The AI Governance Index

Providers, deployers, importers and distributors placing AI on the EU market or whose output is used in the EU — including non-EU companies (extraterritorial).

Four-tier risk pyramid (unacceptable / high / limited-transparency / minimal) plus a separate two-level GPAI regime.

Up to €35M or 7% of global turnover for prohibited practices; up to €15M or 3% for most other breaches; lower caps for SMEs.

• 2024-08-01 — Entered into force
• 2025-02-02 — Prohibited practices + AI-literacy duties apply
• 2025-08-02 — GPAI model obligations, governance and penalties apply
• 2026-08-02 — Original date for high-risk (Annex III) + Art. 50 transparency (high-risk being deferred via Digital Omnibus)
• 2027-12-02 — Proposed deferred date for standalone high-risk (Digital Omnibus — not yet adopted)

Any controller or processor handling personal data of people in the EU, including via AI (extraterritorial).

Risk-based accountability — heightened duties triggered when processing is likely high-risk to individuals.

Up to €20M or 4% of global turnover for the most serious infringements.

• 2018-05-25 — Became applicable

Signatory/ratifying states (binds states, not companies directly); signed by the EU, US, UK and others.

Principles-and-outcomes based, with mandatory iterative risk/impact management.

No fines — enforced via international monitoring and each Party's domestic measures.

• 2024-09-05 — Opened for signature
• 2025-11-01 — Entered into force

Providers and deployers of AI operating in Spain, mirroring the EU AI Act's scope.

Follows the EU AI Act risk model, enforced nationally by AESIA, with added content-transparency emphasis.

Mirrors EU AI Act tiers (up to €35M / 7% for prohibited practices); softened for SMEs/startups.

• 2023-08-22 — AESIA created (Royal Decree 729/2023)
• 2026-05-26 — Council of Ministers approved the draft Organic Law

Providers, deployers and users of AI in Italy, layered on the directly-applicable EU AI Act.

Adopts the EU AI Act risk model and adds national sector and criminal-law overlays.

Criminal penalties for AI-enabled offences (imprisonment 1–5 years) plus EU AI Act fines enforced by ACN.

• 2025-09-23 — Enacted as Law 132/2025
• 2025-10-10 — Entered into force

Providers and deployers of AI in France under the EU AI Act, with sector-specific oversight.

EU AI Act risk model, enforced through a distributed/sectoral national structure.

EU AI Act fines once the national framework is adopted; CNIL can already levy GDPR fines (up to €20M / 4%).

• 2025-02 — France hosted the AI Action Summit, Paris
• 2026 — National competent-authority designation still pending

Providers and deployers of AI in Germany under the EU AI Act, coordinated centrally by the Bundesnetzagentur.

EU AI Act risk model via a hybrid central-plus-sectoral supervisory structure.

EU AI Act fine ranges (up to €35M / 7% for prohibitions) once KI-MIG is adopted.

• 2026-02-11 — Federal Cabinet adopted the draft KI-MIG
• 2026 — Bundestag/Bundesrat approval pending

Organisations developing or deploying AI in the UK, regulated through existing sector regimes.

Context-specific and principles-based — risk managed by sector regulators, not fixed statutory tiers.

No dedicated AI fines; enforcement via sector regimes (e.g., ICO up to £17.5M or 4% under UK GDPR).

• 2023-03 — Pro-innovation White Paper (five principles)
• 2025-02-14 — AI Safety Institute renamed AI Security Institute
• 2026-05 — 'Regulating for Growth Bill' announced (not yet enacted)

Directly binds federal agencies and contractors; indirectly pressures states and the AI industry.

Pro-innovation / deregulatory — minimises mandatory risk controls in favour of voluntary, market-led governance.

No statutory penalties; leverage via funding conditions, procurement terms and DOJ litigation.

• 2025-01-23 — EO 14179 rescinds Biden EO 14110
• 2025-07-23 — America's AI Action Plan released
• 2025-12-11 — EO 14365 — state-law preemption push + DOJ AI Litigation Task Force

Any organisation that designs, develops, deploys or uses AI — adoption is voluntary.

Voluntary, context-based lifecycle risk management (Govern/Map/Measure/Manage).

None — voluntary framework.

