I assumed the EU AI Act was the regulation I needed to understand for my clients. One framework, one set of deadlines, one compliance checklist. Then three conversations in the same week broke that assumption apart. A healthcare prospect asked about HIPAA AI provisions I hadn't tracked. A fintech team wanted to know if the SEC's 2026 examination priorities applied to their trading models. And a state government RFP referenced three state-level AI laws I'd never read.

I wasn't behind on one regulation. I was behind on five.

That is the core problem this post maps out. AI compliance has not converged into a single framework. It has fragmented across industries, jurisdictions, and risk tiers. Organizations preparing for one regulation are exposed on four other fronts they haven't scoped.

What AI Regulations Apply to Your Business in 2026?

1,561 AI bills introduced across 45 US states
47 US states introduced healthcare AI bills in 2025
12+ FTC AI enforcement cases in 2025

There is no single "AI law." The compliance picture splits into five distinct layers, and most organizations are only tracking one or two of them.

The Five-Layer AI Compliance Stack

1. International Regulations: EU AI Act (risk tiers, penalties up to 7% of revenue) · UK AI Safety Institute · Canada AIDA
2. US Federal Mandates: White House AI Policy Framework · DOJ AI Compliance Guidance · FTC AI-Washing Enforcement · SEC AI Exam Priorities
3. State and Local Laws: 1,561 bills in 45 states · Colorado AI Act · Illinois AI employment law · Texas TRAIGA · California AB 489
4. Industry-Specific Rules: HIPAA AI provisions · FDA AI/ML guidance · SEC adviser anti-fraud · Fair lending requirements · FERPA/COPPA
5. Voluntary Frameworks: NIST AI Risk Management Framework · ISO/IEC 42001 · Industry self-regulation · Internal governance policies

Most organizations track Layer 1 or 2. Enforcement is hitting hardest at Layers 3 and 4.

The White House released its National Policy Framework for Artificial Intelligence on March 20, 2026. The framework calls federal preemption "a central pillar of any effective national AI policy," arguing that fragmented state laws "create compliance uncertainty and raise costs for companies operating across state lines." But until Congress acts, organizations face all five layers simultaneously.

The EU AI Act Timeline: Key Compliance Deadlines Through 2028

The EU AI Act is not one deadline. It is a phased rollout that has already shifted once and may shift again.

In March 2026, the European Parliament voted 569-45 to delay the high-risk system obligations through the Digital Omnibus regulation. Under Parliament's position (still pending trilogue with the Council), standalone high-risk AI systems would face a December 2, 2027 deadline instead of August 2, 2026. Embedded-product AI systems (think: medical devices with AI components) would get until August 2, 2028.

Feb 2, 2025: Prohibited AI Practices. Social scoring, real-time biometric surveillance, and manipulative AI systems banned. Already in effect.

Aug 2, 2025: General-Purpose AI (GPAI). Transparency and documentation requirements for foundation model providers. Already in effect.

Dec 2, 2027: Standalone High-Risk AI. Full conformity assessment, risk management, and human oversight for standalone high-risk systems. Delayed from Aug 2026.

Aug 2, 2028: Embedded High-Risk AI. AI components in regulated products (medical devices, vehicles, industrial equipment). Delayed from Aug 2026.

The penalty structure is three-tiered and scaled to revenue, not flat fines. This is the part most executives underestimate.

Prohibited practices: EUR 35M or 7% of global turnover, whichever is higher
High-risk noncompliance: EUR 15M or 3% of global turnover, whichever is higher
Incorrect information: EUR 7.5M or 1% of global turnover, whichever is higher

General-purpose AI transparency obligations took effect in August 2025. The high-risk system penalties above haven't even kicked in yet, and the timeline has already shifted once. Planning around a single deadline is planning to be surprised.

AI Compliance Requirements by Industry

This is where the "one regulation" mindset falls apart. A healthcare organization, a fintech firm, and a government agency all face the EU AI Act. But the layer beneath it is completely different for each.

