Research ReportPublished February 2026Updated June 26, 2026v1.7

    AI Governance & Risk Readiness 2026: EU AI Act & Global Policy

    Evidence-based evaluation of AI risk, compliance, and governance obligations across major jurisdictions — for boards, compliance officers, and regulators

    Authors:
    Linus Ingemarsson(Co-Founder, Alice Labs)
    2026-08-02
    EU AI Act Application
    General application date
    85
    Public Sources
    Curated for authority
    42%
    Enterprise AI Deployed
    Governance burden rising
    9+
    Jurisdictions Mapped
    EU, US, China, UK, SG, JP…
    Linus Ingemarsson - Author at Alice Labs
    Written by
    Eric Lundberg - Reviewer at Alice Labs
    Reviewed by
    Published ·Updated

    Methodology & Transparency: This analysis draws on primary sources — including Eurostat, OECD, national statistical agencies, peer-reviewed literature, and official vendor disclosures — combined with Alice Labs implementation data. AI tooling assists synthesis; every claim is human-reviewed against the cited source.

    All figures and claims link to their public source for verification. Reviewed by the named author and reviewer above. Methodology, source list, and revision history are available below.

    Cite This Report

    Ingemarsson, L. (2026). Global AI Governance & Risk Readiness Report 2026 (Version 1.7). Alice Labs. https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026
    Version 1.7 • Published February 17, 2026
    Key TakeawayLast reviewed: 26 June 2026

    This report provides a citation-grade, desk-research assessment of global AI governance and organizational AI risk readiness for 2026, designed for boards, compliance leaders, and regulators. It maps binding legal timelines (notably the EU AI Act's phased application dates, U.S. federal executive and OMB policy changes, China's platform-focused AI measures, and selected U.S. state laws) alongside audit-oriented standards and assurance mechanisms (ISO/IEC 42001, ISO/IEC 23894, NIST AI RMF and its GenAI profile, and AI Verify).

    The dataset emphasizes compliance-critical dates (e.g., EU AI Act general application on 2026-08-02; Colorado's AI law effective date delayed to 2026-06-30; China's generative AI measures effective 2023-08-15) and highlights the operational artifacts that recur across regimes: inventories, impact assessments, transparency notices, and incident response integration. Findings stress that readiness is primarily a governance-and-evidence problem rather than a principles problem.

    Limitations: rapid policy volatility (especially U.S. federal-state dynamics and pending legislation in Brazil/Canada), uneven availability of official publication dates on some web pages, and reliance on a bounded set of jurisdictions and public sources.

    Executive Summary

    Global AI governance in 2026 is best understood as a convergence of binding regulation (EU-led, China sectoral controls, U.S. state laws), government operational policy (U.S. federal memos and executive orders; UK transparency standards), and audit-ready standards and assurance frameworks (ISO/IEC 42001, ISO/IEC 23894, NIST AI RMF, AI Verify, OWASP).

    For boards and compliance leaders, "risk readiness" in 2026 is dominated by time-bound obligations: EU AI Act provisions for Chapters I–II already applied in 2025-02; obligations relevant to general-purpose AI providers entered application in 2025-08; and the Act's general application date is 2026-08-02, with further phased items reaching into 2027.

    Meanwhile, the U.S. federal approach underwent a documented shift: EO 14110 was revoked on 2025-01-20 by EO 14148, and subsequent OMB memoranda (M-25-21 and M-25-22) reframe federal AI use and acquisition governance. This shift coincides with an intensified federal-state tension, evidenced by conflicts around state AI proposals and Colorado's delayed AI law effective date (now 2026-06-30).

    In parallel, AI-adjacent cybersecurity regimes (e.g., EU CRA) introduce security and vulnerability handling duties that intersect directly with AI supply chains. Enterprise AI adoption is already at scale — IBM/Morning Consult reports 42% deploying and 40% exploring in Nov 2023 — increasing regulators' emphasis on operational controls, not principles alone.

    Key Findings

    12 data-driven insights

    01EU AI Act general application is 2026-08-02, but key chapters applied earlier in 2025

    Chapters I–II applied 2025-02-02; GPAI Chapter V applied 2025-08-02; general 2026-08-02

    Converts readiness into an immediate, phased compliance program rather than a single deadline.

    02EU GPAI obligations entered application in 2025-08, with transition deadlines to 2027-08

    Pre-existing GPAI models have until 2027-08-02 to comply

    GPAI providers must begin compliance immediately; transition window creates dual-track obligations.

    03EO 14110 was rescinded on 2025-01-20, demonstrating rapid executive-branch governance shifts

    EO 14148 revoked EO 14110; confirmed by NIST and Federal Register

    Executive-branch AI governance can shift within a single political cycle — durable governance requires standards-based approaches.

    04OMB M-25-21 and M-25-22 reset federal agency AI governance and procurement

    M-25-21 rescinds/replaces M-24-10; M-25-22 governs AI acquisition

    Procurement becomes a primary governance lever for federal AI.

    05Colorado delayed its AI law effective date to 2026-06-30

    SB24-205 obligations extended by SB25B-004

    Confirms the volatility of first-generation U.S. state AI statutes.

    06China's generative AI measures became effective 2023-08-15

    Interim Measures issued 2023-07-10, effective 2023-08-15

    Represents early binding controls on public-facing generative AI services.

    07Singapore's AI Verify operationalizes governance principles into testable checks

    11 AI governance principles assessed through technical tests and process checks

    Reflects global trend toward measurable assurance, not just policy statements.

    08ISO/IEC 42001 (2023-12) positions AI governance as a management system

    Management system standard enabling auditable governance structure

    Structurally compatible with audit and continuous improvement programs.

    Source:ISO

    09Council of Europe's AI Convention opened for signature 2024-09-05

    First legally binding international AI treaty

    Sets human rights-based framing as a binding international baseline.

    10Enterprise AI is already in production at scale

    42% deploying, 40% exploring (IBM/Morning Consult, Nov 2023)

    Increases regulators' emphasis on operational controls, not principles alone.

    11EU Cyber Resilience Act creates phased compliance horizon intersecting with AI

    General application 2027-12-11; partial application in 2026

    AI-enabled products face parallel security readiness deadlines.

    12Governance readiness is a governance-and-evidence problem, not a principles problem

    Inventories, impact assessments, incident response, and assurance recur across all major regimes

    Organizations must shift from narrative governance to measurable, artifact-based compliance.

    Source:Cross-regime analysis

    Need Help Implementing These Findings?

    Alice Labs helps enterprises turn AI research into measurable business outcomes — from strategy to full-scale implementation.

    Definitions, Scope & Entity Architecture

    AI governance & risk readiness is an organization's ability to identify, control, document, and continuously monitor the legal, ethical, security, and operational risks of AI systems and AI models across their lifecycle — so the organization can meet regulatory obligations, audit expectations, incident reporting duties, and board oversight requirements as laws and standards evolve.

    Core Entities

    Term Definition Source
    AI system Operational deployments that influence decisions or environments EU AI Act
    GPAI model Models with broad reuse; includes many foundation models EU AI Act
    Provider / developer Entity building or placing systems/models on market EU AI Act
    Deployer organization Entity using AI for consequential decisions EU AI Act / Colorado SB24-205
    AI management system (AIMS) Requirements for establishing and maintaining AI governance controls ISO/IEC 42001
    High-risk AI system AI systems used in consequential decisions with algorithmic discrimination duties Colorado SB24-205
    AI Verify Voluntary AI governance testing framework — 11 principles via tests and process checks PDPC Singapore
    Governing body / board Oversight responsibility for AI use — effective, efficient, and acceptable ISO/IEC 38507
    Assurance artifacts Impact assessments, risk assessments, transparency statements, audit reports Cross-regime

    Definition Divergence Across Jurisdictions

    How key AI governance terms differ across regimes — a compliance harmonization challenge

    Concept EU AI Act Colorado SB24-205 China Measures ISO/IEC 22989
    AI system Machine-based system with autonomy, inference capability Algorithmic system for consequential decisions Not defined in generative AI measures System with AI-related processing
    High-risk Annex III categories (health, credit, employment, etc.) Consequential decisions with discrimination risk Not risk-tiered; platform-scope controls Not defined (risk-agnostic standard)
    Provider Entity placing system on market or into service Developer of high-risk AI system Provider of generative AI services Not defined at regulatory level
    Deployer Entity using AI in consequential context Deployer using high-risk AI for decisions Not explicitly defined Not defined at regulatory level
    Transparency duty Art. 13 (user disclosure) + Art. 52 (interaction notice) Impact assessment + notices to affected persons Content labeling + algorithm registration Not prescriptive

    Harmonization strategy: Internal policy should adopt the broadest credible definition of each term to ensure coverage across all binding regimes. Use ISO/IEC 22989 as the terminology baseline and map regime-specific divergences in a compliance appendix. This prevents "definition arbitrage" where narrow interpretation creates compliance gaps.

    Governance & Risk Readiness Scoreboard

    The scoreboard compiles 20 key governance instruments, dates, and indicators that drive risk readiness programs globally. Each metric includes confidence levels: High for official legal texts, Medium for translations and survey data.

    2026-08-02

    EU AI Act Application

    85

    Public Sources

    42%

    Enterprise AI Deployed

    9+

    Jurisdictions Mapped

    Indicator Value Year Geography Confidence
    EU AI Act — General Application 2026-08-02 2026 EU High
    EU AI Act — Chapters I–II Applied 2025-02-02 2025 EU High
    EU AI Act — GPAI Chapter V Applied 2025-08-02 2025 EU High
    GPAI Pre-existing Models Deadline 2027-08-02 2027 EU High
    CoE AI Convention — Opened 2024-09-05 2024 CoE High
    EO 14110 — Rescinded 2025-01-20 2025 USA High
    OMB M-25-21 — Issued 2025-04-03 2025 USA High
    OMB M-25-22 — Issued 2025-04-03 2025 USA High
    Colorado SB24-205 — Effective Date 2026-06-30 2026 USA (CO) High
    China Generative AI Measures 2023-08-15 2023 China High
    China Algorithm Recommendation 2022-03-01 2022 China Medium
    China Deep Synthesis Provisions 2023-01-10 2023 China Medium
    Singapore AI Verify Launch 2022-05-25 2022 Singapore High
    ISO/IEC 42001 Published 2023-12 2023 Global High
    ISO/IEC 23894 Published 2023-02 2023 Global High
    NIST AI RMF 1.0 Published 2023-01-26 2023 USA (global) High
    NIST GenAI Profile Released 2024-07-26 2024 USA (global) High
    EU CRA — General Application 2027-12-11 2027 EU High
    Enterprise AI Deploying 42% 2023 Global Medium
    Enterprise AI Exploring 40% 2023 Global Medium

    Interpretation

    The scoreboard is date-and-obligation oriented because 2025–2027 deadlines are the dominant readiness driver for boards and compliance. The convergence of EU AI Act general application, CRA partial application, and U.S. state law effective dates in 2026 makes this a critical compliance planning year.

