Comparing Global AI Regulations: What the US, UK, EU, and Türkiye Are Doing Now

Regulators worldwide are racing to craft legal frameworks for artificial intelligence. Artificial intelligence (AI) continues to advance at breakneck speed, prompting a wave of new laws, regulatory proposals, and compliance initiatives in late 2025. Between September and December 2025, the United States, European Union, United Kingdom, and Türkiye each took notable – and very different – steps to govern AI. This period saw everything from risk-based regulatory frameworks and regulatory sandboxes to draft legislation targeting deepfakes and biased algorithms. Legal professionals, corporate compliance officers, and AI developers face a rapidly evolving patchwork of legal and regulatory compliance obligations. In this article, we compare and contrast these jurisdictions’ approaches – highlighting which measures are binding law versus proposals, how they address AI misuse risks, and what compliance burdens and business impacts to expect. Each region’s trajectory is unique, yet common themes emerge around transparency, accountability, and balancing innovation with safety. Below we delve into the 2025 developments in the US, EU, UK, and Türkiye, followed by a comparative analysis of their regulatory models and future outlook.

United States: Patchwork State Laws and Emerging Federal Framework

State-Level Legislation – Narrow Focus, High Volume: AI has captured US state lawmakers’ attention in 2025. By the end of the year, legislators in all 50 states had introduced over 1,000 AI-related bills, though only about 11% became law. States found the most success with targeted laws addressing specific risks rather than broad AI frameworks. Deepfake regulations led the pack: out of 1,080 bills introduced nationwide, 301 targeted deepfakes and 68 were enacted, many creating criminal or civil penalties for malicious AI-generated media (especially non-consensual sexual deepfakes). A related trend is “digital replica” laws in states like Arkansas, Montana, Pennsylvania, and Utah to protect individuals’ likeness from AI-generated impersonation without consent. States are also experimenting with sector-specific AI rules. For example, insurance regulators in some states now require human review of AI-driven coverage denials or ban AI chatbots from acting as therapists. In housing, a few jurisdictions moved to prohibit algorithmic rent-setting due to bias and collusion concerns (though a Colorado ban was vetoed). These piecemeal laws reflect a “narrow but tangible” approach – addressing immediate harms like deepfake fraud, biased algorithms, or unsafe AI advice – while avoiding overly broad mandates that might stifle innovation.

Notable Late-2025 State Enactments: Several significant state AI bills reached the finish line in 2025. In California, AB 489 was signed into law, prohibiting AI systems from misleading consumers with medical advice or services by using titles that imply a licensed healthcare professional. This law aims to prevent deceptive practices like chatbots posing as “Dr. AI” or issuing diagnostic reports that a patient might mistake for a physician’s guidance. In New York, lawmakers passed the RAISE Act (Responsible AI Safety Act) – landmark legislation to restrict “frontier” AI models that pose an unreasonable risk of catastrophic harm. The RAISE Act would ban large developers from deploying advanced generative AI systems without written safety and security protocols, essentially pulling the emergency brake on extremely powerful AI until proper guardrails are in place. As of December 2025, the bill sat on Governor Hochul’s desk awaiting signature. And in Pennsylvania, the legislature advanced a bipartisan “Safeguarding Adolescents from Exploitative Chatbots” Act to protect minors from harmful AI interactions. The bill (SB 1090) would require any AI chatbot likely to be used by teens to implement content safeguards and duty-of-care features – for example, filtering sexual content, providing suicide-prevention resources, and even reminding users to take breaks every 3 hours of continuous use. These state laws, while narrow in scope, illustrate the practical compliance steps companies must take: labeling AI outputs clearly, building in usage limits and content filters, and avoiding any representation that an AI is a human professional. Corporate legal teams are developing AI compliance solutions to track such varied requirements across jurisdictions.

Patchwork Compliance Challenges: The divergence in state laws means companies face a complex compliance landscape. AI developers and deployers must conduct careful legal and regulatory compliance reviews state-by-state. For instance, a generative AI app might be legal in one state but unlawful in another if it lacks required deepfake watermarks or fails to include mandated safety features for minors. We have already seen corporate legal compliance programs scrambling to inventory where new disclosure rules, compliance audits, or risk assessments are needed. A Colorado law establishing broad AI transparency and accountability measures was postponed until June 30, 2026 to give businesses more time to prepare, underscoring the implementation burden. In many cases, existing laws also apply: an AI tool that discriminates in hiring or lending can trigger liability under federal civil rights laws, and an autonomous vehicle AI that causes an accident faces traditional product liability and negligence standards. Compliance officers must therefore ensure AI systems undergo rigorous risk management testing for bias, safety, and reliability, even beyond what any specific AI statute might require. This decentralized, multi-layered regime puts the onus on companies to self-regulate in anticipation of both explicit AI laws and general laws that implicitly cover AI behavior.

Federal Activity – Toward a Unified Framework? At the federal level, the US still has no comprehensive AI law or single regulator, but late 2025 brought signs of an emerging framework. The Trump Administration, in office as of January 2025, has signaled a more hands-off, innovation-first philosophy toward AI governance. In November 2025, it came to light that the White House is preparing a sweeping Executive Order on AI aimed at asserting federal leadership and preempting conflicting state regulations. According to press reports, this draft executive order would establish a national AI policy framework and even a federal task force to review state AI laws, with authority to challenge state provisions that conflict with federal priorities or First Amendment protections. In parallel, Republican leaders in Congress have pushed legislative preemption: on November 17, House leaders discussed attaching a federal ban on state AI laws to must-pass legislation (the National Defense Authorization Act). This came after an earlier summer attempt by Senator Ted Cruz to impose a 10-year moratorium on state AI regulations – a proposal that was ultimately stripped out of a budget bill after a 99-1 Senate vote against it. Nonetheless, momentum is building in D.C. to supersede the state-by-state patchwork with a uniform approach. Proponents argue a clear federal baseline would prevent “overregulation” by states that could derail AI-driven economic growth. Indeed, the largest tech firms and AI developers are lobbying hard for federal preemption coupled with light-touch rules, seeking a more permissive legal environment for AI development nationwide.

Proposed Federal Oversight and Sandbox Initiatives: While no federal AI law passed in 2025, multiple proposals point to what a future regime might include. Senator Cruz’s September 2025 “American Leadership in AI” legislative framework envisioned not only preempting state laws but also creating a “SANDBOX Act” to let AI companies obtain temporary exemptions from federal regulations that impede AI innovation. The sandbox concept – allowing AI pilots under regulator supervision and suspended rules – echoes ideas being tried abroad (and in some US states for fintech). On the Democratic side, earlier efforts like the “Algorithmic Accountability Act” have been reintroduced, focusing on requiring impact assessments for AI systems that affect consumers’ rights (e.g. in lending or employment). Additionally, federal agencies are wielding existing powers: the Federal Trade Commission (FTC) has warned it will treat biased or deceptive AI outputs as unfair business practices under the FTC Act, and the Equal Employment Opportunity Commission (EEOC) is scrutinizing AI hiring tools for disparate impact on protected classes. The National Institute of Standards and Technology (NIST) released an AI Risk Management Framework (1.0 in early 2023), which, while voluntary, has become a de facto benchmark for AI compliance and governance programs. Many companies are aligning their AI development with the NIST framework’s guidelines (on transparency, bias mitigation, accountability, etc.) as a way to demonstrate “reasonable” practices in the face of potential regulation. This patchwork of agency guidance and voluntary standards is essentially filling in for law – at least until Congress or the President formalizes rules.

Risks Addressed and Compliance Implications: American discourse on AI risks in late 2025 ranges from the here-and-now (fraudulent deepfakes, data privacy, algorithmic bias) to the futuristic (AI “superintelligence” concerns). The regulations enacted mirror the immediate concerns. Deepfake laws aim to curb AI-driven disinformation, electoral interference, and defamation by requiring content disclosures or criminalizing malicious uses. For businesses, this means implementing technical measures to watermark or label AI-generated media and having rapid takedown response plans for harmful fake content. Consumer protection laws like California’s AB 489 reflect fears of AI endangering health or finances through misrepresentation – companies must ensure their AI health apps and advisors include prominent disclaimers and do not imply credentials they lack. Bias and discrimination are being tackled both through general civil rights enforcement and new laws (e.g. Texas’s 2025 law focusing on AI use in government services); compliance officers should thus subject AI models to fairness testing and documentation, especially in hiring, credit, insurance, housing, and government contracting contexts. Child safety is another priority (witness the PA chatbot bill) – AI systems likely to interact with minors may need additional filters, age gating, and human oversight. While the U.S. has not adopted a formal risk-tiered model like the EU, there is an implicit risk-based mindset: “high-risk” AI applications (medical, financial, critical infrastructure, etc.) are attracting more regulatory scrutiny, whereas low-risk uses remain largely unregulated aside from voluntary ethical AI best practices.

For companies and developers, the key compliance implication is that AI governance can’t be one-size-fits-all in the U.S. They need to map out relevant laws by jurisdiction and sector, ensure corporate compliance policies address each, and stay agile to adapt to new rules. Documentation and internal AI audits are becoming standard – many firms are establishing AI oversight committees to pre-review new AI deployments for legal and ethical risks. Until a federal law imposes uniform requirements (if that ever happens), compliance risk management in the U.S. will remain a complex exercise in multi-jurisdictional awareness. The late-2025 push for federal preemption suggests relief may come by way of a single national standard – but whether that standard will be stringent or lax is still an open question. In the meantime, the consequences of AI misuse are being dealt with via existing legal avenues: companies have already faced FTC investigations for AI-related privacy breaches and class-action lawsuits for things like AI algorithm bias and false advertising. This legal exposure creates a strong incentive for proactive compliance even absent a comprehensive federal AI statute.

