In 1844, Samuel Morse sent the first long-distance telegraph message from Washington to Baltimore, and within a decade the technology had outrun every existing legal framework governing communications, commerce, and privacy. Britain passed the Electric Telegraph Act in 1863 β nineteen years after the fact. The United States took until 1866. In the interim, stock traders in New York and London found ways to use the wire to front-run prices; newspapers published dispatches of uncertain provenance; and governments discovered, with considerable alarm, that a private company now controlled a nervous system they had not built and could not easily inspect.
That pattern β technology arrives, actors profit and sometimes harm, lawmakers scramble β is repeating with artificial intelligence, compressed into years rather than decades. The European Union adopted its AI Act in March 2024, the first comprehensive binding AI law anywhere in the world. The United States issued Executive Order 14110 on AI safety in October 2023, then partly rescinded it in January 2025. China published its Generative AI Measures in August 2023. Three major jurisdictions, three different theories of what the problem even is.
This course maps that contested terrain. It covers the EU AI Act's risk tiers, the US executive and legislative landscape, China's domestic approach, and the emerging international coordination bodies trying to prevent regulatory fragmentation. It will not tell you what the law will be in five years β no one can. What it will give you is the conceptual vocabulary and historical grounding to read new developments as they arrive and to reason about them with more precision than the headlines allow.
If you finish every module, here's who you become:
On 21 April 2021, the European Commission released a 108-page proposal that would take three years to become law. Its architects β led by Commission Executive Vice-President Margrethe Vestager and Internal Market Commissioner Thierry Breton β deliberately avoided defining AI by its technical architecture. Instead, they asked a simpler question: what harm can this system cause, and to whom? The result was a four-tier risk pyramid that would reshape how companies worldwide design, document, and deploy AI systems.
The proposal triggered intense lobbying. Between 2021 and 2023, more than 600 organisations registered positions with the EU institutions on the AI Act β more than on the General Data Protection Regulation. The emergent complication was generative AI: ChatGPT launched in November 2022, mid-negotiation, and negotiators had to retrofit foundation-model rules into a framework that had not anticipated them. The final text, adopted by the European Parliament on 13 March 2024 by a vote of 523 to 46, ran to 459 articles.
The EU AI Act organises AI systems into four risk categories, each carrying distinct obligations. Unacceptable risk systems are outright banned: social scoring by governments, real-time biometric surveillance in public spaces (with narrow law-enforcement exceptions), and AI that exploits psychological vulnerabilities. These provisions entered into force six months after the Act's publication, in February 2025.
High-risk systems β covering critical infrastructure, educational assessment, employment screening, credit scoring, biometric identification, and administration of justice β must satisfy conformity assessments before deployment, maintain technical documentation, ensure human oversight, and register in an EU database. Annex III of the Act lists eight categories of high-risk use cases that carry the heaviest pre-market obligations. A CV-screening tool used by a large employer, for example, falls into this category.
Limited-risk systems, principally chatbots and deepfake generators, face transparency requirements only: users must be informed they are interacting with AI. Minimal-risk systems β spam filters, AI in video games β face no mandatory requirements under the Act, though codes of practice may apply.
The AI Act's biometric categorisation prohibition entered into force on 2 August 2026 for high-risk systems, but the ban on unacceptable-risk systems applied from 2 February 2025 β making it the earliest binding provision of the regulation to take effect.
Title III of the final Act, added in response to the generative AI surge of 2022β2023, creates a distinct category: General Purpose AI (GPAI) models. Providers of GPAI models must maintain technical documentation, comply with EU copyright law, and publish summaries of training data. Models trained with more than 10^25 floating point operations β a threshold that currently captures GPT-4, Claude 3, and Gemini Ultra class systems β face additional systemic risk obligations including adversarial testing and incident reporting.
This distinction matters commercially. OpenAI, Google DeepMind, Anthropic, and Meta all fall within the GPAI rules' scope when deploying in the EU. The European AI Office, established in February 2024 within the Commission, serves as the designated supervisor for GPAI compliance β the first EU-level AI regulator with direct enforcement authority.
