Tag: AI regulation

  • EU AI Act: Prohibited AI Practices Take Effect Feb 2025

    On 2 February 2025, the first substantive obligations of the European Union’s Artificial Intelligence Act began to apply. Six months after the Regulation entered into force on 1 August 2024, two early provisions switched on: the prohibitions on certain AI practices set out in Article 5, and the AI-literacy duty in Article 4. This article describes what changed on that date. It is a news explainer, not legal advice.

    What Article 5 prohibits

    Article 5 lists categories of AI use that the EU considers incompatible with fundamental rights and Union values, and therefore bans from the EU market. According to the published text of the Regulation, the prohibited practices include:

    • Manipulative or deceptive techniques that materially distort behaviour and cause significant harm.
    • Exploitation of vulnerabilities linked to age, disability or a specific social or economic situation.
    • Social scoring by public or private actors leading to detrimental or disproportionate treatment.
    • Individual criminal-risk prediction based solely on profiling or personality traits.
    • Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases.
    • Emotion recognition in workplaces and educational institutions, subject to narrow exceptions.
    • Biometric categorisation inferring sensitive attributes such as race, political views or sexual orientation.
    • Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, subject to limited, authorised exceptions.

    These are bright-line prohibitions rather than risk-managed permissions. For a fuller treatment of how the Act’s tiers fit together, see our pillar overview of the EU AI Act.

    The AI-literacy duty in Article 4

    Alongside the bans, Article 4 introduced an obligation that applies far more broadly. Providers and deployers of AI systems must take measures to ensure, to their best extent, a sufficient level of AI literacy among staff and other people operating AI systems on their behalf. The duty is framed proportionately: organisations must consider the technical knowledge, experience and training of the people involved, the context of use, and the individuals or groups the system is used on.

    Unlike Article 5, the literacy duty is not limited to high-risk or prohibited systems. The European Commission has published questions and answers describing how the obligation is intended to operate. The terminology around AI systems, providers and deployers is defined in the Regulation itself; readers new to these distinctions may find our dictionary useful.

    Why this date mattered

    The 2 February 2025 milestone was the first point at which any part of the AI Act created direct, applicable obligations. It signalled the start of phased application that continues across subsequent years. The dates were fixed relative to entry into force: prohibitions and literacy at six months, general-purpose AI obligations at twelve months, and the bulk of high-risk requirements later still.

    Scope and reach

    The AI Act applies to providers placing systems on the EU market and to deployers using them within the Union, regardless of where the provider is established. This extraterritorial reach means organisations outside the EU can fall within scope where their systems are used in the Union. The Regulation positions itself as a product-safety-style framework layered on top of existing rights protections rather than a replacement for them.

    How it relates to wider AI governance

    The EU’s approach is binding law, but it sits within a broader landscape of voluntary frameworks that organisations use to structure internal governance. Many map their controls against instruments such as the NIST AI Risk Management Framework or the management-system standard ISO/IEC 42001. These do not satisfy EU legal obligations on their own, but they are widely referenced when firms operationalise principles such as risk assessment and human oversight.

    The exceptions that shape the bans

    Several of the Article 5 prohibitions are not absolute but carry carefully bounded carve-outs, and the detail matters. The ban on real-time remote biometric identification in public spaces for law enforcement, for example, is subject to narrow exceptions for specified objectives such as searching for certain victims of crime, preventing a substantial and imminent threat to life, or locating suspects of serious offences — and those uses are themselves wrapped in authorisation and safeguard conditions. Similarly, the emotion-recognition prohibition focuses on workplace and educational settings while leaving room for limited medical or safety purposes. Understanding the bans therefore means reading the qualifications alongside the headline category, which is one reason the Commission has issued supplementary guidance.

