Why the Pace Has Accelerated
For most of the last decade, AI governance meant voluntary frameworks and strongly worded white papers. That era is over. The shift from aspirational guidelines to binding legal obligations has compressed into roughly eighteen months, driven by three converging pressures that regulators could no longer treat as theoretical.
First, the EU AI Act moved out of its extended drafting phase and into active enforcement staging, transforming what had been a negotiating text into a compliance deadline with real penalties. European regulators had spent years absorbing industry feedback; the clock is now running in the other direction. Second, disputes over frontier model capabilities forced disclosure questions into the open in ways no one was fully prepared for. The confrontation between Anthropic and US government interlocutors over Mythos-level capability assessments illustrated that national security and economic competitiveness concerns can override typical enterprise confidentiality assumptions — and that AI developers may face mandatory transparency obligations on capability benchmarks they currently treat as proprietary. Third, the Meta employee-tracking data breach crystallized a risk that many organizations had underweighted: AI training pipelines that ingest behavioral data create compounding regulatory exposure. When that data includes keystrokes, productivity metrics, and communication patterns collected without granular employee consent, the training artifact becomes evidence of the underlying violation. That case is no longer an edge scenario. It is a template regulators are actively studying.
The EU AI Act: What It Actually Requires
The EU AI Act structures obligations around four risk tiers. Unacceptable-risk systems — social scoring by public authorities, real-time biometric surveillance in public spaces — are prohibited outright. High-risk systems face conformity assessments, mandatory human oversight mechanisms, logging requirements, and registration in an EU database before deployment. Limited-risk systems carry transparency obligations. Minimal-risk systems are largely unregulated.
The practical question for most organizations is what lands in the high-risk tier. The regulation is explicit: automated hiring and CV-screening tools, credit scoring systems that influence lending decisions, AI used in critical infrastructure management (energy grids, water systems, transport), and systems used in educational assessment all qualify. If your company uses a third-party applicant tracking system (ATS) with AI ranking, that is a high-risk system under the Act, regardless of whether you built it. The deployer obligation is real.
Transparency obligations for AI-generated content require labeling at the point of interaction. Synthetic audio, video, and text intended for public distribution must carry machine-readable markings. For developers building content generation features into products sold to EU users, this is a product requirement, not a policy aspiration. The conformity assessment process for high-risk systems requires documented technical files, risk management systems, data governance procedures, and post-market monitoring. Third-party assessment is mandatory for certain categories, including biometric identification. The prohibited-use provisions applied from August 2024. High-risk obligations for most categories apply from August 2026. Build that date into your roadmap now.
The US Regulatory Approach
The United States has not passed comprehensive AI legislation at the federal level. What exists is sectoral and, in many cases, still voluntary. The NIST AI Risk Management Framework has become the operational standard that federal contractors and regulated industries treat as binding in practice even where it is formally guidance. If you are selling to US federal agencies, NIST AI RMF alignment is already a procurement expectation — the FAR and agency-specific acquisition rules are embedding it.
Mandatory requirements are emerging at the edges. Critical infrastructure operators — financial institutions under OCC guidance, healthcare entities under HHS AI considerations, energy sector participants under FERC review — face sector-specific obligations that are hardening. The Anthropic-government capability disclosure dispute points toward a regime where sufficiently capable models may require advance notification to relevant agencies before deployment, analogous to export control logic. That framework is not yet law, but the policy architecture is being constructed. Developers building at the frontier should be engaging regulatory counsel now rather than when the rule text appears.
The Data Privacy Intersection
GDPR has always applied to AI training data involving personal information. What is changing is enforcement appetite. The Irish Data Protection Commission, which has primary jurisdiction over most major US tech companies' EU operations given their Dublin establishments, has signaled that AI training data practices are an active investigative priority. The expected enforcement action stemming from Meta's employee keystroke monitoring case will establish binding precedent on a core question: whether behavioral data collected under an employment relationship can be repurposed for AI training without specific, informed consent for that purpose. The answer, under existing GDPR logic, is almost certainly no. Every company with EU employees or users that has been feeding behavioral data into model training pipelines should treat that expected ruling as directed at its own practices.
Three Things to Do Now
- Audit your AI stack against EU AI Act high-risk categories. Pull an inventory of every AI system your organization deploys or procures. For each one, map it against the Act's Annex III high-risk list. Pay particular attention to HR tools, customer credit or scoring systems, and any system touching safety functions. Deployer obligations apply even when you did not build the system.
- Review AI vendor contracts for training data clauses and breach notification requirements. Most enterprise AI contracts signed before 2024 do not adequately address whether vendor models are trained on your data, what happens to that data in a breach, and who bears regulatory liability when training data practices are challenged. Require explicit contractual representations and audit rights before your next renewal.
- Designate a regulatory monitoring owner before enforcement creates urgency. The single most common failure mode is treating AI regulation as a one-time legal review rather than a continuous operational function. Assign a named individual — in legal, compliance, or a senior product role — whose explicit responsibility includes tracking regulatory developments across your operating jurisdictions. The organizations that will struggle most in 2026 are those still building their compliance function after the first enforcement action lands.