AI Regulation Worldwide

The European Union AI Act

The EU AI Act, which entered into force in August 2024 with phased implementation through 2027, is the world's first comprehensive legal framework specifically designed for artificial intelligence. Its core mechanism is risk-based classification. AI systems are categorized into four risk tiers, with regulatory obligations scaling with risk level. This approach attempts to balance innovation with protection: low-risk applications face minimal regulation while high-risk applications face substantial requirements.

Unacceptable risk systems are banned outright. These include AI systems that manipulate human behavior to circumvent free will (subliminal manipulation), government social scoring systems that evaluate citizens based on social behavior or personal characteristics, real-time remote biometric identification in public spaces (with narrow exceptions for law enforcement in cases involving missing children, imminent terrorist threats, or serious criminal suspects), and AI systems that exploit vulnerabilities of specific groups (children, disabled persons) to distort behavior. The ban on social scoring was specifically motivated by concerns about practices observed in China's social credit system experiments.

High-risk systems face the most detailed regulatory requirements. The category includes AI used in critical infrastructure (energy, transport, water), education (determining access or outcomes), employment (recruiting, screening, evaluating workers), essential services (credit scoring, insurance pricing, emergency services dispatch), law enforcement (risk assessment, evidence evaluation, crime prediction), migration and border control (visa processing, asylum application assessment), and the administration of justice (sentencing assistance, case prioritization). High-risk system providers must implement risk management systems, data governance practices, technical documentation, record-keeping, transparency measures, human oversight mechanisms, accuracy standards, robustness requirements, and cybersecurity protections.

General-purpose AI models, including large language models like GPT-4 and Claude, have their own obligations under the Act. All GPAI model providers must maintain technical documentation, provide information to downstream deployers, comply with EU copyright law, and publish a summary of training data content. Models with "systemic risk" (defined as models trained with more than 10^25 FLOPs of compute, or designated by the Commission based on capability assessment) face additional obligations: model evaluations, adversarial testing, incident tracking and reporting, and adequate cybersecurity protections. Violations can result in fines of up to 35 million euros or 7% of global annual turnover, whichever is higher.

The United States Approach

The United States has not enacted comprehensive federal AI legislation as of 2026, instead relying on a combination of executive orders, sector-specific regulation through existing agencies, and state-level laws. This approach reflects both the political difficulty of passing comprehensive technology legislation through Congress and a philosophical preference for innovation-friendly, sector-specific regulation over broad horizontal mandates.

Executive orders have established the federal government's AI governance framework. Executive Order 14110, signed in October 2023, required safety testing and reporting for the most powerful AI models, established AI safety standards for federal procurement, directed agencies to address AI's risks to consumers and workers, and created frameworks for responsible AI use by the federal government. Subsequent executive orders have addressed specific applications including AI in healthcare, national security, and government services. Executive orders are binding on federal agencies but do not directly regulate private sector companies, limiting their scope.

Existing regulatory agencies apply their current authority to AI applications within their jurisdiction. The FDA regulates AI-enabled medical devices through its existing premarket review process, having authorized over 500 AI-enabled devices by 2025. The FTC uses its consumer protection authority to pursue companies that make deceptive claims about AI capabilities or deploy AI in ways that cause consumer harm. The SEC regulates AI use in financial services, including algorithmic trading, robo-advisors, and AI-driven investment decisions. The EEOC has issued guidance on AI-related employment discrimination under existing civil rights law. The CFPB addresses AI in consumer lending under the Equal Credit Opportunity Act and Fair Housing Act.

State-level legislation is creating a patchwork of AI-specific laws. Colorado enacted the Colorado Artificial Intelligence Act in 2024, requiring developers and deployers of high-risk AI systems to use reasonable care to avoid algorithmic discrimination. Several states have passed laws specifically addressing AI-generated deepfakes, particularly non-consensual intimate imagery and election-related disinformation. Multiple states have enacted or proposed laws governing AI in hiring, requiring employers to notify candidates when AI tools are used in employment decisions and, in some cases, requiring bias audits. This state-by-state approach creates compliance complexity for companies operating nationally but provides a laboratory for policy experimentation.

China's Targeted Regulations

China has taken an application-specific approach, enacting separate regulations for distinct AI technologies rather than a single comprehensive framework. The Algorithmic Recommendation Management Provisions, effective March 2022, regulate the recommendation algorithms used by social media platforms, e-commerce sites, and news aggregators. They require that users be able to opt out of personalized recommendations, that algorithmic systems not be used to unfairly set prices based on user profiling, and that recommendation systems promote positive content aligned with "socialist core values."