    Guidelines on the prohibited practices

    Recognising that the bans took effect before every boundary was self-evident, the European Commission published guidelines on the prohibited practices to help interpret Article 5. These materials work through the categories with examples and clarifications, addressing recurring questions such as how to distinguish lawful persuasion from prohibited manipulation, and where everyday biometric features end and prohibited biometric categorisation begins. The guidelines are not themselves binding law — the Regulation’s text governs — but they are an authoritative reference point for organisations interpreting scope.

    What observers noted

    Commentators highlighted that the prohibitions and literacy duty arrived before detailed guidance and harmonised standards for later stages were finalised, leaving organisations to interpret some boundaries using the legislative text and Commission materials. The Commission has continued to publish guidance to clarify scope as later phases approach. Analysts also noted the breadth of the literacy duty relative to the bans: while only a defined set of systems is prohibited, the literacy expectation touches almost any organisation that builds or uses AI, making it the more widely felt of the two early obligations in practice.

    Penalties and enforcement architecture

    The AI Act backs its prohibitions with a tiered penalty structure, and breaches of Article 5 sit at the most serious end, attracting the highest potential fines under the Regulation. Enforcement is allocated to national authorities designated by member states, coordinated at Union level through the European Artificial Intelligence Office and a board of member-state representatives. The phased application dates determine when each obligation becomes enforceable, which is why the February 2025 milestone — switching on the bans and literacy duty — was the first point at which any enforcement exposure under the Act could arise.

    In summary

    The 2 February 2025 date marked the point at which the EU AI Act stopped being purely prospective. Article 5’s prohibitions removed a defined set of AI uses from the EU market, and Article 4’s literacy duty placed a general, proportionate expectation on organisations that build or use AI. The official consolidated timeline is maintained on the European Commission’s digital-strategy site. Readers should treat this as a factual summary of the events and consult qualified advisers for application to their own circumstances.

  • Colorado AI Act: First US State AI Law, and Its Delay

    Colorado’s Senate Bill 24-205, commonly called the Colorado AI Act, was enacted in 2024 as the first comprehensive US state law addressing algorithmic discrimination by high-risk AI systems. Its story is also one of repeated delay: the effective date was pushed back more than once before the framework itself was reshaped. This article describes the law and that timeline. It is news analysis, not legal advice.

    What SB24-205 set out to do

    The original law established duties for developers and deployers of high-risk artificial-intelligence systems — broadly, systems that make, or are a substantial factor in making, a consequential decision affecting access to things such as employment, education, financial services, housing, healthcare, insurance or legal services. Its central obligation was a duty of reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. The bill text and history are published by the Colorado General Assembly.

    Key obligations in the original text

    As originally drafted, SB24-205 contemplated obligations including:

    • Risk-management practices for deployers of high-risk systems.
    • Impact assessments evaluating the risk of algorithmic discrimination.
    • Consumer notice when a high-risk system is used to make a consequential decision.
    • Opportunities for consumers to be informed about, and in some cases to correct or appeal, adverse decisions.
    • Public disclosures about the types of high-risk systems a developer or deployer handles.

    The structure — distinguishing developers from deployers and centring on consequential decisions — drew comparison with risk-tiered approaches elsewhere, including the EU AI Act, though the Colorado law was narrower and built on a discrimination-protection foundation.

    The deferred effective date

    SB24-205 was originally scheduled to take effect on 1 February 2026. Before that date arrived, the legislature acted to postpone it. According to reporting and the legislative record, a subsequent bill moved the effective date to 30 June 2026, citing the need for more time to refine the framework. The repeated deferral became a notable feature of the law’s history: the first comprehensive US state AI statute spent much of its early life not yet in force.

    Coverage indicated that the framework was subsequently revisited and reshaped through further legislation rather than taking effect in its original form. Because the legislative position continued to evolve, readers should verify the current status directly against the General Assembly’s records rather than rely on any single account.

