The Great AI Regulation Standoff: How Companies Must Navigate Three Clashing Legal Systems at Once
In 2026, a single AI system can fall under the EU AI Act, multiple US state laws, and evolving federal policy all at the same time, forcing companies to satisfy several rulebooks with one governance program. This jurisdictional collision is reshaping how organizations approach AI compliance, moving it from a checklist exercise into a complex, multi-front legal operation.
The compliance reality is stark: there is no single global AI rulebook. Instead, companies operating internationally must now juggle three distinct regulatory regimes that differ fundamentally in their approach, timeline, and enforcement mechanisms. The EU has enacted binding, risk-tiered obligations that are largely in effect. The US federal government is pushing light-touch rules and attempting to preempt state laws. And individual US states have enacted their own patchwork of AI laws that remain in force unless and until they are actually preempted.
What Is the EU AI Act Requiring Right Now?
The EU AI Act represents the global high-water mark for AI compliance. It classifies AI systems by risk level and attaches specific obligations to each tier. The Act entered into force in August 2024, but 2026 is the year when most of its binding obligations moved from "coming soon" to "in effect".
The timeline has been complex. Prohibited practices and AI-literacy duties began applying in early 2025. Obligations on general-purpose AI models began in August 2025, with the European Commission's enforcement powers over those providers arriving in August 2026. Most remaining provisions, including transparency duties for AI-generated content labeling and chatbot disclosure, were set to apply from August 2026.
However, a provisional "Digital Omnibus" agreement reached in spring 2026 deferred several high-risk obligations. Use-based high-risk systems gained additional time beyond the original August 2026 date, and product-regulated high-risk systems gained time beyond their later deadline. These deferrals are not yet final and should be confirmed with legal counsel.
Penalties for non-compliance remain substantial. The most serious violations, around prohibited practices, can reach tens of millions of euros or a meaningful percentage of global annual turnover, with lower caps for other breaches.
How Does the US Federal Approach Differ From the EU Model?
The US federal approach in 2026 favors a light-touch, innovation-first standard and is actively working to preempt state AI laws it views as burdensome. There is still no single comprehensive federal AI statute. Instead, the federal posture is being set through executive action and proposed legislation, and it remains contested.
In December 2025, the Trump administration signed an executive order directing federal agencies toward a uniform national policy and tasking them with challenging state AI laws seen as inconsistent with it. That order set in motion a Department of Justice litigation effort to contest certain state laws, a Commerce Department evaluation of which state laws are burdensome, and an FTC policy position on how existing consumer-protection law applies to AI.
In March 2026, the White House followed with a national policy framework recommending that Congress legislate broad preemption of state AI laws under a light-touch standard. However, preemption is not settled law. Congressional efforts to preempt state AI regulation have repeatedly stalled, and courts will ultimately decide how far executive action can reach.
The crucial caveat for compliance planning is that state obligations remain in force unless and until they are actually preempted. The prudent posture is to keep complying with applicable state law while monitoring the federal picture closely.
In June 2026, the Trump administration also took more aggressive action on frontier AI models. The administration signed an AI executive order asking frontier AI developers to voluntarily submit their models to the federal government for review up to 30 days before releasing them to "trusted partners." The order directed the Treasury Secretary, the Secretary of Defense through the Director of the National Security Agency, and the Secretary of Homeland Security through the Director of the Cybersecurity and Infrastructure Security Agency to develop a classified benchmarking process to identify and assess covered frontier AI models.
This federal intervention escalated when the Trump administration imposed export controls on Anthropic's Fable 5 and Mythos 5 models after Amazon CEO Andy Jassy reportedly flagged a jailbreak in Fable 5 to Treasury Secretary Scott Bessent. Anthropic CEO Dario Amodei refused senior officials' request to voluntarily withdraw the models, arguing that a "narrow potential jailbreak" falling short of a universal bypass did not justify pulling access broadly. When the administration imposed the controls anyway, Anthropic removed public access to both models globally.
