Header image: gov-04-header.png

If you had asked me at the start of 2024 to explain the global AI regulatory landscape, I would have needed one PowerPoint slide. The EU was drafting the AI Act. The US had voluntary commitments and an executive order. Everyone else had principles, frameworks, and forums. That was pretty much the whole story.

By mid-2026, that same slide is unrecognisable. The EU AI Act is partially in force. The US has moved through one executive order under Biden, its rescission under Trump, a new executive order, a National Policy Framework, a proposed federal AI Act, and a growing thicket of state laws (with the Trump administration actively working to preempt them). Australia has had two supervisory letters in a single week from its two major financial regulators. Singapore has closed consultation on formal AI risk management guidelines. Canada, Brazil, the United Kingdom, the UAE, Qatar, China, Japan, and South Korea are all in various stages of building out sector-specific or horizontal regimes.

You cannot govern AI in an enterprise without understanding this map. Not because you need to comply with everything everywhere, but because the map determines what your customers, your regulators, your investors, and your board expect. A great deal of good governance work is being done to comply with rules that do not technically apply to you, because they represent the direction of travel and because compliance now is cheaper than remediation later.

This article is the map. I have tried to keep it current as of mid-2026 and to flag where the picture is still moving.

The dominant model: risk-based, horizontal, sectoral overlay

Before we go region by region, it helps to understand the shape most regimes are converging on.

The dominant model has three layers. At the top is a horizontal framework, applying to AI generally, that classifies uses by risk and imposes proportionate obligations. The EU AI Act is the archetype. Below that are sectoral rules, applying to specific industries, that translate general principles into industry-specific obligations. Financial services regulation, healthcare regulation, and law enforcement rules are the most common examples. At the base are general-purpose laws that continue to apply regardless of AI use: data protection, anti-discrimination, consumer protection, contract, tort, and criminal law.

Different jurisdictions weight these layers differently. The EU has emphasised the horizontal layer. The US, for now, has emphasised the base layer plus sectoral. Australia and Singapore, in different ways, have emphasised the sectoral layer while relying on general law at the base. But almost everywhere, all three layers are present.

The practical implication is that “does the AI Act apply to me” is almost never the right question. The right question is: given what I am building and where I am deploying it, what combination of horizontal, sectoral, and general obligations applies, and what does compliance look like at their intersection?

European Union

The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive horizontal AI law. It entered into force on 1 August 2024 and phases in over three years.

As of mid-2026, the following are in force. The prohibited practices of Article 5 (since 2 February 2025). The AI literacy obligation of Article 4 (also since 2 February 2025). The GPAI provider obligations of Articles 51 to 55 for models placed on the market after 2 August 2025.

The Digital Omnibus on AI, on which negotiators reached a provisional political agreement on 7 May 2026, has deferred several key deadlines. Annex III high-risk system obligations move from 2 August 2026 to 2 December 2027. Article 50(2) transparency obligations for synthetic content generation move from 2 August 2026 to 2 December 2026 for systems already on the market before 2 August 2026. National regulatory sandbox obligations move from 2 August 2026 to 2 August 2027. High-risk AI systems embedded in regulated products (Annex I) move to 2 August 2028.

New prohibitions take effect 2 December 2026: AI systems generating or manipulating non-consensual intimate imagery of identifiable individuals, and AI systems generating CSAM as defined by Directive 2011/93/EU.

Two things are important to understand about the Omnibus deferrals. First, they are provisional pending formal adoption; treat them as planning anchors but confirm before final decisions. Second, they defer some deadlines but not the enforceability of what is already in force. Prohibited practices and GPAI obligations are enforceable now, with fines up to €35 million or 7% of global annual turnover.

The AI Act is extraterritorial. Organisations placing AI systems on the EU market, or whose AI outputs are used in the EU, are in scope regardless of where they are headquartered. This is the reason so many non-EU organisations are aligning with the Act even where local law does not require it.

United States

The US position has shifted materially since November 2024 and continues to evolve.

At the federal level, Executive Order 14110 (Biden, October 2023) was rescinded shortly after the change in administration. Executive Order 14365 (Trump, 11 December 2025), titled “Ensuring a National Policy Framework for Artificial Intelligence,” established an AI Litigation Task Force within the Department of Justice, directed the Department of Commerce to condition Broadband Equity, Access and Deployment (BEAD) funding on states’ AI regulatory posture, and directed the FTC to issue a policy statement on AI-related deceptive practices.