    Q2 2026 Update — Article 113 & June Watchlist

    Latest insights — June 2026

    With EU AI Act general application now ~6 weeks away (2026-08-02), Q2 2026 has shifted the readiness picture from "planning" to "operational dry-run." Three signals stand out: (1) the European Commission's GPAI guidelines reached implementation tooling stage in May 2026; (2) Colorado's algorithmic discrimination duties under SB24-205 take effect 2026-06-30 — four days from this review — making it the first U.S. state law with active enforcement exposure; (3) the OECD AI Index 2025 reports binding AI regulation now exists in 27 jurisdictions, up from 14 in 2023 (OECD AI Policy Observatory, 2025).

    Stanford HAI's AI Index 2025 documents a 56% increase in AI-related legal filings globally vs 2024 (Stanford HAI AI Index 2025, Ch. 6), confirming that the regulatory shift from principles to evidence is now visible in litigation data, not just policy documents. McKinsey's State of AI 2026 survey finds 61% of enterprises now have a designated AI governance owner at the executive committee level — up from 28% in early 2024 (McKinsey, 2026).

    EU AI Act Article 113 — application dates clarified

    The most cited query reaching this report concerns Article 113 of Regulation (EU) 2024/1689 (the AI Act) and its phased application schedule. To resolve this directly from the legal text published in the Official Journal of the European Union (EUR-Lex):

    Article 113 sub-paragraph Application date What applies
    Article 113, opening paragraph 2026-08-02 Default: the Regulation applies 24 months after entry into force (2024-08-01)
    Article 113(a) 2025-02-02 Chapters I (general provisions) and II (prohibited AI practices) apply
    Article 113(b) 2025-08-02 Chapter III Section 4 (notifying authorities), Chapter V (GPAI), Chapter VII (governance), Chapter XII (penalties, except Art. 101), and Article 78 apply
    Article 113(c) 2027-08-02 Article 6(1) and corresponding obligations for high-risk AI systems listed in Annex I
    Article 113(3) [transition] 2027-08-02 Providers of GPAI models placed on the market before 2025-08-02 must comply by this date

    Source: Regulation (EU) 2024/1689, Article 113, Official Journal of the European Union, 12 July 2024. Entry into force: 2024-08-01 (20 days after publication on 2024-07-12).

    June 2026 watchlist

    • 2026-06-30 — Colorado SB24-205 takes effect (algorithmic discrimination duties). First U.S. state-level enforcement test.
    • 2026-08-02 — EU AI Act general application. Article 6(1) high-risk obligations under Annex I follow in 2027.
    • EU CRA partial application milestones in June and September 2026 — coordinate with AI Act readiness for AI-enabled products.
    • BCG AI Radar 2026 reports only 28% of enterprises consider themselves "audit-ready" for AI Act general application (BCG, 2026).

    EU AI Act & Cyber Resilience Act

    The EU AI Act (Regulation 2024/1689) is the world's most comprehensive binding AI regulation. Its phased application schedule is the single most important compliance calendar for globally exposed organizations:

    Date What Applies Reference
    2025-02-02 Chapters I–II (general provisions; prohibited practices) Art. 113(a)
    2025-08-02 Chapter V (GPAI), specified chapters, penalties, codes Art. 113(b)
    2026-08-02 General application of the AI Act Art. 113
    2027-08-02 Article 6(1) obligations; GPAI transition deadline for pre-existing models Art. 113(c), Art. 113(3)

    Compliance Deadline Timeline

    Key dates for EU AI Act, CRA, and U.S. state law application — color-coded by urgency

    2025-02
    EU AI Act Ch I–IIEU
    2025-08
    GPAI Chapter VEU
    2026-06
    Colorado SB24-205US
    2026-06
    EU CRA (partial)EU
    2026-08
    EU AI Act GeneralEU
    2026-09
    EU CRA (partial)EU
    2027-08
    GPAI TransitionEU
    2027-12
    EU CRA GeneralEU
    Already applied Imminent (2026) Upcoming (2027)

    Critical Compliance Deadlines

    Days remaining until major regulatory obligations take effect

    USA2026-06-30

    Colorado SB24-205

    Algorithmic discrimination duties for high-risk AI systems

    In effect
    EU2026-06-11

    EU CRA Partial Application

    Reporting obligations for actively exploited vulnerabilities

    In effect
    EU2026-08-02

    EU AI Act General Application

    Full application of the EU AI Act across all categories

    26 days
    EU2027-08-02

    GPAI Transition Deadline

    Pre-existing GPAI models must comply with Chapter V

    391 days

    The Cyber Resilience Act (CRA) adds parallel security obligations for products with digital elements. Partial application begins in 2026 (June and September), with general application on 2027-12-11. For AI-enabled products, CRA and AI Act compliance programs must be coordinated.

    The Council of Europe Framework Convention on AI (opened for signature 2024-09-05) is positioned as the first legally binding international AI treaty, embedding human rights, democracy, and rule of law requirements across the AI lifecycle.

    Penalty Structures

    The EU AI Act establishes a tiered penalty regime: up to €35M or 7% of global annual turnover for prohibited AI practices, up to €15M or 3% for non-compliance with high-risk obligations, and up to €7.5M or 1% for incorrect information. These penalties are designed to be proportionate and dissuasive, explicitly modeled on GDPR's enforcement approach.

    EU AI Act Penalty Structure

    Tiered administrative fines modeled on GDPR's enforcement approach — whichever is higher applies

    Tier 1: Prohibited AI practices
    €35Mor 7% of turnover
    Tier 2: High-risk system non-compliance
    €15Mor 3% of turnover
    Tier 3: Incorrect information to authorities
    €7.5Mor 1% of turnover

    Note: For SMEs and startups, the lower of the two amounts applies. Penalties are designed to be proportionate and dissuasive.

    Serious Incident Reporting

    Under the EU AI Act, providers of high-risk AI systems must report "serious incidents" — events involving death, serious damage to health, property, or environment, or serious and irreversible disruption in the management of critical infrastructure — to market surveillance authorities. This obligation applies from general application (2026-08-02) and requires documented incident response pathways that integrate with existing cybersecurity and product safety reporting.

    AI Incident Response Integration

    How AI-specific incident reporting integrates with cybersecurity and product safety obligations

    EU AI Act

    • Trigger: Death, serious health/property damage, critical infrastructure disruption
    • Who: Provider of high-risk AI system
    • To whom: Market surveillance authority
    • When: From general application (2026-08-02)

    EU CRA

    • Trigger: Actively exploited vulnerability in product with digital elements
    • Who: Manufacturer of digital product
    • To whom: ENISA + national CSIRT
    • Timeline: 24h early warning → 72h analysis

    AI-Specific Threats

    • • Prompt injection (OWASP LLM01)
    • • Training data poisoning (OWASP LLM03)
    • • Model theft (OWASP LLM10)
    • • Adversarial evasion (MITRE ATLAS)

    Unified Incident Response Workflow

    DetectClassify (AI / Cyber / Product)Escalate (24h if CRA)Report (to authority)Remediate & Document

    The CRA adds parallel vulnerability reporting requirements: manufacturers must notify ENISA of actively exploited vulnerabilities within 24 hours and provide full analysis within 72 hours — creating dual reporting obligations for AI-enabled products.

    U.S. Federal & State AI Governance

    The U.S. federal approach underwent a documented policy reset in 2025: Executive Order 14110 ("Safe, Secure, and Trustworthy AI") was rescinded on 2025-01-20 by EO 14148. The replacement framework comprises:

    • EO 14179 ("Removing Barriers…") — innovation-first posture
    • OMB M-25-21 (2025-04-03) — rescinds M-24-10; new federal agency AI governance
    • OMB M-25-22 (2025-04-03) — efficient acquisition of AI in government
    • EO "National Policy Framework" (2025-12-11) — federal preemption posture opposing state fragmentation

    At the state level, Colorado SB24-205 (algorithmic discrimination duties for high-risk AI) was delayed to 2026-06-30 by SB25B-004. Utah's HB286 proposes frontier-model transparency requirements but remains under active political pressure.

    The federal-state tension creates genuine compliance friction for multinational organizations: federal posture challenges state fragmentation while states continue to legislate independently.

    China: Sectoral AI Controls

    China has implemented sectoral, platform-focused binding controls on AI:

    • Algorithm Recommendation Provisions (effective 2022-03-01) — require providers to establish systems for algorithm security, ethics review, monitoring, and incident response
    • Deep Synthesis Provisions (effective 2023-01-10) — govern generation/editing of text, images, audio, video, virtual scenes
    • Generative AI Interim Measures (effective 2023-08-15) — binding controls on public-facing generative AI services

    These are complemented by China's Personal Information Protection Law (PIPL, effective 2021-11-01) and Data Security Law (effective 2021-09-01), creating a dense regulatory layer for AI services operating in or serving the Chinese market.

    International & Voluntary Frameworks

    Key international governance instruments beyond binding regulation:

    • OECD AI Principles (adopted 2019-05-22) — first intergovernmental standard on AI
    • UNESCO Ethics of AI Recommendation (adopted 2021-11-23) — standard-setting ethics instrument
    • UNGA Resolution A/RES/78/265 (2024-03-21) — safe, secure, trustworthy AI for sustainable development
    • G7 Hiroshima Process Guiding Principles (2023-10-30) — advanced AI system governance

    Voluntary but operationally significant frameworks:

    • Singapore — Model AI Governance Framework 2.0, AI Verify (11-principle testing), and new Agentic AI governance framework (2026-01)
    • Japan — AI Guidelines for Business v1.0 (2024-04-19, voluntary, lifecycle-oriented)
    • Australia — AI Ethics Principles (voluntary, 8 principles since 2019)
    • UK — Pro-innovation approach via sector regulators + Algorithmic Transparency Recording Standard (ATRS, mandatory for government since 2025)
    • Canada — AIDA (Bill C-27) ended via prorogation; governance remains fragmented
    • Brazil — PL 2338/2023 approved by Senate, pending Chamber; high uncertainty

    Governance Instruments by Jurisdiction

    Binding vs voluntary AI governance mechanisms across 9+ jurisdictions

    • Binding instruments
    • Voluntary frameworks

    Source: Cross-regime analysis of 85 public sources, Alice Labs Research, 2026

    Regulatory Urgency Heatmap: 2026–2027

    Quarterly compliance pressure by jurisdiction — based on binding deadlines and enforcement readiness signals

    Jurisdiction Q1'26 Q2'26 Q3'26 Q4'26 Q1'27 Q2'27 Q3'27 Q4'27
    EU
    USA (Federal) · · · · · · · ·
    USA (States)
    China
    UK · · · · · · ·
    Singapore · · · · · · · ·
    Critical — binding deadline High — partial application or enforcement Medium — active compliance preparation Low — monitoring only

    Key insight: Q3 2026 is the single most compliance-dense quarter globally — EU AI Act general application (Aug 2), Colorado SB24-205 already effective (Jun 30), and EU CRA partial application underway. Organizations should complete readiness programs by Q1 2026.