    Why the delays happened

    Public discussion around the postponements centred on implementation concerns: businesses, advocacy groups and officials raised questions about the breadth of definitions such as “consequential decision” and “substantial factor,” the burden of impact assessments, and how the duty of reasonable care would be interpreted. Supporters of delay framed the extra time as an opportunity to align the law with developing practice and to harmonise with parallel efforts elsewhere; critics warned that repeated postponement risked leaving consumers without the protections the law promised. The episode is frequently cited as an illustration of the practical challenges of being first — of writing comprehensive AI rules before consensus on definitions, methods and burdens had settled.

    Its significance regardless of the delays

    Even unimplemented in its initial form, SB24-205 was influential as a template. It demonstrated a US state model built around algorithmic-discrimination risk, developer-versus-deployer duties and impact assessments — concepts that recur across the wider patchwork of US state AI laws. Legislators and advocates in other states studied its drafting closely, and its definitions and mechanisms surfaced in later bills, so its conceptual footprint extended well beyond Colorado regardless of when, or whether, the original text bound anyone. Organisations structuring governance in response often look to voluntary instruments such as the NIST AI RMF and ISO/IEC 42001 to operationalise risk assessment and documentation, although those do not satisfy any specific statutory duty.

    Developers versus deployers

    One of SB24-205’s structural choices was to split duties between two roles. Developers — those who build or substantially modify a high-risk system — were expected to provide deployers with information needed to complete impact assessments and to make public disclosures about the systems they offer. Deployers — those who put a system to use in making consequential decisions — carried obligations around risk management, impact assessment, consumer notice and, in defined circumstances, opportunities for consumers to respond to adverse outcomes. This division mirrors a pattern increasingly common in AI legislation, recognising that the party building a system and the party using it often differ and hold different information.

    The attorney-general enforcement model

    Like several US state AI measures, SB24-205 placed enforcement with the state attorney general rather than creating a private right of action for individuals. The original framework also contemplated affirmative defences or safe-harbour-style provisions tied to following recognised risk-management frameworks and discovering and curing violations — a design intended to reward documented good-faith governance. The precise contours of these provisions were among the elements subject to revision as the law’s timeline shifted, which is a further reason to consult the current statutory text directly.

    Terminology

    The law leans on defined terms — high-risk AI system, consequential decision, algorithmic discrimination, developer and deployer — whose precise statutory meanings drive scope. Readers approaching these for the first time may find plain-language entries in our dictionary a useful companion to the statutory text.

    In summary

    Colorado’s SB24-205 was the first comprehensive US state AI law to target algorithmic discrimination, built around a duty of reasonable care, impact assessments and consumer notice. Its effective date was deferred more than once and the framework was later reshaped, so its current status should be checked against official records. This article is a neutral summary of those developments and not legal advice.

  • Texas TRAIGA and the US State AI-Law Patchwork

    The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), enacted as House Bill 149, took effect on 1 January 2026. It is one of the more comprehensive entries in a rapidly expanding patchwork of US state AI laws, in which different states regulate different aspects of AI in different ways. This article explains TRAIGA’s main features and how state approaches diverge. It is informational and not legal advice.

    What TRAIGA does

    TRAIGA establishes a framework governing the development and deployment of AI systems in Texas. Reported features include:

    • A broad definition of AI systems, covering machine-based systems that infer from inputs how to generate outputs such as content, decisions, predictions or recommendations — not only generative AI.
    • Prohibited uses, including AI developed or deployed for unlawful behavioural manipulation, certain forms of unlawful discrimination, and specified harmful content.
    • Obligations on government entities, such as disclosure to consumers that they are interacting with an AI system, and restrictions on social-scoring and certain biometric uses.
    • A duty for healthcare providers to disclose to patients where AI is used in their care.
    • A regulatory sandbox for testing AI systems and an AI advisory council to inform policy.

    Enforcement is reserved to the Texas Attorney General, with civil penalties and a cure period before action, and the law does not create a private right of action. The statute and analyses are summarised in published legal commentary; the bill itself is available through the Texas Legislature.

