Anyone using or developing AI systems in 2026 must navigate a regulatory landscape that has grown complex quickly and will continue to do so. The EU AI Act is in force. Colorado, Illinois, New York City and Utah already have operational laws. In 2025, legislators in all 50 US states introduced AI proposals, and concrete measures were approved in 38 states. There is no single federal US law to serve as a reference: each jurisdiction legislates independently.
The good news is that a common structure exists. A comparative analysis of regulations shows that European and American legislators have focused, at varying levels of depth, on the same three principles: transparency, risk management and fairness. Those who build their compliance strategy on these three axes can cover most current obligations and prepare for future ones without starting from scratch with every new law.
Transparency: disclose when AI is in use
Nearly all active regulations require that users be informed when they interact with AI systems or when decisions affecting them involve automated processes. The forms vary: Colorado requires consumer notification for "consequential" decisions in areas such as employment, credit and housing. Illinois and NYC require that candidates and employees be informed when AI is used in hiring and evaluation processes. The EU AI Act requires notification whenever AI automates decision-making processes or when users interact with chatbots.
Operationally, the most efficient way to meet these obligations is to embed notification into existing policies and processes: update chatbot notices to inform users that they are interacting with AI and offer the option to speak with a human operator; add a mechanism to internal labeling processes for tagging AI-generated content.
Risk management: assess before deploying
Colorado and the EU AI Act are the most demanding regulations on this front. Colorado requires annual impact assessments for high-risk AI systems, with a risk management program aligned to recognized frameworks -- the NIST AI Risk Management Framework is explicitly cited. The EU AI Act establishes even more extensive requirements: conformity assessment, Fundamental Rights and Algorithms Impact Assessment (FRAIA), mandatory human oversight, and documentation of testing and monitoring processes.
For those already subject to the GDPR, the starting point exists: the DPIAs (Data Protection Impact Assessments) already in use for high-risk processes can be extended to incorporate the FRAIA-required questions. Colorado risk assessment questions can be integrated into existing enterprise risk assessments. This does not eliminate the work, but significantly reduces it compared to building separate processes for each regulation.
The operational prerequisite is an AI use case inventory: you cannot assess what you do not know. The inventory must map AI systems in use, the processes they support, the data they use and the critical dependencies with applications and infrastructure. Organizations that already have a model inventory or data inventory can adapt existing resources; those starting from scratch must build it as a first priority.
Fairness: audits, documentation and anti-bias processes
NYC, Colorado and the EU AI Act all require measures to prevent algorithmic discrimination, with different approaches. NYC mandates annual bias audits for those using automated hiring tools, with mandatory publication on the company website. Colorado requires system documentation from developers of high-risk AI systems, to be shared with the organizations using them. The EU AI Act requires bias risk validation as part of the mandatory assessment for high-risk uses.
A practical point: many organizations struggle to know which departments -- and which vendors -- are using AI technology. The Records of Processing Activities (RoPAs) used by the privacy function to track personal data processing can serve as a starting point for identifying AI processes that use sensitive data. A well-maintained RoPA significantly reduces the time needed to track and monitor AI use across the organization.
A global policy or differentiated policies by jurisdiction?
Organizations operating across multiple jurisdictions must choose between two approaches: differentiated policies for each law, or a global policy aligned to the most stringent standards. The second option is more efficient for those subject to the EU AI Act: since American legislators explicitly drew inspiration from the European risk-based approach, a well-structured EU AI Act compliance program largely covers US state requirements as well.
The main risk to manage is regulatory fragmentation itself: uncoordinated laws across different states, uncertainty about federal preemption initiatives over state laws, and a pace of regulatory production that makes monitoring an ongoing activity, not a one-time project. 47% of legal leaders plan to strengthen their regulatory tracking processes within the next 12-18 months. The states to monitor with high priority are California, Connecticut, Maryland and New York.
Those who build an AI governance structure based on transparency, risk management and fairness today are not just doing compliance: they are preparing to respond to whatever law is enacted in the coming years without having to start from scratch.