Fines under the AI Act are calibrated to the tier of violation. Placing a prohibited AI system on the market can attract fines of up to β¬35 million or 7% of global annual turnover, whichever is higher. Violations of high-risk obligations carry up to β¬15 million or 3% of turnover. Supplying incorrect information to authorities carries up to β¬7.5 million or 1.5% of turnover.
The penalty structure is deliberately steeper than GDPR's maximum of 4% of turnover for the most severe violations β a signal that the EU regards certain AI harms as more serious than data protection breaches. Whether these penalties will be enforced at scale depends on national market surveillance authorities, whose capacity varies substantially across member states.
Any company deploying AI in the EU β regardless of where it is headquartered β must comply with the AI Act. A US insurer using an algorithmic underwriting tool for EU customers is subject to its high-risk provisions. The Act's extraterritorial reach mirrors the GDPR's and is already shaping product decisions in Silicon Valley and Shenzhen.
You will describe AI deployment scenarios and classify them under the EU AI Act's risk tiers. The lab assistant will challenge your reasoning, flag misclassifications, and explain edge cases β including how the same system can fall into different tiers depending on its deployment context.
Complete at least three substantive exchanges to finish this lab.
On 30 October 2023, President Biden signed Executive Order 14110 β "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence" β the most comprehensive federal AI directive the United States had issued. It ran to 111 pages in the Federal Register, directed more than fifty federal agencies to take specific actions, and gave the National Institute of Standards and Technology ninety days to produce safety guidelines for frontier models. Fifteen months later, on 20 January 2025, the incoming Trump administration rescinded it on its first day in office. No replacement legislation had passed Congress.
That whipsaw captures the structural challenge of US AI governance: a constitutional system that gives the executive branch broad but reversible authority, a Congress that has been unable to pass major technology legislation since the Communications Decency Act of 1996, and a patchwork of sectoral regulators β the FTC, FDA, SEC, CFPB β each applying their existing statutory authority to AI in their domains without central coordination.
EO 14110 contained several substantive requirements. Under the Defense Production Act, developers of frontier AI models β defined as those trained above a computational threshold of 10^26 operations β were required to report safety test results to the federal government before public deployment. The Order directed NIST to develop an AI Safety Institute (now renamed the AI Safety and Security Board under the Trump administration), and instructed the Department of Homeland Security to assess AI risks to critical infrastructure.
The Order also required federal agencies to designate a Chief AI Officer and produce inventories of their AI use cases. By the end of 2024, agencies had filed more than 1,700 AI use-case entries in the federal AI use-case inventory β the first systematic accounting of AI deployment across the executive branch.
Congress has not passed a comprehensive AI governance statute. The CHIPS and Science Act of 2022 allocated $52.9 billion to semiconductor manufacturing and $200 billion for scientific research, including AI β a competitiveness measure rather than a governance one. The National AI Initiative Act of 2020 established coordination mechanisms among federal AI research programs but imposed no restrictions on private actors.
Multiple bills have been introduced. The Algorithmic Accountability Act has been reintroduced in successive Congresses since 2019 without passage. The AI Foundation Model Transparency Act, introduced in 2023, would require model cards and training data disclosures for large models; it has not advanced beyond committee. The Senate's bipartisan AI roadmap, published in May 2024, called for $32 billion in AI investment and sector-specific regulation β but produced no legislation before the 118th Congress ended.
In the absence of federal legislation, states have moved. California's AB 2013 (2024) requires disclosure of training data for generative AI. Colorado's SB 205 (2024) creates consumer protections against algorithmic discrimination in high-stakes decisions. Illinois's BIPA (Biometric Information Privacy Act, 2008) has been used in hundreds of AI-related lawsuits. Texas's CAPAI Act, enacted in 2025, applies risk-management requirements to high-risk AI systems β closely mirroring the EU framework.
