Perly Consulting │ Beck Eco

The State of Play

A living index of AI adoption across industries — where established practice meets the bleeding edge
UPDATED DAILY

The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.


AI Maturity by Domain

Each dot marks the weighted maturity of practices within a domain, on a scale from Bleeding Edge to Established.

AI regulatory compliance

BLEEDING EDGE

TRAJECTORY: Advancing

Ensuring AI systems comply with emerging regulations including the EU AI Act, and other jurisdiction-specific requirements. Includes regulatory mapping and compliance gap assessment; distinct from acceptable use policies which govern internal rather than regulatory requirements.

OVERVIEW

AI regulatory compliance is defined by enforcement moving from promise to practice—with critical unpreparedness remaining. The practice sits at the intersection of regulatory acceleration (EU high-risk deadline August 2026, first US federal AI law March 2026, 136+ state bills enacted), matured tooling (platforms now reliably parse complex regulatory text and generate conformity documentation), and organizational underperformance (only 25% of enterprises have implemented governance, 83% lack AI inventories, 97% unprepared across major markets). The core tension: regulations now carry real penalties (EU €35M/7% revenue, US 4% revenue, state-level per-violation scaling), enforcement infrastructure is operationalizing (Finland activated market surveillance, Italy imposed interim measures, EU Commission opened antitrust proceedings), yet most organizations still cannot classify their AI systems under deadlines they cannot move. This remains firmly bleeding-edge—the cost of non-compliance is now quantifiable, the tooling works, and the window to prepare is closing.

CURRENT LANDSCAPE

Regulatory infrastructure has moved from blueprints to operations. The EU AI Office published compliance infrastructure serving 150k+ users monthly (artificialintelligenceact.eu with the AI Compliance Checker tool). Finland activated full market surveillance (January 2026), and the Italian AGCM imposed interim measures on Meta, the first EU member state enforcement. The EU Commission issued a formal Statement of Objections against Meta (February 2026). Yet critical readiness gaps remain: only 8 of 27 EU Member States have designated enforcement authorities (the deadline was August 2025), and technical harmonized standards critical for demonstrating compliance are not expected until end-2026, leaving the August 2026 high-risk deadline without necessary benchmarks. The U.S. pivoted to federal action: the AI Accountability Act (passed Senate 67-33, March 2026) mandates third-party bias audits, public disclosure, and grievance mechanisms for AI systems affecting 10K+ people annually in hiring, credit, healthcare, and criminal justice; penalties reach 4% of annual revenue (Google: ~$14B, Microsoft: ~$16B exposure), with an 18-month compliance window (September 2027). State-level enforcement has already begun with NYC DCWP enforcement (though an initial audit showed 75% of AI complaints misrouted). Colorado, California, Illinois, and Texas enforcement timelines create overlapping obligations with per-violation and per-consumer penalty scaling.

Organizational readiness remains the critical barrier despite accelerating tool adoption. A meta-analysis of governance maturity shows only 25% of enterprises have fully implemented governance, 27% incorporated it into board charters, and 97% of breach victims lacked proper access controls. Stanford HAI's 2026 AI Index documents mainstream framework adoption accelerating (ISO/IEC 42001 at 36%, NIST AI RMF at 33%, organizations with no responsible AI policy declining to 11% from 24%), yet 88% of organizations using AI cannot demonstrate regulatory readiness in enterprise processes with compliance constraints: benchmark performance does not translate to operational compliance. Compliance maturity baseline: 58% of compliance professionals operate at Basic/Dependent levels (manual, spreadsheet-driven), 16% at Advanced; projected to 35% Advanced within 12 months, signalling rapid adoption acceleration. The RegTech market surpassed $19B with 23% CAGR; AI-powered compliance tools reduce costs 30-50% (avg $1.3M annually) and cut onboarding 60%+, with ~30% of banking professionals now reporting AI use for compliance. Leading banks achieved a 50% reduction in compliance review time through production deployments. Compliance economics are quantifiable: €200-500k initial investment for defensible quality-management systems; transaction repricing now captures compliance cost (€180M deal repriced down €7M for documentation gaps, €90M HR carve-out withdrawn entirely for non-compliance, €35M minority stake earning 1.5–2x revenue premium for strong governance). However, structural barriers remain: over 50% of organizations lack systematic AI inventories, evidence-production cost for post-hoc compliance is 6-12 weeks of forensic engineering, and systems deployed before December 2027 avoid compliance obligations "unless substantially modified," creating a perverse incentive for a "race to deploy" high-risk systems before the deadline. The August 2026 high-risk deadline proceeds without complete technical standards (expected end-2026) and with only 8 of 27 EU Member States having designated enforcement authorities.

