Regulation Watch: What's Coming for Opaque AI
A working summary of the regulatory landscape relevant to AI opacity in 2026, jurisdiction by jurisdiction. The EU AI Act implementation, MAS guidance, the UK AI Safety Institute, the US fragmentation, and what each of them actually requires in writing.
The single most common request from readers of this publication is for a working summary of the regulatory landscape relevant to AI opacity. We have resisted publishing one, because the landscape has been moving fast enough that any snapshot we wrote was inaccurate within a quarter. The landscape is no longer moving that fast. The basic shape has settled. The implementation work is now the work that matters.
What follows is jurisdiction by jurisdiction. Each section is written from published material only. Where a regulator’s position is still emerging, we have said so and have not invented one. Where we have linked, we have linked to the primary regulatory document. The publication will revise this piece as the relevant instruments are updated; the version below reflects the position as of late spring 2026.
European Union — the AI Act, in the implementation phase
The European Union’s AI Act, formally Regulation (EU) 2024/1689, entered into force in August 2024. The Act’s obligations have been phasing in since. The provisions on prohibited practices took effect first; the rules on general-purpose AI models followed; the obligations on high-risk systems are now in the active implementation window, with most of the substantive deadlines in 2026 and 2027.
The Act’s relevance to opacity is not a single article. It is the cumulative effect of three sets of obligations. First, the high-risk-system requirements at Article 11 onwards specify that providers must maintain technical documentation sufficient for a competent authority to assess the system’s compliance — including documentation of the system’s design, capabilities, limitations, and the logging mechanisms that support traceability. Second, Article 12 requires automatic recording of events during operation, on a definition of “logs” that the standardisation work under CEN-CENELEC JTC 21 is now pinning down. Third, Articles 26 and 27 place obligations on deployers (the operators of high-risk systems), including monitoring obligations that are functionally impossible without an audit log the deployer can read.
The European Commission’s AI Office is the central institutional venue. The Office has been publishing guidance and code-of-practice work for general-purpose model providers, and the harmonised standards being developed by CEN-CENELEC will, when finalised, provide presumption of conformity for systems that implement them. The publication’s reading is that the harmonised standards will be the document procurement teams reference, not the Act itself. The standards are not yet finalised. The drafts that have been published indicate that orchestration-level logging and component-level versioning are heading toward being requirements rather than recommendations.
What the AI Act does not do is mandate model-level interpretability. That distinction is important. The Act is a documentation, logging, and risk-management instrument. It is concerned with whether the operator can demonstrate, after the fact, that the system was operated as documented, not with whether the model’s internal computations are individually explainable.
United Kingdom — the AI Safety Institute and the contextual approach
The United Kingdom’s approach has been deliberately distinct from the EU’s. The government’s published position is a “pro-innovation” framework that relies on existing sector regulators applying cross-cutting principles, rather than a single horizontal AI law. The principles published in the 2023 white paper and subsequent material — safety, transparency, fairness, accountability, contestability — do not by themselves create obligations; they direct how the sector regulators are expected to write rules within their existing remits.
The institutional venue worth tracking is the UK AI Safety Institute, established in late 2023. The Institute publishes evaluation reports and methodological papers on frontier model capabilities and on the evaluation methodology itself. The Institute is not a regulator. It is an evaluator. The distinction matters: the Institute publishes findings, and those findings inform the policy positions of the sector regulators and the government, but the Institute itself does not impose obligations.
The published material from the Institute relevant to opacity has been the methodology work — how do you evaluate a frontier model under conditions that simulate deployment, what can you reliably claim from such evaluations, what cannot be claimed, and where are the evaluators themselves operating under their own opacity constraints (proprietary model access, time-limited evaluation windows, model versions that update during the evaluation). This is honest work and it is unusually candid about its own limitations. The publication’s view is that the Institute’s published methodology will, indirectly, shape the audit primitives the sector regulators eventually require.
