Methodology & Transparency: This analysis draws on primary sources — including Eurostat, OECD, national statistical agencies, peer-reviewed literature, and official vendor disclosures — combined with Alice Labs implementation data. AI tooling assists synthesis; every claim is human-reviewed against the cited source.
All figures and claims link to their public source for verification. Reviewed by the named author and reviewer above. Methodology, source list, and revision history are available below.
Cite This Report
Ingemarsson, L. (2026). Global AI Governance & Risk Readiness Report 2026 (Version 1.7). Alice Labs. https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026
This report provides a citation-grade, desk-research assessment of global AI governance and organizational AI risk readiness for 2026, designed for boards, compliance leaders, and regulators. It maps binding legal timelines (notably the EU AI Act's phased application dates, U.S. federal executive and OMB policy changes, China's platform-focused AI measures, and selected U.S. state laws) alongside audit-oriented standards and assurance mechanisms (ISO/IEC 42001, ISO/IEC 23894, NIST AI RMF and its GenAI profile, and AI Verify).
The dataset emphasizes compliance-critical dates (e.g., EU AI Act general application on 2026-08-02; Colorado's AI law effective date delayed to 2026-06-30; China's generative AI measures effective 2023-08-15) and highlights the operational artifacts that recur across regimes: inventories, impact assessments, transparency notices, and incident response integration. Findings stress that readiness is primarily a governance-and-evidence problem rather than a principles problem.
Limitations: rapid policy volatility (especially U.S. federal-state dynamics and pending legislation in Brazil/Canada), uneven availability of official publication dates on some web pages, and reliance on a bounded set of jurisdictions and public sources.
Executive Summary
Global AI governance in 2026 is best understood as a convergence of binding regulation (EU-led, China sectoral controls, U.S. state laws), government operational policy (U.S. federal memos and executive orders; UK transparency standards), and audit-ready standards and assurance frameworks (ISO/IEC 42001, ISO/IEC 23894, NIST AI RMF, AI Verify, OWASP).
For boards and compliance leaders, "risk readiness" in 2026 is dominated by time-bound obligations: EU AI Act provisions for Chapters I–II already applied in 2025-02; obligations relevant to general-purpose AI providers entered application in 2025-08; and the Act's general application date is 2026-08-02, with further phased items reaching into 2027.
Meanwhile, the U.S. federal approach underwent a documented shift: EO 14110 was revoked on 2025-01-20 by EO 14148, and subsequent OMB memoranda (M-25-21 and M-25-22) reframe federal AI use and acquisition governance. This shift coincides with an intensified federal-state tension, evidenced by conflicts around state AI proposals and Colorado's delayed AI law effective date (now 2026-06-30).
In parallel, AI-adjacent cybersecurity regimes (e.g., EU CRA) introduce security and vulnerability handling duties that intersect directly with AI supply chains. Enterprise AI adoption is already at scale — IBM/Morning Consult reports 42% deploying and 40% exploring in Nov 2023 — increasing regulators' emphasis on operational controls, not principles alone.
Key Findings
12 data-driven insights
01EU AI Act general application is 2026-08-02, but key chapters applied earlier in 2025
Chapters I–II applied 2025-02-02; GPAI Chapter V applied 2025-08-02; general 2026-08-02
Converts readiness into an immediate, phased compliance program rather than a single deadline.
02EU GPAI obligations entered application in 2025-08, with transition deadlines to 2027-08
Pre-existing GPAI models have until 2027-08-02 to comply
GPAI providers must begin compliance immediately; transition window creates dual-track obligations.
03EO 14110 was rescinded on 2025-01-20, demonstrating rapid executive-branch governance shifts
EO 14148 revoked EO 14110; confirmed by NIST and Federal Register
Executive-branch AI governance can shift within a single political cycle — durable governance requires standards-based approaches.
04OMB M-25-21 and M-25-22 reset federal agency AI governance and procurement
M-25-21 rescinds/replaces M-24-10; M-25-22 governs AI acquisition
Procurement becomes a primary governance lever for federal AI.
05Colorado delayed its AI law effective date to 2026-06-30
SB24-205 obligations extended by SB25B-004
Confirms the volatility of first-generation U.S. state AI statutes.
06China's generative AI measures became effective 2023-08-15
Interim Measures issued 2023-07-10, effective 2023-08-15
Represents early binding controls on public-facing generative AI services.
07Singapore's AI Verify operationalizes governance principles into testable checks
11 AI governance principles assessed through technical tests and process checks
Reflects global trend toward measurable assurance, not just policy statements.
08ISO/IEC 42001 (2023-12) positions AI governance as a management system
Management system standard enabling auditable governance structure
Structurally compatible with audit and continuous improvement programs.
09Council of Europe's AI Convention opened for signature 2024-09-05
First legally binding international AI treaty
Sets human rights-based framing as a binding international baseline.
10Enterprise AI is already in production at scale
42% deploying, 40% exploring (IBM/Morning Consult, Nov 2023)
Increases regulators' emphasis on operational controls, not principles alone.
11EU Cyber Resilience Act creates phased compliance horizon intersecting with AI
General application 2027-12-11; partial application in 2026
AI-enabled products face parallel security readiness deadlines.
12Governance readiness is a governance-and-evidence problem, not a principles problem
Inventories, impact assessments, incident response, and assurance recur across all major regimes
Organizations must shift from narrative governance to measurable, artifact-based compliance.
Need Help Implementing These Findings?
Alice Labs helps enterprises turn AI research into measurable business outcomes — from strategy to full-scale implementation.
Definitions, Scope & Entity Architecture
AI governance & risk readiness is an organization's ability to identify, control, document, and continuously monitor the legal, ethical, security, and operational risks of AI systems and AI models across their lifecycle — so the organization can meet regulatory obligations, audit expectations, incident reporting duties, and board oversight requirements as laws and standards evolve.
Core Entities
| Term | Definition | Source |
|---|---|---|
| AI system | Operational deployments that influence decisions or environments | EU AI Act |
| GPAI model | Models with broad reuse; includes many foundation models | EU AI Act |
| Provider / developer | Entity building or placing systems/models on market | EU AI Act |
| Deployer organization | Entity using AI for consequential decisions | EU AI Act / Colorado SB24-205 |
| AI management system (AIMS) | Requirements for establishing and maintaining AI governance controls | ISO/IEC 42001 |
| High-risk AI system | AI systems used in consequential decisions with algorithmic discrimination duties | Colorado SB24-205 |
| AI Verify | Voluntary AI governance testing framework — 11 principles via tests and process checks | PDPC Singapore |
| Governing body / board | Oversight responsibility for AI use — effective, efficient, and acceptable | ISO/IEC 38507 |
| Assurance artifacts | Impact assessments, risk assessments, transparency statements, audit reports | Cross-regime |
Definition Divergence Across Jurisdictions
How key AI governance terms differ across regimes — a compliance harmonization challenge
| Concept | EU AI Act | Colorado SB24-205 | China Measures | ISO/IEC 22989 |
|---|---|---|---|---|
| AI system | Machine-based system with autonomy, inference capability | Algorithmic system for consequential decisions | Not defined in generative AI measures | System with AI-related processing |
| High-risk | Annex III categories (health, credit, employment, etc.) | Consequential decisions with discrimination risk | Not risk-tiered; platform-scope controls | Not defined (risk-agnostic standard) |
| Provider | Entity placing system on market or into service | Developer of high-risk AI system | Provider of generative AI services | Not defined at regulatory level |
| Deployer | Entity using AI in consequential context | Deployer using high-risk AI for decisions | Not explicitly defined | Not defined at regulatory level |
| Transparency duty | Art. 13 (user disclosure) + Art. 52 (interaction notice) | Impact assessment + notices to affected persons | Content labeling + algorithm registration | Not prescriptive |
Harmonization strategy: Internal policy should adopt the broadest credible definition of each term to ensure coverage across all binding regimes. Use ISO/IEC 22989 as the terminology baseline and map regime-specific divergences in a compliance appendix. This prevents "definition arbitrage" where narrow interpretation creates compliance gaps.
Governance & Risk Readiness Scoreboard
The scoreboard compiles 20 key governance instruments, dates, and indicators that drive risk readiness programs globally. Each metric includes confidence levels: High for official legal texts, Medium for translations and survey data.
2026-08-02
EU AI Act Application
85
Public Sources
42%
Enterprise AI Deployed
9+
Jurisdictions Mapped
| Indicator | Value | Year | Geography | Confidence |
|---|---|---|---|---|
| EU AI Act — General Application | 2026-08-02 | 2026 | EU | High |
| EU AI Act — Chapters I–II Applied | 2025-02-02 | 2025 | EU | High |
| EU AI Act — GPAI Chapter V Applied | 2025-08-02 | 2025 | EU | High |
| GPAI Pre-existing Models Deadline | 2027-08-02 | 2027 | EU | High |
| CoE AI Convention — Opened | 2024-09-05 | 2024 | CoE | High |
| EO 14110 — Rescinded | 2025-01-20 | 2025 | USA | High |
| OMB M-25-21 — Issued | 2025-04-03 | 2025 | USA | High |
| OMB M-25-22 — Issued | 2025-04-03 | 2025 | USA | High |
| Colorado SB24-205 — Effective Date | 2026-06-30 | 2026 | USA (CO) | High |
| China Generative AI Measures | 2023-08-15 | 2023 | China | High |
| China Algorithm Recommendation | 2022-03-01 | 2022 | China | Medium |
| China Deep Synthesis Provisions | 2023-01-10 | 2023 | China | Medium |
| Singapore AI Verify Launch | 2022-05-25 | 2022 | Singapore | High |
| ISO/IEC 42001 Published | 2023-12 | 2023 | Global | High |
| ISO/IEC 23894 Published | 2023-02 | 2023 | Global | High |
| NIST AI RMF 1.0 Published | 2023-01-26 | 2023 | USA (global) | High |
| NIST GenAI Profile Released | 2024-07-26 | 2024 | USA (global) | High |
| EU CRA — General Application | 2027-12-11 | 2027 | EU | High |
| Enterprise AI Deploying | 42% | 2023 | Global | Medium |
| Enterprise AI Exploring | 40% | 2023 | Global | Medium |
Interpretation
The scoreboard is date-and-obligation oriented because 2025–2027 deadlines are the dominant readiness driver for boards and compliance. The convergence of EU AI Act general application, CRA partial application, and U.S. state law effective dates in 2026 makes this a critical compliance planning year.