The Federal Trade Commission has applied its Section 5 unfair or deceptive practices authority to AI. In January 2023, the FTC published guidelines warning that AI-generated endorsements and synthetic reviews violate existing law. In September 2024, the FTC settled with DoNotPay β a company marketing AI legal services β for making unsubstantiated claims about its AI's capabilities, the first such action against a consumer AI product.
The Food and Drug Administration has a more structured approach: it has cleared more than 950 AI/ML-enabled medical devices as of 2024, applying its existing 510(k) and De Novo pathways. In April 2023, FDA published a framework for marketing submissions of AI/ML-based software as a medical device, establishing how manufacturers can propose predetermined change control plans β allowing models to update post-clearance within defined bounds.
The Consumer Financial Protection Bureau, in a 2022 circular, confirmed that the Equal Credit Opportunity Act requires lenders to give specific reasons for adverse credit decisions even when those decisions are made by algorithmic models β a significant constraint on black-box underwriting in the US mortgage and credit markets.
The EU AI Act is a horizontal regulation applying across all sectors. US AI regulation is vertical β each sector applies its own existing rules, with the result that a healthcare AI faces FDA scrutiny, a financial AI faces CFPB rules, and a hiring AI faces EEOC guidance, with no single framework unifying them. Both approaches have defenders. Sectoral regulation allows expertise; horizontal regulation allows consistency.
The US has no single AI regulator. For each scenario you describe, identify which federal agency or statute applies β FTC, FDA, CFPB, EEOC, SEC, or another body β and explain the legal hook. The assistant will assess your mapping and introduce complications such as overlapping jurisdiction or regulatory gaps.
Complete at least three substantive exchanges to finish this lab.
When the Cyberspace Administration of China published its Interim Measures for the Management of Generative Artificial Intelligence Services on 13 July 2023 β effective 15 August β it became the first major jurisdiction to impose binding rules specifically on generative AI. The measures arrived eight months before the EU AI Act's parliamentary vote, and months before any comparable US federal action. They required providers to submit security assessments before launch, label AI-generated content, and ensure outputs "embody core socialist values" β a requirement with no counterpart in Western frameworks and one that drew immediate attention from companies seeking to operate in the Chinese market.
This was not China's first AI regulation. It was the third in a sequence that had begun in 2021. Each rule addressed a specific technology or risk: recommendation algorithms in 2021, deepfakes in 2022, generative AI in 2023. The approach was deliberate β targeted rules issued quickly, tested against deployment realities, then revised β rather than the years-long horizontal rulemaking the EU undertook. The tradeoff was coherence: by 2024, China had four overlapping AI regulatory instruments with no single coordinating statute.
China's AI governance rests on a series of regulations issued by the Cyberspace Administration of China (CAC), sometimes in coordination with the National Development and Reform Commission and the Ministry of Industry and Information Technology. The four principal instruments are:
Provisions on the Management of Algorithmic Recommendations (effective March 2022) β Applied to recommendation systems on platforms like Douyin (TikTok's Chinese version), Weibo, and Baidu. Providers must label algorithmically recommended content, allow users to opt out of profiling, and avoid using algorithms to engage in "improper commercial marketing" or induce addiction in minors.
Provisions on the Management of Deep Synthesis Technology (effective January 2023) β Targeted synthetic media, requiring watermarking of AI-generated content and prohibiting deepfakes that "endanger national security" or spread disinformation. This is the Chinese provision closest in spirit to the EU AI Act's transparency requirements for limited-risk systems.
Interim Measures for Generative AI Services (effective August 2023) β Required pre-launch security assessments for generative AI services available to the Chinese public, prohibited outputs contradicting "socialist core values," and mandated that providers verify user identity and maintain logs of prompts and outputs for six months.
Draft AI Law (circulated 2024) β China has been drafting a more comprehensive AI law since at least 2023. A draft circulated in 2024 contemplates a risk classification system with some similarities to the EU framework, though with distinct provisions for national security and state-directed AI development.