Forward Trajectory (US): Entering 2026, all eyes are on Washington for clearer direction. The draft White House Executive Order (expected in early 2026) could impose at least some baseline requirements – for example, it might direct federal agencies to set AI procurement standards or develop sector-specific guidelines, and it may attempt to invalidate state laws deemed overly restrictive. However, an executive order can only go so far; durable change would require legislation. There is bipartisan acknowledgment that certain AI applications (like autonomous vehicles or AI in warfare) may need federal oversight, but consensus on broad AI legislation remains elusive. Given the Trump Administration’s emphasis on not hindering innovation, any federal AI law in the near term may lean toward light-touch regulation (focused on transparency, reporting, and liability limits) combined with aggressive preemption of state rules. For businesses, this could actually simplify compliance – replacing 50 different regimes with one set of federal AI standards. But if the federal standards are weak, states (and consumer advocacy groups) could push back, potentially setting up legal battles over federal vs. state authority. We may also see more industry self-regulation: in July 2025, several leading AI companies pledged voluntary commitments (on testing AI for safety, sharing best practices, etc.), and such AI governance codes of conduct might expand while formal laws lag. Overall, the U.S. appears headed toward a model that leverages existing laws and sectoral oversight (by agencies like the FDA, FAA, FTC, etc.) supplemented by a new federal coordination mechanism – rather than an all-encompassing “AI Act.” AI developers should prepare for increased oversight in critical sectors (health, finance, transportation), continued enforcement of general laws (privacy, discrimination, product safety) on AI use, and the possibility that by late 2026 a national AI commission or regulatory body could emerge. In short, the U.S. approach will likely remain a flexible, evolving patchwork, requiring vigilant monitoring by compliance officers and tech attorneys to ensure legal compliance as the rules solidify.

European Union: Pioneering a Comprehensive Risk-Based Regime

EU AI Act – The World’s First Broad AI Law: The European Union has set the global benchmark by finalizing the Artificial Intelligence Act – a sweeping regulation that establishes harmonized rules for the development, marketing, and use of AI across the EU. The AI Act (formally Regulation (EU) 2024/1689) was approved by the European Parliament in March 2024 and green-lit by the Council in May 2024. It is the world’s first comprehensive legal framework on AI, covering the entire lifecycle of AI systems from design to deployment. The Act’s overarching goal is to ensure trustworthy, human-centric AI: it seeks to foster innovation in AI while safeguarding fundamental rights, user safety, and data privacy. To achieve this, the EU has adopted a “risk-based” regulatory model. As the AI Act’s architects put it, the higher the risk an AI system poses, the stricter the requirements it must meet. This tiered approach sorts AI applications into risk categories:

• Unacceptable Risk AI – Banned outright: The Act prohibits certain AI uses that are deemed egregiously harmful to human rights or safety. Banned practices include social scoring of individuals by governments, AI that exploits vulnerable populations (like toys encouraging dangerous behavior by children), and real-time biometric surveillance in public (with narrow exceptions). EU Member States must phase out any prohibited systems within 6 months of the law’s effective date.
• High-Risk AI – Tightly Regulated: AI systems that significantly impact safety or fundamental rights are classed as “high-risk.” This covers AI in areas such as medical devices, hiring and HR, critical infrastructure control, creditworthiness evaluation, education (like exam-scoring AI), law enforcement, and more. Providers of high-risk AI must comply with extensive technical and operational requirements to ensure safety, accuracy, fairness, and transparency. These include performing risk assessments, using high-quality training data to minimize bias, enabling human oversight, ensuring traceability of decisions (audit logs), and meeting cybersecurity and robustness standards. High-risk AI systems will also have to undergo conformity assessments (similar to a certification) and be registered in an EU database before market release. Importantly, certain public sector users of high-risk AI must conduct fundamental rights impact assessments prior to deployment. The compliance burden here is substantial – effectively a full AI compliance audit and documentation regime. However, the Act builds in support for innovation via regulatory sandboxes run by regulators to let companies test high-risk AI under supervision and guidance, something many Member States are now setting up.
• Limited Risk (Transparency obligations): Some AI systems aren’t banned or high-risk but still merit transparency duties. For example, chatbots or deepfake generators must clearly disclose to users that they are AI-generated or AI-driven, so users are not duped into thinking they are interacting with a human. Similarly, AI-generated content like synthetic images or videos may need watermarks or notices (the Act’s final text included a mandate to label AI deepfakes, unless used in permitted research or security contexts). These measures directly target the risk of AI-enabled deception, misinformation, and erosion of trust. Providers of such AI can otherwise operate freely but have to implement these transparency features.
• Minimal or Low Risk: All other AI systems (the vast majority, including most business and consumer applications) are largely unregulated by the Act. The EU purposely avoided overregulating benign uses like AI in video games or spam filters. For low-risk tools, the Act encourages voluntary codes of conduct and adherence to ethical AI best practices, but there are no hard requirements. This keeps innovation friction low in areas where risks are minimal.

Late-2025 Developments – Deadline Extensions and “Omnibus” Amendments: While the AI Act’s core structure had been settled by mid-2024, the end of 2025 brought significant new proposals to adjust its implementation. On November 19, 2025, the European Commission unveiled a “Digital Omnibus” package of amendments aimed at simplifying AI and digital regulations. Chief among these is a plan to delay the AI Act’s high-risk obligations by roughly 16 months. Originally, the stringent requirements for high-risk AI were expected to apply by August 2026, given the Act’s anticipated 24-month implementation period. The Commission has proposed pushing that deadline out to December 2027 for certain sensitive high-risk uses. This means AI in sectors like biometrics, energy grids, healthcare, and credit scoring would get extra time before full compliance is mandatory. The rationale is to wait until harmonized standards and guidance are in place and to give industry (especially startups and small firms) more breathing room to prepare. Alongside the delay, the AI Omnibus proposal would loosen some compliance burdens: for example, it would exempt narrowly purposed AI systems used in high-risk areas from the requirement to register in the EU AI database, if they are only used internally or for limited “procedural” tasks. The Commission also floated tweaks to make the AI Act more innovation-friendly, such as allowing AI developers to process personal data under a “legitimate interests” legal ground for AI training – a clarification meant to reconcile the AI Act with data protection rules. Additionally, the Omnibus would permit AI providers to process sensitive personal data (e.g. race, health data) if necessary to detect and correct algorithmic bias, subject to safeguards. This amendment acknowledges that preventing discrimination may require using protected class data in testing to ensure an AI isn’t biased – an activity that GDPR would normally restrict. Other proposed changes include simplifying cookie consent (under e-Privacy rules) and clarifying when data is truly “anonymous” (and thus usable for AI without triggering GDPR).

These late-2025 proposals have sparked intense debate. Industry groups like Siemens and SAP welcomed the delay and called it a “step in the right direction” for keeping Europe competitive. They argued that without adjustments, the AI Act’s strict rules could leave European AI lagging behind the U.S. and Asia in the global “AI arms race”. On the other hand, digital rights activists blasted the omnibus as “the biggest rollback of EU digital rights in history”, accusing Brussels of caving to Big Tech pressure. Civil society groups like noyb warned that allowing widespread use of personal data for AI would undermine privacy, and delaying high-risk safeguards to 2027 leaves Europeans exposed to unchecked AI harms for an extra year. The Commission defended the omnibus as “regulatory decluttering” – not deregulation, but making rules more workable for businesses while keeping core EU principles intact. It emphasized that Europe must streamline compliance to avoid losing more ground in tech innovation. As of Dec 2025, these amendments are proposals only: they must go through the EU’s legislative process (approval by the European Parliament and Council). Observers expect intense negotiations into 2026, and the final changes may be narrower than initially proposed. Nonetheless, it appears likely that the timeline for full AI Act enforcement will be extended, giving companies until late 2027 to meet the most onerous requirements. Businesses should not be complacent, however – many obligations could still kick in by 2026 or 2027, and preparation takes time.

Binding Law vs. Guidance: It’s important to distinguish which EU AI measures are already binding and which are forthcoming. As of 2025, the AI Act is adopted law (expected to be published in the EU Official Journal imminently, if not already). However, its provisions are mostly not yet in effect; there is a built-in grace period (initially 24 months) for implementation. Some obligations might apply sooner – for instance, the EU is giving providers of prohibited AI systems six months from the effective date to cease those uses. But for high-risk systems, the compliance deadline was expected in 2026 and now might shift to 2027 pending the Omnibus changes. In the interim, the EU has rolled out non-binding guidance and voluntary frameworks to bridge the gap. Notably, the European Commission endorsed a voluntary Code of Conduct on General Purpose AI in July 2025, urging major AI developers (like OpenAI, Google, Meta) to proactively implement the spirit of the AI Act ahead of legal enforcement. This code covers measures like model testing, information sharing with regulators, and mechanisms to address misuse. Several companies signaled commitment to follow these guidelines as a show of good faith (and to shape the standards that will later become mandatory). Additionally, EU regulators are working on harmonized technical standards for AI (via CEN/CENELEC and ETSI) to support the Act – compliance with these standards will give AI providers a presumption of conformity with the law. The Commission has also been active in issuing sectoral AI guidelines (for example, draft guidance on AI in medical devices and an updated Coordinated Plan on AI to align Member State policies). While these are not binding, they lay out what regulators expect “AI best practice” to look like, which savvy companies treat as de facto requirements.

