Lesson 8 · 11 min

Policy framework — EU AI Act, US AI bill of rights, customer audits

The regulation that's actually in force in 2026 and the customer-procurement checklist your sales team will face. What you need to document, when, and at what cost.

What's in force

EU AI Act (Regulation (EU) 2024/1689) is the binding framework for any system placed on the EU market or whose output is used in the EU. Enforcement is phased: the prohibitions have applied since 2 February 2025, and most remaining obligations, including the high-risk regime, apply from 2 August 2026.

Four relevant tiers:

  • Prohibited AI (social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement outside narrow, authorised exceptions) — don't ship these.
  • High-risk AI (credit scoring, hiring, education grading, critical infrastructure) — heavy compliance: documented risk assessment, conformity assessment, post-market monitoring, registration in the EU database.
  • Limited-risk AI (chatbots, content generation) — transparency obligations: disclose AI involvement, label AI-generated content.
  • Minimal-risk AI (everything else) — voluntary code of conduct.

US — no federal AI Act yet; state-level patchwork (Colorado AI Act, NYC Local Law 144 for automated hiring tools). The White House Blueprint for an AI Bill of Rights (2022) is non-binding guidance, but procurement teams cite it.

UK — pro-innovation, sectoral approach. ICO guidance on AI + GDPR is the practical floor.