Under the Generative AI Measures, any service provider offering generative AI to Chinese users must complete a security assessment filed with the CAC before launch. By the end of 2023, the CAC had approved more than a dozen models β including Baidu's Ernie Bot, Alibaba's Tongyi Qianwen, and iFlytek's Spark. Foreign providers face a structural obstacle: the assessment requires disclosing model architecture and training methodology to Chinese regulators, a disclosure most Western providers are unwilling to make.
China's AI governance operates within a different political economy than either the EU or US frameworks. The government is simultaneously a regulator, a major funder, and in some cases a direct customer of AI systems. The New Generation AI Development Plan (2017) set targets for China to become the world leader in AI by 2030, with state investment targets of 1 trillion yuan by that date.
This dual role creates tension. Stringent pre-launch assessments can slow the domestic AI industry that the state is trying to advance. The CAC has handled this by applying the security assessment requirement primarily to consumer-facing services, leaving enterprise and government-procurement AI deployments under lighter-touch review. The result is a regulatory architecture that constrains foreign access and shapes public-facing AI content while preserving operational space for domestic industrial deployment.
The intersection of Chinese AI governance and Western regulatory concern crystallised in the 2023β2024 legislative process around TikTok. In April 2024, the US Congress passed the Protecting Americans from Foreign Adversary Controlled Applications Act, giving ByteDance 270 days to divest TikTok or face a US operating ban. The Supreme Court upheld the statute in January 2025.
The TikTok case illustrates how AI governance is becoming entangled with national security architecture. TikTok's recommendation algorithm β technically a high-precision content-ranking AI β was the proximate concern. Congressional testimony focused not on algorithmic harm in the conventional sense but on data flows, potential for content manipulation, and the applicability of Chinese law (including the 2017 National Intelligence Law) to ByteDance's data assets.
China's approach to AI governance β rapid targeted rules, state promotion alongside regulation, content constraints tied to political values β diverges fundamentally from both the EU's rights-based horizontal framework and the US's market-oriented sectoral approach. Companies operating globally must navigate all three simultaneously, and the requirements are sometimes mutually incompatible.
Regulatory arbitrage β deploying AI in whichever jurisdiction imposes the fewest constraints β is a real phenomenon. In this lab, describe an AI product or system and analyse how it would be treated under all three frameworks simultaneously. The assistant will help you identify conflicts, gaps, and genuine compliance challenges for multinational operators.
Complete at least three substantive exchanges to finish this lab.
On 1β2 November 2023, representatives from 28 countries β including the United States, China, the European Union, and the United Kingdom β gathered at Bletchley Park, the Second World War codebreaking site, for the first AI Safety Summit. The choice of venue was deliberate: Bletchley's wartime history of technical ingenuity deployed under existential pressure was the intended frame. The summit produced the Bletchley Declaration, signed by all 28 participating governments, acknowledging that "frontier AI" poses potentially catastrophic risks and committing to a shared process of safety evaluation. It was the first time China and the United States had co-signed a joint AI governance document.
The Declaration contained no binding obligations. Critics noted that agreeing risks exist is not the same as agreeing what to do about them. Supporters argued that the mere fact of joint acknowledgement by geopolitical rivals represented meaningful progress. A second summit followed in Seoul in May 2024, producing the Seoul Ministerial Statement and a commitment to establish international AI Safety Institutes that would coordinate on model evaluations. A third summit was held in Paris in February 2025, where the AI Action Summit focused more heavily on applications and economic opportunity than on frontier risk.
Before the summit process, the most established international AI governance framework was the OECD AI Principles, adopted in May 2019 and revised in 2024. The principles were the first intergovernmental standard on AI, endorsed by all 38 OECD members and subsequently adopted by G20 leaders. They identify five values-based principles: inclusive growth and sustainable development; human-centred values and fairness; transparency and explainability; robustness, security, and safety; and accountability.
The OECD Principles are non-binding. They serve as a normative reference point that many national frameworks explicitly cite β the EU AI Act, the US NIST AI Risk Management Framework, and Canada's Directive on Automated Decision-Making all reference or align with OECD terminology. This soft-law anchoring function is their primary practical value: by establishing shared vocabulary, they reduce the cost of mutual recognition between different national regimes.
