Tag: state ai laws

  • AI Legislation Tracker: Free Tools Compared for Research Offices

    An AI legislation tracker is a curated, continuously updated resource that monitors the progress of artificial intelligence bills, statutes and regulations across jurisdictions. For research offices, three free options cover the ground a paid GRC subscription would otherwise charge for: the IAPP’s US State AI Governance Legislation Tracker for state-level bills, White & Case’s AI Watch for a global regulatory sweep, and the AI Act Explorer for line-by-line navigation of the EU AI Act. Used together, they give research administrators enough coverage to flag compliance and procurement risk without a dedicated legal-intelligence budget.

    An AI legislation tracker is a legal-intelligence tool — usually maintained by a law firm, professional association, or legislature — that indexes AI-related bills and regulations by jurisdiction, status and topic so non-specialists can monitor change without reading primary legislative text. For a research office, that means catching a new state disclosure requirement or an EU AI Act compliance deadline before it lands in an audit finding.

    What is an AI legislation tracker, and why does a research office need one?

    Research offices sit at the intersection of three regulatory pressures: institutional AI-use policy, funder terms and conditions, and the AI laws of every jurisdiction in which their institution operates, procures software or receives funding. No single regulator publishes a consolidated feed of all three, which is why legal-intelligence trackers — built by law firms and associations to serve their own clients — have become the de facto public monitoring layer for everyone else.

    Three gaps make this monitoring hard for a research office specifically. First, state-level fragmentation in the US: MultiState.ai reported tracking 1,561 AI-related bills across 45 states in early 2026, and a bill’s status can change between a legislative session’s opening and a grant’s renewal date. Second, phased EU obligations: the AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 but applies in stages — prohibited-practice provisions since 2 February 2025, general-purpose AI model obligations since 2 August 2025, and the bulk of high-risk system obligations from 2 August 2026. Third, procurement-clause drift: institutional purchasing teams increasingly need to know whether a vendor’s AI tool falls under a “high-risk” classification before a contract is signed, not after.

    Comparing the free trackers: IAPP, White & Case AI Watch and the AI Act Explorer

    Each of the three core tools covers a different layer of the regulatory stack. None requires a paid subscription for the baseline tracker view, though firms use them as client-development tools, so update cadence and depth of legal commentary vary.

    | Tool | Publisher | Geographic scope | Best use for a research office | Cost |
    |---|---|---|---|---|
    | US State AI Governance Legislation Tracker | IAPP | US state legislatures | Flagging new state disclosure/consumer-protection bills affecting AI-assisted research tools | Free |
    | AI Watch: Global Regulatory Tracker | White & Case | US, EU, UK, China and other core markets | Cross-jurisdiction horizon-scanning for institutions with international partners | Free |
    | AI Act Explorer | Future of Life Institute (artificialintelligenceact.eu) | European Union | Locating the exact article/annex governing a specific AI use case before procurement sign-off | Free |
    | Artificial Intelligence Legislation Database | National Conference of State Legislatures (NCSL) | US state legislatures | Official-source cross-check against law-firm trackers, filterable by policy topic | Free |
    | OECD.AI Policy Navigator | OECD | 80+ countries and international bodies | Global baseline for institutions with funders or partners outside the US/EU | Free |

    Two law-firm trackers rarely agree exactly on bill status, since each applies its own inclusion criteria — the IAPP chart, for example, deliberately excludes government-only AI bills to focus on rules affecting private-sector organisations. A research office should treat the NCSL database as the authoritative cross-check whenever a law-firm tracker and an internal compliance log disagree, since NCSL draws directly from legislative records rather than curated commentary.

    How to monitor AI law without a paid GRC subscription

    A practical monitoring routine needs three components: a jurisdiction list, a check cadence, and an escalation trigger. Map the institution’s actual footprint — states where staff or partner sites are located, countries with active funder relationships, and any EU-based collaborators — against the five tools above, rather than trying to watch all 45+ US states with active bills at once.

    • Set a monthly review of the IAPP tracker and NCSL database for the institution’s home state plus any state with a satellite campus or major subcontractor.
    • Set a quarterly review of White & Case AI Watch for jurisdictions tied to international grant or publishing partners.
    • Check the AI Act Explorer whenever procuring or renewing an AI-enabled research tool from an EU-based or EU-selling vendor, since Article 53 transparency obligations for general-purpose AI providers already apply.
    • Escalate to institutional counsel the moment a tracked bill moves from “introduced” to “enacted” in a jurisdiction on the footprint list — status changes, not initial filings, are the actionable signal.

    This cadence substitutes staff time for the subscription cost of a commercial GRC platform. It will not catch everything a paid legal-intelligence service would, but it closes the gap between “no monitoring” and “monitoring proportionate to institutional risk,” which is the realistic target for most research offices.

    Which AI rules actually affect grant compliance and procurement

    Not every tracked bill is relevant to a research office. The ones that matter cluster into two categories: funder-facing disclosure requirements and vendor/procurement obligations. On the funder side, publishers already require disclosure of generative-AI use in manuscript preparation under guidance from bodies such as ICMJE and COPE — a policy layer that sits alongside, not inside, the legislative trackers above, and one research offices should monitor through authorship policy channels rather than a legislation tracker.

    On the procurement side, the EU AI Act’s general-purpose AI model obligations — applicable since 2 August 2025 — require providers to maintain technical documentation and, for systemic-risk models, conduct model evaluations; institutions procuring AI research tools from in-scope vendors should expect updated contract terms reflecting this. Separately, under Article 57 of Regulation (EU) 2024/1689, each EU member state must establish at least one national AI regulatory sandbox operational by 2 August 2026 — a detail the AI Act Explorer surfaces clearly but general news coverage rarely mentions, and one that matters to institutions running EU-based pilot deployments of AI research tools.

