Everyone wrote AI safety laws. No one is enforcing them. The EU AI Act, the U.S. Executive Order framework, the G7 code of conduct — all on the books. The agencies tasked with policing them are understaffed, underfunded, and in at least one case, still looking for office space.
The European AI Office was allocated 140 staff to oversee roughly 8,000 high-risk systems operating in the Union by mid-2026. The U.S. AI Safety Institute has issued three non-binding reports. The pattern writes itself: legislation is photogenic, enforcement is not, and by the time a regulator is competent enough to investigate, the next generation of models has already made the law’s definitions obsolete.
The most effective AI regulation in 2026 isn’t coming from a commission. It’s coming from cloud providers who decide, in their terms of service, what models can and cannot run on their hardware.