Saturday, December 16, 1916
AI Regulations & Compliance: What Developers Need to Know in 2026
AI regulation isn't coming — it's here. The EU AI Act entered force in 2024, with enforcement phasing in through 2026-2027. US regulation is fragmented but accumulating through executive orders, state laws, and agency actions. For developers building products that use AI — which in 2026 means nearly everyone — compliance is shifting from "legal team's problem" to "something I need to understand before I ship."
This guide covers what applies to developers, not what applies to AI labs. If you're training foundation models, you need a lawyer. If you're building a SaaS product that calls an LLM API, this is for you.
The EU AI Act
The EU AI Act is the most comprehensive AI regulation in the world. It applies to any company that places AI systems on the EU market — meaning if you have EU users, it applies to you, regardless of where your company is incorporated.
Risk Categories
The Act classifies AI systems into four risk tiers:
| Risk Level | Examples | Requirements |
|---|---|---|
| Unacceptable | Social scoring, real-time biometric surveillance in public, emotion recognition at work | Banned entirely. Do not build these. |
| High | AI in hiring, credit scoring, medical diagnosis, law enforcement, critical infrastructure | Mandatory risk assessment, human oversight, transparency, accuracy reporting, documentation |
| Limited | Chatbots, emotion recognition, deepfake generation | Transparency: users must know they're interacting with AI |
| Minimal | AI in video games, spam filters, inventory management | No specific requirements, but voluntary codes of conduct encouraged |
What Applies to Most Developers
The vast majority of AI features in SaaS products fall into limited or minimal risk. Your chatbot needs to disclose it's a chatbot. Your AI-generated content doesn't need a risk assessment — but it does need to be labeled as AI-generated.
Limited risk (most common for SaaS):
- Chatbots and virtual assistants: must disclose they're AI. Users must know they're not talking to a human.
- AI-generated images, audio, video: must be labeled as artificially generated.
- Emotion recognition systems: must inform users their emotions are being analyzed.
Practical compliance: If your product has a chatbot, add "This is an AI assistant" to the UI. If your product generates images, include a label or metadata indicating AI generation. These are low-effort, high-ROI compliance steps.
High-Risk: When You Need to Pay Attention
Your product might be high-risk if AI makes or substantially influences decisions about:
- Employment: AI screening resumes, scoring candidates, making hiring recommendations
- Credit and financial services: AI determining loan eligibility, credit limits, insurance premiums
- Healthcare: AI assisting with diagnosis, treatment recommendations, triage
- Education: AI determining admission, assessing student performance
- Law enforcement: AI used in investigations, risk assessment, evidence analysis
- Critical infrastructure: AI managing power grids, traffic systems, water supplies
If your product falls into any of these categories, you need:
- A conformity assessment before deployment
- Risk management system documentation
- Data governance and training data documentation
- Technical documentation of the system's design and operation
- Record-keeping of system logs and decisions
- Transparency — users must be informed and can request explanations
- Human oversight — meaningful human review of AI decisions
- Accuracy, robustness, and cybersecurity standards
This is not a checklist you can handle casually. If you're building a high-risk AI system in the EU, you need a compliance officer or external legal counsel.
General-Purpose AI Rules
The EU AI Act also regulates general-purpose AI models — the foundation models (GPT, Claude, Gemini) that developers build on top of. If you're using a model from a major provider through their API, the provider handles this compliance. If you're fine-tuning or deploying your own model, the rules may apply to you.
What providers must do (relevant because it flows down to you):
- Publish a summary of training data used
- Implement a copyright compliance policy (respect opt-outs from rights holders)
- Provide technical documentation to downstream developers (that's you)
- Report energy consumption
This means API documentation is becoming compliance documentation. When OpenAI or Anthropic updates their model cards and transparency reports, read them. They contain information you may need for your own compliance.
Enforcement Timeline
| Date | What Happens |
|---|---|
| February 2025 | Prohibited practices banned (unacceptable risk systems) |
| August 2025 | General-purpose AI rules apply |
| August 2026 | Most obligations apply (high-risk systems, limited risk transparency) |
| August 2027 | High-risk systems in specific sectors (medical devices, machinery) |
If you're building in mid-2026: Limited risk transparency rules are active now. High-risk rules go live in August 2026. You have a few months. Start the compliance process if you haven't.
The US Regulatory Landscape
Unlike the EU, the US has no single comprehensive AI law. Regulation comes from multiple sources:
Federal Executive Orders
The Biden administration's AI executive order (October 2023) established requirements for federal agencies using AI and directed NIST to develop AI risk management frameworks. A subsequent executive order in early 2025 maintained most provisions while shifting emphasis from mandatory requirements to voluntary standards.
What applies to private companies:
- Companies developing dual-use foundation models must report training runs, safety test results, and ownership information to the federal government
- Federal contractors using AI must comply with NIST's AI Risk Management Framework
- Federal agencies procuring AI systems must require conformity assessments from vendors
In practice: If you sell to the US government, you need NIST RMF compliance. If you don't, the federal requirements are lighter — but state laws may catch you.
State-Level Laws
States are moving faster than the federal government. Key state AI laws:
California: Multiple bills regulating AI in hiring, automated decision-making, and data privacy. The California Privacy Protection Agency has rulemaking authority over automated decision-making technology. If you have California users, watch this space closely.
Colorado: The Colorado AI Act (effective February 2026) requires developers of high-risk AI systems to use reasonable care to protect consumers from algorithmic discrimination. It's the closest thing to the EU AI Act at the state level.
New York: New York City's Local Law 144 requires bias audits for AI hiring tools. It's been in effect since July 2023 and has become the template for other cities.
Illinois, Connecticut, Texas: All have active AI legislation in various stages, focused on deepfakes, AI in hiring, and consumer protection.
The practical reality: If your product serves US users, you need to comply with the strictest state law for each feature. In practice, that means designing for EU AI Act compliance and handling US-specific requirements as variations on that baseline.
Copyright and Training Data
The legal status of AI training on copyrighted data is unsettled, but the practical implications for developers are clearer than the legal ones:
Training: If you're fine-tuning a model on your own data, you own the copyright questions. If you're using an API from a major provider, the provider's terms of service include indemnification for copyright claims in most cases.
Outputs: AI-generated code is generally not copyrightable in the US — the Copyright Office has consistently ruled that AI-generated works lack human authorship. However, human-authored work that uses AI as a tool (like a developer who writes significant portions of code and uses AI for completions) may be copyrightable. The line is fuzzy and currently being litigated.
Practical guidance:
- Don't use AI to generate entire works you intend to copyright. A co-authored approach (human writing the structure, AI filling in sections, human reviewing and editing) is safer.
- If you're a SaaS company, your terms of service should address AI-generated content — both what you produce and what users input.
- Don't train models on data you don't have rights to. The safest path is to only train on data you own, have licensed, or that is explicitly in the public domain.
GDPR and AI
GDPR applies to AI systems that process personal data of EU residents. The intersection creates specific challenges:
Automated Decision-Making
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. If your AI system makes decisions about people — denying a loan, rejecting a job application, flagging a fraud alert — without meaningful human involvement, you need:
- Explicit consent from the data subject
- The ability to provide meaningful information about the logic involved
- Human intervention capability
Transparency
GDPR requires that data subjects know how their data is processed. When an AI system is involved, this means explaining:
- That AI is being used
- What data the AI uses
- What decisions the AI makes or influences
- How to contest those decisions
Data Minimization
GDPR requires that only the minimum necessary personal data is processed. When sending data to an LLM API:
- Strip personal data from prompts unless it's essential to the task
- Use API providers that commit to not training on your data (OpenAI API, Anthropic API — check the current terms)
- Don't send customer data to consumer chatbots (ChatGPT web interface, Claude web interface) — these may train on your inputs
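The "strip personal data from prompts" step above, as an added example that is not part of the original post: personal data is swapped for stable placeholders before the prompt leaves your boundary, the placeholder map stays local, and the model's answer is rehydrated afterwards. It assumes regex detection is good enough for e-mails and phone numbers (names need a real PII detector), and `call_llm` is a hypothetical stand-in for your API client.

```python
import re
from typing import Callable, Dict, Tuple

# Simple detectors for the personal data most likely to leak into prompts.
# Assumption: production systems would add a proper PII/NER detector; the
# pseudonymise -> send -> rehydrate pattern stays the same.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

def pseudonymise(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace personal data with placeholders such as <EMAIL_1>.
    Returns the scrubbed text plus a placeholder->original map that is
    kept on our side and never sent to the LLM API."""
    placeholders: Dict[str, str] = {}   # "<EMAIL_1>" -> "jane@..."
    seen: Dict[str, str] = {}           # original -> placeholder (stable reuse)
    for kind, pattern in PII_PATTERNS.items():
        def replace(match: re.Match, kind: str = kind) -> str:
            value = match.group(0)
            if value not in seen:
                n = sum(1 for p in placeholders if p.startswith(f"<{kind}_")) + 1
                seen[value] = f"<{kind}_{n}>"
                placeholders[seen[value]] = value
            return seen[value]
        text = pattern.sub(replace, text)
    return text, placeholders

def rehydrate(text: str, placeholders: Dict[str, str]) -> str:
    """Put the real values back into the model's answer, locally."""
    for placeholder, value in placeholders.items():
        text = text.replace(placeholder, value)
    return text

def draft_reply(ticket: str, call_llm: Callable[[str], str]) -> str:
    """Only the pseudonymised ticket crosses the API boundary."""
    scrubbed, placeholders = pseudonymise(ticket)
    answer = call_llm(scrubbed)
    return rehydrate(answer, placeholders)

# Constructed sample support ticket (not real customer data).
TICKET = ("Customer jane.doe@example.com (phone +44 20 7946 0958) reports invoice 4412 "
          "was charged twice. Please reply to jane.doe@example.com with a refund timeline.")

if __name__ == "__main__":
    scrubbed, mapping = pseudonymise(TICKET)
    print(scrubbed)                       # what the API provider would see
    print(draft_reply(TICKET, lambda p: "Hi, we will follow up at <EMAIL_1>."))
```

The placeholder map is itself personal data, so it belongs in the same retention policy as the rest of the ticket, not in the LLM request log.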
Practical GDPR Compliance for AI Products
Checklist:
- [ ] Privacy policy discloses AI use and data processing
- [ ] Users can opt out of AI processing of their data
- [ ] Personal data stripped from prompts before sending to LLM APIs
- [ ] Using API endpoints with data processing agreements (DPAs) in place
- [ ] NOT using consumer chatbot interfaces for customer data
- [ ] Automated decisions have human review option
- [ ] Data retention policy covers LLM API logs and conversations
Open Source and AI Regulation
The EU AI Act has specific provisions for open source AI. The key distinction:
Open source models (released under a license allowing free use, modification, and distribution, with publicly available weights and architecture) are partially exempt from the Act's requirements for general-purpose AI models. They still need to comply with transparency and documentation requirements, but they're exempt from some of the more burdensome obligations.
Open source systems (applications built on open source models) are not exempt. If you build an AI product using open source models, you're subject to the same rules as any other AI system. The exemption is for the model, not the application.
Liability questions: Open source AI models raise the question of who's responsible when something goes wrong. Current regulatory thinking leans toward: the deployer (the company or developer using the model) is responsible, not the model creator. If you deploy a model, you own the risk, regardless of who trained it.
Compliance Checklist for Developers
What you should do right now, ordered by urgency:
Immediate (this sprint)
- Privacy policy update: Does your privacy policy disclose AI use? If not, update it.
- AI disclosure in product: If your product has a chatbot or AI feature, does the UI say "AI"? Add it.
- API vs consumer interfaces: Are you using API endpoints (data not used for training) or consumer interfaces (data may be used for training)? Confirm. Switch to API if needed.
- Training data audit: What data are you training or fine-tuning models on? Do you have rights to it? If you don't know, find out.
This quarter
- Risk classification: Is your AI system limited risk or high risk under the EU AI Act? If you're not sure, consult someone who can answer definitively.
- GDPR data flow map: Trace every point where personal data touches an AI system. Document it. If you can't explain the flow to a regulator, it's not compliant.
- Human oversight mechanism: For any AI system that makes or influences decisions about people, do you have a human review path? If not, build one.
- Vendor DPAs: Do your LLM API providers have signed data processing agreements? Verify. If not, sign them.
This year
- Conformity assessment: If your system is high-risk under the EU AI Act, start the assessment process. It takes months, not weeks.
- AI governance policy: Internal document covering: which AI systems you use, what data they process, who's responsible for compliance, how decisions are reviewed.
- Incident response plan: What happens when your AI system produces a harmful output? Who's notified? How do you fix it? Write it down.
- State law review: If you have significant US users in California, Colorado, or New York, review state-specific AI requirements.
Regulatory Outlook: What's Coming
EU AI Act enforcement (2026-2027): The first enforcement actions under the EU AI Act will set precedent. Expect early cases to target high-profile AI systems that clearly violate the Act — not borderline cases. The EU tends to make examples before settling into routine enforcement.
US federal legislation: A comprehensive US federal AI law is unlikely before 2027-2028. The regulatory patchwork of state laws will persist, with California and Colorado leading. If you're building for the US market, comply with the strictest applicable state law.
Copyright litigation: The major training data copyright cases (New York Times vs OpenAI, Getty vs Stability AI) are still working through courts. The outcomes will shape what's permissible for model training, but API users of major providers will remain insulated by the providers' terms of service and indemnification agreements.
China and global markets: If your product has Chinese users, China's AI regulations (deep synthesis provisions, algorithmic recommendation regulations) impose separate requirements. If you serve multiple markets, the EU AI Act is the highest bar — comply with it and you're 80% of the way to compliance everywhere else.
AI liability directive (EU, proposed): The EU is working on an AI Liability Directive that would make it easier for individuals to sue for AI-related harm. In practice, this shifts the burden of proof — companies would need to show their AI system was compliant, rather than plaintiffs needing to prove it wasn't. Documentation is your defense. If you can't show how your system works, what data it was trained on, and how decisions are made, you lose by default.
The Bottom Line
If you take one thing from this guide, take this: document everything. The pattern across every regulation — EU, US, state, GDPR — is that documentation is your defense. If you can show what your AI system does, what data it uses, what decisions it makes, and how those decisions can be reviewed, you're compliant with the spirit of every regulation, even if you're not 100% compliant with every letter.
The developers who get in trouble won't be the ones whose AI systems make mistakes. They'll be the ones who can't explain how their AI systems work.
This article provides general information, not legal advice. Consult a lawyer for your specific situation.