• 2023-01-26 — AI RMF 1.0 published
• 2024-07-26 — Generative AI Profile (AI 600-1) released

Developers and deployers of covered ADMT used in consequential decisions affecting Colorado consumers.

Narrowed from EU-style 'high-risk' management to a targeted notice/transparency-and-rights model.

Enforced by the Colorado AG as a deceptive trade practice; no private right of action.

• 2024-05-17 — SB 24-205 signed (original Act)
• 2026-05-14 — SB 26-189 repeals & replaces the Act
• 2027-01-01 — Replacement ADMT law takes effect

GenAI developers and large 'covered providers' serving Californians; frontier developers above compute/revenue thresholds (SB 53).

Targeted/transparency-first: input transparency, output disclosure, and frontier-risk safety reporting.

Civil penalties enforced by the California AG (SB 53 up to ~$1M per violation for frontier-safety breaches).

• 2024-09-28 — AB 2013 signed
• 2025-09-29 — SB 53 (frontier AI) signed
• 2026-01-01 — AB 2013, SB 942 and SB 53 take effect

Texas state agencies (broad duties) and any business engaging in the specifically prohibited uses.

Intent-based prohibitions on defined harmful uses plus government-use governance.

AG-enforced civil penalties (roughly $10k–$200k per violation; $2k–$40k/day continuing); no private right of action.

• 2025-06-22 — HB 149 signed
• 2026-01-01 — Takes effect

Persons/businesses using generative AI in consumer transactions and regulated occupations in Utah.

Disclosure-based, tiered to 'high-risk' interactions — light-touch.

Administrative fines (up to ~$2,500 per violation) plus AG enforcement.

• 2024-05-01 — SB 149 takes effect
• 2025-05-07 — 2025 amendments take effect

Entities handling Illinois biometric data (BIPA); employers using AI in employment decisions (HB 3773).

Rights-based consent regime (BIPA) plus an effects-based anti-discrimination/notice rule (HB 3773).

BIPA: $1,000 (negligent) / $5,000 (intentional) statutory damages per person; HB 3773 via Human Rights Act remedies.

• 2024-08-09 — HB 3773 signed
• 2026-01-01 — HB 3773 AI-in-employment provisions take effect

Employers and employment agencies using AEDTs to screen NYC candidates/employees.

Mandatory bias-audit and transparency obligation focused on disparate impact in hiring.

Civil penalties up to $500 (first) and $500–$1,500 (subsequent); each day a separate violation.

• 2023-07-05 — Enforcement begins
• 2025-12-02 — State Comptroller audit finds enforcement 'ineffective'

Voluntary Code — signatory AI developers; Directive — Canadian federal institutions. No general binding private-sector duty.

Soft-law / risk-based via impact assessments; no enforceable national statutory regime after AIDA's demise.

None for the Code; the Directive is enforced administratively within government. A replacement framework is awaited.

• 2023-09 — Voluntary Code of Conduct on advanced generative AI launched
• 2025-01-06 — Prorogation kills Bill C-27 / AIDA

Developers, suppliers and operators of AI offered or used in Brazil (scope to be finalised).

Risk-based, modelled on the EU AI Act — tiered duties with outright prohibition of excessive-risk systems.

Proposed administrative fines (reported up to ~R$50M per infraction) — not yet in force.

• 2024-12-10 — Federal Senate approves the bill
• 2025-03-17 — Sent to Chamber of Deputies (still under review)

Providers offering generative AI services to the public within mainland China.

Obligation-and-security-led oversight tied to service provision (not an EU-style risk taxonomy).

Warnings, rectification orders, service suspension and fines under the measures and underlying laws.

• 2023-08-15 — Effective

Internet information service providers and content platforms generating/disseminating AI content in China.

Transparency/provenance-by-default across all AI-generated content.

Rectification orders, fines and suspension under the labelling and generative-AI/deep-synthesis rules.

• 2025-09-01 — Effective (with mandatory standard GB 45438-2025)

Providers of deep-synthesis and recommendation services (and their users) operating in China.

Targeted conduct regulation of synthetic media and recommender systems, with a registry overlay.

Warnings, rectification orders, fines and service suspension.

• 2022-03-01 — Algorithm Recommendation Provisions effective
• 2023-01-10 — Deep Synthesis Provisions effective

AI developers, providers and deployers affecting Korean users — including foreign companies (extraterritorial).