Crucially, the EU AI Act has extraterritorial reach. Any AI system provider or deployer outside the EU will be subject to the Act if their systems’ outputs are used in the EU. In other words, if you sell or operate an AI system in Europe, you must comply regardless of where your company is based. This is similar to the GDPR’s global scope and is driving multinational companies to adopt EU AI Act compliance as a global baseline. Many organizations are leaning towards implementing EU-aligned AI compliance programs company-wide (much as they did for GDPR privacy controls) instead of maintaining separate processes just for Europe. This strategy minimizes the chance of non-compliance in the EU and often sets a high standard that covers or exceeds requirements in other jurisdictions.

Compliance Requirements and Business Impact: Companies developing or deploying AI in Europe face a robust compliance regimen under the AI Act. Those in the “high-risk” category will shoulder the heaviest load. They must establish comprehensive risk management systems for their AI: identifying foreseeable risks, mitigating them, and documenting the entire process. Training data governance is a key focus – firms have to ensure their datasets are relevant, representative, free of unacceptable bias, and processed in line with EU privacy laws. In fact, using discriminatory datasets is explicitly prohibited and considered a breach of data protection obligations. This forces companies to invest in better data curation, bias auditing, and possibly to drop problematic third-party data sources. High-risk AI providers also need to generate detailed technical documentation and logs to enable traceability of AI decision-making. Such records might be requested by regulators or used to explain AI outputs to affected users. Another significant requirement is to implement human oversight measures – meaning systems should be designed so that human operators can monitor them and intervene or override, when necessary, especially if the AI behaves unexpectedly. The Act further mandates transparency with users: users must be informed that they are interacting with AI and given general information on how it works, what data it uses, etc. If an AI system makes an adverse decision about a person (say, denying a loan), that person should have the right to an explanation and the ability to contest the decision – dovetailing with existing GDPR and consumer protection rights.

Enforcement and penalties under the AI Act will be vigorous. Each Member State will designate authorities (likely consumer protection or digital regulators) to supervise compliance, backed by a new European AI Office/Board to coordinate oversight. Penalties can reach €30 million or 6% of global annual turnover (whichever is higher) for the most serious violations (e.g. deploying banned AI or failing to comply with high-risk obligations) – on par with GDPR fines. Lesser breaches (like not labeling AI-generated content) carry fines up to €10 million or 2% of turnover. These tough penalties make AI a board-level compliance issue for companies, not just an IT issue. We can expect to see the rise of AI compliance officers and cross-functional AI risk committees within firms, much as data protection officers became standard after GDPR. Legal compliance audits specific to AI – reviewing algorithm design, training data, output testing, etc. – will become routine, either internally or via outside counsel/consultants. In terms of business strategy, some companies might decide to avoid offering high-risk AI systems in the EU, focusing on lower-risk applications to dodge the regulatory overhead. Others, however, see the AI Act as an opportunity: by investing in compliance early, they could earn a reputation for trustworthy AI and gain an edge in markets where customers care about ethical AI. The Act also levels the playing field by requiring even imported AI systems to meet EU standards, preventing overseas providers from undercutting EU providers on safety or ethics.

Addressing AI Misuse and Risks: The EU’s regulatory approach is explicitly risk-driven, targeting concrete dangers associated with AI. Bias and discrimination are addressed through multiple layers: training data controls, transparency to users, and an upcoming AI Liability Directive (still in draft) that will make it easier for individuals to sue for harms caused by AI, including discrimination. The Liability Directive, once passed, will introduce concepts like a “presumption of causality” if a provider fails to log AI activity – incentivizing thorough record-keeping. Privacy is reinforced by integrating AI governance with GDPR; the Digital Omnibus proposals clarify lawful bases for AI data processing to ensure privacy rights aren’t overridden. Safety and product compliance are central for high-risk AI: for example, an AI that controls a surgical robot or drive an autonomous car will need to meet functional safety standards (the Act dovetails with existing product safety laws and likely will involve Notified Body assessments). Transparency and accountability tackle misinformation and autonomy concerns – the logic being that if users know they are dealing with AI and can understand its logic, they can act accordingly and hold someone accountable. The Act even promotes AI literacy in Member States to help the public navigate AI outputs. While the EU is less vocal about doomsday “AGI” scenarios than some countries, it did include a review clause: the Commission will monitor emerging “exceptionally high-risk” AI (like advanced general AI) and can update the rules if needed. In late 2025, the EU also signed onto the Council of Europe’s Convention on AI – an international treaty on AI, human rights, and rule of law – which will create another forum to manage AI risks globally. This underscores that the EU sees AI governance as an ongoing process, not a one-off law.

Forward Trajectory (EU): The EU is firmly on course to implement the AI Act and related digital regulations by the middle of this decade. Assuming the Act is published in late 2024, many of its provisions will become binding by 2026, with full effect possibly by 2027 if the extension is approved. Between now and then, we’ll see a flurry of activity: the creation of standardized compliance guidelines, the formation of national supervisory authorities, and companies conducting gap analyses to ensure their AI products meet EU requirements. We can expect some “early enforcement” once the law is live – similar to how GDPR saw a few high-profile fines early on. That means AI providers should not wait; they should be adapting their processes now (documentation, bias testing, etc.) in anticipation. The Commission’s adjustment proposals suggest a bit more flexibility and industry collaboration going forward. Small and mid-size enterprises (SMEs), for instance, may get some compliance relief and support (the Omnibus would extend certain exemptions to slightly larger “SMCs” as well). The EU might also channel funding into AI compliance sandboxes to help startups innovate safely. Another area to watch is the AI Liability Directive: expected to be finalized in 2025 or 2026, it will complement the AI Act by smoothing legal redress for AI-caused harms. This could come into force by 2028, further solidifying the EU’s comprehensive approach (regulation ex-ante via the AI Act, and accountability ex-post via liability rules). The interplay between the EU and US approaches will also be significant. If the US goes for a lighter regulatory touch, EU businesses may worry about competitiveness – the Commission’s late-2025 pivot to ease some rules shows it is sensitive to this. Nonetheless, European regulators are unlikely to fundamentally dilute their commitment to AI ethics and safety, which are rooted in the EU Charter of Fundamental Rights. We may see transatlantic cooperation in areas like AI R&D funding and setting technical standards, even if the legal regimes differ. For AI developers globally, the EU will remain the gold-standard to meet: much like with GDPR, being “EU AI Act compliant” could become a selling point and a de facto global standard for AI quality and governance. Companies that align with the EU’s risk-based model (e.g. implementing thorough AI impact assessments, documentation, and transparency measures) will not only avoid EU penalties but also be well-positioned as other jurisdictions follow suit. In summary, the EU is moving steadily ahead with a rigorous AI compliance framework, tempered slightly by recent adjustments, and its focus is now shifting to practical implementation, standardization, and international coordination to ensure AI develops in a safe, rights-respecting manner.

United Kingdom: Principles-Based Oversight with an Eye on Innovation

“Light-Touch” Framework and Sectoral Guidance: In contrast to the EU’s heavy statute, the United Kingdom has so far chosen a flexible, non-statutory approach to AI regulation. Following Brexit, the UK is free from the EU AI Act and has charted its own course. The UK government’s AI Regulation White Paper (published March 2023) explicitly rejected a single comprehensive AI law, opting instead for a principles-based framework applied by existing sector-specific regulators. The guiding philosophy is that rigid legislation could quickly become obsolete given rapid AI advances, whereas empowering regulators to issue tailored rules and guidance offers “critical adaptability” as AI evolves. The White Paper outlined five overarching AI principles – safety, security & robustness; transparency & explainability; fairness (non-discrimination); accountability & governance; and contestability & redress – which all regulators should use when interpreting and enforcing laws in their domains. Throughout 2024 and 2025, regulators from various sectors responded by publishing AI strategy updates aligning with these principles. For example, the Financial Conduct Authority (FCA) detailed plans for an AI “Digital Sandbox” to support fintech innovation and indicated it will work with the UK’s Digital Regulation Cooperation Forum on a pilot AI oversight program. The Information Commissioner’s Office (ICO) set priority areas for AI and data protection, focusing on issues like foundation models, emotion recognition, and biometrics under existing privacy laws. The Competition and Markets Authority (CMA) conducted a review of AI foundational models to assess implications for competition and consumer protection. And Ofcom (communications regulator) outlined how AI impacts its realms of online safety, broadcasting, and telecom, highlighting risks of synthetic media and personalized content algorithms. These efforts show the UK leveraging its sectoral oversight structure – essentially augmenting current laws (like data protection, consumer law, equality law, etc.) with AI-specific interpretation where needed. Crucially, for now these regulators’ AI pronouncements are guidance and principles, not new binding rules. The government signaled it would review this initial phase and consider making the principles legally binding on regulators later (by creating a statutory duty for regulators to “have due regard” to the AI principles). That review was expected after a year of implementation – i.e. around end of 2024 or 2025 – and indeed we’ve started to see movement toward more concrete measures.