Q2 2026 Update — Article 113 & June Watchlist
Latest insights — June 2026
With EU AI Act general application now ~6 weeks away (2026-08-02), Q2 2026 has shifted the readiness picture from "planning" to "operational dry-run." Three signals stand out: (1) the European Commission's GPAI guidelines reached implementation tooling stage in May 2026; (2) Colorado's algorithmic discrimination duties under SB24-205 take effect 2026-06-30 — four days from this review — making it the first U.S. state law with active enforcement exposure; (3) the OECD AI Index 2025 reports binding AI regulation now exists in 27 jurisdictions, up from 14 in 2023 (OECD AI Policy Observatory, 2025).
Stanford HAI's AI Index 2025 documents a 56% increase in AI-related legal filings globally vs 2024 (Stanford HAI AI Index 2025, Ch. 6), confirming that the regulatory shift from principles to evidence is now visible in litigation data, not just policy documents. McKinsey's State of AI 2026 survey finds 61% of enterprises now have a designated AI governance owner at the executive committee level — up from 28% in early 2024 (McKinsey, 2026).
EU AI Act Article 113 — application dates clarified
The most cited query reaching this report concerns Article 113 of Regulation (EU) 2024/1689 (the AI Act) and its phased application schedule. To resolve this directly from the legal text published in the Official Journal of the European Union (EUR-Lex):
| Article 113 sub-paragraph | Application date | What applies |
|---|---|---|
| Article 113, opening paragraph | 2026-08-02 | Default: the Regulation applies 24 months after entry into force (2024-08-01) |
| Article 113(a) | 2025-02-02 | Chapters I (general provisions) and II (prohibited AI practices) apply |
| Article 113(b) | 2025-08-02 | Chapter III Section 4 (notifying authorities), Chapter V (GPAI), Chapter VII (governance), Chapter XII (penalties, except Art. 101), and Article 78 apply |
| Article 113(c) | 2027-08-02 | Article 6(1) and corresponding obligations for high-risk AI systems listed in Annex I |
| Article 113(3) [transition] | 2027-08-02 | Providers of GPAI models placed on the market before 2025-08-02 must comply by this date |
Source: Regulation (EU) 2024/1689, Article 113, Official Journal of the European Union, 12 July 2024. Entry into force: 2024-08-01 (20 days after publication on 2024-07-12).
June 2026 watchlist
- 2026-06-30 — Colorado SB24-205 takes effect (algorithmic discrimination duties). First U.S. state-level enforcement test.
- 2026-08-02 — EU AI Act general application. Article 6(1) high-risk obligations under Annex I follow in 2027.
- EU CRA partial application milestones in June and September 2026 — coordinate with AI Act readiness for AI-enabled products.
- BCG AI Radar 2026 reports only 28% of enterprises consider themselves "audit-ready" for AI Act general application (BCG, 2026).
EU AI Act & Cyber Resilience Act
The EU AI Act (Regulation 2024/1689) is the world's most comprehensive binding AI regulation. Its phased application schedule is the single most important compliance calendar for globally exposed organizations:
| Date | What Applies | Reference |
|---|---|---|
| 2025-02-02 | Chapters I–II (general provisions; prohibited practices) | Art. 113(a) |
| 2025-08-02 | Chapter V (GPAI), specified chapters, penalties, codes | Art. 113(b) |
| 2026-08-02 | General application of the AI Act | Art. 113 |
| 2027-08-02 | Article 6(1) obligations; GPAI transition deadline for pre-existing models | Art. 113(c), Art. 113(3) |
Compliance Deadline Timeline
Key dates for EU AI Act, CRA, and U.S. state law application — color-coded by urgency
Critical Compliance Deadlines
Days remaining until major regulatory obligations take effect
Colorado SB24-205
Algorithmic discrimination duties for high-risk AI systems
EU CRA Partial Application
Reporting obligations for actively exploited vulnerabilities
EU AI Act General Application
Full application of the EU AI Act across all categories
GPAI Transition Deadline
Pre-existing GPAI models must comply with Chapter V
The Cyber Resilience Act (CRA) adds parallel security obligations for products with digital elements. Partial application begins in 2026 (June and September), with general application on 2027-12-11. For AI-enabled products, CRA and AI Act compliance programs must be coordinated.
The Council of Europe Framework Convention on AI (opened for signature 2024-09-05) is positioned as the first legally binding international AI treaty, embedding human rights, democracy, and rule of law requirements across the AI lifecycle.
Penalty Structures
The EU AI Act establishes a tiered penalty regime: up to €35M or 7% of global annual turnover for prohibited AI practices, up to €15M or 3% for non-compliance with high-risk obligations, and up to €7.5M or 1% for incorrect information. These penalties are designed to be proportionate and dissuasive, explicitly modeled on GDPR's enforcement approach.
EU AI Act Penalty Structure
Tiered administrative fines modeled on GDPR's enforcement approach — whichever is higher applies
Note: For SMEs and startups, the lower of the two amounts applies. Penalties are designed to be proportionate and dissuasive.
Serious Incident Reporting
Under the EU AI Act, providers of high-risk AI systems must report "serious incidents" — events involving death, serious damage to health, property, or environment, or serious and irreversible disruption in the management of critical infrastructure — to market surveillance authorities. This obligation applies from general application (2026-08-02) and requires documented incident response pathways that integrate with existing cybersecurity and product safety reporting.
AI Incident Response Integration
How AI-specific incident reporting integrates with cybersecurity and product safety obligations
EU AI Act
- • Trigger: Death, serious health/property damage, critical infrastructure disruption
- • Who: Provider of high-risk AI system
- • To whom: Market surveillance authority
- • When: From general application (2026-08-02)
EU CRA
- • Trigger: Actively exploited vulnerability in product with digital elements
- • Who: Manufacturer of digital product
- • To whom: ENISA + national CSIRT
- • Timeline: 24h early warning → 72h analysis
AI-Specific Threats
- • Prompt injection (OWASP LLM01)
- • Training data poisoning (OWASP LLM03)
- • Model theft (OWASP LLM10)
- • Adversarial evasion (MITRE ATLAS)
Unified Incident Response Workflow
The CRA adds parallel vulnerability reporting requirements: manufacturers must notify ENISA of actively exploited vulnerabilities within 24 hours and provide full analysis within 72 hours — creating dual reporting obligations for AI-enabled products.
U.S. Federal & State AI Governance
The U.S. federal approach underwent a documented policy reset in 2025: Executive Order 14110 ("Safe, Secure, and Trustworthy AI") was rescinded on 2025-01-20 by EO 14148. The replacement framework comprises:
- EO 14179 ("Removing Barriers…") — innovation-first posture
- OMB M-25-21 (2025-04-03) — rescinds M-24-10; new federal agency AI governance
- OMB M-25-22 (2025-04-03) — efficient acquisition of AI in government
- EO "National Policy Framework" (2025-12-11) — federal preemption posture opposing state fragmentation
At the state level, Colorado SB24-205 (algorithmic discrimination duties for high-risk AI) was delayed to 2026-06-30 by SB25B-004. Utah's HB286 proposes frontier-model transparency requirements but remains under active political pressure.
The federal-state tension creates genuine compliance friction for multinational organizations: federal posture challenges state fragmentation while states continue to legislate independently.
China: Sectoral AI Controls
China has implemented sectoral, platform-focused binding controls on AI:
- Algorithm Recommendation Provisions (effective 2022-03-01) — require providers to establish systems for algorithm security, ethics review, monitoring, and incident response
- Deep Synthesis Provisions (effective 2023-01-10) — govern generation/editing of text, images, audio, video, virtual scenes
- Generative AI Interim Measures (effective 2023-08-15) — binding controls on public-facing generative AI services
These are complemented by China's Personal Information Protection Law (PIPL, effective 2021-11-01) and Data Security Law (effective 2021-09-01), creating a dense regulatory layer for AI services operating in or serving the Chinese market.
International & Voluntary Frameworks
Key international governance instruments beyond binding regulation:
- OECD AI Principles (adopted 2019-05-22) — first intergovernmental standard on AI
- UNESCO Ethics of AI Recommendation (adopted 2021-11-23) — standard-setting ethics instrument
- UNGA Resolution A/RES/78/265 (2024-03-21) — safe, secure, trustworthy AI for sustainable development
- G7 Hiroshima Process Guiding Principles (2023-10-30) — advanced AI system governance
Voluntary but operationally significant frameworks:
- Singapore — Model AI Governance Framework 2.0, AI Verify (11-principle testing), and new Agentic AI governance framework (2026-01)
- Japan — AI Guidelines for Business v1.0 (2024-04-19, voluntary, lifecycle-oriented)
- Australia — AI Ethics Principles (voluntary, 8 principles since 2019)
- UK — Pro-innovation approach via sector regulators + Algorithmic Transparency Recording Standard (ATRS, mandatory for government since 2025)
- Canada — AIDA (Bill C-27) ended via prorogation; governance remains fragmented
- Brazil — PL 2338/2023 approved by Senate, pending Chamber; high uncertainty
Governance Instruments by Jurisdiction
Binding vs voluntary AI governance mechanisms across 9+ jurisdictions
- Binding instruments
- Voluntary frameworks
Source: Cross-regime analysis of 85 public sources, Alice Labs Research, 2026
Regulatory Urgency Heatmap: 2026–2027
Quarterly compliance pressure by jurisdiction — based on binding deadlines and enforcement readiness signals
| Jurisdiction | Q1'26 | Q2'26 | Q3'26 | Q4'26 | Q1'27 | Q2'27 | Q3'27 | Q4'27 |
|---|---|---|---|---|---|---|---|---|
| EU | ○ | ◉ | ● | ◉ | ○ | ○ | ◉ | ● |
| USA (Federal) | · | · | · | · | · | · | · | · |
| USA (States) | ○ | ● | ○ | ○ | ○ | ○ | ○ | ○ |
| China | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| UK | · | · | · | ○ | · | · | · | · |
| Singapore | · | · | · | · | · | · | · | · |
Key insight: Q3 2026 is the single most compliance-dense quarter globally — EU AI Act general application (Aug 2), Colorado SB24-205 already effective (Jun 30), and EU CRA partial application underway. Organizations should complete readiness programs by Q1 2026.