TIER HISTORY

Research: Jun-2024 → Jul-2024
Bleeding Edge: Jul-2024 → present

EVIDENCE (84)

— FDA's first warning letter with dedicated AI section (Purolea Cosmetics, April 2026) establishes binding compliance requirement: AI-generated regulatory documents require human expert review and sign-off; AI is assistive tool only, not substitute for quality unit accountability under 21 CFR 211.22(c).

— EU Commission's May 19 draft guidelines define high-risk classification (use as safety component in regulated products, or eight Annex III use cases: biometrics, education, employment, law enforcement, etc.); Digital Omnibus delays Annex III from August 2 to December 2, 2027; new prohibitions on non-consensual intimate imagery and CSAM effective December 2026.

AI Governance Weekly - June 5, 2026 (Industry Reports)

— Multi-jurisdictional tracker: EU high-risk enforcement August 2, 2026; China anthropomorphic AI rules July 15, 2026; agentic AI governance gaps documented—74% of agent deployments rolled back due to PII exposure, OAuth credential sprawl, undefined runtime permissions; multiple frameworks published identifying consistent failure modes.

— FDA's updated draft guidance mandates AI-enabled medical device compliance with lifecycle approach, algorithm description, data provenance, real-world performance monitoring, and aligns with HIPAA/cybersecurity/patient safety regulations; enforcement applies to all manufacturers seeking 510(k) clearance or de novo classification.

— FDA operationalized binding compliance for AI/ML SaMD (Predetermined Change Control Plans, transparency on training data demographics, post-market surveillance); CMS Transitional Coverage pathway active; EU AI Act healthcare provisions entered first enforcement phase; no generative AI cleared for diagnostic tasks as of Q2 2026.

— Commission's May 19 draft guidelines clarify Article 6(3) exemption is narrow and applies only to preparatory/procedural tasks that don't materially influence outcomes; GDPR profiling is automatic high-risk disqualifier; registration and documented assessment required; consultation closes June 23, 2026.

— FTC enforcement action (Cox Media Group, May 21, 2026) establishes binding substantiation standard for AI capability claims under Operation AI Comply (12+ cases through May 2026); applies Section 5 standard requiring 'competent and reliable evidence' before publication; four claim patterns trigger enforcement with named penalties from $18M to $930K.

— PDPSpectra analysis of August 2, 2026 enforcement: conformity assessments and post-market monitoring mandatory; fines €35M or 7% turnover for prohibited systems, €15M or 3% for high-risk non-compliance; three supervisory layers across EU, member states, and sectoral regulators; compliance gap identified: engineering teams report 60-70% alignment with MLOps practices but documentation discipline is the gap.

HISTORY

  • 2024-Q2: EU AI Act approved (May) and entry into force scheduled for August 2024; compliance deadlines pushed to February 2025. Corporate readiness survey found only 40% of leaders confident in compliance capability. Risk-based framework established with penalties up to €35M, but legal analyses noted definitional gaps and overregulation concerns.

  • 2024-Q3: EU AI Act entered into force (August 1). Regulatory maturity accelerated: FTC launched enforcement actions ("Operation AI Comply"), vendor tooling achieved 227% ROI metrics, technical deployments in high-risk domains demonstrated feasibility. However, Deloitte survey showed only 18% of European leaders prepared for risk and governance; startup compliance costs and innovation concerns remained barriers. Fragmented global landscape with U.S. enforcement, EU regulation, and UK deliberation.

  • 2024-Q4: U.S. regulatory enforcement formalized through DOJ compliance program updates (October) and FTC actions. Corporate compliance adoption remained immature despite vendor tooling maturity: ACA/NSCP survey showed only 37% of financial firms deployed AI, 12% had risk frameworks, 92% lacked third-party policies. Broader surveys revealed 58% organization GenAI adoption but only 59-79% with controls; 81% financial institutions felt adoption pressure without governance. Critical limiting factor shifted from regulation clarity to organizational maturity and governance adoption.

  • 2025-Q1: EU AI Act's first enforcement deadline (Feb 2, 2025) activated prohibited systems ban; platform providers updated contracts and developed Codes of Conduct. U.S. state-level regulation exploded: 136 bills enacted (California, Colorado, Illinois, NYC all active or effective in 2026), creating cascading compliance burden across jurisdictions. Only 8% of organizations achieved mature AI governance programs (Compliance Week survey), and 76.9% of compliance teams still relied on manual processes (Regology survey). Regulatory velocity accelerated while organizational readiness stalled—widening compliance gap with enforcement deadlines now enforceable.

