Key takeaways
- “AI regulatory” search results split between two meanings: government regulation of AI, and AI used inside compliance functions. This guide tracks the first meaning, which dominates ranking pages and search intent in 2026.
- Four anchor regimes shape day-to-day obligations for most organizations: the European Union AI Act (Regulation (EU) 2024/1689), the United States patchwork of federal guidance and state laws, the United Kingdom’s pro-innovation sectoral approach, and China’s content-rule framework led by the Cyberspace Administration of China.
- A treaty layer now sits on top: the Council of Europe Framework Convention on AI, the first legally binding international AI treaty, which the European Union ratified on 15 May 2026.
- Two operational standards keep this picture manageable: ISO/IEC 42001 as the AI management system backbone and the NIST AI Risk Management Framework as a controls library. One AI management system can satisfy several regulators at once when its controls are mapped correctly.
- The practical work is structured by obligation type: transparency, risk management, conformity assessment, post-market monitoring, incident reporting, and data governance. The jurisdiction a system operates in changes the deadlines and penalty caps, not the structure of the work.
What “AI regulatory” actually means in 2026
The phrase “AI regulatory” pulls together two distinct stories. The first, the one this guide covers, refers to government rules and binding international agreements that constrain how organizations build, place on the market, deploy, and supervise artificial intelligence. The second refers to AI systems used inside compliance and regulatory operations, sometimes called RegTech. The current top of the search results is dominated by the first meaning, with global trackers, country comparisons, and law-review essays consistently framing “AI regulatory” as a question about state action on AI.
The volume is large enough to confuse anyone reading without a map. Public AI Overview content cites more than 900 active AI regulations across 80 jurisdictions. That number sounds intimidating because lists count every directive, sector regulation, executive order, and ministerial guidance as one entry. Compliance teams do not feel 900 regulations as 900 distinct work items. They feel a handful of anchor regimes, a small set of recurring obligation types, and a few cross-cutting standards that let one set of controls satisfy several regulators at the same time.
That reframing is the point of this guide. The country-by-country listicle, which most ranking pages follow, is useful as a reference but unhelpful as an operating model. What follows is the operator’s view: anchor regimes first, treaty layer second, obligation type third, roles split fourth, and convergent operational backbone last.
The four anchor regimes
European Union AI Act, Regulation 2024/1689
The European Union AI Act entered into force on 1 August 2024 and applies in waves. Prohibited AI practices and AI literacy obligations have applied since 2 February 2025. Governance rules and obligations on general-purpose AI models have applied since 2 August 2025. The high-risk system regime, including the quality management system, conformity assessment, and post-market monitoring duties, becomes enforceable on 2 August 2026 for the standalone use cases listed in Annex III. High-risk systems that are safety components of products covered by the Union harmonisation legislation listed in Annex I (machinery, medical devices, vehicles, and similar) get until 2 August 2027.
The Act uses a risk-based architecture with four tiers. Prohibited practices include social scoring, untargeted scraping of facial images from the internet or CCTV footage to build facial recognition databases, and emotion recognition in workplaces and educational institutions, each with narrow exceptions. High-risk systems come from two lists: Annex I, safety components of products already subject to EU product legislation, and Annex III, standalone use cases such as employment, credit scoring, biometric identification, critical infrastructure, and law enforcement. They must meet a structured set of duties on risk management, data governance, technical documentation, logging, human oversight, accuracy, robustness, and cybersecurity. Limited-risk systems, mainly those interacting with natural persons or generating synthetic content, carry the transparency obligations of Article 50. Minimal-risk systems, the bulk of business AI, carry no specific obligations beyond voluntary codes of conduct.
Penalties cap at 35 million euros or 7 percent of worldwide annual turnover, whichever is higher, for breach of the prohibitions. Other breaches scale down to 15 million euros or 3 percent of turnover, and supplying incorrect information to regulators caps at 7.5 million euros or 1 percent of turnover. For SMEs and start-ups, each cap applies at the lower of the two amounts rather than the higher. Member State market surveillance authorities supervise AI systems on their market; the new AI Office at the European Commission supervises general-purpose AI models.
United States: federal patchwork and state laws
The United States runs on a different theory. There is no single federal AI law. Instead, sectoral regulators apply existing statutes (consumer protection, employment, finance, health) to AI use, while individual states pass targeted bills. State action has accelerated through 2025 and 2026, with the White & Case Global Regulatory Tracker and NCSL cataloguing dozens of enacted laws on automated decision systems, generative AI disclosures, deepfake elections content, and government use of AI.