    In the US, state consumer-protection style AI bills increasingly impose obligations on “deployers” as well as developers — meaning an institution using a third-party AI tool, not just the vendor that built it, can carry compliance obligations. This is the single most consequential fact a research office should extract from the state trackers: deployer obligations mean procurement due diligence, not just vendor selection, is now a compliance function.

    Common questions research administrators ask

    Are there any regulations on AI?

    Yes. There is no comprehensive federal AI statute in the United States, but individual US states have enacted targeted laws, the European Union’s AI Act (Regulation (EU) 2024/1689) is in force with phased obligations through 2027, and dozens of other jurisdictions maintain sector-specific or principles-based AI policy frameworks tracked by the OECD.

    Does Europe have AI regulations?

    Yes. The EU AI Act is the first comprehensive AI-specific legal framework, entering into force on 1 August 2024. Prohibited-practice rules applied from February 2025, general-purpose AI model obligations from August 2025, and most high-risk system requirements apply from August 2026 onward.

    Where are the AI regulations?

    AI rules are distributed across national statutes, EU regulation, and US state legislatures rather than one source — which is precisely why trackers such as IAPP’s state chart, White & Case’s AI Watch, and the AI Act Explorer exist: each consolidates one layer of a fragmented, multi-jurisdiction landscape into a single reference point.

    The regulatory landscape a research office must monitor will keep expanding rather than consolidating: more US states are expected to move bills from “introduced” to “enacted” through 2026 and 2027, and the EU AI Act’s remaining compliance deadlines run to August 2027. A footprint-mapped, tiered-cadence monitoring routine built on these five free trackers is a realistic, sustainable substitute for a paid GRC subscription — provided it is reviewed and re-scoped as the institution’s own AI use, partnerships and procurement expand.

  • AI Research, Innovation, and Accountability Act: What Research Offices Need to Know

    The AI Research, Innovation, and Accountability Act (AIRIA, S.3312) was a bipartisan US Senate bill that would have created federal risk tiers, transparency reporting, and certification duties for high-impact AI systems. It cleared the Senate Commerce Committee in July 2024 but died when the 118th Congress adjourned in January 2025. Its framework has not disappeared, however: near-identical risk-tier and disclosure ideas now surface in state AI statutes, in federal agency guidance, and in follow-on bills before the 119th Congress — several of which already touch how NIH and NSF handle AI in grant review.

    AIRIA is a defined legislative proposal, not a law currently in force: it is the bill that proposed classifying AI systems as “high-impact” or “critical-impact” and tasking the National Institute of Standards and Technology (NIST) with testing, evaluation, validation, and verification standards for the highest-risk category.

    What is the AI Research, Innovation, and Accountability Act?

    The AI Research, Innovation, and Accountability Act is a US Senate bill introduced on 15 November 2023 by Senators John Thune (R-SD), Amy Klobuchar (D-MN), Roger Wicker (R-MS), John Hickenlooper (D-CO), Shelley Moore Capito (R-WV), and Ben Ray Luján (D-NM). It proposed a risk-based federal framework rather than blanket rules for all AI.

    Core provisions included:

    • A two-tier risk classification for “high-impact” and “critical-impact” AI systems used in consequential decisions.
    • Mandatory transparency reports and risk assessments from developers and deployers of the highest-risk systems.
    • A NIST-led programme to develop testing, evaluation, validation, and verification (TEVV) standards.
    • A certification and enforcement structure housed at the Department of Commerce.
    • A consumer-education and industry working-group mandate to support voluntary compliance ahead of formal rules.

    Unlike the EU’s comprehensive AI Act, AIRIA targeted only the highest-risk use cases and left most research and low-risk commercial AI activity outside its scope.

    What happened to AIRIA in Congress?

    AIRIA advanced further than most AI bills of its era but still did not become law. The Senate Committee on Commerce, Science, and Transportation ordered it reported on 31 July 2024, and the Congressional Budget Office published a cost estimate on 6 December 2024. Under standard congressional procedure, any bill not enacted before a Congress ends is considered dead; AIRIA lapsed with the close of the 118th Congress on 3 January 2025 and was not carried forward automatically.

    That is not the end of the story. Several bills before the 119th Congress (2025–2026) reuse AIRIA’s building blocks — including the AI Accountability Act (H.R.1694), which directs a federal study of AI accountability measures, and the Future of Artificial Intelligence Innovation Act of 2026 (S.3952), which revives the NIST standards-and-evaluation mandate AIRIA proposed. None of these has replicated AIRIA in full, but the pattern is consistent: risk tiers, NIST-run testing standards, and disclosure duties keep reappearing in federal drafting, which is why the original bill remains a useful reference text even though it never passed.

    How does AIRIA interact with NIH and NSF grant compliance?

    AIRIA itself never reached the funding agencies, but the compliance gap it targeted — undisclosed or unaccountable AI use in high-stakes review processes — is already being filled through agency policy rather than statute. Research offices do not need AIRIA to pass to feel its logic in practice.

    • NIH issued NOT-OD-23-149, prohibiting NIH scientific peer reviewers from uploading grant application or critique content into generative AI tools, to protect peer-review confidentiality and integrity.
    • NSF issued a parallel notice on 14 December 2023 barring reviewers from entering proposal or review information into non-approved generative AI tools, with corresponding updates folded into the Proposal & Award Policies and Procedures Guide (PAPPG).
    • OMB Memorandum M-24-10, issued 28 March 2024, requires every CFO Act agency — including the parent departments of NIH and NSF — to designate a Chief AI Officer, convene an AI governance board, inventory AI use cases annually, and publish compliance plans.

    Research administrators should read AIRIA less as a future obligation and more as the missing statutory layer above rules that funders have already implemented administratively. If AIRIA-style provisions are eventually enacted, they would most plausibly formalise — not replace — the NIH and NSF confidentiality prohibitions and the OMB governance-board model that are already operating today.

