Global AI Risk & Regulation — Digest
TL;DR
The regulatory landscape has fractured decisively into three competing models, and the US federal government is actively suppressing one of them. The EU continues narrowing its risk-based framework while accelerating enforcement, but has punted critical AI safety rules for industrial machinery to 2028. The US has pivoted entirely away from risk-based regulation — the DOJ's AI Litigation Task Force successfully repealed Colorado's risk-based law and is now targeting Connecticut and California — while South Korea has charted a lighter-touch "high-impact" path that trades regulatory clarity for startup-friendly compliance. The liability question that matters most — who bears responsibility when an AI system fails — remains unsettled in every jurisdiction, but Italy's Court of Pistoia and the UK's product safety overhaul are beginning to sketch the answer: deployers remain liable even when they use AI, and human oversight cannot be automated away. Enterprises now need three parallel compliance architectures, not one.
The US Is Actively Blocking Risk-Based Regulation in Favor of Disclosure-and-Rights
Federal intervention in state AI law has moved from passive to aggressive, and it is working. The DOJ's AI Litigation Task Force, established under Executive Order 14365 in December 2025, successfully challenged Colorado's risk-based AI Act and forced its repeal in May 2026.
Colorado's original law, modeled on the EU's framework, imposed affirmative duties of care, mandatory algorithmic impact assessments, and comprehensive risk management programs. The DOJ and xAI sued on First Amendment, Fourteenth Amendment, and Commerce Clause grounds. Rather than fight the case to trial, Colorado's legislature capitulated and passed Senate Bill 189, which repeals the entire risk-based regime and replaces it with a disclosure-and-rights model focused on automated decision-making technology. The new law requires developers to provide technical documentation and deployers to give notice and allow meaningful human review, but strips away the substantive risk management obligations.+3
"No contractual provision that would shield a developer or deployer from liability for off-label use of AI tools will be effective." — Colorado AI Act Repeal
+3
This was not a negotiated compromise between industry and states. It was federal preemption by litigation. The Task Force's mandate is explicit: challenge "onerous" state AI laws that conflict with maintaining US AI dominance through a "minimally burdensome national framework." The message to other states is clear: risk-based regulation will be met with constitutional litigation.
Connecticut's newly passed Senate Bill 5 and California's finalized CPPA regulations are now widely expected to be the Task Force's next primary targets+3, particularly because Connecticut mandates synthetic media provenance and chatbot restrictions, and California requires pre-use notices, opt-outs, and annual risk assessment filings. For multinationals, this means the US is not converging toward the EU model — it is actively diverging from it, and the federal government is using litigation to enforce that divergence.
What to watch: Whether the DOJ AI Litigation Task Force targets California's CPPA regulations next. If it does, the pattern will confirm that the federal strategy is to suppress all state-level risk-based and substantive AI safety rules, not just Colorado's.
EU Enforcement Accelerates While Critical Safety Rules Remain Unfinished
The EU's regulatory framework is tightening enforcement faster than the underlying rules can keep up, creating immediate compliance pressure while leaving critical gaps unresolved. The May 2026 AI Omnibus agreement resolved a structural problem by moving AI embedded in machinery out of dual-compliance with the AI Act, but this carve-out created a new one: the delegated acts that would specify AI-specific safety requirements within the Machinery Regulation aren't due until August 2028.
"Where sector-specific legislation regulates AI functions (aviation, medical devices, financial services), companies will no longer face parallel assessments under both regimes." — EU AI Omnibus Agreement
This creates a 24-month window of legal uncertainty for industrial enterprises. The EU also narrowed the high-risk scope so that only systems whose failure creates genuine health or safety risks face the heaviest obligations, and extended compliance deadlines for Annex 3 systems (employment, education, health insurance) to December 2027. These are genuine concessions to industry — but they don't resolve the core enforcement uncertainty. The European Commission published draft high-risk classification guidelines in May 2026, but these are non-binding interpretations. The first major EU enforcement action will define the boundary in practice, and enterprises won't know where that line actually sits until it's crossed.
