AI regulation in 2026 is becoming a global patchwork. An October 2025 watchlist from Atomicmail summarised the state of play: the EU AI Act is live, a proposed Digital Omnibus may delay some high-risk obligations, the US is moving toward federal preemption, and the UK continues to rely on sectoral regulators rather than a dedicated AI statute.
For firms operating across borders, this fragmentation is the central compliance challenge. A model trained in one jurisdiction, hosted in another and sold globally can trigger multiple regimes at once. A checklist approach helps keep the moving parts visible.
European Union
The EU AI Act is the most developed framework. It classifies AI systems by risk, imposes transparency obligations on general-purpose models, and requires conformity assessments for high-risk systems. The August 2026 deadline for high-risk obligations is the key date for most providers.
The proposed Digital Omnibus has raised the possibility of a stop-the-clock delay for some high-risk obligations. Firms should monitor the proposal, but not rely on it. Preparing for the August deadline remains the safer course.
United States
The US lacks a comprehensive federal AI law but has several active fronts: Executive Orders on AI safety and preemption, agency guidance from the FTC and NIST, export controls on advanced models, and a growing number of state-level statutes. Colorado, California and others have enacted AI-specific rules.
Federal preemption is now an explicit policy objective, but it will take time and litigation to determine how far it reaches. In the meantime, national operators must comply with the most restrictive applicable state law.
United Kingdom
The UK has no dedicated AI Bill in force and the anticipated legislation is delayed. Instead, the government is using AI Growth Zones, regulatory sandboxes and existing regulators to manage AI risk. The ICO, FCA, Ofcom, CMA and MHRA are all applying their current powers to AI use cases.
For UK firms, this means compliance is sector-specific and use-case-specific. It also means there is no single UK AI mark or certificate to point to for international customers.
China and other jurisdictions
China has introduced algorithmic recommendation, deep synthesis and generative AI regulations, with a focus on content control, data security and algorithmic filing. Other jurisdictions, including Canada, Brazil, Singapore and Japan, are at various stages of developing AI-specific or adapted frameworks.
How to build a checklist
A practical global AI compliance checklist should cover:
- Jurisdiction of deployment, not just jurisdiction of incorporation.
- Risk classification under the EU AI Act and any local equivalents.
- Sector-specific rules such as financial services, healthcare, recruitment and online safety.
- Data protection obligations, including cross-border transfers and automated decision-making.
- Contractual allocation of liability between providers, deployers and distributors.
- Monitoring for new guidance, enforcement actions and legislative updates.
The bottom line
Global AI regulation is not converging quickly. The EU is leading with a broad statute, the US is pushing federal preemption, and the UK is experimenting with lighter-touch sectoral oversight. Firms that map their exposures jurisdiction by jurisdiction will be better placed to adapt as the rules evolve.