    How does AIRIA compare with state AI laws and the EU AI Act?

    Research institutions rarely operate under one AI framework. Multi-state university systems, international co-investigators, and federally funded projects with EU partners are simultaneously exposed to federal inaction, an unsettled state landscape, and a phased EU regime.

    | Framework | Jurisdiction | Status as of July 2026 | Relevance to research offices |
    |---|---|---|---|
    | AIRIA (S.3312) | US federal (Senate) | Died with the 118th Congress, 3 Jan 2025; ideas recur in newer bills | Reference model for future federal risk-tier and disclosure rules |
    | OMB M-24-10 | US federal (executive) | In effect since 28 Mar 2024 | Directly governs how NIH, NSF, and other agencies use AI internally |
    | NIH / NSF AI notices | US federal agency policy | In effect since Jun–Dec 2023 | Bars generative AI use in peer review of grant applications |
    | Colorado AI Act (SB 24-205) | US state | Repealed by SB 26-189 (14 May 2026); never took effect | Cautionary example — comprehensive state AI law can collapse before compliance deadlines |
    | Texas TRAIGA | US state | In effect 1 Jan 2026 | Intent-based liability model; applies to any AI system touching Texas residents |
    | EU AI Act | European Union | Phased in Aug 2024–Aug 2026 | Relevant to Horizon Europe co-investigators and EU-based research partners |

    The Colorado reversal is the clearest recent signal: SB 24-205 was the first comprehensive US state AI law, but Colorado Governor Jared Polis signed its full replacement, SB 26-189, on 14 May 2026 — meaning the original statute never actually took effect. State AI law is moving fast and is not stable enough to treat any single statute as a durable compliance target.

    Common questions research administrators ask

    What is the AI Research, Innovation, and Accountability Act?

    It is a 2023 US Senate bill (S.3312) that proposed risk-tiered federal oversight of “high-impact” and “critical-impact” AI systems, including NIST-led testing standards and mandatory transparency reporting. It advanced through Senate Commerce Committee review in 2024 but was never enacted.

    What is the AI legislation situation in 2026?

    No single comprehensive federal AI statute exists in the United States as of mid-2026. Oversight instead comes from a patchwork of agency guidance (OMB M-24-10, NIH and NSF notices), a shifting set of state statutes (Texas TRAIGA in effect, Colorado’s law repealed and replaced), and several competing federal bills still in committee.

    What are the seven principles referenced in AI regulatory frameworks?

    Frameworks such as the EU AI Act commonly cite human agency and oversight, technical robustness and safety, privacy and data governance, transparency, non-discrimination and fairness, societal and environmental wellbeing, and accountability. AIRIA did not adopt this exact list but pursued the same accountability and transparency goals through US-specific risk tiers.

    Why research offices should track this now

    Waiting for a federal AI bill to pass before building internal AI-use policy is the wrong sequencing. NIH and NSF already enforce confidentiality rules on generative AI in peer review, OMB already requires agency AI governance boards, and state rules are changing faster than any single institution can absorb reactively — Colorado’s reversal took less than two years from enactment to repeal.

    Research offices should treat AIRIA as a design template, not a deadline. Institutions that map their existing AI-use disclosure practices against AIRIA’s risk-tier and TEVV concepts now will be positioned to adapt quickly if a successor bill — whether H.R.1694, S.3952, or a future proposal — advances further than AIRIA did. The direction of travel across federal agency guidance, state law, and the EU AI Act is consistent even where the US federal statute itself has stalled: more disclosure, more documented risk assessment, and more named institutional accountability for AI used in decisions that affect people’s funding, careers, and research records.

    For related compliance context, see CASRAI’s research administration resources and the CASRAI Dictionary for definitions of adjacent governance and compliance terms.

  • State AI Laws Create a Patchwork for Consortia

    State AI laws are the individual statutes and regulations that US states — rather than the US Congress — have enacted to govern the development, deployment and disclosure of artificial intelligence, and by mid-2026 more than 45 states have introduced such legislation with no unifying federal framework in place. For research consortia and shared-service research offices that span multiple states, this means the same AI-assisted grant-writing tool, chatbot, or automated screening system can be lawful in one member campus’s state and restricted or unlawful in another’s.

    A state AI law is a statute enacted by an individual US state legislature — as distinct from federal legislation — that regulates how artificial intelligence systems are developed, deployed, disclosed, or audited within that state’s jurisdiction.

    What Are State AI Laws, and How Many States Have Passed Them?

    State AI laws cover a wide range of obligations: algorithmic-discrimination audits, generative-AI content disclosure, “high-risk” system impact assessments, and rules on AI use in employment and consumer decisions. According to the National Conference of State Legislatures (NCSL), in the 2025 legislative session all 50 states, Puerto Rico, the Virgin Islands, and Washington, DC introduced AI-related legislation — a volume that state legislative trackers report continued to accelerate into 2026, with well over a thousand AI-related bills introduced nationwide.

    No two states have adopted the same definitions, thresholds, or enforcement mechanisms. A tool classified as “high-risk automated decision-making” in one state’s statute may fall entirely outside another state’s scope, or be captured under a different label altogether.

    How Do California, Colorado, and Texas AI Laws Compare?

