AI Laws: 2026 Guide to US and Global Regulation
AI laws and regulation in 2026 are a fast-moving puzzle. This guide is for AI builders, deployers, investors, and legal teams who need to understand the evolving landscape of AI laws to help you navigate compliance and risk in a rapidly changing legal environment. If you build, deploy, or invest in artificial intelligence systems, you’re now navigating a fragmented landscape where US federal actions, aggressive state statutes, and ambitious global frameworks like the EU AI Act all demand attention. This guide cuts through the noise to give you what actually matters.
Key Takeaways
The US still lacks comprehensive federal ai legislation, but Trump’s December 11, 2025 Executive Order and America’s AI Action Plan are actively reshaping the balance between federal policy and state ai laws-with litigation likely to follow.
Major state laws take effect in 2026: California’s Transparency in Frontier Artificial Intelligence Act (January 1), Texas’s RAIGA (January 1), and the Colorado AI Act (June 30), each imposing distinct duties around transparency, high-risk ai systems, and discrimination.
Globally, the EU AI Act enters full application by August 2026, while China’s Interim AI Measures and South Korea’s AI Act set stricter, risk-based standards that cross-border AI teams must track.
Organizations need flexible, jurisdiction-aware ai governance programs to adapt as courts and regulators clarify how these overlapping ai laws will actually be enforced.
Practical compliance starts with an AI inventory, alignment with recognized frameworks like NIST’s AI RMF, and continuous monitoring of structural legal shifts rather than chasing every draft ai bill.
What Are “AI Laws” in 2026?
Many jurisdictions have implemented AI-specific laws, while others address AI-related concerns through existing legal frameworks. AI laws encompass any binding rules-statutes, regulations, or executive orders-that specifically target ai systems or heavily impact how ai technology can be developed, deployed, and used. They’re distinct from voluntary guidelines or ethics principles, though those often inform the binding rules.
The EU AI Act is the first comprehensive horizontal legal framework for the regulation of AI systems across EU Member States.
Understanding the landscape requires separating three categories:
Category | Examples | Binding? |
|---|---|---|
AI-specific laws | EU AI Act, Colorado AI Act, California TFAIA | Yes |
General laws applied to AI | Privacy statutes, consumer protection, anti-discrimination | Yes |
Soft-law frameworks | NIST AI RMF, OECD AI Principles, company ethics codes | Usually no |
The 2026 ai regulation environment is characterized by fragmentation. The US has no single federal AI statute, so federal vs. state tensions dominate. Meanwhile, the EU, US, and China operate under sharply different philosophies-the EU prescriptive and risk-tiered, the US leaning innovation-first, China integrating AI rules with content and security policy.
For busy AI leaders (the core KeepSanity AI readership), the goal isn’t memorizing every statute. It’s understanding the main regimes, timelines, and risk themes they introduce-then building governance that can flex as clarity emerges.
US Federal AI Policy: Executive Orders and National Frameworks
The US still has no single comprehensive AI statute. In 2026, the federal landscape is driven by executive orders, policy plans, and existing agency powers rather than new federal legislation passed by Congress.
President Trump signed Executive Order 14365 on December 11, 2025, titled “Ensuring a National Policy Framework for Artificial Intelligence.” Its core aim: maintaining American leadership in ai development via a minimally burdensome national policy framework that can preempt conflicting state laws.
This order rescinded the Biden administration’s October 2023 AI executive order, which had emphasized safety testing and equity reporting for frontier ai models. The shift moves away from broad “AI safety” mandates toward economic policy and national security competitiveness-explicitly targeting “global AI dominance.”
Complementing the executive order, America’s AI Action Plan (published July 2025) outlines over 90 initiatives:
Boosting AI research funding through NSF and other federal agencies
Expanding ai compute infrastructure via public-private partnerships
International AI diplomacy (G7 Hiroshima AI Process)
Voluntary risk-management practices aligned with NIST’s AI Risk Management Framework
The earlier statutory foundation-the National Artificial Intelligence Initiative Act of 2020-still underpins federal R&D coordination, NIST standards work, and cross-agency collaboration in 2026. It’s the quiet backbone supporting efforts like the AI Safety Institute and ongoing AI RMF updates.
Trump’s 2025 Executive Order: Building a Uniform Federal AI Framework
This section breaks down the December 2025 Executive Order and its potential to disrupt state ai laws taking effect in 2026. If you’re tracking compliance obligations, these are the mechanics that matter.
