
AI Regulation and Governance

AI & You | Snapshot

In Short

The EU AI Act is the world's first comprehensive AI law, now in force and phasing in binding obligations through 2026 and 2027, while the US under the Trump administration has pivoted from Biden-era safety requirements toward a deregulatory posture centered on voluntary frameworks. China has enacted sector-specific rules on recommendation algorithms, deepfakes, and generative AI. The global picture is fragmented, with no international treaty, but the OECD AI Principles provide a common reference point across 46 countries.

01. What It Is

AI governance refers to the rules, norms, and institutions that determine how AI systems are developed, deployed, and audited. It ranges from hard law (statutes and regulations with legal penalties) to soft law (voluntary frameworks, principles, standards) to technical standards (benchmarks, evaluation protocols). As of June 2026, the EU has the only comprehensive statutory framework in force. Most other jurisdictions rely on a mix of existing sector law, executive guidance, and voluntary commitments.

02. Why It Matters

Ungoverned AI deployment creates concrete harms: biased automated decisions in hiring, lending, and criminal justice; manipulation through recommender systems; privacy erosion through mass surveillance; and safety risks from systems used in critical infrastructure. Governance frameworks try to allocate responsibility, require disclosure, mandate testing, and give affected people recourse. They also shape the competitive landscape: the EU AI Act applies extraterritorially to any provider whose systems affect EU residents, meaning US and Chinese companies must comply.

03. Current State

EU AI Act (Regulation EU 2024/1689)

The AI Act entered into force on August 1, 2024. It uses a risk-tiered structure:

Unacceptable risk (prohibited):
These practices are banned entirely. Key examples include AI-powered social scoring by governments, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), subliminal manipulation techniques that bypass conscious decision-making, and exploitation of vulnerabilities of specific groups (children, people with disabilities). As of May 2026, the EU agreed to expand prohibitions to include "nudification" apps. The prohibition provisions applied from February 2, 2025.

High risk:
AI systems in critical infrastructure, education, employment, essential services (credit, insurance), law enforcement, migration, and justice. These require conformity assessments, bias testing, human oversight mechanisms, technical documentation, and registration in an EU database before deployment. High-risk obligations apply to new systems from August 2, 2026, and to existing systems deployed before that date from August 2, 2027. As of late 2025 and early 2026, these dates may slip: the Commission's proposed "Digital Omnibus" package would defer the high-risk obligations (provisionally to around December 2027 for the underlying framework and August 2028 for application), pending formal adoption by the co-legislators. The statutory dates above remain in force unless and until that change is adopted.

Limited risk:
Chatbots and AI-generated content require transparency disclosures. Users must be informed that they are interacting with an AI system. Providers of systems that generate synthetic content must mark it in a machine-detectable way. These transparency obligations apply from August 2, 2026.

Minimal risk:
AI for spam filters, video games, and similar applications faces no mandatory requirements under the Act.

General purpose AI (GPAI) and foundation models:
This tier covers models like GPT-4, Gemini, and Claude that can be applied to many tasks. All GPAI providers must provide technical documentation and cooperate with authorities. Providers of models trained with more than 10^25 FLOPs (a rough proxy for frontier-scale models) face additional requirements: systemic risk assessments, adversarial testing (red-teaming), incident reporting, and cybersecurity measures. These GPAI obligations applied from August 2, 2025. As of June 2026, the Commission was consulting on draft guidelines for GPAI classification.

The European AI Office, created within the Commission, oversees GPAI model compliance and coordinates enforcement across member states. In June 2026, the Commission announced independent expert support for AI Act enforcement.

An "AI Pact" launched alongside the Act invited companies to voluntarily adopt key obligations ahead of the legal deadlines. Many large providers signed.

US approach

The US has no comprehensive federal AI law as of June 2026.

The Biden administration's Executive Order 14110 (October 2023) required safety testing and disclosure for frontier AI models, directing NIST to develop standards. President Trump revoked EO 14110 on January 20, 2025, and signed a new executive order removing "barriers to American leadership in artificial intelligence," emphasizing competitiveness and deregulation.

The primary federal instrument is now the NIST AI Risk Management Framework (AI RMF 1.0), published January 2023. It is voluntary and provides a structured approach organized around four functions: Govern, Map, Measure, and Manage. NIST has a nonregulatory mission; it develops guidance that organizations may adopt. The White House "Winning the Race: America's AI Action Plan" released July 2025 named NIST in numerous recommended actions.

