AI regulation news today reads like a patchwork — dozens of jurisdictions moving at different speeds, with different priorities, towards rules that will reshape how every organisation builds and deploys AI. If you only track one country’s developments, you are already missing obligations that may apply to your business.
This article cuts through the noise. We cover the major regulatory developments across the EU, US, UK, and G7 as of March 2026, and translate each into concrete actions for business leaders.
À retenir
- The EU AI Act has three deadlines already in force, with high-risk system obligations arriving in August 2026
- Colorado and Illinois lead a wave of US state-level AI laws targeting automated decision-making and biometric data
- The UK is shifting from voluntary principles towards binding obligations for frontier AI models
- The G7 Hiroshima AI Process established an international code of conduct for AI developers
- Organisations operating across borders face overlapping compliance requirements — preparation now avoids costly retrofitting later
EU AI Act: three deadlines down, two to go
The EU AI Act remains the most comprehensive AI regulation in the world. Since entering into force on 1 August 2024, it has moved from abstract policy to enforceable law faster than many organisations anticipated.
As of March 2026, three major milestones are already in effect:
- Prohibited AI practices became illegal on 2 February 2025 — including social scoring, subliminal manipulation, and workplace emotion recognition
- Article 4 (AI literacy) has applied to every organisation using AI since 2 August 2025 — requiring documented staff training proportionate to each role
- General-purpose AI obligations and the GPAI Code of Practice took effect alongside Article 4
The next critical deadline is 2 August 2026, when high-risk AI system obligations begin. Organisations using AI in employment, education, credit scoring, or essential services must have risk management systems, technical documentation, and human oversight mechanisms in place. For a full breakdown, see our guide to EU AI Act requirements.
€35M
maximum fine under the EU AI Act for non-compliance with high-risk AI obligations — or 7% of global annual turnover
Source : EU AI Act, Article 99
The enforcement landscape is also maturing. National authorities across all 27 member states are building dedicated AI oversight teams, and the EU AI Office in Brussels is coordinating cross-border enforcement. Organisations without documented AI governance frameworks are increasingly exposed.
US AI regulation: states lead where federal law stalls
The United States has no federal AI legislation. Multiple proposals have circulated through Congress, but none has passed. The real regulatory action is happening at state level — and it is moving quickly.
Colorado AI Act
Colorado’s AI Act, signed in May 2024 and effective from 1 February 2026, is the most significant US state-level AI law to date. It targets “high-risk AI systems” — a term deliberately echoing the EU AI Act — and requires:
- Impact assessments before deploying AI systems that make consequential decisions about employment, housing, insurance, education, or lending
- Notice obligations — consumers must be told when AI is making or substantially influencing decisions about them
- Bias auditing — developers and deployers must evaluate systems for algorithmic discrimination
- Documentation requirements — records of system design, training data, and risk mitigation efforts
Colorado’s law applies to any organisation serving Colorado residents, regardless of where the company is headquartered. For international businesses already working towards EU AI Act compliance, the overlap is significant — and strategic.
Illinois and biometric AI
Illinois continues to lead on biometric data through its Biometric Information Privacy Act (BIPA), which has generated billions of dollars in settlements and class-action litigation. Recent amendments extend BIPA’s reach to AI systems that process facial geometry, voiceprints, and other biometric identifiers — including systems used for employee monitoring, customer authentication, and security screening.
Other states to watch include California (pending AI transparency bills), Texas (AI in healthcare regulation), and New York City (Local Law 144 on automated employment decisions, now in its second year of enforcement).
US state-level AI laws create a compliance patchwork. Organisations operating across multiple states face different requirements in each jurisdiction. Without a unified AI policy, meeting overlapping obligations becomes exponentially harder.
UK approach: from principles to binding rules
The UK initially positioned itself as the “pro-innovation” alternative to the EU’s prescriptive approach. Rather than a single AI Act, the government asked existing sector regulators — the FCA, Ofcom, the ICO, the CMA — to apply AI-specific guidance within their existing mandates.
