Regulatory Pulse
The regulatory clock doesn’t pause while you plan
Dated, concise updates on US state AI legislation, NIST AI RMF guidance, and sector-specific rules, with the EU AI Act included where it’s shaping what US regulators do next. Every entry links to the primary source.
Build your regulatory digest
Choose the topics that affect you and how often you want them. Preview exactly what you’ll get, then subscribe. No newsletters, just the updates in your scope and why they matter.
- US State Law
June 30, 2026
Colorado AI Act (SB 24-205) requirements take effect
Colorado's AI Act, the US state law most closely modeled on the EU AI Act's risk-tiering approach, now requires developers and deployers of high-risk AI systems to use reasonable care against algorithmic discrimination, conduct impact assessments, and disclose AI interactions to consumers. It covers employment, education, financial services, healthcare, housing, and legal decisions. The effective date was pushed back twice from an original February 2025 target while lawmakers worked through amendments, so organizations operating in Colorado or serving Colorado residents should confirm they're working from the enrolled text below rather than an earlier draft.
- NIST
February 2026
Financial Services AI Risk Management Framework released
The US Treasury and a coalition of more than 100 financial institutions released a Financial Services AI RMF: a sector-specific profile that expands NIST's AI RMF with roughly 230 control objectives tailored to banking and financial services, plus a shared AI lexicon. Firms already mapped to NIST's core GOVERN, MAP, MEASURE, and RESPOND functions have a head start translating those controls into the new profile's more granular requirements.
- EU AI Act
August 2, 2026
High-risk system obligations begin to phase in
Annex III high-risk system obligations under the EU AI Act, covering conformity assessment, technical documentation, and post-market monitoring, start becoming applicable on a staggered schedule. This matters most directly to organizations with EU-facing operations, but the underlying risk classification approach (prohibited, high-risk, limited, minimal) is the same structure several US state laws have adopted, so it's a useful preview of where US requirements are trending.
- EU AI Act
August 2, 2025
General-purpose AI model obligations enter force
Articles 53 to 55 of the EU AI Act, covering transparency, adversarial testing, and incident reporting for providers of general-purpose AI models, became fully applicable. Organizations deploying foundation models (GPT, Claude, Gemini, Llama derivatives, and similar) as part of EU-facing products now need up-to-date technical documentation and a process for cooperating with supervisory requests. Worth tracking even for US-only teams: model documentation expectations like these tend to show up in US procurement and vendor-risk questionnaires within a year or two.
- EU AI Act
February 2, 2025
Prohibited AI practices ban takes effect
Chapter II of the EU AI Act, prohibiting real-time remote biometric identification in public spaces, social scoring, and certain subliminal manipulation techniques, became enforceable: the first substantive compliance deadline under the Act. Organizations that had already completed a risk-tiering exercise had clarity on which use cases required immediate retirement or redesign, the same discipline US state laws now ask for under a different name.
- Sector
June 5, 2024
SEC risk alert: AI use by broker-dealers and investment advisers
The SEC's Division of Examinations published a risk alert reminding registered investment advisers and broker-dealers that existing supervisory and recordkeeping obligations apply when AI tools assist in producing investment advice, portfolio analysis, or client communications. Firms without a documented AI use policy and model inventory face heightened examination risk, and the SEC has separately brought enforcement actions against firms for overstating their AI capabilities to clients (so-called AI washing).
- US State Law
September 2024
California SB 1047 (vetoed): lessons for AI governance programs
California Governor Newsom vetoed SB 1047, which would have required developers of large AI models to implement safety protocols and whistleblower protections. The bill didn't pass, but the legislative debate surfaced requirements, model audits, incident reporting, shutdown mechanisms, that are highly likely to reappear in future state or federal legislation. Organizations with a documented incident response process and model audit trail are better positioned for whatever comes next.
Read the bill history and veto message (California Legislative Information)→
- EU AI Act
August 1, 2024
EU AI Act enters into force
The EU AI Act officially entered into force, starting a staggered multi-year timeline for its various obligations. For US organizations without EU-facing operations, the direct impact is limited, but the Act has become the reference point regulators and legislators cite when drafting new US rules, so its risk categories (prohibited, high-risk, limited, minimal) are worth understanding on their own merits.
Stay current without monitoring everything yourself
One email per major milestone. Unsubscribe any time.