By Vanguard Law & Governance Unit with the work of Margrethe Vestager, Anu Bradford, Daniel J. Solove, Ryan Calo, and Cary Coglianese.
The Compliance Era Begins
Artificial intelligence is moving from experimentation to enforcement. For the last several years, companies treated AI governance as an emerging risk category: important, but often secondary to product speed, model performance, and market adoption. Legal teams monitored draft rules. Boards received periodic briefings. Technology leaders developed internal guidelines. Business units tested generative AI, automated decision systems, and AI-assisted workflows with varying levels of oversight.
That phase is ending.
The EU AI Act has entered its implementation cycle. The prohibitions on certain AI practices and the AI literacy obligations have applied since 2 February 2025. Governance rules and obligations for general-purpose AI models have applied since 2 August 2025. The broader framework becomes progressively more consequential as companies move toward the application dates for high-risk systems, which the AI omnibus package moves later than the Act's original August 2026 and August 2027 schedule: December 2027 for certain high-risk areas such as biometrics, critical infrastructure, education, employment, migration, asylum, and border control, and August 2028 for AI systems embedded in regulated products. Through the same omnibus process the European Commission has moved to simplify and sequence implementation while reinforcing the role of the AI Office and related governance mechanisms.
The United States is moving differently. Rather than one comprehensive federal AI statute, companies face a combination of federal policy shifts, agency guidance, state laws, sector-specific enforcement, and voluntary standards. The federal government has emphasized AI leadership, innovation, national security, and reduced regulatory barriers. At the same time, states such as Colorado have created direct obligations for developers and deployers of high-risk AI systems, especially where AI is used in consequential decisions and may create algorithmic discrimination risk.
The result is not regulatory clarity. It is regulatory layering.
For executives, this creates a new business law problem. AI risk is no longer only a question of ethics, cybersecurity, or product quality. It is now a question of compliance architecture, liability allocation, vendor governance, board oversight, and strategic positioning. Companies that continue treating AI as a series of isolated technology deployments will face rising legal exposure. Companies that build governance into the AI lifecycle will have a stronger basis for compliance, investor confidence, customer trust, and operational resilience.
What Changed
The central change is that AI regulation is becoming operational. The law is no longer aimed only at speculative future harms. It is beginning to impose concrete duties on companies that develop, deploy, procure, integrate, or rely on AI systems.
The EU AI Act is the most important example because it creates a risk-based legal framework. Some AI practices are prohibited. Other systems are treated as high-risk and subject to requirements involving risk management, data governance, technical documentation, recordkeeping, transparency, human oversight, accuracy, robustness, and cybersecurity. General-purpose AI model providers face their own obligations, including transparency and copyright-related duties, with additional expectations for models that create systemic risk.
This structure matters because it moves AI compliance away from broad principles and toward evidence. It is no longer enough for a company to say that it uses AI responsibly. It must be able to show what systems it uses, how those systems are classified, who is responsible for them, what risks were assessed, what data was used, what controls exist, how humans remain involved, and how incidents are handled.
The U.S. environment is less centralized but no less important. Colorado’s AI law requires developers and deployers of high-risk AI systems to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. It also creates expectations around impact assessments, risk management programs, consumer notice, correction rights, appeal rights, public disclosures, and attorney general enforcement. Even where federal law is less prescriptive, state law is beginning to impose operational obligations that resemble parts of the EU model.
The practical implication is clear: companies cannot wait for a single U.S. federal AI law before building AI governance. The regulatory system is already arriving through multiple channels.
The New Liability Map
AI liability is different from traditional software liability because AI systems are often dynamic, probabilistic, data-dependent, and deeply embedded in business decisions. A defective software tool may fail in a predictable way. An AI system may produce biased outputs, hallucinated information, discriminatory rankings, unsafe recommendations, opaque decisions, or unexpected behavior after deployment. The legal risk depends not only on what the system was designed to do, but also on how it was trained, tested, monitored, updated, and used by humans.