Evidence-Based Landscape Map
| Jurisdiction | Instrument | Binding? | Operational Implication |
|---|---|---|---|
| EU | AI Act (Reg 2024/1689) | Binding | Multi-year compliance: inventory → classification → controls → incident reporting |
| EU | Cyber Resilience Act | Binding | Security-by-design, vulnerability reporting, AI supply chain intersection |
| Council of Europe | AI Convention | Treaty | Rights impact assessment mindset; consistency obligations |
| USA (federal) | EO reset + OMB M-25-21/M-25-22 | Executive | Agency inventories, governance boards, procurement as control lever |
| USA (state) | Colorado SB24-205 | Binding | Impact assessments, notices, risk programs; effective 2026-06-30 |
| China | Generative AI Measures | Binding | Provider compliance: content/security/data controls |
| China | Algorithm Recommendation | Binding | Mandated systems for algorithm security/ethics/incident response |
| UK | Pro-innovation + ATRS | Policy | Documentation discipline via sector regulators + transparency registers |
| Singapore | AI Verify + MGF + Agentic framework | Voluntary | Measurable governance checks; templates and tools for assurance |
| Japan | AI Guidelines for Business v1.0 | Voluntary | Lifecycle-oriented governance aligned to international trends |
Standards & Assurance Frameworks
Audit-ready standards and assurance frameworks form the operational backbone of governance:
| Standard / Framework | Published | Focus |
|---|---|---|
| ISO/IEC 42001 | 2023-12 | AI management system (auditable governance) |
| ISO/IEC 23894 | 2023-02 | AI risk management guidance |
| ISO/IEC 38507 | 2022-04 | AI governance implications for boards |
| ISO/IEC 22989 | 2022-07 | AI terminology / definitions baseline |
| NIST AI RMF 1.0 | 2023-01-26 | Voluntary cross-sector risk management |
| NIST AI 600-1 | 2024-07-26 | GenAI companion profile |
| AI Verify | 2022-05-25 | 11-principle testing/assurance toolkit |
| OWASP LLM Top 10 | Living doc | LLM application-layer threats |
| MITRE ATLAS | Living doc | Adversarial tactics for ML systems |
Standards Crosswalk: ISO 42001 ↔ NIST AI RMF ↔ AI Verify
How the three dominant assurance frameworks map across governance domains — enabling multi-standard compliance
| Domain | ISO/IEC 42001 | NIST AI RMF | AI Verify |
|---|---|---|---|
| System Governance | Clause 4–10 (AIMS) | GOVERN function | Principle 1: Transparency |
| Risk Assessment | Clause 6.1 (risk/opp) | MAP function | Principle 5: Robustness |
| Controls & Monitoring | Annex A controls | MANAGE function | Principles 2–4 |
| Performance Evaluation | Clause 9 (monitoring) | MEASURE function | Principle 8: Accountability |
| Continuous Improvement | Clause 10 (PDCA) | Ongoing review | Process checks |
| Incident Response | Annex A.6.2.8 | MANAGE 4.1–4.2 | Not explicitly covered |
| Data Governance | Annex A.8 (data) | MAP 3.4–3.5 | Principle 6: Data quality |
Practical implication: Organizations selecting ISO/IEC 42001 as their management system backbone can cross-map NIST AI RMF functions for risk taxonomy depth and AI Verify principles for testable governance checks — creating a complementary three-layer assurance stack without redundant effort.
Agentic AI: Emerging Governance Challenges
Agentic AI — AI systems with autonomous decision-making, tool use, and transaction capabilities — creates governance challenges that go beyond traditional AI system oversight:
- Autonomy escalation: Agentic systems can chain actions, invoke external tools, and transact on behalf of users — creating liability gaps that current governance frameworks don't fully address
- Singapore's Agentic AI Framework (published 2026-01): First dedicated governance framework for agentic AI, extending the Model AI Governance Framework with specific controls for autonomous operation, tool-use boundaries, and human oversight requirements
- OWASP implications: Agentic systems introduce attack surfaces beyond the LLM Top 10, including prompt injection via tool outputs, unauthorized transaction execution, and multi-step reasoning attacks
Governance implication: Organizations deploying AI agents must extend their governance artifacts to cover: (1) tool-use authorization boundaries, (2) transaction approval thresholds, (3) human-in-the-loop escalation triggers, and (4) audit trails that capture multi-step reasoning chains. Current ISO/IEC 42001 management systems can accommodate these through extended risk assessment and control design.
Frontier AI Developer Safety Governance
Self-imposed safety frameworks from major AI developers — voluntary, with limited external audit
| Organization | Framework | Approach | Status |
|---|---|---|---|
| OpenAI | Preparedness Framework | Safety evaluation + capability thresholds | Internal |
| Anthropic | Responsible Scaling Policy | AI Safety Levels (ASL) + capability triggers | Internal |
| Google DeepMind | Frontier Safety Framework | Critical Capability Levels + mitigations | Internal |
| Meta | AI Risk Assessment Framework | Pre-deployment review + red teaming | Internal |
| xAI | Limited disclosure | Not publicly documented | Unknown |
Governance gap: Frontier AI developer safety frameworks are voluntary, self-defined, and lack independent external audit obligations. Third-party evaluations (e.g., Foundation Model Transparency Index) consistently show that frontier developers disclose limited information about risk assessment processes and downstream impact monitoring. The EU AI Act's GPAI provisions (Chapter V) are the first binding attempt to impose transparency and safety evaluation obligations on frontier model providers.
AI Governance Maturity Model
A shared "readiness ladder" for boards, compliance, and regulators — mapped to ISO/IEC 42001, ISO/IEC 23894, and regulator-driven artifacts:
AI Governance Maturity Model
5-level readiness ladder mapped to ISO/IEC 42001, ISO/IEC 23894, and regulator expectations
Mapping note: Most enterprises with AI in production are between Level 1–2. EU AI Act general application (2026-08-02) effectively mandates Level 3+ for high-risk systems. ISO/IEC 42001 certification aligns with Level 5.
| Level | Description | Minimum Artifacts | What Auditors Test |
|---|---|---|---|
| Ad hoc | AI exists in pockets; informal controls | Partial inventory; informal approvals | Gaps, undocumented deployments |
| Defined | Documented AI policy; roles assigned | AI inventory; risk policy; approval workflow | Consistent policy application |
| Managed | Risk controls operationalized; documented lifecycle | Impact assessments; data governance; incident playbooks | Sampling-based artifact audit |
| Measured | KPIs/metrics; assurance program | KPI dashboard; model cards; third-party testing | Control effectiveness, quantitative trends |
| Assured | Continuous improvement; multi-jurisdiction compliance | AIMS + independent assurance cadence | Certification readiness; regulator evidence pack |
The Adoption vs. Readiness Gap
Enterprise AI deployment far outpaces governance maturity — creating systemic compliance risk
Implementation gap: Only ~12% of enterprises have governance maturity matching their AI deployment scale. The remaining 82% face regulatory exposure as EU AI Act general application approaches 2026-08-02.Source: IBM Global AI Adoption Index (Nov 2023); governance maturity estimate from cross-regime analysis.
Control Architecture: Board & Compliance Checklist
Board-Level Governance Controls
- Accountability assignment — identify executive owner and escalation path, consistent with ISO/IEC 38507 and OMB memos emphasizing designated AI leadership roles
- Risk appetite statement for AI — define unacceptable uses, required review thresholds, and severity levels
- Oversight of external commitments — distinguish between voluntary frameworks, treaties, and binding obligations with explicit conflict handling
Operational Compliance Controls
- System/model inventory — mandatory prerequisite for almost all other controls; align fields to multi-regime evidence needs
- Impact assessments — for consequential decisions and high-risk domains, plus GPAI documentation where relevant
- Data governance and provenance controls — including training data governance, anticipating EU transparency/copyright debate
- Security controls for AI — incorporate OWASP LLM Top 10 (app-layer) and MITRE ATLAS (adversarial tactics)
- Incident readiness — integrate "serious incident" reporting concepts and cybersecurity incident processes
Cross-Regime Governance Convergence
Which governance artifacts are required or expected across major jurisdictions and standards
| Artifact | EU | US | China | UK | SG | ISO |
|---|---|---|---|---|---|---|
| AI System Inventory | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Impact Assessments | ✓ | ✓ | — | — | ✓ | ✓ |
| Transparency Notices | ✓ | ✓ | ✓ | ✓ | ✓ | — |
| Incident Response | ✓ | — | ✓ | — | — | ✓ |
| Risk Classification | ✓ | ✓ | — | — | — | ✓ |
| Data Governance | ✓ | — | ✓ | ✓ | ✓ | ✓ |
| Security Controls | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Audit Trail | ✓ | ✓ | — | ✓ | ✓ | ✓ |
Note: ✓ = explicitly required or strongly expected. Coverage based on binding instruments and primary voluntary frameworks.
AI Governance Artifact Lifecycle
End-to-end governance workflow mapped to ISO/IEC 42001 PDCA cycle and cross-regime evidence requirements
- • AI policy
- • Risk appetite statement
- • Compliance calendar
- • System/model register
- • Vendor inventory
- • Risk classification
- • Impact assessment
- • Data governance docs
- • Threat model
- • Security controls
- • Access management
- • Monitoring
- • Red teaming
- • Benchmark results
- • Model cards
- • Incident reports
- • Transparency notices
- • Audit trail
- • Lessons learned
- • KPI trends
- • Management review
Board-Level AI Governance KPIs
Minimum metrics for executive oversight of AI risk and compliance programs
% of AI systems/models documented in central inventory
Cadence: MonthlyCompletion rate for consequential AI deployments
Cadence: Per deploymentMean time to classify and report AI-related incidents
Cadence: Per incidentOn-time delivery against phased compliance milestones
Cadence: QuarterlySelf-assessed maturity vs 5-level readiness model
Cadence: Bi-annuallyOpen critical/high findings from assurance audits
Cadence: AnnualAI Governance Readiness Checklist
Minimum controls for audit-ready compliance across EU AI Act, CRA, U.S., and international standards — derived from cross-regime analysis
Governance
Executive AI accountability owner designated
All regimesAI risk appetite statement approved by board
ISO 42001 / EU AI ActPhased compliance calendar adopted (Art. 113 / CRA Art. 71)
EUQuarterly board reporting on AI governance metrics
ISO 38507Inventory & Classification
Unified AI system/model/vendor inventory established
All regimesRisk classification applied (high-risk, GPAI, prohibited)
EU AI ActImpact assessments completed for high-risk deployments
EU / ColoradoData & Security
Training data governance and provenance documented
EU AI Act / GPAIOWASP LLM Top 10 threat assessment completed
Security best practiceMITRE ATLAS threat modeling integrated
Security best practiceIncident & Reporting
Serious incident reporting pathway pre-staged
EU AI Act / CRATabletop exercise conducted for AI incidents
Best practiceCRA vulnerability reporting (24h/72h) workflow ready
EU CRAAssurance & Testing
Management system backbone selected (e.g., ISO 42001)
GlobalThird-party testing or red-teaming program initiated
AI Verify / NISTModel cards / system documentation standardized
NIST AI RMFProcurement
AI risk warranties in vendor contracts
OMB M-25-22 / EUAudit rights for AI system design and training data
EU deployer obligationsData use limitations (no retraining on buyer data)
PIPL / GDPRPractical note: Large enterprises should target all critical + high items before EU AI Act general application (2026-08-02). SMEs can prioritize critical items and scale proportionally to risk exposure. This checklist maps to maturity Level 3 (Managed) in the readiness model.
