BLOG SERIES — POST 6 OF 7

The Regulatory Imperative.

The AI Compliance Calendar Already Running — EU AI Act, EU Data Act, US State Laws, SR 11-7, and What CFOs Must Act On Now

This is Post 6 of 7: The AI Inference Cost Crisis. Post 5 covered why falling token prices guarantee higher total bills. Post 7 — the final post — covers the architectural answer.

The economic case for AI cost governance is compelling on its own terms. Rising spend, falling efficiency, compounding agentic workloads, and unrealized ROI are sufficient reasons for the CFO to intervene. But they are reasons that permit deliberation. The regulatory case does not. The enforcement calendar is already running — and in several jurisdictions, enforcement has already begun.

The European Framework: Already in Force

The EU AI Act (Regulation 2024/1689) [1] entered into force on August 1, 2024. It is not a forthcoming regulation. It is law.

Article 5 prohibitions on the most harmful AI applications became enforceable on February 2, 2025. Fines reach 35 million euros or 7 percent of total worldwide annual turnover, whichever is higher. The Italian data protection authority fined OpenAI 15 million euros in December 2024 for ChatGPT GDPR violations — a preview of the enforcement posture regulators are prepared to take.

General-purpose AI model obligations became applicable on August 2, 2025. These apply to the developers of foundation models — OpenAI, Anthropic, Google DeepMind, Meta, and their peers — and require training data transparency, copyright policy publication, and technical documentation. These requirements shape what AI vendors can contractually commit to regarding no-training clauses and model change notification.

High-risk AI system requirements take effect August 2, 2026. These apply to AI systems used for employment decisions, access to essential private services including credit scoring, education and vocational training, and administration of justice. For any enterprise using AI in hiring, credit decisioning, or benefits administration — across any of the 27 EU member states — August 2, 2026 is a nine-month implementation deadline, not a planning horizon.

The EU Data Act (Regulation 2023/2854) [2] became applicable September 12, 2025. Its cloud-switching regime applies regardless of where the cloud provider is established. Contracts must permit a maximum two-month notice period, a 30-day data retrieval window on exit, and full data erasure. Article 29 requires switching fees to be reduced to cost-incurred from September 2025 and eliminated entirely by January 12, 2027. Google, AWS, and Microsoft all eliminated exit egress fees in early 2024 — all under this regulatory pressure.

For CFOs negotiating AI and cloud contracts in 2026, the EU Data Act switching calendar is the most useful negotiating leverage the enterprise software market has produced in a decade. Use it now, while the leverage is at its peak.

The United States: Fragmented but Operational

The US regulatory environment for AI is more contested than Europe’s — politically, legally, and jurisdictionally. But the compliance obligations it creates are operational, and they cannot be dismissed pending the outcome of federal preemption litigation that will take years to resolve.

Texas TRAIGA (HB 149) [3] took effect January 1, 2026. It prohibits seven specific AI practices through an intent-based liability framework. Civil penalties run from $10,000 to $200,000 per violation per day after a 60-day cure period. TRAIGA provides a formal safe harbor for organizations that have implemented the NIST AI Risk Management Framework — a safe harbor that is only available to organizations that have already done the governance work.

California SB 53 (TFAIA) [4], also effective January 1, 2026, targets frontier AI developers — specifically organizations training models above 10²⁶ FLOPs and large frontier developers with more than $500 million in revenue. Requirements cascade to enterprise buyers through vendor contractual obligations: published Frontier AI Frameworks, 15-day critical-safety-incident reporting, and whistleblower protections.

Colorado’s AI Act (SB 24-205) [5] — the first comprehensive US state AI law — is expected to take effect June 30, 2026. Its impact-based algorithmic discrimination liability framework applies to high-risk AI systems affecting Colorado residents. Illinois’s amendments to the Human Rights Act extend anti-discrimination obligations to AI-assisted employment decisions. New York’s Local Law 144 requires annual independent bias audits for automated employment decision tools.

For Financial Institutions: SR 11-7 Has No Opt-Out

For financial services organizations, the binding constraint is not state AI law but the Federal Reserve and OCC’s model risk management guidance SR 11-7, confirmed by OCC Bulletin 2026-13 [6] to apply explicitly to LLMs and generative AI. The three-pillar framework — conceptual soundness, ongoing monitoring, and outcomes analysis — applies to foundation-model API dependencies regardless of vendor opacity. A bank cannot exempt a deployed LLM from model inventory, independent validation, or board-level reporting simply because the underlying model is a third-party black box.

Wolters Kluwer’s Q1 2026 survey [7] of financial institutions documents the gap: only 26.4 percent express confidence in their AI compliance readiness. 58.8 percent cite lack of regulatory clarity as the single biggest barrier to advancing their AI strategy. The regulatory clarity they have been waiting for has largely arrived. The gap is now in implementation, not in the rules.