Core Policy Statement
The order commits the US to “global AI dominance” under a uniform federal policy framework that is explicitly “minimally burdensome.” It directly challenges what the Trump administration calls state-level “regulatory patchworks.”
AI Litigation Task Force
Within 30 days of December 11, 2025, the Department of Justice was required to create an ai litigation task force. Its mandate:
Identify state laws that unconstitutionally burden interstate commerce
Challenge state ai laws that conflict with federal ai policy
Target laws compelling alterations to “truthful outputs” of ai models
Address potential First Amendment violations
Commerce Department Evaluation
By March 11, 2026, the Secretary of Commerce must publish an evaluation of existing state ai laws, flagging “onerous” statutes. Examples of problematic laws include those that:
Force ai systems to distort factual content
Impose excessive disclosure requirements
Require ai models to produce outputs that the administration considers ideological bias corrections
Federal Communications Commission Proceedings
Within 90 days of key publications, the Federal Communications Commission must initiate proceedings for a federal AI reporting and disclosure standard. The intent: this rule would preempt conflicting state transparency requirements for ai models.
Federal Trade Commission Policy Statement
The FTC issues a policy statement clarifying that the FTC Act preempts state ai laws requiring “deceptive changes” to AI outputs. The order explicitly cites the Colorado AI Act as potentially problematic-arguing it could force models to produce “false results” to mitigate discrimination risks.
Funding Leverage
States whose ai laws are identified as “onerous” may lose access to certain federal funds, including:
Broadband Equity Access and Deployment (BEAD) Program funds
Discretionary grants conditioned on compliance with federal AI policy
This creates strong financial incentives for states to align with the federal ai framework.
Carve-Outs Preserved
The executive order explicitly preserves state authority in specific areas:
Child safety regulation
AI compute and data center infrastructure (excluding generally applicable permitting reforms)
State government procurement rules
What This Means
For companies, expect litigation and uncertainty. Courts will ultimately decide how far the executive order’s preemption vision extends against California, Colorado, and Texas AI statutes. The ai litigation task force may seek injunctive relief against specific state provisions, but outcomes remain unclear through at least 2027.
Key US State AI Laws Taking Effect in 2026
While the federal government talks about uniform federal policy framework, 2026 is the year several major state ai laws actually start to bite. These require immediate compliance decisions.
Three flagship regimes demand attention: California’s Transparency in Frontier Artificial Intelligence Act (TFAIA), Texas’s Responsible Artificial Intelligence Governance Act (RAIGA/TRAIGA), and the Colorado AI Act. They share themes-risk-based regulation, transparency, anti-discrimination-but implement them in different, sometimes conflicting ways.
Each law has its own triggers and enforcement structures:
State | Effective Date | Key Triggers | Enforcement |
|---|---|---|---|
California TFAIA | January 1, 2026 | 10^26 FLOPs, $500M revenue | State authority |
Texas RAIGA | January 1, 2026 | Impact on Texas residents | Attorney General, civil penalties |
Colorado AI Act | June 30, 2026 | High-risk decision domains | Attorney General, civil penalties |
California’s Transparency in Frontier Artificial Intelligence Act (TFAIA)
The California AI Transparency Act framework (TFAIA) takes effect January 1, 2026, targeting “frontier” ai development activity occurring in or significantly affecting California.
Who qualifies as a “frontier developer”:
Entities training large-scale ai models requiring more than 10^26 floating-point operations (FLOPs)
Or a comparable compute threshold set by regulators
Revenue threshold: Frontier developers with annual global revenue of at least USD 500 million must prepare and publish a “Frontier AI Framework” describing:
Catastrophic risk assessments (including existential threats from loss of control)
Red-teaming protocols for adversarial testing
Safety policies and incident response plans
Critical safety incident reporting: Developers must monitor, document, and report serious system failures or misuse events within specified timelines. Reportable incidents include:
Unauthorized model weight access or modification causing death or injury
Catastrophic harms from control loss
Deceptive bypasses of safeguards
The TFAIA layers atop concurrent California laws also effective January 1, 2026:
AB 2013 (Training Data Transparency Act): Requires dataset disclosures for generative ai training, with penalties up to USD 5,000 per violation
SB 942: Mandates labeling of AI-generated content, addressing abstract digital formats and concerns about deceased personality’s voice usage in sound recording contexts
This creates a dense compliance environment for companies with large-scale AI operations touching California residents.
