AI Regulation: A Global Framework Without a Global Regulator

The moment we are in

Artificial-intelligence regulation is in a period of simultaneous convergence and divergence. Governments around the world agree that AI needs rules. They disagree on what those rules should say, who should enforce them, and how fast they should move. For companies developing or deploying AI across multiple jurisdictions, the result is a compliance puzzle with no single solution.

The EU AI Act: the benchmark

The EU AI Act, which entered into force in 2024 with phased implementation through 2027, is the most comprehensive AI-specific regulation in the world. It classifies AI systems by risk level — unacceptable, high, limited, and minimal — and imposes requirements calibrated to each tier. High-risk systems, which include those used in critical infrastructure, education, employment, and law enforcement, face the heaviest obligations: risk management, data governance, transparency, human oversight, and accuracy.

The Act has extraterritorial reach. Any company that places an AI system on the EU market or whose AI system’s output is used in the EU is potentially subject to it. For global companies, the EU AI Act is the de facto starting point for AI-compliance strategy.

The US: sectoral and executive-driven

The United States has not enacted a comprehensive AI law. Instead, the regulatory landscape is a patchwork of executive orders, agency guidance, and existing sectoral laws applied to AI. The White House Executive Order on AI (October 2023) directed federal agencies to develop AI standards and guidance. The NIST AI Risk Management Framework provides a voluntary taxonomy. Federal Trade Commission enforcement under Section 5 of the FTC Act has signalled that existing consumer-protection and anti-discrimination rules apply to AI.

The direction of travel is clear — more regulation, more agency attention — but the architecture is still under construction. Companies should watch the FTC, the EEOC, and the CFPB, all of which have signalled AI-enforcement priorities.

China: generative AI and content control

China has moved faster than any other major jurisdiction to regulate generative AI specifically. The 2023 Interim Measures on Generative AI impose content-moderation, data-training, and filing requirements on publicly available generative-AI services. The Cyberspace Administration of China (CAC) is the primary regulator, and enforcement has been active. For companies operating in China or with Chinese-language AI products, compliance with the CAC regime is mandatory and enforcement risk is real.

Other jurisdictions: a growing patchwork

Brazil’s AI Bill, Canada’s Artificial Intelligence and Data Act (AIDA), the UK’s pro-innovation approach (sectoral regulators applying existing law with central coordination), and various Asian and Latin American proposals add further complexity. The common threads — transparency, risk assessment, human oversight, and accountability — are visible across jurisdictions, but the specific requirements differ enough that a single global compliance framework is not yet attainable.

How to build a strategy

The companies that are managing AI compliance most effectively are doing four things: (1) mapping their AI systems and classifying them by risk level, using the EU AI Act as the organising framework; (2) monitoring regulatory developments in every jurisdiction where they operate or sell; (3) building AI-governance structures that involve legal, compliance, engineering, and the business; and (4) documenting everything — training data, model decisions, risk assessments, human-review processes — because regulators will ask.

This article is provided for general information only. It is not legal advice and does not create an attorney-client relationship.