What to watch: Whether the first wave of EU fines targets transparency violations (easier to prove, lower damages) or substantive safety failures (harder to prove, higher stakes). The answer will signal which compliance investments enterprise legal teams should prioritize.
Deployers Remain Liable for AI-Generated Content — Human Oversight Cannot Be Automated Away
The liability question that matters most — who bears responsibility when an AI system produces harmful output — is beginning to be answered by courts, and the answer is: the deployer, not the developer. Italy's Court of Pistoia issued a landmark ruling on March 19, 2026, holding that using automated generative AI does not exempt an entrepreneur from civil liability or eliminate the duty of human oversight.
The case involved a competitor who used generative AI to create SEO redirects and misleading advertising about sleep products. The defendant argued that because the content was AI-generated without direct human review, there was no "editorial intent" to engage in unfair competition. The court rejected this entirely.
"At least for now, it is not capable of taking any initiative." — Italy Court of Pistoia
The court applied existing Italian civil law — Article 2598 on unfair competition and Legislative Decree 145/2007 on misleading advertising — and held that the deployer remained fully responsible for the outputs because the AI system lacks legal personality. This precedent signals how EU member-state courts will handle the developer/deployer boundary: "the AI did it" is not a valid defense, and enterprises cannot outsource liability by automating decision-making.
The UK's product safety overhaul reinforces this pattern. The March 2026 OPSS consultations explicitly modernize product safety assessment factors to include cybersecurity and AI/ML risks, and mandate that online product offers disclose whether a product uses AI prior to purchase. This represents a regulatory admission that AI-enabled products require heightened human oversight and transparency, not the opposite.
What to watch: Whether the first major EU fine under the AI Act explicitly assigns liability to a developer or a deployer. That precedent will immediately reshape vendor contracts across the market and signal to insurers whether AI-specific coverage products are viable.
What surprised us
-
The machinery regulation gap is worse than the headline suggests. The EU moved AI machinery out of dual-compliance to clean up the rule, but then kicked the actual AI-specific safety requirements to 2028. That's not a delay — it's a structural admission that the AI Act and Machinery Regulation don't actually fit together yet. Industrial enterprises are now in legal purgatory for two years, and the Commission hasn't published guidance on what to do in the interim.
-
The DOJ AI Litigation Task Force is a coordinated federal strategy, not passive regulatory fragmentation. The Task Force successfully blocked Colorado's risk-based law and is now actively pursuing other states. This is aggressive preemption by litigation, and it's working. The fact that Connecticut and California are now in the crosshairs suggests the federal government views risk-based regulation as a threat to US AI competitiveness, not a legitimate policy choice.
-
"The AI did it" is no longer a legal defense anywhere. Italy's Court of Pistoia ruled that deployers remain liable for AI-generated unfair competition even without direct human review. This is the first major civil liability precedent in an EU member state specifically on AI-generated content, and it establishes that human oversight cannot be automated away. Enterprises that rely on fully automated pipelines without a human gatekeeper have created severe, unmitigated legal risk.
-
Insurance is a governance chokepoint, not a lever. A February 2026 Delaware Superior Court ruling held that Meta's liability insurers have no duty to defend the company in social media harm cases because the underlying complaints alleged deliberate conduct, not "accidents." If an AI harm stems from a deliberate design decision, insurers may argue the harm was foreseeable and deny coverage. This creates a perverse incentive: companies may avoid rigorous safety testing to preserve the argument that harms were unforeseeable, or they may conduct testing and create documentation that later proves the harm was foreseeable and therefore uninsured.
Open threads worth a vote
- DOJ AI Litigation Task Force: next state-law targets after Colorado repeal — The Task Force successfully intervened in Colorado and the law was repealed. Connecticut's SB 5 passed; California's CPPA regulations are pending. Which state laws are next? The pattern will reveal the federal strategy: block all state AI laws, or permit disclosure-and-rights frameworks while suppressing risk-based ones?