Texas RAIGA/TRAIGA: Responsible AI Governance with a Sandbox
Texas enacted the Responsible Artificial Intelligence Governance Act (RAIGA or TRAIGA), effective January 1, 2026. It applies to developers and deployers operating ai systems that impact Texas residents.
Prohibited restricted purposes:
Defined categories of social scoring
Unlawful surveillance or unlawful discrimination
Targeted deception (narrowly defined to require intent, not mere disparate impact)
Attorney General powers: The Texas Attorney General may:
Require technical documentation and system descriptions
Demand risk assessment for covered ai systems
Seek civil penalties for violations
Liability defenses: Liability often hinges on knowledge or intent. Defenses include:
Self-identifying harmful issues
Timely mitigation
Adherence to recognized frameworks (e.g., NIST AI RMF)
36-month regulatory sandbox: Texas offers a distinctive feature-businesses can test certain ai systems under relaxed regulatory conditions for up to 36 months, subject to:
Pre-approval and agreed safeguards
Reporting requirements
No blanket immunity from enforcement
Texas positions itself as “pro-innovation but tough on abuse.” This may attract AI firms willing to operate under a sandbox model, though exposure to high-profile enforcement remains if harms occur.
Colorado AI Act: Risk-Based Consumer Protection
The Colorado AI Act (S.B. 24-205) represents one of the first explicit, risk-based US state AI frameworks. Delayed to effective June 30, 2026, it focuses on “high-risk” ai systems making or shaping consequential decisions about consumers.
High-risk domains include:
Employment (hiring, termination, promotions)
Lending and credit decisions
Housing
Insurance eligibility
Education admissions
Access to health care services and essential public services
Reasonable care duty: Developers and deployers of high-risk ai tools must use reasonable care to protect consumers from algorithmic discrimination-bias based on protected characteristics like race, gender, or disability.
Required compliance elements:
Impact assessments documenting data sources and model limitations
Consumer notice and appeal rights
Mechanisms for human review of adverse decisions (addressing automated decision making systems and automated decision making technology concerns)
Enforcement: The Colorado Attorney General can bring actions for violations, with civil penalties and injunctive relief. No private right of action exists, but Colorado becomes a focal point for early AI discrimination enforcement in the US.
Global AI Law Landscape: EU, China, and Beyond
While US law is still converging, 2026 is the year when several non-US regimes operationalize detailed AI statutes affecting any company serving those markets.
The emerging global split:
EU and some Asian jurisdictions: Prescriptive, risk-based regulation
US and UK: Flexible or soft-law frameworks
China: Administrative measures tightly integrated with content and security policy
Critically, many of these laws have extraterritorial reach. If an ai system targets EU users or is placed on the EU market, the EU AI Act may apply regardless of where the provider is based.
European Union: The EU AI Act
The EU AI Act stands as the world’s first comprehensive, horizontal artificial intelligence act. Finalized in 2024-2025, it enters phased applicability with full application by August 2026.
Risk-based structure:
Risk Level | Examples | Requirements |
|---|---|---|
Unacceptable (banned) | Real-time remote biometric ID by law enforcement (with narrow exceptions), manipulative subliminals, emotion inference at work/school | Prohibited |
High-risk | Employment hiring tools, credit scoring, medical devices, critical infrastructure | Full compliance regime |
Limited-risk | Chatbots, deepfake generators | Transparency duties |
Minimal-risk | Most AI applications | Voluntary codes |
Core high-risk obligations:
Data governance and quality controls
Technical documentation and logging
Robustness and cybersecurity requirements
Human oversight mechanisms
Conformity assessments (CE marking) before market placement
Penalties: Administrative fines can reach up to EUR 35 million or 7% of global annual turnover for banned practices violations-similar in scale to GDPR. AI law breaches could be financially existential for major players.
Governance: The Act creates an EU AI Office to coordinate enforcement and update technical standards. National supervisory authorities handle day-to-day oversight.
China: Interim Measures for Generative AI
China’s Interim Administrative Measures for Generative Artificial Intelligence Services, effective since August 2023, continue shaping generative ai offerings in 2026.
Key requirements for public-facing generative AI tools:
Registration with regulators
Security assessments
Outputs must reflect “core socialist values”
Cannot undermine national security or social stability
Operational obligations:
Data source legality (respecting content rules and IP constraints)
Content filtering for prohibited outputs
User identity verification in some contexts
Rapid remediation of problematic outputs
Leading platforms like Baidu’s Ernie implement localized models with heavy content filtering for China-based deployment, creating significant divergence from versions deployed globally. These measures integrate with 2024 Generative AI Safety National Standards specifying training data audits.