The National Policy Framework for AI, released 20 March 2026, is a legislative recommendation rather than a binding instrument. It outlines seven pillars including child protection, community safeguards, IP, free speech, innovation, workforce, and federal preemption of state AI laws. It is not law; it is the administration’s proposal for what federal law should look like.

The most prominent congressional proposal is the TRUMP AMERICA AI Act, a comprehensive 291-page draft bill introduced by Senator Blackburn in December 2025 and updated in March 2026. It would preempt certain categories of state AI regulation while imposing a duty of care, bias audit requirements, digital replica protections, and Section 230 modifications. Democratic opposition has coalesced around bills like the GUARDRAILS Act, which would repeal EO 14365 and preserve state authority.

At the state level, the picture is dense and moving. Colorado passed the first comprehensive US state AI Act in 2024. It was originally scheduled to take effect 1 February 2026 but has been delayed to 30 June 2026, with active discussion of further amendments. California’s SB 53 (frontier model safety) and New York’s RAISE Act (also frontier model safety) are advancing. Utah, Texas, Illinois, Tennessee, and New York have all passed or advanced AI-related legislation, focused variously on employment, deepfakes, disclosure, and consumer protection.

The practical position for organisations operating in the US in 2026 is unstable. Federal preemption is being asserted but not yet enacted. State laws are on the books, some enforceable now. The direction of travel at both levels remains contested. The next article on the US regulatory picture goes into this in more depth.

Australia

Australia has taken a distinctive path. There is no standalone AI Act, and the direction of travel from the government’s own consultations has been to rely primarily on existing law with targeted amendments where necessary.

What has changed in 2026 is the intensity of regulator attention. The APRA Letter to Industry on Artificial Intelligence, dated 30 April 2026, marks APRA’s first published AI-specific supervisory expectations. Drawing on a targeted engagement with large banks, insurers, and superannuation trustees conducted in late 2025, the letter identified four areas of concern: governance and board literacy, third-party concentration risk, assurance practices not keeping pace with AI adoption, and cyber threat landscape changes driven by frontier AI models. APRA’s principal instruments, CPS 230 (Operational Risk Management) and CPS 234 (Information Security), remain the applicable prudential standards and are technology-agnostic. The letter clarifies what those standards mean in practice for AI.

The ASIC Letter to Industry, dated 8 May 2026, focused on cyber resilience in the context of frontier AI capabilities. ASIC directed that the letter be tabled and discussed at board and risk governance committees. Together, the two letters put boards and executives of regulated financial services entities on notice that supervisory attention has intensified.

Beyond financial services, AI-relevant obligations apply through the Privacy Act 1988 (administered by the OAIC), anti-discrimination law, consumer protection law (administered by the ACCC), and communications law (administered by the ACMA). All four regulators have commented publicly on AI. The Robodebt Royal Commission findings continue to shape regulator expectations around automated decision-making generally.

An important operational point: CPS 230 required regulated entities to update contracts with material service providers, including AI vendors, by their next renewal and at the latest by 1 July 2026. Contract updates should reflect audit rights, model change notification, incident notification, and data handling provisions. Article 8 goes deep on the Australian picture.

Singapore and APAC

Singapore has become one of the most sophisticated AI regulatory jurisdictions globally, without ever enacting an AI Act.

The foundation is the FEAT Principles (Fairness, Ethics, Accountability, Transparency), published by MAS in 2018. The Veritas Initiative operationalised FEAT with a methodology and toolkit produced between 2020 and 2023. Project MindForge extended the framework to generative AI, with Phase 1 concluding in May 2024 and Phase 2 concluding in early 2026 with the publication of the MindForge AI Risk Management Executive Handbook (January 2026) and Operationalisation Handbook (March 2026).

The MAS Consultation Paper on Proposed Guidelines on Artificial Intelligence Risk Management for Financial Institutions was released 13 November 2025 with consultation closing 31 January 2026. Once finalised (expected in 2026), the Guidelines will serve as supervisory expectations, with a 12-month transition period.

