Key takeaways
- There is no single global AI law. Compliance means tracking a patchwork of regional and national rules, and the
EU AI Actsets the tone for all of them. - The
EU AI Actis the reference regime worldwide: risk-tiered, extraterritorial, and backed by fines up to EUR 35 million or 7 percent of global turnover. - The United States has no comprehensive federal statute. It runs on a fast-moving patchwork of state laws, with Colorado and Texas in front.
- Voluntary standards,
ISO/IEC 42001and theNIST AI RMF, are the operating spine that lets one control set answer several laws at once. - The durable answer is not another legal tracker. It is one operating model: inventory your AI, classify it, map obligations to controls, and keep evidence.

What AI laws mean in 2026
When teams search for ai laws, they are usually looking at three layers of rules that now overlap. The first layer is binding law: statutes and regulations that carry penalties, such as the EU AI Act, the US state acts, and China’s algorithm and content measures. The second layer is certifiable standards, led by ISO/IEC 42001, the international standard for an AI management system that an accredited body can audit. The third layer is voluntary frameworks, such as the NIST AI RMF and the OECD AI Principles, which are not laws but increasingly shape what regulators and customers expect. The reason this matters is scale. By early 2026, more than 72 countries had launched over 1,000 AI policy initiatives, according to comparative regulatory analysis. Only two jurisdictions, the European Union and South Korea, have adopted comprehensive, horizontal AI statutes. Everywhere else, AI is governed by a mix of sector rules, data protection law, and narrower acts aimed at deepfakes, hiring, or elections. For a governance team, the practical takeaway is that ai laws cannot be read one at a time. A single AI system used across markets can trigger the EU AI Act, a US state act, and a sector regulator all at once. That is why the rest of this guide moves from the map of the rules to a way of operating that holds up across all of them. If your organization is starting from zero, the AI Sigil platform is built to turn this layered picture into a single register of obligations.
The global map of AI laws
AI regulation in 2026 clusters into four broad models. Each treats the same technology differently, so the model that applies to you depends on where your systems are built, deployed, and used.
European Union: the EU AI Act
The EU AI Act is the most complete AI law in force. It classifies systems into four risk tiers: unacceptable (banned), high-risk (heavily regulated), limited-risk (transparency duties), and minimal-risk (largely unrestricted). Obligations phase in over several years. Rules on prohibited practices and AI literacy applied first, general-purpose AI (GPAI) obligations have applied since 2 August 2025, and the core high-risk duties follow later. Under the Digital Omnibus provisional agreement of 7 May 2026, obligations for standalone high-risk systems in Annex III were deferred from 2 August 2026 to 2 December 2027, with product-embedded AI following in 2027, per the official implementation timeline. The Act reaches beyond EU borders: a provider or deployer outside the EU is covered when the system’s output is used in the Union. Penalties run up to EUR 35 million or 7 percent of worldwide turnover for prohibited uses, and up to EUR 15 million or 3 percent for high-risk breaches, as set out in the high-level summary.
United States: a federal vacuum and a state patchwork
The United States has no comprehensive federal AI statute. Instead, states legislate. In December 2025, the White House issued an executive action on a national AI policy framework that seeks to limit state-law obstruction, which adds a preemption question on top of the patchwork rather than removing it. Until that is settled, multistate operators must comply with each state that applies to them.
Asia-Pacific: comprehensive and content-first models
South Korea’s AI Basic Act took effect on 22 January 2026, making it the second jurisdiction after the EU with a comprehensive AI law. China enforces a different model built on binding measures: algorithm registration with the Cyberspace Administration, mandatory labeling of AI-generated content, and security self-assessments. Singapore and Japan lean on frameworks and testing tools rather than hard statutes.
United Kingdom and principles-based regimes
The United Kingdom has chosen a principles-based, regulator-led approach with no dedicated AI statute, relying on existing law and sector regulators, according to a 2026 comparison of the major regimes. Several other economies follow the same adaptive pattern, which keeps rules flexible but leaves more interpretation to the organization.
