AI governance is turning into documentation work: disclosure laws, privacy baselines, and PETs guidance tighten the loop
Weekly Digest | 7 min read


California and Texas are advancing AI governance via training-data disclosure expectations for generative AI and a state AI governance law with an oversig…

Tags: weekly-feature, a-i-governance, data-privacy, regulation, model-transparency, privacy-enhancing-technologies

Across the US, EU, and UK, AI governance is converging on a practical requirement: prove what you trained on, how you control risk, and how you protect data—on paper and in systems.

This Week in One Paragraph

Policy and regulatory frameworks are increasingly pushing AI teams toward operational transparency and privacy-by-design. California’s Assembly Bill 2013 (2024) focuses on public disclosure about training data used for generative AI systems. Texas’ TRAIGA establishes an AI governance law that prohibits harmful uses and creates a Texas Artificial Intelligence Council to oversee compliance. At the federal level, the American Privacy Rights Act is positioned as a national baseline for individual privacy rights with oversight and enforcement mechanisms. In Europe, the European Commission’s General-Purpose AI Code of Practice is framed as operational guidance to support compliance with the EU AI Act for general-purpose model providers. In the UK, the Data (Use and Access) Act 2025 amends the Data Protection Act 2018 with new provisions around data protection and access. Complementing these legal moves, an OECD report argues that privacy-enhancing technologies (PETs) can enable sharing “trustworthy” AI models while maintaining data protection expectations.

Top Takeaways

  1. “Transparency” is being translated into concrete artifacts: training-data disclosure, governance councils, codes of practice, and amended data protection regimes.
  2. US activity is fragmented (state-level AI bills plus a proposed national privacy baseline), which raises the cost of compliance mapping across jurisdictions.
  3. EU compliance work is moving from statute to implementation guidance; model providers should expect more scrutiny of operational controls, not just policy statements.
  4. UK changes to data protection and access signal ongoing divergence from EU practice; multinational data teams should treat UK requirements as a separate track.
  5. PETs are increasingly positioned as an enabling control for model sharing and governance—but only if teams can demonstrate what is protected, from whom, and under what threat model.

Training-data disclosure becomes a compliance deliverable

California Assembly Bill 2013 (2024) is summarized as requiring developers of generative AI systems to publicly disclose information about the data used to train their models. That’s a directional shift from “trust us” to “show your work,” and it lands directly on data lineage, dataset inventory, and documentation practices.

For teams building or fine-tuning generative models, the hard part isn’t only listing sources. It’s maintaining a defensible chain from raw collection through filtering, labeling, deduplication, and augmentation—especially when data is purchased, scraped, licensed, or inherited from prior model iterations. If disclosure obligations are public-facing, the audience includes not just regulators but plaintiffs, journalists, and competitors.

For synthetic data programs, this can cut both ways. Synthetic data can reduce exposure to personal data, but it does not eliminate provenance questions: you still need to document the real data used to generate synthetic datasets (and the controls used to reduce memorization or leakage risk), plus the governance around downstream use.
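One way to make the "defensible chain" from the two paragraphs above concrete is to keep a hash-chained lineage manifest: every transformation (collection, filtering, deduplication, synthesis) records the content hash of what it consumed, what it produced, the parameters actually applied, and a link to the previous entry, so that a reviewer can check the chain end to end and any after-the-fact edit to a recorded step is detectable. The block below is an added example written for this digest; it is not code from any of the laws, reports or organisations discussed. The manifest layout, the `LineageManifest` and `LineageEntry` names, the sample helpdesk rows and the template "generator" for the synthetic step are all constructed assumptions. It also covers the synthetic-data point: the synthesis step stores the hash of the real, filtered input it was generated from, plus the memorization check that was run.

```python
"""Hash-chained dataset lineage manifest (constructed example, not from any cited source)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any, Dict, List, Optional


def dataset_hash(rows: List[str]) -> str:
    """Order-sensitive content hash of a dataset snapshot: hash each row, then hash the row hashes."""
    h = hashlib.sha256()
    for row in rows:
        h.update(hashlib.sha256(row.encode("utf-8")).digest())
    return h.hexdigest()


@dataclass
class LineageEntry:
    step: str                 # transformation name, e.g. "filter", "dedup", "synthesize"
    params: Dict[str, Any]    # parameters actually applied, so the step can be reproduced
    input_hash: str           # hash of the dataset the step consumed ("" for raw collection)
    output_hash: str          # hash of the dataset the step produced
    prev_entry_hash: str      # hash of the previous manifest entry ("" for the first)
    entry_hash: str = ""      # hash over all fields above; filled in by seal()

    def seal(self) -> "LineageEntry":
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        self.entry_hash = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()
        return self


class LineageManifest:
    """Append-only, hash-chained record of every step from raw collection to the final dataset."""

    def __init__(self) -> None:
        self.entries: List[LineageEntry] = []

    def record(self, step: str, params: Dict[str, Any],
               input_rows: Optional[List[str]], output_rows: List[str]) -> LineageEntry:
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = LineageEntry(
            step=step, params=params,
            input_hash=dataset_hash(input_rows) if input_rows is not None else "",
            output_hash=dataset_hash(output_rows),
            prev_entry_hash=prev).seal()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True iff every entry hash recomputes, the chain links, and each step consumed the previous output."""
        prev_hash, prev_output = "", None
        for e in self.entries:
            expected = LineageEntry(**{**asdict(e), "entry_hash": ""}).seal().entry_hash
            if e.entry_hash != expected or e.prev_entry_hash != prev_hash:
                return False
            if prev_output is not None and e.input_hash != prev_output:
                return False
            prev_hash, prev_output = e.entry_hash, e.output_hash
        return True


# Constructed sample corpus: a tiny stand-in for a collected text dataset.
RAW_ROWS = [
    "support ticket: printer offline in building 2",
    "support ticket: printer offline in building 2",                   # exact duplicate
    "support ticket: reset password for user jdoe, SSN 123-45-6789",   # contains a sensitive token
    "support ticket: vpn drops every 10 minutes",
]


def build_demo_manifest() -> LineageManifest:
    """Run the constructed pipeline collect -> filter -> dedup -> synthesize and record each step."""
    m = LineageManifest()
    m.record("collect", {"source": "helpdesk-export (constructed)"}, None, RAW_ROWS)

    filtered = [r for r in RAW_ROWS if "SSN" not in r]
    m.record("filter", {"rule": "drop rows containing 'SSN'"}, RAW_ROWS, filtered)

    deduped = list(dict.fromkeys(filtered))  # exact-match dedup, order preserved
    m.record("dedup", {"method": "exact"}, filtered, deduped)

    # Synthetic rows are derived from the real, filtered data; the manifest keeps the real
    # input's hash so "what generated this synthetic set?" stays answerable later.
    synthetic = [f"synthetic: {r.split(': ', 1)[1]} (variant {i})" for i, r in enumerate(deduped)]
    m.record("synthesize",
             {"generator": "template-v0 (constructed)", "memorization_check": "exact-overlap"},
             deduped, synthetic)
    return m


def tamper_detected() -> bool:
    """Quietly relax the filter rule in an already-sealed entry; verify() must then fail."""
    m = build_demo_manifest()
    m.entries[1].params["rule"] = "none"
    return not m.verify()


if __name__ == "__main__":
    manifest = build_demo_manifest()
    print("chain valid:", manifest.verify())
    for e in manifest.entries:
        print(f"{e.step:<10} in={e.input_hash[:12] or '-':<12} out={e.output_hash[:12]}")
    print("tamper detected:", tamper_detected())
```

The manifest deliberately stores hashes rather than the rows themselves, so it can be handed to a regulator, auditor or customer without disclosing the data; the party holding the actual snapshots can still recompute every hash and confirm the chain. Anything not captured in `params` is not reproducible from the record, which is the practical test for whether a lineage document is "defensible" in the sense the section describes.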

  • Expect “training data disclosure” requests to expand from model providers to enterprises that fine-tune or deploy generative systems, including demands for supplier attestations.
  • Watch for procurement clauses that require dataset inventories and lineage evidence as a condition of model or data purchase.

State-level AI governance: prohibitions plus oversight bodies

Texas’ TRAIGA (Texas Responsible Artificial Intelligence Governance Act) is described as regulating AI development and deployment, prohibiting harmful uses, and establishing a Texas Artificial Intelligence Council to oversee compliance. The important operational point is the combination of restrictions (what you can’t do) and governance infrastructure (who will interpret and enforce expectations).

For builders and deployers, oversight councils tend to create a moving target: guidance, interpretations, and enforcement priorities can evolve. That increases the value of internal control frameworks that are legible to external reviewers—risk assessments, model documentation, incident response, and change management—so teams can adapt without rewriting their entire program.

For privacy and compliance teams, the overlap with data governance is immediate. If “harmful uses” include sensitive inferences or discriminatory impacts, then data selection, feature design, and evaluation datasets become compliance-relevant. Synthetic data may be used to test edge cases, but teams should be prepared to justify representativeness and limitations, not just claim privacy benefits.

  • More states may follow with AI governance laws that include dedicated oversight bodies, increasing multi-state compliance complexity for nationwide deployments.
  • Expect enforcement to hinge on whether organizations can show repeatable processes (reviews, logs, approvals), not just one-time documentation.

A US privacy baseline could change the economics of synthetic data

The American Privacy Rights Act is summarized as aiming to create a national baseline for individual data privacy rights, including mechanisms for oversight, enforcement, and accountability. Even without getting into the fine print, the direction matters: a baseline tends to standardize expectations for collection, use, and sharing, which in turn affects how teams justify data minimization and de-identification strategies.

For synthetic data and privacy engineering, a national baseline can reduce the number of bespoke state-by-state interpretations teams must support. But it can also raise the floor: if enforcement and accountability mechanisms become more consistent, then “privacy theater” becomes riskier. Teams will need measurable claims—what data is used, what can be inferred, and what controls reduce exposure.

Practically, data leads should treat this as a prompt to formalize decision records: why a dataset is needed, why synthetic data is sufficient (or not), and what residual risks remain. Those records are what survive leadership changes, audits, and incident reviews.

  • Watch for enterprises to shift from ad hoc de-identification to standardized privacy engineering controls (including synthetic data) that can be defended under a national baseline.
  • Expect stronger demands for accountability artifacts: DPIA-like assessments, data maps, and vendor risk reviews tied to privacy rights.

EU and UK: implementation guidance and amended data regimes

In the EU, the European Commission’s General-Purpose AI Code of Practice is positioned as a tool to support compliance with the EU AI Act by providing operational guidance for general-purpose AI model providers. This is the familiar regulatory pattern: legislation sets obligations; codes and guidance translate them into expected practices, documentation, and controls.

In the UK, the Data (Use and Access) Act 2025 is summarized as amending the Data Protection Act 2018 and introducing new provisions for data protection and access. For organizations operating across the EU and UK, that signals continued divergence risk—meaning policies, contracts, and technical controls may need UK-specific adjustments even when teams want a single “GDPR-style” operating model.

Separately, the OECD report on sharing trustworthy AI models with privacy-enhancing technologies emphasizes PETs as a way to share models while maintaining data protection. The key governance implication is that PETs are being framed as operational tools to enable collaboration, not just as niche cryptography. But PETs only help when paired with clear threat models, measurement, and enforceable access controls—otherwise they become another checkbox.

  • Expect EU-facing model providers to be asked for code-of-practice-aligned documentation and controls as part of enterprise due diligence.
  • Watch for PETs to move from R&D pilots into procurement requirements for model sharing, evaluation, or cross-organization collaboration.