Healthcare

Regulatory layers: HIPAA Security Rule revisions (AI-specific ePHI provisions on HHS agenda for May 2026) · State disclosure laws effective January 1, 2026: Texas TRAIGA requires written disclosure of AI use in diagnosis and treatment; California AB 489 prohibits AI from implying healthcare licensure; Illinois restricts AI from making independent therapeutic decisions without licensed professional review (Wellness and Oversight for Psychological Resources Act, August 2025) · HHS nondiscrimination requirements for patient care decision support · 250+ healthcare AI bills across 47 states by mid-2025 · EU AI Act classifies healthcare AI as high-risk

What this means: A healthcare organization deploying an AI clinical decision support tool must comply with federal HIPAA rules, state-specific disclosure mandates that vary by location, nondiscrimination testing requirements, and potentially EU high-risk AI conformity assessments. Five regulatory layers, five different compliance teams.

Key deadline: State healthcare AI disclosure laws already in effect (Jan 2026). HIPAA AI revisions expected May 2026.

Financial Services

Regulatory layers: SEC 2026 examination priorities explicitly target AI: examiners are scrutinizing AI claims to combat "AI washing" and evaluating supervision policies for AI in trading and fraud prevention · State AG enforcement: Massachusetts AG secured a $2.5 million settlement over AI lending models causing disparate impact on Black, Hispanic, and non-citizen applicants · Fair lending requirements apply to AI underwriting and credit decisions · FTC pursuing AI-washing cases against firms overstating AI capabilities · EU AI Act classifies creditworthiness AI as high-risk

What this means: A fintech firm using AI for credit scoring faces federal securities regulation, state consumer protection enforcement, fair lending compliance, FTC truth-in-advertising scrutiny, and EU AI Act high-risk obligations if it operates in Europe. The SEC alone isn't the problem. The convergence is.

Key deadline: SEC 2026 exam cycle already underway. Colorado AI Act (covering financial services AI) effective June 2026.

Government

Regulatory layers: White House National AI Policy Framework (March 2026) sets legislative recommendations for federal AI use · OMB guidance on federal agency AI governance · State-level procurement requirements increasingly mandate AI transparency and bias testing · FedRAMP considerations for cloud-hosted AI in government systems · EU AI Act classifies government AI (law enforcement, border control, public benefits) as high-risk

What this means: Government agencies face a unique tension: the federal framework pushes preemption of state laws for private sector AI, but government's own AI use is subject to both federal mandates and state-specific procurement rules. Procurement teams must evaluate AI vendors against compliance requirements that vary by agency, jurisdiction, and use case.

Key deadline: OMB AI governance requirements for federal agencies already in effect. State procurement AI requirements expanding throughout 2026.

The pattern across all three industries is the same: no single compliance checklist covers everything. Each sector faces a unique intersection of international, federal, state, and industry-specific requirements. The organizations that understand this layered reality move faster than those still searching for a universal framework. I wrote about a similar pattern in education technology, where LMS products face FERPA, COPPA, WCAG, and SCORM requirements simultaneously.

Enforcement Is Already Here

Skip the hypotheticals. Regulators are enforcing AI compliance today, and most of these cases used existing laws rather than AI-specific legislation.

AI Enforcement Actions: 2025-2026

FTC (2025): 12+ AI-washing enforcement cases. DoNotPay ($193K settlement), Air AI ($18M judgment, largely suspended). Used existing consumer protection statutes.
Pennsylvania AG (May 2025): Housing safety settlement. AI platform contributed to unsafe housing conditions. Enforced via existing consumer protection law.
Massachusetts AG (Jul 2025): $2.5M lending discrimination. Earnest Operations: AI underwriting models caused disparate impact on Black, Hispanic, and non-citizen applicants.
DOJ (Aug 2025): First healthcare AI fraud case. Troy Health, Inc.: AI platform facilitated fraudulent Medicare enrollment. First DOJ case involving AI-facilitated misconduct.
SEC (2026): AI exam priorities in effect. Examiners scrutinizing AI claims ("AI washing") and supervision policies for AI in trading and fraud prevention.

