Global AI Risk & Regulation — Digest
TL;DR
The regulatory landscape is fragmenting along regional lines rather than converging. The EU continues to lead with enforcement (50 fines totaling ~€250M by Q1 2026), while Asia-Pacific frameworks like South Korea's are taking structurally different approaches to risk classification. Meanwhile, a critical compliance gap is opening in industrial AI: the EU's machinery regulation framework won't have its AI-specific safety rules finalized until August 2028, leaving enterprises in legal limbo for two years.
EU Enforcement Tightening While Rules Remain Incomplete
The EU's AI Act is moving from rule-writing to enforcement faster than the underlying regulatory machinery can keep up. Fines are already flowing — 50 enforcement actions totaling approximately €250 million are projected by Q1 2026 — but the specific companies, sectors, and violation patterns remain opaque at the enterprise level.
The real compliance hazard is structural: the EU shifted AI-enabled machinery from dual-compliance (AI Act + Machinery Regulation) to sector-specific-law paramountcy in the Digital Omnibus, but the delegated acts that would actually specify AI safety requirements within the Machinery Regulation aren't due until August 2028. For industrial and manufacturing enterprises, this creates a 24-month window where the legal framework is incomplete.
"High-impact" vs. "high-risk" framework and liability implications — the enforcement signal is clear, but the technical requirements for compliance remain in draft.
What to watch: Whether the first wave of EU fines targets transparency violations (easier to prove, lower damages) or substantive safety failures (harder to prove, higher stakes). The answer will signal which compliance investments enterprise legal teams should prioritize.
Asia-Pacific Divergence: South Korea Charts a Different Path
South Korea's new AI law uses a "high-impact" vs. "high-risk" classification framework that differs materially from the EU's approach, potentially lowering compliance costs for enterprises operating across both jurisdictions but creating a new fragmentation problem: enterprises now need parallel compliance architectures.
This isn't convergence toward a global standard. It's the opposite. A company deploying the same AI system in Seoul and Frankfurt now faces two different liability regimes, two different risk thresholds, and two different enforcement postures. The South Korean framework hasn't been fully analyzed in English-language enterprise guidance yet, which means multinational risk teams are flying partially blind.
What to watch: Whether the South Korean framework's lower compliance burden becomes a competitive advantage for APAC-headquartered AI vendors, or whether EU enterprises simply absorb the dual-compliance cost as a market-access fee.
Developer vs. Deployer Liability: Still Unsettled
The regulatory question that matters most for enterprise risk — who bears liability when an AI system fails in production — remains unanswered across all major jurisdictions. The EU's framework hints at shared liability, but the specific allocation between model developers and enterprises deploying those models hasn't been tested in enforcement or litigation yet.
This matters because it determines whether your compliance spend is on your own systems or on auditing your vendors. The absence of clear precedent means enterprises are currently writing their own liability allocation into contracts, which creates a patchwork of risk transfer that won't survive the first major incident.
What to watch: The first major EU fine or court decision that explicitly assigns liability to either a developer or a deployer. That precedent will immediately reshape vendor contracts across the market.
What surprised us
- The machinery regulation gap is worse than the headline suggests. The EU moved AI machinery out of dual-compliance to clean up the rule, but then kicked the actual AI-specific safety requirements to 2028. That's not a delay — it's a structural admission that the AI Act and Machinery Regulation don't actually fit together yet. Industrial enterprises are now in legal purgatory for two years.
- South Korea's framework might be a template, not an outlier. If other APAC jurisdictions adopt a similar "high-impact" model, the EU's risk-based approach could end up being the outlier, not the standard. That would invert the usual assumption that Europe leads and others follow.
- Enforcement is outpacing guidance. 50 fines by Q1 2026 is aggressive, but the lack of public detail on which companies, which sectors, which violations means enterprises are learning compliance through litigation, not regulation. That's expensive and inefficient.
Open threads worth a vote
- South Korea AI law: "high-impact" vs. "high-risk" framework and liability implications — The full comparative analysis of how South Korea's framework differs from the EU model hasn't been surfaced. For multinational enterprises, this is the key to understanding whether dual-compliance is necessary or whether the frameworks are close enough to share architecture.
- Specific AI enforcement actions: EU fines details and SEC AI-washing cases — The €250M fine projection is a headline number, but enterprise risk teams need the granular data: which companies, which sectors, which specific violations triggered enforcement. Without it, compliance priorities are guesswork.
- EU Machinery Regulation AI transition gap: enterprise compliance uncertainty 2026-2028 — This gap is a live risk for any enterprise deploying AI in industrial or manufacturing contexts. Tracking how regulators, vendors, and enterprises are navigating this uncertainty will determine whether the gap closes through guidance, delegated acts, or litigation.