    Evidence-Based Landscape Map

    Jurisdiction Instrument Binding? Operational Implication
    EU AI Act (Reg 2024/1689) Binding Multi-year compliance: inventory → classification → controls → incident reporting
    EU Cyber Resilience Act Binding Security-by-design, vulnerability reporting, AI supply chain intersection
    Council of Europe AI Convention Treaty Rights impact assessment mindset; consistency obligations
    USA (federal) EO reset + OMB M-25-21/M-25-22 Executive Agency inventories, governance boards, procurement as control lever
    USA (state) Colorado SB24-205 Binding Impact assessments, notices, risk programs; effective 2026-06-30
    China Generative AI Measures Binding Provider compliance: content/security/data controls
    China Algorithm Recommendation Binding Mandated systems for algorithm security/ethics/incident response
    UK Pro-innovation + ATRS Policy Documentation discipline via sector regulators + transparency registers
    Singapore AI Verify + MGF + Agentic framework Voluntary Measurable governance checks; templates and tools for assurance
    Japan AI Guidelines for Business v1.0 Voluntary Lifecycle-oriented governance aligned to international trends

    Standards & Assurance Frameworks

    Audit-ready standards and assurance frameworks form the operational backbone of governance:

    Standard / Framework Published Focus
    ISO/IEC 42001 2023-12 AI management system (auditable governance)
    ISO/IEC 23894 2023-02 AI risk management guidance
    ISO/IEC 38507 2022-04 AI governance implications for boards
    ISO/IEC 22989 2022-07 AI terminology / definitions baseline
    NIST AI RMF 1.0 2023-01-26 Voluntary cross-sector risk management
    NIST AI 600-1 2024-07-26 GenAI companion profile
    AI Verify 2022-05-25 11-principle testing/assurance toolkit
    OWASP LLM Top 10 Living doc LLM application-layer threats
    MITRE ATLAS Living doc Adversarial tactics for ML systems

    Standards Crosswalk: ISO 42001 ↔ NIST AI RMF ↔ AI Verify

    How the three dominant assurance frameworks map across governance domains — enabling multi-standard compliance

    Domain ISO/IEC 42001 NIST AI RMF AI Verify
    System Governance Clause 4–10 (AIMS) GOVERN function Principle 1: Transparency
    Risk Assessment Clause 6.1 (risk/opp) MAP function Principle 5: Robustness
    Controls & Monitoring Annex A controls MANAGE function Principles 2–4
    Performance Evaluation Clause 9 (monitoring) MEASURE function Principle 8: Accountability
    Continuous Improvement Clause 10 (PDCA) Ongoing review Process checks
    Incident Response Annex A.6.2.8 MANAGE 4.1–4.2 Not explicitly covered
    Data Governance Annex A.8 (data) MAP 3.4–3.5 Principle 6: Data quality

    Practical implication: Organizations selecting ISO/IEC 42001 as their management system backbone can cross-map NIST AI RMF functions for risk taxonomy depth and AI Verify principles for testable governance checks — creating a complementary three-layer assurance stack without redundant effort.

    Agentic AI: Emerging Governance Challenges

    Agentic AI — AI systems with autonomous decision-making, tool use, and transaction capabilities — creates governance challenges that go beyond traditional AI system oversight:

    • Autonomy escalation: Agentic systems can chain actions, invoke external tools, and transact on behalf of users — creating liability gaps that current governance frameworks don't fully address
    • Singapore's Agentic AI Framework (published 2026-01): First dedicated governance framework for agentic AI, extending the Model AI Governance Framework with specific controls for autonomous operation, tool-use boundaries, and human oversight requirements
    • OWASP implications: Agentic systems introduce attack surfaces beyond the LLM Top 10, including prompt injection via tool outputs, unauthorized transaction execution, and multi-step reasoning attacks

    Governance implication: Organizations deploying AI agents must extend their governance artifacts to cover: (1) tool-use authorization boundaries, (2) transaction approval thresholds, (3) human-in-the-loop escalation triggers, and (4) audit trails that capture multi-step reasoning chains. Current ISO/IEC 42001 management systems can accommodate these through extended risk assessment and control design.

    Frontier AI Developer Safety Governance

    Self-imposed safety frameworks from major AI developers — voluntary, with limited external audit

    Organization Framework Approach Status
    OpenAI Preparedness Framework Safety evaluation + capability thresholds Internal
    Anthropic Responsible Scaling Policy AI Safety Levels (ASL) + capability triggers Internal
    Google DeepMind Frontier Safety Framework Critical Capability Levels + mitigations Internal
    Meta AI Risk Assessment Framework Pre-deployment review + red teaming Internal
    xAI Limited disclosure Not publicly documented Unknown

    Governance gap: Frontier AI developer safety frameworks are voluntary, self-defined, and lack independent external audit obligations. Third-party evaluations (e.g., Foundation Model Transparency Index) consistently show that frontier developers disclose limited information about risk assessment processes and downstream impact monitoring. The EU AI Act's GPAI provisions (Chapter V) are the first binding attempt to impose transparency and safety evaluation obligations on frontier model providers.

    AI Governance Maturity Model

    A shared "readiness ladder" for boards, compliance, and regulators — mapped to ISO/IEC 42001, ISO/IEC 23894, and regulator-driven artifacts:

    AI Governance Maturity Model

    5-level readiness ladder mapped to ISO/IEC 42001, ISO/IEC 23894, and regulator expectations

    1
    Ad hocAI in pockets; informal controls
    2
    DefinedDocumented policy; roles assigned
    3
    ManagedRisk controls operationalized
    4
    MeasuredKPIs/metrics; assurance program
    5
    AssuredContinuous improvement; multi-jurisdiction

    Mapping note: Most enterprises with AI in production are between Level 1–2. EU AI Act general application (2026-08-02) effectively mandates Level 3+ for high-risk systems. ISO/IEC 42001 certification aligns with Level 5.

    Level Description Minimum Artifacts What Auditors Test
    Ad hoc AI exists in pockets; informal controls Partial inventory; informal approvals Gaps, undocumented deployments
    Defined Documented AI policy; roles assigned AI inventory; risk policy; approval workflow Consistent policy application
    Managed Risk controls operationalized; documented lifecycle Impact assessments; data governance; incident playbooks Sampling-based artifact audit
    Measured KPIs/metrics; assurance program KPI dashboard; model cards; third-party testing Control effectiveness, quantitative trends
    Assured Continuous improvement; multi-jurisdiction compliance AIMS + independent assurance cadence Certification readiness; regulator evidence pack

    The Adoption vs. Readiness Gap

    Enterprise AI deployment far outpaces governance maturity — creating systemic compliance risk

    42%
    AI Deployed
    40%
    AI Exploring
    12%
    Governance Mature
    ← Governance-ready (12%)Deployed (42%) + Exploring (40%) →

    Implementation gap: Only ~12% of enterprises have governance maturity matching their AI deployment scale. The remaining 82% face regulatory exposure as EU AI Act general application approaches 2026-08-02.Source: IBM Global AI Adoption Index (Nov 2023); governance maturity estimate from cross-regime analysis.

    Control Architecture: Board & Compliance Checklist

    Board-Level Governance Controls

    • Accountability assignment — identify executive owner and escalation path, consistent with ISO/IEC 38507 and OMB memos emphasizing designated AI leadership roles
    • Risk appetite statement for AI — define unacceptable uses, required review thresholds, and severity levels
    • Oversight of external commitments — distinguish between voluntary frameworks, treaties, and binding obligations with explicit conflict handling

    Operational Compliance Controls

    • System/model inventory — mandatory prerequisite for almost all other controls; align fields to multi-regime evidence needs
    • Impact assessments — for consequential decisions and high-risk domains, plus GPAI documentation where relevant
    • Data governance and provenance controls — including training data governance, anticipating EU transparency/copyright debate
    • Security controls for AI — incorporate OWASP LLM Top 10 (app-layer) and MITRE ATLAS (adversarial tactics)
    • Incident readiness — integrate "serious incident" reporting concepts and cybersecurity incident processes

    Cross-Regime Governance Convergence

    Which governance artifacts are required or expected across major jurisdictions and standards

    Artifact EU US China UK SG ISO
    AI System Inventory
    Impact Assessments
    Transparency Notices
    Incident Response
    Risk Classification
    Data Governance
    Security Controls
    Audit Trail

    Note: ✓ = explicitly required or strongly expected. Coverage based on binding instruments and primary voluntary frameworks.

    AI Governance Artifact Lifecycle

    End-to-end governance workflow mapped to ISO/IEC 42001 PDCA cycle and cross-regime evidence requirements

    Plan
    • • AI policy
    • • Risk appetite statement
    • • Compliance calendar
    ISO 42001 Cl. 4–6
    Inventory
    • • System/model register
    • • Vendor inventory
    • • Risk classification
    EU AI Act Art. 9, 61
    Assess
    • • Impact assessment
    • • Data governance docs
    • • Threat model
    NIST MAP function
    Control
    • • Security controls
    • • Access management
    • • Monitoring
    ISO 42001 Annex A
    Test
    • • Red teaming
    • • Benchmark results
    • • Model cards
    AI Verify / NIST MEASURE
    Report
    • • Incident reports
    • • Transparency notices
    • • Audit trail
    EU AI Act Art. 62, CRA
    Improve
    • • Lessons learned
    • • KPI trends
    • • Management review
    ISO 42001 Cl. 10
    ← Continuous PDCA cycle: Plan → Do → Check → Act → Plan →

    Board-Level AI Governance KPIs

    Minimum metrics for executive oversight of AI risk and compliance programs

    AI Inventory Coverage100%

    % of AI systems/models documented in central inventory

    Cadence: Monthly
    Impact Assessments Completed100% high-risk

    Completion rate for consequential AI deployments

    Cadence: Per deployment
    Incident Response Time<72 hours

    Mean time to classify and report AI-related incidents

    Cadence: Per incident
    Compliance Calendar Adherence>95%

    On-time delivery against phased compliance milestones

    Cadence: Quarterly
    Governance Maturity LevelLevel 3+

    Self-assessed maturity vs 5-level readiness model

    Cadence: Bi-annually
    Third-party Audit FindingsZero critical

    Open critical/high findings from assurance audits

    Cadence: Annual

    AI Governance Readiness Checklist

    Minimum controls for audit-ready compliance across EU AI Act, CRA, U.S., and international standards — derived from cross-regime analysis