Late-2025 Shift – Toward Targeted Legislation and AI Sandboxes: In the second half of 2024 and into 2025, the UK’s stance began evolving as AI advancements (especially generative AI) accelerated. In the King’s Speech on 17 July 2024, the UK government announced it would introduce an “AI Bill” – a legislative proposal that “places requirements on those developing the most powerful AI models”. This marked a deviation from the earlier purely non-statutory approach. The intent, widely interpreted, was to focus on frontier AI systems (very advanced general AI or foundation models) and ensure they are developed with appropriate safety measures. It was clear that any such AI Bill would be far narrower in scope than the EU AI Act, zeroing in on future high-risk AI (sometimes described by officials as “AGI” or Artificial General Intelligence) rather than regulating all AI in use. However, as of December 2025, that AI Bill had not yet materialized. Political factors (including a pending general election and shifting ministerial priorities) contributed to delays. Reports indicated the government was deciding whether to include the AI Bill in the Spring 2026 King’s Speech (which lays out the legislative agenda). In the meantime, the focus of UK policymaking shifted towards innovation and national security, aligning somewhat with the pro-innovation stance of the U.S. under Trump.

A major development in 2025 was the launch of the UK’s AI regulatory sandbox initiative. On 21 October 2025, the Department for Science, Innovation and Technology (DSIT) released a “Blueprint for AI Regulation” and opened a consultation on establishing a UK AI “Growth Lab”. The Growth Lab is essentially a cross-sector regulatory sandbox program for AI. Under this proposal, companies would be allowed to test AI innovations in real-world conditions with certain regulatory requirements lifted or modified temporarily. The idea is to identify specific rules (in finance, healthcare, transport, etc.) that impede beneficial AI deployments and waive or adjust them in sandbox trials – all under close oversight by regulators. These sandbox pilots would run for a limited time and with pre-defined safeguards (e.g. immediate shutdown if risks manifest, and perhaps insurance or bonding in case of harm). If successful, the insights from the sandbox could lead to permanent regulatory reforms, whether updated guidance or even amendments to laws, to better accommodate AI in those sectors. The consultation asked stakeholders which regulatory barriers should be prioritized and how to structure the sandbox. It remains open until January 2, 2026, after which the government will refine its approach. To facilitate this innovation agenda, the UK has a Regulatory Innovation Office (RIO) (established in 2024) that ensures regulators collaborate on emerging tech; RIO’s one-year-on report (Oct 2025) highlighted progress in sectors like healthcare and drones and promised to expand to more sectors soon.

In summary, by end of 2025 the UK is blending its initial “soft law” framework with new initiatives that pave the way for possible “hard law” in specific areas. The likely scenario is that the UK will enact narrower legislation in 2026 – possibly enabling the AI sandbox legally (since some statutory changes might be needed to empower regulators to waive requirements), and imposing certain obligations on developers of “future AI” (like advanced general models) to ensure safety. For example, the government’s chief scientific advisor Patrick Vallance suggested regulation might target “future AI” (AGI) rather than current generative models. This indicates any forthcoming AI Act (UK) would be limited to extreme cases like autonomous self-learning systems, with current use cases mostly handled by sectoral rules.

Current Legal Status – Binding vs. Non-Binding: As of 2025, no new AI-specific law is in force in the UK. Everything rests on existing laws and the voluntary adoption of the government’s AI principles. The Office for Artificial Intelligence (a cross-government unit) serves as a central coordinator – monitoring AI risks across the economy, evaluating how the framework is working, and promoting interoperability with other countries’ AI rules. But the White Paper principles themselves are not statutory, and regulators only have a political expectation (not a legal duty yet) to follow them. That said, some existing UK laws already incidentally cover AI impacts. For instance, the Equality Act 2010 prohibits discrimination by automated systems just as by humans, so a biased hiring AI could lead to liability. The UK GDPR and Data Protection Act apply to personal data used in AI, meaning requirements like fairness, purpose limitation, and the new “UK GDPR 2.0” (the Data Protection and Digital Information Act passed in 2025) need consideration when building AI models. The Product Safety regime could apply if AI is embedded in consumer products, and the Online Safety Act 2023 will put duties on online services (some of which involve AI content recommendation algorithms) to manage harmful content. Thus, while there isn’t an “AI Act”, companies in the UK aren’t operating in a lawless vacuum – general compliance duties (data privacy, consumer protection, safety, competition, etc.) all extend to AI usage. The UK government’s approach has been to clarify and supplement these duties through guidance rather than write entirely new offenses or requirements for AI. For example, the ICO has released detailed guidance on AI and Data Protection, explaining how to do DPIAs (Data Protection Impact Assessments) for AI and how to address issues like automated decision-making under Article 22 of GDPR in an AI context. Likewise, the CMA’s 2023 report on AI foundation models proposed principles to ensure competition isn’t harmed by big AI players (like ensuring new entrants access to key AI inputs). These guidance do not have the force of law, but regulators could enforce underlying laws by referencing the guidance as what compliance “looks like”.

Compliance Implications in Practice: For businesses and developers, the UK’s agile approach means less prescriptive bureaucracy upfront but potentially more uncertainty. There is no checklist like the EU’s to tick off; instead, companies must exercise judgment in applying broad principles. This can actually be challenging – figuring out what “fairness” or “transparency” means for a specific AI system is not straightforward. Many UK companies are therefore adopting a proactive self-regulation stance, mirroring best practices from frameworks like the EU’s and NIST’s. Corporate compliance officers in UK firms are creating AI ethics committees to review new AI deployments, much as if the EU Act applied, in order to ensure they won’t run afoul of any regulator’s expectations or public opinion. The benefit in the UK is that if a company’s AI system is novel and potentially beneficial, regulators are more likely to work with the company to manage risks rather than punish it – especially with the sandbox incoming. This “regulatory sandbox” culture is well-established in UK fintech and may expand to AI across sectors, giving companies a channel to propose how to meet safety goals in flexible ways.

Concretely, what should a business deploying AI in the UK do now? First, map which regulators oversee your AI use. If you’re in healthcare using AI for diagnostics, engage early with the Medicines and Healthcare products Regulatory Agency (MHRA) or NHSx guidelines. If you’re in finance using AI for trading or credit decisions, follow the FCA’s guidance and possibly participate in their Digital Sandbox. For any consumer-facing AI, ensure compliance with consumer protection law (which the Competition and Markets Authority might enforce) – e.g. avoid misleading AI-generated content or unfair contract terms related to AI outputs. Second, follow the five principles: document how your AI is safe (robust to attacks/errors), explainable (at least at a basic level to users), fair/non-biased (test on diverse data), accountable (human oversight and clear responsibility assignment), and contestable (make it easy for users to flag issues or opt out of automated decisions). While not legally required yet, demonstrating adherence to these principles will go a long way if a regulator comes knocking. Third, maintain strong data governance. The ICO has not been shy about enforcing data laws in AI contexts – e.g. it fined Clearview AI for scraping images for facial recognition. If your AI uses personal data, ensure you have a lawful basis, minimize data, and conduct impact assessments. Also watch for the upcoming UK data reforms: the Data Protection (DPA) changes in 2025 might slightly loosen certain provisions (the “legitimate interests” use might be expanded, similar to the EU’s omnibus idea), but core principles remain. Fourth, be prepared for future mandatory rules on advanced AI. If you are developing cutting-edge AI models (the kinds of systems that approach human-level understanding or decision-making), anticipate that the UK may impose specific obligations – possibly a licensing regime or mandatory safety testing – in the next year or two for these. The government’s active role in global AI safety (hosting the AI Safety Summit at Bletchley Park in Nov 2023, and planning more) suggests it is particularly concerned about frontier AI risk (e.g. biosecurity threats, autonomous weapons, etc.). A UK “AGI safety institute” or similar oversight body could emerge to scrutinize the most advanced projects.

Risks and Misuse – UK Perspective: The UK’s public discourse on AI risks mirrors many global concerns, but with a nuanced emphasis on balancing innovation. The White Paper and subsequent statements frequently note the risk of over-regulation chilling AI development, hence the cautious approach. Still, the UK acknowledges key AI misuse risks: bias and discrimination (for instance, if AI in recruitment rejects qualified minority candidates – existing equality law covers this, and the government has funded research into algorithmic bias mitigation); misinformation and deepfakes (the Online Safety Act and election laws can handle some aspects, and broadcast standards already prohibit misleading deepfake material on TV, for example). The UK has not passed a dedicated deepfake law akin to some U.S. states, but it did criminalize some harmful online communications generally, which could include distributing malicious deepfakes. Privacy and surveillance are definitely on the radar – the UK is keen on AI-enabled policing tools but also aware of surveillance overreach (London’s Metropolitan Police trials of facial recognition have been controversial and are being cautiously expanded with oversight). Cybersecurity of AI is another risk: the National Cyber Security Centre (NCSC) in 2025 issued guidance on adversarial attacks to machine learning systems, urging organizations to secure their AI supply chains. And when it comes to existential risks or extreme misuse (like AI being used to design bioweapons or autonomous drones), the UK is taking a role in convening international discussions rather than legislating domestically right now. The Bletchley Park summit launched initiatives to collaboratively research frontier AI safety and establish early warning systems for AI biohazards. Domestically, we might see defense or security directives on AI (outside public view) to ensure any AI used in critical infrastructure or defense is thoroughly vetted.

Forward Trajectory (UK): Going into 2026, the UK is at an inflection point – having laid the groundwork with principles and now deciding how much harder its regulatory touch should become. If the Conservative government remains in power, one can expect continuity of the pro-innovation line with some calibrated interventions for high-risk AI. If a Labour government comes in (a possibility depending on elections due by 2025), they may be inclined to strengthen consumer and worker protections in AI, potentially giving the AI Bill broader scope (for example, focusing not just on AGI but also ensuring accountability in AI that impacts jobs, wages, etc.). Regardless of politics, it is likely the UK will implement the AI sandbox (Growth Lab) in 2026 – which would be a major step, effectively creating a controlled environment to experiment with AI under lighter rules but heavy scrutiny. Legislation might be needed to remove any legal barriers for sandbox trials (for instance, temporarily exempting a healthcare AI from certain NHS regulations during testing). So an “AI (Regulation) Act” in 2026 could mainly serve to authorize sandboxes and impose minimal duties on frontier AI developers. We may also see the UK formalize the requirement for regulators to consider the AI principles – turning the soft guidance into a “duty of due regard” via legislation, which was foreshadowed in the White Paper response.