    Three states illustrate how far the approaches diverge. California has two distinct statutes that took effect on 1 January 2026: the Transparency in Frontier AI Act (SB 53), which imposes safety and transparency reporting duties on developers of large-scale frontier models, and the AI Transparency Act (SB 942), which requires disclosure when content is AI-generated. Colorado enacted the first comprehensive state AI statute, the Colorado AI Act (SB 24-205), which took effect in June 2026 and requires developers and deployers of high-risk AI systems to complete impact assessments and provide consumer disclosures; a subsequent amendment, SB 26-189, narrowed that scope to automated decision-making technology, with a revised effective date of 1 January 2027. Texas, by contrast, passed the Texas Responsible AI Governance Act (TRAIGA), which favours an industry self-governance framework over Colorado’s impact-assessment model.

    | Jurisdiction | Key statute | Core mechanism | Effective date |
    |---|---|---|---|
    | California | SB 53 (Transparency in Frontier AI Act); SB 942 (AI Transparency Act) | Frontier-model safety reporting; AI-generated content disclosure | 1 January 2026 |
    | Colorado | Colorado AI Act (SB 24-205), amended by SB 26-189 | Impact assessments for automated decision-making technology | 1 January 2027 (as amended) |
    | Texas | Texas Responsible AI Governance Act (TRAIGA) | Industry self-governance framework | Enacted 2025 |
    | Federal | Executive Order, “Ensuring a National Policy Framework for Artificial Intelligence” | Directs agencies to identify and challenge state AI laws seen as burdensome | 11 December 2025 (signed) |

    Is the Federal Government Trying to Preempt State AI Laws?

    Yes — but not yet through legislation that has passed Congress. On 11 December 2025, the White House signed an executive order, “Ensuring a National Policy Framework for Artificial Intelligence,” directing federal agencies to identify state AI laws that require models to alter their truthful outputs or that otherwise obstruct a national AI policy. The order instructs agencies to evaluate funding and litigation levers against such state statutes, but an executive order cannot itself repeal state law: only Congress or the courts can do that, and no comprehensive federal AI statute analogous to the EU AI Act has been enacted.

    Until preemption legislation clears Congress — proposals exist but none has passed as of mid-2026 — state AI laws remain, in the words of one large law firm’s 2026 tracker, “the primary source of compliance obligations” for organisations operating in the United States.

    Why Is the Patchwork a Problem for Multi-Campus Research Consortia?

    Multi-state research consortia, shared-service research offices, and multi-site funded studies do not choose a single home jurisdiction the way a single-campus institution does. A consortium spanning California, Colorado, Texas, and a fourth state must reconcile at least three incompatible disclosure and assessment regimes simultaneously — and update that reconciliation as amendments such as Colorado’s SB 26-189 shift scope and effective dates mid-cycle.

    This creates specific friction points for research administration:

    • AI-assisted grant writing and proposal development may trigger content-disclosure duties in California but not in a partner state, complicating a single consortium-wide authorship and disclosure policy.
    • Automated screening or scoring tools used in participant recruitment, peer review triage, or research-integrity checks can qualify as “high-risk automated decision-making” in Colorado while sitting outside any equivalent category in Texas.
    • Shared IT and data infrastructure hosted in one state does not exempt a consortium from a partner campus’s home-state obligations when researchers in that state are end users of the system.
    • Vendor contracts for AI writing, transcription, or analysis tools need jurisdiction-by-jurisdiction compliance riders rather than a single boilerplate clause.

    Research offices increasingly need to disclose AI involvement in scholarly outputs regardless of state law, aligning with journal and funder expectations. Where AI tools contribute to drafting, structured contributor role taxonomies used in authorship disclosure — the model CASRAI originated in 2014 and which NISO now stewards as ANSI/NISO Z39.104-2022 — offer one consistent way to record human-versus-tool contribution that sits independently of any single state’s transparency statute.

    Answer-First Q&A

    How many US states have introduced AI legislation in 2026?

    By the 2025 legislative session, all 50 states, Puerto Rico, the Virgin Islands, and Washington, DC had introduced AI-related legislation, according to the National Conference of State Legislatures. State legislative trackers report the volume of AI-related bills continued to climb through early 2026, spanning dozens of states with no sign of consolidation.

    Does the federal executive order override state AI laws?

    No. The December 2025 executive order directs federal agencies to identify and challenge state AI laws it views as obstructive, but an executive order cannot repeal state statute. Only an act of Congress or a binding court ruling can preempt state AI law, and no such federal AI statute has been enacted as of mid-2026.

    What is the Colorado AI Act’s current status?

    The original Colorado AI Act (SB 24-205) required impact assessments for high-risk AI systems. It was subsequently narrowed by SB 26-189 to focus specifically on automated decision-making technology, with a revised effective date of 1 January 2027, replacing the earlier June 2026 start date.

    What should a multi-state research consortium put in its AI-use policy?

    A consortium policy should map every member campus’s home-state AI statute, flag tools that trigger disclosure or impact-assessment duties in any one jurisdiction, and apply the strictest applicable standard consortium-wide rather than negotiating exceptions state by state.

    Implications for Shared-Service Research Offices

    Shared-service research offices — the units that run grants administration, research integrity, and compliance for several campuses at once — cannot rely on a single state’s AI statute as their reference point. The practical implication is that AI-use policy for a multi-campus consortium must be built to the strictest state standard among its members, then adjusted downward only where a specific campus’s home-state law is demonstrably more permissive and the consortium is willing to operate two policy tiers. Bodies such as NCURA and EARMA increasingly field member questions on exactly this cross-jurisdictional friction, reflecting how quickly the patchwork has become an operational, not just a legal, concern.

    Consortium agreements and vendor contracts should each name which state-law regime governs AI tool use for that workflow, rather than assuming the lead institution’s state law applies uniformly to every partner.

    Outlook

    Absent a federal AI statute, the state-by-state pattern set by California, Colorado, and Texas is likely to keep expanding rather than converging in the near term. Consortia that govern to the strictest applicable state standard, and document AI contribution through structured, framework-neutral disclosure practices, will adapt faster as more states legislate and as amendments such as SB 26-189 continue to shift effective dates and scope. Treat this as a standing monitoring task, not a one-time policy update — state statutes are already being amended within their first year in force.