  • 2025-Q2: Conformity assessment deadline (August 2026) approaches as Future of Privacy Forum publishes implementation roadmap; compliance professionals identify regulatory change pace and implementation complexity as primary barriers. FinTech sector reports 62% of AI-using firms face data and implementation challenges despite two-thirds already deploying AI. AI adoption continues rising (72% enterprise adoption) while governance maturity stalls; regulatory requirements become more complex faster than organizations can respond. Compliance automation adoption accelerates but manual processes remain dominant, indicating slow digital transformation despite regulatory enforcement.

  • 2025-Q3: EU AI Act's GPAI enforcement phase activated (Aug 2, 2025) with provider documentation and risk assessment obligations. GPAI Code of Practice published but fractured industry consensus: Meta refused to sign citing legal uncertainty; harmonized technical standards delayed to 2026. Enterprise adoption of compliance tools accelerated (76% using AI for regulatory monitoring) but organizational governance maturity remained low. Startup and investor resistance intensified with open letters requesting two-year pause; consultant-led framework deployments (e.g., CGI manufacturer case) demonstrated feasibility but remained rare. Implementation ambiguities persisted: definitional gaps, standards delays, and lack of legal certainty created a compliance readiness crisis despite regulatory enforcement deadlines.

  • 2025-Q4: EU Commission published Digital Omnibus proposal (Nov 19, 2025) with compliance simplifications: extended deadlines to December 2027 for high-risk systems, grace periods for legacy AI, reduced registration requirements. Organizational AI adoption reached 78% (up from 55% in 2023), with empirical evidence showing AI-driven compliance improves performance; however, only 55% of organizations implemented tools despite 100% addressing digital strategy. Compliance tool vendors matured (OneTrust IDC leader, RegScale Gartner Cool Vendor, Leidos partnerships). Critical barrier shifted from regulatory clarity to organizational implementation capacity: €52k+ annual costs, time constraints cited by 47% of compliance teams, and governance maturity gaps persisting despite tool availability.

  • 2026-Jan: EU AI Act enforcement activated: Finland became first member state to launch market surveillance (January 1), and EU Commission rejected a two-year enforcement moratorium, cementing August 2026 conformity assessment deadline. Financial services firms showed 94% investment intent increase, yet only 32% had formal governance programs. Critical compliance gap emerged: 60% of AI systems operated outside IT visibility and 40% had unclear risk classification, predicting widespread deadline failures despite enforcement momentum.

  • 2026-Feb: Financial services adoption metrics clarified: 31.8% of institutions achieved mature AI compliance programs while 94% planned increased investment, confirming adoption-readiness gap. Compliance professionals showed 59.3% using AI but only 61.2% with formal risk review, highlighting governance maturity lag. Regulatory analysis revealed uneven coverage of malicious AI use in EU AI Act and ongoing implementation ambiguities. U.S. FTC signaled reduced regulatory appetite while state fragmentation created stacked enforcement exposure. Critical barrier remained inventory and classification capability within August 2026 deadline despite vendor ecosystem maturity.

  • 2026-Apr (15): Enforcement transition from preparation to operations. EU AI Office operational infrastructure (150k+ users monthly on artificialintelligenceact.eu). Finland activated market surveillance; Italy AGCM imposed interim measures on Meta; EU Commission issued Statement of Objections against Meta. Critical readiness gap documented: only 8/27 EU Member States designated enforcement authorities (deadline August 2025); technical standards delayed to end-2026, leaving August 2026 deadline without benchmarks. First US federal AI law passed: AI Accountability Act (Senate 67-33, March 2026) mandates bias audits, public disclosure, 10K+ threshold; penalties 4% annual revenue; deadline September 2027. State enforcement operationalizing (Colorado June 30, NYC DCWP December 2025). Organizational readiness metrics worsened: only 25% of enterprises have full governance, 27% board-integrated, 3% comprehensive frameworks, 97% of breaches lacked access controls. Structural loophole identified: non-retroactive application + delayed deadline creates incentive for "race to deploy" high-risk systems before December 2027. RegTech ecosystem reached maturity (LLM quality threshold, regulatory volume critical mass, real enforcement converged) with quantified vendor ROI (false-positive reduction 50–80%, FTE burden reduction 50–70%). Case study deployments demonstrate feasibility (PROTOS AI Agency, Greece: three production systems with DOKIMASIA.AI platform). Sector-specific enforcement timeline emerging (White House guidance for healthcare/finance/legal by Q4 2026). Critical barrier remained organizational inventory and classification capability within progressively clarified but fragmented multi-jurisdictional deadlines.