Another key aspect is international alignment. The UK is striving to be a global leader in AI governance by coordinating with allies. It spearheaded the creation of the Global Summit on AI Safety and proposed establishing a global expert panel or even an international AI watchdog (analogous to the IPCC for climate). In late 2025, the UK also signed the Council of Europe’s AI Convention alongside the EU and U.S., committing to uphold human rights in AI deployment. We can expect the UK to continue pushing for common international standards or mutual recognition of AI regulations – perhaps seeking a middle ground between the EU’s stringent model and the US’s laissez-faire approach. The UK has already hinted at trying to broker understanding so that, for example, an AI system approved under a future UK regime could be accepted in other countries and vice versa (important for companies like DeepMind or Graphcore that operate internationally).

For businesses, the UK’s path means they should stay engaged with regulators through consultations (like the Growth Lab call for views) and possibly volunteer for sandbox trials to help shape future rules. The relatively cooperative regulatory climate is an opportunity to help craft workable regulations. Companies should also watch for any specific new guidelines from sector regulators – for instance, the UK’s Medicines regulator might soon update rules for AI in diagnostics, or the Bank of England/Prudential Regulation Authority might issue expectations for AI in financial risk modeling. Compliance-wise, UK organizations will likely continue following international best practices (ISO/IEC AI management standards, etc.) to demonstrate due diligence, knowing that if something goes wrong, UK regulators will judge them against those benchmarks even absent a local law.

In essence, the UK is charting a course of “regulated flexibility”. It champions principles over prescriptions, aims to enable innovation via sandboxes, and only plans targeted binding rules where absolutely necessary (e.g., for ultra-high-risk AI). This approach requires maturity from industry – a strong element of corporate self-governance – which many large companies are embracing by instituting AI ethics boards and compliance checks voluntarily. The forward trajectory will likely involve incremental steps: implementing the sandbox in 2026, evaluating its outcomes by 2027, and possibly a fuller review of whether a broader AI Act is needed around that time. If AI technologies remain manageable and industry cooperation is high, the UK might stick with its agile approach. But if there were to be a major AI-related incident or public backlash (say an AI causes serious harm or a scandal about AI misuse breaks out), there could be a faster pivot to stricter regulation. For now, the UK is positioning itself as a “pro-innovation regulation” model – a contrast to the EU – hoping to attract AI businesses to its jurisdiction by offering clarity, support, and a lighter compliance burden, while still protecting the public through general laws and adaptive oversight.

Türkiye: Early Legislative Action and Strict Content Controls

New Draft AI Law – Comprehensive Amendments to Multiple Laws: Among the jurisdictions examined, Türkiye stands out for moving rapidly toward a dedicated AI legal framework in late 2025. On 7 November 2025, a draft law titled the “Bill of Law on Amendments to the Turkish Penal Code and Certain Laws” was submitted to the Grand National Assembly (Parliament) of Türkiye. Commonly referred to as Türkiye’s draft AI law, this legislation (consisting of 11 articles) aims to weave AI-specific rules into several existing statutes, thereby creating a coherent legal framework governing AI – particularly focusing on AI-based content generation, data use, and liability. In essence, rather than a single standalone “AI Act,” Türkiye is updating its Penal Code, internet law, data protection law, electronic communications law, and cybersecurity law to account for AI technologies. The draft introduces a legal definition of “artificial intelligence system” as any software or algorithmic model that processes data with limited or no human intervention to generate outputs, make decisions, or take actions autonomously or semi-autonomously. This broad definition provides the foundation for attaching responsibilities and liabilities to AI developers and users under Turkish law.

A central focus of Türkiye’s approach is combating the legal and security risks of AI-generated content, especially deepfakes and manipulative information online. To that end, the draft law would amend Law No. 5651 (Internet Publications Law) to impose stringent obligations on both content providers and AI developers:

• Deepfake Takedown Requirement: If AI-generated content violates someone’s personal rights or threatens public security, access to that content must be blocked within 6 hours of notice. This is an extraordinarily tight deadline (much faster than typical takedown timelines) and indicates the priority on rapid response to harmful AI content. Both the platform hosting the content (provider) and the AI system’s developer are held jointly liable for ensuring the removal obligation is met. This joint liability is notable – it means an AI developer could be on the hook even for content posted by end-users, a sharp expansion of accountability up the AI supply chain.
• Mandatory AI-Generated Labeling: All AI-generated audio, visual, or textual content that qualifies as deepfake must be clearly labeled with a visible, indelible statement that it is “Generated by Artificial Intelligence”. Failure to label deepfake content is punishable by administrative fines ranging from TRY 500,000 to TRY 5,000,000 (approximately USD 18,000 to $180,000) imposed by the Information and Communication Technologies Authority (ICTA, also known as BTK). If a provider systematically and intentionally violates the labeling rule, authorities can even issue an access ban against that provider’s platform. Essentially, unlabeled deepfake content could get an entire service blocked in Türkiye. This makes compliance with AI content labeling absolutely critical for any AI application that creates realistic media.

These provisions reflect Türkiye’s determination to address disinformation and impersonation risks head-on – a concern heightened by past issues with misinformation on Turkish social media, especially around elections or political events. By requiring both ultra-fast removal and conspicuous labeling, the law seeks to protect individuals from reputational harm and society from destabilizing fake news or propaganda. The joint liability of AI developers also pressures those who create AI tools (like deepfake generators) to build in safeguards (such as automatic watermarking and swift takedown mechanisms) so that their tech cannot be easily misused without consequences.

AI and Criminal Liability – Users and Developers: The draft law amends the Turkish Penal Code (TPC) No. 5237 to clarify how crimes committed via AI are treated. Notably, if a person uses an AI system as an instrument to commit an offense (for example, instructing an AI to generate defamatory or hateful content about someone), that user will be considered the principal offender of the crime. In other words, hiding behind “the AI did it” is not a defense – the human operator is fully accountable for offenses like insult or threats generated by AI. Moreover, if the design or training of the AI system facilitated the commission of the offense, the developer of the AI can have their punishment increased by half. This is a striking provision: it essentially criminalizes reckless or malicious design of AI. For instance, if an AI chatbot was designed with virtually no content moderation and it predictably ends up committing unlawful insults or hate speech, the developer could face enhanced penalties. This creates a strong incentive for AI developers to bake in ethical and legal compliance features (like content filters) to avoid being seen as facilitators of crime. Additionally, the law expands the list of crimes for which platforms can be ordered to remove content or block access under the Internet Law to include those easily perpetrated by AI – it specifically adds offenses such as insult (TPC Art. 125), threats (Art. 106, likely meant by “TPC Article 28” as a reference in the source), and crimes against humanity (Art. 77) when committed via AI. It also clarifies that provisions of the Penal Code apply to AI-based social network providers just as to any other perpetrator. The net effect is closing any loopholes where AI-generated illegal content might not be attributable under old laws – Türkiye is making sure both AI users and creators can be criminally liable.

Data Protection and Non-Discrimination: Türkiye’s draft law also amends Law No. 6698 on the Protection of Personal Data (KVKK) – the local equivalent of GDPR – to embed AI considerations. It introduces an obligation that datasets used to train AI must uphold principles of anonymity, non-discrimination, and lawfulness. Crucially, it states that using discriminatory datasets is explicitly deemed a data security violation. In other words, if an AI is trained on biased data that leads it to make discriminatory decisions (say, a hiring AI trained on data that skews against women or minorities), that in itself violates the data protection law’s security requirements. Under KVKK, data security breaches can attract fines and other sanctions, so this gives the Data Protection Authority (DPA) a direct hook to police AI training practices. It’s a stricter standard than many regimes: not only must AI training data be legally obtained and processed (as per normal privacy rules), but it must also be curated to avoid bias, elevating algorithmic fairness to a legal requirement. Turkey’s DPA has been actively interested in AI; indeed, on 24 November 2025 it published a “Guideline on Generative AI and Data Protection” to orient data controllers on managing AI systems in line with KVKK. The guideline highlights risks like AI “hallucinations,” biased outputs, privacy leaks, and IP violations, and advises on identifying data controllers, ensuring lawful bases for all personal data processing in the AI lifecycle, and preventing unauthorized cross-border data transfers. It essentially tells companies: even if your AI model is not intended to handle personal data, assume it might and apply all privacy principles (transparency, purpose limitation, data minimization, etc.) to AI development and deployment. Also, if anonymized data is used for training, the guideline warns that anonymization itself is processing and companies must prove the data is truly anonymized (since AI can sometimes re-identify patterns). While the DPA guideline is non-binding, it foreshadows how the DPA will enforce KVKK in AI contexts – and the draft law’s amendments will give these expectations the force of law. Compliance-wise, any company building AI in Türkiye will need to perform dataset audits, document how they ensure no prohibited biases, and probably involve multidisciplinary teams (data scientists, ethicists, lawyers) to validate training data selection and preprocessing. It aligns with what global frameworks suggest, but Turkey is among the first to make it a legal mandate.