  • Council of Europe AI Treaty: A Second Track

    The Council of Europe AI treaty — formally the Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law — is the first legally binding international treaty on artificial intelligence. Opened for signature on 5 September 2024 and designated CETS No. 225, it runs alongside, not inside, the EU AI Act, and it applies across the Council of Europe’s 46 member states plus a growing list of non-European signatories, including the United States.

    The Framework Convention is a treaty under public international law, not an EU regulation: it creates binding obligations for the states that ratify it, each of which must transpose those obligations into domestic law. That structure makes it a second, parallel governance track for any research institution operating in a Council of Europe member state that sits outside the European Union — the United Kingdom, Switzerland, Norway, Ukraine, Türkiye, and more than a dozen others.

    What is the Council of Europe AI treaty?

    The Framework Convention was negotiated by the Council of Europe’s Committee on Artificial Intelligence (CAI), successor to the ad hoc committee (CAHAI) that began scoping work in 2019. It was drafted by the Council of Europe’s 46 member states with observer states Canada, Japan, Mexico, the Holy See and the United States, plus the European Union and non-member states including Australia, Argentina, Costa Rica, Israel, Peru and Uruguay.

    According to the Council of Europe, 68 representatives from civil society, academia and industry contributed to the drafting. The treaty sets out principles AI systems must respect: human dignity, equality and non-discrimination, privacy and data protection, transparency and oversight, accountability, safe innovation, and remedies for people affected by AI-driven decisions.

    • Deliberately technology-neutral, so the text does not require revision each time a new AI architecture emerges.
    • Applies to AI systems used by public authorities (including private actors acting on their behalf) and by private-sector actors.
    • Excludes national defence matters and most research and development activity, with one important exception (see below).
    • Monitored by a Conference of the Parties, which reviews implementation and facilitates stakeholder hearings.

    Who has signed and ratified it?

    The treaty opened for signature on 5 September 2024. Early signatories included the European Union, the United Kingdom and the United States, alongside several Council of Europe member states. Since then, further states — including Bosnia and Herzegovina, North Macedonia, the Republic of Moldova and San Marino — have signed or moved toward ratification, per the Council of Europe’s treaty tracking page.

    A pivotal step came on 15 May 2026, when the European Union formally ratified the Framework Convention, according to the Council of Europe’s Artificial Intelligence Portal. Ratification does not fold the treaty into EU law; the two instruments remain distinct tracks the Union has committed to enforcing in a complementary way.

    Because the Council of Europe has 46 member states — nearly double the EU’s 27 — a large bloc of countries with binding obligations under this treaty will never be covered by the EU AI Act at all: the UK, Switzerland, Norway, Iceland, Ukraine, Türkiye, Armenia, Georgia, Azerbaijan and the Western Balkan states listed above.

    How does it differ from the EU AI Act?

    The EU AI Act (Regulation (EU) 2024/1689) is directly applicable law inside the EU and EEA, built on a tiered risk-classification system with technical and conformity obligations. The Framework Convention is a different instrument: a human-rights treaty setting baseline principles for ratifying states to implement through domestic legislation, not a self-executing regulatory code.

    | Dimension | Council of Europe AI treaty | EU AI Act |
    |---|---|---|
    | Legal form | International treaty (CETS No. 225) | Directly applicable EU regulation |
    | Territorial reach | 46 Council of Europe member states + non-European signatories (US, others) | 27 EU member states + EEA |
    | Approach | Principles-based human-rights baseline | Risk-tiered technical compliance regime |
    | Enforcement | Domestic implementing law per ratifying state; Conference of the Parties oversight | National market-surveillance authorities + EU AI Office |
    | R&D treatment | Excluded, except where testing may interfere with rights/democracy/rule of law | Research exemption with narrower conditions |

    Legal trackers such as White & Case’s AI Watch note the Framework Convention requires each signatory to ensure remedies are available to those affected by AI systems — an obligation that exists independently of whatever risk category the EU AI Act would assign to the same system.

    Does it apply to research and development?

    This is the detail research institutions most often miss. The Framework Convention does not apply to research and development activities — except when testing of an AI system may interfere with human rights, democracy or the rule of law. The carve-out is narrower than it looks: once a prototype moves from the lab into testing that touches real people’s data or opportunities, the exception can lapse and obligations on transparency, accountability and remedy attach.

    For universities, research funders and multinational consortia, this means AI-enabled research tools — automated peer-review triage, algorithmic grant scoring, participant-recruitment models, predictive analytics on patient or student data — are not automatically outside scope simply because they originate in a research setting. Institutions in non-EU Council of Europe states cannot assume “the EU AI Act doesn’t apply to us” settles the matter; the Framework Convention raises a parallel, sometimes broader, compliance question the moment R&D testing touches real-world rights.

    Frequently asked questions

    What is the Council of Europe AI treaty?

    The Council of Europe AI treaty is the Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law, opened for signature on 5 September 2024. It is the first legally binding international treaty requiring signatory states to govern the full lifecycle of AI systems in line with human rights, democratic values and the rule of law.

    Which countries have signed the Council of Europe AI treaty?

    Early signatories included the European Union, United Kingdom and United States, joined since by further Council of Europe member states including Bosnia and Herzegovina, North Macedonia, the Republic of Moldova and San Marino. The EU formally ratified the treaty on 15 May 2026, per the Council of Europe’s official portal.

    Is the Council of Europe AI treaty the same as the EU AI Act?

    No. The EU AI Act is a directly applicable EU regulation limited to the EU/EEA. The Council of Europe treaty is a separate international human-rights instrument spanning 46 member states plus non-European signatories, enforced through each state’s own domestic implementing legislation.

    Does the treaty regulate university and funder AI tools?

    Generally research and development is excluded, but the exclusion lifts once AI testing could affect real people’s rights — for example, algorithmic grant scoring or predictive analytics on participant data. Institutions should not assume research-labelled AI tools sit permanently outside the treaty’s reach.