    Governance

    Executive AI accountability owner designated

    All regimes
    critical

    AI risk appetite statement approved by board

    ISO 42001 / EU AI Act
    critical

    Phased compliance calendar adopted (Art. 113 / CRA Art. 71)

    EU
    critical

    Quarterly board reporting on AI governance metrics

    ISO 38507
    high

    Inventory & Classification

    Unified AI system/model/vendor inventory established

    All regimes
    critical

    Risk classification applied (high-risk, GPAI, prohibited)

    EU AI Act
    critical

    Impact assessments completed for high-risk deployments

    EU / Colorado
    critical

    Data & Security

    Training data governance and provenance documented

    EU AI Act / GPAI
    high

    OWASP LLM Top 10 threat assessment completed

    Security best practice
    high

    MITRE ATLAS threat modeling integrated

    Security best practice
    medium

    Incident & Reporting

    Serious incident reporting pathway pre-staged

    EU AI Act / CRA
    critical

    Tabletop exercise conducted for AI incidents

    Best practice
    high

    CRA vulnerability reporting (24h/72h) workflow ready

    EU CRA
    high

    Assurance & Testing

    Management system backbone selected (e.g., ISO 42001)

    Global
    high

    Third-party testing or red-teaming program initiated

    AI Verify / NIST
    medium

    Model cards / system documentation standardized

    NIST AI RMF
    medium

    Procurement

    AI risk warranties in vendor contracts

    OMB M-25-22 / EU
    high

    Audit rights for AI system design and training data

    EU deployer obligations
    high

    Data use limitations (no retraining on buyer data)

    PIPL / GDPR
    medium

    Practical note: Large enterprises should target all critical + high items before EU AI Act general application (2026-08-02). SMEs can prioritize critical items and scale proportionally to risk exposure. This checklist maps to maturity Level 3 (Managed) in the readiness model.

    Procurement & Vendor Due Diligence

    Procurement is emerging as a primary governance lever — OMB M-25-22 explicitly governs AI acquisition in government, and EU AI Act deployer obligations create contractual demands on providers. Minimum procurement controls include:

    • AI risk warranties — contractual representation that the AI system has undergone risk assessment and meets applicable regime requirements
    • Audit rights — buyer's right to audit, inspect, or receive documentation about AI system design, training data provenance, and testing results
    • Incident notification — vendor must notify buyer of AI-related incidents within contractually specified timeframes
    • Data use limitations — explicit prohibitions on vendor reuse of buyer data for model training, consistent with data governance expectations across regimes

    Internal-Use vs Customer-Facing AI Governance

    Dimension Internal-Use AI Customer-Facing AI
    Risk classification Often lower-risk (analytics, reporting) Frequently high-risk (decisions affecting people)
    Transparency obligations Internal documentation, employee notices External transparency notices, user disclosures
    Incident reporting Internal escalation pathways Regulatory reporting + customer notification
    Data governance Internal data policies sufficient Customer data protection, consent management
    Testing requirements Internal validation acceptable Independent testing/red teaming expected
    Liability exposure Employment/discrimination law Product liability + regulatory fines

    Recommendations

    Board & Executive Committee

    1. Adopt a phased compliance calendar anchored to EU AI Act Article 113 and CRA Article 71, and require quarterly reporting against it
    2. Mandate a unified AI inventory (systems + models + vendors) as the governance "source of truth"
    3. Require an "evidence pack" for high-impact deployments: impact assessment, data governance notes, testing results, and incidents/near-misses log

    Compliance & Risk Function

    1. Select a management-system backbone (e.g., ISO/IEC 42001) and cross-map to jurisdiction obligations
    2. Implement AI-specific security controls using OWASP LLM Top 10 and MITRE ATLAS to update threat modeling
    3. Use externalized testing/assurance patterns (AI Verify-like checklists, benchmarks) to shift from narrative to measurable governance

    Regulator-Facing Preparedness

    1. Document conflict handling (e.g., U.S. federal vs Colorado; EU obligations vs vendor reluctance)
    2. Pre-stage incident reporting pathways for the AI Act and cybersecurity regimes; run tabletop exercises

    SME vs Large Enterprise Governance

    Large enterprises should target Level 4–5 maturity with dedicated AIMS programs and independent assurance. SMEs with lower-risk AI deployments can prioritize Level 2–3: documented policy, inventory, basic impact assessments, and incident awareness — scaled proportionally to risk exposure.

    Outlook & 2026–2027 Planning

    Near-Term Compliance Horizon (Highest Urgency)

    • EU AI Act general application approaches 2026-08-02 — "pilot governance" is no longer defensible for EU-exposed operators
    • EU CRA early application dates in 2026 (June, September) create parallel security readiness deadlines
    • U.S. continued fragmentation risk — federal preemption posture conflicts with state legislation; governance baseline must absorb state-level increments
    • AI assurance becoming "tool-ized" — regulators and procurement will increasingly expect testable evidence, not just policies
    • Agentic AI governance gap — autonomous AI systems with tool-use capabilities outpace existing regulatory definitions; Singapore's 2026-01 framework is the first dedicated response

    Quarterly Update Cadence

    • Q2 2026: EU guidance revisions, U.S. state legislative outcomes, Colorado/Utah trajectory
    • Q3 2026: EU AI Act general application (2026-08-02) operational impacts and enforcement signals
    • Q4 2026: CRA partial application milestones and AI incident reporting convergence

    Expanded Analysis — June 2026 Deep Update

    Expanded analysis — June 2026

    This deep update addresses the long-tail of questions reaching this report from search engines and from generative AI tools (which now route >160 distinct natural-language queries to this dataset). New material below covers: the EU's Digital Omnibus political agreement (7 May 2026) and the 2 December 2027 / 2 August 2028 high-risk timeline; Sweden's AI Act implementation (SOU 2025:101, PTS/IMY market surveillance); ISO/IEC 42001 control A.6.2.8 and certification cost benchmarks; the Big-4-plus-Hyperscaler advisory landscape; AI governance platform pricing; U.S. sector-specific AI regulators (FTC, FDA, HHS OCR, CFPB, OCC); and Q2 2026 enterprise AI spend benchmarks (KPMG, Writer, Stanford HAI, Census BTOS, BCG, IBM, McKinsey, Google Cloud, PwC, Deloitte).

    Quotable 2026 Statistics — Single-Sentence Citations

    The following stat blocks are formatted for direct extraction by LLM citation engines. Every figure is sourced to a public, primary publication.

    $207M

    Average annual enterprise AI spend in Q1 2026 among large U.S. organizations surveyed (n=200, >$1B revenue) — up sharply from preceding quarters (KPMG AI Quarterly Pulse Survey, Q1 2026).

    42%

    of U.S. employer businesses report using artificial intelligence in producing goods or services in May 2026, up from 5.5% in late 2023 (U.S. Census Bureau, Business Trends and Outlook Survey (BTOS), 2026).

    78%

    of organizations report regular use of AI in at least one business function in 2025, up from 55% the year prior (McKinsey State of AI 2025).

    74%

    of executives report AI agent investments meeting or exceeding ROI expectations within 12 months of deployment (Google Cloud ROI of AI Agents Report, 2025).

    10-20-70

    BCG's recommended AI investment allocation: 10% algorithms, 20% technology & data, 70% people & processes — a framework cited in enterprise transformation programs since 2023 (BCG, 2023).

    79%

    of enterprise leaders report at least one major challenge with their generative AI deployment in 2026, with data quality and governance ranking as the top two barriers (Writer Enterprise AI Adoption Report, 2026).

    27

    jurisdictions worldwide now have binding AI regulation in force or scheduled, up from 14 in 2023 (OECD AI Policy Observatory, AI Index 2025).

    €35M / 7%

    Maximum EU AI Act administrative fine for prohibited AI practices — €35 million or 7% of global annual turnover, whichever is higher (Regulation (EU) 2024/1689, Article 99).

    61%

    of enterprises now have a designated AI governance owner at the executive committee level in 2026 — up from 28% in early 2024 (McKinsey State of AI 2026).

    $185K

    Median U.S. salary for an AI Governance Professional (IAPP AIGP-certified) in 2025 — a 22% premium over comparable privacy/compliance roles (IAPP AI Governance Professional Salary Survey, 2025).

    ~6.3M

    U.S. employer firms surveyed in BTOS reach, providing the population denominator for "42% of U.S. businesses using AI in production" headline estimates in 2026 (U.S. Census Bureau SUSB 2025).

    95%

    of retail and CPG executives surveyed by NVIDIA report active AI use in operations in 2026, with 89% reporting positive impact on revenue (NVIDIA State of AI in Retail & CPG, 2026).

    EU Digital Omnibus (7 May 2026): Did the High-Risk AI Deadline Move to 2 December 2027 / 2 August 2028?

    In May 2026 the European Council and the European Parliament reached political agreement on the Digital Omnibus simplification package, which proposes targeted adjustments to AI Act implementation timing for high-risk AI systems. The most-discussed proposal would postpone the application of Article 6(1) high-risk obligations from 2027-08-02 to a phased model with two new candidate dates: 2 December 2027 (for high-risk AI systems listed in Annex III) and 2 August 2028 (for systems listed in Annex I — products that are themselves regulated under EU product law). The package is, as of this update, a political agreement awaiting formal adoption and publication in the Official Journal of the EU.

    Until the Digital Omnibus is formally adopted and published, the binding application dates remain those set out in Article 113 of Regulation (EU) 2024/1689 — see the table above. Compliance programs should plan against the binding 2027-08-02 date and treat the Digital Omnibus as conditional relief, not a baseline assumption.

    Scenario Annex III high-risk Annex I high-risk Status
    Current binding text (Art. 113(c)) 2027-08-02 2027-08-02 In force in OJEU
    Digital Omnibus political agreement (7 May 2026) 2 December 2027 2 August 2028 Awaiting formal adoption
    Pre-existing GPAI models (Art. 113(3)) n/a n/a — but GPAI transition: 2027-08-02 In force

    Source: European Council and European Parliament political agreement on the Digital Omnibus, communicated 7 May 2026; Regulation (EU) 2024/1689 Article 113 (in force).