The first category of liability is regulatory. Under the EU AI Act, prohibited practices and high-risk obligations carry significant enforcement consequences. Administrative fines are tiered: up to €35 million or 7% of worldwide annual turnover, whichever is higher, for violations involving prohibited AI practices, and up to €15 million or 3% for breaches of most other obligations, including the high-risk requirements. For multinational companies, that level of exposure makes AI compliance a board-level risk.
The second category is discrimination and employment risk. AI tools used in hiring, promotion, compensation, workforce management, education, credit, housing, insurance, and access to services can produce disparate impacts or discriminatory outcomes. In the United States, this risk may arise under federal civil rights law, state consumer protection statutes, employment law, and emerging AI-specific legislation. A company using AI to screen candidates, rank employees, price insurance, assess creditworthiness, or determine customer eligibility may be liable even if the system was supplied by a vendor.
The third category is consumer protection and unfair practices risk. Regulators are likely to scrutinize AI systems that mislead consumers, overstate capabilities, conceal material limitations, manipulate choices, or make consequential decisions without adequate disclosure. AI marketing claims are especially sensitive. A company that describes an AI system as objective, unbiased, autonomous, secure, or compliant must be able to substantiate those claims.
The fourth category is product and professional liability. AI systems used in healthcare, financial services, transportation, legal services, engineering, and safety-critical operations may create risk if their outputs are relied upon without appropriate validation or human oversight. The more consequential the decision, the more important it becomes to define who reviews the AI output, what standards apply, and when human intervention is required.
The fifth category is contractual liability. Many companies are using AI through vendors, cloud providers, enterprise platforms, and embedded software tools. That creates risk around indemnification, audit rights, data rights, confidentiality, model training, cybersecurity, intellectual property, performance warranties, and regulatory cooperation. AI governance is therefore not only an internal compliance issue. It is also a contracting issue.
The sixth category is governance liability. Boards that fail to understand material AI risks may face questions about oversight. As AI becomes embedded in strategy, operations, customer interaction, and employee decision-making, directors will need evidence that the company has an adequate governance structure. AI risk will increasingly resemble cybersecurity risk: technical in execution, but strategic in consequence.
Cross-Border Risk: The Same System, Different Legal Worlds
A multinational company may deploy the same AI tool across multiple jurisdictions and encounter different legal consequences in each one. This is the central cross-border challenge.
Consider a global employer using an AI-assisted hiring platform. In the European Union, the system falls within the Act's listed high-risk categories when it is used for recruitment, selection, or employment-related decisions. That triggers obligations around risk management, data governance, transparency, human oversight, technical documentation, and monitoring. In Colorado, the same system is treated as a high-risk AI system if it is a substantial factor in a consequential employment decision, requiring reasonable care to prevent algorithmic discrimination, impact assessments, notices, correction mechanisms, and appeal opportunities. In other U.S. states, the company may face privacy, employment, biometric, or consumer protection requirements.
The tool may be identical. The compliance obligations are not.
A similar problem arises in financial services. An AI credit model may implicate EU high-risk obligations, U.S. fair lending rules, state consumer protection laws, model risk management expectations, data privacy requirements, and vendor oversight duties. A bank or fintech company cannot assume that because the model performs well statistically, it is legally safe. Performance, explainability, fairness, documentation, and governance must be evaluated together.
Healthcare creates another layer of complexity. AI tools used for triage, clinical decision support, diagnostics, insurance authorization, or patient communication may trigger medical device rules, health privacy law, professional standards, product liability concerns, and AI-specific obligations. A model that appears useful in a pilot may become legally fragile when deployed at scale without validation, monitoring, and human oversight.
These cross-border examples show why AI governance cannot sit only inside the technology function. The legal classification of an AI system depends on use case, jurisdiction, affected persons, sector, data inputs, output consequences, and human involvement. Only a multidisciplinary process can evaluate that properly.
The Board’s AI Question
Boards do not need to become model engineers. But they do need to ask better questions.
The most important board question is not, “Are we using AI?” Most companies are. The better question is, “Where is AI making or materially influencing consequential decisions?”