That approach is evolving. The AI Safety Institute (AISI), established in late 2023, has expanded its remit significantly. Key developments in 2025-2026 include:
- Frontier AI safety commitments — voluntary agreements with major AI developers (OpenAI, Anthropic, Google DeepMind, Meta) on pre-deployment safety testing
- Binding obligations under consideration — the government has signalled that voluntary commitments alone are insufficient for frontier models with systemic risk potential
- Cross-border alignment — the UK is actively participating in G7 and OECD frameworks, seeking interoperability with EU and US requirements
For UK organisations, the practical implication is clear: the UK regulatory framework is tightening, and the EU AI Act already applies extraterritorially to any UK business serving EU customers or deploying AI that affects EU residents. Preparing for the EU AI Act is not optional for most UK businesses — see our analysis of whether the EU AI Act applies in the UK.
G7 Hiroshima AI Process: international coordination
The G7 Hiroshima AI Process, launched in 2023 and refined through 2024-2025, produced the first major international framework for AI governance. Its centrepiece is the International Code of Conduct for Organisations Developing Advanced AI Systems, which includes eleven guiding principles:
- Identify and mitigate risks throughout the AI lifecycle
- Report serious incidents and vulnerabilities
- Invest in robust cybersecurity measures
- Publish transparency reports on AI capabilities and limitations
- Support development of international technical standards
- Implement content authentication and provenance mechanisms
The code of conduct is voluntary, but it is increasingly serving as the baseline that national regulators reference when drafting binding rules. The EU AI Act’s GPAI Code of Practice draws directly from Hiroshima principles. US executive orders cite them. The UK AISI’s safety framework mirrors them.
46 countries
have endorsed the OECD AI Principles that underpin the G7 Hiroshima framework — making them the closest thing to a global AI regulatory standard
Source : OECD AI Policy Observatory, 2025
What this means for business leaders
The convergence of these regulatory streams creates both risk and opportunity. Here is what to prioritise:
1. Map your regulatory exposure. Identify every jurisdiction where your AI systems operate, serve customers, or affect individuals. The EU AI Act’s extraterritorial reach, Colorado’s consumer-location trigger, and Illinois’ biometric rules mean geography matters less than you think. Start with an AI risk assessment.
2. Train your people now. The EU AI Act’s Article 4 AI literacy obligation is already enforceable. Colorado requires demonstrable competence in AI risk management. The UK expects “appropriate human oversight.” Every framework points to the same requirement: your staff must understand how AI works, its limitations, and how to use it responsibly. Brain delivers AI training for employees designed for cross-jurisdictional compliance.
3. Build one governance framework, not five. Rather than treating each regulation separately, establish a unified AI governance framework that meets the highest standard — typically the EU AI Act — and adapt downward for other jurisdictions. Consider ISO 42001 certification, which maps to requirements across all major frameworks.
4. Tackle shadow AI before regulators do. Employees adopting AI tools without organisational oversight — shadow AI — is a compliance blind spot under every framework. You cannot govern what you do not know about.
5. Document everything. Across the EU, US, and UK, the common thread is accountability through evidence. Risk assessments, training records, bias audits, incident reports — if it is not documented, it did not happen.
Regulatory convergence is your friend. Organisations that invest in comprehensive AI governance now — training, documentation, risk management — will find themselves compliant across multiple jurisdictions simultaneously. The cost of preparation is a fraction of the cost of retrofitting after enforcement begins.
Test your knowledge of global AI regulation
Stay ahead of AI regulation with Brain
Brain is the AI readiness platform built for organisations navigating a complex regulatory landscape. Role-specific training modules covering AI literacy, data privacy, responsible AI, and regulatory compliance — with audit-ready reporting that satisfies EU, US, and UK requirements.
The regulation is here. The deadlines are real. The time to act is now.
Related articles
EU AI Act News: April 2026 Updates + Enforcement Timeline
Latest EU AI Act updates — enforcement dates, GPAI Code of Practice, fines and what your business must do before August 2026.
EU AI Act Summary: Risk Tiers, Deadlines + Penalties (2026)
EU AI Act in plain English — 4 risk categories, obligations by tier, compliance deadlines, penalties up to €35M, and Article 4 literacy rules.
EU AI Act Explained: A Business Leader's Guide (2026)
Understand the EU AI Act in plain English. Risk categories, timeline, obligations, and what it means for your organisation.