AI Regulation Global

Global AI Regulation: Comprehensive Research Corpus

As of May 2026 | For Fortune 500 CIO/CFO/GC audiences | Research use only — not legal advice. Consult qualified counsel before acting on any regulatory obligation.


This corpus maps every material AI regulation across 14 jurisdictions as of May 2026. Each entry follows a consistent structure:

  1. Jurisdiction + regulation name + effective date
  2. Who it applies to (size thresholds, sectors, use cases)
  3. Key requirements
  4. Fines / penalties for non-compliance
  5. How enterprises avoid penalties (safe harbors, exemptions, compliance steps)
  6. Flag: whether geographic targeting of sales/marketing is a viable avoidance lever

Regulations are grouped by geography. Within each geography, the most immediately enforceable obligations appear first.


PART I: EUROPEAN UNION


1.1 EU AI Act — Prohibited Practices (Unacceptable Risk)

Regulation: Regulation (EU) 2024/1689 — Chapter II
Effective: February 2, 2025
Source: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

Who It Applies To

Any provider, deployer, importer, or distributor placing AI systems on the EU market or putting them into service in the EU, regardless of where the company is incorporated. Extra-territorial by design — a US company selling into the EU is in scope.

What Is Banned Outright

  • Subliminal, manipulative, or deceptive techniques that materially distort behaviour and cause significant harm, and exploitation of vulnerabilities of age, disability, or social/economic situation (e.g., addiction-pattern targeting)
  • Social scoring of natural persons, by public or private actors, leading to detrimental treatment that is unjustified or unrelated to the context in which the data was generated
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions)
  • Emotion recognition in workplaces and educational institutions (except for medical or safety reasons)
  • Risk assessments that predict whether a person will commit a criminal offence based solely on profiling or personality traits
  • Biometric categorisation that infers race, political opinions, trade-union membership, religious beliefs, sex life, or sexual orientation
  • Untargeted scraping of facial images from the internet or CCTV footage to build facial recognition databases

Fines

  • Up to €35 million or 7% of total worldwide annual turnover, whichever is higher (Article 99(3))
  • No cure period — the prohibitions have applied since February 2, 2025, and the fine provisions of Chapter XII have applied since August 2, 2025 (Article 113); there is no transition for existing deployments

Compliance Steps

  1. Audit your AI system inventory against the banned-practice list; any system touching emotion recognition in workplace/HR contexts is presumptively prohibited
  2. Shut down or block EU-market access for non-compliant systems before market entry
  3. Maintain written records confirming the legal basis for any remote biometric identification use (the law enforcement carve-out is narrow and requires prior authorization by a judicial authority or an independent administrative authority, Article 5(3))

Geographic avoidance lever: YES — if you do not place AI systems on the EU market and do not target EU individuals, you are outside scope. Effective for US-only products with no EU sales/distribution.


1.2 EU AI Act — General-Purpose AI (GPAI) Models

Regulation: Regulation (EU) 2024/1689 — Chapter V (Articles 51–56)
Effective: August 2, 2025 (obligations in force); August 2, 2026 (Commission enforcement powers active)
Source: https://artificialintelligenceact.eu/enforcement-of-chapter-v-under-the-eu-ai-act/
GPAI Code of Practice: https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai

Who It Applies To

Providers of GPAI models — foundation models (e.g., GPT-class, Claude-class, Gemini-class, Llama-class) — that are placed on the EU market or whose outputs are used by EU individuals or businesses. Threshold for “GPAI model” presumption: training compute ≥ 10²³ FLOPs.

Systemic risk tier (heightened obligations): Models trained with ≥ 10²⁵ FLOPs, or models the EU AI Office designates as systemic-risk based on capabilities. Providers must notify the EU AI Office within two weeks of crossing the threshold.

Key Requirements — All GPAI Providers

  • Maintain technical documentation of model architecture, training data, compute used, testing methodology
  • Publish a summary of training content (copyright-relevant transparency)
  • Implement and maintain a copyright policy respecting EU copyright law, including opt-out mechanisms for rightsholders
  • Provide downstream deployers with information sufficient to comply with their own AI Act obligations

Key Requirements — Systemic Risk GPAI Providers (additional)

  • Conduct adversarial testing (red-teaming) for systemic risks prior to market release and after significant updates
  • Maintain incident tracking and report serious incidents to the EU AI Office without undue delay
  • Implement cybersecurity safeguards commensurate with the model’s risk profile
  • Assess and mitigate possible systemic risks at Union level on an ongoing basis, including through model evaluation; the Code of Practice structures this as a documented Safety and Security Framework plus per-model Safety and Security Model Reports
  • Make documentation available to the AI Office on request and support Commission evaluations of the model, which may include access to the model through APIs or other appropriate technical means (Articles 91–92)

GPAI Code of Practice (Safe Harbor)

The Code of Practice, published July 10, 2025 after a multi-stakeholder process chaired by independent experts, has three chapters: Transparency, Copyright, and Safety and Security (the last applies only to systemic-risk models). Signing and adhering to the Code is the recognised way to demonstrate compliance with Articles 53 and 55 (Article 53(4)) and functions as a safe harbor: signatories face a lighter documentary burden and more predictable enforcement, while non-signatories must demonstrate compliance through alternative means and should expect more requests for information. The AI Office administers the Code.

Fines

  • Non-compliance with GPAI obligations: up to €15 million or 3% of global annual turnover
  • Providing incorrect, incomplete or misleading information to the AI Office in response to a request: same cap of €15 million or 3% of global annual turnover (Article 101); the lower tier of €7.5 million or 1% of turnover in Article 99(5) applies to incorrect information supplied to notified bodies or national competent authorities
  • Full enforcement powers (including fines) active from August 2, 2026

Compliance Steps

  1. Determine whether your model qualifies as GPAI (≥ 10²³ FLOPs threshold) or systemic risk (≥ 10²⁵ FLOPs)
  2. Sign the GPAI Code of Practice to obtain the presumption-of-conformity safe harbor
  3. For systemic risk models: establish an adversarial testing protocol pre-launch and a live incident-reporting pipeline to the EU AI Office

Geographic avoidance lever: PARTIAL — applies to providers placing models on the EU market. A company that does not distribute or license its model in the EU, and whose model outputs do not flow to EU users, is outside scope. Practically difficult for large consumer-facing models.


1.3 EU AI Act — High-Risk AI Systems

Regulation: Regulation (EU) 2024/1689 — Chapter III
Effective: August 2, 2026 (full compliance deadline for most high-risk systems)
Extended transition: August 2, 2027 (Article 113) for high-risk AI that is a safety component of, or is itself, a product covered by the Annex I product-safety legislation (medical devices, machinery, automotive safety systems)
Source: https://artificialintelligenceact.eu/article/6/ | https://artificialintelligenceact.eu/article/16/

Who It Applies To

Providers (developers who place high-risk AI on the EU market) and deployers (organizations that put high-risk AI into service for a specific purpose). Both roles carry distinct obligations.

High-risk categories (Annex III):

  • Biometric identification and categorization of natural persons
  • Critical infrastructure management (water, gas, electricity, transport)
  • Education/vocational training (admissions, assessments that determine access to education)
  • Employment and worker management (recruitment, CV sorting, promotion, termination decisions)
  • Essential private and public services (credit scoring, social benefits, emergency services dispatch)
  • Law enforcement (risk assessments, polygraphs, crime prediction)
  • Migration and asylum (border control, document verification)
  • Administration of justice and democratic processes

Note on employment AI: AI systems intended for recruitment or selection of natural persons (placing targeted job ads, analysing and filtering applications, evaluating candidates) and for decisions on promotion, termination, task allocation, or monitoring are Annex III point 4 high-risk. This is the category most relevant to Fortune 500 HR technology stacks. The Article 6(3) carve-out (narrow procedural tasks, improving a previously completed human activity, detecting decision patterns) requires a documented justification and never applies where the system profiles natural persons.

Key Requirements — Providers

  • Risk management system: Documented process spanning the full development lifecycle; continuous post-market monitoring
  • Data governance: Training, validation, and test datasets meet quality criteria (relevant, sufficiently representative, and, to the best extent possible, free of errors and complete for the intended purpose, Article 10); documented data lineage and an examination for possible biases
  • Technical documentation (Annex IV): System description, design choices, training data, testing methodology, performance metrics, limitations
  • Automatic logging: High-risk systems must generate audit logs sufficient to enable ex-post review of decisions
  • Human oversight: Systems must be designed so humans can understand, override, and halt system outputs; cannot be designed to circumvent human review
  • Accuracy, robustness, cybersecurity: Documented performance benchmarks; adversarial robustness testing
  • Conformity assessment: Internal control for Annex III points 2–8; third-party notified body only for biometric systems (Annex III point 1) where harmonised standards or common specifications are not applied in full (Article 43); EU Declaration of Conformity drafted and signed
  • CE marking: Affixed after conformity assessment
  • EU database registration: Register system before placing on market; the EU AI Act database is publicly searchable

Key Requirements — Deployers

  • Implement provider’s instructions for use
  • Designate a human oversight mechanism (named responsible person)
  • Monitor for performance deviations in operational context
  • Conduct fundamental rights impact assessments before deploying high-risk systems in public-authority or essential-services contexts (legal basis: Article 27)
  • Notify affected individuals when an automated decision materially affects them

Fines

  • Non-compliance with high-risk obligations: up to €15 million or 3% of global annual turnover
  • Prohibited practices (if incorrectly classified): up to €35 million or 7%

Compliance Steps

  1. Map all deployed AI systems against Annex III categories — prioritize employment, credit, and essential-services applications
  2. For each high-risk system: complete Annex IV technical documentation, conformity assessment, and CE marking by August 2, 2026
  3. Register all high-risk systems in the EU AI Act database and designate an EU-based authorized representative if the provider is outside the EU

Geographic avoidance lever: YES for the provider side — non-EU companies with no EU distribution and no EU deployer customers are outside scope. However, any US enterprise that deploys third-party high-risk AI (e.g., HR screening tool, credit decisioning model) for EU employees or EU customers is in scope as a deployer regardless of where the AI company is incorporated.


1.4 EU GDPR — Automated Decision-Making (Article 22) Applied to AI

Regulation: GDPR (EU) 2016/679 — Article 22
Effective: May 25, 2018 (enforcement ongoing and escalating into AI contexts)
Source: https://gdpr-info.eu/art-22-gdpr/ | https://www.financierworldwide.com/gdpr-enforcement-how-eu-regulators-are-shape-ai-governance

Who It Applies To

Any organization processing personal data of EU data subjects using solely automated processing, including profiling, where the decision produces a legal or similarly significant effect — credit decisions, hiring decisions, insurance underwriting, content moderation leading to account suspension, behavioral profiling. This encompasses most enterprise ML/AI deployments that decide outcomes for EU individuals without meaningful human involvement.

Key Obligations

  • Decisions based solely on automated processing that produce legal or similarly significant effects are prohibited by default unless:
    • The individual has given explicit consent
    • The decision is necessary for a contract with the individual
    • EU or member-state law authorizes it
  • Where permitted, the controller must:
    • Inform the data subject that automated processing is occurring
    • Provide meaningful information about the logic involved (not necessarily full algorithmic transparency, but substantive explanation)
    • Guarantee the right to human review of any automated decision
    • Allow the data subject to contest the decision and express their point of view
  • Special-category data (health, biometric, racial/ethnic origin) may only be used in such decisions where Article 9(2)(a) explicit consent or Article 9(2)(g) substantial public interest under Union or member-state law applies, and suitable safeguards for the data subject's rights are in place (Article 22(4))

Enforcement — Recent AI-Specific Actions

  • CJEU, SCHUFA (C-634/21, December 2023): the automated generation of a credit score by a credit reference agency is itself an Article 22 decision where the lender draws strongly on the score, so the scoring agency, not only the lender, carries the Article 22 obligations
  • Germany (Hamburg DPA), 2025: €500,000 fine against a financial services provider for automated credit card rejections without human oversight or adequate explanation
  • Italy (Garante): Multiple ongoing investigations into recruitment AI and content-recommendation systems
  • Ireland (DPC): Active investigations into AI systems processing EU data on behalf of US tech companies

Fines

GDPR fines apply on a two-tier basis:

  • Tier 1 (procedural violations): up to €10 million or 2% of global annual turnover
  • Tier 2 (substantive violations including Article 22 breaches): up to €20 million or 4% of global annual turnover

Note: GDPR and AI Act fines can stack where the same system violates both frameworks; the AI Act does not displace GDPR enforcement, and regulators have given no indication that they will treat cumulative enforcement as barred.

Compliance Steps

  1. Map every AI system that produces decisions with legal or material effects on EU individuals; document the legal basis permitting automated processing for each
  2. Build human-review workflows into any high-stakes automated decision — not a rubber-stamp review, but a substantive ability to override
  3. Update privacy notices to include Art. 22-specific disclosure language; implement a process for handling data-subject requests for human review

Geographic avoidance lever: YES — GDPR reaches controllers and processors established in the EU, and non-EU organizations that offer goods or services to, or monitor the behaviour of, EU data subjects (Article 3). Organizations with no EU establishment that do not target EU customers and do not process EU personal data are outside scope. Effective primarily for B2B-only US enterprises with no EU go-to-market.


PART II: UNITED STATES — FEDERAL


2.1 Executive Order 14179 — “Removing Barriers to American Leadership in Artificial Intelligence”

Signed: January 23, 2025
Effective: Immediately upon signing; agency actions flowing from it ongoing through 2026
Source: https://www.federalregister.gov/documents/2025/12/16/2025-23092/ensuring-a-national-policy-framework-for-artificial-intelligence | https://en.wikipedia.org/wiki/Executive_Order_14179

What It Does

EO 14179 is a deregulatory order: it revoked the Biden-era EO 14110 (Safe, Secure, and Trustworthy AI, October 2023), called for an AI Action Plan within 180 days, and ordered agencies to review and suspend or rescind actions taken under EO 14110 that conflict with the new policy. It does not create binding compliance obligations on private enterprises. Its primary effects are:

  1. Rescission of prior AI reporting, testing, and notification requirements on federal contractors and AI developers that flowed from EO 14110
  2. Direction to OMB to revise its AI-use and AI-procurement guidance (M-24-10, M-24-18) to be less restrictive; OMB replaced them with M-25-21 and M-25-22 in April 2025

Follow-on: December 2025 EO on state AI law preemption. A second executive order, “Ensuring a National Policy Framework for Artificial Intelligence” (December 2025), directs federal agencies to actively challenge state AI regulations that impose burdens inconsistent with the federal goal of minimal regulatory friction. The state-law deadlines come from this second order, not from EO 14179:

  1. Direction to the AG to establish an AI Litigation Task Force (by January 15, 2026) to challenge state AI laws conflicting with the federal pro-innovation posture
  2. Direction to the FTC to issue a policy statement on how existing FTC Act authority applies to AI (deadline: March 11, 2026)
  3. Direction to Commerce to identify “onerous” state laws (deadline: March 16, 2026)

The December order was used by the DOJ to intervene in the Colorado AI Act litigation (April 2026).

Who Must Comply

Federal agencies and federal contractors. Private enterprises have no direct compliance obligations under EO 14179 itself, but benefit from the rollback of prior reporting requirements and face reduced federal AI risk-management mandates.

Compliance Impact for Enterprises

  • Federal contractors previously subject to AI reporting requirements under EO 14110 should verify which specific agency-level obligations have been rescinded
  • Enterprises selling AI products to the federal government should monitor updated FAR/DFARS provisions expected in 2026
  • The DOJ’s active intervention in state AI litigation creates legal uncertainty for Colorado AI Act compliance specifically

2.2 NIST AI Risk Management Framework (AI RMF 1.0)

Published: January 2023 (framework); Generative AI Profile (NIST AI 600-1) published July 2024
Status: Voluntary for private sector; functionally mandatory reference for regulated industries
Source: https://www.nist.gov/itl/ai-risk-management-framework | https://www.glacis.io/guide-nist-ai-rmf

Who It Applies To

Voluntary for all; de facto compliance standard for:

  • Financial institutions subject to SR 26-02 / OCC 2026-13 (see 2.3)
  • Federal contractors and agencies
  • Any enterprise that needs to demonstrate AI risk management to regulators, customers, or auditors

Framework Structure

Four core functions — GOVERN, MAP, MEASURE, MANAGE — with subcategories providing specific actions:

  • GOVERN: Establish AI risk policies, governance structures, roles/responsibilities, and risk tolerance thresholds
  • MAP: Identify the AI system’s context, intended uses, stakeholders, and potential risks (including third-party and supply-chain risks)
  • MEASURE: Apply methods to analyze and quantify AI risks — bias testing, performance benchmarking, adversarial robustness evaluation
  • MANAGE: Prioritize and treat identified risks; maintain incident response and monitoring processes

The Generative AI Profile (NIST AI 600-1) extends the RMF to LLM-specific risks: confabulation (hallucination), data poisoning, IP contamination, CBRN information availability, and homogenization risk.

Safe Harbor Value

Texas TRAIGA (see 4.3), FTC policy guidance, OCC 2026-13, and SR 26-02 all explicitly reference NIST AI RMF adherence as a compliance demonstration mechanism. Documented RMF alignment is the closest thing to a universal safe harbor in US AI regulation as of 2026.

Compliance Steps

  1. Complete a formal GOVERN-MAP-MEASURE-MANAGE implementation documented against the RMF categories — even a partial implementation provides evidentiary value in regulatory proceedings
  2. Map your generative AI systems against the 600-1 Generative AI Profile; document which risks are addressed by existing controls
  3. Appoint an internal AI risk owner with documented authority and accountability — regulators and plaintiffs’ attorneys both look for named accountability

2.3 Federal Banking Regulators — SR 26-02 / OCC Bulletin 2026-13

Published: April 17, 2026 (replaced SR 11-7 / OCC 2011-12)
Effective: April 17, 2026; transition period for existing models
Source: https://risktemplate.com/blog/2026-04-24-nist-ai-rmf-sr-26-02-fs-ai-rmf-crosswalk-financial-services/

Who It Applies To

  • SR 26-02: Federal Reserve-supervised banking organizations with total assets exceeding $30 billion
  • OCC 2026-13: National banks and federal savings associations (OCC-chartered), all sizes but with scaled expectations

Scope Clarification

SR 26-02 / OCC 2026-13 updates model risk management for traditional quantitative models: credit scoring, DFAST/stress testing, fraud detection algorithms, VaR models, AML transaction monitoring. Generative AI and agentic AI are explicitly excluded from scope of this guidance, though the agencies have indicated separate guidance for LLM-based systems is in development.

Key Requirements

  • Model inventory: maintain a complete inventory of all in-scope models, including vendor-provided models
  • Independent model validation: every material model must be validated by a team independent of development; validation must assess conceptual soundness, data quality, performance benchmarks, and ongoing monitoring
  • Model risk governance: board-level awareness of aggregate model risk; management-level escalation paths for model failures
  • Vendor model oversight: third-party models (e.g., credit bureau scores, vendor fraud models) subject to the same validation rigor as internal models; due diligence documentation required

Fines / Supervisory Consequences

No fixed statutory fine schedule under SR 26-02 itself, but:

  • Failure of model risk management is a primary exam finding category; repeated findings lead to Matters Requiring Attention (MRAs) and then Matters Requiring Immediate Attention (MRIAs)
  • MRIAs can trigger enforcement actions, consent orders, and capital adequacy adjustments
  • Civil Money Penalties (CMPs) under the Federal Deposit Insurance Act can reach $1 million per day for pattern violations

Compliance Steps

  1. Update model inventory to align with SR 26-02’s revised definitions — include any ML-based risk models not previously treated as “models” under the SR 11-7 framework
  2. For each material model: verify independent validation documentation is current and addresses the updated 2026 guidance criteria
  3. For third-party/vendor models: obtain validation documentation from vendors or conduct shadow validation; this is the most common exam gap at large banks

2.4 FTC AI Enforcement — Section 5 FTC Act

Authority: Section 5 of the FTC Act (15 U.S.C. § 45) — Unfair or Deceptive Acts or Practices
Policy Statement: Required by EO 14179, issued March 11, 2026
Source: https://www.digitalapplied.com/blog/ftc-ai-policy-deadline-march-11-compliance-readiness | https://natlawreview.com/press-releases/ftc-brings-dozen-ai-washing-enforcement-cases-2025-targeting-overstated-ai-claims

Who It Applies To

Any company in or affecting US commerce making claims about AI — in product marketing, investor communications, terms of service, or customer disclosures. No size threshold.

Key Enforcement Priorities (2025–2026)

  1. “AI washing”: Overstating AI capabilities in product marketing or investor materials (at least 12 enforcement actions in 2025 alone); this is the FTC’s most active AI enforcement area
  2. Undisclosed AI: Failing to disclose when AI generates customer-facing communications (including chatbots, AI-generated support responses, personalized content)
  3. Algorithmic discrimination: Using AI in hiring, credit, or housing decisions in ways that produce disparate impacts on protected classes; FTC has signaled coordination with DOJ and EEOC on this front
  4. Deceptive data practices: Collecting biometric or behavioral data to train AI systems without adequate disclosure

Notable Cases

  • DoNotPay (Jan 2025): Settled FTC action for misrepresenting its AI as “the world’s first robot lawyer” — company barred from making false capability claims
  • IntelliVision (Jan 2025): Settled action for misleading claims about facial recognition accuracy; barred from making unsubstantiated performance claims

Fines

  • Civil penalties for violating an FTC rule or an existing order: up to $51,744 per violation (2024 inflation adjustment; $53,088 from 2025, adjusted annually), with each day of a continuing violation counted separately
  • First-time Section 5 cases: the FTC cannot obtain civil penalties for a first-time unfairness or deception violation absent an applicable rule or prior order; these cases settle through consent orders with injunctive relief (capability-claim bans, substantiation and record-keeping requirements, multi-year compliance reporting) and consumer redress where a rule or Section 19 applies. The consent order then converts any later violation into per-violation penalty exposure

Compliance Steps

  1. Audit all marketing copy, product descriptions, and investor communications that reference AI capabilities; remove or qualify any superlative claims not supported by documented testing
  2. Implement clear AI-disclosure language in customer-facing interfaces (chatbots, AI-generated content, automated recommendations)
  3. Document the bias-testing methodology for any AI used in credit, employment, or housing decisions; retain records in the event of an FTC investigative demand

PART III: UNITED STATES — STATE LAWS


3.1 Illinois Human Rights Act (IHRA) — AI Amendment (HB 3773)

Effective: January 1, 2026
Source: https://natlawreview.com/article/illinois-anti-discrimination-law-address-ai-goes-effect-1-january-2026 | https://www.hinshawlaw.com/en/insights/blogs/employment-law-observer/illinois-adopts-new-ai-in-employment-regulations-what-employers-need-to-know-for-2026

Who It Applies To

Employers of any size doing business in Illinois, including remote/hybrid workforces based in Illinois. Applies to employment-related use of AI, including by third-party HR vendors whose tools the employer uses.

What It Covers

Use of AI — including generative AI — in:

  • Recruitment and hiring (sourcing, screening, interview scheduling, assessment)
  • Promotion and tenure decisions
  • Discipline and termination
  • Selection for training or apprenticeships
  • Any decision affecting terms, privileges, or conditions of employment

Key Requirements

  • Notice obligation: Employers must notify employees and applicants when AI is being used in employment decisions — notification must be given before the AI is used
  • Anti-discrimination prohibition: Using AI in ways that discriminate based on protected characteristics (race, color, sex, national origin, disability, age, etc.) is unlawful even if discrimination is unintentional (disparate impact standard); the amendment also bars using zip codes as a proxy for protected classes
  • No formal bias audit required: Unlike NYC Local Law 144, Illinois does not mandate third-party audits. However, voluntary documented bias testing is strongly advisable as an affirmative defense

Enforcement / Fines

  • Enforced through the Illinois Department of Human Rights (IDHR)
  • Individual complainants can file charges with IDHR; if found meritorious, cases proceed to the Illinois Human Rights Commission
  • Remedies include back pay, compensatory damages, attorney fees, and civil penalties
  • No statutory per-violation fine cap published yet; IDHR rulemaking on implementing regulations was ongoing as of May 2026

Compliance Steps

  1. Audit all HR technology vendors for AI use in Illinois-based hiring/employment decisions; require contractual representations about notice obligations and bias-testing practices
  2. Draft and deploy employee/applicant AI-notice disclosures; integrate into application portals and onboarding flows
  3. Conduct voluntary bias testing on all AI-assisted hiring tools, documenting methodology and results — this documentation is the primary defensive asset in an IDHR proceeding

3.2 New York City Local Law 144 — Automated Employment Decision Tools (AEDTs)

Effective: July 5, 2023 (enforcement ongoing through 2026)
Source: https://www.ailawsbystate.com/blog/ai-hiring-laws-by-state-compliance-map

Who It Applies To

Any employer or employment agency using an Automated Employment Decision Tool (AEDT) to screen candidates for employment or employees for promotion, where the role is based in New York City or the candidate is located in NYC.

An AEDT is defined broadly as any computational process derived from machine learning, statistical modeling, data analytics, or AI that issues simplified output — including scores, classifications, or recommendations — that substantially assists or replaces discretionary decision-making.

Key Requirements

  • Independent bias audit: Conducted within the prior 12 months by an independent auditor; must compute selection rates and impact ratios (each category’s selection rate divided by the highest category’s selection rate) for sex, race/ethnicity, and intersectional sex × race/ethnicity categories, using the employer’s historical data or, where unavailable, test data
  • Public disclosure: Summary of bias audit results — including the audit date, the distribution date of the tool, and the selection rates and impact ratios by category — must be posted publicly on the employer’s website
  • Candidate notice: Applicants must be notified at least 10 business days before the AEDT is used on them; notice must include the type of data collected and the opportunity to request an alternative selection process
  • Data retention: Records of bias audits and notices must be retained for at least 3 years
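The following is an added worked example, not code from the page or from the DCWP: it computes the numbers a Local Law 144 bias audit summary must contain. The impact-ratio definition (a category's selection rate divided by the highest category's selection rate) and the option to exclude categories under 2% of the data follow the DCWP implementing rules (6 RCNY § 5-300); the four-fifths (0.8) flag is an EEOC screening heuristic assumed here for illustration, not a threshold the law sets. The applicant data is constructed and the function names are the example's own.

```python
from collections import defaultdict

# Constructed sample data (not real applicant records): one tuple per
# demographic group giving (sex, race_ethnicity, applicants, selected), where
# "selected" means the hypothetical AEDT advanced the applicant past the screen.
SAMPLE_GROUPS = [
    ("male",   "white",    100, 40),
    ("female", "white",    100, 30),
    ("male",   "black",     50, 15),
    ("female", "black",     50, 10),
    ("male",   "hispanic",  40, 14),
    ("female", "hispanic",  40, 12),
    ("female", "asian",      4,  1),   # under 2% of the data: excludable if disclosed
]


def expand(groups):
    """Turn per-group counts into one record per applicant."""
    records = []
    for sex, race, total, chosen in groups:
        for i in range(total):
            records.append({"sex": sex, "race_ethnicity": race, "selected": i < chosen})
    return records


def selection_rates(records, key):
    """Selection rate (selected / applicants) and applicant count per category."""
    totals, selected = defaultdict(int), defaultdict(int)
    for rec in records:
        k = key(rec)
        totals[k] += 1
        selected[k] += rec["selected"]
    return {k: selected[k] / totals[k] for k in totals}, dict(totals)


def impact_ratios(rates):
    """Impact ratio = category selection rate / highest category selection rate."""
    best = max(rates.values())
    return {k: r / best for k, r in rates.items()}


def bias_audit(records, min_share=0.02, flag_below=0.8):
    """Selection rates and impact ratios for sex, race/ethnicity and their
    intersection. Categories below min_share of the data are excluded and listed
    so the exclusion can be disclosed. flag_below is the four-fifths heuristic
    (an assumption for this example): LL144 requires publishing the ratios, not
    passing a cut-off, so a flag is a prompt for review, not a legal finding."""
    n = len(records)
    views = {
        "sex": lambda r: r["sex"],
        "race_ethnicity": lambda r: r["race_ethnicity"],
        "intersectional": lambda r: (r["sex"], r["race_ethnicity"]),
    }
    report = {}
    for name, key in views.items():
        rates, totals = selection_rates(records, key)
        excluded = sorted(k for k, t in totals.items() if t / n < min_share)
        kept = {k: v for k, v in rates.items() if k not in excluded}
        ratios = impact_ratios(kept)
        report[name] = {
            "applicants": totals,
            "selection_rate": kept,
            "impact_ratio": ratios,
            "excluded": excluded,
            "flagged": sorted(k for k, r in ratios.items() if r < flag_below),
        }
    return report


def summary_lines(report):
    """Plain-text rows of the kind the public audit summary has to contain."""
    lines = []
    for view, data in report.items():
        for cat, rate in sorted(data["selection_rate"].items()):
            label = cat if isinstance(cat, str) else " / ".join(cat)
            lines.append(f"{view:15} {label:20} n={data['applicants'][cat]:4d} "
                         f"rate={rate:.3f} impact_ratio={data['impact_ratio'][cat]:.3f}")
        for cat in data["excluded"]:
            label = cat if isinstance(cat, str) else " / ".join(cat)
            lines.append(f"{view:15} {label:20} excluded (under 2% of data)")
    return lines


if __name__ == "__main__":
    audit = bias_audit(expand(SAMPLE_GROUPS))
    print("\n".join(summary_lines(audit)))
    for view, data in audit.items():
        print(f"{view}: below four-fifths -> {data['flagged']}")
```

On the constructed data the overall female impact ratio is about 0.75 and the Black applicant ratio about 0.71, both under four-fifths, while the intersectional view shows that female Black applicants sit at 0.5 even though male Hispanic applicants are close to parity. That is the reason the DCWP rules require the intersectional table: aggregate rows can hide the worst cell. For AEDTs that emit a score rather than a pass/fail, the rules substitute a "scoring rate" (the share of a category scored above the sample median) for the selection rate; the ratio logic above is unchanged once that rate is computed.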

Fines

Enforced by the NYC Department of Consumer and Worker Protection (DCWP):

  • First violation: $500 per violation
  • Each subsequent violation: up to $1,500 per violation
  • Each day a continuing violation persists counts as a separate violation

Note: Per-violation fines are modest but multiply quickly across a large candidate pool; a hiring process that screens 10,000 NYC candidates without a valid audit creates theoretical exposure of $5–15 million.

Compliance Steps

  1. Identify all AEDTs used in NYC hiring/promotion; many enterprises are unknowingly in scope because their ATS or LinkedIn Recruiter tools include ML-based ranking
  2. Commission an independent bias audit from a qualified third-party auditor; ensure the auditor meets DCWP’s qualification criteria (published in implementing rules)
  3. Build audit disclosure and candidate-notice workflows before deploying the tool in NYC hiring cycles

3.3 California — CPPA Automated Decision-Making Technology (ADMT) Rules

Effective: January 1, 2026 (risk assessments required from Jan 1, 2026; notice/opt-out requirements for existing users: January 1, 2027)
Source: https://secureprivacy.ai/blog/california-ai-regulations-2026 | https://www.kolmogorovlaw.com/california-ai-compliance-2025-2026-what-your-business-must-do-now

Who It Applies To

Businesses subject to the California Consumer Privacy Act (CCPA/CPRA) that use Automated Decision-Making Technology (ADMT) — defined as technology that uses computation to execute a decision, replace human decision-making, or substantially facilitate human decision-making. Coverage thresholds: businesses with annual gross revenues exceeding $25 million (CPI-adjusted), or that annually buy, sell, or share the personal information of 100,000+ California consumers/households, or that derive 50% or more of annual revenue from selling or sharing personal information.

Key Requirements

  • Right to opt out: Consumers have the right to opt out of ADMT used to make a “significant decision” about them, meaning a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunity, employment or independent-contracting opportunities or compensation, or healthcare services; the broader behavioral-advertising profiling trigger in earlier drafts was dropped from the final rules
  • Right to access: Consumers may request access to information about how ADMT processes their personal information
  • Pre-deployment risk assessments: Required for ADMT used in high-risk contexts (employment, credit, health, etc.); assessments must identify risks to consumers’ rights and privacy and document mitigation measures
  • Notice: Clear and conspicuous disclosure that ADMT is being used, before or at point of use

Fines

  • Enforced by the California Privacy Protection Agency (CPPA) and California AG
  • Up to $2,500 per violation, or $7,500 per intentional violation or violation involving a minor’s data, under CCPA; each affected consumer can count as a separate violation
  • For a business with 1 million California consumers, a systematic ADMT non-compliance finding carries theoretical exposure of $7.5 billion at the intentional-violation rate — in practice, CPPA and AG resolutions to date have been orders with injunctive terms and penalties in the hundreds of thousands to low single-digit millions (e.g., the CPPA’s $1.35 million Tractor Supply order, September 2025)

Compliance Steps

  1. Build an ADMT inventory — any automated scoring, ranking, recommendation, or filtering system that affects consumers covered by CPPA obligations
  2. Update privacy policy and consumer-facing disclosures to include ADMT disclosure language; implement opt-out mechanisms before the January 1, 2027 enforcement date for existing systems
  3. Complete risk assessments for ADMT in high-stakes contexts; document the assessment and risk-mitigation decisions in a durable, auditable format

3.4 California — AB 2013 (Generative AI Training Data Transparency)

Effective: January 1, 2026
Source: https://calawyers.org/privacy-law/ai-and-privacy-a-guide-to-californias-recently-passed-legislation/

Who It Applies To

Developers who make generative AI systems or substantial modifications to generative AI systems available to Californians.

Key Requirements

Before January 1, 2026 (for systems already available) and before each public release thereafter:

  • Post training-data documentation on the developer’s website including: dataset sources, types of data points, whether datasets include copyrighted works or personal information, how datasets were collected, and the time period covered

Fines

Enforcement mechanism and penalty schedule under the AG’s general consumer protection authority; specific penalty amounts tied to rulemaking expected in 2026.

Compliance Steps

  1. Maintain a training-data data card or datasheet; post it publicly before CA market availability
  2. For each model update qualifying as a “substantial modification,” update the documentation

3.5 California — SB 942 (AI Transparency Act)

Effective: August 2, 2026
Source: https://digital.nemko.com/regulations/california-sb-1047-ai-regulations

Who It Applies To

AI platforms with more than one million monthly active users.

Key Requirements

  • Provide a free, publicly accessible AI-detection tool that lets users check whether image, video, or audio content was created or altered by the provider’s generative AI system
  • Embed a latent (machine-readable, difficult-to-remove) disclosure in AI-generated image, video, and audio content identifying it as AI-generated, and offer users the option of a manifest (visible) disclosure on that content

Fines

  • Civil penalty of $5,000 per violation, with each day a violation continues counted as a separate violation; enforceable by the Attorney General, city attorneys, or county counsel

Compliance Steps

  1. Integrate or partner with an AI-content detection and provenance (latent-disclosure) solution before August 2, 2026 if your platform meets the one-million-monthly-visitors-or-users threshold

3.6 Colorado AI Act — SB 24-205 / SB 189

Current Status (May 2026): The original law (SB 24-205, originally effective February 1, 2026, delayed by SB 25B-004 to June 30, 2026) is frozen by a federal court injunction. The replacement bill, SB 189, passed May 7–9, 2026 and is awaiting the governor’s signature as of May 2026. SB 189’s effective date is January 1, 2027, contingent on AG rulemaking.
Source: https://leg.colorado.gov/bills/sb24-205 | https://co-aims.com/blog/colorado-ai-act-sb-24-205-complete-compliance-guide

What SB 24-205 Required (now enjoined)

  • Developers of high-risk AI (systems making or substantially contributing to consequential decisions in employment, education, housing, healthcare, financial services, legal services) must use reasonable care to prevent algorithmic discrimination
  • Deployers must implement risk management programs, conduct annual impact assessments, disclose AI use to consumers, and provide appeals mechanisms

What SB 189 Proposes (pending)

SB 189 substantially scales back the original law to a narrower notice-and-transparency framework:

  • Eliminates mandatory risk management programs and annual impact assessments
  • Retains consumer notification when AI is used in consequential decisions
  • Enforcement contingent on AG completing rulemaking (expected 2027)

Current Guidance

Monitor the litigation and SB 189 governor action. No compliance obligation is currently enforceable under either version. Enterprises that voluntarily implemented NIST AI RMF-aligned risk management for Colorado compliance retain that as a multi-jurisdiction asset (Texas, NIST, EU AI Act all recognize similar frameworks).


3.7 Texas Responsible Artificial Intelligence Governance Act (TRAIGA)

Effective: January 1, 2026
Source: https://www.lw.com/en/insights/texas-signs-responsible-ai-governance-act-into-law | https://trustarc.com/resource/ai-compliance-texas-responsible-ai-governance-act-traiga/ | https://www.nortonrosefulbright.com/en/knowledge/publications/c6c60e0c/the-texas-responsible-ai-governance-act

Who It Applies To

All businesses operating in Texas or whose products/services are used by Texas residents that use an AI system. No revenue or size threshold.

Key Requirements

  • Prohibited practices: developing or deploying AI with the intent to manipulate human behavior into self-harm, harm to others, or criminal activity; government social scoring and government biometric identification without consent; developing or deploying AI with the intent to unlawfully discriminate against a protected class (disparate impact alone does not establish intent); producing child sexual abuse material or sexually explicit deepfakes
  • Transparency: the statutory disclosure duties fall on government agencies (any consumer-facing AI interaction) and on health care service providers (disclosure to patients no later than when AI-assisted care is first provided); TRAIGA imposes no general AI-disclosure mandate on other private businesses
  • Documentation: TRAIGA does not prescribe a record-keeping regime, but records of system intent, known limitations, and post-deployment monitoring are the evidence that supports the NIST-alignment affirmative defense below
  • Risk management: internal review processes aligned with a recognized framework (NIST AI RMF referenced explicitly)

Fines

  • Curable violations: $10,000–$12,000 per violation; 60-day cure period upon notice from AG
  • Uncurable violations: $80,000–$200,000 per violation (no cure period)
  • Continuing violations: $2,000–$40,000 per day
  • Licensed professionals: sanctions up to $100,000 plus license suspension/revocation
  • Enforcement: Texas AG only (no private right of action)

Safe Harbor

TRAIGA provides an affirmative defense rather than a blanket exemption. A person who discovers a violation through feedback from developers, deployers, or users, through testing (including adversarial or red-team testing), through following applicable state-agency guidelines, or through an internal review process, and who is in substantial compliance with the NIST AI RMF (2023), the NIST Generative AI Profile (AI 600-1), or another nationally or internationally recognized risk-management framework, is shielded from liability for that violation. This is the strongest statutory safe harbor in any US state AI law as of 2026.

Compliance Steps

  1. Implement and document NIST AI RMF alignment — given the explicit statutory safe harbor, this is the single highest-return compliance investment for Texas operations
  2. Draft AI-disclosure language for customer-facing interactions in Texas (mandatory for government agencies and health care providers; prudent for everyone else); integrate it into product UI and terms
  3. Build a documentation system for AI system limitations and post-deployment monitoring; this is the evidence basis for a NIST-alignment defense

PART IV: UNITED KINGDOM


4.1 UK AI Regulatory Approach — Pro-Innovation Framework

Policy document: “A Pro-Innovation Approach to AI Regulation” white paper (March 2023); Government response (February 2024)
Current status (May 2026): No standalone UK AI Act. Sector regulators enforce existing law against AI-specific harms. Targeted legislation for high-risk/frontier AI in development but not yet published.
Source: https://assets.publishing.service.gov.uk/media/65c1e399c43191000d1a45f4/a-pro-innovation-approach-to-ai-regulation-amended-governement-response-web-ready.pdf | https://www.twobirds.com/en/insights/2026/uk/ai-regulation-in-the-uk-the-role-of-the-regulators

Current Enforcement Structure

Five cross-sectoral principles apply via existing sector regulators, not a new AI authority:

  1. Safety, security, and robustness
  2. Appropriate transparency and explainability
  3. Fairness
  4. Accountability and governance
  5. Contestability and redress

Responsible regulators by sector:

  • Financial conduct and stability: FCA, PRA (Prudential Regulation Authority)
  • Data and privacy: ICO
  • Competition: CMA
  • Medicines / medical devices: MHRA
  • Communications: Ofcom

ICO AI Enforcement (Most Immediately Relevant)

The ICO’s 2025/2026 AI enforcement plan (published June 2025) includes:

  • Active scrutiny of automated decision-making in recruitment by major employers and platforms
  • Consultation on updated ADM and profiling guidance
  • Development of a statutory ADM code of practice
  • Enforcement against AI systems that process UK personal data unlawfully

UK GDPR (retained post-Brexit) carries an Article 22 equivalent. Note that the Data (Use and Access) Act 2025 replaces it with new Articles 22A–22D, which permit solely automated decisions with significant effects (other than those based on special category data) provided safeguards are in place: information to the data subject, the ability to make representations, human intervention, and the right to contest the decision. These provisions are being brought into force by commencement regulations, so the UK position is diverging from EU GDPR. The ICO can fine up to £17.5 million or 4% of global annual turnover, whichever is higher (the UK equivalent of the EU GDPR upper-tier penalty).

Compliance Steps

  1. Apply UK GDPR Article 22 analysis to any automated decision-making affecting UK data subjects; the framework currently mirrors EU GDPR, with the Data (Use and Access) Act 2025 relaxations to track as they commence
  2. Monitor sector regulator (FCA, CMA, ICO) guidance applicable to your industry; the relevant obligation is the sector regulator’s, not a central AI body
  3. Follow the ICO’s published guidance on AI and data protection (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/) — this is the operative compliance standard for data-intensive AI systems in the UK

Geographic avoidance lever: YES — UK GDPR applies to organizations established in the UK and to those offering goods or services to, or monitoring the behaviour of, UK data subjects. Organizations with no UK establishment, no UK sales, and no processing of UK data subjects’ personal data are outside scope.


PART V: CANADA


5.1 Canada — AIDA Dead; Privacy Legislation Pending

Status (May 2026): AIDA (Artificial Intelligence and Data Act, proposed in Bill C-27) died when Parliament prorogued in January 2025. No AI-specific law is in force in Canada.
Source: https://www.mcinnescooper.com/publications/the-demise-of-the-artificial-intelligence-and-data-act-aida-5-key-lessons/ | https://www.osler.com/en/insights/reports/2025-legal-outlook/canadas-2026-privacy-priorities-data-sovereignty-open-banking-and-ai/

AI in Canada is governed by:

  • PIPEDA (Personal Information Protection and Electronic Documents Act) — applies to commercial organizations; regulates collection, use, disclosure of personal information in AI systems
  • Provincial privacy laws (Quebec’s Law 25 is most comprehensive and includes AI-specific provisions on automated decisions — see below)
  • Sector-specific guidance from OSFI (financial institutions), Health Canada (medical devices), and other sector regulators

Upcoming Federal Privacy Legislation

A new federal private-sector privacy statute is expected to be introduced to replace the lapsed Bill C-27, potentially incorporating AI-specific rules. The penalties proposed in the former Bill C-27 (up to C$25 million or 5% of gross global revenue, whichever is greater) are the likely baseline for any successor bill.

Quebec Law 25 (Act Respecting the Protection of Personal Information in the Private Sector)

Quebec’s privacy law, with its automated-decision provisions in force since September 22, 2023 (the final tranche, data portability, followed on September 22, 2024), includes:

  • Organizations that render a decision based exclusively on automated processing of personal information must inform the individual no later than when the decision is communicated
  • On request, the individual has the right to know the personal information used, the reasons and principal factors that led to the decision, and to have the decision reviewed by a person; the individual may also submit observations
  • Penalties: administrative monetary penalties up to C$10 million or 2% of worldwide turnover, and penal fines up to C$25 million or 4% of worldwide turnover (whichever is greater) for serious violations

Compliance Steps

  1. Apply Quebec Law 25 ADM disclosure requirements to any automated decision system touching Quebec customers, employees, or residents — this is the most enforceable AI obligation in Canada today
  2. Conduct a PIPEDA compliance review of AI training data practices; consent and purpose-limitation obligations apply to personal data used in model training
  3. Monitor federal privacy legislation development; draft framework is expected to include AI-specific provisions similar to EU GDPR Article 22

Geographic avoidance lever: PARTIAL — PIPEDA applies to personal information handled in the course of commercial activity with a real and substantial connection to Canada, regardless of where the organization is based. Quebec Law 25 applies to organizations that collect personal information of Quebec residents.


PART VI: CHINA


6.1 China — Generative AI Interim Measures

Regulation: Interim Measures for the Management of Generative AI Services
Effective: August 15, 2023
Administered by: Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT)
Source: https://fpf.org/blog/chinas-interim-measures-for-the-management-of-generative-ai-services-a-comparison-between-the-final-and-draft-versions-of-the-text/ | https://www.china-briefing.com/news/how-to-interpret-chinas-first-effort-to-regulate-generative-ai-measures/

Who It Applies To

Organizations providing generative AI services to the public within China. Foreign companies offering gen AI services accessible to Chinese users are in scope. Internal enterprise use (not offered to the public) is partially exempt but still subject to data and security laws.

Key Requirements

  • Content moderation: Providers must ensure generated content does not include illegal information, defamatory content, discrimination, false information, or content undermining national unity or social order; on discovering unlawful content they must stop generation, remove it, and report to the authorities
  • User identity: the draft Measures’ explicit real-identity verification clause was dropped from the final text; real-name obligations instead flow from the Cybersecurity Law’s general real-name regime, and providers must conclude service agreements with users and take measures against misuse
  • Content labeling: AI-generated content must be labeled in a conspicuous manner; the CAC Measures for Labeling AI-Generated Synthetic Content and the national standard GB 45438-2025 (both effective September 1, 2025) specify explicit (visible) and implicit (metadata) labeling methods
  • Training data governance: Providers must document training data sources, ensure data is lawfully obtained (including intellectual-property and personal-information compliance), and avoid including prohibited content in training datasets
  • Security assessment and algorithm filing: Services with public opinion attributes or social mobilization capacity must complete a security assessment under the 2018 Provisions and file their algorithms with the CAC before launch; the Measures set no user-count threshold for these duties

Enforcement / Fines

  • Fines under the Cybersecurity Law and related regulations: historically up to CNY 1 million (approximately USD 140,000) per violation for cybersecurity-related breaches, with the amended Cybersecurity Law in force from January 1, 2026 raising the ceilings for serious violations; national security violations carry substantially higher exposure
  • CAC can order suspension of services, require rectification, and revoke business licenses
  • Criminal liability possible for serious violations (disseminating prohibited content at scale)

Compliance Steps

  1. For companies operating or considering China market entry: conduct an algorithm security assessment and CAC filing before launch
  2. Build content filtering (prohibiting the specific categories of illegal content defined in Chinese law) into inference-time output layers — this is not optional
  3. Implement user identity measures consistent with China’s real-name regime and apply PIPL/DSL cross-border data rules from day one (localization is mandatory for critical information infrastructure operators and for personal data above the CAC transfer thresholds; other outbound transfers require a security assessment, standard contract, or certification)

Geographic avoidance lever: YES — this regulation applies only to services provided to users in China. Geofencing Chinese users eliminates the compliance obligation but also eliminates the China market.


6.2 China — Algorithmic Recommendation Regulation

Regulation: Administrative Provisions on Recommendation Algorithms in Internet-based Information Services
Effective: March 1, 2022
Source: https://www.twobirds.com/en/capabilities/practices/digital-rights-and-assets/apac-dra/apac-dsd/data-as-a-key-digital-asset/china/data-and-evolving-digital-regulation-algorithm-regulation

Who It Applies To

Any internet information service using algorithms to recommend content, products, or services to users in China.

Key Requirements

  • Promote “mainstream values” and “positive energy” in recommended content
  • Prohibit use of algorithms to manipulate user behavior, create addiction, or exploit psychological vulnerabilities
  • Users must have the ability to turn off algorithmic recommendations and request manual review
  • Operators whose services have public opinion attributes or social mobilization capacity must file their algorithms with the CAC within 10 working days of launch and complete a security assessment; there is no monthly-active-user threshold for filing
  • Prohibit price discrimination — algorithms cannot show different prices to different users for the same product based on user profiling

Compliance Steps

  1. Implement user-facing algorithm transparency and opt-out controls
  2. File algorithm registration with the CAC if the service has public opinion attributes or social mobilization capacity
  3. Audit personalization algorithms for price discrimination patterns

6.3 China — Deep Synthesis (Deepfake) Regulation

Regulation: Administrative Provisions on Deep Synthesis in Internet-based Information Services
Effective: January 10, 2023
Source: https://www.holisticai.com/blog/china-ai-regulation

Who It Applies To

Any organization providing deep synthesis services — generating synthetic voices, video, images, or text — to users in China.

Key Requirements

  • Synthetic content must be clearly labeled; users must be informed that the content is AI-generated
  • Providers must obtain consent when generating content featuring real individuals’ faces, voices, or identities
  • Providers must not use deep synthesis to produce or distribute illegal content
  • Identity verification of users required

PART VII: JAPAN


7.1 Japan — AI Promotion Act (Act on Promotion of Research and Development and Utilization of AI Technologies)

Enacted: May 28, 2025; promulgated June 4, 2025 (partial effect); remaining provisions, including the AI Strategic Headquarters, in force September 1, 2025
Source: https://www.whitecase.com/insight-alert/japans-first-ai-legislation-becomes-law-focus-promoting-research-and-development-no | https://fpf.org/blog/understanding-japans-ai-promotion-act-an-innovation-first-blueprint-for-ai-regulation/

Who It Applies To

All AI developers, providers, and users in Japan — but as a framework statute, it creates government obligations and directions to ministries rather than direct compliance mandates on enterprises.

Key Characteristics

  • No monetary penalties for non-compliance by private actors — Japan’s regulatory philosophy intentionally avoids punitive mechanisms for AI
  • Government may request information from AI operators, investigate misuse cases, and issue guidance or advice
  • Ministries authorized to issue sector-specific detailed guidelines (METI for general commercial AI, Ministry of Health/Labor/Welfare for healthcare/employment AI)

Practical Compliance Obligations

The operative compliance standards come from ministry guidelines, not the AI Promotion Act itself:

  • METI AI Guidelines for Business (version 1.0 April 2024, version 1.1 March 2025): Voluntary guidance on transparency, human oversight, data quality, and safety; the de facto standard for enterprise AI risk management in Japan
  • Act on the Protection of Personal Information (APPI): Personal data used in AI training and inference is subject to consent and purpose-limitation requirements under APPI; enforced by the Personal Information Protection Commission (PPC) with fines up to JPY 100 million for serious violations

Compliance Steps

  1. Align AI development and deployment practices with METI AI Guidelines for Business — voluntary but industry-standard; regulators and procurement counterparties expect adherence
  2. Complete APPI analysis for any AI system processing personal data of Japanese individuals; establish legal basis and data subject rights workflows
  3. Monitor sector-specific ministry guidelines relevant to your industry; METI, Ministry of Health, and Financial Services Agency are all expected to issue AI-specific guidance through 2026

Geographic avoidance lever: PARTIAL — APPI applies to personal data of Japanese individuals regardless of where the organization is based. The AI Promotion Act itself has no extraterritorial reach.


PART VIII: BRAZIL


8.1 Brazil — AI Bill (PL 2338/2023)

Status (May 2026): Senate approved December 10, 2024; pending in Chamber of Deputies (special committee reviewing); not yet enacted
Source: https://www.cisac.org/Newsroom/society-news/creators-celebrate-brazils-senate-approval-ai-bill-prepare-tougher-battle | https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker-brazil

Proposed Framework

If enacted, PL 2338/2023 would create:

  • Risk classifications: Excessive risk (prohibited), high risk (mandatory requirements), limited risk (transparency obligations), minimal risk (voluntary codes)
  • High-risk AI obligations: Risk assessments, transparency, human oversight, technical documentation, incident reporting
  • Enforcement: Administered by the Autoridade Nacional de Proteção de Dados (ANPD)
  • Penalties: Up to 2% of revenues in Brazil, capped at BRL 50 million per infraction

Current Status

No AI-specific law is enforceable in Brazil as of May 2026. The General Data Protection Law (LGPD) applies to AI systems that process personal data of Brazilian individuals — this is the operative compliance framework today.

LGPD Implications for AI

  • Article 20 LGPD: Data subjects have the right to request review of decisions made solely on the basis of automated processing that affect their interests, and controllers must provide clear and adequate information on the criteria and procedures used (subject to trade secrets). The requirement that the review be performed by a natural person was vetoed, so LGPD does not mandate human review; it mandates review and explanation
  • Penalties under LGPD: Up to 2% of Brazil revenues capped at BRL 50 million per violation
  • DPA: Enforced by the ANPD

Compliance Steps

  1. Apply LGPD Article 20 automated-decision requirements to AI systems touching Brazilian personal data — this is enforceable today
  2. Monitor PL 2338/2023 progress in the Chamber of Deputies; the bill is expected to be amended and could pass in 2026
  3. Build a risk-classification mapping exercise now against the bill’s proposed categories to prepare for rapid compliance when enacted

PART IX: AUSTRALIA


9.1 Australia — Guidance for AI Adoption (Voluntary)

Published: October 2025 (replaces the Voluntary AI Safety Standard)
Source: https://www.industry.gov.au/publications/voluntary-ai-safety-standard | https://www.spruson.com/australia-ai-governance-reform-moves-forward-with-voluntary-ai-safety-standard-mandatory-guardrails-for-high-risk-settings-consultation/

Status

Australia has no mandatory AI-specific legislation as of May 2026. The October 2025 Guidance for AI Adoption consolidates the original 10 voluntary guardrails into six responsible AI practices:

  1. Governance and accountability
  2. Impact assessment
  3. Risk management
  4. Transparency
  5. Testing and monitoring
  6. Human oversight

An Australian AI Safety Institute (AISI) was targeted to be operational in early 2026, providing technical safety testing and regulatory advice.

Upcoming Mandatory Framework

Consultation on mandatory guardrails for AI in high-risk settings was conducted in 2024–2025. As of May 2026, no mandatory equivalent has been formally enacted. The most likely pathway is mandatory guardrails for government procurement first, then extending to critical sectors.

Privacy Act — Automated Decision-Making Transparency

Effective: December 10, 2026 — Privacy Act entities must disclose in their privacy policies the types of personal information used in substantially automated decisions that significantly affect individuals. This is the first mandatory AI-specific obligation in Australian law.

Compliance Steps

  1. Voluntarily align with the six responsible AI practices in the Guidance for AI Adoption — this is the industry-standard framework for Australian regulator expectations and procurement evaluations
  2. Prepare Privacy Act policy updates for the December 10, 2026 automated-decision-making disclosure requirement
  3. Monitor AISI guidance and any mandatory guardrail legislation emerging from 2026 consultation processes

PART X: INDIA


10.1 India — Digital Personal Data Protection (DPDP) Act + MeitY AI Governance Guidelines

DPDP Act enacted: August 2023; rules notified November 2025; most obligations transitional to May 2027
MeitY AI Governance Guidelines: Published November 2025 (voluntary)
Source: https://www.akandpartners.in/post/india-s-ai-governance-regime-interplay-of-it-act-dpdp-act-and-sectoral-regulations | https://www.india-briefing.com/news/india-ai-regulation-2026-foreign-platform-compliance-42745.html/

DPDP Act — AI-Relevant Obligations

  • Data fiduciary obligations: Organizations that determine the purpose and means of processing personal data must obtain consent before processing for AI training (unless a statutory “legitimate use” applies), implement reasonable security safeguards, and respond to data principal rights requests (access, correction, erasure, grievance redressal)
  • Significant Data Fiduciaries (SDFs): Designated by the government; must conduct Data Protection Impact Assessments (DPIAs) and periodic audits. Large AI companies operating in India are likely SDF candidates
  • Consent managers: Coming into force November 2026 — will govern how consent is obtained and managed for data processed by AI systems
  • Automated decision-making: No explicit Art. 22-equivalent yet, but February 2026 amendments to IT Intermediary Rules require disclosure of AI-generated synthetic content

MeitY AI Governance Guidelines (Seven Sutras)

Voluntary framework organized around seven guiding principles (the “seven sutras”): Trust is the Foundation; People First; Innovation over Restraint; Fairness and Equity; Accountability; Understandable by Design; and Safety, Resilience and Sustainability. Intended to serve as the framework for any forthcoming mandatory regulation.

Penalties Under DPDP Act

  • Up to INR 250 crore (approximately USD 30 million) per breach for inadequate security safeguards
  • Up to INR 200 crore for failure to notify data breach
  • The Data Protection Board (DPB) enforces; constituted on notification of the Rules in November 2025

Compliance Steps

  1. Appoint a Data Protection Officer (or equivalent contact) and map all personal data flows into AI training and inference pipelines; establish the lawful basis for each
  2. For platforms with significant Indian user bases: assess Significant Data Fiduciary designation likelihood; begin DPIA-readiness work now
  3. Align internal AI governance documentation with MeitY’s Seven Sutras — this is the preview of forthcoming mandatory requirements

Geographic avoidance lever: PARTIAL — DPDP Act applies to processing of personal data collected within India. Foreign platforms that process data of Indian individuals are in scope.


PART XI: SINGAPORE


11.1 Singapore — Model AI Governance Framework (Agentic AI Edition)

Framework published (Agentic AI): January 2026 (World Economic Forum, Davos)
Previous framework (Generative AI): May 2024
Administered by: Infocomm Media Development Authority (IMDA), Personal Data Protection Commission (PDPC)
Source: https://www.imda.gov.sg/resources/press-releases-factsheets-and-speeches/press-releases/2026/new-model-ai-governance-framework-for-agentic-ai | https://blogs.duanemorris.com/duanemorrisandselvam/2026/03/03/singapores-digital-ai-governance-a-pro-innovation-framework-driven-model/

Status

Singapore’s AI governance is entirely voluntary at the framework level. Binding obligations arise from the Personal Data Protection Act (PDPA) when AI systems process personal data.

Model AI Governance Framework — Agentic AI (January 2026)

The world’s first governance framework specifically for agentic AI systems. Addresses:

  • Unauthorized actions by autonomous agents
  • Data leakage in multi-agent pipelines
  • Cascading failures across interconnected agent networks
  • Accountability gaps when no single operator controls the end-to-end pipeline

Key governance dimensions: accountability structures for multi-agent systems, human oversight thresholds for autonomous decisions, incident reporting across agent networks, data minimization in agentic workflows.

PDPA — Binding AI Obligations

  • Advisory Guidelines on AI Recommendation and Decision Systems (March 2024): Clarify PDPA duties at AI development, B2C deployment, and B2B procurement stages
  • Penalties: Up to SGD 1 million or 10% of annual turnover in Singapore, whichever is higher (the percentage cap applies to organisations with Singapore turnover above SGD 10 million), for PDPA violations in connection with AI systems

Compliance Steps

  1. Align agentic AI deployments with the January 2026 framework; Singapore is the global reference document for agentic AI governance and regulators in other jurisdictions are watching
  2. Conduct PDPA analysis for any AI system processing personal data of Singapore individuals; establish consent, purpose, and data minimization compliance
  3. For financial services AI: the MAS Technology Risk Management Guidelines and the MAS-IMDA Veritas methodology for responsible AI set the supervisory expectations MAS assesses against; treat them as binding in practice for regulated entities

PART XII: SOUTH KOREA


12.1 South Korea — AI Basic Act (Framework Act on the Development of Artificial Intelligence and Establishment of Trust)

Enacted: January 2025; Effective: January 22, 2026
Administered by: Ministry of Science and ICT (MSIT)
Source: https://www.cooley.com/news/insight/2026/2026-01-27-south-koreas-ai-basic-act-overview-and-key-takeaways | https://koreatechdesk.com/korea-ai-basic-act-enforcement-startups-governance

Who It Applies To

  • AI development business operators: Organizations that develop and provide AI systems
  • AI utilization business operators: Organizations that provide products or services incorporating AI
  • Foreign companies: Companies without a physical Korea presence but with annual revenue exceeding KRW 1 trillion (approximately USD 730 million) must designate a domestic representative agent

High-Impact AI and High-Performance AI — Heightened Obligations

  • High-impact AI is defined by domain: systems that may significantly affect life, physical safety, or fundamental rights in areas such as energy, drinking water, healthcare, nuclear safety, criminal investigation, recruitment and loan screening, transport, and education. Operators must implement a risk management plan, provide explanations of outputs where technically feasible, ensure user protection and human oversight, and retain documentation
  • High-performance AI is defined by compute: systems trained with cumulative compute at or above 10²⁶ FLOPs (the threshold set in the Enforcement Decree) trigger safety obligations across the system lifecycle, including risk identification and mitigation, incident monitoring, and reporting of results to MSIT

Key Requirements

  • User notification: Advance notice to users when AI is used in a service interaction; clear labeling of AI-generated content that could be mistaken for human-generated
  • Transparency: Providers of high-impact AI and generative AI must disclose to users that AI is being used
  • Domestic representative: Foreign enterprises above the KRW 1 trillion revenue threshold must appoint a Korea-based representative

Fines

  • Administrative fines up to KRW 30 million (approximately USD 21,000) for:
    • Failure to notify users about AI use
    • Failure to appoint a domestic representative
    • Refusal of government inspections or violation of corrective orders

Grace period: MSIT has announced a one-year grace period from January 22, 2026, during which administrative fines will be imposed only in exceptional circumstances (loss of life, serious human rights violations). Fact-finding investigations will be conducted only for serious incidents during this period.

Compliance Steps

  1. Revenue-screen against the KRW 1 trillion threshold; if met, appoint a Korea-based domestic representative now. The one-year grace period suspends fines in ordinary cases, not the obligation itself, and it ends January 2027
  2. Implement AI disclosure notices in Korean-language user interfaces for services available to Korean users
  3. Map any AI systems exceeding the 10²⁶ FLOP threshold for high-performance AI obligations; prepare lifecycle risk management documentation

Geographic avoidance lever: PARTIAL — applies to services provided to Korean users. The domestic representative obligation specifically targets large foreign platforms.


PART XIII: CROSS-JURISDICTIONAL SYNTHESIS


13.1 Regulations Where Geographic Targeting Is the Primary Avoidance Lever

The following regulations are most effectively avoided by not operating in or targeting residents of the jurisdiction. For each, the compliance cost of market entry can be weighed against the revenue opportunity:

Regulation | Jurisdiction | Avoidance Lever
EU AI Act (all tiers) | European Union | Do not place AI on the EU market; do not target EU individuals
EU GDPR Art. 22 | European Union + EEA | Do not process EU personal data
UK GDPR Art. 22 equivalent | United Kingdom | Do not process UK personal data
China Generative AI Interim Measures | China | Geofence Chinese users (exits the China market)
China Algorithmic Recommendation | China | Do not offer recommendation services in China
China Deep Synthesis | China | Do not offer deep synthesis in China
Colorado AI Act (when enforceable) | Colorado, USA | Not viable: cannot exclude one US state without significant product friction
NYC Local Law 144 | New York City | Cease NYC hiring; not commercially viable for large employers
South Korea AI Basic Act | South Korea | Geofence Korean users (below the KRW 1T threshold)
India DPDP Act | India | Do not collect personal data from Indian individuals

13.2 Regulations Requiring Compliance Regardless of Geography

The following cannot be avoided by geographic targeting for any enterprise with US operations or US employees:

Regulation | Trigger | Avoidance Option
FTC Section 5 AI enforcement | Any AI claim in US commerce | None: applies to any entity in US commerce
Texas TRAIGA | Any business in Texas or serving Texas residents | Cannot exclude Texas from US commercial operations
Illinois IHRA | Any employer with Illinois employees or applicants | Cannot exclude Illinois from US employment
NIST AI RMF (banking) | Any federally supervised financial institution | None for regulated entities

13.3 Converging Requirements Across Jurisdictions

Enterprises can satisfy multiple jurisdictions through a single program by building around these converging obligations:

1. Risk classification / impact assessment Required or expected by: EU AI Act (Annex III), California ADMT Rules, Colorado SB 24-205 (when enforceable), Brazil PL 2338 (when enacted), India DPDP (Significant Data Fiduciaries), Australia (voluntary best practice)

2. Human oversight of high-stakes automated decisions Required by: EU GDPR Art. 22, EU AI Act (Annex III), UK GDPR, Quebec Law 25, Brazil LGPD Art. 20, California ADMT Rules, Illinois IHRA (implied by anti-discrimination standard)

3. Consumer/user disclosure when AI is used Required by: EU AI Act (Art. 50 transparency obligations for chatbots, deepfakes, and AI-generated content), South Korea AI Basic Act, China Generative AI Measures, Illinois IHRA, California ADMT Rules, Texas TRAIGA (government agencies and health care providers), NYC Local Law 144

4. Documented AI governance framework (NIST-aligned) Required or provides safe harbor in: Texas TRAIGA (explicit statutory safe harbor), SR 26-02/OCC 2026-13, EU AI Act (for GPAI Code of Practice), FTC enforcement expectations, Colorado AI Act (when enforceable)

Recommended single-program structure for Fortune 500 enterprises:

  1. Implement NIST AI RMF across the enterprise (activates Texas safe harbor; satisfies SR 26-02; demonstrates good-faith governance to FTC, EU AI Office, and ICO)
  2. Conduct Annex III high-risk AI mapping under the EU AI Act framework (the most comprehensive risk-category taxonomy; applying it globally catches all US state equivalents)
  3. Build a universal human-oversight and appeal workflow for consequential automated decisions (satisfies GDPR Art. 22, UK GDPR, Quebec Law 25, LGPD Art. 20, California ADMT, and Illinois IHRA simultaneously)
  4. Deploy AI-use disclosures in all user-facing surfaces (satisfies EU AI Act transparency, South Korea, China, California, Illinois, and NYC obligations in one pass)

PART XIV: REGULATORY TIMELINE — KEY DATES THROUGH 2027

Date | Jurisdiction | Event
Feb 2, 2025 | EU | Prohibited AI practices ban effective
Aug 2, 2025 | EU | GPAI model obligations effective
Sep 1, 2025 | China | CAC Labeling Measures and GB 45438-2025 AI content labeling standard effective
Jan 1, 2026 | Illinois, USA | IHRA AI amendment effective
Jan 1, 2026 | California, USA | CPPA ADMT risk assessments required; AB 2013 training data transparency effective
Jan 1, 2026 | Texas, USA | TRAIGA effective
Jan 22, 2026 | South Korea | AI Basic Act effective (one-year grace period on fines)
Apr 17, 2026 | USA (banking) | SR 26-02 / OCC 2026-13 effective
May 2026 | Colorado, USA | SB 189 pending governor signature; prior law frozen by injunction
Aug 2, 2026 | EU | Annex III high-risk AI system obligations scheduled to apply; GPAI Commission enforcement powers active. The Commission’s November 2025 Digital Omnibus proposal would delay Annex III obligations to as late as December 2027 if adopted; monitor the legislative outcome
Aug 2, 2026 | California, USA | SB 942 AI Transparency Act effective
Nov 13, 2026 | India | Consent manager rules effective under DPDP Act
Dec 10, 2026 | Australia | Privacy Act automated-decision transparency disclosure required
Jan 1, 2027 | Colorado, USA | SB 189 (replacement law) effective if signed, contingent on AG rulemaking
May 2027 | India | Most DPDP Act substantive obligations in force
Aug 2, 2027 | EU | High-risk AI embedded in Annex I regulated products (medical devices, machinery): extended transition deadline under the Act as adopted (the Digital Omnibus proposal would push this to August 2028)
TBD 2026–2027 | Canada | New federal privacy legislation expected; C$25M / 5% global revenue penalties proposed
TBD 2026–2027 | Brazil | PL 2338/2023 Chamber of Deputies vote; BRL 50M per infraction cap if enacted
TBD 2026–2027 | UK | Targeted legislation for high-risk and frontier AI in development

SOURCES