That distinction changes the governance conversation. AI used to summarize internal documents may create confidentiality and accuracy risk. AI used to decide who receives credit, employment, insurance, healthcare access, housing, education opportunities, or government services creates a different order of legal exposure. Boards should insist on an inventory that separates low-risk productivity tools from systems that affect rights, opportunities, safety, pricing, eligibility, or access.
The second board question is, “Who owns AI risk?” If ownership is spread casually across IT, legal, compliance, product, HR, and business units, accountability will be weak. A serious company should define clear responsibility for AI governance, including executive sponsorship, legal review, technical validation, procurement controls, incident response, and board reporting.
The third question is, “What evidence would we produce if challenged?” This is the enforcement question. Regulators and plaintiffs will not evaluate AI governance by company values statements. They will look for records: inventories, risk assessments, impact assessments, testing results, model documentation, vendor agreements, incident logs, approval records, consumer notices, training materials, and board minutes.
The fourth question is, “Are we building compliance into deployment or adding it afterward?” Retrofitted AI governance is expensive and often incomplete. The best time to assess legal risk is before a system is purchased, trained, customized, integrated, or released. Once a tool becomes embedded in business operations, withdrawal becomes difficult.
The fifth question is, “Can governance accelerate adoption rather than slow it?” This is where many executives misunderstand the issue. Strong governance does not necessarily block innovation. Poor governance does. When employees do not know what tools are approved, what data may be used, what outputs require review, or who signs off on deployment, innovation becomes fragmented and risky. A clear governance model allows responsible adoption to scale.
The AI Governance Operating Model
Companies should move from AI principles to an AI operating model. The model should have five components.
First, build a live AI inventory. Every material AI system should be cataloged by business unit, vendor, purpose, jurisdiction, data inputs, affected stakeholders, decision impact, human oversight, and risk classification. The inventory should include both internally developed systems and third-party tools. It should also include embedded AI features inside enterprise software, because many companies are adopting AI without realizing it.
Second, classify systems by legal and operational risk. A chatbot that helps employees draft emails does not require the same controls as a system that screens job applicants or flags insurance claims. Classification should consider whether the system affects employment, credit, education, housing, healthcare, insurance, law enforcement, biometrics, critical infrastructure, consumer rights, or safety.
Third, require pre-deployment review for high-risk use cases. Before a high-risk system is deployed, the company should complete a legal and technical assessment. That assessment should examine data quality, bias risk, accuracy, explainability, cybersecurity, human oversight, vendor documentation, consumer notice, appeal mechanisms, and monitoring plans.
Fourth, manage vendors as part of the control environment. Many AI failures will occur because companies rely too heavily on vendor assurances. Contracts should address documentation access, audit rights, data use restrictions, model changes, incident notification, regulatory cooperation, indemnity, subcontractors, cybersecurity, and restrictions on using customer data for model training.
Fifth, monitor systems after deployment. AI risk does not end at launch. Models can drift. Data can change. Users can misuse outputs. Vendors can update systems. Business teams can expand use beyond the original purpose. Companies need post-deployment monitoring, periodic review, incident escalation, and sunset procedures.
This operating model does not require bureaucracy for every tool. It requires proportionality. Low-risk systems should move quickly. High-risk systems should move deliberately. The mistake is treating all AI as either harmless experimentation or existential risk. The legal system is moving toward a middle position: risk-based governance.
Compliance as Competitive Differentiation
Many executives view AI regulation as a burden. That is understandable. The EU AI Act and emerging U.S. rules will require documentation, process, controls, and legal review. Some deployments will slow. Some vendor relationships will need renegotiation. Some systems may be withdrawn or redesigned.
But compliance can also become a competitive advantage.
Customers increasingly want assurance that AI systems are safe, reliable, fair, secure, and explainable. Enterprise buyers will ask more detailed questions before purchasing AI-enabled products. Regulated industries will demand stronger documentation from vendors. Investors will scrutinize whether AI growth is supported by credible risk controls. Employees will want clarity on how AI affects work, evaluation, and opportunity.