    Implications and outlook for research institutions

    Research institutions in a Council of Europe member state outside the EU should treat the Framework Convention as an independent compliance track, not a footnote to EU AI Act guidance. Practical steps:

    • Map which AI systems used in research administration, grant assessment or participant-facing services could trigger the treaty’s rights-impact exception once national implementing legislation is adopted.
    • Track ratification status in each jurisdiction where the institution operates, since obligations activate state-by-state, not on a single EU-wide date.
    • Build transparency and remedy mechanisms — notice of AI use, a route to challenge automated decisions — into research-facing AI tools regardless of which regime formally applies yet.

    Globally, the treaty is one entry in a widening, uneven map of AI regulations around the world: the EU’s harmonised regulatory code, the Council of Europe’s rights-based treaty spanning EU and non-EU states, a fragmented patchwork of US state AI laws in the absence of comprehensive federal legislation, and sector-specific rules elsewhere. Institutions tracking several of these regimes at once increasingly need an AI legislation tracker that separates treaty-level from regulation-level instruments, rather than one undifferentiated “AI law” category.

    The Framework Convention will not be the last binding international AI instrument. Its Conference of the Parties is designed to accumulate practice and guidance over time, as other Council of Europe human-rights treaties have. Research institutions that build AI governance around rights-based principles now — not only EU AI Act risk tiers — will be better placed as more states ratify and more domestic implementing laws take effect. CASRAI’s research administration resources track how such cross-border compliance obligations intersect with day-to-day research operations.

  • AI Regulations Around the World: A 4-Jurisdiction Comparison for Research Consortia

    AI regulations around the world diverge sharply in 2026: the EU AI Act is a binding, risk-tiered statute with extraterritorial reach; US oversight is a fragmented state-law patchwork with no federal statute; China runs a registration-and-content-control regime; and the Council of Europe treaty sets shared principles without direct enforcement. No single checklist covers every consortium partner.

    AI regulation is the set of binding statutes, administrative measures and international instruments that govern how artificial intelligence systems may be developed, deployed and used within a given jurisdiction. For a multi-country research consortium, that matters practically: the same AI-assisted analysis tool or generative writing aid can be lawful for one partner and non-compliant for another, purely because of where each institution sits.

    This article maps the four regimes that most often collide in international data-sharing agreements — the EU AI Act, US state AI laws, China’s AI measures, and the Council of Europe’s AI treaty — and identifies where the friction actually occurs, not just what each law says in isolation.

    What are the main AI regulatory regimes research consortia must track?

    Four regimes dominate cross-border research collaboration in 2026: the EU’s binding AI Act, a growing set of US state statutes, China’s registration-led administrative measures, and the Council of Europe’s rights-based treaty. Each uses a different legal mechanism, a different geographic trigger, and a different enforcement model, which is precisely why a consortium cannot rely on one partner’s compliance work to cover the group.

    | Regime | Legal status | Geographic reach | Compliance approach | Relevance to research consortia |
    |---|---|---|---|---|
    | EU AI Act (Regulation (EU) 2024/1689) | Binding regulation, directly applicable in all EU member states | Extraterritorial: covers providers and deployers outside the EU where an AI system’s output is used within the EU | Risk-tiered (unacceptable / high / limited / minimal); high-risk obligations broadly apply from 2 August 2026 | A non-EU partner can still be caught if any consortium member deploys the tool’s output in the EU; grant-review and admissions-style AI can fall into Annex III high-risk categories |
    | US state AI laws | No binding federal AI statute; state statutes such as the Colorado AI Act and California’s AI Transparency Act | Applies within the enacting state; a December 2025 executive order pushes federal preemption of “burdensome” state rules, but this is contested and unsettled as of mid-2026 | Sector- and harm-specific (algorithmic discrimination, transparency, deepfakes) rather than one risk taxonomy | A single US institution can trigger several inconsistent duties depending on which state its staff, servers or subcontractors sit in |
    | China’s AI measures | Binding administrative measures enforced by the Cyberspace Administration of China (CAC), now folded into the amended Cybersecurity Law from January 2026 | Applies to AI services offered within China; requires algorithm registration with the CAC before deployment | Registration- and content-control-led: mandatory labelling of AI-generated content, security assessments, real-name verification | Chinese partner institutions typically cannot lawfully run an unregistered foreign AI tool against shared data, creating a hard blocker for joint analysis pipelines |
    | Council of Europe AI treaty | First legally binding international AI treaty (Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law) | Open to Council of Europe members and non-member signatories, including the US, UK, Canada and Japan; needs ratification by five signatories, including three Council of Europe states, to enter into force | Principles-based: human rights, democracy and rule-of-law safeguards for public- and private-sector AI | Offers shared language consortia can cite in data-sharing agreements, but is not self-executing and needs domestic implementing law in each signatory state |

    How does the EU AI Act apply to multi-country research?

    The EU AI Act entered into force on 1 August 2024, with obligations phased in over several years. Bans on unacceptable-risk systems and AI-literacy duties applied from 2 February 2025; general-purpose AI obligations followed on 2 August 2025; and high-risk system obligations broadly apply from 2 August 2026, with penalties reaching €35 million or 7% of global annual turnover.

    What consortium leads consistently underestimate is scope. Like the GDPR before it, the Act reaches beyond EU borders: it applies to providers and deployers established outside the Union whenever the output of their AI system is used within it. A US or Asia-based partner running an AI-assisted screening tool that feeds results into an EU-led work package can be pulled into EU obligations even without an EU office. Annex III’s high-risk categories — including systems used in education, employment and essential services — also reach some AI-assisted grant-review and research-integrity screening tools.

    What do US state AI laws mean for consortium partners?

