
Three Frameworks, One Artifact: US EO, EU AI Act, and Canada


Three regulatory events converged in a single 90-day window in 2026. Understanding how they relate — and where they overlap — is the fastest way to cut through the compliance noise.

THE US AI EXECUTIVE ORDER (June 2, 2026)

Jurisdiction: Federal agencies and their contractors.

Core mandate: Document all AI systems in use within 30 days. Establish authorization scope for agentic AI deployments. Participate voluntarily in the Treasury AI Cybersecurity Clearinghouse.

Key date: July 2, 2026 — agency hardening deadline.

Who it affects beyond government: Any company with federal contracts. The CFAA language around agentic AI authorization creates liability for contractors whose AI agents operate outside documented scope.

THE EU AI ACT (Enforcement: August 2, 2026)

Jurisdiction: Any organization deploying AI in EU markets.

Core mandate: Article 11 — complete technical documentation of all AI systems. Article 12 — continuous event logging. Risk-tier classification for all deployed systems.

Penalty: Up to €35 million or 7% of global annual revenue.

Who it affects: Any organization with EU customers, employees, or operations. Shadow AI — tools employees use without IT sanction — creates deployer liability even when the organization didn't intentionally deploy the tool.

CANADA — THE PATCHWORK (Active, no single deadline)

Jurisdiction: Sector-specific.

Active instruments: OSFI E-23 (financial services model risk), Quebec Law 25 (privacy + AI decision documentation), Ontario AI principles (January 2026), Treasury Board Directive on Automated Decision-Making (federal systems).

AIDA (Bill C-27) died in Parliament in January 2025 and has not been reintroduced. What replaced it is four overlapping frameworks with no unified compliance date — which creates its own risk: organizations waiting for a single Canadian AI law to organize against are already behind on the sector-specific requirements that are active today.

THE OVERLAP

Strip away the jurisdictional differences and the technical language and all three frameworks require the same starting artifact: a complete inventory of AI systems deployed in your organization, with vendor attribution, user assignment, cost data, and documented authorization scope.

This is not a coincidence. It reflects a shared regulatory insight: you cannot assess risk, assign accountability, or enforce governance on AI systems you haven't identified. The inventory is the foundation. Everything else — risk classification, bias detection, human oversight assignment, incident logging — is built on top of it.

The organizations that will navigate this convergence most efficiently are the ones who build that foundation once and let it serve all three frameworks simultaneously.

One artifact. Three frameworks. Build it now.