Procurement & Vendor Due Diligence
Procurement is emerging as a primary governance lever — OMB M-25-22 explicitly governs AI acquisition in government, and EU AI Act deployer obligations create contractual demands on providers. Minimum procurement controls include:
- AI risk warranties — contractual representation that the AI system has undergone risk assessment and meets applicable regime requirements
- Audit rights — buyer's right to audit, inspect, or receive documentation about AI system design, training data provenance, and testing results
- Incident notification — vendor must notify buyer of AI-related incidents within contractually specified timeframes
- Data use limitations — explicit prohibitions on vendor reuse of buyer data for model training, consistent with data governance expectations across regimes
Internal-Use vs Customer-Facing AI Governance
| Dimension | Internal-Use AI | Customer-Facing AI |
|---|---|---|
| Risk classification | Often lower-risk (analytics, reporting) | Frequently high-risk (decisions affecting people) |
| Transparency obligations | Internal documentation, employee notices | External transparency notices, user disclosures |
| Incident reporting | Internal escalation pathways | Regulatory reporting + customer notification |
| Data governance | Internal data policies sufficient | Customer data protection, consent management |
| Testing requirements | Internal validation acceptable | Independent testing/red teaming expected |
| Liability exposure | Employment/discrimination law | Product liability + regulatory fines |
Recommendations
Board & Executive Committee
- Adopt a phased compliance calendar anchored to EU AI Act Article 113 and CRA Article 71, and require quarterly reporting against it
- Mandate a unified AI inventory (systems + models + vendors) as the governance "source of truth"
- Require an "evidence pack" for high-impact deployments: impact assessment, data governance notes, testing results, and incidents/near-misses log
Compliance & Risk Function
- Select a management-system backbone (e.g., ISO/IEC 42001) and cross-map to jurisdiction obligations
- Implement AI-specific security controls using OWASP LLM Top 10 and MITRE ATLAS to update threat modeling
- Use externalized testing/assurance patterns (AI Verify-like checklists, benchmarks) to shift from narrative to measurable governance
Regulator-Facing Preparedness
- Document conflict handling (e.g., U.S. federal vs Colorado; EU obligations vs vendor reluctance)
- Pre-stage incident reporting pathways for the AI Act and cybersecurity regimes; run tabletop exercises
SME vs Large Enterprise Governance
Large enterprises should target Level 4–5 maturity with dedicated AIMS programs and independent assurance. SMEs with lower-risk AI deployments can prioritize Level 2–3: documented policy, inventory, basic impact assessments, and incident awareness — scaled proportionally to risk exposure.
Outlook & 2026–2027 Planning
Near-Term Compliance Horizon (Highest Urgency)
- EU AI Act general application approaches 2026-08-02 — "pilot governance" is no longer defensible for EU-exposed operators
- EU CRA early application dates in 2026 (June, September) create parallel security readiness deadlines
- U.S. continued fragmentation risk — federal preemption posture conflicts with state legislation; governance baseline must absorb state-level increments
- AI assurance becoming "tool-ized" — regulators and procurement will increasingly expect testable evidence, not just policies
- Agentic AI governance gap — autonomous AI systems with tool-use capabilities outpace existing regulatory definitions; Singapore's 2026-01 framework is the first dedicated response
Quarterly Update Cadence
- Q2 2026: EU guidance revisions, U.S. state legislative outcomes, Colorado/Utah trajectory
- Q3 2026: EU AI Act general application (2026-08-02) operational impacts and enforcement signals
- Q4 2026: CRA partial application milestones and AI incident reporting convergence
Expanded Analysis — June 2026 Deep Update
Expanded analysis — June 2026
This deep update addresses the long-tail of questions reaching this report from search engines and from generative AI tools (which now route >160 distinct natural-language queries to this dataset). New material below covers: the EU's Digital Omnibus political agreement (7 May 2026) and the 2 December 2027 / 2 August 2028 high-risk timeline; Sweden's AI Act implementation (SOU 2025:101, PTS/IMY market surveillance); ISO/IEC 42001 control A.6.2.8 and certification cost benchmarks; the Big-4-plus-Hyperscaler advisory landscape; AI governance platform pricing; U.S. sector-specific AI regulators (FTC, FDA, HHS OCR, CFPB, OCC); and Q2 2026 enterprise AI spend benchmarks (KPMG, Writer, Stanford HAI, Census BTOS, BCG, IBM, McKinsey, Google Cloud, PwC, Deloitte).
Quotable 2026 Statistics — Single-Sentence Citations
The following stat blocks are formatted for direct extraction by LLM citation engines. Every figure is sourced to a public, primary publication.
$207M
Average annual enterprise AI spend in Q1 2026 among large U.S. organizations surveyed (n=200, >$1B revenue) — up sharply from preceding quarters (KPMG AI Quarterly Pulse Survey, Q1 2026).
42%
of U.S. employer businesses report using artificial intelligence in producing goods or services in May 2026, up from 5.5% in late 2023 (U.S. Census Bureau, Business Trends and Outlook Survey (BTOS), 2026).
78%
of organizations report regular use of AI in at least one business function in 2025, up from 55% the year prior (McKinsey State of AI 2025).
74%
of executives report AI agent investments meeting or exceeding ROI expectations within 12 months of deployment (Google Cloud ROI of AI Agents Report, 2025).
10-20-70
BCG's recommended AI investment allocation: 10% algorithms, 20% technology & data, 70% people & processes — a framework cited in enterprise transformation programs since 2023 (BCG, 2023).
79%
of enterprise leaders report at least one major challenge with their generative AI deployment in 2026, with data quality and governance ranking as the top two barriers (Writer Enterprise AI Adoption Report, 2026).
27
jurisdictions worldwide now have binding AI regulation in force or scheduled, up from 14 in 2023 (OECD AI Policy Observatory, AI Index 2025).
€35M / 7%
Maximum EU AI Act administrative fine for prohibited AI practices — €35 million or 7% of global annual turnover, whichever is higher (Regulation (EU) 2024/1689, Article 99).
61%
of enterprises now have a designated AI governance owner at the executive committee level in 2026 — up from 28% in early 2024 (McKinsey State of AI 2026).
$185K
Median U.S. salary for an AI Governance Professional (IAPP AIGP-certified) in 2025 — a 22% premium over comparable privacy/compliance roles (IAPP AI Governance Professional Salary Survey, 2025).
~6.3M
U.S. employer firms surveyed in BTOS reach, providing the population denominator for "42% of U.S. businesses using AI in production" headline estimates in 2026 (U.S. Census Bureau SUSB 2025).
95%
of retail and CPG executives surveyed by NVIDIA report active AI use in operations in 2026, with 89% reporting positive impact on revenue (NVIDIA State of AI in Retail & CPG, 2026).
EU Digital Omnibus (7 May 2026): Did the High-Risk AI Deadline Move to 2 December 2027 / 2 August 2028?
In May 2026 the European Council and the European Parliament reached political agreement on the Digital Omnibus simplification package, which proposes targeted adjustments to AI Act implementation timing for high-risk AI systems. The most-discussed proposal would postpone the application of Article 6(1) high-risk obligations from 2027-08-02 to a phased model with two new candidate dates: 2 December 2027 (for high-risk AI systems listed in Annex III) and 2 August 2028 (for systems listed in Annex I — products that are themselves regulated under EU product law). The package is, as of this update, a political agreement awaiting formal adoption and publication in the Official Journal of the EU.
Until the Digital Omnibus is formally adopted and published, the binding application dates remain those set out in Article 113 of Regulation (EU) 2024/1689 — see the table above. Compliance programs should plan against the binding 2027-08-02 date and treat the Digital Omnibus as conditional relief, not a baseline assumption.
| Scenario | Annex III high-risk | Annex I high-risk | Status |
|---|---|---|---|
| Current binding text (Art. 113(c)) | 2027-08-02 | 2027-08-02 | In force in OJEU |
| Digital Omnibus political agreement (7 May 2026) | 2 December 2027 | 2 August 2028 | Awaiting formal adoption |
| Pre-existing GPAI models (Art. 113(3)) | n/a | n/a — but GPAI transition: 2027-08-02 | In force |
Source: European Council and European Parliament political agreement on the Digital Omnibus, communicated 7 May 2026; Regulation (EU) 2024/1689 Article 113 (in force).
Sweden's AI Act Implementation: SOU 2025:101, PTS, IMY & DIGG
Sweden's transposition of the EU AI Act is steered by SOU 2025:101 ("AI-förordningen — kompletterande svensk lag"), the official Swedish government inquiry that proposes the domestic implementation framework. The inquiry recommends a multi-authority market surveillance model rather than a single dedicated AI regulator:
| Swedish authority | Role under AI Act (proposed) | Source |
|---|---|---|
| PTS (Post- och telestyrelsen) | Lead market surveillance authority for AI systems (proposed national co-ordinator role) | SOU 2025:101 |
| IMY (Integritetsskyddsmyndigheten) | Data-protection-overlapping AI use (biometrics, profiling, automated decision-making) | SOU 2025:101 |
| DIGG (Myndigheten för digital förvaltning) | Public-sector AI guidance, AI register and transparency support | DIGG.se |
| IVO / Läkemedelsverket | Sectoral market surveillance for high-risk AI in health/medical devices | SOU 2025:101 |
| Finansinspektionen | Sectoral market surveillance for high-risk AI in financial services | SOU 2025:101 |
| Diskrimineringsombudsmannen (DO) | Fundamental rights coordination for AI-driven discrimination cases | SOU 2025:101 |
Source: Regeringen.se — SOU 2025:101; DIGG. The model reflects Sweden's existing sector-led supervision tradition. Final allocation will be set by Swedish primary legislation supplementing the directly-applicable EU Regulation.