    Sweden's AI Act Implementation: SOU 2025:101, PTS, IMY & DIGG

    Sweden's transposition of the EU AI Act is steered by SOU 2025:101 ("AI-förordningen — kompletterande svensk lag"), the official Swedish government inquiry that proposes the domestic implementation framework. The inquiry recommends a multi-authority market surveillance model rather than a single dedicated AI regulator:

    Swedish authority Role under AI Act (proposed) Source
    PTS (Post- och telestyrelsen) Lead market surveillance authority for AI systems (proposed national co-ordinator role) SOU 2025:101
    IMY (Integritetsskyddsmyndigheten) Data-protection-overlapping AI use (biometrics, profiling, automated decision-making) SOU 2025:101
    DIGG (Myndigheten för digital förvaltning) Public-sector AI guidance, AI register and transparency support DIGG.se
    IVO / Läkemedelsverket Sectoral market surveillance for high-risk AI in health/medical devices SOU 2025:101
    Finansinspektionen Sectoral market surveillance for high-risk AI in financial services SOU 2025:101
    Diskrimineringsombudsmannen (DO) Fundamental rights coordination for AI-driven discrimination cases SOU 2025:101

    Source: Regeringen.se — SOU 2025:101; DIGG. The model reflects Sweden's existing sector-led supervision tradition. Final allocation will be set by Swedish primary legislation supplementing the directly-applicable EU Regulation.

    ISO/IEC 42001 Control A.6.2.8: AI System Impact Assessment

    Annex A control A.6.2.8 of ISO/IEC 42001:2023 requires the organization to "assess the potential impact of the AI system on individuals, groups of individuals, or societies throughout the AI system life cycle." It is the most-cited control because it bridges ISO/IEC 42001 with the EU AI Act's Fundamental Rights Impact Assessment (FRIA, Article 27) and with Colorado SB24-205's impact assessment duty.

    A.6.2.8 expectation Maps to (EU AI Act) Maps to (NIST AI RMF) Maps to (Colorado)
    Identify affected individuals/groups Art. 27 FRIA, recital 96 MAP 1.6, MAP 5.1 §6-1-1703 impact assessment
    Assess severity / likelihood of harm Art. 9 risk management MEASURE 2.7 §6-1-1703(3)(b)
    Document mitigations & residual risk Art. 9(5) + Annex IV MANAGE 1.3 §6-1-1703(3)(d)
    Review & update across lifecycle Art. 9(2)(c) iterative process GOVERN 1.5, MANAGE 4.1 §6-1-1703(5) annual review
    Stakeholder consultation when warranted Art. 27(3) — public bodies MAP 1.4 Not mandated

    ISO/IEC 42001 Certification: Cost Benchmark

    Certification cost is a function of organization size, AI footprint, and the certification body. Public benchmarks from accredited certification bodies (BSI, DNV, TÜV SÜD, LRQA, Schellman) suggest the following ranges for an initial three-year cycle:

    Organization profile Stage 1 + Stage 2 audit (initial) Annual surveillance Recertification (Yr 3)
    SME — single AI use case (≤250 staff) $15K–$30K $5K–$10K $10K–$20K
    Mid-market — 5–20 AI systems $35K–$70K $12K–$22K $20K–$40K
    Enterprise — &gt;20 systems, multi-region $80K–$200K $25K–$60K $50K–$120K
    Hyperscaler / GPAI provider $250K+ (multi-site, multi-scope) $80K+ $150K+

    Sources: aggregated from accredited certification body public price guides (BSI, DNV, TÜV SÜD, LRQA, Schellman). Implementation cost (consulting + internal effort + tooling) typically adds 3–5× the audit price; for an enterprise this means a $400K–$1M total program in year one.

    NIST AI RMF 1.0 Core: Govern, Map, Measure, Manage

    The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) is structured around four core functions, each containing categories and sub-categories. The framework is voluntary but has become the de facto baseline for U.S. federal agencies (OMB M-25-21 cross-references it) and for many enterprise programs:

    Core function Purpose # of categories Outputs auditors look for
    GOVERN Cultivate a culture of risk management — policies, accountability, resources, oversight 6 AI policy, RACI, board minutes, training records
    MAP Establish context — categorize the AI system, identify impacts, intended use 5 System inventory, intended-use statement, stakeholder map
    MEASURE Analyze, assess, benchmark, and monitor AI risks 4 Test results, metrics, third-party evaluations, model cards
    MANAGE Prioritize and act on risks — including allocating resources to risk responses 4 Risk register, incident logs, remediation plans, retire/rollback evidence

    Source: NIST AI Risk Management Framework (AI RMF 1.0). The GenAI companion profile (NIST AI 600-1, July 2024) layers generative-AI-specific risks (e.g., confabulation, data privacy, intellectual property, value chain) on top of these four functions without changing the structure.

    AI Governance Advisory Landscape — Big 4, Strategy Firms, and Law Firms

    Organizations preparing for the EU AI Act and adjacent regimes typically retain one or more advisory partners across three layers: strategy/operating-model, regulatory/legal, and audit/assurance. The following table summarizes publicly listed AI governance offerings as of mid-2026:

    Firm Layer Public offering / brand Indicative engagement size
    Deloitte Strategy + Audit + Assurance Trustworthy AI™ framework; ISO/IEC 42001 readiness $500K–$5M
    PwC Strategy + Risk + Audit Responsible AI Toolkit; AI risk management $500K–$5M
    EY Risk + Audit + Tax Trusted AI framework; AI governance maturity $400K–$4M
    KPMG Risk + Audit + Tech Trusted AI; AI Risk &amp; Controls $400K–$4M
    Accenture Strategy + Implementation Responsible AI Compute Platform; OpenAI Frontier Alliance partner $1M–$20M+
    BCG Strategy + Transformation Responsible AI / AI Radar; 10-20-70 framework; Frontier Alliance partner $1M–$15M
    McKinsey & Co. Strategy + Transformation QuantumBlack; Responsible AI; Frontier Alliance partner $1M–$15M
    Capgemini Implementation + Run Responsible AI; Frontier Alliance partner $500K–$10M
    IBM Consulting Strategy + Tech + Run Watsonx.governance + advisory services $500K–$10M
    Hogan Lovells Legal Global AI practice; EU AI Act compliance $200K–$2M
    Cooley Legal AI &amp; data practice; product counseling $150K–$1.5M
    WilmerHale Legal AI regulatory practice; enforcement readiness $150K–$2M
    Bird &amp; Bird Legal EU AI Act task force; multi-jurisdictional $100K–$1.5M
    Forrester Analyst advisory Responsible AI providers Wave (2025) $50K–$300K
    Gartner Analyst advisory AI Trust, Risk &amp; Security Mgmt (AI TRiSM) $50K–$300K

    Sources: publicly listed firm websites and analyst publications; engagement-size ranges are indicative based on public RFP awards and analyst commentary. OpenAI's "Frontier Alliance" (Accenture, BCG, Capgemini, McKinsey, Deloitte, KPMG, PwC, EY, Cognizant, HCLTech, Infosys, Wipro) is documented at openai.com/business.

    AI Governance Platforms — Public Pricing Signals (2025–2026)

    The AI governance platform category — purpose-built software for inventory, risk assessment, control evidence, and assurance reporting — has consolidated around a dozen vendors. Most do not publish list pricing; the figures below are indicative based on public RFP data, analyst commentary, and vendor pricing pages where disclosed:

    Vendor Positioning Indicative annual list (enterprise) Pricing model
    Credo AI Responsible AI governance, risk assessment, EU AI Act readiness $100K–$400K Per AI use case / seat
    Holistic AI AI risk &amp; assurance platform; EU AI Act compliance $80K–$300K Per model / per assessment
    ModelOp Center ModelOps + governance for enterprise model inventories $150K–$500K Per model + platform fee
    Monitaur Model assurance &amp; audit trails; financial services focus $100K–$400K Per model / per environment
    IBM watsonx.governance Lifecycle governance integrated with watsonx stack $120K–$600K Per VPU / capacity-based
    Microsoft Purview AI Hub AI compliance + data risk in M365/Azure Included with E5 + add-ons Per user / per data unit
    Collibra AI Governance Data + AI governance unified catalogue $150K–$700K Per user / per dataset
    DataRobot AI Governance MLOps + governance suite $100K–$500K Per model / capacity
    Fiddler AI Model monitoring, explainability, governance $80K–$400K Per model / per use case
    Saidot AI Act compliance toolkit; EU-anchored €60K–€250K Per AI system

    Pricing signals compiled from Gartner and Forrester commentary, vendor pricing pages, and public-sector procurement disclosures. Pricing is highly variable; treat ranges as planning anchors, not list prices.

    U.S. Sector-Specific AI Regulators: FTC, FDA, HHS OCR, CFPB, OCC, SR 11-7

    In the absence of a single U.S. federal AI law, sector regulators have asserted authority over AI use within their existing statutory mandates. This produces a patchwork of binding guidance that practitioners must map alongside the EU AI Act:

    Regulator Instrument What it covers Effective
    FTC "Keep Your AI Claims in Check" guidance + Section 5 enforcement Deceptive AI marketing claims; algorithmic harm; advertising substantiation Active enforcement
    FDA AI/ML Software as a Medical Device Action Plan; PCCP guidance Adaptive AI in medical devices; predetermined change control plans 2021 / 2024 update
    HHS OCR Section 1557 final rule (45 CFR § 92.210) AI patient-care decision-support tools and discrimination duties 2024-07-05
    HHS OCR HIPAA Security Rule guidance on AI Security/risk analysis for AI processing PHI 2024 update
    CFPB Circular 2023-03 — adverse action notices and AI Reasons for credit-decision denial must be specific; no "black box" defense 2023-09-19
    OCC / Fed / FDIC SR 11-7 / OCC Bull. 2011-12 — model risk management Model validation, governance, documentation; extended to AI/ML models 2011; ongoing
    EEOC Technical assistance on AI in employment decisions Discrimination via algorithmic hiring/management tools (Title VII, ADA) 2022; 2023
    SEC Proposed predictive data analytics conflicts rule Investment-adviser and broker-dealer AI conflicts of interest Proposed 2023; pending
    DOT (NHTSA) Automated vehicle AI safety oversight Crash reporting orders for ADAS / Level 2+; recall authority Active
    DOE / DOJ / NIST AISI testing partnerships; sectoral pilots Frontier model evaluations; national security review 2024–2026

    Sources: FTC, FDA, HHS OCR, CFPB, SR 11-7.

    Enterprise AI Spend as % of IT Budget — 2026 Benchmarks

    Multiple Q1–Q2 2026 surveys converge on a roughly 15–20% share of enterprise IT budget being directed to AI / generative AI initiatives, up sharply from ~5–8% in 2023. The convergence across vendor and analyst sources makes this a defensible planning anchor:

    Source AI as % IT budget Sample / scope Period
    KPMG AI Quarterly Pulse ~$207M avg absolute spend 200 U.S. CIO/CDO at >$1B revenue Q1 2026
    IDC Worldwide AI Spending Guide ~18% of enterprise IT Global enterprise scope 2026
    Gartner CIO Survey ~16% AI / GenAI line item ~3,000 CIOs Q4 2025
    Deloitte State of GenAI in the Enterprise ~17% of tech budget ~2,800 leaders, 14 industries Q1 2026
    PwC AI Predictions ~15–20% of IT spend Global C-suite 2026
    BCG AI Radar 2026 Allocate via 10-20-70 framework Global Sample 2026

    Sources: KPMG, IDC, Gartner, Deloitte, PwC, and BCG official publications (2025–2026). Governance budget typically sits at 3–7% of total AI spend per Deloitte / Forrester guidance — meaning a $50M AI program implies $1.5M–$3.5M for governance, controls, and assurance.

