AI regulation & law
Answer-first explainers of what the major AI laws actually say — the EU AI Act and its risk tiers, GPAI obligations, and the emerging US state patchwork — neutral and definitional, never legal advice.
EU AI Act
The EU AI Act is Regulation (EU) 2024/1689, the first comprehensive horizontal law governing artificial intelligence in the European Union. It classifies AI systems by risk — prohibited, high-risk, limited-risk and minimal-risk — and attaches obligations accordingly. It entered into force on 1 August 2024 and applies in phases, with most provisions becoming applicable through 2026.
Definition: General-purpose AI (GPAI)
GPAI stands for general-purpose AI: AI models that can competently perform a wide range of distinct tasks and be integrated into many different applications. Under the EU AI Act, providers of GPAI models carry transparency and technical-documentation duties, and models judged to pose systemic risk face additional obligations. A GPAI Code of Practice supports compliance.
Definition: AI literacy
AI literacy is the set of skills, knowledge and understanding that enables people to use AI systems appropriately and to grasp their opportunities, risks and possible harms. Under Article 4 of the EU AI Act, providers and deployers must take measures to ensure a sufficient level of AI literacy among their staff and others operating AI on their behalf, applying from February 2025.
Definition: CE marking
CE marking is the conformity marking that signals a product complies with the applicable requirements of EU law. Under the EU AI Act, a high-risk AI system must undergo conformity assessment and bear the CE marking before it is placed on the market or put into service, indicating that the provider claims it meets the Act’s requirements.
Definition: Colorado AI Act
The Colorado AI Act (Senate Bill 24-205), enacted in 2024, is the first comprehensive US state law regulating artificial intelligence. It targets algorithmic discrimination by developers and deployers of high-risk AI systems used in consequential decisions — such as employment, housing, lending and healthcare — through duties of reasonable care. Its effective date has been the subject of amendment.
Definition: NYC Local Law 144
NYC Local Law 144 is a New York City law regulating automated employment decision tools (AEDTs). It requires employers and employment agencies using an AEDT to have it independently bias-audited within the prior year, to publish a summary of the results, and to notify candidates. Enforcement of the law began in July 2023.
Definition: Texas TRAIGA
TRAIGA is the Texas Responsible Artificial Intelligence Governance Act (House Bill 149), a state AI law taking effect in January 2026. It centres on prohibited uses of AI — such as intentional manipulation or unlawful discrimination — and on governing the use of AI by Texas government agencies, rather than imposing the broad risk-tier obligations seen in the EU AI Act.
Definition: Shadow AI
Shadow AI is the unsanctioned use of artificial intelligence tools by employees without the oversight of an organisation’s IT, security or governance functions. It mirrors the older concept of shadow IT and is treated as a governance risk because ungoverned AI use can expose sensitive data, bypass policy controls and produce decisions that are neither documented nor reviewed.
Definition: AI watermarking
AI watermarking is the embedding of detectable signals or provenance markers in AI-generated content — such as images, audio, video or text — to indicate that it was produced or altered by AI. Approaches range from imperceptible statistical signals to provenance metadata standards such as C2PA content credentials. It features in EU AI Act transparency provisions and in US policy.
Definition: Prohibited AI practices
Prohibited AI practices are the uses of AI banned outright under Article 5 of the EU AI Act because they pose an unacceptable risk. They include certain manipulative or exploitative systems, social scoring by public authorities, untargeted scraping of facial images, and specified biometric uses. These prohibitions are among the first provisions to apply, from February 2025.
Definition: High-risk AI system
A high-risk AI system, under the EU AI Act, is an AI system used in sensitive domains listed in Annex III — such as employment, education, essential services, biometrics, law enforcement and critical infrastructure — or that acts as a safety component of a regulated product. These systems face the strictest requirements, including risk management, data governance, human oversight and conformity assessment.
Guide: US AI laws by state
US AI laws by state describe the patchwork of state and city measures that, in the absence of a comprehensive federal AI statute, regulate different aspects of artificial intelligence. Colorado enacted the first comprehensive state AI law; New York City regulates hiring tools; Texas, Utah and Illinois address specific uses. Each targets distinct concerns rather than forming a single national framework.
Comparison: EU AI Act vs US AI regulation
The key difference is structure. The EU AI Act is a single comprehensive, binding, horizontal regulation that classifies AI by risk tier across the whole Union. US AI regulation is a patchwork of sectoral rules, state and city laws and voluntary federal frameworks such as the NIST AI RMF, with no comprehensive federal AI statute. One is harmonised; the other is fragmented.
Definition: Conformity assessment
Conformity assessment is the process of verifying that a high-risk AI system meets the EU AI Act’s requirements before it is placed on the market or put into service. Depending on the system, this is done either through internal self-assessment by the provider or, in certain cases, by an independent third party known as a notified body. A successful assessment supports the EU declaration of conformity and CE marking. This describes the regulatory procedure; it is not legal advice on any specific product.
Definition: Notified body
A notified body is an accredited, independent organisation designated by an EU member state to perform third-party conformity assessments of certain high-risk AI systems under the EU AI Act. Where the regulation requires external assessment, the notified body evaluates the system and its documentation against the Act’s requirements before it can be placed on the market. Notified bodies are designated and overseen by national notifying authorities, and the concept is carried over from the EU’s wider product-safety framework. This describes the regulatory role, not legal advice.
Definition: AI Act timeline
The AI Act timeline is the phased schedule by which the EU AI Act’s obligations become applicable. The regulation entered into force on 1 August 2024, but its rules apply in stages: prohibited practices and AI literacy duties from February 2025, general-purpose AI (GPAI) obligations from August 2025, and most remaining provisions, including the core high-risk requirements, from August 2026, with certain rules following in 2027. The phasing gives providers and authorities time to prepare. This is a description of the schedule, not legal advice.
Definition: EU AI Office
The EU AI Office is a body within the European Commission established to oversee general-purpose AI (GPAI) models and to coordinate the implementation and enforcement of the EU AI Act across the Union. It supervises GPAI providers, supports the development of codes of practice and guidance, fosters consistency among national authorities, and contributes to international cooperation on AI. It works alongside national market-surveillance authorities and advisory bodies created by the Act. This describes its institutional role, not legal advice.
Definition: Systemic-risk AI
Systemic-risk AI is, under the EU AI Act, the category of general-purpose AI (GPAI) models with high-impact capabilities whose reach could have significant effects across the Union. The Act presumes systemic risk where a model’s training compute exceeds a defined threshold, and such models carry additional obligations — for example model evaluation, systemic-risk assessment and mitigation, incident reporting and cybersecurity. The AI Office supervises these models. This describes the regulatory classification and its consequences, not legal advice on any model.
Definition: AI regulatory sandbox
An AI regulatory sandbox is a controlled environment, established by a competent authority, in which innovative AI systems can be developed, trained, tested and validated under regulatory supervision before they are placed on the market. The EU AI Act requires member states to set up at least one national AI sandbox and provides the framework for them from Article 57 onwards. Sandboxes aim to support innovation, legal certainty and learning for both providers and regulators. This describes the mechanism, not legal advice.