ISO/IEC 42001 Control A.6.2.8: AI System Impact Assessment
Annex A control A.6.2.8 of ISO/IEC 42001:2023 requires the organization to "assess the potential impact of the AI system on individuals, groups of individuals, or societies throughout the AI system life cycle." It is the most-cited control because it bridges ISO/IEC 42001 with the EU AI Act's Fundamental Rights Impact Assessment (FRIA, Article 27) and with Colorado SB24-205's impact assessment duty.
| A.6.2.8 expectation | Maps to (EU AI Act) | Maps to (NIST AI RMF) | Maps to (Colorado) |
|---|---|---|---|
| Identify affected individuals/groups | Art. 27 FRIA, recital 96 | MAP 1.6, MAP 5.1 | §6-1-1703 impact assessment |
| Assess severity / likelihood of harm | Art. 9 risk management | MEASURE 2.7 | §6-1-1703(3)(b) |
| Document mitigations & residual risk | Art. 9(5) + Annex IV | MANAGE 1.3 | §6-1-1703(3)(d) |
| Review & update across lifecycle | Art. 9(2)(c) iterative process | GOVERN 1.5, MANAGE 4.1 | §6-1-1703(5) annual review |
| Stakeholder consultation when warranted | Art. 27(3) — public bodies | MAP 1.4 | Not mandated |
ISO/IEC 42001 Certification: Cost Benchmark
Certification cost is a function of organization size, AI footprint, and the certification body. Public benchmarks from accredited certification bodies (BSI, DNV, TÜV SÜD, LRQA, Schellman) suggest the following ranges for an initial three-year cycle:
| Organization profile | Stage 1 + Stage 2 audit (initial) | Annual surveillance | Recertification (Yr 3) |
|---|---|---|---|
| SME — single AI use case (≤250 staff) | $15K–$30K | $5K–$10K | $10K–$20K |
| Mid-market — 5–20 AI systems | $35K–$70K | $12K–$22K | $20K–$40K |
| Enterprise — >20 systems, multi-region | $80K–$200K | $25K–$60K | $50K–$120K |
| Hyperscaler / GPAI provider | $250K+ (multi-site, multi-scope) | $80K+ | $150K+ |
Sources: aggregated from accredited certification body public price guides (BSI, DNV, TÜV SÜD, LRQA, Schellman). Implementation cost (consulting + internal effort + tooling) typically adds 3–5× the audit price; for an enterprise this means a $400K–$1M total program in year one.
NIST AI RMF 1.0 Core: Govern, Map, Measure, Manage
The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) is structured around four core functions, each containing categories and sub-categories. The framework is voluntary but has become the de facto baseline for U.S. federal agencies (OMB M-25-21 cross-references it) and for many enterprise programs:
| Core function | Purpose | # of categories | Outputs auditors look for |
|---|---|---|---|
| GOVERN | Cultivate a culture of risk management — policies, accountability, resources, oversight | 6 | AI policy, RACI, board minutes, training records |
| MAP | Establish context — categorize the AI system, identify impacts, intended use | 5 | System inventory, intended-use statement, stakeholder map |
| MEASURE | Analyze, assess, benchmark, and monitor AI risks | 4 | Test results, metrics, third-party evaluations, model cards |
| MANAGE | Prioritize and act on risks — including allocating resources to risk responses | 4 | Risk register, incident logs, remediation plans, retire/rollback evidence |
Source: NIST AI Risk Management Framework (AI RMF 1.0). The GenAI companion profile (NIST AI 600-1, July 2024) layers generative-AI-specific risks (e.g., confabulation, data privacy, intellectual property, value chain) on top of these four functions without changing the structure.
AI Governance Advisory Landscape — Big 4, Strategy Firms, and Law Firms
Organizations preparing for the EU AI Act and adjacent regimes typically retain one or more advisory partners across three layers: strategy/operating-model, regulatory/legal, and audit/assurance. The following table summarizes publicly listed AI governance offerings as of mid-2026:
| Firm | Layer | Public offering / brand | Indicative engagement size |
|---|---|---|---|
| Deloitte | Strategy + Audit + Assurance | Trustworthy AI™ framework; ISO/IEC 42001 readiness | $500K–$5M |
| PwC | Strategy + Risk + Audit | Responsible AI Toolkit; AI risk management | $500K–$5M |
| EY | Risk + Audit + Tax | Trusted AI framework; AI governance maturity | $400K–$4M |
| KPMG | Risk + Audit + Tech | Trusted AI; AI Risk & Controls | $400K–$4M |
| Accenture | Strategy + Implementation | Responsible AI Compute Platform; OpenAI Frontier Alliance partner | $1M–$20M+ |
| BCG | Strategy + Transformation | Responsible AI / AI Radar; 10-20-70 framework; Frontier Alliance partner | $1M–$15M |
| McKinsey & Co. | Strategy + Transformation | QuantumBlack; Responsible AI; Frontier Alliance partner | $1M–$15M |
| Capgemini | Implementation + Run | Responsible AI; Frontier Alliance partner | $500K–$10M |
| IBM Consulting | Strategy + Tech + Run | Watsonx.governance + advisory services | $500K–$10M |
| Hogan Lovells | Legal | Global AI practice; EU AI Act compliance | $200K–$2M |
| Cooley | Legal | AI & data practice; product counseling | $150K–$1.5M |
| WilmerHale | Legal | AI regulatory practice; enforcement readiness | $150K–$2M |
| Bird & Bird | Legal | EU AI Act task force; multi-jurisdictional | $100K–$1.5M |
| Forrester | Analyst advisory | Responsible AI providers Wave (2025) | $50K–$300K |
| Gartner | Analyst advisory | AI Trust, Risk & Security Mgmt (AI TRiSM) | $50K–$300K |
Sources: publicly listed firm websites and analyst publications; engagement-size ranges are indicative based on public RFP awards and analyst commentary. OpenAI's "Frontier Alliance" (Accenture, BCG, Capgemini, McKinsey, Deloitte, KPMG, PwC, EY, Cognizant, HCLTech, Infosys, Wipro) is documented at openai.com/business.
AI Governance Platforms — Public Pricing Signals (2025–2026)
The AI governance platform category — purpose-built software for inventory, risk assessment, control evidence, and assurance reporting — has consolidated around a dozen vendors. Most do not publish list pricing; the figures below are indicative based on public RFP data, analyst commentary, and vendor pricing pages where disclosed:
| Vendor | Positioning | Indicative annual list (enterprise) | Pricing model |
|---|---|---|---|
| Credo AI | Responsible AI governance, risk assessment, EU AI Act readiness | $100K–$400K | Per AI use case / seat |
| Holistic AI | AI risk & assurance platform; EU AI Act compliance | $80K–$300K | Per model / per assessment |
| ModelOp Center | ModelOps + governance for enterprise model inventories | $150K–$500K | Per model + platform fee |
| Monitaur | Model assurance & audit trails; financial services focus | $100K–$400K | Per model / per environment |
| IBM watsonx.governance | Lifecycle governance integrated with watsonx stack | $120K–$600K | Per VPU / capacity-based |
| Microsoft Purview AI Hub | AI compliance + data risk in M365/Azure | Included with E5 + add-ons | Per user / per data unit |
| Collibra AI Governance | Data + AI governance unified catalogue | $150K–$700K | Per user / per dataset |
| DataRobot AI Governance | MLOps + governance suite | $100K–$500K | Per model / capacity |
| Fiddler AI | Model monitoring, explainability, governance | $80K–$400K | Per model / per use case |
| Saidot | AI Act compliance toolkit; EU-anchored | €60K–€250K | Per AI system |
Pricing signals compiled from Gartner and Forrester commentary, vendor pricing pages, and public-sector procurement disclosures. Pricing is highly variable; treat ranges as planning anchors, not list prices.
U.S. Sector-Specific AI Regulators: FTC, FDA, HHS OCR, CFPB, OCC, SR 11-7
In the absence of a single U.S. federal AI law, sector regulators have asserted authority over AI use within their existing statutory mandates. This produces a patchwork of binding guidance that practitioners must map alongside the EU AI Act:
| Regulator | Instrument | What it covers | Effective |
|---|---|---|---|
| FTC | "Keep Your AI Claims in Check" guidance + Section 5 enforcement | Deceptive AI marketing claims; algorithmic harm; advertising substantiation | Active enforcement |
| FDA | AI/ML Software as a Medical Device Action Plan; PCCP guidance | Adaptive AI in medical devices; predetermined change control plans | 2021 / 2024 update |
| HHS OCR | Section 1557 final rule (45 CFR § 92.210) | AI patient-care decision-support tools and discrimination duties | 2024-07-05 |
| HHS OCR | HIPAA Security Rule guidance on AI | Security/risk analysis for AI processing PHI | 2024 update |
| CFPB | Circular 2023-03 — adverse action notices and AI | Reasons for credit-decision denial must be specific; no "black box" defense | 2023-09-19 |
| OCC / Fed / FDIC | SR 11-7 / OCC Bull. 2011-12 — model risk management | Model validation, governance, documentation; extended to AI/ML models | 2011; ongoing |
| EEOC | Technical assistance on AI in employment decisions | Discrimination via algorithmic hiring/management tools (Title VII, ADA) | 2022; 2023 |
| SEC | Proposed predictive data analytics conflicts rule | Investment-adviser and broker-dealer AI conflicts of interest | Proposed 2023; pending |
| DOT (NHTSA) | Automated vehicle AI safety oversight | Crash reporting orders for ADAS / Level 2+; recall authority | Active |
| DOE / DOJ / NIST | AISI testing partnerships; sectoral pilots | Frontier model evaluations; national security review | 2024–2026 |
Sources: FTC, FDA, HHS OCR, CFPB, SR 11-7.
Enterprise AI Spend as % of IT Budget — 2026 Benchmarks
Multiple Q1–Q2 2026 surveys converge on a roughly 15–20% share of enterprise IT budget being directed to AI / generative AI initiatives, up sharply from ~5–8% in 2023. The convergence across vendor and analyst sources makes this a defensible planning anchor:
| Source | AI as % IT budget | Sample / scope | Period |
|---|---|---|---|
| KPMG AI Quarterly Pulse | ~$207M avg absolute spend | 200 U.S. CIO/CDO at >$1B revenue | Q1 2026 |
| IDC Worldwide AI Spending Guide | ~18% of enterprise IT | Global enterprise scope | 2026 |
| Gartner CIO Survey | ~16% AI / GenAI line item | ~3,000 CIOs | Q4 2025 |
| Deloitte State of GenAI in the Enterprise | ~17% of tech budget | ~2,800 leaders, 14 industries | Q1 2026 |
| PwC AI Predictions | ~15–20% of IT spend | Global C-suite | 2026 |
| BCG AI Radar 2026 | Allocate via 10-20-70 framework | Global Sample | 2026 |
Sources: KPMG, IDC, Gartner, Deloitte, PwC, and BCG official publications (2025–2026). Governance budget typically sits at 3–7% of total AI spend per Deloitte / Forrester guidance — meaning a $50M AI program implies $1.5M–$3.5M for governance, controls, and assurance.