In January 2023, the US National Institute of Standards and Technology released the AI Risk Management Framework (AI RMF 1.0). Unlike a regulation, the RMF is a voluntary guidance document β but it has been widely adopted. EO 14110 directed federal agencies to align their AI procurement and deployment practices with it; multiple Fortune 500 companies have publicly aligned their AI governance programs to it; and NIST has developed sector-specific profiles for healthcare AI and generative AI (Generative AI Profile, published July 2024).
The RMF organises AI risk management into four functions: Govern, Map, Measure, and Manage. The Govern function addresses accountability structures and organisational culture. Map involves identifying AI risks in context. Measure involves evaluating those risks quantitatively or qualitatively. Manage involves responding to assessed risks through mitigation, transfer, or acceptance. The framework's influence on corporate AI governance programs globally has been substantial, even in jurisdictions not subject to US law.
At the G7 summit in Hiroshima in May 2023, leaders launched the Hiroshima AI Process, which produced the International Guiding Principles on AI and a voluntary Code of Conduct for AI developers in October 2023. The Code of Conduct was endorsed by eleven leading AI companies including OpenAI, Google DeepMind, Microsoft, and Anthropic. It covers transparency, incident reporting, information sharing with governments, and red-team testing for frontier models β a set of commitments stronger in specificity than the Bletchley Declaration but still entirely voluntary.
One concrete outcome of the Bletchley and Seoul summits is the emergence of national AI Safety Institutes (AISIs). The UK established the world's first AISI in November 2023; the US followed with its own in February 2024 (subsequently renamed the AI Safety and Security Board). By mid-2024, Japan, Singapore, Canada, France, and South Korea had announced equivalent bodies. At the Seoul summit, these institutes signed an agreement to cooperate on model evaluations β sharing methodologies and coordinating on which frontier models receive safety testing.
The network represents a pragmatic approach to international coordination: rather than treaty-level harmonisation of regulations, which faces serious political obstacles, states agree on shared technical evaluation standards. If the major AI jurisdictions accept common benchmarks for what constitutes a "safe" frontier model, regulatory requirements may converge in practice even without formal legal harmonisation.
Below the governmental level, technical standards bodies are producing specifications that will underpin regulatory compliance. ISO and IEC are jointly developing the ISO/IEC 42001 standard for AI management systems β published in December 2023, it is the first international management system standard specifically for AI. IEEE has published over 25 AI ethics standards including IEEE 7000 (addressing ethical concerns during system design), IEEE 7001 (transparency of autonomous systems), and IEEE 7010 (wellbeing metrics for autonomous systems).
The EU AI Act explicitly references harmonised standards as a compliance pathway for high-risk systems: a manufacturer whose product conforms to relevant EU harmonised standards is presumed to meet the Act's requirements. The European Committee for Standardisation (CEN/CENELEC) was mandated to develop these standards in 2023; the first tranche was expected by 2025. How quickly ISO/IEC 42001 is designated as a harmonised standard under the AI Act will determine how much of compliance becomes a certification exercise rather than a bespoke legal assessment.
International AI governance is converging on a layered architecture: non-binding intergovernmental principles (OECD, G7) provide normative vocabulary; national regulations (EU AI Act, China Measures) provide binding rules; voluntary frameworks (NIST RMF, G7 Code of Conduct) provide operational guidance; and technical standards (ISO/IEC 42001) provide certification pathways. The layers interact but do not yet form a coherent system. Understanding where each instrument sits β and where the gaps remain β is the central practical competency in AI governance work.
International AI governance relies heavily on voluntary instruments, soft law, and technical standards. In this lab, you will explore specific governance scenarios β including areas where no binding international rule exists β and assess what the existing toolkit (OECD Principles, NIST RMF, ISO/IEC 42001, AI Safety Institute network) can and cannot accomplish.
Complete at least three substantive exchanges to finish this lab.