The federal layer is mainly executive. Successive White House orders shape procurement standards, agency risk assessments, and disclosure rules. Independent agencies, the Federal Trade Commission, the Equal Employment Opportunity Commission, the Consumer Financial Protection Bureau, the Food and Drug Administration for medical devices, the National Highway Traffic Safety Administration for autonomous vehicles, each apply their existing toolkit to AI cases. Compliance work in the United States, more than in any other anchor regime, lives inside the operating manuals of the sectoral regulators rather than in a single AI statute.
United Kingdom: pro-innovation sectoral approach
The United Kingdom decided not to legislate horizontally. The pro-innovation approach routes AI rules through existing regulators (the Information Commissioner’s Office, the Competition and Markets Authority, the Financial Conduct Authority, Ofcom, and so on), guided by five cross-cutting principles: safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. The UK AI Security Institute (renamed from the AI Safety Institute in February 2025) evaluates frontier models and publishes its findings.
The UK opened a consultation on 21 October 2025 for the UK AI Growth Lab, a programme of cross-economy regulatory sandboxes that allow AI products to be tested under targeted regulatory modifications, with successful pilots feeding back into permanent rule changes. That signals continued movement away from a single AI act and toward iterative, sector-specific reform.
China: CAC-led generative AI rules
China’s framework is shaped by the Cyberspace Administration of China (CAC) and runs through a stack of specific instruments. The Interim Measures for the Management of Generative AI Services, in force since 15 August 2023, set out provider duties on training data legality, content labeling, user consent, and alignment with state values. The Algorithmic Recommendation Provisions (in force March 2022) and the Deep Synthesis Provisions (in force January 2023) layer on labeling and filing duties for recommendation engines and synthetic media. Since 1 September 2025, generated content provided to users in China must carry both an explicit (visible) label and an implicit (metadata) label under the CAC labeling measures. Providers of services with public opinion attributes or social mobilization capability must file their algorithms with the CAC and complete a security assessment before launch.
The Chinese regime is the most prescriptive of the four on content moderation duties. Those duties rarely transfer to products built for Western markets; they are a question mainly for organizations placing AI services on the Chinese market directly.
The treaty layer: Council of Europe Framework Convention on AI
A new layer sits on top of national regimes. The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225) is the first international treaty specifically devoted to AI governance that is legally binding on its parties. It commits signatories to ensure that AI activities are consistent with human rights, democracy, and the rule of law throughout the lifecycle of AI systems.
The European Union ratified the Convention on 15 May 2026 at the 135th Session of the Committee of Ministers in Chisinau, Republic of Moldova. Signatories also include the United Kingdom, the United States, Canada, Japan, Switzerland, Norway, Israel, Ukraine, Andorra, Georgia, Iceland, Liechtenstein, Montenegro, San Marino, and Uruguay. The treaty enters into force on the first day of the month following the expiration of three months after five signatories, including at least three Council of Europe member states, have ratified it.
The Convention does not duplicate the EU AI Act. It sets a treaty-level floor on rights protection, non-discrimination, transparency, oversight, accountability, and remedies that parties must transpose into their domestic frameworks. For an organization with operations in multiple signatory jurisdictions, the Convention reduces the risk of fundamental divergence on rights-related obligations and clarifies the human rights baseline that any AI governance programme must respect.
The operator’s playbook: obligations by type
Most published comparisons stop at the country breakdown. That is where the operator’s work actually begins. Across the anchor regimes plus the OECD AI Principles, with 49 adherents as of April 2026, the same families of obligation appear with local variation.
Transparency obligations
Disclosure duties run through every regime. Under Article 50 of the EU AI Act, providers of AI systems that interact directly with natural persons must make that clear unless it is obvious from context. Deployers of emotion recognition or biometric categorisation systems must inform the people exposed to them. Providers of generative systems must mark their output in a machine-readable format that allows detection, and deployers who publish deepfakes, or AI-generated text on matters of public interest, must disclose that. China requires both visible and metadata labeling of generated content. The United States adds state-level disclosure laws for automated decision systems in employment and consumer contexts. The practical control set is the same: an inventory of customer-facing AI surfaces, written disclosure templates per surface, watermarking pipelines for generative outputs, and a process to refresh disclosures when the system materially changes.
Risk management and conformity assessment
Article 9 of the EU AI Act requires a documented risk management system for high-risk AI, established, implemented, documented, and maintained throughout the system lifecycle. Conformity assessment, with internal control or notified body involvement depending on the use case, gates market placement. The structure mirrors product safety regulation: identify foreseeable risks, evaluate them, adopt mitigations, test residual risk, and re-assess after significant modifications. NIST’s AI Risk Management Framework, released in January 2023, and the Generative AI Profile published in July 2024 (NIST AI 600-1) supply the operational vocabulary, four core functions (Govern, Map, Measure, Manage) and twelve generative-AI-specific risk categories. Compliance teams that adopt the RMF as a controls library get most of the way to a credible Article 9 risk management system.
