The AI police arrive in August. Is your company ready?
States, countries, and the EU have been developing AI regulations—this summer they begin enforcement
Companies are racing down the AI superhighway at 100 mph, but new rules of the road are going into effect and the cost of a speeding ticket could be hefty.
On August 2, in the first wave of meaningful AI oversight since the EU’s GDPR in 2018 and the California Consumer Privacy Act in 2020, two regulations will go into effect: the EU AI Act’s transparency and penalty provisions and California’s SB 942 watermarking mandate. A third set, from the state of Colorado, was also set to go into effect in July, but after revisions will now be enforced as of January 2027.
“You can’t govern AI you don’t know you’re running,” says Jason Aloia, VP of product management at Freshworks. “For many mid-market organizations, AI is already embedded across SaaS vendors, employee workflows, and the platforms employees use every day, often without centralized inventory or operational oversight. That’s why compliance starts with visibility. Organizations need a clear understanding of where AI is being used, what data and actions it can access. From there, the right guardrails and governance ensure it operates safely within policy.”
With their attention focused on rolling out new AI initiatives, mid-market businesses may be overlooking their real exposure—so-called “shadow AI,” unsanctioned tools spread throughout the organization. Or, the AI is just newly baked into vendor solutions they’ve had in place forever. And as companies modernize their AI-powered service offerings at breakneck speed, thorough governance often gets lost in the shuffle.
“Mid-market and small businesses are so resource-strapped they don’t know what they don’t know,” says Wendy Turner-Williams, chief data architecture and intelligence officer at SymphraAI, an enterprise AI risk management platform. “But they are just as responsible as any large business.”
Here’s what companies need to know and do to prepare for coming regulations in August, as well as future regulations sure to come.
EU AI Act: General-Purpose AI (GPAI) transparency reporting
For IT leaders whose vendor stacks touch European customers or employees, the EU AI Act is the regulation that matters most. First proposed by the European Commission in 2021, it was adopted by the EU Council in 2024. Enforcement of its key provisions has been staggered between February 2025 and August 2027.
What to do: The EU AI Act’s GPAI rules are all about lifecycle control — ensuring that AI products are governed from development through deployment. Ryan Carrier, executive director of ForHumanity, a nonprofit advisory on AI audit frameworks, advises working through the Act’s core articles (Articles 9 through 17) systematically; these cover risk management, data governance, record-keeping, and quality management. Thankfully, he notes, the Act provides explicit risk-classification guidelines, outlining what constitutes prohibited, high-risk, limited-risk, and minimal-risk AI.
For most mid-market companies, the operative question is whether their vendor stack is compliant and whether they can document it. Ideally, Carrier says, companies should ensure that vendors are aligned with NIST AI RMF or ISO 42001. ForHumanity also offers a resource for robust certification guidelines.
Does it have teeth? The August 2 deadline lands at the start of Europe’s summer shutdown, meaning “August 3rd isn't going to hit and suddenly there’s going to be thousands of enforcement agents out there,” says Carrier. But the strict enforcement around GDPR has shown that the EU’s appetite for enforcement is real. Fines have surpassed €5.88 billion across more than 2,200 cases, with Meta’s €1.2 billion penalty in 2023 the largest single fine to date. Eight of the ten biggest fines have hit U.S.-based companies.
California SB 942 - AI Transparency Act
SB 942 started as a response to deepfakes—AI-generated images and video designed to deceive. But its requirements reach well beyond fake political ads. Formally known as the AI Transparency Act, the bill was introduced in the California Senate in January 2024 and signed into law by Gov. Gavin Newsom that September. Any generative AI system with more than a million monthly users in California must now watermark its output and provide free detection tools. Just as importantly, any organization deploying those systems has compliance obligations of its own.
What to do: For deployers, compliance starts with knowing what generative AI is in use across the organization and whether each tool’s provider meets SB 942’s watermarking and detection requirements. That means auditing not just sanctioned platforms but the shadow AI employees have adopted on their own, and verifying that vendors can demonstrate compliance, not just claim it.
Turner-Williams recommends starting with a full audit of all AI across the organization, an especially urgent task given the rampant use of shadow AI by employees. The challenge is not just in knowing where AI is in use, but how it is being used in each instance. “You actually need to understand what you’re generating on a detailed level, and it could change from interaction to interaction,” she warns.
Does it have teeth? The $5,000-per-day penalties can snowball fast—a single non-compliant provider could face six-figure liability within weeks. While the primary legal obligation falls on large AI providers rather than deployers, organizations using non-compliant generative AI tools carry downstream exposure.
As of late 2025, California has pursued CCPA enforcement rigorously, reporting hundreds of investigations and enforcement actions in progress. That said, Gov. Gavin Newsom’s own SB 942 signing statement flagged implementation concerns and called for follow-up legislation before the law takes effect in August.
Beyond the compliance checklist
Whether or not California and the EU rush to enforce on day one, more regulations are on the way, and smart companies would do well to put a robust accountability infrastructure in place to prepare for them.
Carrier says the best first step is to assemble an AI regulatory group to guide policy. “You have to have the right experts in the room,” he advises. “Somebody who understands impact to fairness, somebody who understands model data—and then you combine them with the legal team to figure out what compliance looks like.”
Once those policies are in place, companies should take inventory of all of the AI they use, classifying it by decision type, conducting regular risk assessment, and putting consistent and robust documentation practices in place.
In the near term, that means taking a close look at the requirements of New York’s RAISE Act, which takes effect January 2027. It creates upstream accountability for AI developers whose tools are already widely in use and downstream liability for anyone using their AI, which means CIOs will need to ensure vendors have strong governance and remain in compliance.
Also on the horizon is Colorado’s AI Act. The law targets algorithmic bias in “consequential decisions” impacting Coloradans and was set to go into effect in June 2026, but after revisions will now be enforced as of January 2027. Enforcement of the EU AI Act’s product-embedded rules follows in December 2027.
The specific requirements will vary by jurisdiction, but the direction is clear: The age of invisible AI is over. The path ahead, as Turner-Williams puts it, is set: “Fairness, control, and visibility are now required—and that’s not going to change.”