Andy Jassy
"When ad hoc executive actions replace clear standards, America risks surrendering its lead in AI and allowing genuinely dangerous technology to be deployed," warned Brad Carson, president and co-founder of Americans for Responsible Innovation.
Brad Carson, President and Co-founder of Americans for Responsible Innovation
The export controls drew widespread pushback. Legal technology firm Legion LegalTech sued the federal government, arguing the restrictions caused "immediate, irreparable, and existential" harm to its Canada-based developers. A bipartisan group of four House members sent a letter to Commerce Secretary Howard Lutnick demanding answers on the export controls' legal basis and the timeline for restoring access.
After two weeks of negotiation, the Department of Commerce partially restored Mythos 5 on June 26 to roughly 100 vetted US companies, federal agencies, and national labs, and fully rescinded the export controls on June 30. In a letter to Anthropic, Commerce Secretary Howard Lutnick warned the department "reserves the right to reevaluate" if the company fails to maintain adequate safeguards.
What Are the Key US State AI Laws Companies Must Follow?
US states have enacted a patchwork of AI laws that remain in force in 2026, spanning algorithmic accountability, transparency, biometric privacy, and sector-specific rules. Several took effect around the start of 2026, and they are the reason a US compliance program cannot wait for federal clarity.
- Colorado: A risk-based law focused on algorithmic discrimination in consequential decisions, requiring companies to assess and mitigate discriminatory outcomes in high-stakes AI systems.
- California: Measures touching AI transparency, training-data disclosure, and automated decision-making, including requirements to disclose when AI is used in consequential decisions.
- Texas: A responsible-AI governance law requiring organizations to establish governance frameworks and accountability mechanisms for AI systems.
- Utah: AI disclosure and consumer-protection requirements, mandating transparency when AI is used in decisions affecting consumers.
- Illinois: Long-standing biometric privacy rules and AI-in-employment provisions, including restrictions on how biometric data can be collected and used.
Common threads run through these state laws: disclosure when AI is used in consequential decisions, risk assessments for higher-stakes systems, and protections against discriminatory outcomes. The compliance reality is that these laws differ in scope and timing, and they are under active federal preemption pressure that may or may not succeed.
How Should Organizations Operationalize Compliance Across All Three Regimes?
The regimes differ in force, structure, and what they demand, but they converge on a common set of controls. What the EU AI Act asks for in practice maps closely to good governance: classify each system by risk, maintain technical documentation and record-keeping, ensure human oversight, manage data quality, and meet transparency duties. Those are controls, not just disclosures, which is why operationalizing them beats documenting them.
An organization operating nationally faces a genuine patchwork, which is exactly the argument the federal preemption effort makes. Until that effort resolves, the safe path is to map AI systems against the state laws that apply to users and operations, and to build controls flexible enough to absorb change.
On Capitol Hill, Reps. Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a 269-page discussion draft of the Great American Artificial Intelligence Act in June 2026. The bill would require the largest frontier developers to publish safety frameworks, undergo twice-yearly third-party audits, and report critical incidents to federal regulators, with penalties of up to one million dollars per day for noncompliance. The draft bill also includes a three-year preemption of state AI laws specifically regulating AI model development, drawing criticism from civil society, AI safety advocates, and labor groups.
"The Trump administration is deciding company by company who gets access to the newest AI model. No law. No process. No oversight. Just appointees in Washington deciding who is in and who is out," stated Rep. Lori Trahan, arguing that the imposition of export controls underscored the need for durable federal congressional standards.
Rep. Lori Trahan, U.S. House of Representatives (D-MA)
The practical difficulty in 2026 is that a single AI system can fall under the EU AI Act because it touches the EU market, under US state laws because of where its users live, and under evolving US federal policy at the same time. Compliance is no longer a checklist against one rulebook; it is the ability to satisfy several rulebooks with one well-governed program, and to show your work when any of them asks.
Organizations operating across borders generally plan to the strictest applicable standard, then map down. The EU sets the binding global benchmark, while the US picture remains unsettled, with federal and state authority actively in tension. This creates both complexity and opportunity: companies that build robust compliance infrastructure now will be better positioned to adapt as the regulatory landscape continues to shift.