Post-market monitoring and incident reporting
Once a high-risk AI system is on the market, the obligations do not end. Article 72 of the EU AI Act requires providers to establish a post-market monitoring system proportionate to the nature of the system and its risks, with documented data collection, analysis, and corrective action loops. Article 73 obliges providers to report serious incidents to market surveillance authorities of the Member States where the incident occurred. Other regimes take a less formalized approach but expect similar mechanisms: the UK guidance asks regulated entities to be able to evidence ongoing oversight; United States sectoral regulators apply their own incident reporting (the FDA for adverse device events, banking regulators for operational risk incidents). The practical control set is shared, a feedback loop from production back to design, with an incident severity rubric and a reporting calendar mapped to the regulators in scope.
Data and model governance
Article 10 of the EU AI Act requires that the training, validation, and testing datasets of a high-risk system be relevant, sufficiently representative, and, to the best extent possible, free of errors and complete. It also sets specific data governance duties, including examination for possible biases and appropriate mitigation. China requires training data to be lawfully sourced. United States employment law requires job-related, business-necessity-justified screening logic when AI is used in hiring. ISO/IEC 42001 organizes the same questions under its AIMS impact assessment, data quality, and supplier oversight clauses. The convergence point is straightforward: a documented data lifecycle, lineage from source to model, periodic bias examination, and supplier diligence for data brokers and model vendors.
Who has to do what: a roles decision tree
The EU AI Act defines six operator roles: provider, deployer, importer, distributor, authorised representative, and product manufacturer. The duties depend on which role an organization holds for a given system. The same organization can be a provider for one system, a deployer for another, and a distributor for a third. Mapping roles per system, not per company, is the first step.
A provider develops an AI system, or has one developed, and places it on the EU market or puts it into service under its own name or trademark. Providers carry the heaviest obligation set for high-risk systems: design controls, quality management system, technical documentation, conformity assessment, declaration of conformity, CE marking, post-market monitoring, incident reporting, and corrective action.
A deployer uses an AI system under its authority, typically as part of a business or public-sector activity. Deployer duties include using the system in line with the provider’s instructions, ensuring human oversight, monitoring outputs, keeping logs, conducting a fundamental rights impact assessment where required (Article 27), and informing affected persons of automated decision-making.
An importer or distributor carries verification duties: confirm that the provider has met its obligations before placing the product on the EU market, that the declaration of conformity is present, that the CE marking is affixed, and that the user instructions are complete. A provider established outside the Union must appoint an authorised representative inside it (Article 22), who keeps the technical documentation available and acts as the contact point for authorities.
A general-purpose AI model provider, governed by Articles 53 and 55, must maintain technical documentation for the model and information for downstream providers, publish a sufficiently detailed summary of training content, put in place a policy that respects EU copyright law, and (when the model presents systemic risk under the Article 51 thresholds) conduct adversarial testing, report serious incidents to the AI Office, and ensure an adequate level of cybersecurity for the model and its physical infrastructure.
Sectoral overlays do not disappear. A bank deploying a high-risk credit-scoring system carries both EU AI Act deployer duties and the existing prudential and consumer-protection regime. A medical-device manufacturer using AI carries both EU AI Act provider duties and the Medical Device Regulation.
The convergent operating model: ISO/IEC 42001 plus NIST AI RMF
If the operator’s playbook above seems organized but heavy, that is by design. The work pays off when one programme satisfies several regulators at once. Two voluntary standards make that possible.
ISO/IEC 42001:2023 is the first international AI Management System (AIMS) standard. It provides a Plan-Do-Check-Act management structure familiar from ISO 9001 and ISO 27001, but specific to AI: AI policy, leadership commitment, planning (including AI system impact assessment), support, operation, performance evaluation, and continual improvement. The European version, EN ISO/IEC 42001:2026, brings the standard into the European harmonized landscape, which matters because conformity with a harmonised standard gives a presumption of conformity with the EU AI Act requirements that standard covers, once its reference is published in the Official Journal of the European Union.
The NIST AI Risk Management Framework takes the controls layer. Four functions (Govern, Map, Measure, Manage), each split into categories and subcategories, give a granular library that maps well to the risk management duties in the EU AI Act and the United States sectoral regimes and to the OECD principles; China’s content rules need additional, content-specific controls on top. The Generative AI Profile (NIST AI 600-1) adds twelve risk categories specific to generative AI (CBRN information, confabulation, dangerous or violent content, data privacy, environmental impact, harmful bias, human-AI configuration, information integrity, information security, intellectual property, obscene content, value chain), each linked back to RMF actions. NIST is also developing a Critical Infrastructure profile (concept note April 2026) and an Agent Interoperability profile planned for late 2026.