Most actions used existing statutes, not AI-specific legislation.

The Massachusetts AG settlement is instructive. Earnest Operations didn't violate an AI-specific law. The AG used existing consumer protection and fair lending statutes to penalize algorithmic discrimination in AI underwriting models. The DOJ similarly updated its Evaluation of Corporate Compliance Programs in September 2024 to specifically address AI risks. Federal prosecutors now evaluate whether companies have assessed AI's impact on criminal law compliance.

What does this mean for organizations waiting for "AI-specific" legislation before acting? The enforcement is already happening with laws already on the books. Waiting is not a strategy. The gap between "we'll deal with it later" and "we should have dealt with it sooner" collapses fast.

How Much Does AI Compliance Cost?

$492M global AI governance platform spending in 2026
$1B+ projected by 2030 (Gartner)
15.8% CAGR for AI governance market through 2036
$11.05B projected governance market by 2036

Gartner's February 2026 analysis projects AI governance platform spending will more than double from $492 million in 2026 to over $1 billion by 2030. Separately, Future Market Insights estimates the broader enterprise AI governance market at $2.20 billion in 2025, growing to $11.05 billion by 2036 at a 15.8% CAGR.

Those numbers represent what organizations are choosing to spend. The alternative is worse. Compare the cost of a governance platform against a $2.5 million state AG settlement or a penalty calculated as a percentage of your global revenue under the EU AI Act. Compliance costs compound across layers, but so do penalty exposures.

Here's the part that catches most leaders off guard: AI models targeting regulated sectors carry meaningful cost and timeline premiums for compliance testing, documentation, and conformity assessment. That premium is not optional. It is the cost of operating in healthcare, financial services, or government. Planning for it beats discovering it mid-project.

Building an AI Governance Framework

There is a reasonable counter-argument to the thesis of this post. NIST's AI Risk Management Framework and ISO/IEC 42001 (the first certifiable AI management system standard) share significant structural overlap. Organizations that implement both can create a single governance backbone that addresses multiple regulations through sector-specific "profiles."

On April 7, 2026, NIST published a concept note initiating development of an AI RMF Profile for trustworthy AI in critical infrastructure. That's the right direction. A unified foundation is the correct starting point.

So why isn't it enough? ISO 42001 is not an approved harmonized standard for EU AI Act conformity. The NIST AI RMF is voluntary, not prescriptive, and it does not set risk tolerance levels. Those tolerances differ sharply between a hospital deploying clinical AI and a fintech firm running credit models. A single governance approach gives you the foundation. The five layers described above give you the map of what still needs customization on top of it.

1. Inventory your AI systems: Catalog every AI tool, model, and automated decision system in use. Include vendor AI and shadow AI.

2. Classify by risk tier: Map each system against the EU AI Act risk tiers: prohibited, high-risk, limited risk, minimal risk.

3. Map applicable regulations: For each system, identify which of the five compliance layers apply based on your industry, jurisdiction, and use case.

4. Conduct impact assessments: Run algorithmic impact assessments for high-risk systems. Document bias testing, data provenance, and human oversight plans.

5. Build documentation and audit trails: Compliance without documentation is not compliance. Record decisions, testing results, and governance processes.

6. Monitor continuously: Regulations shift. The EU AI Act timeline has already changed once. Build review cycles, not one-time audits.

Important

Where to start: If you have not yet inventoried the AI systems in your organization, that is step one. You cannot assess compliance risk for systems you don't know exist. Shadow AI, third-party vendor AI, and automated decision tools all count.

What Comes Next

None of this simplifies on its own. Federal preemption may reduce state-level fragmentation over time, but industry-specific requirements and international regulations will keep layering. The organizations that treat AI governance as a five-layer problem today will adapt faster than those still searching for a single checklist.

The AI Readiness Assessment can help you identify which compliance dimensions need attention first, and where your current governance structure has gaps. Fifteen minutes of structured evaluation now saves months of reactive scrambling when enforcement reaches your industry.