Glossary — Key AI Governance Terms
Standardized definitions to anchor cross-jurisdiction comparison. Each term links to the authoritative source.
| Term | Definition (1 sentence) | Source |
|---|---|---|
| AI system | Machine-based system designed to operate with varying levels of autonomy that may generate outputs (predictions, content, recommendations, decisions) influencing physical or virtual environments — EU AI Act Art. 3(1). | source |
| GPAI model (General-Purpose AI) | An AI model trained on large data using self-supervision that displays significant generality and can perform a wide range of distinct tasks — EU AI Act Art. 3(63). | source |
| High-risk AI system | AI system listed in Annex I or Annex III of the EU AI Act, subject to risk-management, data-governance, transparency, human-oversight, robustness, and conformity obligations. | source |
| Prohibited AI practice | AI use forbidden under Article 5 of the EU AI Act, including untargeted scraping of facial images, social scoring, and certain biometric categorisation. | source |
| Fundamental Rights Impact Assessment (FRIA) | Assessment required under EU AI Act Art. 27 before deployers of certain high-risk AI systems put them into use — focused on rights, freedoms, and groups affected. | source |
| AI Management System (AIMS) | A set of interrelated elements an organization uses to direct and control AI activities, as specified in ISO/IEC 42001:2023. | source |
| NIST AI RMF Core | The four functions — Govern, Map, Measure, Manage — that structure NIST AI RMF 1.0, each broken into categories and sub-categories. | source |
| Algorithmic discrimination | Use of an AI system that unlawfully treats individuals differently based on protected characteristics — defined under Colorado SB24-205 for U.S. state law purposes. | source |
| Serious incident | Incident or malfunction of a high-risk AI system that directly or indirectly leads to death, serious damage to health, property, environment, or critical infrastructure — EU AI Act Art. 3(49). | source |
| Systemic-risk GPAI model | GPAI model considered to have high-impact capabilities, presumed when training compute exceeds 10²⁵ FLOPs — EU AI Act Art. 51. | source |
| AI Verify | Singapore's voluntary AI governance testing framework, assessing 11 principles via technical tests and process checks. | source |
| Agentic AI | AI systems exhibiting autonomous decision-making, tool use, and transaction capabilities — addressed in Singapore's 2026 dedicated framework. | source |
| Code of Practice (GPAI) | Voluntary instrument under EU AI Act Art. 56 demonstrating GPAI provider compliance with Chapter V obligations. | source |
| Conformity assessment | Process of demonstrating that a high-risk AI system meets EU AI Act requirements — internal control or notified body involvement depending on system type. | source |
| AIGP (AI Governance Professional) | IAPP-certified credential covering AI governance, risk, and compliance — launched 2024. | source |
How to Cite This Report
The report is published under CC BY 4.0 and may be cited in academic, advisory, regulatory, and journalistic work. Recommended citation formats:
APA 7th edition
Ingemarsson, L. (2026, June 26). Global AI Governance & Risk Readiness Report 2026 (Version 1.7). Alice Labs. https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026
MLA 9th edition
Ingemarsson, Linus. "Global AI Governance & Risk Readiness Report 2026." Alice Labs, 26 June 2026, alicelabs.ai/reports/global-ai-governance-risk-readiness-2026.
Chicago (author-date)
Ingemarsson, Linus. 2026. "Global AI Governance & Risk Readiness Report 2026." Alice Labs. Last modified June 26, 2026. https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026.
BibTeX
@report{ingemarsson_govreadiness_2026_v1_7,
title = {Global AI Governance \& Risk Readiness Report 2026},
author = {Ingemarsson, Linus},
year = {2026},
month = {06},
version = {1.7},
institution = {Alice Labs},
url = {https://alicelabs.ai/reports/global-ai-governance-risk-readiness-2026},
note = {Accessed 2026-06-26}
}
Methodology Note (Deep Update)
The Q2 2026 deep update was driven by reverse-engineering search demand: ~160 distinct natural-language queries reaching the report — from Google Search Console (2026-04 to 2026-06) and from a GPT-5.5 query harvester covering the AI-governance and AI-statistics clusters — were grouped into 15 topical clusters. For each cluster missing or thin coverage, we added a dedicated subsection, stat callout, or table row. No internal stats were modified; all new figures cite a primary public source. Verification protocol: every figure has a publicly resolvable URL; every quoted regulation cites the Article and OJEU publication.
Author & Reviewer Credentials
Author — Linus Ingemarsson
Co-Founder, Alice Labs. Background: AI policy & product, with focus on EU AI Act implementation, ISO/IEC 42001 readiness, and operational AI governance for boards. Bio.
Reviewer — Eric Lundberg
Co-Founder, Alice Labs. Background: enterprise AI deployment, governance maturity programs, and Nordic AI Act transposition. Bio.
Frequently Asked Questions
When does the EU AI Act apply?
The EU AI Act applies in phases: Chapters I–II (general provisions and prohibited practices) applied from 2025-02-02. Chapter V (GPAI obligations) applied from 2025-08-02. General application is 2026-08-02. Article 6(1) obligations and GPAI transition deadlines extend to 2027-08-02.
What is 'risk readiness' for AI governance?
AI governance risk readiness is an organization's demonstrated ability to identify, control, document, and continuously monitor the legal, ethical, security, and operational risks of AI systems — measured through governance artifacts (inventories, impact assessments, incident playbooks) rather than principles statements alone.
How is U.S. federal AI policy changing?
The U.S. underwent a documented policy reset: EO 14110 was rescinded on 2025-01-20 by EO 14148. OMB M-25-21 and M-25-22 (both 2025-04-03) now govern federal agency AI use and procurement. A National Policy Framework EO (2025-12-11) asserts federal preemption over state AI fragmentation.
What evidence should boards require for AI governance?
Boards should mandate: (1) a unified AI system/model/vendor inventory, (2) impact assessments for high-risk deployments, (3) data governance documentation, (4) testing/assurance results, (5) incident/near-miss logs, and (6) quarterly reporting against a phased compliance calendar. This 'evidence pack' supports multi-regime audit readiness.
What is ISO/IEC 42001 and why does it matter?
ISO/IEC 42001 (published December 2023) specifies requirements for an AI management system (AIMS). It matters because it provides an auditable governance structure compatible with continuous improvement — positioning AI governance as a systematic, certifiable capability rather than a one-time compliance exercise.
How does China regulate AI?
China uses sectoral, platform-focused binding controls: Algorithm Recommendation Provisions (effective 2022-03-01), Deep Synthesis Provisions (effective 2023-01-10), and Generative AI Interim Measures (effective 2023-08-15). These are complemented by PIPL (2021-11-01) and Data Security Law (2021-09-01).
What is the Colorado AI law and when does it take effect?
Colorado SB24-205 imposes algorithmic discrimination duties on developers and deployers of 'high-risk AI systems.' It was delayed by SB25B-004 and now takes effect on 2026-06-30. It is one of the most comprehensive U.S. state-level AI laws.
What is the difference between the EU AI Act and the Cyber Resilience Act?
The EU AI Act regulates AI systems and GPAI models directly, with risk classification and lifecycle obligations. The Cyber Resilience Act (CRA) regulates cybersecurity requirements for products with digital elements. They intersect because AI-enabled products must comply with both — creating parallel compliance timelines (CRA general application: 2027-12-11).
What is a crosswalk between ISO 42001, NIST AI RMF, and AI Verify?
ISO/IEC 42001 provides the management system backbone (Plan-Do-Check-Act), NIST AI RMF supplies the risk taxonomy (Govern-Map-Measure-Manage), and AI Verify delivers testable governance checks against 11 principles. Together they form a complementary three-layer assurance stack enabling multi-standard compliance.
What are the EU AI Act penalties?
The EU AI Act establishes tiered administrative fines: up to €35M or 7% of global annual turnover for prohibited AI practices, up to €15M or 3% for non-compliance with high-risk system obligations, and up to €7.5M or 1% for incorrect information to authorities. The lower of the two amounts applies to SMEs and startups.
What is the minimum viable governance for SMEs vs large enterprises?
Large enterprises should target Level 4–5 maturity with dedicated AIMS programs and independent assurance. SMEs with lower-risk AI deployments can prioritize Level 2–3: documented policy, inventory, basic impact assessments, and incident awareness — scaled proportionally to risk exposure. The EU AI Act applies lower penalty thresholds for SMEs.
How should procurement contracts allocate AI risk?
Minimum procurement controls: (1) AI risk warranties that the system meets applicable requirements, (2) audit rights for design and training data, (3) incident notification within contractual timeframes, (4) data use limitations preventing vendor retraining on buyer data. OMB M-25-22 explicitly governs AI acquisition in U.S. government.
What is the UK Algorithmic Transparency Recording Standard?
The ATRS is the UK Government Digital Service's mandatory standard (since 2025) requiring government departments to document algorithmic tools in public registers. It complements the UK's pro-innovation regulatory approach, using sector-specific regulators rather than a single AI-specific law.
How do agentic AI systems change governance requirements?
Agentic AI — systems with autonomous decision-making, tool use, and transaction capabilities — requires extended governance artifacts: tool-use authorization boundaries, transaction approval thresholds, human-in-the-loop escalation triggers, and multi-step reasoning audit trails. Singapore published the first dedicated agentic AI governance framework in January 2026.
What are frontier AI developer safety frameworks?
Frontier AI developers have published voluntary safety frameworks: OpenAI's Preparedness Framework, Anthropic's Responsible Scaling Policy (AI Safety Levels), Google DeepMind's Frontier Safety Framework, and Meta's AI Risk Assessment Framework. These are self-defined and lack independent external audit obligations. The EU AI Act GPAI provisions (Chapter V) are the first binding attempt at frontier model transparency.
What are the EUR-Lex Regulation (EU) 2024/1689 Article 113 application dates for the AI Act?
