June 9, 2026 · 9 min read

The AI Rulebook Just Fractured

Look at where we are in June 2026 and tell me there's a single answer to “what are the AI rules.”

Colorado's Consumer Protections for Artificial Intelligence Act takes effect June 30, putting real obligations on anyone deploying high-risk AI in employment, healthcare, financial services, education, housing, and legal decisions. Across the Atlantic, the EU is staffing up independent expert support to ENFORCE its AI Act. And in Washington, the White House just issued an executive order pushing the opposite direction — stripping constraints to accelerate AI innovation, while openly feuding with states over who gets to set the rules at all.

Tighten here. Loosen there. Enforce over here. Preempt over there. There is no longer ONE rulebook. There's a fractured map, and the lines are moving while you read this.

If you're waiting for the regulatory dust to settle before you build your governance, let me save you the suspense. It's not going to settle. Governing through that uncertainty IS the job now.

Stop Waiting for Clarity That Isn't Coming

I hear it constantly. “We'll formalize our AI governance once the regulations are clear.” That sentence is a trap. It sounds prudent. It's actually paralysis wearing a suit.

The regimes are diverging, not converging. A federal administration loosening while a state tightens while a foreign market enforces is not a phase. It's the operating environment. Leaders who wait for one clean standard will wait until an enforcement action makes the decision for them.

Here's the reframe. Your governance framework should not be built to satisfy a specific law. It should be built to satisfy the PRINCIPLES that every serious regime keeps converging on, no matter how they differ on the details: know what your AI systems do, know where the high-risk ones are, document your decisions, keep a human accountable, and be able to explain yourself when someone asks. Build to those principles and you're ninety percent compliant with whatever rule lands next.

“High-Risk” Is the Word That Should Stop You Cold

Read Colorado's list again: employment, healthcare, financial services, education, housing, legal services. The regulators didn't pick those at random. Those are the domains where an AI decision changes a human life — who gets hired, who gets the loan, who gets the apartment, who gets the diagnosis.

So the first question for any leader is not “are we compliant.” It's “do we even KNOW which of our AI systems are making high-risk decisions?” In most organizations, the honest answer is no. A resume-screening tool quietly bought by HR. A credit-adjacent model in a product team. A triage assistant in customer ops. Each one a high-risk system that nobody flagged because nobody was looking.

You cannot govern what you haven't inventoried. Step one is always the same: find every AI system touching a high-stakes decision, before a regulator finds it for you. I walk through how to build that oversight from scratch — without strangling the innovation you're trying to protect — in The Sentinel Leader: The Executive's Playbook for Governing AI. The whole premise of that book is that governance done right doesn't slow you down. It's what lets you move fast without flying blind.

Govern to the Strictest Room You Operate In

When the rules conflict, leaders ask me which one to follow. Wrong question. You don't pick a regime. You pick a STANDARD — and you set it to the strictest market you actually operate in.

If you serve Colorado residents and EU citizens, the loosest federal posture in the world doesn't help you. You're still on the hook for the strictest rule that applies to any customer you touch. Trying to run a different governance standard for every jurisdiction is how you end up with no standard at all. Build one framework to the high-water mark, then you're covered everywhere beneath it.

This matters most in the regulated industries, where the stakes and the scrutiny are highest. Banking is the sharpest example — you cannot choose between deploying AI and satisfying your regulator. You have to do both, at once, and prove it. That specific tightrope is why I wrote How to Deploy AI in Your Bank Without Breaking Regulations, because “move fast and break things” is a firing offense when the thing you break is a compliance requirement.

Policy on Paper Is Not Governance

Here's the failure I see more than any other. A company hears about a new AI law, panics, and produces a beautiful policy document. Values. Principles. Commitments. Then it files the document and changes NOTHING about how decisions actually get made.

A regulator does not care about your policy PDF. They care whether the human who deployed the high-risk model can show what it does, who approved it, what it was tested against, and who to call when it goes wrong. Governance is not what you wrote down. It's what happens in the room when a real decision gets made under real pressure.

The fractured rulebook is not your problem to solve. It's your environment to operate in. The companies that win the next two years won't be the ones that guessed which regulator would prevail. They'll be the ones who built governance solid enough that it barely mattered which one did.