In the United States, a significant development came as the Senate passed the country’s first comprehensive AI governance bill, informally dubbed the "Great American AI Act" ([1]). The bill, which cleared the Senate by a 67–31 vote, would create a federal framework for AI oversight covering frontier model safety, workforce impacts, cybersecurity and R&D ([2]). Its most debated provision is a three-year moratorium on new state AI regulations – overriding any stricter state laws passed after January 2024 ([3]). This preemption clause, intended to prevent a patchwork of state rules, has drawn support from companies seeking nationwide consistency and opposition from state officials concerned about losing regulatory authority.
While the federal legislation still requires approval by the House and President to become law, its advancement highlights the tension between federal and state-level AI governance. The federal push comes as several states have enacted their own AI rules – with Illinois this week becoming the third state (after California and New York) to pass a broad AI accountability law ([4]). On July 6, Illinois Governor J.B. Pritzker signed the Artificial Intelligence Safety Act, a landmark law that mandates the largest AI developers (such as OpenAI and Anthropic) to publish plans for assessing “catastrophic risks” and to undergo independent third-party audits of their AI systems ([5]). The Illinois law also empowers the state attorney general to levy penalties of up to $1 million for an initial violation and $3 million for repeat offenses ([6]), establishing the nation’s toughest AI compliance regime to date.
For enterprises, this divergence in U.S. regulatory approaches means navigating uncertainty. If a federal AI law passes with a broad preemption clause, it could simplify compliance by providing one uniform standard across all states ([7]) – but it might also roll back stricter state safeguards. In the meantime, companies must abide by new state requirements like Illinois’ audit and risk-reporting mandates, even as they prepare for an eventual federal framework. The active involvement of major AI firms in shaping these policies – for example, OpenAI and Anthropic supported Illinois’ law even as they advocate for a federal approach ([8]) – signals that industry leaders themselves anticipate stricter AI governance.
Europe’s far-reaching AI Act – the first comprehensive AI law in the world – is now officially on the books, with phased enforcement fast approaching. Last week, the Council of the EU gave a final green light to a package of amendments streamlining the Act’s provisions ([1]). Among the changes is a new ban on non-consensual “deepfake” pornography and AI-generated child sexual abuse material ([2]), with EU officials stressing that technological progress must go hand in hand with protecting fundamental values ([3]).
The same legislative package adjusts the AI Act’s timeline, giving companies more time to meet certain high-impact requirements. Key obligations for stand-alone "high-risk" AI systems, originally slated to take effect in August 2026, have been postponed to December 2027; for high-risk AI embedded in products, the deadline has moved to August 2028 ([4]). These extensions provide businesses extra breathing room to conduct required conformity assessments, improve risk controls, and ensure documentation for complex AI systems. However, other provisions – such as transparency rules for AI-generated content – have been tightened, with a new compliance deadline of December 2026 (shortened from 6 months to 3) ([5]). In short, companies cannot afford to pause their preparations, as many of the AI Act’s obligations will still kick in within the next few months.
European regulators are already signaling that they will enforce the AI Act with vigor. The new European AI Office and national supervisory bodies (17 member states have already appointed dedicated AI regulators) are gearing up for oversight ([6]). In early July, the European Commission pointedly warned that participation in an AI “regulatory sandbox” does not exempt companies from enforcement – underscored by its issuance of formal warnings to six companies in France’s AI sandbox for lacking sufficient transparency documentation ([7]). The AI Act authorizes fines up to €35 million or 7% of global annual revenue for serious violations ([8]), similar to GDPR. Any company offering AI products or services in the EU – even if based elsewhere – now faces major regulatory and reputational exposure if it fails to manage AI risks.
Across Asia, governments are rapidly tightening AI oversight. In China, sweeping new regulations for “artificial intelligence anthropomorphic interaction services” – AI systems that act as virtual companions or emotionally interactive chatbots – take effect on July 15 ([1]). These first-of-their-kind rules require providers to implement strict content controls and child-safety features for such “companion” AI services, and bar companies from using sensitive user conversations to train AI models without robust safeguards ([2]).
China’s tech industry is already adapting. In the last 48 hours, major firms including ByteDance, Alibaba, and Tencent have disabled or altered “virtual companion” features in their AI products to comply with the new regulations ([3]). This swift response highlights how quickly a regulatory shift in a large market can force changes to enterprise AI offerings – especially those involving high-risk or sensitive use cases.
Meanwhile, South Korea is moving from guidance to enforcement under its own AI law. The country’s AI Basic Act took full effect at the start of 2026, and now the National AI Committee has announced that formal compliance inspections of high-impact AI systems began in early Q3 ([4]). Regulators provided an initial grace period for companies to adjust, but the start of audits in July shows that authorities are prepared to hold organisations accountable for lapses in AI risk management.
Momentum is also building for coordinated global governance of AI. The United Nations this week convened its first-ever Global Dialogue on AI Governance in Geneva, where UN Secretary-General António Guterres warned that AI is developing faster than regulators can keep pace ([1]). He urged nations to agree on "globally harmonised" rules for AI to mitigate its risks – especially to protect children – cautioning that a technology capable of reshaping economies, influencing elections, and altering security balances is moving too fast for current oversight to manage ([2]). While the UN event produced no binding policy, it reflects a growing international consensus that stronger guardrails are needed to ensure safe and ethical AI development.
Even as policymakers act, recent events underscore how AI can amplify enterprise risks. A new industry survey found that two out of three companies using generative AI have already suffered a data leak linked to their use of AI, yet fewer than one in four have established AI-specific security policies ([3]). In the same study, analysts discovered that 22% of all files – and 4.37% of prompts – that employees uploaded to AI tools contained sensitive data ([4]). This highlights the governance gap that can lead to unintended leakage of confidential information, reinforcing the need for boards to enforce robust policies on AI use.
Legal accountability is also a mounting concern. As of mid-2026, over 70 AI-related copyright and data lawsuits are pending globally ([5]), with more than $50 billion in combined damages claimed ([6]). The largest AI intellectual property settlement so far – a $1.5 billion payout by OpenAI competitor Anthropic to authors of 482,000 books used in training ([7]) – demonstrates the scale of liability at stake. Companies that deploy AI without proper governance and compliance may face litigation over issues ranging from IP infringement and privacy breaches to defamation and biased outcomes.
Finally, an unprecedented AI-driven cybersecurity incident has rung alarm bells. Researchers have documented the first known “agentic” ransomware attack fully executed by an AI with minimal human input ([8]). In this case (dubbed JadePuffer), a large language model exploited a software vulnerability to infiltrate a cloud database and ultimately encrypt 1,342 files with no ready decryption key ([9]). More strikingly, the AI system adapted in real time – diagnosing a failed step and fixing it within 31 seconds – to continue its attack ([10]). This event shows how advanced AI can dramatically accelerate threats, pressuring enterprises to bolster AI oversight and security measures to stay ahead of emerging risks.