Which AI laws apply to you
Before reading any statute, answer two questions: what is your role, and where is the output used. These two axes decide most of your obligations. Role is the first axis. The EU AI Act, and most laws modeled on it, separate the provider (who develops or places a system on the market) from the deployer (who uses it under their own authority). Providers carry the heavier load: technical documentation, conformity assessment, and registration. Deployers carry a lighter but real set of duties. Under Article 26, a deployer must use a high-risk system in line with the provider’s instructions, assign competent human oversight, monitor operation and suspend use where risk appears, and keep automatically generated logs for at least six months, as summarized in the Act’s high-level summary. Many organizations are deployers of third-party AI and providers of their own, so they hold both sets of duties at the same time. Territory is the second axis. Extraterritorial reach means the question is not where you are based but where the system’s output lands. If output is used in the EU, the EU AI Act can apply. If a decision affects a Colorado or Texas resident, that state’s act can apply. Sector overlays then add a third layer: finance, healthcare, and employment carry their own AI-relevant rules regardless of the horizontal law. A short applicability checklist: list each AI system, mark whether you provide it or deploy it, note every market where its output is used, and flag any regulated sector it touches. That single table tells you which of the ai laws in this guide are live for you, and it becomes the backbone of the operating model described below. A structured AI risk management register makes this repeatable rather than a one-time spreadsheet.
US state AI laws: the fastest-moving front
The most common question behind ai laws is a US one: which states regulate AI. The pace is steep. States enacted 145 AI bills in 2025, per the NCSL legislation summary, and 29 states enacted AI legislation in 2026, with more than 38 states now holding at least one narrower AI law, often aimed at deepfakes or election content, according to a mid-2026 review of state legislation. Two states show how quickly the ground shifts. Colorado passed SB 24-205, a broad consumer-protection AI act, effective 30 June 2026 after a delay from 1 February 2026. In May 2026, the state repealed and replaced it with SB 26-189, a narrower statute on automated decision-making technology, effective 1 January 2027, as tracked by Cooley. Texas took a different route with the Texas Responsible AI Governance Act (TRAIGA, HB 149), signed 22 June 2025 and effective 1 January 2026, which focuses on a short list of banned uses plus rules for state-government AI, per a state-by-state guide. The lesson for compliance teams is that state acts are moving targets. Effective dates slip, scopes narrow, and definitions change between sessions. Tracking the text is necessary but not sufficient. What lasts is a control layer that can absorb a new state act without a rebuild, which is the subject of the next section.
From legal text to operational controls
This is where most legal trackers stop and where a governance team has to start. Laws describe outcomes; they do not run inside your business. To turn ai laws into daily practice, use a four-step operating model. Step one is inventory. You cannot govern what you cannot see. Build a single register of every AI system, including third-party tools and quietly adopted ones, so that shadow AI does not sit outside the perimeter. Each entry records purpose, data used, owner, and the markets where output is used. The AI Sigil registry exists to make this the source of truth. Step two is classification. Against that register, classify each system by risk and by role. Map it to the EU AI Act tiers, flag whether you are provider or deployer, and tag the jurisdictions in scope. Classification is what converts the applicability table from the earlier section into a prioritized workload. Step three is control mapping. Here is the point that changes the economics of compliance. Most ai laws ask for the same underlying behaviors: risk assessment, data governance, human oversight, logging, transparency, and incident response. Rather than writing a control set per law, define one library of controls and map each control to the obligations it satisfies across laws. A single human-oversight control can answer the EU AI Act, a US state act, and an internal policy at once. Step four is evidence. Regulators and auditors do not accept intentions; they accept records. Every control needs an owner, a cadence, and stored proof: assessments, approvals, logs, and sign-offs. When evidence is captured as work happens, an audit becomes a query rather than a scramble. Note that this is about coverage and completeness of controls, not a single weighted score.
Standards as the compliance spine: ISO 42001 and NIST AI RMF
The control library in step three does not have to be invented. Two standards already provide it, and using them is what lets one program answer many laws. ISO/IEC 42001 is the international standard for an AI management system (AIMS). It is certifiable, which means an accredited body can audit your program and issue a certificate that customers and regulators recognize. It gives you the governance structure: policy, roles, risk process, controls, and continual improvement. The NIST AI RMF is a voluntary US framework organized around four functions, govern, map, measure, and manage, and it is stronger on the practical how of risk work. The two fit together: ISO/IEC 42001 supplies the auditable management system, and the NIST AI RMF supplies the risk method inside it, a pairing described in a plain-English comparison of the three regimes. The payoff is cross-jurisdiction reuse. NIST publishes crosswalks from its framework to the OECD Recommendation and to ISO/IEC 42001, and both standards align closely with the EU AI Act’s expectations for risk management, documentation, and oversight. Build your control library around these standards and a large share of your obligations under the EU AI Act, the US state acts, and the APAC regimes are satisfied by the same evidence. You maintain one program, not one per law. AI Sigil ships its control library pre-mapped to ISO/IEC 42001 and the NIST AI RMF for exactly this reason.