Obligations for AI Service Providers – Transparency, Verification, Security: Beyond content and data, Türkiye’s draft law adds new duties for AI service providers under Law No. 7545 on Cybersecurity and Law No. 5809 on Electronic Communications. The ICTA (Information and Communication Technologies Authority) is empowered to issue emergency access-blocking orders if AI-generated content threatens public order or election security. This is clearly aimed at preventing AI-enabled election interference or panic (imagine a deepfake that incites violence or spreads false information during an election – ICTA can order it taken down immediately). Non-compliance can result in up to TRY 10 million fines (≈ $360k). More broadly, AI service providers (which would include operators of AI systems, likely both the providers of AI models and those deploying AI in services) must implement a set of five key measures to enhance AI security and trustworthiness:

1. Transparency and Auditability of Training Data – Providers must ensure they can explain what data was used to train the AI and allow for audits. This goes hand-in-hand with the data protection points: companies should maintain documentation on data provenance and cleaning, and potentially be ready to share it with authorities if asked.
2. Content Verification Mechanisms – They should have systems to verify the accuracy of AI outputs and prevent the generation of false/manipulative information. This could mean built-in fact-checking modules, filters to catch likely misinformation, or human review processes for sensitive outputs.
3. Algorithmic Controls to Reduce “AI Hallucinations” – AI hallucinations (confidently incorrect outputs) are recognized as a risk. Providers must try to mitigate this, for instance by fine-tuning models or setting conservative response thresholds. This requirement is relatively novel to see in law – it effectively mandates a level of quality control on AI outputs.
4. Human Oversight for High-Risk Applications – In any high-risk AI usage, human-in-the-loop review is required. So fully automating critical decisions is discouraged; there should be human checkpoints especially where the stakes are high (medicine, legal, etc.).
5. Regular Cybersecurity Tests – AI systems must undergo routine vulnerability testing to ensure they can’t be easily attacked or manipulated. With adversarial attacks on ML (like input manipulations causing AI misbehavior) a known threat, this bakes in a cybersecurity compliance element.

Failing to fulfill these obligations could incur fines up to TRY 5 million (≈ $180k), and in cases of serious violations that threaten public order, ICTA can impose a temporary suspension of operations for the AI service. That could mean shutting down an AI platform in Turkey until fixes are made. Essentially, any AI provider operating in Turkey will need a robust AI governance program: documenting training data, implementing content filtering and validation steps, keeping humans in the loop as needed, and regularly security-testing their AI. These requirements align with international AI ethics principles, but Turkey is taking the step of making them enforceable with penalties.

Compliance and Business Impact in Türkiye: For businesses and AI developers, Türkiye’s proactive stance translates to a rather strict compliance environment compared to many countries at this stage. If the draft law is enacted (which as of Dec 2025 it’s in committee review), companies will have to quickly adapt operations. Some implications:

• AI Content Platforms: Social media companies or any platforms hosting user-generated content will need to upgrade their content moderation systems to detect and label AI-generated media. They must respond to takedown orders within 6 hours – which likely means staffing 24/7 moderation teams and implementing automated removal workflows. They’ll also want indemnities or contractual obligations from AI developers whose tech is used on their platform, since those developers are jointly liable. For example, if a deepfake app posts content on a platform, the platform might seek to hold the app developer accountable for any fines or legal costs.
• AI Developers (especially of Generative AI): They will need to ensure their models themselves can facilitate compliance. That could mean building in watermarking features that automatically tag outputs as AI-generated (to help users comply with labeling laws) or providing APIs that allow platforms to quickly identify AI outputs. Developers might even geo-fence or tailor their products for Turkey – e.g., disabling certain high-risk features for Turkish users if they cannot guarantee compliance. There’s also a risk calculus: developers of controversial AI (like deepfake generators) might decide not to offer their services in Turkey at all to avoid liability.
• Enterprises Using AI: Banks, hospitals, insurers, etc., implementing AI decision systems will need to incorporate human oversight and audit logs, to comply both with this upcoming law and existing regulatory expectations. They’ll also coordinate with ICTA or sector regulators if they want to deploy something innovative that might clash with rules – perhaps leveraging a sandbox approach informally until formal guidance catches up.
• Data Management: Companies must scrutinize their AI training data for biases. This may require employing experts to vet data or using tools to detect bias, and certainly documenting the rationale for data inclusion/exclusion. In procurement, if they buy AI models or datasets from third parties, they’ll need assurances those weren’t compiled in a discriminatory manner – potentially new contract clauses addressing dataset compliance.
• Security and Testing: Regular audits of AI for both output quality and security will become standard. This could spur a local industry of AI assurance services – firms offering to test your AI and certify it meets Turkish requirements (similar to how penetration testing services are common for cybersecurity compliance).

The draft law indicates that “companies using AI should review their technical and operational infrastructure” to meet these obligations and avoid legal and financial sanctions. This is a clear call for setting up comprehensive AI compliance programs. In effect, Turkey is treating certain AI providers somewhat like it treats social media giants under its existing laws (which require content moderation, local representation, etc.), extending that paradigm to AI.

One noteworthy aspect is enforcement: Turkey is known for actively enforcing internet laws (including content blocks and fines). If this AI law passes, we can expect ICTA and the Turkish DPA to enforce it vigorously, particularly on visible issues like unlabeled deepfakes or AI-driven disinformation around elections. Turkey will hold elections in the future where these rules could be tested; companies should prepare well in advance to demonstrate compliance. The law’s fines (max ~10 million TRY) might not be devastating for a big global company, but the threat of being blocked from operating in Turkey is serious for those with a user base there (Turkey has ~85 million people, heavy social media usage, and a growing tech scene).

It’s worth noting Turkey’s approach has some overlap with the EU’s AI Act (e.g., transparency for deepfakes, data governance for bias) but is in many ways more immediately punitive and control-oriented. It doesn’t classify AI by risk levels but rather targets specific issues (deepfakes, insults, election security) with direct prohibitions and fines. This reflects Turkey’s regulatory style in internet matters: ensure tools can’t be used to undermine social order or rights, with quick enforcement when needed. For global companies, compliance with EU’s upcoming rules will cover some Turkish requirements (like bias mitigation and transparency), but Turkey’s 6-hour takedown rule and joint liability for developers go beyond EU demands. Thus, companies will need Turkey-specific compliance strategies. Turkish startups in AI, on the other hand, might find the rules a bit burdensome but also clarity-providing – those that build “compliance by design” into their AI products could have an edge both domestically and in demonstrating their trustworthiness abroad.

Other Developments and Guidelines: Besides the draft law, Turkey has released multiple AI-related guidelines in recent years. The White & Case global tracker notes that various sectors have guidance on AI use. For instance, Turkey’s financial regulators might have guidelines on AI in fintech, and the military or education ministries might have their own strategies. Additionally, Turkey published a National AI Strategy 2021–2025 which set goals like creating an “AI ecosystem,” increasing AI employment, and ethical AI principles, aligning with OECD AI principles. As 2025 ended, we expect Turkey to draft a new AI Strategy for 2026–2030 to continue that momentum, possibly incorporating the regulatory advances. There has also been an interesting regulatory reversal: In late 2023, Turkey had banned AI-created synthetic voices and images in advertising (to protect consumers from being misled by “deepfake” ads), but by late 2025, it reversed that ban, allowing AI-generated human avatars in ads under certain conditions. This suggests that Turkey is calibrating its stance – it doesn’t want to block beneficial commercial uses of AI entirely, as long as they can be done transparently and safely. So, while the law is strict, regulators may still issue clarifications or exemptions for innovative uses that are deemed safe or labeled appropriately. Businesses in media and advertising should stay tuned to advertising authority guidelines to ensure compliance when using AI-generated content in marketing.

Forward Trajectory (Türkiye): Türkiye is on track to become one of the first countries outside Europe with a bespoke AI regulation enshrined in law. The draft bill, having been introduced in mid-2025 and formally submitted in November, could be enacted in 2026 after parliamentary deliberation. If it passes largely intact, implementation might be swift – possibly with a short grace period for companies to adjust (though none is explicitly mentioned yet). The Turkish government will likely issue secondary regulations or communiqués to operationalize some provisions (e.g., specifying how AI content should be labeled, how to submit compliance reports, etc.). The authorities (ICTA, DPA, etc.) might also host workshops or publish Q&A documents to guide industry – Turkey often does this for new tech laws.

In the broader scope, Turkey’s approach aligns with its general internet governance pattern: assertive control to prevent online harms, balanced with support for tech innovation. Turkey’s AI strategy emphasizes becoming a global player in AI and leveraging AI for economic growth. Ensuring AI is “safe and ethical” is part of making it sustainable. So, we can expect Turkey to invest in domestic AI capabilities (R&D programs, AI parks, talent development) while maintaining stringent oversight. By establishing an AI law now, Turkey could position itself as a leader in AI governance among emerging economies, potentially influencing neighbors or other Muslim-majority countries facing similar issues of misinformation and social harmony. Collaboration with the EU is also plausible – Turkey often aligns certain tech regulations with the EU (KVKK was modeled on GDPR, for example). If the EU AI Act and Turkey’s AI law have synergies (which they do on points like bias and transparency), it might ease compliance for companies operating in both jurisdictions.

One challenge will be how Turkey’s rules interplay with open global AI platforms. For example, if an AI model is offered via an API from abroad (like OpenAI’s GPT-4 accessible in Turkey), Turkish law could technically apply to its outputs used in Turkey. Enforcement might mean requiring those providers to have a local representative or partner to handle takedown requests within 6 hours – similar to how social media companies had to appoint local liaisons under other laws. We might see moves in that direction, pressuring big AI vendors to localize compliance.