Risk-based, centred on 'high-impact AI' in sensitive domains plus generative-AI transparency.

Administrative fines up to KRW 30M (~USD 20k) for specified violations — modest vs. the EU AI Act.

• 2025-01-21 — Promulgated
• 2026-01-22 — Effective
• 2027-01 — End of ~1-year penalty grace period (approx.)

Primarily the national government, research institutions and businesses, as a coordination framework.

Innovation-first soft law: no risk tiers and no penalties; risks managed via guidance and existing laws.

None — enforcement relies on guidance, cooperation and existing sectoral laws.

• 2025-06-04 — Most provisions effective
• 2025-09-01 — AI Strategy HQ / Basic Plan provisions effective

Organisations across the economy that develop or deploy AI (voluntary adoption).

Voluntary, risk-management-based good practice; mandatory guardrails were proposed but shelved.

N/A — voluntary (existing laws and sector regulators still apply).

• 2024-09-05 — Voluntary AI Safety Standard released
• 2025-12-02 — National AI Plan declines mandatory guardrails / no AI Act

Organisations developing/deploying AI — voluntary, but a de facto benchmark in procurement.

Voluntary, risk-proportionate, testing-and-assurance-led.

N/A — voluntary (PDPA still applies to data aspects).

• 2024-05-30 — Model Framework for Generative AI launched
• 2025-02 — Global AI Assurance Pilot

AI developers, deployers and platforms in India (guidance; binding effect via underlying laws).

Risk-based and phased, pro-innovation with graduated/voluntary measures.

N/A for the guidelines — enforcement flows from existing statutes (IT Act, DPDP Act).

• 2025-11-05 — India AI Governance Guidelines released

Governments and AI actors in adhering countries — guidance, not law.

Values-based, risk-aware lifecycle guidance (non-tiered).

N/A — voluntary.

• 2019-05-22 — Adopted
• 2024-05-03 — Updated

Organisations developing the most advanced AI systems (frontier/foundation models) — voluntary.

Voluntary lifecycle risk management for advanced AI.

N/A — voluntary.

• 2023-10-30 — Code of Conduct issued
• 2025-02-07 — OECD HAIP Reporting Framework launched

UNESCO member states (and, through them, AI actors) — guidance for national policy.

Human-rights-based ethics framework with proportionality and impact-assessment tools.

N/A — voluntary.

• 2021-11-23 — Adopted by 193 member states

Any organisation that develops, provides or uses AI products or services, regardless of size or sector.

Risk-based, lifecycle-oriented Plan-Do-Check-Act management system.

N/A — voluntary standard (non-conformance means loss/denial of certification).

• 2023-12-18 — Published (first edition)
• 2024 — First accredited certifications issued

Organisations that develop, produce, deploy or use AI systems, services or products.

ISO 31000-aligned, lifecycle-based AI risk management.

N/A — voluntary guidance standard.

• 2023-02 — Published (first edition)

Organisations developing or deploying AI that want a structured impact-assessment method.

Impact-focused — evaluate societal/individual harms throughout the lifecycle.

N/A — voluntary guidance standard.

• 2025 — Published (first edition)

Any organisation wanting to protect information assets; broadly applicable across sectors.

Risk-based ISMS — identify, treat and monitor information-security risks.

N/A — voluntary standard.

• 2022-10-25 — ISO/IEC 27001:2022 published
• 2025-10-31 — End of transition from the 2013 edition

Manufacturers of AI/ML-enabled medical devices marketed in the US.

Risk-based premarket review plus a lifecycle model allowing controlled, pre-specified change.

FDA enforcement (warning letters, recalls, seizure, injunctions, civil penalties) for unauthorised marketing.

• 2024-12-03 — Final PCCP guidance published
• 2025-01 — Draft AI lifecycle-management guidance

Banks and supervised financial institutions using quantitative models (incl. AI/ML) in decisions.

Principles-based, risk-tiered model risk management across the model lifecycle.

Guidance, not a rule — deficiencies can lead to supervisory findings and safety-and-soundness enforcement.

• 2011-04-04 — SR 11-7 issued
• 2026-04-17 — SR 11-7 rescinded; revised interagency guidance issued