A company that can demonstrate disciplined AI governance may move faster in high-trust markets. It can sell into regulated sectors more effectively. It can reduce friction in procurement. It can respond to regulators with evidence rather than improvisation. It can attract customers that cannot afford AI uncertainty.
This is especially important for companies building AI products. In the coming years, the market will distinguish between companies that merely claim responsible AI and companies that can operationalize it. Model cards, testing protocols, transparency reports, audit trails, evaluation results, security controls, and human oversight processes will become commercial assets.
The same logic applies internally. A company with clear AI rules can deploy tools more confidently. Employees know what is allowed. Business units know when review is required. Legal teams can prioritize material risk rather than policing every experiment. Governance becomes a scaling mechanism.
The Innovation Trap
The most common objection to AI regulation is that it will slow innovation. That concern is real but incomplete. Regulation can slow deployment, especially where compliance expectations are unclear or excessive. But unmanaged AI also slows innovation by creating failures, litigation, customer distrust, employee resistance, and executive hesitation.
The real innovation trap is not governance. It is ungoverned experimentation that later becomes impossible to scale.
Many companies are already in this position. Business units have adopted AI tools without central approval. Employees are using public generative AI systems with sensitive data. Vendors are adding AI features to existing software contracts. HR teams are testing automated screening tools. Marketing teams are using AI-generated content. Customer service teams are deploying chatbots. Legal, compliance, and security teams often discover these systems after they are already in use.
This creates shadow AI risk. It also undermines the company’s ability to innovate responsibly.
The solution is not to ban AI. It is to create a pathway for approval. Companies should establish clear categories: permitted low-risk use, restricted use requiring review, prohibited use, and high-risk use requiring formal governance. The more practical the pathway, the less likely employees are to route around it.
What Executives Should Do Now
Executives should begin with an AI legal exposure review. This should not be a theoretical ethics exercise. It should identify actual systems in use, pending deployments, vendor relationships, affected jurisdictions, high-risk use cases, and gaps in documentation. The review should be led jointly by legal, compliance, technology, security, data, HR, procurement, and business leadership.
Second, companies should create an AI governance committee with real authority. The committee should not exist merely to discuss principles. It should approve high-risk deployments, review vendor controls, monitor regulatory developments, oversee incident response, and report to the board.
Third, companies should update procurement. No business unit should be able to buy or activate a material AI system without legal and technical review. Vendor contracts should be revised to address AI-specific risk.
Fourth, companies should train employees. AI literacy is becoming a legal and operational requirement, not a cultural preference. Employees need to know when AI may be used, what data may be entered, how outputs should be reviewed, and when escalation is required.
Fifth, companies should prepare documentation before they need it. In enforcement, the company with contemporaneous records will be in a stronger position than the company trying to reconstruct its reasoning after a problem occurs.
Finally, boards should add AI governance to the regular risk agenda. AI should not appear only during innovation presentations. It should be reviewed as part of enterprise risk, legal compliance, cybersecurity, workforce strategy, product development, and customer trust.
The Strategic Meaning of Enforcement
The enforcement era of AI regulation will not be defined by one law. It will be defined by the interaction of many laws, standards, regulators, courts, contracts, and market expectations. The EU AI Act creates the most comprehensive risk-based structure. U.S. federal policy remains more fragmented and innovation-oriented. State laws are beginning to fill the gap. Voluntary frameworks such as NIST’s AI Risk Management Framework provide practical tools, even where they are not legally mandatory.
For business leaders, the direction is clear. AI governance is becoming part of corporate governance. Legal safeguards are no longer optional guardrails placed around innovation after the fact. They are conditions for sustainable deployment.
The companies that struggle will be those that treat AI regulation as a compliance department problem. The companies that benefit will be those that integrate legal risk management into product design, procurement, workforce strategy, customer engagement, and board oversight.
AI is no longer merely a technology issue. It is a business law issue. It determines who is accountable, what evidence exists, which jurisdictions apply, how customers are protected, how employees are affected, and whether the company can defend its decisions when systems fail.
The next phase of AI competition will not reward the fastest adopters alone. It will reward the companies that can adopt quickly, govern intelligently, and prove that their systems deserve trust.