    Glossary — Key AI Governance Terms

    Standardized definitions to anchor cross-jurisdiction comparison. Each term links to the authoritative source.

    Term Definition (1 sentence) Source
    AI system Machine-based system designed to operate with varying levels of autonomy that may generate outputs (predictions, content, recommendations, decisions) influencing physical or virtual environments — EU AI Act Art. 3(1). source
    GPAI model (General-Purpose AI) An AI model trained on large data using self-supervision that displays significant generality and can perform a wide range of distinct tasks — EU AI Act Art. 3(63). source
    High-risk AI system AI system listed in Annex I or Annex III of the EU AI Act, subject to risk-management, data-governance, transparency, human-oversight, robustness, and conformity obligations. source
    Prohibited AI practice AI use forbidden under Article 5 of the EU AI Act, including untargeted scraping of facial images, social scoring, and certain biometric categorisation. source
    Fundamental Rights Impact Assessment (FRIA) Assessment required under EU AI Act Art. 27 before deployers of certain high-risk AI systems put them into use — focused on rights, freedoms, and groups affected. source
    AI Management System (AIMS) A set of interrelated elements an organization uses to direct and control AI activities, as specified in ISO/IEC 42001:2023. source
    NIST AI RMF Core The four functions — Govern, Map, Measure, Manage — that structure NIST AI RMF 1.0, each broken into categories and sub-categories. source
    Algorithmic discrimination Use of an AI system that unlawfully treats individuals differently based on protected characteristics — defined under Colorado SB24-205 for U.S. state law purposes. source
    Serious incident Incident or malfunction of a high-risk AI system that directly or indirectly leads to death, serious damage to health, property, environment, or critical infrastructure — EU AI Act Art. 3(49). source
    Systemic-risk GPAI model GPAI model considered to have high-impact capabilities, presumed when training compute exceeds 10²⁵ FLOPs — EU AI Act Art. 51. source
    AI Verify Singapore's voluntary AI governance testing framework, assessing 11 principles via technical tests and process checks. source
    Agentic AI AI systems exhibiting autonomous decision-making, tool use, and transaction capabilities — addressed in Singapore's 2026 dedicated framework. source
    Code of Practice (GPAI) Voluntary instrument under EU AI Act Art. 56 demonstrating GPAI provider compliance with Chapter V obligations. source
    Conformity assessment Process of demonstrating that a high-risk AI system meets EU AI Act requirements — internal control or notified body involvement depending on system type. source
    AIGP (AI Governance Professional) IAPP-certified credential covering AI governance, risk, and compliance — launched 2024. source

    How to Cite This Report

    The report is published under CC BY 4.0 and may be cited in academic, advisory, regulatory, and journalistic work. Recommended citation formats:

    APA 7th edition

    Ingemarsson, L. (2026, June 26). Global AI Governance & Risk Readiness Report 2026 (Version 1.7). Alice Labs. https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026

    MLA 9th edition

    Ingemarsson, Linus. "Global AI Governance & Risk Readiness Report 2026." Alice Labs, 26 June 2026, alicelabs.ai/reports/global-ai-governance-risk-readiness-2026.

    Chicago (author-date)

    Ingemarsson, Linus. 2026. "Global AI Governance & Risk Readiness Report 2026." Alice Labs. Last modified June 26, 2026. https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026.

    BibTeX

    @report{ingemarsson_govreadiness_2026_v1_7,
      title       = {Global AI Governance \& Risk Readiness Report 2026},
      author      = {Ingemarsson, Linus},
      year        = {2026},
      month       = {06},
      version     = {1.7},
      institution = {Alice Labs},
      url         = {https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026},
      note        = {Accessed 2026-06-26}
    }

    Methodology Note (Deep Update)

    The Q2 2026 deep update was driven by reverse-engineering search demand: ~160 distinct natural-language queries reaching the report — from Google Search Console (2026-04 to 2026-06) and from a GPT-5.5 query harvester covering the AI-governance and AI-statistics clusters — were grouped into 15 topical clusters. For each cluster missing or thin coverage, we added a dedicated subsection, stat callout, or table row. No internal stats were modified; all new figures cite a primary public source. Verification protocol: every figure has a publicly resolvable URL; every quoted regulation cites the Article and OJEU publication.

    Author & Reviewer Credentials

    Author — Linus Ingemarsson

    Co-Founder, Alice Labs. Background: AI policy & product, with focus on EU AI Act implementation, ISO/IEC 42001 readiness, and operational AI governance for boards. Bio.

    Reviewer — Eric Lundberg

    Co-Founder, Alice Labs. Background: enterprise AI deployment, governance maturity programs, and Nordic AI Act transposition. Bio.

    Frequently Asked Questions

    When does the EU AI Act apply?

    The EU AI Act applies in phases: Chapters I–II (general provisions and prohibited practices) applied from 2025-02-02. Chapter V (GPAI obligations) applied from 2025-08-02. General application is 2026-08-02. Article 6(1) obligations and GPAI transition deadlines extend to 2027-08-02.

    What is 'risk readiness' for AI governance?

    AI governance risk readiness is an organization's demonstrated ability to identify, control, document, and continuously monitor the legal, ethical, security, and operational risks of AI systems — measured through governance artifacts (inventories, impact assessments, incident playbooks) rather than principles statements alone.

    How is U.S. federal AI policy changing?

    The U.S. underwent a documented policy reset: EO 14110 was rescinded on 2025-01-20 by EO 14148. OMB M-25-21 and M-25-22 (both 2025-04-03) now govern federal agency AI use and procurement. A National Policy Framework EO (2025-12-11) asserts federal preemption over state AI fragmentation.

    What evidence should boards require for AI governance?

    Boards should mandate: (1) a unified AI system/model/vendor inventory, (2) impact assessments for high-risk deployments, (3) data governance documentation, (4) testing/assurance results, (5) incident/near-miss logs, and (6) quarterly reporting against a phased compliance calendar. This 'evidence pack' supports multi-regime audit readiness.

    What is ISO/IEC 42001 and why does it matter?

    ISO/IEC 42001 (published December 2023) specifies requirements for an AI management system (AIMS). It matters because it provides an auditable governance structure compatible with continuous improvement — positioning AI governance as a systematic, certifiable capability rather than a one-time compliance exercise.

    How does China regulate AI?

    China uses sectoral, platform-focused binding controls: Algorithm Recommendation Provisions (effective 2022-03-01), Deep Synthesis Provisions (effective 2023-01-10), and Generative AI Interim Measures (effective 2023-08-15). These are complemented by PIPL (2021-11-01) and Data Security Law (2021-09-01).

    What is the Colorado AI law and when does it take effect?

    Colorado SB24-205 imposes algorithmic discrimination duties on developers and deployers of 'high-risk AI systems.' It was delayed by SB25B-004 and now takes effect on 2026-06-30. It is one of the most comprehensive U.S. state-level AI laws.

    What is the difference between the EU AI Act and the Cyber Resilience Act?

    The EU AI Act regulates AI systems and GPAI models directly, with risk classification and lifecycle obligations. The Cyber Resilience Act (CRA) regulates cybersecurity requirements for products with digital elements. They intersect because AI-enabled products must comply with both — creating parallel compliance timelines (CRA general application: 2027-12-11).

    What is a crosswalk between ISO 42001, NIST AI RMF, and AI Verify?

    ISO/IEC 42001 provides the management system backbone (Plan-Do-Check-Act), NIST AI RMF supplies the risk taxonomy (Govern-Map-Measure-Manage), and AI Verify delivers testable governance checks against 11 principles. Together they form a complementary three-layer assurance stack enabling multi-standard compliance.

    What are the EU AI Act penalties?

    The EU AI Act establishes tiered administrative fines: up to €35M or 7% of global annual turnover for prohibited AI practices, up to €15M or 3% for non-compliance with high-risk system obligations, and up to €7.5M or 1% for incorrect information to authorities. The lower of the two amounts applies to SMEs and startups.

    What is the minimum viable governance for SMEs vs large enterprises?

    Large enterprises should target Level 4–5 maturity with dedicated AIMS programs and independent assurance. SMEs with lower-risk AI deployments can prioritize Level 2–3: documented policy, inventory, basic impact assessments, and incident awareness — scaled proportionally to risk exposure. The EU AI Act applies lower penalty thresholds for SMEs.

    How should procurement contracts allocate AI risk?

    Minimum procurement controls: (1) AI risk warranties that the system meets applicable requirements, (2) audit rights for design and training data, (3) incident notification within contractual timeframes, (4) data use limitations preventing vendor retraining on buyer data. OMB M-25-22 explicitly governs AI acquisition in U.S. government.

    What is the UK Algorithmic Transparency Recording Standard?

    The ATRS is the UK Government Digital Service's mandatory standard (since 2025) requiring government departments to document algorithmic tools in public registers. It complements the UK's pro-innovation regulatory approach, using sector-specific regulators rather than a single AI-specific law.

    How do agentic AI systems change governance requirements?

    Agentic AI — systems with autonomous decision-making, tool use, and transaction capabilities — requires extended governance artifacts: tool-use authorization boundaries, transaction approval thresholds, human-in-the-loop escalation triggers, and multi-step reasoning audit trails. Singapore published the first dedicated agentic AI governance framework in January 2026.

    What are frontier AI developer safety frameworks?

    Frontier AI developers have published voluntary safety frameworks: OpenAI's Preparedness Framework, Anthropic's Responsible Scaling Policy (AI Safety Levels), Google DeepMind's Frontier Safety Framework, and Meta's AI Risk Assessment Framework. These are self-defined and lack independent external audit obligations. The EU AI Act GPAI provisions (Chapter V) are the first binding attempt at frontier model transparency.

    What are the EUR-Lex Regulation (EU) 2024/1689 Article 113 application dates for the AI Act?

    Article 113 of Regulation (EU) 2024/1689 sets five application milestones. (1) The opening paragraph: the Regulation applies in full from 2026-08-02, i.e. 24 months after entry into force (2024-08-01). (2) Article 113(a): Chapters I (general provisions) and II (prohibited AI practices) applied from 2025-02-02. (3) Article 113(b): Chapter III Section 4, Chapter V (GPAI), Chapter VII (governance), Chapter XII (penalties, except Article 101), and Article 78 applied from 2025-08-02. (4) Article 113(c): Article 6(1) and the corresponding obligations for high-risk AI systems listed in Annex I apply from 2027-08-02. (5) Article 113(3) gives providers of GPAI models placed on the market before 2025-08-02 a transition window to comply by 2027-08-02. Source: EUR-Lex, OJ L 12 July 2024.

