Your legal team just flagged three regulatory deadlines in the next 90 days. Your AI policy document is polished, approved, and completely insufficient.
The Problem
Most organisations built their AI governance programs around documentation. They wrote policies, formed committees, and declared themselves responsible. Regulators and enterprise procurement teams no longer take that on trust. They want evidence: logs, test results, audit trails, and vendor contracts with teeth. The gap between "we have a policy" and "we can prove our controls work" is where legal exposure lives right now. Only one in five companies operates with a mature AI governance model. The other four are about to find out what that costs.
What the Deadlines Actually Require
The core shift is this: regulators now require organisations to demonstrate that their AI systems behave as intended, that risks were assessed before deployment, and that corrective mechanisms exist when something goes wrong. This is not a documentation exercise. It is an operational one.
Colorado becomes the first U.S. state to enforce this standard on June 30, 2026, under its AI Act. Any company deploying "high-risk" AI systems that affect consequential decisions for Colorado residents (credit, employment, housing, insurance and similar) must conduct impact assessments and disclose AI use to affected individuals. Non-compliance creates direct legal exposure under Colorado state law.
On August 2, 2026, the EU AI Act's requirements for high-risk systems come into force. Organisations selling into European markets or running AI systems that touch EU residents face mandatory conformity assessments, human oversight requirements, and registration obligations. Market access is the leverage here, not just fines.
Adding to the complexity, the White House issued a federal preemption blueprint in March 2026 that signals eventual federal standards but creates immediate uncertainty about which rules govern which systems in which jurisdictions. You are navigating three partially overlapping frameworks simultaneously, and "we're waiting to see how it shakes out" is not a defensible posture.
Policy vs. Evidence: The Governance Gap
| Governance Dimension | Having a Policy | Having Evidence of Controls |
|---|---|---|
| Bias and Fairness Testing | Policy states models must be tested for bias before deployment | Documented test results, methodology, pass/fail criteria, and sign-off on file for each model |
| Audit Logging | Policy requires AI decisions to be logged | Tamper-evident logs retained per regulatory timeline, queryable within defined SLA |
| Vendor and Third-Party Oversight | Policy requires vendors to confirm AI compliance | Contracts include specific audit rights, vendor attestations reviewed annually, gap findings tracked |
| Incident Response | Policy defines an AI incident escalation path | Tabletop exercise completed in last 12 months, incident register active, regulatory notification timelines documented |
| Impact Assessments | Policy mandates assessments for high-risk use cases | Completed assessments stored per system, version-controlled, linked to deployment approvals |
What Ready Actually Looks Like
A financial services firm operating across the EU and several U.S. states does not have one AI policy. It has a system inventory: every AI model in production, classified by risk level, mapped to applicable regulations, and owned by a named, accountable business owner. For each high-risk system, a completed impact assessment sits in a shared repository, linked to the deployment decision record. Bias testing results are stored alongside model documentation, not in a separate compliance folder nobody updates. Vendor agreements include explicit audit rights and compliance attestations that renew annually. When the legal team receives a regulatory inquiry, they can pull a coherent evidence package in hours, not weeks. That is not theoretical. That is table stakes for enterprise procurement in 2026.
The organisations getting this right made one important decision early: they treated AI governance as an operational discipline, not a compliance project. The CISO, CTO, and General Counsel share accountability. Governance is embedded in the model deployment pipeline, not bolted on after launch. Evidence is generated automatically where possible, reviewed by humans where it matters.
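What "embedded in the deployment pipeline" and "tamper-evident logs" can mean in practice, as an added example that is not code from the article: a release gate that reads one inventory record for a high-risk system, checks it against the evidence column of the table above (assessment and bias test matching the deployed model version, vendor attestation and tabletop within twelve months, a decision log whose hash chain is intact), and blocks deployment while any gap remains. The inventory schema, field names, sample record and the twelve-month thresholds are assumptions made for illustration; they are not any regulator's required format.

```python
"""Deployment gate over an AI system inventory record (illustrative, not a real schema)."""
from __future__ import annotations

import hashlib
import json
from datetime import date, timedelta

TODAY = date(2026, 5, 1)                 # assumed "as of" date for the check
MAX_EVIDENCE_AGE = timedelta(days=365)   # assumed: attestations and tabletops renew annually


def _parse(iso_day: str) -> date:
    return date.fromisoformat(iso_day)


# --- Tamper-evident decision log: every entry commits to the previous digest ---

def entry_digest(prev_digest: str, record: dict) -> str:
    """SHA-256 over the previous digest plus a canonical JSON encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_digest}\n{payload}".encode()).hexdigest()


def append_entry(log: list[dict], record: dict) -> None:
    prev = log[-1]["digest"] if log else "genesis"
    log.append({"record": record, "digest": entry_digest(prev, record)})


def verify_log(log: list[dict]) -> list[str]:
    """One problem per entry whose stored digest no longer matches the chain.

    Editing a record in place breaks that entry; recomputing its digest to hide the
    edit breaks the entry after it. Either way the chain does not verify clean."""
    problems, prev = [], "genesis"
    for i, entry in enumerate(log):
        if entry["digest"] != entry_digest(prev, entry["record"]):
            problems.append(f"decision log entry {i} fails chain check (edited or reordered)")
        prev = entry["digest"]
    return problems


# --- Evidence checks that the pipeline runs before a high-risk model ships ---

def evidence_gaps(system: dict, decision_log: list[dict], today: date = TODAY) -> list[str]:
    """Compare what the inventory holds against the evidence a high-risk system needs."""
    gaps, version = [], system["model_version"]

    ia = system.get("impact_assessment")
    if ia is None:
        gaps.append("no impact assessment on file")
    elif ia["model_version"] != version:
        gaps.append(f"impact assessment covers {ia['model_version']}, deployed version is {version}")

    bias = system.get("bias_test")
    if bias is None or bias.get("result") != "pass" or not bias.get("signed_off_by"):
        gaps.append("no passing, signed-off bias test on file")
    elif bias["model_version"] != version:
        gaps.append(f"bias test covers {bias['model_version']}, deployed version is {version}")

    att = system.get("vendor_attestation")
    if att is None:
        gaps.append("no vendor attestation on file")
    elif today - _parse(att["attested_on"]) > MAX_EVIDENCE_AGE:
        gaps.append(f"vendor attestation dated {att['attested_on']} is older than 12 months")

    tabletop = system.get("last_tabletop_on")
    if tabletop is None or today - _parse(tabletop) > MAX_EVIDENCE_AGE:
        gaps.append("no tabletop exercise in the last 12 months")

    if not decision_log:
        gaps.append("no logged decisions for this system")
    gaps.extend(verify_log(decision_log))
    return gaps


def deployment_allowed(system: dict, decision_log: list[dict], today: date = TODAY) -> bool:
    """The gate: high-risk systems ship only with a complete evidence package."""
    return system.get("risk_level") != "high" or not evidence_gaps(system, decision_log, today)


# Constructed sample inventory record; every value is made up for the example.
SAMPLE_SYSTEM = {
    "system_id": "credit-decisioning-v4",
    "risk_level": "high",
    "model_version": "4.2.0",
    "impact_assessment": {"model_version": "4.2.0", "approved_on": "2026-03-14"},
    "bias_test": {"model_version": "4.1.0", "result": "pass", "signed_off_by": "model-risk"},
    "vendor_attestation": {"vendor": "ExampleVendor", "attested_on": "2025-02-01"},
    "last_tabletop_on": "2026-01-20",
}


def sample_log() -> list[dict]:
    """Constructed three-entry decision log for the sample system."""
    log: list[dict] = []
    for i, outcome in enumerate(["approve", "decline", "refer"]):
        append_entry(log, {"system_id": "credit-decisioning-v4", "decision_id": i,
                           "model_version": "4.2.0", "outcome": outcome})
    return log


if __name__ == "__main__":
    log = sample_log()
    for gap in evidence_gaps(SAMPLE_SYSTEM, log):
        print("GAP:", gap)
    print("deployment allowed:", deployment_allowed(SAMPLE_SYSTEM, log))
```

Run against the sample record, the gate reports two gaps (the bias test was run on 4.1.0 while 4.2.0 is being deployed, and the vendor attestation has lapsed) and refuses the release; the same function is the 48-hour evidence-package answer for the question at the end of the article, since it enumerates exactly what is missing rather than whether a policy exists. A chained digest is the minimum for tamper evidence; anchoring the head digest somewhere the logging service cannot rewrite (a separate store, or a signed checkpoint) is what makes it evidence a regulator can rely on.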
The Question to Bring to Your Team
Can you produce, within 48 hours, a complete evidence package for your highest-risk AI system that demonstrates bias testing was done, decisions are logged, vendor oversight is active, and an impact assessment is current? If the honest answer is no, that is the conversation to have this week.