A thousand initiatives, two laws that bite
As of early 2026, more than 72 countries have launched over 1,000 artificial-intelligence policy initiatives. The figure impresses until you look closely at what it hides: the vast majority are national strategies, voluntary principles or bills that oblige nothing. The number of jurisdictions with a comprehensive AI law actually in force can be counted on one hand.
This tracker measures exactly that gap —the distance between what a country says it will do with AI and what it can really demand and sanction—. It is the data point that matters to any company deploying AI across several markets: not “does this country have an AI policy?”, but “does this country have a rule that binds me, an authority that applies it, and sanctions that get imposed?”.
The regulatory maturity ladder
Not all “AI regulations” carry the same weight. The tracker orders them on a maturity ladder, because the difference between one rung and the next is the difference between a real compliance risk and a statement of intent.
| Rung | What it means | Examples as of 2026 |
|---|---|---|
| Strategy / voluntary principles | No legal obligation | Japan (AI Promotion Act, non-binding), UAE, Saudi Arabia |
| Bill in progress | Does not yet bind | Brazil (PL 2338), Canada (AIDA) |
| Law passed, not in force | Future obligation | (in transition) |
| Comprehensive law in force | Binds and can sanction | EU (AI Act, phased), South Korea (since Jan-2026) |
| Documented real enforcement | Effective sanctions | EU (art. 5 prohibitions sanctionable) |
The leap between “bill” and “law in force” is what most confuses the market. Brazil passed PL 2338 in the Senate in December 2024 —a risk-based framework closely aligned with the European AI Act—, but the bill still lacks final approval in the Chamber, with uncertain momentum. A country can spend years “regulating AI” without a single enforceable obligation yet existing.
The two models that split the world
When the jurisdictions with effective rules are ordered, two opposing regulatory philosophies emerge, and the rest of the countries orbit between them.
| Model | Logic | Representatives |
|---|---|---|
| Risk-based, rights-centric | Classifies systems by risk, imposes obligations, gives citizens rights | EU (AI Act), South Korea, Brazil (bill) |
| Light-touch / pro-innovation | Self-regulation, no strong sanctions, focus on competing | Japan, UK (sector by sector), US (state patchwork) |
| State control | Prioritizes national interest over individual rights | China (AI content labeling, generative-AI measures) |
South Korea became, with its AI Framework Act in force since January 2026, the world’s second territory —after the EU— with comprehensive AI legislation, and its design mirrors the European high-risk categories. That convergence is revealing: the European model is becoming the global template, the so-called Brussels effect applied to AI. China, by contrast, regulates mostly the labeling of AI-generated content and prioritizes state control. And the United States has no federal law: it operates with a patchwork of state rules —California, Colorado, Texas— that companies must map one by one. That patchwork, and the tension with the federal preemption seeking to override it, is tracked in detail in the US AI patchwork tracker.
The gap that matters: law on the books vs. real enforcement
The tracker’s decisive indicator is not whether a law exists, but whether that law is applied. And there, most countries —even those that have legislated— are in a gray zone. China has several AI regulations in force but, like Brazil, records few public enforcement cases. Japan, by design, has no sanctioning mechanism. Even in the EU, where the Article 5 prohibitions are sanctionable since February 2025, as of this piece’s closing no final sanctions under the AI Act are on record —only open investigations—.
This is the golden question for a multinational compliance team: in which countries is AI regulatory risk real today, and in which is it still theoretical? The answer lies not in the headline “country X regulates AI”, but in the cross-reference of four variables —is there a law?, is it in force?, is there a designated authority?, has a sanction been imposed?— that only a structured tracker can sustain comparably.
Who this profile is for
A comparative AI-regulatory-risk tracker —country, rule status, regulatory model, competent authority, maximum sanction, documented enforcement, cutoff date— answers questions no isolated news item can. Which countries bind me already and which only will? Where does non-compliance have real consequences? Which jurisdictions converge with the European model and which diverge? Where is there high regulatory activity but low implementation?
Each answer has a clear buyer: multinational compliance teams, legaltech, regulatory consultancies, GRC platforms, law firms, funds assessing AI companies’ regulatory exposure. The value lies not in counting countries, but in making comparable, on one grid, the real risk of operating AI in each jurisdiction. Because the structural truth is that, although the rules diverge, every regulator asks the same underlying questions: what AI systems you operate, what risks they carry, what controls you apply, and whether you can prove it. The complexity is in the mapping, not in the principle.
Methodology note
The initiative figures come from specialised trackers (IAPP Global AI Law Tracker, OneTrust, OECD) with a cutoff in early 2026 and are approximate given the speed of regulatory change. A distinction is drawn between strategy/voluntary principles, bill, law passed, law in force and documented real enforcement. The classification of regulatory models is a comparative reading, not a quality judgement. The sanctions cited are legal maximums unless stated otherwise. Diálogo Ciudadano does not provide legal advice; this tracker is informational infrastructure.