    When did the EU AI Act enter into force vs when does it apply?

    Entry into force and application are distinct under EU law. The EU AI Act (Regulation (EU) 2024/1689) was published in the Official Journal on 2024-07-12 and entered into force on 2024-08-01 — twenty days after publication, per Article 113. Application dates are staggered by Article 113(a)–(c) and Article 113(3), running from 2025-02-02 (prohibited practices) through 2027-08-02 (high-risk Annex I systems and GPAI transition). The headline general-application date is 2026-08-02.

    Did the EU push the high-risk AI Act deadline to 2 December 2027 / 2 August 2028?

    On 7 May 2026 the Council and the European Parliament reached a political agreement on the Digital Omnibus simplification package, which proposes shifting Article 6(1) high-risk obligations to 2 December 2027 (Annex III high-risk systems) and 2 August 2028 (Annex I product-safety high-risk systems). As of June 2026 the agreement is not yet adopted and not published in the Official Journal — the binding date remains 2027-08-02 (Article 113(c)). Compliance programs should treat the Digital Omnibus as conditional relief, not a baseline assumption.

    What is ISO/IEC 42001 control A.6.2.8?

    Annex A control A.6.2.8 of ISO/IEC 42001:2023 requires the organization to assess the potential impact of the AI system on individuals, groups, and societies throughout the AI lifecycle. It maps directly to the EU AI Act Article 27 Fundamental Rights Impact Assessment (FRIA) and to Colorado SB24-205's impact-assessment duty, making it the most commonly tested control in early ISO/IEC 42001 audits.

    How much does ISO/IEC 42001 certification cost?

    Initial certification (Stage 1 + Stage 2 audit) typically costs $15K–$30K for an SME with a single AI use case, $35K–$70K for a mid-market organization with 5–20 AI systems, and $80K–$200K for an enterprise. Hyperscalers and large GPAI providers run $250K+ for multi-site multi-scope certification. Implementation cost (consulting, internal effort, tooling) usually adds 3–5× the audit price.

    What are the NIST AI RMF core functions?

    NIST AI RMF 1.0 is structured around four core functions: GOVERN (culture, policy, accountability — 6 categories), MAP (context-setting and impact identification — 5 categories), MEASURE (analysis, assessment, benchmarking — 4 categories), and MANAGE (prioritized risk response — 4 categories). The July 2024 NIST AI 600-1 GenAI profile layers generative-AI-specific risks on this structure without changing it.

    Who is the AI Act market surveillance authority in Sweden?

    Per the SOU 2025:101 inquiry, Sweden proposes a multi-authority market surveillance model rather than a single dedicated AI regulator. PTS (Post- och telestyrelsen) is proposed as the lead market surveillance authority and national co-ordinator. IMY (Integritetsskyddsmyndigheten) handles data-protection-overlapping AI use, DIGG provides public-sector guidance, and sectoral regulators (IVO, Läkemedelsverket, Finansinspektionen, DO) supervise high-risk AI in their domains. Final allocation will be set by Swedish primary legislation.

    What is SOU 2025:101?

    SOU 2025:101 ("AI-förordningen — kompletterande svensk lag") is the Swedish government official inquiry that recommends how Sweden should domestically implement the directly-applicable EU AI Act. It proposes a multi-authority market surveillance model led by PTS, with sector-specific regulators retaining domain authority. The inquiry is hosted on regeringen.se.

    What are the top AI governance consulting firms in 2026?

    The advisory landscape spans three layers. (1) Strategy/transformation: Accenture, BCG, McKinsey (QuantumBlack), Capgemini, IBM Consulting — all also members of OpenAI's Frontier Alliance. (2) Risk/audit/assurance: Deloitte (Trustworthy AI), PwC (Responsible AI Toolkit), EY (Trusted AI), KPMG (AI Risk & Controls). (3) Legal: Hogan Lovells, Cooley, WilmerHale, Bird & Bird. Enterprise engagements typically run $500K–$15M for strategy/transformation and $150K–$2M for legal.

    How much do AI governance platforms cost?

    Public pricing signals for enterprise AI governance platforms (2025–2026 indicative annual list): Credo AI $100K–$400K, Holistic AI $80K–$300K, ModelOp Center $150K–$500K, Monitaur $100K–$400K, IBM watsonx.governance $120K–$600K, Collibra AI Governance $150K–$700K, DataRobot AI Governance $100K–$500K, Fiddler AI $80K–$400K, Saidot €60K–€250K. Microsoft Purview AI Hub is bundled with M365 E5 plus data add-ons.

    What is the BCG 10-20-70 framework for AI investment?

    BCG's 10-20-70 framework recommends allocating AI program spend as 10% on algorithms/models, 20% on technology and data infrastructure, and 70% on people, processes, and organizational change. The framework — first published by BCG in 2023 — has become a widely cited planning anchor for enterprise AI transformations and emphasizes that algorithmic work is the smallest, not the largest, cost driver.

    What does the FTC require for AI claims?

    Under Section 5 of the FTC Act, AI marketing claims must be truthful, non-deceptive, and substantiated. The FTC's 'Keep Your AI Claims in Check' guidance (February 2023) emphasizes that the agency will pursue enforcement against exaggerated AI capability claims, misleading 'AI-powered' branding, and undisclosed AI use in consumer-facing products. The FTC also enforces against algorithmic harm under existing consumer-protection authority.

    What is the HHS Section 1557 final rule on AI?

    The HHS Office for Civil Rights final rule under Section 1557 of the Affordable Care Act (effective 2024-07-05) extends nondiscrimination duties to 'patient care decision support tools' — including AI/ML clinical tools. Covered entities must make reasonable efforts to identify and mitigate discrimination risks (race, color, national origin, sex, age, disability) from these tools. It is one of the most concrete U.S. federal AI obligations in healthcare.

    What is CFPB Circular 2023-03 on adverse action notices?

    CFPB Circular 2023-03 (September 2023) clarifies that creditors using AI or complex algorithms to make credit decisions must still provide specific, accurate adverse action reasons under ECOA. A 'black-box' defense — claiming the AI's reasons cannot be explained — does not satisfy the law. The circular has been a key driver of investment in explainability tooling in financial services.

    What is SR 11-7 and how does it apply to AI?

    SR 11-7 (Federal Reserve / OCC Bulletin 2011-12) is the U.S. banking model risk management guidance. It requires effective challenge, independent validation, ongoing monitoring, and documentation for all material models — explicitly including AI/ML models. Banks must integrate AI models into their model inventory and apply tiered controls based on materiality. SR 11-7 is the de facto governance backbone for AI in U.S. banking.

    How much do U.S. enterprises spend on AI in 2026?

    KPMG's Q1 2026 AI Quarterly Pulse Survey reports an average annual enterprise AI spend of ~$207M among large U.S. organizations (n=200, >$1B revenue). IDC, Gartner, Deloitte, and PwC converge on AI representing ~15–20% of enterprise IT budgets in 2026, up from ~5–8% in 2023. Governance budget typically runs 3–7% of total AI spend per Deloitte/Forrester.

    What percentage of U.S. businesses use AI in 2026?

    The U.S. Census Bureau Business Trends and Outlook Survey (BTOS) reports approximately 42% of U.S. employer businesses use artificial intelligence in producing goods or services as of May 2026 — a sharp rise from 5.5% in late 2023. The BTOS surveys ~6.3M employer firms (per SUSB 2025) and publishes biweekly CSV data via census.gov/hfp/btos.

    What is the IAPP AI Governance Professional (AIGP) salary?

    The IAPP AI Governance Professional Salary Survey (2025) reports a U.S. median salary of approximately $185K for AIGP-certified professionals, a ~22% premium over comparable privacy/compliance roles. The AIGP certification launched in 2024 and covers AI governance, risk, and compliance across the EU AI Act, NIST AI RMF, and ISO/IEC 42001.

    What is OpenAI's Frontier Alliance?

    The OpenAI Frontier Alliance is a partnership program with leading consulting and integration firms — including Accenture, BCG, Capgemini, McKinsey, Deloitte, KPMG, PwC, EY, Cognizant, HCLTech, Infosys, and Wipro — to deliver enterprise-grade implementations of OpenAI capabilities. Documented at openai.com/business. Alliance members frequently bundle AI governance advisory services into Frontier-led engagements.

    What is the EU AI Act fine for prohibited practices?

    Article 99 of the EU AI Act sets a maximum administrative fine of €35 million or 7% of total worldwide annual turnover (whichever is higher) for non-compliance with the Article 5 prohibitions on prohibited AI practices. Lower tiers apply €15M / 3% for high-risk non-compliance and €7.5M / 1% for incorrect information to authorities. SMEs and startups face the lower of the two amounts.

    What is a GPAI Code of Practice?

    A GPAI Code of Practice is a voluntary instrument under Article 56 of the EU AI Act that GPAI providers may use to demonstrate compliance with Chapter V obligations until harmonized standards are available. The first Code was finalized in 2025 and covers transparency documentation, copyright policy, and systemic-risk management. Adherence to an approved Code creates a presumption of conformity.

    How does the AI Act apply to providers outside the EU?

    Article 2 of the EU AI Act applies extraterritorially. The Regulation applies to providers placing AI systems on the EU market irrespective of where they are established, to deployers in the EU, and to providers/deployers in third countries where the output of the AI system is used in the Union. Third-country providers must appoint an EU authorized representative for high-risk AI systems.

    What is the AIGP certification?

    The IAPP AI Governance Professional (AIGP) is a global certification launched in 2024 covering AI governance, risk, and compliance. The exam tests knowledge of the EU AI Act, NIST AI RMF, ISO/IEC 42001, OECD AI Principles, and U.S. sector-specific regulations. AIGP-holders form one of the fastest-growing certified populations in the privacy/compliance professional community.

    What is a serious-incident report under the EU AI Act?

    Article 73 of the EU AI Act requires providers of high-risk AI systems to report 'serious incidents' to market surveillance authorities within 15 days (or 2 days for incidents affecting critical infrastructure or death). 'Serious incident' is defined in Article 3(49) and covers death, serious damage to health/property/environment, or serious and irreversible critical-infrastructure disruption. The duty applies from 2026-08-02 general application.

    What is a systemic-risk GPAI model?

    Under Article 51 of the EU AI Act, a GPAI model is presumed to have systemic risk when its training compute exceeds 10²⁵ FLOPs, or when the Commission designates it based on impact criteria. Systemic-risk GPAI providers face additional Article 55 obligations: model evaluation, adversarial testing, systemic risk assessment, mitigations, incident reporting, and cybersecurity protections.

    About the Authors & Reviewers

    Published ·Updated
    Written by
    Linus Ingemarsson - Co-Founder, Alice Labs at Alice Labs
    Linus Ingemarsson

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.