Overall, Türkiye appears to be heading toward a future of strict, risk-focused AI regulation tightly integrated with its content and data control frameworks. Businesses and developers should view Turkey as a market where AI compliance is not optional but a fundamental requirement – much like cybersecurity or tax compliance. The forward trajectory likely involves refining this regulatory framework as AI tech evolves: e.g., adding new offenses if novel AI harms arise, updating labeling standards as deepfake tech gets more sophisticated, and adjusting thresholds (like fine amounts or timeline requirements) based on how effective they prove. If the law achieves its aims of reducing AI misuse without unduly hindering innovation, it could become a model for other jurisdictions that prioritize social stability and rights protection in the face of AI. Companies that navigate Turkish AI compliance successfully will not only avoid penalties but may gain reputational benefits, since they’ll essentially be adhering to one of the tougher standards out there.

Comparing Regulatory Approaches and Compliance Outlook

The late-2025 developments in the US, EU, UK, and Türkiye reveal divergent strategies to govern AI, each shaped by different legal cultures and policy priorities. Below we compare key dimensions of their approaches:

1. Regulatory Scope: Comprehensive vs. Targeted – The EU clearly leads with a comprehensive, horizontal law (the AI Act) that covers virtually all AI systems under a unified framework. It is akin to GDPR in applying broadly across industries with few exceptions, using a risk gradation to tailor requirements. Türkiye, while not a single law, is also pursuing a broad-scope strategy by amending multiple fundamental laws (internet, penal, data protection, etc.) to comprehensively address AI from content to data to liability. In effect, Turkey is ensuring AI is accounted for throughout its legal system – a wide net approach. The US and UK have so far favored targeted interventions: the US by letting states and agencies handle specific issues (deepfakes, sectoral AI in healthcare, etc.), and possibly crafting a narrow federal framework focusing on specific “risky” uses (e.g. frontier models). The UK by design decided against an omnibus AI law, opting instead to insert AI principles into sector-specific regulatory regimes. The result is that compliance for businesses is centralized under one law in the EU (and likely in Türkiye once passed), whereas in the US and UK it’s decentralized – companies must parse multiple laws and guidelines depending on context. For example, a company offering an AI hiring tool in the EU will look mainly to the AI Act (plus existing labor laws), whereas in the US they might need to check federal EEOC rules, a patchwork of state fair hiring AI laws, and any FTC guidance on unfair algorithms. From a corporate compliance perspective, the EU’s single rulebook provides clarity but with high upfront effort, while the US/UK patchwork offers flexibility but demands careful monitoring of many sources. Türkiye’s route, once finalized, will be more like the EU’s in providing a clear set of do’s and don’ts across the board (especially for content and data practices), although likely more prescriptive in those domains.

2. Binding Law vs. Soft Law: Another clear contrast is the reliance on hard law versus soft guidance. The EU and Türkiye are codifying binding rules with enforcement teeth (fines, bans, liability). The UK has thus far leaned on non-binding guidance and voluntary compliance with principles, though it signals some binding measures may come for specific cases. The US is somewhere in between: no single binding law yet, but many binding state laws and existing federal statutes being applied to AI implicitly (and an Executive Order, which is a form of “soft law” for agencies, is expected). For AI developers, this means certainty vs. flexibility trade-offs. In the EU/Turkey, you know exactly what standards you must meet (transparency, risk assessment, etc.) and you can be penalized if you don’t. In the US/UK, you have more leeway to innovate without a specific checklist, but you also face uncertainty – you might suddenly be subject to a new state law or an ex-post enforcement action if your AI causes harm under a general law (for instance, being sued for negligence because there was no AI-specific safety regulation to follow). Over time, both the US and UK may evolve toward more binding elements: the US through federal preemption legislation establishing a “floor” of AI rules (even if minimal), and the UK through the anticipated AI Bill focusing on advanced AI. By contrast, the EU’s challenge is implementing and refining the binding rules it already has (with the Omnibus amendments fine-tuning them), and Türkiye’s challenge will be how strictly and effectively it can enforce its new AI provisions once in force.

3. Risk-Based Regulation vs. Precautionary vs. Pro-Innovation: The EU’s risk-based model stands out: it explicitly calibrates obligations to the level of risk. High-risk uses face heavy compliance, low-risk uses are largely free. This reflects a precautionary yet proportionate ethos – don’t stop AI innovation, but reign it in where it could do harm. Türkiye’s approach, while not labeling “levels” of AI risk, effectively zeroes in on what Turkey perceives as high-risk scenarios for its society – deepfakes (risk to truth and public order), biased AI (risk to fairness), and autonomous decision-making in crime and content (risk to rights and security). It is precautionary and somewhat restrictive, especially on content: Turkey is not shy about requiring prior labeling and quick suppression of dangerous outputs. The UK’s approach is explicitly pro-innovation and “agile.” It prioritizes flexibility and fostering growth, assuming that existing laws suffice for now for most AI harms and that regulators can intervene case-by-case if something egregious occurs. It’s a more laissez-faire, wait-and-see strategy – precaution only for the extreme frontier cases, otherwise encourage experimentation (hence the sandbox idea). The US approach is a mix: traditionally pro-innovation, with regulators like the FTC and courts stepping in only after harm occurs (a more reactive model rooted in liability and enforcement rather than ex-ante controls). However, certain states have taken a more precautionary line on narrow issues (like requiring human review in insurance decisions, or mandating impact assessments in procurement). Compared to the EU, the US still lacks the notion of classifying and precertifying AI systems by risk. For businesses, a risk-based regime like the EU’s means significant upfront compliance for designated “high-risk” products (which can slow time-to-market but potentially reduce catastrophic failures), whereas a pro-innovation regime like the UK’s or US’s means you can deploy quicker, but you must self-police carefully to avoid later legal or reputational fallout. Interestingly, all jurisdictions share some common risk concerns: bias/discrimination and deepfakes are universally recognized issues; they just address them differently (EU via documentation and transparency requirements, US via targeted laws and general civil rights enforcement, UK via guidance and existing law, Turkey via criminalizing and labeling obligations). “Human-in-the-loop” oversight is valued in EU, UK, and Turkey – mandated in EU (for certain high-risk) and Turkey (for high-risk uses), and recommended in UK guidance as best practice. So, while philosophies differ, on specific best practices (transparency, bias mitigation, human oversight, security testing), there is convergence.

4. Enforcement Mechanisms and Penalties: The EU and Türkiye both back their rules with strong enforcement. The EU will leverage regulators with power to levy huge fines (up to 6% of global turnover) and even pull products off the market (cease and desist orders for non-compliant AI). It also has mechanisms like conformity assessments that act as gatekeepers (no CE mark, no market access for high-risk AI). Türkiye similarly provides for hefty fines (up to TRY 10M) and crucially the ability to block services or suspend operations for serious violations – a remedy Turkey has used in other internet contexts. The threat of blocking is perhaps even more draconian than fines, as it can cut off business entirely from Turkish users until fixed. The US, by contrast, will rely on existing enforcement: e.g., FTC can fine companies for unfair practices (penalties can be large if through consent decrees), and state attorneys general can bring actions under consumer protection laws. But there’s no unified “AI authority” yet – enforcement is piecemeal and after the fact. The UK currently has no AI-specific penalties; enforcement is through general laws (like ICO could fine for misuse of personal data by an AI, CMA could act if an AI practice harms competition). If and when the UK introduces an AI Bill, it’s unclear what penalties it might carry – possibly more around ensuring safety of frontier AI (e.g., fines for deploying a dangerous AGI without safeguards). For companies, this means EU and Turkish regulators will likely demand demonstrable compliance up front, and non-compliance could be met with swift punitive action. In the US and UK, the immediate risk of a large fine is lower unless your AI triggers an existing law violation, but that is a big “unless” – e.g., if your AI system causes a major data breach or a discriminatory outcome, you could face multi-million dollar liabilities via lawsuits or regulatory fines under those existing frameworks. There’s also the matter of litigation: the US has an active class-action system, so if an AI product harms consumers, even absent AI-specific law, companies might get sued for fraud, product liability, etc. The EU’s forthcoming AI liability rules will make litigation easier there too. So enforcement is both regulatory and civil in each area, with varying intensity.

5. Sandbox and Safe Harbor Provisions: Both the UK and US (via some proposals) are explicitly embracing regulatory sandboxes for AI – controlled environments to test innovations with legal flexibility. The UK’s planned AI Growth Lab is a prime example, aiming to use supervised trials to inform eventual rules and perhaps even to temporarily exempt participants from strict compliance. In the US, Senator Cruz’s “SANDBOX Act” idea similarly wanted to allow companies to request waivers of certain regulations impeding AI development, although how that would work federally is speculative at this point. The EU AI Act contains a provision encouraging Member States to set up sandboxes to help SMEs and startups innovate under regulatory supervision, so the concept exists there too, albeit within the structure of the Act (some Member States like Spain are indeed launching AI sandboxes ahead of the Act enforcement). Türkiye’s law as written does not mention sandboxes; Turkey’s style is more command-and-control. However, Turkey could implement pilot programs or leniency periods under the radar if needed – but given Turkey’s urgency on content control, they might not lean on sandbox concepts much, except possibly in specific sectors (for example, Turkey might allow a sandbox for AI in healthcare devices under oversight of the Health Ministry, but this would be separate from the main law we discussed). For AI developers, sandboxes offer an opportunity to engage regulators early and shape best practices. Companies that participate can demonstrate good faith and possibly influence pragmatic solutions (e.g., a sandbox might reveal that a certain strict rule can be relaxed without harm, saving everyone compliance costs). On the other hand, outside of sandboxes, safe harbor provisions (like immunity if you follow a code of conduct) are not yet common. The EU Act doesn’t give immunity, but compliance with harmonized standards acts as a safe harbor in practice (presumption of conformity). The US may consider liability shields for AI (there were discussions akin to Section 230 immunity for AI outputs, but nothing concrete yet). The UK could potentially incorporate safe harbors in any future AI law (for example, if a company follows certain government-approved guidelines, it might get lighter treatment in enforcement). As of now, though, companies cannot bank on safe harbors except to the extent of following recognized standards (ISO AI standards, NIST framework) which could serve as a defense that they took responsible steps.