Singapore — MAS and the FEAT-to-Veritas trajectory
Singapore’s Monetary Authority has been one of the more substantive non-EU regulators in this space. The published guidance traces back to the 2018 FEAT principles (Fairness, Ethics, Accountability, Transparency) and continues through the Veritas initiative, which has produced toolkits intended to help financial institutions assess their AI systems against the FEAT principles in operational terms.
The MAS position is sector-specific — it applies to financial institutions under MAS supervision, not to AI broadly — but the published toolkits are substantive. They specify, for example, what fairness assessment means for a credit-decisioning system, what documentation an institution should produce, and how the institution should evidence ongoing monitoring. The publication’s view is that the MAS toolkits are the most operationally useful regulatory artefact for AI auditability published by any non-EU regulator at the time of writing. They are technical, they are specific, and they assume the institution will engage their own technical staff in producing the evidence.
The MAS position on generative and agentic systems specifically has been more cautious. Published material acknowledges that the FEAT toolkits were developed primarily for traditional predictive models, and that adaptation is in progress. We will track and write about that adaptation as it is published.
United States — fragmentation, sector by sector
There is no horizontal US AI law. The publication’s view is that there is unlikely to be one within the publication horizon of this piece. What exists is a federation of regulatory positions: NIST’s AI Risk Management Framework as a voluntary methodology; FTC enforcement under existing consumer-protection authority; CFPB and federal banking-agency expectations under existing financial-services authority; EEOC guidance on AI in employment decisions; FDA’s evolving stance on AI-as-medical-device; and a growing patchwork of state-level laws, of which the California, Colorado, and New York AI-related instruments have been the most substantively relevant.
The pattern across the US fragmentation is consistent: each sector regulator is applying its existing tools, with sector-specific guidance, against AI systems in its remit. The financial regulators have moved fastest because they have the most developed model-risk-management tradition to extend; SR 11-7, the Federal Reserve’s model-risk-management guidance from 2011, has been the de facto reference document for how regulated US financial institutions document and validate their AI systems, including agentic systems, even though the guidance pre-dates the current technology.
The publication’s view is that US compliance practice has been shaped less by AI-specific regulation than by the existing model-risk and operational-risk regimes, applied to AI by analogy. This is workable for traditional ML models and increasingly stretched for agentic systems. The agencies have not yet published agentic-specific guidance; the publication expects them to begin doing so before the end of the current implementation cycle.
Other jurisdictions worth tracking briefly
Brazil’s LGPD has been the basis for emerging AI-specific guidance from the national data protection authority. Canada’s proposed Artificial Intelligence and Data Act has been the subject of substantial revision and remains in legislative process. Japan’s METI has been publishing voluntary guidelines under a soft-law approach. Australia’s published response to the 2023 consultation has indicated a sector-specific direction with a possible cross-cutting overlay.
We will write a separate Regulation Watch piece on the non-EU non-US landscape when the implementation activity in those jurisdictions reaches a coherent enough state to summarise without distortion.
What an operator should actually do now
The publication’s view, for an operator reading the regulatory landscape in 2026, is that the binding constraint is no longer the law. The law is now substantially written. The binding constraint is the operator’s own engineering position. An operator whose stack supports the audit primitives — versioning, logging, replay, policy enforcement at the orchestration layer, decision provenance — is positioned to satisfy any of the regulatory regimes above with engineering work that is essentially the same engineering work in each jurisdiction. An operator whose stack does not support those primitives is doing per-regulator remediation work, in parallel, against deadlines that are now firm.
This is the structural reason the auditability question we keep coming back to has moved from a policy question to a procurement question. The policy work is largely done. The implementation work is the work that is left. The implementation work is engineering.
Editorial note. This piece deliberately does not include direct quotes from named regulators, officials, or institutional staff. The publication’s policy is to characterise regulatory positions only from published documents, and to link to those documents rather than to paraphrase them. We have followed that policy here. Where a position is still emerging, we have said so; where a published document is the source, we have named it and pointed to the document. We will update.