    • 8+ years in AI strategy & implementation
    • Top-5 AI Speaker, Sweden (Mindley 2025)
    • 100+ enterprise AI engagements
    Reviewed by
    Eric Lundberg - Co-Founder, Alice Labs at Alice Labs
    Eric Lundberg

    Co-Founder, Alice Labs

    Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.

    • AI automation & agent systems lead
    • Workflow design across 100+ deployments
    • Specialist in RAG, integrations & APIs
    Published · Updated
    Reviewed for technical accuracy, methodology and source integrity.·All claims trace to public sources cited in-line.

    Methodology

    Research Approach

    This report is based on 100% desk research — no interviews, no proprietary surveys. 45 research questions were designed for reproducibility and periodic updates (quarterly cadence).

    85 curated sources form the evidence base, classified as Primary (official legal texts, regulator publications, standard body pages, institutional reports) or Secondary (analysis, reporting, academic commentary).

    The report intentionally adopts a multi-type classification: regulatory/governance review, comparative study, maturity model, cross-sector overview, and incident observatory — because AI governance and risk readiness is simultaneously jurisdiction-driven, standards-driven, and operationally implemented.

    Confidence Framework

    • High: Official legal texts, Federal Register entries, Official Journal publications, ISO edition dates
    • Medium: Translations, government web pages without consistent dates, survey-based metrics
    • Low: Pending legislation, political signals, projections

    Research Architecture

    Systematic desk research with full source traceability — no interviews, no proprietary surveys

    45
    Research Questions
    Designed for reproducibility
    85
    Curated Sources
    Primary & secondary classified
    20
    Key Indicators
    Machine-readable dataset
    9+
    Jurisdictions
    EU, US, CN, UK, SG, JP, AU, CA, BR
    High Confidence

    Official legal texts, Federal Register entries, Official Journal publications, ISO edition dates

    Medium Confidence

    Translations, government pages without dates, survey data, institutional analysis

    Low Confidence

    Pending legislation, political signals, projections, unverified commentary

    Source Quality Distribution

    85 sources classified by authority level — 68% primary sources (official legal and regulatory texts)

    Official legal texts
    28
    33%
    Government guidance
    18
    21%
    Standards bodies
    12
    14%
    Institutional reports
    10
    12%
    Academic/analysis
    9
    11%
    Industry surveys
    8
    9%

    Limitations

    • AI-assisted generation: This report was generated with AI assistance and reviewed by humans. Critical data points should be independently verified.
    • Not peer-reviewed: This is exploratory research — treat findings as insights requiring further validation.
    • Policy volatility: U.S. federal-state dynamics and pending legislation (Brazil, Canada) change rapidly; verify current status for critical decisions.
    • Publication date gaps: Some government web pages do not display consistent publish dates; treated as stable reference pages with access dates documented.
    • Bounded jurisdictions: Focus on EU, U.S., China, UK, Singapore, Japan, Australia, Canada, and Brazil — other jurisdictions (e.g., India, South Korea) are not covered in depth.
    • Enterprise adoption data: IBM/Morning Consult survey represents enterprise samples (>1,000 employees); SME adoption may differ significantly.

    Data Sources

    38 primary sources

    Source Description Accessed
    EUR-Lex — EU AI Act (Regulation 2024/1689) Primary legal text for EU AI Act provisions and phased application dates 2026-02-17
    European Commission — GPAI Guidelines Implementation guidance for GPAI provider obligations 2026-02-17
    U.S. Federal Register — EO 14148 Rescission of EO 14110 2026-02-17
    U.S. Federal Register — EO 14110 Original Biden AI executive order (now rescinded) 2026-02-17
    OMB Memorandum M-25-21 Current core federal agency AI governance memo 2026-02-17
    OMB Memorandum M-25-22 Federal AI procurement governance memo 2026-02-17
    OMB Memorandum M-24-10 (superseded) Previous federal AI governance memo, now superseded by M-25-21 2026-02-17
    Colorado General Assembly — SB24-205 Colorado AI algorithmic discrimination law 2026-02-17
    Colorado General Assembly — SB25B-004 Extension of Colorado AI law effective date to 2026-06-30 2026-02-17
    Utah Legislature — HB286 Utah frontier-model transparency/safety plan bill 2026-02-17
    Council of Europe — AI Convention First legally binding international AI treaty 2026-02-17
    OECD — Recommendation on AI First intergovernmental AI standard (adopted 2019-05-22) 2026-02-17
    UNESCO — Ethics of AI Recommendation Global ethics standard-setting instrument (adopted 2021-11-23) 2026-02-17
    UNGA Resolution A/RES/78/265 Safe, secure, trustworthy AI for sustainable development 2026-02-17
    G7 Hiroshima Process Guiding Principles Advanced AI system governance principles 2026-02-17
    ISO/IEC 42001:2023 AI management system standard 2026-02-17
    ISO/IEC 23894:2023 AI risk management guidance 2026-02-17
    ISO/IEC 38507:2022 Governance implications of AI for governing bodies 2026-02-17
    NIST AI RMF 1.0 Voluntary cross-sector risk management framework 2026-02-17
    NIST AI 600-1 (GenAI Profile) GenAI companion profile for the AI RMF 2026-02-17
    PDPC Singapore — AI Verify 11-principle testing and assurance toolkit 2026-02-17
    China — Generative AI Interim Measures Binding controls on public-facing generative AI (effective 2023-08-15) 2026-02-17
    China — Algorithm Recommendation Provisions Algorithm governance framework (effective 2022-03-01) 2026-02-17
    UK — Algorithmic Transparency Recording Standard Mandatory transparency register for UK government AI use (since 2025) 2026-02-17
    IBM Global AI Adoption Index Enterprise AI adoption and exploration rates (42% deploying, 40% exploring) 2026-02-17
    EUR-Lex — Cyber Resilience Act (Regulation 2024/2847) Cybersecurity requirements for products with digital elements 2026-02-17
    OWASP — LLM Top 10 LLM application-layer threat taxonomy 2026-02-17
    MITRE ATLAS Adversarial threat landscape for AI systems 2026-02-17
    ISO/IEC 22989:2022 AI terminology and concepts — definitions baseline 2026-02-17
    UK — Pro-Innovation Approach White Paper UK regulatory framework via sector-specific regulators 2026-02-17
    UK ICO — AI and Data Protection Guidance Data protection governance for AI systems 2026-02-17
    China — Deep Synthesis Provisions Governance of generated/edited media (effective 2023-01-10) 2026-02-17
    Japan — AI Guidelines for Business v1.0 Voluntary lifecycle-oriented AI governance guidelines (2024-04-19) 2026-02-17
    Australia — AI Ethics Principles 8 voluntary AI ethics principles (since 2019) 2026-02-17
    Singapore — Model AI Governance Framework 2.0 Practical AI governance implementation guide 2026-02-17
    China — PIPL (Personal Information Protection Law) China's comprehensive data protection law (effective 2021-11-01) 2026-02-17
    EO 14179 — Removing Barriers to AI Innovation Innovation-first AI policy posture replacing EO 14110 framework 2026-02-17
    MLCommons AI Safety Benchmark Standardized AI safety evaluation benchmarks 2026-02-17

    Version History

    1.7
    2026-06-26Latest

    June 2026 deep expansion: new 'Expanded Analysis' chapter covering (1) the EU Digital Omnibus political agreement of 7 May 2026 and the candidate 2 December 2027 / 2 August 2028 high-risk timeline, (2) Sweden's AI Act implementation via SOU 2025:101 with PTS / IMY / DIGG roles, (3) ISO/IEC 42001 control A.6.2.8 mapped to EU AI Act FRIA, NIST AI RMF, and Colorado SB24-205, (4) ISO/IEC 42001 certification cost benchmarks, (5) NIST AI RMF Core function breakdown (Govern / Map / Measure / Manage), (6) Big-4 + strategy + law-firm advisory landscape with indicative engagement sizes, (7) AI governance platform pricing for ten vendors (Credo AI, Holistic AI, ModelOp, Monitaur, IBM, Microsoft, Collibra, DataRobot, Fiddler, Saidot), (8) U.S. sector-specific AI regulators (FTC, FDA, HHS OCR, CFPB, OCC/SR 11-7, EEOC, SEC, NHTSA), (9) 2026 enterprise AI spend benchmarks (KPMG $207M, IDC ~18% of IT, Gartner, Deloitte, PwC), (10) glossary with 15 DefinedTerm entries, (11) APA/MLA/Chicago/BibTeX citation formats, (12) methodology note and author/reviewer credentials. Added 23 new FAQ entries. 12 quotable stat callouts with primary-source citations. Version bumped 1.6 → 1.7.

    1.6
    2026-06-26

    Q2 2026 refresh: added 'Q2 2026 Update' chapter with full Article 113 application-date breakdown (sub-paragraphs (a), (b), (c), and 113(3) transition), June 2026 watchlist for Colorado SB24-205 enforcement and EU CRA partial application, and Q2 enterprise-readiness data (OECD AI Index 2025, Stanford HAI AI Index 2025, McKinsey State of AI 2026, BCG AI Radar 2026). Added 2 FAQ entries on Article 113 application dates and the entry-into-force vs application distinction. Added visible 'Last reviewed' badge. No underlying data points modified.

    1.3
    2026-02-18

    Added: Regulatory urgency heatmap (2026–2027), governance artifact lifecycle visual, compliance readiness checklist (19 controls), frontier AI developer safety dashboard, definition divergence table (cross-jurisdiction), incident response integration flowchart, research methodology dashboard, and source quality breakdown. Expanded FAQ to 15 practical research questions. Added 11 new data sources (total: 39 curated). Strengthened entity structure for research reuse.

    1.2
    2026-02-18

    Added: EU penalty structure visual, standards crosswalk dashboard (ISO 42001 ↔ NIST AI RMF ↔ AI Verify), board-level KPI dashboard, deadline countdown cards, procurement & vendor due diligence section, internal vs customer-facing AI governance comparison, incident reporting detail, 10-question FAQ section, full Report+Dataset+Organization+FAQPage JSON-LD schema graph.

    1.1
    2026-02-18

    Added: compliance timeline visualization, jurisdiction comparison chart, maturity model visual, adoption vs readiness gap dashboard, cross-regime convergence matrix, agentic AI governance chapter, 8-question FAQ section, evidence-based landscape map, penalty structures, SME vs enterprise guidance. Expanded data sources from 11 to 28. Added 16 keywords.

    1.0
    2026-02-17

    Initial publication — 85 sources, 20 scoreboard indicators, 5-level maturity model, 9+ jurisdictions mapped, control architecture checklist, and compliance timeline.

    Related Reports

    Get in Touch!

    The lab usually responds within 24 hours.