6. Developer vs. User Responsibilities: A notable comparative point is who in the AI value chain is held responsible. The EU AI Act puts primary compliance duty on the providers of AI systems (developers or those putting them on the market) and also duties on deployers/users in some cases (e.g., if you are a company using a high-risk AI internally, you have to monitor and control its use). It also covers importers and distributors. The US approach so far has been more end-user focused (if you use AI and break a law – e.g., violate consumer protection – you’re liable; if you provide AI and, say, negligently design it, you could be liable under product liability to users). But we haven’t seen much US law targeting AI developers specifically with compliance obligations (except maybe the proposed NY RAISE Act which targets “large model developers” and would require them to do safety tests). The UK at present isn’t imposing much on either specifically, but likely any future law on frontier AI will target developers of powerful AI (as implied by “those developing the most powerful models” in the King’s Speech). Türkiye’s draft law interestingly splits responsibilities between developers and users: developers can be liable (for crimes, or for failing to implement security measures) and users can be liable (for directing AI to do bad things). Turkey also holds service providers (deployers) liable for content and takedowns. So it’s a shared model – cast a wide net so no one falls through accountability gaps. This is somewhat analogous to how the EU will make both providers and users share some responsibilities for high-risk AI. For companies, this means in places like EU and Turkey, due diligence both up and down the supply chain is needed: AI providers must design responsibly and also vet how clients use their tech; AI users must select reputable, compliant tools and use them in sanctioned ways. In the US, if you’re an AI vendor, you mostly worry about being sued if your product fails or causes harm under general tort law (no mandated compliance process), and if you’re a user, you worry about being the one regulators will chase if the AI’s use violates something. The UK’s approach encourages a collaborative ethos – regulators have said they want developers to embed the principles and users to follow guidance, but it’s voluntary. Over time, however, expect convergence towards developer obligations: globally, there’s a realization that AI creators have the best position to mitigate risks before deployment. The EU Act epitomizes that by putting obligations like risk assessments on developers. The US may eventually impose more on developers too (even a light regime could include requiring large AI model developers to register or share safety test results, etc., as in some pending bills).

7. Addressing AI Misuse and Societal Risks: Each jurisdiction, in its own way, is grappling with fears of AI misuse – whether misinformation, bias, or loss of control. The EU’s answer: a regulatory framework to embed “trustworthy AI” principles (ethics, fairness, oversight) into the AI lifecycle. The belief is that by design and documentation requirements, many risks can be reduced before harm happens. The US’s answer: patch legal gaps as misuse cases arise (e.g., when deepfakes became an issue, states passed deepfake laws; when algorithmic bias in lending surfaced, agencies reminded everyone that Equal Credit laws apply to AI). It’s reactive and piecemeal, trusting existing law and market forces except in egregious new cases. The UK’s answer: articulate high-level principles and trust companies and regulators to do the right thing under existing powers, intervening specifically if needed (e.g., focusing on “future AI” that could seriously threaten safety or national security). The Türkiye’s answer: proactively extend current strict laws (on content, crime, data) to control AI outputs and inputs – essentially a heavy governance from the start to prevent misuse like disinformation, hate, election meddling, and biased decision-making. Notably, Turkey even introduced controls against AI “hallucinations” and mandates content verification, showing a deep concern with AI’s capacity to generate falsehoods.

8. Future Direction and International Influence: Looking forward, each jurisdiction’s approach may influence others. The EU AI Act is likely to become a global reference point (as GDPR did) – already, other countries (like Brazil, Canada, India) are debating AI laws and looking to the EU model for inspiration or lessons. The EU’s insistence on fundamentals (human oversight, transparency, non-discrimination) might set a normative baseline. The US’s approach, especially if it results in federal legislation, will provide a counter-model emphasizing innovation and possibly voluntary compliance (complemented by liability for bad actors). Countries aligned with the US on free-market values might prefer that lighter approach. The UK is trying to position as a bridge – its agile, principle-based regulation could appeal to countries that want AI governance without heavy bureaucracy, and if the UK sandbox is successful, it might export that concept internationally. Already the G7’s Hiroshima AI Process (mid-2023) echoed some of the UK’s ideas on collaborative governance and shared principles. Türkiye’s model might resonate with countries that have similar priorities around content control, political stability, and moral oversight of tech – for example, some other non-Western countries could follow suit in requiring AI outputs to respect local laws and values, under threat of bans. China, notably, has its own strict AI regulations focusing on content moderation and alignment with socialist values. While Turkey and China differ politically, their regulatory instincts on AI-generated content labeling and swift removal of harmful content have parallels. So we could see a splintering: an EU-led bloc with risk-based but rights-focused AI laws; a US-led bloc with industry-friendly frameworks; and a China/Turkey style with tight content and security controls, each influencing different regions.

For companies operating globally, the forward trajectory suggests they should prepare for compliance with the most stringent regime where they operate. Often this will be the EU’s requirements (given size of market and strictness). Indeed, many are already gearing up for EU AI Act compliance as a baseline. Adaptations then can be made for local quirks: e.g., in Turkey add an ability to tag all AI content and respond to takedown orders fast; in the US, ensure alignment with NIST and be ready to defend AI decisions in court with documentation but enjoy relative freedom to innovate in low-risk areas; in the UK, engage proactively with regulators or sandboxes to shape rules and demonstrate low-risk.

Another common direction is the increasing call for AI accountability and audits. The EU explicitly requires conformity assessments; the US and UK, through soft mechanisms, are encouraging independent audits of AI systems (the US FTC even hinted that lack of diligence in AI could be seen as negligence). We expect auditability to become a norm – in the EU by law, in the US/UK by best practice possibly leading to law. Türkiye’s inclusion of auditability of training data likewise implies regulators may audit AI systems. So technical and documentation capabilities for AI explainability and auditing will be a key compliance investment for companies worldwide.

In terms of AI misuse consequences: all jurisdictions are concerned about AI safety (physical and societal). The differences are in timing and method of addressing them. The EU and Türkiye are more preventive (set rules to avoid certain outcomes – like biased AI decisions or misinformation proliferation). The US and UK are a bit more wait-and-see (let innovation proceed, catch the truly bad actors or outcomes through existing law). This could mean in the next couple of years, fewer AI-related fines or injunctions in the US/UK compared to EU/Turkey, but if a disaster occurs (say, a widely reported AI failure causing harm), the US/UK might rush to tighten up. The EU and Turkey hope to mitigate such disasters by demanding risk mitigations now.

In summary, each jurisdiction’s 2025 moves underscore their regulatory DNA: the EU doubling down on ethical AI through detailed rules and extended timelines; the US juggling innovation and emerging consensus on baseline rules (with a tug-of-war between federal and state powers); the UK championing flexible, principle-led governance and global leadership through convening summits and sandboxes; and Türkiye asserting control early to guard against AI’s societal downsides while still aiming to benefit from AI’s economic upsides.

For organizations operating across these regions, compliance strategies must be jurisdiction-specific yet integrated. It would be prudent to implement the strictest common requirements (for instance, bias audits, transparency disclosures, record-keeping) across all AI systems – this ensures a base level of compliance globally. Then, tailor regional policies: e.g., for EU and Turkey, formal compliance checklists and possibly appointing AI compliance officers; for US, a monitoring brief for new state laws and a robust incident response plan (since litigation risk is higher); for UK, active engagement with regulators and adoption of the voluntary codes to pre-empt any future mandatory rules. Corporate training programs should raise awareness of these differing obligations for teams working on AI.

Finally, as AI technology progresses (e.g., new GPT-5 level models, AI in autonomous vehicles, etc.), regulations will iterate. We expect a continued theme into 2026-2027 of international dialogue – the G7, OECD, UNESCO, and bilateral talks (US-EU Trade and Tech Council on AI, etc.) – aiming to find some harmonization or at least interoperability between regimes. For example, discussions on AI standards for safety and evaluation could yield results that let compliance in one jurisdiction count as partial compliance in another (similar to how ISO security certs are recognized multiple places). The forward trajectory is that AI governance will mature quickly: by end of 2026, the EU AI Act will be in force, the US may have an AI oversight framework, the UK likely a functioning sandbox and possibly an AI Act for frontier AI, and Turkey an enforced AI law. AI developers and users should thus treat 2025–2026 as the window to build strong compliance foundations – those who do will navigate the coming rules with relative ease, while those who do not may find themselves scrambling when the regulatory net tightens. The differences in each jurisdiction’s approach are significant, but not irreconcilable – they each emphasize trust, transparency, and accountability in their own way. By heeding all these emerging laws and guidelines, businesses can not only avoid legal pitfalls but also earn the trust of consumers and partners in the age of AI.