Building an AI compliance operating model
Putting the pieces together gives a practical playbook that survives new legislation. Start with the register as the single source of truth for every AI system in use. Layer risk tiers on top so that high-risk systems get the most attention. Split your controls into two groups: foundational controls that apply to the whole organization, such as an AI policy or an AI literacy program, and system controls that apply to a specific use case, such as bias testing or human oversight for a hiring model. Governance needs a home. Assign a committee or accountable owner with real authority to approve high-risk uses, review incidents, and sign off on evidence. Set a monitoring cadence so that controls are re-attested on a schedule rather than checked once and forgotten, because ai laws and your own systems both change between reviews. The advantage of this model is that a new law becomes an update, not a project. When the next state act or delegated regulation lands, you map its requirements to controls you already run, close any gaps, and keep moving. That is the difference between chasing legal text and operating a governance program. The AI Sigil platform is designed to run this loop end to end, from register to evidence.
FAQ
What are the laws of AI? The laws of AI are the binding statutes and regulations that govern how AI is developed and used, plus the standards and frameworks that shape expectations. The clearest binding law is the EU AI Act. Others include US state acts, China’s algorithm and content measures, and South Korea’s AI Basic Act. Alongside these sit certifiable standards such as ISO/IEC 42001 and voluntary frameworks such as the NIST AI RMF, which are not laws but often decide what regulators and customers accept. Which US states have AI laws? More than 38 US states hold at least one AI law, and 29 states enacted AI legislation in 2026. Many of these target narrow issues such as deepfakes or election content. A smaller group has broad, cross-sector rules, with Colorado and Texas the most prominent examples. Because effective dates and scopes change often, the count is best treated as a moving figure rather than a fixed list. Is there a global AI law? No. There is no single global AI law and no world regulator. The closest thing to a global reference point is the EU AI Act, because its extraterritorial reach means many non-EU organizations must comply, and because other governments borrow its risk-tiered structure. Global standards such as ISO/IEC 42001 also create a shared baseline, but they are voluntary rather than binding. What is the EU AI Act and who does it apply to? The EU AI Act is the European Union’s comprehensive AI law. It sorts systems into risk tiers and imposes the heaviest duties on high-risk uses. It applies to providers and deployers, including those outside the EU when the system’s output is used in the Union. Penalties reach up to EUR 35 million or 7 percent of global turnover for prohibited practices. What are the new AI laws in 2026? In 2026, South Korea’s AI Basic Act took effect, Texas TRAIGA became effective on 1 January, and Colorado replaced its original AI act with a narrower automated decision-making statute set for 2027. The EU also deferred parts of the AI Act’s high-risk timeline to December 2027. At the same time, dozens of US states passed narrower measures, keeping the landscape in constant motion. How do companies comply with AI laws across countries? The efficient path is one operating model rather than one project per law. Inventory every AI system, classify each by risk and by role, map obligations to a shared control library built on ISO/IEC 42001 and the NIST AI RMF, and keep evidence for each control. Because these standards align with most AI laws, the same controls and records satisfy several regimes at once, so a new law becomes an update instead of a rebuild.
Conclusion
The defining feature of ai laws in 2026 is fragmentation. There is no single global rulebook, the EU AI Act leads while its own timeline shifts, and the US state patchwork changes session by session. Trying to keep up law by law is a losing race. The organizations that stay compliant treat the patchwork as a permanent condition and answer it with structure: a single AI register, clear risk classification, a control library mapped to ISO/IEC 42001 and the NIST AI RMF, and evidence captured as work happens. That operating model turns each new statute into a manageable update rather than a fire drill. To build it on one platform, from register to audit-ready evidence, start with AI Sigil.