For two years, AI regulation was mostly a conversation about principles. High-risk classification, transparency requirements, human oversight mandates. Organizations talked about compliance the way they talked about climate risk: as a future problem worth monitoring.
2026 changed that calculus. The EU AI Act is now in its enforcement phase, which means actual fines for actual violations at actual companies. The US has not enacted federal legislation, but sector-specific rules from financial regulators, healthcare agencies, and labor authorities are creating a patchwork of enforceable obligations. China's AI governance framework has been in force longer and continues to set the global pace in some categories.
The result is that AI governance has become a present-tense engineering and legal problem, not a future one.
What Enforcement Actually Looks Like
The most immediate effect of enforcement has been on documentation practices. High-risk AI systems under the EU framework must maintain detailed technical documentation including training data provenance, model capability and limitation assessments, and risk mitigation measures. This documentation must be updated continuously, not produced once at launch.
For teams that treated documentation as a checkbox exercise, the new requirements are a significant operational burden. For teams that already maintained rigorous documentation for internal quality purposes, the overhead is manageable but not trivial.
Conformity assessments, required for certain high-risk applications, have created a new cottage industry of AI auditors. The quality of these assessments varies considerably, which has led to a secondary market for "audit shopping" that some regulators are beginning to scrutinize.
The Sectors Feeling It Most
Financial services and healthcare are the sectors where enforcement has been most consequential. Credit scoring, insurance underwriting, clinical decision support, and diagnostic AI all fall into high-risk categories with explicit documentation, testing, and human oversight requirements.
The practical effect has been slower deployment cycles and more rigorous pre-launch evaluation requirements. Teams that previously shipped beta features to production are now running extended validation periods that feel conservative but reflect genuine risk in high-stakes domains.
Employment-related AI has also received significant attention, particularly hiring and monitoring systems. Several high-profile cases of algorithmic discrimination have created legal exposure that is driving more conservative adoption practices in HR technology.
The Global Fragmentation Problem
Perhaps the most significant practical challenge is regulatory fragmentation. Organizations operating globally face the EU framework, potentially divergent US federal requirements, sector-specific rules in multiple jurisdictions, and the Chinese AI governance framework for operations in China.
The compliance overhead of managing different requirements across jurisdictions has become a meaningful cost center. Organizations are increasingly building governance frameworks that target the most stringent applicable standard, rather than managing a different compliance posture for each jurisdiction.
The Honest Assessment
Regulation is real and consequential, but it is also manageable for teams that build compliance into their development process rather than treating it as a post-launch problem. The organizations struggling most are those that treated AI governance as optional for years and are now retrofitting compliance onto systems that were not designed with it in mind. Teams that invested early in documentation infrastructure, evaluation frameworks, and governance processes are finding that the overhead, while real, does not fundamentally impede their ability to ship.