Canada
Canada’s Artificial Intelligence and Data Act (AIDA): This federal ai bill, proposed in 2022 and advancing through the legislative process in mid-2026, would regulate “high-impact” ai systems, impose risk-management duties, and empower regulators. It includes Criminal Code amendments for reckless AI harms.
UK
UK approach: The UK relies on “pro-innovation, pro-flexibility” guidance rather than a single Artificial Intelligence Act. Existing regulators (ICO for data protection, CMA for competition, FCA for financial services) apply current legal frameworks to AI. The option to legislate remains if gaps emerge.
South Korea
South Korea’s Framework Act on AI: Enacted December 2024 with phases through 2025-2026, it defines AI broadly as a machine based system inferring outputs influencing environments. It promotes R&D funding (KRW 2.5 trillion by 2027) and introduces early governance requirements.
Multilateral Initiatives
Multilateral initiatives:
G7 Hiroshima AI Process (Code of Conduct, 2025 updates)
OECD AI Principles (adopted by 47 countries)
UN resolutions promoting human rights in AI
Council of Europe AI Convention (2024, ratifying through 2026)
These foster harmonization on accountability and transparency but lack binding enforcement power.
Core Legal Themes Across AI Laws
Rather than memorizing country-by-country details, AI builders should understand the recurring legal themes and design for them by default.
Transparency: Requirements to disclose AI use, label synthetic content, and explain key characteristics of high-risk systems appear across virtually every regime. Whether it’s the California transparency act provisions, EU chatbot disclosure rules, or the FCC’s potential federal disclosure standards.
Safety and robustness: Obligations for testing (red-teaming), monitoring, incident reporting, and controls against catastrophic misuse. California’s TFAIA critical incident reporting and EU high-risk system requirements exemplify this trend.
Fairness and non-discrimination: Laws like the Colorado AI Act and FTC enforcement against biased AI use show that algorithmic discrimination is moving from ethics slides into concrete legal risk. Companies must protect consumers from discriminatory automated decisions.
Accountability and governance: Many regimes require clear assignment of responsibilities across the AI lifecycle:
Developers: document risks, conduct testing
Deployers: perform impact assessments, ensure human oversight
Distributors: verify conformity
Documentation (impact assessments, risk registers, model cards) must stand up in court or to regulators.
Data protection and IP: Existing privacy statutes (GDPR, CCPA, state privacy laws) and copyright rules increasingly interact with AI training data. The data transparency act requirements in California and ongoing litigation like NYT v. OpenAI highlight that training data provenance is now a core compliance issue.
Practical Compliance: How Companies Can Navigate AI Laws
For AI leads and legal teams, the goal is pragmatic: stay compliant without drowning in every minor bill or guidance document. Here’s what works.
AI Inventory
Build an AI inventory: Maintain an up-to-date map of models, datasets, and use cases across your organization. Annotate with:
Geographic deployment locations
Risk level (high-risk vs. experimental)
Applicable regulations by jurisdiction
Framework Alignment
Align with recognized frameworks: NIST’s AI Risk Management Framework and ISO/IEC AI standards (like ISO 42001) create defensible practices across multiple jurisdictions. Alignment demonstrates reasonable care and can serve as a defense under regimes like Texas RAIGA.
Legal Review Integration
Integrate legal review into AI lifecycles: Include counsel or compliance in:
Model design decisions
Procurement and vendor selection
Deployment decisions
Major updates
Don’t wait until launch or an incident to involve legal.
Incident Reporting
Establish incident detection and reporting processes: Define thresholds for when to notify regulators under:
California TFAIA (critical safety incidents)
EU AI Act (serious incidents for high-risk systems)
Other applicable regimes
Build communication templates for affected users.
Contract Language
Lock down contract language: Ensure vendor and customer agreements address:
AI responsibilities and liability allocation
Data usage rights
Audit and documentation access
Compliance cooperation
Ongoing Monitoring
Commit to ongoing monitoring: The 2025 executive order, emerging state acts, and evolving EU secondary legislation mean AI compliance is not a one-time project. Build monitoring into your regular operations through federal agencies updates, state law trackers, and targeted legal alerts.
How to Stay Sane While Tracking AI Laws
This is where KeepSanity AI’s core philosophy applies: reduce noise, surface only what matters.
