Legal & Regulatory Frameworks
Last reviewed: 2026-05-11

AI systems must comply with an increasingly dense landscape of laws, regulations, and standards. Where the 2025 edition of this handbook treated AI law as an emerging field, the 2026 edition treats it as established: dozens of binding instruments are in force across the EU, US states, the UK, Korea, Japan, China, and beyond, and the major international standards bodies have published certifiable AI management standards.
This chapter is organised by jurisdiction and instrument type. Use it as a reference; cross-references between sections highlight overlaps (e.g., GPAI obligations under the EU AI Act and the GPAI Code of Practice covered in Frontier Models).
What’s in this chapter
- International Standards (ISO) — ISO/IEC 42001, 23894, 22989, and the 2025 additions of 42005 (impact assessment) and 42006 (audit/certification body requirements).
- EU AI Act — the world’s first horizontal AI statute, now in phased enforcement and reshaped by the May 2026 Digital Omnibus.
- US Federal — EO 14179, America’s AI Action Plan, OMB memos M-25-21 and M-25-22, CAISI, NIST AI RMF, and the December 2025 preemption executive order.
- US State Laws — Colorado SB 24-205, Texas TRAIGA, California SB 53 / AB 2013 / SB 942, Utah SB 226, Tennessee ELVIS Act, NYC Local Law 144.
- International — United Kingdom, Canada, South Korea, Japan, China, Brazil, Singapore, plus OECD and UNESCO principles.
- Sectoral — FDA AI/ML medical-device guidance, OCC and Federal Reserve model-risk management, CFPB, EEOC employment AI.
- Copyright & IP — Bartz v. Anthropic, Kadrey v. Meta, training-data disclosure laws, and where the law is still unsettled.
Reading guide
Organisations active in multiple jurisdictions should start with ISO, then layer the most binding regime on top: EU AI Act for any product or service touching EU users; US Federal plus the relevant state laws for US deployment; the International chapter for region-specific obligations. Sector-specific overlays (financial services, healthcare, employment) come last.
Organisations operating in a single jurisdiction can read just the relevant national chapter, the ISO section (for management-system architecture), and the Sectoral section if applicable.