A working operating model uses ISO 42001 as the management spine and NIST AI RMF as the control library. Evidence collected once (data lineage records, impact assessments, monitoring logs, incident reports, training records) can be mapped against the EU AI Act Annex IV technical documentation, the OECD Due Diligence Guidance for Responsible AI (published 19 February 2026), the Council of Europe Framework Convention’s accountability and transparency commitments, and the upcoming European harmonized standards from CEN-CENELEC, including the prEN 18228 and prEN 18282 drafts on AI risk management and AI cybersecurity terminology.
This convergent model is also the answer to scale. The 900 regulations counted across 80 jurisdictions are not 900 distinct designs. They are mostly variations on the same obligation types with different deadlines, penalties, and procedural rules. A well-built AIMS turns each new regulation into a configuration question, not a rebuild.
FAQ
Who regulates AI in the United States? There is no single AI regulator. Sectoral agencies apply existing law to AI, the Federal Trade Commission on consumer protection, the Equal Employment Opportunity Commission on hiring, the Consumer Financial Protection Bureau on credit, the Food and Drug Administration on medical AI, the National Highway Traffic Safety Administration on autonomous vehicles, and so on. State legislatures pass narrower laws on automated decision systems, generative AI disclosures, and government use of AI. The White House sets policy through executive orders that bind federal agencies and shape procurement. The result is layered rather than centralized.
Is AI going to be regulated? It already is. The European Union AI Act, the Council of Europe Framework Convention on AI, China’s CAC framework, dozens of United States state laws, and sectoral applications of existing statutes everywhere amount to a working regulatory environment, not a future one. The question is no longer whether AI will be regulated but how to operationalize the obligations that already apply.
What is an AI regulator? In the EU AI Act sense, regulators are the national competent authorities designated by Member States to supervise AI systems on their market, plus the AI Office at the European Commission, which coordinates supervision of general-purpose AI models. In other jurisdictions, “AI regulator” usually means the sectoral agency applying its existing toolkit to AI cases. The Council of Europe treaty does not create a single supervisor and leaves national implementation to parties.
Does AI have any regulations today? Yes. The EU AI Act’s prohibited-practice and AI literacy provisions have applied since 2 February 2025, and GPAI obligations since 2 August 2025. China’s Interim Measures on generative AI have applied since August 2023. United States state laws on automated decisions in employment, finance, and insurance are enforceable now. Sectoral rules in health, finance, and consumer protection apply to AI use under existing statutory authority.
Which AI law has the largest fines? The EU AI Act, with a cap of 35 million euros or 7 percent of worldwide annual turnover, whichever is higher, for breaches of the prohibition list. Other AI Act breaches cap at 15 million euros or 3 percent. United States state laws and sectoral enforcement use different cap structures, often per-violation or revenue-based but lower in absolute terms.
Do startups have to comply with the EU AI Act? Yes, with proportional measures. The Act explicitly contemplates SMEs and start-ups through a simplified technical documentation form, priority access to regulatory sandboxes, notified body fees scaled to their size, and penalty caps set at the lower of the fixed amount and the turnover percentage. Start-ups must still meet the substantive obligations on prohibited practices, transparency, high-risk system design where applicable, and GPAI rules for foundation model developers.
Does ISO/IEC 42001 replace the EU AI Act? No. ISO/IEC 42001 is a voluntary management system standard. The EU AI Act is binding law. The standard is most useful as the implementation framework that makes EU AI Act compliance, and the equivalent duties under other regimes, operationally tractable. Certification can be a signal of governance maturity but is not a substitute for the legal duties themselves.
Conclusion: from tracker to operating model
The country tracker had its moment. It was useful when AI regulation was new, sparse, and unevenly distributed. In 2026 it is the wrong frame. With more than 900 active rules across 80 jurisdictions, a binding international treaty, and harmonized standards arriving on a quarterly cadence, no compliance team has the bandwidth to read every new regulation as a fresh problem.
The operating model wins. Anchor on the four regimes that account for most regulated AI activity. Treat new countries as overlays. Organize the work by obligation type. Use ISO/IEC 42001 as the management spine and NIST AI RMF as the controls library. Collect evidence once and map it many times.
AI Sigil provides exactly this backbone for regulated industries: EU AI Act conformity assessment, ISO/IEC 42001 management system support, and NIST AI RMF controls in a single governance, risk, and compliance system designed to absorb new rules without redesign.