    Scope and reach

    TRAIGA is reported to apply broadly: to those conducting business in Texas, offering products or services to Texas residents, or developing or deploying AI systems in the state. That framing can pull in out-of-state organisations whose systems reach Texas residents, a common feature of state-level technology laws. As enacted, the law was described as a pared-back version of earlier, more expansive drafts, with some of the broadest proposed duties narrowed before passage. This trajectory — an ambitious initial proposal trimmed during the legislative process — is itself characteristic of how several state AI bills have moved from introduction to law.

    The patchwork problem

    TRAIGA’s significance is amplified by its context. In the absence of a single comprehensive federal AI statute, US states have moved at different speeds and along different conceptual lines. The result is a patchwork in which the same AI system can face materially different rules depending on where it is used. Broad themes include:

    • Comprehensive risk frameworks. The Colorado AI Act (SB24-205) pioneered a developer-and-deployer model centred on algorithmic discrimination in consequential decisions, though its effective date was repeatedly deferred.
    • Targeted use-case rules. NYC Local Law 144 regulates a single use — automated employment decision tools — through mandatory bias audits and disclosure.
    • Transparency and disclosure laws. Several states have enacted measures focused on disclosing AI-generated content, chatbots or deepfakes, themes we follow under generative-AI disclosure.
    • Broad governance statutes. TRAIGA itself blends prohibited-use rules, government-specific duties, sectoral disclosure and a sandbox.

    For a structured comparison of these regimes, see our overview of US AI laws by state.

    What differs state to state

    The divergence runs along several axes. States differ on who is regulated (developers, deployers, government, specific sectors), on what triggers obligations (consequential decisions, employment screening, content generation, biometric use), on core mechanisms (impact assessments, bias audits, consumer notices, prohibited-use lists), and on enforcement (attorney-general action versus, in some cases, other routes). Even shared concepts like “high-risk” or “consequential decision” can carry different statutory meanings. This variability is the defining operational challenge of the patchwork.

    The sandbox and advisory council

    Two features distinguish TRAIGA from purely prohibitive approaches. The regulatory sandbox is intended to let participants develop and test AI systems under a relaxed regulatory posture, with the aim of encouraging innovation while gathering information about emerging uses. The AI advisory council is positioned to inform the legislature and state agencies on AI policy, the use of AI within government, and improvements to the sandbox. Together these reflect a model that pairs enforcement with structured experimentation and ongoing policy review — an approach that contrasts with measures focused solely on prohibitions or audits.

    Federal-state tension

    The patchwork exists against a backdrop of debate about whether AI should be governed primarily at the federal or state level. Proposals to limit or pre-empt state AI regulation have surfaced in national policy discussions, and the outcome of that debate would directly affect how durable individual state laws prove to be. For organisations, this adds a layer of uncertainty: the rules in force today reflect a particular moment in an unsettled allocation of authority, and the balance between state initiative and federal coordination remains an open question that could reshape the landscape.

    How organisations respond

    Faced with multiple overlapping regimes, many organisations build a governance baseline using voluntary frameworks and then layer state-specific obligations on top. The NIST AI RMF is frequently used to structure risk management, and ISO/IEC 42001 to provide an auditable management system; international comparisons are also drawn with the EU AI Act. None of these substitutes for a given state’s legal requirements, but they offer common scaffolding across jurisdictions. Readers encountering terms such as deployer, consequential decision or regulatory sandbox may find our dictionary helpful.

    In summary

    TRAIGA, effective 1 January 2026, adds a broad governance statute to a US state AI-law patchwork that already spans comprehensive risk frameworks, targeted use-case rules and transparency measures. The practical consequence is divergence: scope, triggers, mechanisms and enforcement vary by state. This article is a neutral overview, not legal advice; organisations should consult qualified counsel and the relevant statutes for their own circumstances.