The Deep Synthesis Management Provisions, effective January 2023, regulate deepfakes and other AI-generated or AI-manipulated content. They require that providers of deep synthesis services obtain real-name registration from users, add labels to synthetic content, maintain logs of synthetic content generation, and prevent the creation of content that threatens national security, disturbs social order, or infringes on others' rights. These provisions are the most specific deepfake regulations enacted by any major jurisdiction.

The Interim Measures for the Management of Generative AI Services, effective August 2023, regulate large language models and other generative AI applications. They require that generative AI training data be legally obtained and not infringe intellectual property, that outputs reflect "socialist core values" and not contain content that undermines state power or national unity, that providers implement content filtering and user complaint mechanisms, and that services undergo security assessments before public deployment. The regulations apply to public-facing generative AI services developed or operated in China.

China's regulatory approach is notable for its specificity and speed. Regulations have been enacted and implemented within months of new AI applications becoming widely available, in contrast to the EU's multi-year legislative process. However, the regulations serve a dual purpose: protecting consumers and maintaining state control over information flows. The requirement that AI outputs align with "socialist core values" embeds censorship obligations into the regulatory framework, creating a model that is unlikely to be adopted by democratic governments but that may influence other authoritarian regimes developing their own AI governance approaches.

International Coordination

International AI governance remains in an early, voluntary stage. The OECD AI Principles, adopted in May 2019 and endorsed by 46 countries, established five principles: AI should benefit people and the planet, AI systems should be designed in a way that respects the rule of law and democratic values, AI systems should be transparent and responsible disclosure should be ensured, AI systems should be robust and secure, and organizations and individuals developing AI should be held accountable. These principles provide shared vocabulary and direction but lack enforcement mechanisms.

The G7's Hiroshima AI Process, launched in 2023, produced an International Code of Conduct for Organizations Developing Advanced AI Systems. The code includes 11 commitments: identifying and mitigating risks, reporting capabilities and limitations, investing in cybersecurity, developing content authentication mechanisms, pursuing research on societal risks, developing and deploying AI to address global challenges, implementing governance and risk management, fostering responsible information sharing, developing AI literacy, and contributing to international standards. Compliance is voluntary and self-reported.

The UK hosted the first global AI Safety Summit at Bletchley Park in November 2023, producing the Bletchley Declaration signed by 28 countries including the U.S., China, and the EU. The declaration acknowledged the potential for "serious, even catastrophic, harm" from frontier AI and committed signatories to cooperate on AI safety research and risk assessment. Subsequent summits in Seoul and Paris have continued this dialogue, though concrete binding commitments remain limited.

The fundamental challenge of international AI governance is that AI is a dual-use technology developed primarily by private companies in a small number of countries but deployed globally. The United States and China, the two leading AI powers, have fundamentally different values regarding freedom of expression, surveillance, and state control of technology. European values prioritize individual rights and precautionary regulation. Developing countries, which may experience AI's impacts without having influenced its development, have limited voice in governance discussions. Achieving meaningful international coordination on AI governance will require resolving or managing these value differences, which are among the deepest geopolitical divides of the current era.

Challenges in Regulating a Moving Target

AI regulation faces a fundamental timing problem. Legislative processes operate on timescales of years, while AI capabilities advance on timescales of months. The EU AI Act was proposed in April 2021, before GPT-3.5 demonstrated the capabilities of large language models to the general public. By the time the Act entered into force in August 2024, the technology landscape had been transformed by GPT-4, Claude, Gemini, Stable Diffusion, and dozens of other systems that the original proposal did not contemplate. The Act was amended during the legislative process to add provisions for general-purpose AI models, but this reactive adaptation illustrates the difficulty of writing durable regulations for rapidly evolving technology.

Definition challenges compound the timing problem. Terms like "AI system," "high risk," and "general purpose" must be defined precisely enough to be enforceable but broadly enough to capture future applications. The EU AI Act defines an AI system as "a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments." This definition is deliberately broad, but its application to specific borderline cases, whether a complex spreadsheet formula qualifies as AI, for instance, remains subject to interpretation.

Enforcement is the ultimate test of any regulatory framework. The EU AI Act assigns enforcement responsibility to national authorities in each member state, with the European AI Office providing coordination and oversight for general-purpose AI models. The effectiveness of enforcement will depend on whether these authorities have the technical expertise to audit AI systems, the resources to investigate complaints, and the political will to impose significant penalties on powerful technology companies. Early evidence suggests that enforcement capacity varies dramatically across member states, with smaller countries lacking the specialized personnel needed to evaluate complex AI systems.