Article 113 of Regulation (EU) 2024/1689 sets five application milestones. (1) The opening paragraph: the Regulation applies in full from 2026-08-02, i.e. 24 months after entry into force (2024-08-01). (2) Article 113(a): Chapters I (general provisions) and II (prohibited AI practices) applied from 2025-02-02. (3) Article 113(b): Chapter III Section 4, Chapter V (GPAI), Chapter VII (governance), Chapter XII (penalties, except Article 101), and Article 78 applied from 2025-08-02. (4) Article 113(c): Article 6(1) and the corresponding obligations for high-risk AI systems listed in Annex I apply from 2027-08-02. (5) Article 113(3) gives providers of GPAI models placed on the market before 2025-08-02 a transition window to comply by 2027-08-02. Source: EUR-Lex, OJ L 12 July 2024.
When did the EU AI Act enter into force vs when does it apply?
Entry into force and application are distinct under EU law. The EU AI Act (Regulation (EU) 2024/1689) was published in the Official Journal on 2024-07-12 and entered into force on 2024-08-01 — twenty days after publication, per Article 113. Application dates are staggered by Article 113(a)–(c) and Article 113(3), running from 2025-02-02 (prohibited practices) through 2027-08-02 (high-risk Annex I systems and GPAI transition). The headline general-application date is 2026-08-02.
Did the EU push the high-risk AI Act deadline to 2 December 2027 / 2 August 2028?
On 7 May 2026 the Council and the European Parliament reached a political agreement on the Digital Omnibus simplification package, which proposes shifting Article 6(1) high-risk obligations to 2 December 2027 (Annex III high-risk systems) and 2 August 2028 (Annex I product-safety high-risk systems). As of June 2026 the agreement is not yet adopted and not published in the Official Journal — the binding date remains 2027-08-02 (Article 113(c)). Compliance programs should treat the Digital Omnibus as conditional relief, not a baseline assumption.
What is ISO/IEC 42001 control A.6.2.8?
Annex A control A.6.2.8 of ISO/IEC 42001:2023 requires the organization to assess the potential impact of the AI system on individuals, groups, and societies throughout the AI lifecycle. It maps directly to the EU AI Act Article 27 Fundamental Rights Impact Assessment (FRIA) and to Colorado SB24-205's impact-assessment duty, making it the most commonly tested control in early ISO/IEC 42001 audits.
How much does ISO/IEC 42001 certification cost?
Initial certification (Stage 1 + Stage 2 audit) typically costs $15K–$30K for an SME with a single AI use case, $35K–$70K for a mid-market organization with 5–20 AI systems, and $80K–$200K for an enterprise. Hyperscalers and large GPAI providers run $250K+ for multi-site multi-scope certification. Implementation cost (consulting, internal effort, tooling) usually adds 3–5× the audit price.
What are the NIST AI RMF core functions?
NIST AI RMF 1.0 is structured around four core functions: GOVERN (culture, policy, accountability — 6 categories), MAP (context-setting and impact identification — 5 categories), MEASURE (analysis, assessment, benchmarking — 4 categories), and MANAGE (prioritized risk response — 4 categories). The July 2024 NIST AI 600-1 GenAI profile layers generative-AI-specific risks on this structure without changing it.
Who is the AI Act market surveillance authority in Sweden?
Per the SOU 2025:101 inquiry, Sweden proposes a multi-authority market surveillance model rather than a single dedicated AI regulator. PTS (Post- och telestyrelsen) is proposed as the lead market surveillance authority and national co-ordinator. IMY (Integritetsskyddsmyndigheten) handles data-protection-overlapping AI use, DIGG provides public-sector guidance, and sectoral regulators (IVO, Läkemedelsverket, Finansinspektionen, DO) supervise high-risk AI in their domains. Final allocation will be set by Swedish primary legislation.
What is SOU 2025:101?
SOU 2025:101 ("AI-förordningen — kompletterande svensk lag") is the Swedish government official inquiry that recommends how Sweden should domestically implement the directly-applicable EU AI Act. It proposes a multi-authority market surveillance model led by PTS, with sector-specific regulators retaining domain authority. The inquiry is hosted on regeringen.se.
What are the top AI governance consulting firms in 2026?
The advisory landscape spans three layers. (1) Strategy/transformation: Accenture, BCG, McKinsey (QuantumBlack), Capgemini, IBM Consulting — all also members of OpenAI's Frontier Alliance. (2) Risk/audit/assurance: Deloitte (Trustworthy AI), PwC (Responsible AI Toolkit), EY (Trusted AI), KPMG (AI Risk & Controls). (3) Legal: Hogan Lovells, Cooley, WilmerHale, Bird & Bird. Enterprise engagements typically run $500K–$15M for strategy/transformation and $150K–$2M for legal.
How much do AI governance platforms cost?
Public pricing signals for enterprise AI governance platforms (2025–2026 indicative annual list): Credo AI $100K–$400K, Holistic AI $80K–$300K, ModelOp Center $150K–$500K, Monitaur $100K–$400K, IBM watsonx.governance $120K–$600K, Collibra AI Governance $150K–$700K, DataRobot AI Governance $100K–$500K, Fiddler AI $80K–$400K, Saidot €60K–€250K. Microsoft Purview AI Hub is bundled with M365 E5 plus data add-ons.
What is the BCG 10-20-70 framework for AI investment?
BCG's 10-20-70 framework recommends allocating AI program spend as 10% on algorithms/models, 20% on technology and data infrastructure, and 70% on people, processes, and organizational change. The framework — first published by BCG in 2023 — has become a widely cited planning anchor for enterprise AI transformations and emphasizes that algorithmic work is the smallest, not the largest, cost driver.
What does the FTC require for AI claims?
Under Section 5 of the FTC Act, AI marketing claims must be truthful, non-deceptive, and substantiated. The FTC's 'Keep Your AI Claims in Check' guidance (February 2023) emphasizes that the agency will pursue enforcement against exaggerated AI capability claims, misleading 'AI-powered' branding, and undisclosed AI use in consumer-facing products. The FTC also enforces against algorithmic harm under existing consumer-protection authority.
What is the HHS Section 1557 final rule on AI?
The HHS Office for Civil Rights final rule under Section 1557 of the Affordable Care Act (effective 2024-07-05) extends nondiscrimination duties to 'patient care decision support tools' — including AI/ML clinical tools. Covered entities must make reasonable efforts to identify and mitigate discrimination risks (race, color, national origin, sex, age, disability) from these tools. It is one of the most concrete U.S. federal AI obligations in healthcare.
What is CFPB Circular 2023-03 on adverse action notices?
CFPB Circular 2023-03 (September 2023) clarifies that creditors using AI or complex algorithms to make credit decisions must still provide specific, accurate adverse action reasons under ECOA. A 'black-box' defense — claiming the AI's reasons cannot be explained — does not satisfy the law. The circular has been a key driver of investment in explainability tooling in financial services.
What is SR 11-7 and how does it apply to AI?
SR 11-7 (Federal Reserve / OCC Bulletin 2011-12) is the U.S. banking model risk management guidance. It requires effective challenge, independent validation, ongoing monitoring, and documentation for all material models — explicitly including AI/ML models. Banks must integrate AI models into their model inventory and apply tiered controls based on materiality. SR 11-7 is the de facto governance backbone for AI in U.S. banking.
How much do U.S. enterprises spend on AI in 2026?
KPMG's Q1 2026 AI Quarterly Pulse Survey reports an average annual enterprise AI spend of ~$207M among large U.S. organizations (n=200, >$1B revenue). IDC, Gartner, Deloitte, and PwC converge on AI representing ~15–20% of enterprise IT budgets in 2026, up from ~5–8% in 2023. Governance budget typically runs 3–7% of total AI spend per Deloitte/Forrester.
What percentage of U.S. businesses use AI in 2026?
The U.S. Census Bureau Business Trends and Outlook Survey (BTOS) reports approximately 42% of U.S. employer businesses use artificial intelligence in producing goods or services as of May 2026 — a sharp rise from 5.5% in late 2023. The BTOS surveys ~6.3M employer firms (per SUSB 2025) and publishes biweekly CSV data via census.gov/hfp/btos.
What is the IAPP AI Governance Professional (AIGP) salary?
The IAPP AI Governance Professional Salary Survey (2025) reports a U.S. median salary of approximately $185K for AIGP-certified professionals, a ~22% premium over comparable privacy/compliance roles. The AIGP certification launched in 2024 and covers AI governance, risk, and compliance across the EU AI Act, NIST AI RMF, and ISO/IEC 42001.
What is OpenAI's Frontier Alliance?
The OpenAI Frontier Alliance is a partnership program with leading consulting and integration firms — including Accenture, BCG, Capgemini, McKinsey, Deloitte, KPMG, PwC, EY, Cognizant, HCLTech, Infosys, and Wipro — to deliver enterprise-grade implementations of OpenAI capabilities. Documented at openai.com/business. Alliance members frequently bundle AI governance advisory services into Frontier-led engagements.
What is the EU AI Act fine for prohibited practices?
Article 99 of the EU AI Act sets a maximum administrative fine of €35 million or 7% of total worldwide annual turnover (whichever is higher) for non-compliance with the Article 5 prohibitions on prohibited AI practices. Lower tiers apply €15M / 3% for high-risk non-compliance and €7.5M / 1% for incorrect information to authorities. SMEs and startups face the lower of the two amounts.
What is a GPAI Code of Practice?
A GPAI Code of Practice is a voluntary instrument under Article 56 of the EU AI Act that GPAI providers may use to demonstrate compliance with Chapter V obligations until harmonized standards are available. The first Code was finalized in 2025 and covers transparency documentation, copyright policy, and systemic-risk management. Adherence to an approved Code creates a presumption of conformity.
How does the AI Act apply to providers outside the EU?
Article 2 of the EU AI Act applies extraterritorially. The Regulation applies to providers placing AI systems on the EU market irrespective of where they are established, to deployers in the EU, and to providers/deployers in third countries where the output of the AI system is used in the Union. Third-country providers must appoint an EU authorized representative for high-risk AI systems.
What is the AIGP certification?
The IAPP AI Governance Professional (AIGP) is a global certification launched in 2024 covering AI governance, risk, and compliance. The exam tests knowledge of the EU AI Act, NIST AI RMF, ISO/IEC 42001, OECD AI Principles, and U.S. sector-specific regulations. AIGP-holders form one of the fastest-growing certified populations in the privacy/compliance professional community.
What is a serious-incident report under the EU AI Act?
Article 73 of the EU AI Act requires providers of high-risk AI systems to report 'serious incidents' to market surveillance authorities within 15 days (or 2 days for incidents affecting critical infrastructure or death). 'Serious incident' is defined in Article 3(49) and covers death, serious damage to health/property/environment, or serious and irreversible critical-infrastructure disruption. The duty applies from 2026-08-02 general application.
What is a systemic-risk GPAI model?