Build a lean monitoring stack:
Subscribe to 1-2 high-signal AI legal trackers (e.g., Orrick’s US State AI Law Tracker)
One weekly summary newsletter for major developments
Targeted alerts for your key jurisdictions rather than daily news overload
Appoint an internal “AI law vanguard”: Often one person in legal plus one in AI/ML, responsible for:
Triaging changes
Mapping them to concrete product impacts
Briefing leadership on what requires action
Focus on structural shifts: Chase the big moves, not every draft bill:
Enactment of EU AI Act high-risk obligations
New federal preemption moves from the ai litigation task force
Major state laws becoming effective
Most draft bills never pass. Don’t build compliance programs around speculation.
Design for flexibility: When uncertainty is high-such as pending court challenges to the 2025 executive order-build modular governance processes that can be tightened or relaxed as clarity emerges. Prioritize adaptability over rigid, jurisdiction-specific silos.
The ai race is real, and so is the regulatory attention. But panicking at every headline wastes resources. Focus on your highest-risk use cases, align with frameworks that travel across borders, and let courts and regulators sort out the edge cases before you overreact.
FAQ
Do AI laws apply to small startups, or only to big tech companies?
While some rules explicitly target very large developers-California’s TFAIA Frontier AI Framework obligations require USD 500M+ in revenue and 10^26 FLOPs compute-many ai regulations apply regardless of company size.
The Colorado AI Act can apply to smaller firms offering high-risk decision tools in employment or lending. EU AI Act obligations depend on the nature of the system, not company size. And existing consumer protection or discrimination laws in the US already cover small employers and service providers using AI for consequential decisions.
If you’re deploying ai tools that affect individuals in covered jurisdictions or high-risk domains, size alone won’t exempt you.
Is there a single definition of “AI” in law that I can rely on?
No universal, uniform legal definition exists. The EU AI Act, US federal initiatives, and state privacy laws each define AI or “automated decision-making” in slightly different ways.
Most definitions focus on machine-based systems that infer from inputs to generate outputs (predictions, recommendations, decisions) affecting real-world environments or individuals. But thresholds vary-some laws target specific compute levels, others focus on use cases, and some capture any algorithmic decision system.
Always check the specific definition in each regime you’re subject to. It determines whether your tools fall within scope.
How do AI laws interact with existing data protection and privacy rules?
AI laws typically sit on top of existing privacy frameworks rather than replacing them. You must comply with both simultaneously.
Practical examples:
Training AI on personal data in the EU still requires GDPR compliance (lawful basis, minimization, data subject rights)
US state privacy acts (CCPA/CPRA in California, CPA in Colorado) restrict how personal data can be collected and used for AI
China’s data and cybersecurity laws heavily constrain cross-border data flows for AI training
Data governance-lawful basis, minimization, security, rights handling-is now core to AI compliance, not a separate issue.
Can I rely on “sandbox” programs to avoid AI liability?
Regulatory sandboxes like Texas RAIGA’s 36-month program or EU member state variants can reduce enforcement risk during supervised experimentation-but they don’t grant blanket immunity.
Sandbox participation typically requires:
Defined, pre-approved use cases
Regular reporting to regulators
Guardrails on who can be exposed to the system
Clear exit criteria and transition plans
Treat sandboxes as opportunities to test and document robust controls early, not as a way to ignore long-term compliance obligations. Harms that occur during sandbox testing can still trigger enforcement action.
What should I prioritize if I’m just starting to build an AI compliance program?
Start with three building blocks:
Accurate inventory: Know what ai systems and use cases exist across your organization
Lightweight risk classification: Categorize systems as high vs. low risk, aligned with EU/Colorado-style definitions
Standardized documentation templates: Create reusable formats for data sources, model behavior, human oversight, and risk assessment
Once those are in place, layer jurisdiction-specific requirements (EU AI Act, Colorado AI Act, California TFAIA) rather than building bespoke processes for each law from scratch.
Prioritize your most consequential ai use cases first-hiring, lending, health, or safety-critical systems-because those are most likely to be treated as “high-risk” under emerging laws and face the maximum extent of regulatory scrutiny.
The ai laws landscape in 2026 demands vigilance without panic. Build flexible governance, focus on high-risk use cases, align with frameworks that travel across jurisdictions, and monitor structural shifts rather than every draft bill. The signal is there-you just need to filter out the noise.