Sector regulators are filling the gap: the FTC applies consumer protection law to deceptive AI, the CFPB applies fair lending rules to credit algorithms, the EEOC has issued guidance on AI in hiring, and the FDA regulates AI-based medical devices. Some states are more active. Colorado enacted a comprehensive AI liability law. California has passed various AI bills including requirements on training data disclosures and automated decision systems. Illinois requires employers to notify job applicants when AI is used in screening.

China

China has enacted several targeted rules:

Algorithmic Recommendation Regulation (effective March 2022): Requires transparency in recommendation algorithms, prohibits targeting users with addictive content based on personal characteristics, and mandates opt-out options.

Deep Synthesis Regulation (effective January 2023): Governs deepfakes and synthetic media. Requires watermarking of AI-generated content and prohibits use to spread disinformation.

Generative AI Regulation (effective August 2023): Requires security assessments before deployment, content filtering to align with "socialist core values," clear labeling of AI-generated content, and data provenance records. Applies to services offered to the Chinese public.

China's approach is sector-specific and enforced by the Cyberspace Administration of China (CAC). It prioritizes content control and social stability alongside safety.

International frameworks

OECD AI Principles (2019, updated):
The first intergovernmental standard on AI. Forty-six countries have adhered, including all G7 members. Five principles: inclusive growth, human-centred values, transparency, robustness/security/safety, and accountability. G20 members including China endorsed these principles at the 2019 Osaka summit.

Council of Europe AI Treaty (2024):
The first binding international treaty on AI, adopted in May 2024 and opened for signature on 5 September 2024. Focuses on human rights, democracy, and rule of law. Signatories include EU member states, the US, UK, and others.

Hiroshima AI Process:
G7-initiated in 2023. Produced voluntary guiding principles and a code of conduct for advanced AI developers. In May 2026, OECD launched a streamlined reporting framework to help SMEs participate.

04. Key Terms

Provider vs. deployer:
The EU AI Act distinguishes providers (who develop or place AI on the market) from deployers (who use AI in their operations). Both have obligations, with providers bearing more.

Conformity assessment:
A formal evaluation (internal or third-party) that a high-risk AI system meets requirements before deployment.

CE marking:
High-risk AI systems in the EU require a CE mark as evidence of compliance, analogous to product safety marking.

Systemic risk:
Under the AI Act, GPAI models with compute above 10^25 FLOPs are presumed to pose systemic risk and face the heaviest regulatory requirements.

AI RMF:
NIST's AI Risk Management Framework. Voluntary in the US but increasingly cited by regulators globally as a reference.

05. Examples and Cases

The COMPAS recidivism algorithm and facial recognition deployments by US law enforcement agencies prompted calls for regulation. The EU Act's prohibition on real-time biometric surveillance in public spaces addresses exactly these use cases.

Clearview AI, which scraped billions of face images from the internet, has been fined by EU data protection authorities under GDPR. The AI Act adds another layer of scrutiny for biometric AI.

Generative AI companies including OpenAI, Google, and Anthropic signed the EU AI Pact ahead of legal deadlines. Several have published frontier safety frameworks (see also model cards, system cards).

06. Common Pitfalls and Misconceptions

"The EU AI Act only applies to EU companies."
It applies to any provider whose AI system affects EU residents, regardless of where the provider is based. A US company with EU customers must comply.

"Prohibited AI is banned globally."
Only in the EU and countries with similar rules. Social scoring systems banned in the EU remain legal and deployed in China.

"Voluntary frameworks are toothless."
The NIST AI RMF is voluntary federally, but sector regulators can incorporate it into enforcement expectations. FTC and CFPB enforcement actions have cited NIST-aligned practices.

"The GPAI tier only applies to GPT-scale models."
The 10^25 FLOP threshold is a presumption of systemic risk, not a definition of GPAI. Smaller general-purpose models still have documentation and cooperation obligations.

Verified against primary sources

Every claim traces to a cited source below.

Key terms

AI governance
The rules, norms, and institutions for how AI systems are developed, deployed, and audited.
Conformity assessment
A formal evaluation that a high-risk AI system meets requirements before deployment.
CE marking
A mark high-risk EU AI systems require as evidence of compliance, like product safety marking.
Systemic risk
Under the AI Act, GPAI models above 10^25 FLOPs are presumed to pose this and face heaviest rules.
AI RMF
NIST's voluntary AI Risk Management Framework, increasingly cited by regulators as a reference.

Tags

#ai-regulation #ai-governance #eu-ai-act #nist-ai-rmf #gpai #compliance