    The United States has no comprehensive federal AI statute in 2026. Instead, regulation is set state by state: Colorado’s AI Act (SB 24-205), the first comprehensive US state AI law, requires reasonable care to prevent algorithmic discrimination in high-risk systems, with implementation delayed to 30 June 2026. California has separately enacted an AI Transparency Act and a frontier-model safety statute.

    A December 2025 executive order directed federal agencies to challenge state AI laws viewed as inconsistent with a lighter-touch national standard, but as of mid-2026 that preemption push is unsettled and existing state statutes remain in force. For a consortium, a single US institution’s obligations can shift depending on which state its staff, infrastructure or subcontractors sit in — and may change again if preemption litigation succeeds.

    How does China regulate AI differently?

    China’s approach is registration-led and content-focused rather than risk-tiered. The Cyberspace Administration of China requires algorithm registration and security assessment before many AI services can be deployed. The Measures for Labelling AI-Generated and Synthetic Content took effect in September 2025, three national standards on generative AI security took effect on 1 November 2025, and AI governance obligations were folded into the amended Cybersecurity Law from January 2026.

    For research consortia, this is a structurally different problem from the EU or US: it is not primarily about disclosure or risk assessment, but whether a given AI tool may operate against Chinese-held data at all. An unregistered foreign analysis tool cannot lawfully be applied to a Chinese partner’s data set, regardless of how compliant it is elsewhere.

    What does the Council of Europe AI treaty add?

    The Council of Europe’s Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law is the first legally binding international treaty on AI. It opened for signature in September 2024, and early signatories include the European Union, the United States, the United Kingdom, Canada and Japan. It requires ratification by five signatories, including three Council of Europe member states, to enter into force.

    Unlike the EU AI Act, the treaty does not create a detailed compliance regime of its own; it sets human-rights and rule-of-law principles that signatory states must implement through domestic law. For a consortium, it functions less as a rulebook and more as shared vocabulary — a reference point agreements can cite when partners disagree on baseline AI safeguards, even where no national statute yet covers a given use case.

    Where do multi-jurisdiction consortia hit compliance friction?

    The practical friction is rarely about any one regime being stricter than another — it is about the regimes using incompatible triggers. The EU AI Act asks “where is the output used?” US state law asks “which state is the deployer in?” China asks “is this algorithm registered?” The Council of Europe treaty asks “has this state ratified and implemented it?”

    • Data-sharing agreements drafted for one jurisdiction’s risk taxonomy often fail to address another partner’s registration or transparency duties.
    • AI-assisted research tools — plagiarism and integrity screening, generative drafting aids, automated peer-review triage — can simultaneously be “limited risk” in the EU, unregulated in one US state, and require CAC registration in China.
    • Consent and disclosure language for AI use in participant-facing materials rarely satisfies all four regimes’ transparency requirements at once.
    • Governing-law clauses in consortium agreements need to specify which partner’s AI-use obligations apply to shared infrastructure, not just which partner “owns” the data.

    UKRI, Horizon Europe consortia and cOAlition S-aligned funders increasingly expect applicants to describe how AI tools are governed across all partner sites, not only the lead institution’s — making this mapping exercise a funding-eligibility question, not only a legal one.

    Answer-first Q&A

    Are there any global AI regulations?

    No single binding global AI law exists. The Council of Europe’s Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law, opened for signature in September 2024, is the first legally binding international AI treaty, but it needs ratification by five signatories, including three Council of Europe states, before it takes effect.

    Which countries have the most AI regulations?

    The European Union has the most comprehensive statutory AI framework via the EU AI Act, while the United States has the largest volume of measures once state activity is counted. In the 2025 legislative session, all 50 states introduced AI bills and 38 enacted measures, per the National Conference of State Legislatures.

    Which countries have no AI-specific restrictions?

    Several jurisdictions, including the United Arab Emirates and Saudi Arabia, rely on voluntary principles and sector guidance rather than a dedicated AI statute, though both run active national AI strategies and are expected to formalise binding rules as adoption accelerates. Partners based there face fewer AI-specific duties, but other data laws still apply.

    What should multi-country consortia do next?

    No convergence toward a single global AI standard is likely before 2027. The EU AI Act’s high-risk obligations continue phasing in through 2026 and 2027, US preemption litigation remains unresolved, China’s registration regime keeps expanding, and Council of Europe ratifications will accumulate gradually. Consortium agreements that hard-code today’s rules will need scheduled review clauses, not one-off sign-off.

    Research administration teams should treat AI-use disclosure as a standing agenda item in consortium governance, map each partner institution against the table above at project start, and build AI-tool review into existing data-sharing and research administration workflows rather than a separate compliance track.

  • Deemed Export Rule and AI Research Compliance

    The deemed export rule treats the release of export-controlled technology or source code to a foreign national inside the United States as if it were an export to that person’s home country, even though nothing crosses a physical border. For AI research groups, this means that giving a foreign-national graduate student or postdoc access to certain model weights, training code, or restricted technical data can itself require a federal export licence.

    A deemed export is any release of “technology” or “technical data” — controlled under the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR) — to a foreign person physically present in the United States. The doctrine is old; its application to frontier AI systems is new, and it now collides with university research practice.

    What is the deemed export rule?

    Under 15 CFR 734.13(b) of the EAR, releasing controlled technology or source code to a foreign person in the United States is “deemed” to be an export to that person’s country of nationality. The Bureau of Industry and Security (BIS), the Commerce Department agency administering the EAR, names universities and high-technology research institutions as typical deemed-export-licence users, alongside biochemical, medical and computer-sector organisations.

    A “release” can occur through conversation, email, or lab access that lets a foreign national read or modify controlled source code — no shipment is required. Permanent residents, US citizens, and “protected individuals” under US immigration law are exempt; most international graduate students and postdocs on visas are not.

    How the fundamental research exclusion applies to AI research

    Most university AI research avoids deemed export licensing through the fundamental research exclusion at 15 CFR 734.8. Fundamental research is basic or applied research in science and engineering where the resulting information is ordinarily published and shared broadly, with no restrictions on foreign-national participation and no government-imposed access controls.