Beyond financial services, the IMDA and PDPC jointly maintain the Model AI Governance Framework, updated across multiple versions and extended in January 2026 to cover agentic AI. AI Verify is the government-developed testing toolkit. AI TAP is the accreditation programme for third-party AI testers. Singapore has also pushed international standards, including the ISO/IEC 42119-8 proposal for generative AI testing methodology.

Hong Kong continues to rely on existing law, particularly the Personal Data (Privacy) Ordinance (PDPO), with intensifying supervisory attention from the Privacy Commissioner for Personal Data (PCPD). Compliance checks initiated in January 2026 across 60 organisations produced results published in May 2026 showing 95% AI usage in day-to-day operations.

China’s Interim Measures for the Management of Generative AI Services took effect August 2023 and remain the world’s first comprehensive generative AI regulation. Japan has continued with its soft-law approach, updated periodically through METI and the AI Strategy Council. South Korea’s Framework Act on the Development of AI, passed in December 2024 and taking effect January 2026, adopts a horizontal risk-based structure similar in shape to the EU AI Act.

Article 9 goes deep on the APAC picture.

Figure 1: The global map at a glance

Diagram 1: gov-04-diagram1.png

Figure 1 shows the state of AI regulation across major jurisdictions as of mid-2026. The shading distinguishes jurisdictions with a horizontal AI law in force (EU, China, South Korea), jurisdictions with active federal-level frameworks that are not yet binding law (US, Canada), jurisdictions relying on sectoral supervision (Australia, Singapore, Hong Kong, UK), and jurisdictions with early-stage or draft regimes (Brazil, UAE, Qatar, others). The map understates complexity, because in most jurisdictions multiple layers apply simultaneously, but it gives a workable orientation.

Other jurisdictions worth flagging

Several other jurisdictions have moved enough to be worth naming.

Canada’s Artificial Intelligence and Data Act (AIDA), part of Bill C-27, was under consideration until Parliament was prorogued in early 2025. Its future is now uncertain. In the meantime, the Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems continues to operate.

The United Kingdom has taken a “pro-innovation” approach, relying on existing regulators to apply cross-sector principles rather than enacting an AI Act. The AI Safety Institute continues to operate and has been rebranded and reorganised through 2025 and 2026. The direction under the current government is toward more targeted intervention, but no horizontal statute has been introduced.

Brazil’s AI regulation (Projeto de Lei nº 2338/2023) has advanced through the legislative process with a structure similar to the EU AI Act.

The UAE has issued a CBUAE AI Guidance Note (February 2026) for the banking sector, closely aligned with EU supervisory expectations. Qatar’s central bank has issued similar guidance. Both signal that Gulf financial regulators are aligning with, rather than diverging from, the emerging global consensus.

Switzerland’s FINMA has communicated expectations on AI in financial services. Germany’s BaFin, France’s ACPR, and the Netherlands’ AFM and DNB have all published AI supervisory statements as national implementations of the EU framework.

What this means for a governance program

Three points, and then we go region by region.

First, if you operate in multiple jurisdictions, harmonise upward. Build to the highest applicable standard rather than the lowest. This is almost always cheaper than trying to maintain separate compliance postures per region, because the highest standards tend to become the international default within a few years anyway.

Second, watch the sectoral layer as closely as the horizontal layer. In practice, most enterprise AI governance is being shaped by financial services regulators, healthcare regulators, and privacy regulators, not by the horizontal AI laws themselves. The horizontal law tells you the shape. The sectoral regulator tells you what compliance actually looks like on Tuesday morning.

Third, deadlines will keep moving. The Omnibus deferrals in the EU are a clear example. State-level moves in the US are another. Colorado’s delay is a third. If your compliance planning depends on specific dates staying fixed, it will produce a series of small crises. Better to plan for compliance readiness that is robust to timeline shifts.

Figure 2: The compliance readiness curve

Diagram 2: gov-04-diagram2.png

Figure 2 shows a typical compliance readiness curve for an enterprise AI governance program. The horizontal axis is time; the vertical is capability. What you notice is that regulatory deadlines are pinch points on the curve, but capability build is continuous. Organisations that treat deadlines as the driver end up in reactive posture. Organisations that treat capability build as the driver end up ahead of the deadlines. The shape of the curve is what matters. The specific deadlines are the punctuation, not the sentence.

The next article goes deep on the EU AI Act, which is the most demanding regulatory instrument in force today, and which sets the shape of much of what comes after.