CMMC, HIPAA, EU AI Act, GDPR, NIST AI RMF: the regulatory landscape for enterprise AI is expanding fast. Polygraf maps which regulations apply to your enterprise.
There is no single "AI law" to follow. There is the EU AI Act, Colorado's rewritten ADMT Act, a pile of California statutes, the NYC hiring law, and over a dozen other US state regimes, each with different triggers, deadlines and penalties. This is the map: which ones apply to you, when they bite, and what they actually require.
The question "are we compliant with our AI deployment?" has no single answer in 2026 because there is no single regulator. An enterprise that deploys one customer-facing AI feature can be subject to the EU AI Act (if it impacts EU users), the Colorado automated-decision law (if it impacts Colorado consumers in a material way), California's transparency laws, sector rules such as HIPAA or GLBA, and NYC's bias-audit law for any hiring use, each with its own trigger, its own deadline and its own penalty schedule. Compliance is not a checkbox, it is a matrix.
That matrix is also moving. In the first half of 2026 alone: Colorado repealed and replaced its AI Act, pushing the effective date to 2027; the EU provisionally agreed to postpone its high-risk date; and a US federal executive order began challenging state AI laws on preemption grounds. Any guide that has not been updated this year is already wrong on the dates. At Polygraf we help companies build the controls these frameworks require – inventory, logging, data protection and human oversight – in a way that works across multiple regimes at once. This is the current map.
Before you face the next deadline, find out where you actually stand. Polygraf's AI Risk Calculator asks a few short questions about your industry, AI tools, data types and existing controls, then models your financial exposure and shows you exactly which regulations and policies apply to your deployment.
The single most important thing to understand is sequencing: some obligations are already enforceable with real penalties, others are months or years away. Here are the key dates as of mid-2026.
Under the EU AI Act, the prohibited practices (subliminal manipulation, social scoring and certain biometric and emotion-recognition uses) became enforceable on 2 Feb 2025, carrying the highest penalty tier of €35M / 7%. AI literacy obligations also came into effect on that date.
The rules for general-purpose AI (GPAI) models (transparency, documentation, copyright, systemic-risk assessment) applied from 2 August 2025. Providers of GPT, Claude, Gemini and other such models are obliged to comply with them. The penalty regime also took effect on that date.
California AB 2013 is effective January 1, 2026. Any generative AI made available in California by its developer must be accompanied by public disclosure of documentation about the datasets used to train the system.
Obligations for high-risk (Annex III) systems under the EU AI Act (hiring, credit, medical, education) cover risk management, technical documentation, conformity assessment and human oversight. They were provisionally deferred to Dec 2, 2027 under the Digital Omnibus agreement of May 2026, but that deferral has not yet been adopted. Until it is, Aug 2, 2026 remains the legally binding date.
Remaining obligations, including AI systems embedded as safety components in regulated products (Annex I), become applicable Aug 2, 2027.
In May 2026, Colorado repealed and replaced its original 2024 AI Act. The new Automated Decision-Making Technology Act will go into effect on Jan 1, 2027, and is a more limited transparency-based law that focuses on consumer notice and appeal rights.
2026 has been a year of regulatory uncertainty. The EU's Digital Omnibus (provisional agreement May 2026) would move the high-risk Annex III obligations from August 2026 to December 2027, but it is still not formally adopted, so the original date technically remains in force. In the US, Colorado repealed and replaced its AI Act before it ever took effect, and a December 2025 federal executive order is attempting to preempt state AI laws, with the DOJ intervening in litigation over the Colorado statute. The practical point: plan for the requirements, but check the live date before you depend on it.
The following are the frameworks most likely to apply to an enterprise AI deployment. The key question for each is not "what does it say" but "does it apply to us", which depends on where your users are and what your AI does.
The EU AI Act applies if you put an AI system on the EU market or an AI system's output is used in the EU, regardless of where your company is located. It is extraterritorial, like GDPR. Obligations are scaled by risk tier: prohibited, high-risk, limited, minimal.
