The regulatory perimeter inside which AI agents that act (call tools, modify state, take actions) now have to operate, and the per-decision evidence the regulators ask for.
Every framework below is enforceable today or about to be. Velma evidence is the format both sides expect.
Sorted by soonest deadline first.
AI used in consumer-facing decisions (including lending, insurance, healthcare, employment, and housing) must meet documented governance, impact-assessment, and disclosure obligations enforced by the Texas Attorney General.
Texas joins Colorado as the second comprehensive U.S. state AI law. Penalties are tiered and per-violation.
Generative-AI providers with 1M+ monthly users must offer free AI-detection tools, embed manifest and latent disclosures in generated content, and contractually require licensees to maintain those disclosures.
First U.S. state law mandating watermarking and provenance disclosure on generative AI output.
Employers using AI in recruitment, hiring, promotion, or discharge decisions must provide notice, document non-discrimination testing, and avoid AI use that produces disparate impact.
Brings the second-largest employment market under bias-audit obligations on a fixed deadline.
Large frontier-model developers must publish a safety framework, report critical incidents to the state OES within strict windows, and protect whistleblowers, with civil penalties up to $1M per violation.
First U.S. state law mandating safety-framework disclosure and incident reporting for frontier AI. Anchors the U.S. transparency regime.
Generative-AI developers must publish a documented summary of the data sets used to train their models, including source, ownership, copyright status, and personal-information categories.
First U.S. state law mandating training-data provenance. Procurement teams will demand the same disclosure from vendors.
Developers and deployers of high-risk AI must use reasonable care to protect consumers from algorithmic discrimination, and document governance, impact assessment, and consumer notice.
First U.S. comprehensive AI law. Applies to lending, employment, healthcare, insurance, and government services.
Comprehensive AI regulation covering high-risk AI in lending, healthcare, employment, and public services, with risk classification, governance documentation, and impact assessments enforced by the ANPD.
Largest Latin American market joining the EU/U.S. governance arc. Cross-border vendors face a third major framework.
Anticipated obligations for the largest frontier-AI developers. Safety case, capability evaluation, and incident reporting to a new statutory regulator.
UK is on track to be the third major frontier-AI regulator after the EU and California. Multinational vendors will face a fourth distinct framework.
AI systems and software are treated as products under EU law. Strict-liability for defects, with reversed burden of proof when claimants face technical complexity barriers.
Lending, healthcare, and agentic-AI vendors now carry product-defect liability. Tamper-evident audit evidence is the primary defense.
High-risk AI (credit scoring, healthcare devices, fraud screening, worker management) must ship with documented risk management and regulator-readable evidence.
Original 2 Aug 2026 deadline deferred by the Omnibus VII provisional agreement (May 2026). Standalone systems now in force 2 Dec 2027; embedded systems 2 Aug 2028. Fines up to 7% of global turnover. Deferral confirms the audit-format gap; it does not eliminate it.
Full conformity for the eight Annex III high-risk categories (including credit scoring, employment, education, law enforcement, and democratic processes) alongside Article 9.
Original 2 Aug 2026 deadline deferred by the Omnibus VII provisional agreement. Pulls every adaptive AI product touching one of these surfaces into the formal conformity-assessment process on the new date.
Full conformity for high-risk AI in regulated products under Article 6, and the end of the grandfather window for embedded systems.
Original 2 Aug 2027 deadline deferred to 2 Aug 2028 by the Omnibus VII provisional agreement. The legacy carve-out closes on this date. Every covered system in the field must produce the full evidence package.
The examiner can cite any of these on first request.
Federal agencies must implement minimum AI risk-management practices for safety- and rights-impacting AI uses, and publish AI use-case inventories.
Sets the standard for AI vendors selling into the federal supply chain.
Specifies the AI management system that organizations developing or using AI must establish, maintain, and continually improve, with audit-grade evidence.
Becoming the global procurement baseline. Customers and procurement teams now ask for 42001 conformity evidence.
Establishes state oversight of AI use by Texas agencies and produces recommendations that increasingly shape Texas state procurement and rule-making.
Early signal of how large U.S. states will frame AI procurement and disclosure.
Employers using AEDTs in hiring or promotion must complete annual independent bias audits and notify candidates.
First major jurisdiction to require bias-audit evidence for hiring AI. EEOC technical assistance follows.
Voluntary framework (Govern, Map, Measure, Manage) referenced by federal agencies, state regulators, and OMB as the baseline for AI risk evidence.
Treated as the floor of expectation across U.S. AI examinations and procurement.
Five stages. The evidence artifact. Sealed forecasts at horizon. Isometric DFD-0.
Formal safety models, ODD, assurance cases, reviewer briefs.
How we are set up and why the trust structure matters.
Direct line to the inventor. No demo, no deck.
Thirty minutes. Architecture, not sales. On the regulatory surface you already know.
