AI Policy in 2026: EU AI Act Enforcement, State Patchwork, and the Federal Question
August 2, 2026 is the day the EU AI Act’s high-risk system obligations come into force, with fines up to €35M or 7% of global turnover under Article 99, and €15M or 3% under Article 101 for general-purpose AI provider breaches. That date is the single most consequential AI policy milestone of the year. Around it, the US has produced a patchwork — Colorado SB 24-205 postponed to June 30, 2026, Texas TRAIGA effective January 1, 2026, Illinois SB 315 just passed both chambers, the federal posture rolled back, and the December 2025 Trump executive order signaling federal preemption of state AI law.
This is the working enterprise-AI-policy map as it actually stands.
EU AI Act: the August 2, 2026 cliff
The Act phased in over multiple dates. The headline ones:
- February 2, 2025 — prohibited practices applied (social scoring, certain biometric categorization, untargeted facial-image scraping).
- August 2, 2025 — GPAI provider obligations came into force.
- August 2, 2026 — high-risk AI system obligations apply, plus the transparency rules for AI-generated content and active enforcement powers.
- August 2, 2028 — extended transition for high-risk AI embedded in regulated products (e.g. medical devices under MDR).
Article 99 and Article 101 fines
Article 99 sets fines up to €35M or 7% of worldwide annual turnover, whichever is higher, for the most serious violations — typically the prohibited practices. Article 101 covers GPAI provider obligations and goes up to €15M or 3% of global turnover.
The 7% figure exceeds the GDPR ceiling of 4% — the EU deliberately set the AI Act above GDPR for the most serious breaches.
The GPAI Code of Practice
A voluntary Code of Practice for general-purpose AI was submitted to the Commission by independent experts and covers transparency, copyright, and safety and security. Signing the Code gives signatories a “presumption of conformity” — effectively a safe-harbor route to demonstrating compliance with the underlying obligations. Frontier labs that signed face less aggressive enforcement scrutiny than those that did not.
Enforcement architecture
- AI Office — Commission-level coordinator, hosted in DG CNECT.
- National supervisory authorities — each member state designates one; examples include France’s CNIL, Spain’s AESIA, Italy’s data-protection authority, and Germany’s federated approach.
- EDPB — coordinates on GDPR-adjacent questions.
- FRA — the Fundamental Rights Agency informs the high-risk system criteria.
- Notified bodies — third-party conformity assessment for high-risk systems sold in regulated product categories.
For any enterprise selling AI products into the EU or deploying them on EU residents, this is now the binding regulatory architecture.

US state laws: the patchwork in 2026
The US has no comprehensive federal AI statute. States moved first.
Colorado SB 24-205
Governor Polis signed SB 25B-004 on August 28, 2025, postponing the Colorado AI Act’s effective date to June 30, 2026 (originally February 1, 2026). The law requires developers and deployers of high-risk AI to use reasonable care against algorithmic discrimination, with the Attorney General as the exclusive enforcer. Penalties can run $20,000 per violation under the Colorado Consumer Protection Act, with each affected consumer, each AI system, and each incident potentially counted separately. Affirmative defenses exist for organizations that discover and cure violations and comply with recognized risk-management frameworks.
Texas TRAIGA
Governor Abbott signed the Texas Responsible AI Governance Act on June 22, 2025; it took effect January 1, 2026. The final version was pared back from the original draft. It prohibits AI used for behavioral manipulation, discrimination, child sexual abuse material, unlawful deepfakes, and constitutional-rights infringement, creates a regulatory sandbox, and establishes the Texas AI Advisory Council. Enforcement is by the Texas Attorney General with civil penalties from $10,000 to $200,000 per violation. There is no private right of action.
Illinois SB 315
The Illinois House passed SB 315 unanimously 110-0 on May 27, 2026 after the Senate passed it on May 21. Governor Pritzker indicated he will sign. SB 315 targets large frontier developers (companies above $500M in annual revenue using frontier-scale compute) and is the first US law mandating annual independent third-party audits of frontier-model safety protocols. Audit compliance starts January 1, 2028. Civil penalties run up to $3M per violation, enforced solely by the Illinois Attorney General. The bill also requires safety-incident reporting on a 72-hour clock.
Other states
- Utah AI Policy Act — disclosure obligations for AI use in regulated occupations, in force since 2024.
- New York City Local Law 144 — bias audits for automated employment decision tools, the longest-running operational requirement.
- California — SB 1047 was vetoed by Governor Newsom in 2024. Subsequent narrower bills (SB 942 watermarking, AB 2013 training-data transparency) became law. The Newsom-convened working group recommended a more targeted frontier-AI safety framework that has not yet been enacted as a single statute.
The pattern: high-risk algorithmic decisioning (Colorado), behavioral and content prohibitions (Texas), frontier-lab audits (Illinois), employment bias audits (NYC), and disclosure (Utah). No state has tried to do all of these at once.
The federal question
The Biden order and its rollback
President Biden’s Executive Order 14110 (October 2023) was the most ambitious federal AI policy instrument to date — Safety Institute, reporting thresholds, FedRAMP-style government use, and a long list of agency taskings. President Trump revoked it on January 20, 2025, and on January 23, 2025 issued Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence”). A federal AI Action Plan followed in July 2025.
The December 2025 preemption order
In December 2025 the Trump administration issued a further executive order, “Ensuring a National Policy Framework for Artificial Intelligence,” signaling federal preemption of state AI laws — directly aimed at Colorado, Texas, and the Illinois bill that had not yet been signed. The legal status is contested; states are positioned to litigate. The political effect is that compliance teams cannot assume a single nationwide rule will emerge in 2026.
NIST AI RMF
The NIST AI Risk Management Framework continues as the de facto compliance reference. Enterprises adopt it because it gives auditors a shared vocabulary even where statutory requirements are unsettled, and several state and EU frameworks reference it explicitly.
International coordination
- UK AI Safety Institute — operational evaluations of frontier models in partnership with leading labs; the UK posture remains lighter-touch than the EU.
- Bletchley follow-on summits — Seoul (2024), Paris (2025), and continued international declarations on frontier-AI safety.
- G7 Hiroshima Process — the international code of conduct for advanced AI developers continues as a coordination layer.
- Singapore IMDA, Japan METI — Asia-Pacific governance frameworks lean voluntary and standards-driven rather than prescriptive.
- China — generative-AI measures (effective 2023), algorithmic recommendation rules, and the deep-synthesis framework form a parallel governance stack with different priorities.

How enterprises actually structure AI governance in 2026
Across our client base, the AI governance programs that work share a recognizable shape.
The committee layer
- AI governance council — cross-functional (legal, risk, security, business owners, engineering). Meets monthly. Approves new use cases above a threshold.
- Use-case intake — every proposed AI workload is registered, classified by risk tier, and routed to the right reviewers. EU high-risk vs limited-risk distinctions map cleanly onto this.
- Model registry — every model in production, with owner, data lineage, intended use, evaluation results, monitoring status. The single source of truth that audit and regulators ask for.
The technical layer
- Inventory and discovery — finding the AI you didn’t know you had (shadow AI is real; vendor-embedded AI is everywhere).
- Logging and audit trail — every inference logged with model version, input hash, output, user, outcome. Non-negotiable for any regulated workload.
- Evaluation harness — pre-deployment and ongoing. Subgroup performance, drift, safety classifiers.
- Incident response — what happens when the model produces a bad output that reaches a customer or a regulator? Who’s notified? Documented playbook.
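One way to build the audit trail described above, added here as an example (not pdpspectra's or any vendor's code): a hash-chained log that keeps the listed fields, stores each input only as a SHA-256 digest, and detects after-the-fact edits to earlier records. The timestamps, model name and user ids are constructed placeholders.

```python
# Hash-chained inference audit log, added here as an example (not pdpspectra's code). Each
# record carries the fields named above (model version, input hash, output, user, outcome)
# plus a timestamp and the previous record's hash, so later edits to the log are detectable.
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def _record_hash(record):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return _digest(json.dumps(body, sort_keys=True, separators=(",", ":")))

def append_record(log, *, ts, model_version, user, prompt, output, outcome):
    """Append one inference record linked to the previous record's hash."""
    record = {
        "ts": ts, "model_version": model_version, "user": user,
        "input_hash": _digest(prompt),  # raw prompt is never written to the log
        "output": output, "outcome": outcome,
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    record["record_hash"] = _record_hash(record)
    log.append(record)
    return record

def verify_chain(log):
    """Return the index of the first tampered or unlinked record, else None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev or _record_hash(rec) != rec["record_hash"]:
            return i
        prev = rec["record_hash"]
    return None

def find_by_prompt(log, prompt):
    """Answer 'which model version answered this input, when, for whom?'"""
    h = _digest(prompt)
    return [(r["ts"], r["model_version"], r["user"]) for r in log if r["input_hash"] == h]

def sample_log():
    """Two constructed records (sample data, not from any real deployment)."""
    log = []
    append_record(log, ts="2026-06-30T10:00:00Z", model_version="risk-scorer-v3",
                  user="analyst-17", prompt="applicant 123 profile", output="approve", outcome="delivered")
    append_record(log, ts="2026-06-30T10:01:00Z", model_version="risk-scorer-v3",
                  user="analyst-17", prompt="applicant 124 profile", output="deny", outcome="escalated")
    return log
```

In production the chain head would be anchored externally (for example, written to a write-once store or signed) so that the whole log cannot simply be regenerated.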
The documentation layer
- Model cards — for internally developed models and for evaluated third-party models.
- Impact assessments — Colorado-style algorithmic impact assessment, EU-style fundamental-rights impact assessment.
- Vendor due diligence — every third-party AI vendor reviewed for data residency, training-data provenance, evaluation rigor, BAA / DPA terms.
The teams that under-invest here ship a few AI features and then stop, because every new use case becomes a six-month legal review. The teams that build the scaffolding ship continuously.
Where pdpspectra fits
AI governance is mostly an operations problem dressed up as a legal problem. Our work concentrates on the layers that actually have to function under audit.
- Audit logging, model registry, and evaluation infrastructure — the data plumbing that lets you answer “what model said what, when, to whom?” at any moment (data engineering).
- MLOps and monitoring — drift, bias, subgroup performance, incident detection (ML & MLOps).
- LLM governance — prompt and tool governance, guardrails, RAG provenance, vendor interop, BAA / DPA discipline (AI & LLM integration).
- DevOps and CI/CD — deployment gates, evaluation-as-code, change-control tied to the model registry (DevOps & CI/CD).
We don’t draft the policy. We build the scaffolding that lets legal and risk sign off on production deployments month after month.
Related reading
- Banking AI Roadmap: What to Build First in 2026 — the regulated-industry sequencing pattern.
- AI for Health in 2026 — how the FDA AI/ML Action Plan and PCCP fit into the broader governance picture.
- Bedrock vs OpenAI vs Anthropic for Enterprise — how hosted model choice interacts with EU AI Act and US state-law compliance.
Most enterprises will spend 2026 building the AI governance scaffolding they should have built in 2024. If you’re sizing an AI governance program — EU AI Act readiness, state-law mapping, model registry, evaluation infrastructure — and want a second pair of eyes, tell us about the program.