For high-risk systems: risk management, data governance, technical documentation, logging, human oversight, accuracy/robustness, and conformity assessment. For GPAI: transparency and documentation. For limited-risk systems: Article 50 transparency labels (e.g. for AI-generated content and chatbots).
Colorado's ADMT Act applies if you use automated decision-making technology (ADMT) that has a material impact on consequential decisions (employment, housing, health care, lending, education, insurance) affecting Colorado consumers. The Colorado Attorney General enforces it; there is no private right of action.
The amended Act narrows the scope of the original to operational transparency: consumer notice when ADMT has a material impact on a consequential decision, plus appeal/review rights. The broad risk-assessment and algorithmic-discrimination duties of the original 2024 law were greatly reduced.
California's laws apply if you are a provider of generative AI to Californians (AB 2013 training-data transparency, effective Jan 1, 2026) or you operate covered AI content/detection tools (SB 942, the AI Transparency Act, with effective dates phased into 2026). The CCPA/CPRA amendments on automated decision-making are also relevant.
AB 2013: disclosure of training-dataset documentation. SB 942: provenance/disclosure tools for AI-generated content. The state has passed one of the densest stacks of AI-specific laws in the US, some of which build on the existing CCPA privacy obligations.
NYC's hiring law applies if you use an automated employment decision tool (AEDT) to screen candidates or employees for a job in New York City. It is one of the first AI hiring laws in the US, in effect and enforced since 2023.
It requires an independent bias audit of the tool within the previous year, public disclosure of the audit results, and advance notice to candidates that an AEDT is being used and which job qualifications it is measuring.
Sector rules apply if you are in an industry regulated by HIPAA, GLBA, SEC Reg S-P, FINRA or similar. These laws predate AI but apply to it in full: using regulated data in an AI tool is subject to the existing law.
They contain no AI-specific text, but they require a BAA before PHI is sent to an AI vendor (HIPAA), protection of customer financial data (GLBA), and supervision and recordkeeping of AI-assisted communications (FINRA/SEC). For many businesses, most of the immediately enforceable AI obligations are found here.
ISO 42001 and the NIST AI RMF are not laws, but they are increasingly demanded by enterprise customers, partners and auditors as evidence of responsible AI governance. ISO 42001 is certifiable; NIST AI RMF is a voluntary framework used as a baseline.
ISO 42001: a formal AI management system with risk registers, role assignments and impact assessments. NIST AI RMF: the GOVERN / MAP / MEASURE / MANAGE functions. Both map to the EU AI Act, so building to them covers much of the legal requirement as well.
The EU AI Act's highest tier (€35M / 7%) is deliberately higher than the ceiling of the GDPR (€20M / 4%) – a message that AI infringements are more serious than data-protection infringements. The fine per infringement is the higher of the fixed sum and the turnover percentage.
"Multistate operators are experiencing compliance stacking: one chatbot may require EU Article 50 labels, Colorado notices, and California disclosures. Legal teams are starting to track a jurisdiction matrix per feature."
— AI Regulation Update 2026 analysis

The key strategic insight is that the regulations differ in their wording but all point to the same underlying controls. Build them once and you meet the operational core of almost all the frameworks above, rather than running a separate compliance project for each jurisdiction.
Polygraf AI's Behavioral Control Plane enforces controls 1–4 above. It discovers and inventories AI use in your organization, detects and masks regulated data (PII, PHI, financial data, credentials) at the AI interaction point, logs every interaction in a tamper-proof audit trail, and enforces policy with human-in-the-loop review, all on-premise with zero data egress. Instead of building separate controls for the EU AI Act, HIPAA, GLBA and state laws, you build one enforcement layer whose evidence maps to all of them. It is the operational engine of a compliance program that can keep up with a changing regulatory map.
Polygraf provides the AI inventory, data protection, audit logging, and oversight required by the EU AI Act, HIPAA, GLBA, and US state AI laws – as a single on-premise enforcement layer with no data egress. Build once, satisfy many.
© 2026 Polygraf AI. All rights reserved.