The Federal Preemption Question — and Why It Doesn’t Change the Calculus

On December 11, 2025, President Trump signed Executive Order 14365 [8], directing the DOJ to establish an AI Litigation Task Force to challenge state AI laws. The EO explicitly named Colorado’s AI Act and is widely read as targeting Texas, California, Illinois, and New York laws. However, the EO does not independently preempt state law. Only Congress can do that. Congress rejected AI preemption language twice in 2025. The state laws effective January 1, 2026 are in force. Organizations that defer compliance pending the outcome of preemption litigation are accepting enforcement risk for the duration of that litigation.

The FTC [9] pivoted in late 2025 from categorical AI enforcement toward misrepresentation-specific enforcement, setting aside the Rytr consent order under the Trump AI Action Plan. For enterprise organizations, this means the FTC’s AI enforcement focus has narrowed, not disappeared. Accurate representation of AI capabilities to customers and buyers remains an enforcement priority.

The No-Training Clause: Policy Versus Commitment

Every major AI vendor — Anthropic, OpenAI, Google, Microsoft — now commits in writing that enterprise customer data will not be used to train their models without explicit consent. The compliance question is whether these commitments exist at the binding legal level or only at the policy level. A policy statement in a terms-of-service document is not the same as an irrevocable clause in a signed data processing agreement. A policy can be updated unilaterally; a signed DPA commitment requires negotiation to change.

Consumer-tier access may also operate under different terms. Since October 2025, Anthropic’s consumer plans train by default unless explicitly opted out. Organizations where employees access AI tools through consumer accounts are not covered by enterprise no-training commitments, regardless of what those enterprise commitments say.

Four Actions for the Finance and Legal Organization

Map AI deployments against applicable regulatory frameworks before the next enforcement cycle. Cure period provisions and NIST AI RMF safe harbors are only accessible to organizations that have inventoried their AI deployments before enforcement reaches them.

Audit vendor contractual commitments, not vendor policy statements. No-training clauses, data residency commitments, and incident reporting provisions belong in signed DPAs. The legal standard is the DPA language, not the marketing materials.

Use the EU Data Act switching calendar as negotiating leverage now. Full elimination of cloud switching fees arrives January 2027. Every AI and cloud contract renewed in 2026 without exit protections is a contract renewed when the leverage was highest and not used.

For financial services: build the LLM model risk management framework before the next examination cycle. SR 11-7 applies to LLMs. OCC has confirmed this in writing. Organizations deploying LLMs in credit, fraud, AML, or customer service without a documented model inventory and validation approach are carrying examination risk on every deployment in production.

This is the final data-driven post in the series. Post 7 — the conclusion — covers the architectural answer to the inference cost problem: the compute-once delivery model, the cost reduction case, and why the organizations that win the AI economics race will be the ones that redesign delivery, not just governance.

Start the conversation.

GUUT helps enterprise organizations govern AI inference spend at the delivery layer — eliminating the token multiplier for structured, repeatable intelligence outputs.

Eric Ford  |  Chief Data and Analytics Officer  |  GUUT

eric.ford@guutit.com
guutit.com

Sources & Citations

  1. EU AI Act, Regulation 2024/1689, OJ 12 Jul 2024. Art. 5 effective 2 Feb 2025. High-risk AI: 2 Aug 2026. Penalties up to €35M or 7% global turnover. https://artificialintelligenceact.eu/article/99/
  2. EU Data Act, Regulation 2023/2854, applicable 12 Sept 2025. Switching fees eliminated 12 Jan 2027. https://eur-lex.europa.eu/eli/reg/2023/2854/oj
  3. Texas TRAIGA (HB 149), effective January 1, 2026. Penalties $10K–$200K/day. NIST AI RMF safe harbor. https://www.bakerbotts.com/thought-leadership/publications/2025/july/texas-enacts-responsible-ai-governance-act-what-companies-need-to-know
  4. California SB 53 / TFAIA, effective January 1, 2026. Targets frontier developers >10^26 FLOPs. Penalties up to $1M per violation. https://www.mintz.com/insights-center/viewpoints/54731/2025-10-03-charting-future-ai-governance-californias-sb-53-sets
  5. Colorado AI Act (SB 24-205), postponed to June 30, 2026. Impact-based algorithmic discrimination liability. https://www.akingump.com/en/insights/ai-law-and-regulation-tracker/colorado-postpones-implementation-of-colorado-ai-act-sb-24-205
  6. OCC Bulletin 2026-13 confirmed SR 11-7 applies to LLMs and generative AI. https://www.modelop.com/ai-governance/ai-regulations-standards/sr-11-7
  7. Wolters Kluwer, Q1 2026. Only 26.4% of financial institutions confident in AI compliance readiness. https://www.wolterskluwer.com/
  8. Executive Order 14365, December 11, 2025. DOJ AI Litigation Task Force; Commerce to identify problematic state laws by March 11, 2026. https://www.insideprivacy.com/united-states/federal-trade-commission/ftc-sets-aside-rytr-final-order-pursuant-to-white-house-ai-action-plan/
  9. FTC Operation AI Comply, September 2024; Rytr set-aside, December 2025. https://www.ftc.gov/business-guidance/blog/2024/09/operation-ai-comply-continuing-crackdown-overpromises-ai-related-lies
