AI Policy in 2026: The US and EU Frameworks Product Teams Need
A practical guide to AI policy in 2026 — covering the EU AI Act's August deadline, the US federal shift under Executive Order 14179, the NIST AI RMF as the de facto American standard, and concrete steps for compliance teams.
AI policy is no longer a forward-looking concern; it is an active operational constraint. In the United States, a new executive order reversed the previous administration's safety-centered approach, and a second order moved to preempt a growing patchwork of state laws. In the European Union, the world's first comprehensive AI regulation is entering full application in August 2026. Organizations building or deploying AI products face binding obligations on one side of the Atlantic and a shifting but consequential federal framework on the other.
This guide covers the two dominant policy regimes, what each one requires, and the concrete steps AI product and GRC teams need to take before the next major deadlines.
The US Federal Landscape: From Safety-First to Innovation-First
The Biden administration's Executive Order 14110 (October 2023) established a comprehensive federal AI safety regime: mandatory safety testing for frontier models, red-teaming requirements, and new reporting thresholds under the Defense Production Act. That order was revoked on January 23, 2025.
Its replacement, Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence", reoriented federal AI policy around economic competitiveness and national security, explicitly directing agencies to revise any guidance flowing from the prior order. The Office of Management and Budget's memos M-24-10 and M-24-18, which had imposed procurement and use requirements on federal agencies, were flagged for revision within 60 days.
A second order issued in December 2025 went further: it directed federal agencies to treat state AI laws that burden interstate commerce as candidates for preemption, signaling that the administration intends to establish a single federal lane for AI regulation rather than allowing each state to create its own regime. The practical effect for product teams is that state-level AI liability bills — several of which had already passed or advanced in California, Colorado, and Texas — face legal challenges on preemption grounds.
NIST AI RMF: The De Facto American Standard
With federal statute largely absent, the NIST AI Risk Management Framework 1.0 (released January 26, 2023) has become the closest thing the United States has to an enforceable baseline. It is formally voluntary, but that distinction shrinks quickly in practice: federal contractors are expected to align with it, enterprise procurement teams use it as a due-diligence checklist, and the FTC has cited analogous risk-management principles in AI-adjacent enforcement actions.
The RMF organizes AI governance around four core functions:
- Govern — establish accountability structures, policies, and oversight for AI risk at the organizational level
- Map — document the context and identify risks for a specific AI system or use case
- Measure — analyze and track risks with quantitative and qualitative methods, including bias testing and performance benchmarking
- Manage — allocate resources to treat identified risks, document residual risk, and respond to incidents
NIST released a Generative AI Profile in July 2024 extending the framework to LLM-specific risks such as hallucination, data provenance, and prompt manipulation. In April 2026, a concept note was published for a Critical Infrastructure AI Profile, aimed at operators in energy, finance, and healthcare. Neither profile is mandatory, but both are becoming standard reference documents in contract negotiations and regulatory examinations.
For teams managing model deployment pipelines, LLMOps.report covers how organizations are operationalizing RMF-aligned controls inside CI/CD workflows.
The EU AI Act: The World’s Strictest Binding Framework
Regulation (EU) 2024/1689 entered into force on August 1, 2024. Its compliance calendar has been running since then:
- February 2, 2025: Eight prohibited AI practices became enforceable. These include social scoring by public or private entities, emotion recognition in workplaces and schools, real-time remote biometric identification by law enforcement in publicly accessible spaces (with narrow exceptions), and AI-enabled predictive policing based solely on profiling.
- August 2, 2025: Obligations for providers of general-purpose AI (GPAI) models became applicable. Organizations releasing foundation models in the EU — whether open or closed — must provide technical documentation, publish training data summaries, and comply with copyright law.
- August 2, 2026: Full application of high-risk AI obligations. Any AI system affecting employment decisions, credit access, education, critical infrastructure, law enforcement, or the administration of justice must meet the Act’s requirements before being placed on the EU market or put into service.
What High-Risk Designation Means in Practice
Articles 8–15 of the Act specify what providers of high-risk AI systems must do. The requirements include: risk management systems that run throughout the product lifecycle; data governance controls ensuring training and test datasets are relevant, representative, and free of known errors; activity logging sufficient to enable post-hoc audits; detailed technical documentation for regulators; human oversight mechanisms that allow operators to intervene or halt the system; and accuracy, robustness, and cybersecurity standards.
Before placing a high-risk system on the EU market, providers must complete a conformity assessment, prepare an EU declaration of conformity, affix CE marking, and register the system in a public EU database maintained by the European AI Office.
Deployers — organizations that put high-risk AI systems to use — carry their own obligations under Article 26: they must assign trained human oversight personnel, ensure input data remains relevant, conduct ongoing monitoring, and report serious incidents to national market surveillance authorities.
Penalties scale with severity. Violations of the prohibited-practice rules carry fines of up to EUR 35 million or 7 percent of global annual turnover, whichever is higher. Violations of high-risk system obligations carry fines of up to EUR 15 million or 3 percent of global annual turnover.
For teams building safety controls and guardrails to satisfy these obligations, guardml.io tracks the tooling landscape: content filters, output monitors, and RASP-style runtime controls that map to EU AI Act technical requirements.
What AI Product Teams Should Do This Quarter
Audit your inventory. Identify every AI system your organization provides or deploys. Classify each against the EU AI Act’s risk tiers and against NIST RMF’s intended-use mapping. Both exercises require the same underlying asset inventory — do them together.
Close documentation gaps before August 2026. High-risk system providers who have not completed technical documentation and conformity assessment will be in violation the moment full applicability arrives. Retroactive remediation after a market surveillance inquiry is significantly more expensive than building documentation now.
Treat NIST alignment as a procurement prerequisite. Even without federal statute, enterprise and government buyers are writing NIST AI RMF alignment into vendor questionnaires and contract requirements. The Govern and Map functions in particular translate directly to standard trust documentation like SOC 2 Type II reports.
Track the state-law preemption fight. The December 2025 executive order creates legal uncertainty for state AI liability bills, but does not immediately nullify them. California AB 2013 (AI training data transparency), Colorado SB 205 (algorithmic discrimination in consequential decisions), and similar measures remain in force unless successfully challenged in court. Monitor litigation and maintain parallel compliance tracks until the federal preemption posture is settled.
Align incident response to dual regimes. The EU AI Act’s serious-incident reporting requirements — particularly for high-risk systems — have no precise US analog under current federal law. But the FTC’s existing authority over unfair or deceptive practices applies to AI systems that cause harm, meaning a serious incident could trigger obligations on both sides of the Atlantic simultaneously. Incident response plans should specify notification thresholds for both EU market surveillance authorities and the FTC.
Sources
- Removing Barriers to American Leadership in Artificial Intelligence (Federal Register): full text of Executive Order 14179, signed January 23, 2025, revoking the Biden AI safety order.
- AI Risk Management Framework (NIST): official NIST page for AI RMF 1.0, including the Generative AI Profile and supporting resources.
- AI Act, Shaping Europe's Digital Future (European Commission): the Commission's primary AI Act page, covering the regulation text, timeline, and governance structure.
- Ensuring a National Policy Framework for Artificial Intelligence (White House): December 2025 executive order directing federal agencies to address state laws that may obstruct a unified national AI policy.