  • 2026-Apr: August 2026 EU AI Act high-risk deadline sharpens compliance pressure for US enterprises with EU market exposure, with Holland & Knight confirming non-retroactivity creates strategic incentive for accelerated deployment before enforcement. RegTech market surpassed $19B (23% CAGR); AI-powered compliance solutions deliver 30-50% cost reductions and 60%+ onboarding acceleration, with leading banks achieving 50% compliance review time reduction—confirming tools have crossed the economic viability threshold. Organizational maturity remains the binding constraint: Stanford HAI 2026 AI Index finds 88% of organizations use AI but benchmark improvements do not translate to regulatory readiness, with ISO/IEC 42001 adoption at only 36% and NIST AI RMF at 33% despite declining share with no responsible AI policy. Compliance maturity survey (500+ professionals) shows 58% at Basic/Dependent level with only 16% Advanced, though 74% plan new investment—indicating rapid acceleration ahead rather than current readiness.

  • 2026-May (7-27): Regulatory timeline turbulence: EU Parliament and Council agreed May 7 Digital Omnibus amendments—deferring high-risk deadline 16 months (August 2, 2026 → December 2, 2027)—citing infrastructure gaps (technical harmonized standards not complete until end-2026, only 8 of 27 Member States designated enforcement authorities). Critical analysis documents industry lobbying campaign (Siemens €1B investment threat, Chancellor Merz intervention) driving postponement and identifying enforcement precedent risk. U.S. deployment evidence: GSA published formal AI Compliance Plan with three-tier governance (Tier 1: chatbot, Tier 2: API, Tier 3: embedded), deployed under OMB M-25-21/M-25-22 alignment, demonstrating federal-scale compliance implementation. Organizational readiness at critical juncture: 78% of enterprises unprepared 90 days before August 2 deadline (83% lack AI inventory, 74% lack governance owner, 61% lack documentation process); 40-65% of employees use unapproved AI tools (40M violations documented Q1 2026); shadow AI linked to 1 in 5 data breaches with $670k additional cost. Analyst assessment (Applied AI for Enterprise Radar Q1 2026) identifies governance layer (AI Security, Governance, Auditability, Red-Teaming) as 'defining risk'—all categories at Trial, none at Adopt—despite Foundation Models and Infrastructure at Adopt, confirming infrastructure-governance lag. Regulatory infrastructure continues operationalizing: EU AI Office published official transparency guidance (Article 50) effective August 2, 2026 (user notification, watermarking, deepfake disclosure requirements). Critical deadline ambiguity remains: high-risk compliance not required until December 2027 but shadow AI breaches accelerating, non-retroactivity creating deployment incentives, and governance maturity improvements lagging regulatory deadlines.

  • 2026-Jun (10): Enforcement transition from framework clarification to operational enforcement action. FDA issued its first dedicated AI warning letter (April 2026, Purolea Cosmetics) establishing that AI-generated regulatory documents require mandatory human expert review and cannot substitute for quality unit accountability—setting binding compliance standard for pharmaceutical AI use. EU Commission published official high-risk classification guidelines (May 19, draft through June 23 consultation), establishing that intended purpose is primary control point and Article 6(3) exemption is narrow (profiling automatically high-risk, material influence test outcome-centric not process-centric). FTC continued Operation AI Comply enforcement: Cox Media Group $930K settlement (May 21, 2026) for false AI capability claims, with 12+ cases resolved through May 2026 establishing substantiation requirement under Section 5 standard. Healthcare regulatory maturity evidenced: FDA operationalized binding compliance for AI/ML SaMD (Predetermined Change Control Plans, training data transparency, post-market surveillance) with no generative AI cleared for diagnostic tasks as of Q2 2026; CMS Transitional Coverage pathway operational. Enterprise AI governance audit readiness worsened: Grant Thornton survey (950 leaders) shows 78% lack confidence passing independent AI governance audit within 90 days, with governance/compliance failures cited as second-highest cause of AI underperformance after business-strategy misalignment. Agentic AI emerges as new governance gap: 74% of agent deployments rolled back due to PII exposure and undefined runtime permissions, with multiple frameworks documenting consistent OAuth/delegation/logging failure modes. ISO 42001 adoption accelerating (76% of enterprises intend adoption within 24 months per CSA survey), establishing standards pathway as de facto compliance requirement ahead of December 2027 high-risk deadline extension.