    The exclusion is conditional, not automatic. It fails where:

    • Results are restricted for proprietary or commercial reasons, such as a sponsorship agreement with a publication-delay clause.
    • The funding agreement imposes access or dissemination controls, which some defence-adjacent AI grants do.
    • The activity involves direct transfer of a controlled item — hardware, software, or source code — rather than an exchange of research information.

    Information already publicly available, including open-access papers and public code repositories, is separately exempt from EAR licensing.

    When AI models, weights and training infrastructure trigger a deemed export

    Using a publicly available AI chatbot or API is not, by itself, a release of controlled technology. Risk rises when a foreign national gains access to model architecture details, training methodologies, or model weights covered by an Export Control Classification Number (ECCN) on the Commerce Control List, or to advanced computing hardware BIS has specifically controlled.

    BIS tightened advanced-computing controls in its October 2022 Interim Final Rule, amended October 2023, then went further in January 2025 with a Framework for Artificial Intelligence Diffusion rule that, for the first time, extended export-control treatment to certain closed-weight AI model parameters, not only training hardware. Disclosing weights, architecture specifications, or training-cluster configuration for a covered model to a foreign-national researcher can itself be a release event.

    Much of this tightening is explicitly framed around China-related concerns — restricting frontier compute and model know-how flowing to entities on the BIS Entity List. Nationality alone does not create liability; nationality plus access to a controlled item, combined with funding or sponsor restrictions, does.

    US deemed export rules vs the EU AI Act research exemption

    Institutions with EU partnerships increasingly ask how the US doctrine compares with the European approach. The EU AI Act — Regulation (EU) 2024/1689 — takes a structurally different route: rather than controlling technology transfer by nationality, it excludes AI systems and models developed and used exclusively for scientific research from most of the Act’s obligations, under Article 2(6) and Article 2(8).

    | Aspect | US deemed export rule | EU AI Act research exemption |
    |---|---|---|
    | Governing instrument | EAR, 15 CFR 734.13(b) and 734.8 | Regulation (EU) 2024/1689, Art. 2(6) & 2(8) |
    | What triggers the rule | Release of controlled technology to a foreign person | Placing an AI system on the market or into service |
    | Exclusion basis | Fundamental research intended for open publication | Research and development activity, prior to market placement |
    | Administering body | Bureau of Industry and Security (Commerce Dept.) | National market surveillance authorities / EU AI Office |
    | Nationality relevant? | Yes — central to the rule | No — exemption is activity-based, not person-based |

    The distinction matters for compliance design: a US export control office manages deemed exports as a personnel and access-control question, while an EU research-exemption assessment is a product-lifecycle question. A model built for fundamental research at a US university may fall outside the AI Act exemption once deployed commercially — the two frameworks do not map onto each other cleanly.

    Compliance steps for universities with foreign national researchers

    Export control officers, research administrators, and AI lab principal investigators need a shared workflow before granting foreign nationals lab or system access:

    1. Screen every incoming foreign national against the BIS Entity List and the Treasury Denied Persons List before granting technical access.
    2. Classify the technology, dataset, or model against the Commerce Control List to determine whether an ECCN applies.
    3. Document the fundamental research exclusion in writing at project inception — funding terms, publication plans, and sponsor restrictions.
    4. Restrict access to controlled weights or training infrastructure until the export control office confirms licence status.
    5. Certify deemed export status accurately on Form I-129 for H-1B, H-1B1, L-1, and O-1A hires, as USCIS requires.
    6. Use the NIST AI Risk Management Framework to document AI system risk tiers internally — a defensible record, though not itself an export-control exemption.

    Treat this as distinct from state AI laws, such as Colorado’s and California’s AI transparency statutes, which govern AI deployment to end users, not technology transfer to foreign persons — a university can comply with one and still be exposed under the other. Guidance from the Center for AI Standards and Innovation (CAISI), the Commerce Department body that succeeded the original AI Security Institute at NIST, can inform risk-evaluation methodology, though it is not itself an export-control determination. See CASRAI’s research administration resources for broader governance context.

    Frequently asked questions

    What are the criteria for a deemed export?

    A deemed export occurs when controlled technology or source code is released to a foreign person inside the United States. The criteria: the item sits on the Commerce Control List or US Munitions List, the recipient is not a citizen, permanent resident, or protected individual, and no exclusion applies.

    How can a university determine whether an activity is a deemed export?

    A university’s export control office classifies the technology against its ECCN or USML category, checks whether the fundamental research exclusion applies, and confirms the researcher’s immigration status. If the technology is controlled, the researcher is a foreign person, and no exclusion fits, a licence is required before access.

    Who is exempt from the deemed export rule?

    US citizens, lawful permanent residents, and individuals granted protected individual status under US immigration law are exempt from deemed export licensing regardless of the technology involved. Most international students and postdocs on visas do not qualify for this exemption and depend instead on the fundamental research exclusion.

    Does using a publicly available AI model trigger a deemed export?

    No. Interacting with a publicly available AI model — a public API, chatbot, or open-weight release with no access restrictions — is not a controlled release under the EAR. Risk arises only when a foreign national gains access to restricted model weights, proprietary architecture details, or controlled training infrastructure not available to the public.

    Implications and outlook

    Export control offices built their playbooks around physical items and classified research; AI weights and training infrastructure do not fit that playbook cleanly. As BIS extends ECCN coverage into software and model parameters, universities running foreign-national-staffed AI labs face rising documentation burden even where no licence is ultimately required.

    Expect continued divergence between the deemed export regime, EU AI Act research-exemption practice, and state AI laws — three separate compliance tracks addressing different questions. Research administrators who map these tracks now, rather than after an incident, will be better placed as controls continue to tighten.