education, law enforcement — requiring conformity assessments and registration), limited risk (chatbots — requiring disclosure), and minimal risk (everything else — no specific obligations). The definitions are more precise than they appear in summary: a "biometric categorisation system" that infers political views is prohibited; a fraud detection system that processes transaction patterns is limited risk despite processing sensitive inferences.
The General-Purpose AI (GPAI) model provisions, added late in the legislative process, apply specifically to foundation model providers. Models with training compute above 10²⁵ FLOPs (a threshold that covers GPT-4-class and above models) face additional systemic risk obligations: adversarial testing, model evaluation with standardised protocols, and incident reporting to the European AI Office. These provisions have prompted significant lobbying from US AI companies and are the primary basis for ongoing discussions about regulatory reciprocity between the EU and US.
The US Approach: Executive Action and Sector Regulation
The United States doesn't have a thorough federal AI law as of mid-2026. What it has is a combination of executive orders, agency guidance, and sector-specific regulation. The picture is genuinely fluid — some requirements from the Biden-era executive order on AI have been maintained while others were rolled back. Sector regulators have been more active: the FTC has brought cases against AI companies for deceptive practices, the CFPB has issued guidance on AI in lending, and the FDA has a framework for AI in medical devices that's one of the more mature sector-specific AI regulatory regimes globally.
State-level regulation creates a patchwork that's complex for companies operating nationally. Colorado, Illinois, and California all have AI laws on the books, each with different requirements. Compliance across US states is a genuine operational challenge for companies that can't afford to treat each state separately.
China: Different Goals, Different Architecture
China's AI regulatory framework is built around different priorities than Western regimes. The Generative AI Measures require content moderation aligned with Chinese law, registration of generative AI services, and mechanisms to prevent prohibited content. there's also meaningful industrial policy embedded in the regulatory structure — requirements that are burdensome for foreign companies are sometimes more manageable for domestic ones.
Most major Western AI providers have chosen not to operate consumer-facing AI services in China, not primarily for business reasons but because compliance with content requirements conflicts with how those products are designed to work. this is an uncomfortable but honest reality of operating in a market with incompatible content standards.
Emerging Issues: Deepfakes, Liability, and Transparency
The areas where regulation is moving fastest: synthetic media and deepfakes (most jurisdictions are moving toward mandatory disclosure requirements), AI liability (who is responsible when an AI system causes harm), and foundation model transparency (what must be disclosed about training data and model capabilities). The EU AI Act places primary liability responsibility on deployers — the businesses that use a model in a specific application — rather than model developers. this is already influencing how API terms of service are written throughout the industry.
What Compliance Actually Looks Like for Product Teams
Concretely, if you're building AI products and have not engaged with compliance: start with use case classification. Identify whether any of your applications fall into high-risk categories under EU law or sector-specific regulation in your markets. High-risk applications need dedicated compliance work. Lower-risk applications still need privacy analysis, transparency documentation, and basic audit logging.
Treat compliance as a design input, not a checklist at the end. Human oversight mechanisms are easier to build in from the start than to retrofit. Regulation is not going to get simpler — the teams that invest in compliance infrastructure now will have a meaningful advantage when the next regulatory wave arrives, and it will arrive.
For teams building on foundation model APIs rather than training their own models, the EU AI Act compliance burden is primarily at the application layer. The key questions to answer for any AI feature in a European product: Does this system make or substantially influence decisions that affect people in the listed high-risk categories? If yes, you need a conformity assessment, technical documentation, human oversight mechanisms, and registration in the EU database before deployment.
Practical compliance infrastructure that scales: a centralized AI system inventory with risk classification, standardised documentation templates for each system (mapping to the Act's required documentation elements), an internal review process that triggers for high-risk classifications, and a designated EU AI compliance function that can interface with national supervisory authorities. Companies that have built this infrastructure proactively report significantly lower compliance costs than those doing it reactively under regulatory pressure — the pattern is identical to early GDPR adoption dynamics.
Sector-Specific Regulation Worth Knowing
Beyond the broad frameworks, sector-specific regulation is where the practical compliance burden actually lands for most product teams. In healthcare, the FDA's AI/ML Software as a Medical Device framework has matured significantly — if your product influences clinical decisions, you need to engage with it seriously. In financial services, regulators globally are issuing guidance on model explainability requirements that go beyond what most AI teams currently document. In HR and recruitment, several jurisdictions have enacted or proposed requirements for bias audits of algorithmic hiring tools.
The pattern across all of these: regulators are moving faster than most AI product teams expected, and the grace period for "we didn't know" is shrinking. The companies that engage with sector regulators proactively — sharing their documentation and inviting dialogue before there's a problem — are building relationships that will matter when the harder questions arrive.
The Compliance Infrastructure That Scales
The teams I've seen handle regulatory complexity well share a common infrastructure investment: a model card or system card for every AI system they deploy, a documented data lineage for every training dataset, a human review process for high-stakes decisions, and an incident response playbook specifically for AI failures. None of these are technically hard. All of them require discipline to maintain as systems evolve.
Build these before you need them. The alternative — scrambling to document what your system does after a regulator asks — is expensive, incomplete, and damaging to the trust relationship you want with regulators. Compliance infrastructure built under pressure looks different from compliance infrastructure built thoughtfully, and regulators can tell the difference.
References & Further Reading
- EU AI Act — Official Text — Full text of the EU Artificial Intelligence Act (Regulation 2024/1689)
- NIST AI Risk Management Framework (AI RMF 1.0) — US government framework for managing AI risk
- Executive Order on the Safe, Secure, and Trustworthy Development of AI (Oct 2023) — US federal AI governance executive order
- AI Governance in 2025: A Global Survey, Alan Turing Institute — Cross-jurisdictional comparison of AI governance approaches
Frequently Asked Questions
What AI regulations exist in 2026?
The EU AI Act is the most comprehensive regulation, fully in force in 2026, classifying AI systems by risk level with strict requirements for high-risk applications. The US has executive orders establishing safety standards for frontier models and federal agency guidance. China has regulations on generative AI services and algorithmic recommendation systems. The UK and Singapore have principles-based frameworks. Sector-specific regulations (medical AI, financial AI) are more mature than horizontal AI regulation in most jurisdictions.
What is the EU AI Act and who does it affect?
The EU AI Act is a horizontal regulation classifying AI applications by risk: prohibited (social scoring, real-time biometric surveillance in public), high-risk (medical devices, employment screening, law enforcement, critical infrastructure), and limited/minimal risk (most consumer applications). High-risk systems require conformity assessments, transparency documentation, human oversight measures, and post-market monitoring. It applies to any AI system deployed in the EU regardless of where the developer is based.
Does the EU AI Act apply to US companies?
Yes. The EU AI Act has extraterritorial scope similar to GDPR — it applies to any provider whose AI systems are used in the EU, regardless of where the company is headquartered. US companies serving EU customers with high-risk AI applications must comply with registration, documentation, and technical requirements. Non-compliance penalties are up to €35 million or 7% of global turnover for the most serious violations.
How should AI startups prepare for AI regulation?
AI startups should: document their AI systems' capabilities, limitations, and intended uses early (not retrofitted after deployment), conduct risk assessments to identify if they fall into regulated categories, implement data governance and model documentation practices as standard engineering hygiene, monitor regulatory developments in their target markets, and engage with legal counsel familiar with both EU AI Act and US federal/state developments. Building compliance into product development is far cheaper than retrofitting it.