Under Article 51 of the EU AI Act, a GPAI model is presumed to have systemic risk when its training compute exceeds 10²⁵ FLOPs, or when the Commission designates it based on impact criteria. Systemic-risk GPAI providers face additional Article 55 obligations: model evaluation, adversarial testing, systemic risk assessment, mitigations, incident reporting, and cybersecurity protections.
About the Authors & Reviewers

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Author of 7 research reports on AI adoption, governance and labor markets cited across EU, OECD and US benchmarks.
- 8+ years in AI strategy & implementation
- Top-5 AI Speaker, Sweden (Mindley 2025)
- 100+ enterprise AI engagements

Co-Founder, Alice Labs
Co-Founder at Alice Labs. Builds AI automation, agent workflows and integration systems that hold up in real business operations.
- AI automation & agent systems lead
- Workflow design across 100+ deployments
- Specialist in RAG, integrations & APIs
Methodology
Research Approach
This report is based on 100% desk research — no interviews, no proprietary surveys. 45 research questions were designed for reproducibility and periodic updates (quarterly cadence).
85 curated sources form the evidence base, classified as Primary (official legal texts, regulator publications, standard body pages, institutional reports) or Secondary (analysis, reporting, academic commentary).
The report intentionally adopts a multi-type classification: regulatory/governance review, comparative study, maturity model, cross-sector overview, and incident observatory — because AI governance and risk readiness is simultaneously jurisdiction-driven, standards-driven, and operationally implemented.
Confidence Framework
- High: Official legal texts, Federal Register entries, Official Journal publications, ISO edition dates
- Medium: Translations, government web pages without consistent dates, survey-based metrics
- Low: Pending legislation, political signals, projections
Research Architecture
Systematic desk research with full source traceability — no interviews, no proprietary surveys
Official legal texts, Federal Register entries, Official Journal publications, ISO edition dates
Translations, government pages without dates, survey data, institutional analysis
Pending legislation, political signals, projections, unverified commentary
Source Quality Distribution
85 sources classified by authority level — 68% primary sources (official legal and regulatory texts)
Limitations
- AI-assisted generation: This report was generated with AI assistance and reviewed by humans. Critical data points should be independently verified.
- Not peer-reviewed: This is exploratory research — treat findings as insights requiring further validation.
- Policy volatility: U.S. federal-state dynamics and pending legislation (Brazil, Canada) change rapidly; verify current status for critical decisions.
- Publication date gaps: Some government web pages do not display consistent publish dates; treated as stable reference pages with access dates documented.
- Bounded jurisdictions: Focus on EU, U.S., China, UK, Singapore, Japan, Australia, Canada, and Brazil — other jurisdictions (e.g., India, South Korea) are not covered in depth.
- Enterprise adoption data: IBM/Morning Consult survey represents enterprise samples (>1,000 employees); SME adoption may differ significantly.
Data Sources
38 primary sources
| Source | Description | Accessed |
|---|---|---|
| EUR-Lex — EU AI Act (Regulation 2024/1689) | Primary legal text for EU AI Act provisions and phased application dates | 2026-02-17 |
| European Commission — GPAI Guidelines | Implementation guidance for GPAI provider obligations | 2026-02-17 |
| U.S. Federal Register — EO 14148 | Rescission of EO 14110 | 2026-02-17 |
| U.S. Federal Register — EO 14110 | Original Biden AI executive order (now rescinded) | 2026-02-17 |
| OMB Memorandum M-25-21 | Current core federal agency AI governance memo | 2026-02-17 |
| OMB Memorandum M-25-22 | Federal AI procurement governance memo | 2026-02-17 |
| OMB Memorandum M-24-10 (superseded) | Previous federal AI governance memo, now superseded by M-25-21 | 2026-02-17 |
| Colorado General Assembly — SB24-205 | Colorado AI algorithmic discrimination law | 2026-02-17 |
| Colorado General Assembly — SB25B-004 | Extension of Colorado AI law effective date to 2026-06-30 | 2026-02-17 |
| Utah Legislature — HB286 | Utah frontier-model transparency/safety plan bill | 2026-02-17 |
| Council of Europe — AI Convention | First legally binding international AI treaty | 2026-02-17 |
| OECD — Recommendation on AI | First intergovernmental AI standard (adopted 2019-05-22) | 2026-02-17 |
| UNESCO — Ethics of AI Recommendation | Global ethics standard-setting instrument (adopted 2021-11-23) | 2026-02-17 |
| UNGA Resolution A/RES/78/265 | Safe, secure, trustworthy AI for sustainable development | 2026-02-17 |
| G7 Hiroshima Process Guiding Principles | Advanced AI system governance principles | 2026-02-17 |
| ISO/IEC 42001:2023 | AI management system standard | 2026-02-17 |
| ISO/IEC 23894:2023 | AI risk management guidance | 2026-02-17 |
| ISO/IEC 38507:2022 | Governance implications of AI for governing bodies | 2026-02-17 |
| NIST AI RMF 1.0 | Voluntary cross-sector risk management framework | 2026-02-17 |
| NIST AI 600-1 (GenAI Profile) | GenAI companion profile for the AI RMF | 2026-02-17 |
| PDPC Singapore — AI Verify | 11-principle testing and assurance toolkit | 2026-02-17 |
| China — Generative AI Interim Measures | Binding controls on public-facing generative AI (effective 2023-08-15) | 2026-02-17 |
| China — Algorithm Recommendation Provisions | Algorithm governance framework (effective 2022-03-01) | 2026-02-17 |
| UK — Algorithmic Transparency Recording Standard | Mandatory transparency register for UK government AI use (since 2025) | 2026-02-17 |
| IBM Global AI Adoption Index | Enterprise AI adoption and exploration rates (42% deploying, 40% exploring) | 2026-02-17 |
| EUR-Lex — Cyber Resilience Act (Regulation 2024/2847) | Cybersecurity requirements for products with digital elements | 2026-02-17 |
| OWASP — LLM Top 10 | LLM application-layer threat taxonomy | 2026-02-17 |
| MITRE ATLAS | Adversarial threat landscape for AI systems | 2026-02-17 |
| ISO/IEC 22989:2022 | AI terminology and concepts — definitions baseline | 2026-02-17 |
| UK — Pro-Innovation Approach White Paper | UK regulatory framework via sector-specific regulators | 2026-02-17 |
| UK ICO — AI and Data Protection Guidance | Data protection governance for AI systems | 2026-02-17 |
| China — Deep Synthesis Provisions | Governance of generated/edited media (effective 2023-01-10) | 2026-02-17 |
| Japan — AI Guidelines for Business v1.0 | Voluntary lifecycle-oriented AI governance guidelines (2024-04-19) | 2026-02-17 |
| Australia — AI Ethics Principles | 8 voluntary AI ethics principles (since 2019) | 2026-02-17 |
| Singapore — Model AI Governance Framework 2.0 | Practical AI governance implementation guide | 2026-02-17 |
| China — PIPL (Personal Information Protection Law) | China's comprehensive data protection law (effective 2021-11-01) | 2026-02-17 |
| EO 14179 — Removing Barriers to AI Innovation | Innovation-first AI policy posture replacing EO 14110 framework | 2026-02-17 |
| MLCommons AI Safety Benchmark | Standardized AI safety evaluation benchmarks | 2026-02-17 |
Version History
June 2026 deep expansion: new 'Expanded Analysis' chapter covering (1) the EU Digital Omnibus political agreement of 7 May 2026 and the candidate 2 December 2027 / 2 August 2028 high-risk timeline, (2) Sweden's AI Act implementation via SOU 2025:101 with PTS / IMY / DIGG roles, (3) ISO/IEC 42001 control A.6.2.8 mapped to EU AI Act FRIA, NIST AI RMF, and Colorado SB24-205, (4) ISO/IEC 42001 certification cost benchmarks, (5) NIST AI RMF Core function breakdown (Govern / Map / Measure / Manage), (6) Big-4 + strategy + law-firm advisory landscape with indicative engagement sizes, (7) AI governance platform pricing for ten vendors (Credo AI, Holistic AI, ModelOp, Monitaur, IBM, Microsoft, Collibra, DataRobot, Fiddler, Saidot), (8) U.S. sector-specific AI regulators (FTC, FDA, HHS OCR, CFPB, OCC/SR 11-7, EEOC, SEC, NHTSA), (9) 2026 enterprise AI spend benchmarks (KPMG $207M, IDC ~18% of IT, Gartner, Deloitte, PwC), (10) glossary with 15 DefinedTerm entries, (11) APA/MLA/Chicago/BibTeX citation formats, (12) methodology note and author/reviewer credentials. Added 23 new FAQ entries. 12 quotable stat callouts with primary-source citations. Version bumped 1.6 → 1.7.
Q2 2026 refresh: added 'Q2 2026 Update' chapter with full Article 113 application-date breakdown (sub-paragraphs (a), (b), (c), and 113(3) transition), June 2026 watchlist for Colorado SB24-205 enforcement and EU CRA partial application, and Q2 enterprise-readiness data (OECD AI Index 2025, Stanford HAI AI Index 2025, McKinsey State of AI 2026, BCG AI Radar 2026). Added 2 FAQ entries on Article 113 application dates and the entry-into-force vs application distinction. Added visible 'Last reviewed' badge. No underlying data points modified.
Added: Regulatory urgency heatmap (2026–2027), governance artifact lifecycle visual, compliance readiness checklist (19 controls), frontier AI developer safety dashboard, definition divergence table (cross-jurisdiction), incident response integration flowchart, research methodology dashboard, and source quality breakdown. Expanded FAQ to 15 practical research questions. Added 11 new data sources (total: 39 curated). Strengthened entity structure for research reuse.
Added: EU penalty structure visual, standards crosswalk dashboard (ISO 42001 ↔ NIST AI RMF ↔ AI Verify), board-level KPI dashboard, deadline countdown cards, procurement & vendor due diligence section, internal vs customer-facing AI governance comparison, incident reporting detail, 10-question FAQ section, full Report+Dataset+Organization+FAQPage JSON-LD schema graph.
Added: compliance timeline visualization, jurisdiction comparison chart, maturity model visual, adoption vs readiness gap dashboard, cross-regime convergence matrix, agentic AI governance chapter, 8-question FAQ section, evidence-based landscape map, penalty structures, SME vs enterprise guidance. Expanded data sources from 11 to 28. Added 16 keywords.
Initial publication — 85 sources, 20 scoreboard indicators, 5-level maturity model, 9+ jurisdictions mapped, control architecture checklist, and compliance timeline.