< Back

Policy and Regulatory Frameworks


The EU AI Act

  • First comprehensive AI regulation in the world
  • Adopted by European Parliament in March 2024; entered into force August 2024
  • Risk-based approach to AI regulation
  • Focuses on transparency, safety, and fundamental rights
  • “Brussels Effect”: Influence on other jurisdictions, including Colorado

EU AI Act: Risk Categories

The Act classifies AI systems based on risk level:

  • Unacceptable Risk: Banned outright (e.g., social scoring, manipulative AI) — now enforced
  • High Risk: Strict requirements (e.g., critical infrastructure, education, hiring) — rules coming Aug 2026
  • Limited Risk: Transparency obligations (e.g., chatbots, emotion recognition)
  • Minimal Risk: Minimal regulation (most AI applications)

EU AI Act: High-Risk Use Cases

The following AI applications are considered high-risk and subject to strict requirements:

  • Biometrics: Remote identification systems, categorization systems, emotion recognition
  • Critical Infrastructure: Safety components for traffic, utilities, digital infrastructure
  • Education: Systems determining access to education, evaluating outcomes, monitoring tests
  • Employment: Recruitment tools, task allocation, performance monitoring, promotion/termination

EU AI Act: High-Risk Use Cases

  • Essential Services: Eligibility assessment for benefits, credit scoring, insurance pricing
  • Law Enforcement: Crime risk assessment, evidence reliability evaluation, profiling
  • Migration & Border Control: Risk assessments, application examination, identification
  • Justice & Democracy: Legal interpretation, dispute resolution, election influence

EU AI Act: What must you do if you’re ‘high-risk’?

  • Establish a risk management system throughout the lifecycle
  • Implement data governance - test for representativeness in datasets; “to the best extent possible”, free of errors
  • Create detailed technical documentation for others to determine compliance and risk
  • Design systems for automatic record-keeping of risk-relevant events
  • Provide clear instructions for use to downstream deployers
  • Enable human oversight in system design
  • Ensure appropriate accuracy, robustness, and cybersecurity
  • Establish a quality management system for compliance

EU AI Act: Foundation Model Requirements

Special provisions for general-purpose AI models (GPAIs) — active since August 2, 2025:

  • Technical documentation and risk assessments
  • Copyright compliance for training data
  • Energy efficiency reporting
  • Stricter rules for “systemic risk” models (“when the cumulative amount of compute used for its training is greater than $10^25$ floating point operations”)

“Free and open licence GPAI model providers only need to comply with copyright and publish the training data summary, unless they present a systemic risk.”


US Regulatory Contrast: A Very Different Direction

While the EU rolled out the AI Act, the US took a sharp turn:

  • January 20, 2025: Trump rescinds Biden’s AI Executive Order (EO 14110) — Day 1 of new administration
  • January 23, 2025: EO 14179 — “Removing Barriers to American Leadership in AI”
    • Deregulation framing; emphasizes competitiveness over risk mitigation
    • Directs agencies to review and revise policies that restrict AI development
  • July 2025: “Winning the Race: America’s AI Action Plan” released
  • December 11, 2025: New EO challenging state-level AI laws

US: Institutional Shifts

Key changes inside the federal government:

  • NIST AI Safety Institute → renamed Center for AI Standards and Innovation (CAISI) (June 2025)
    • Mission shift: from safety-first to “pro-innovation, pro-science”
    • Focus narrows to voluntary standards, national security evaluations, and industry partnerships
  • Biden-era AI reporting requirements for frontier models: rescinded
  • AI Safety Institute had been conducting safety evaluations of frontier models before public release — status of that program now uncertain

US: The State Law Battle

With no federal law, states stepped in — and the federal government pushed back:

  • December 11, 2025: Trump EO directs DOJ to form “AI Litigation Task Force” to challenge state AI laws in court
  • July 2025: Senate budget bill included a proposed 10-year moratorium on all state AI regulation
    • Senate voted 99–1 to strip the moratorium from the bill (July 1, 2025)
    • The final “One Big Beautiful Bill Act” (signed July 4) includes no restrictions on state AI laws
  • EO preemption attempts face legal limits: only Congress can constitutionally preempt state law

State-Level AI: The New Regulatory Frontier

In the absence of federal law, states have become the primary regulatory arena:

  • Illinois: HB 3773 — prohibits AI discrimination in employment (amends Human Rights Act)
  • California: Transparency in Frontier AI Act — frontier model risk frameworks, safety incident reporting
  • Texas: Responsible AI Governance Act (RAIGA) — consumer protections, AI sandbox program | Jan 1, 2026 |
  • Colorado: SB 24-205 → repealed and replaced by SB 26-189 (transparency/disclosure approach)

Over 40 states introduced AI legislation in 2025.


Colorado AI Act: SB 24-205 (Original)

Colorado was the first state to pass comprehensive AI legislation (signed May 2024):

  • Modeled on the EU AI Act’s risk-based approach
  • Covered “high-risk” AI systems in consequential decisions (employment, housing, credit, education, healthcare)
  • Required: impact assessments, anti-discrimination duty of care, risk management programs, consumer notices, developer documentation

Original effective date Feb 2026 → delayed to June 30, 2026. Then repealed-and-replaced on May 14, 2026.


SB 26-189: The Replacement

  • SB 24-205 was singled out by a Trump EO (Dec 2025); DOJ formed an AI Litigation Task Force to challenge state AI laws.
  • xAI sued Colorado in federal court (Apr 2026) challenging constitutionality; DOJ moved to intervene in support.

Effective January 1, 2027.

Fundamental shift: from risk management/prevention to transparency/disclosure.

Structure for managing and pre-emptively mitigated risk is much smaller; more burden on disclosing automated decision making, explaining potential adverse outcomes, remedying adverse effects and providing consumer rights to human review


Discussion

  • What are the potential positive impacts of the EU AI Act?
  • What are the potential concerns with the EU AI Act?
  • Who benefits from the EU approach? Who benefits from the US approach?
  • Who is at risk under each model?

Lab: AI Policy Framework

Lab Details


References