When the European Commission published its draft AI Act on April 21, 2021, it landed with the weight of something unprecedented: a legislative attempt to classify every significant AI system by the harm it might cause. The proposal, COM(2021) 206 final, ran to 108 articles and nine annexes. Reporters compared it to GDPR. Industry lobbyists booked flights to Brussels. The document opened with a deceptively simple premise (that some AI is unacceptable, some is high-risk, and most is fine) and then spent the next 80,000 words trying to define those categories precisely enough to actually enforce.
Three years of trilogue negotiations between the Commission, Council, and Parliament followed. By the time the final text cleared the European Parliament on March 13, 2024, passing 523 to 46, it had absorbed the shock of ChatGPT's arrival, the rise of foundation models, and sustained pressure from both civil liberties groups and the semiconductor lobby. The Act entered into force on August 1, 2024, with a phased compliance calendar extending to 2027.
The Act's central innovation is its risk-based classification system, which assigns AI systems to one of four tiers. Understanding these tiers is essential because compliance obligations, enforcement powers, and market access all flow from the classification an AI system receives.
Unacceptable Risk (Prohibited): Article 5 bans outright a short list of AI practices deemed incompatible with fundamental rights. These include subliminal manipulation techniques that exploit psychological vulnerabilities, social scoring by public authorities, most real-time remote biometric identification in public spaces, AI that infers emotions in workplaces and educational institutions, and, added in the final negotiations, systems that scrape facial images from the internet to build recognition databases. The last prohibition was a direct response to documented practices by companies including Clearview AI, which had scraped billions of images without consent from social media platforms.
High-Risk: Annex III lists the domains where AI faces the heaviest obligations: biometric categorization, critical infrastructure management, educational credentialing, employment decisions, access to essential private and public services, law enforcement, migration and border control, and administration of justice. High-risk providers must implement conformity assessments, maintain technical documentation, register in an EU database, and ensure human oversight mechanisms. Post-market monitoring is mandatory.
Limited Risk: Systems like chatbots and deepfake generators face transparency obligations (they must disclose their AI nature to users) but no conformity assessment requirements.
Minimal Risk: AI-enabled spam filters, inventory management tools, and video games with AI elements face no specific obligations beyond general EU law.
Between 2020 and 2023, data protection authorities in Italy, France, Greece, and the UK collectively fined Clearview AI over €65 million for GDPR violations related to its facial recognition database scraped from public web sources. The EU AI Act's Article 5(1)(e) prohibition on scraping-based facial recognition databases directly codified regulators' existing concern into primary legislation, meaning post-August 2026 violators face AI Act penalties on top of GDPR exposure.
The original 2021 draft did not anticipate general-purpose AI (GPAI) models. ChatGPT's November 2022 launch forced Parliament to add Title VIII during 2023 negotiations. GPAI models, defined as models trained on broad data that can perform a wide range of tasks, now face their own obligations: technical documentation, copyright compliance summaries, and adherence to EU codes of conduct. Models with "systemic risk" (those trained with more than 10²⁵ FLOPs of compute, a threshold derived from frontier model estimates) face additional requirements including adversarial testing and incident reporting to the AI Office.
The 10²⁵ FLOP threshold was explicitly set to capture models like GPT-4 and Gemini Ultra while excluding smaller open-source systems. Critics noted that as compute efficiency improves, capable models may fall below the threshold; the Act allows the Commission to update the threshold by delegated act.
Enforcement is split. The newly created EU AI Office, established within the Commission in February 2024, before the Act even formally passed, has exclusive supervisory authority over GPAI model providers regardless of where they are headquartered. For high-risk AI systems, enforcement falls to national competent authorities in each member state, mirroring the GDPR's decentralized Data Protection Authority model. Maximum fines are €35 million or 7% of global annual turnover for prohibited practices; €15 million or 3% for other violations; €7.5 million or 1.5% for providing incorrect information.
Conformity Assessment: The process by which a high-risk AI provider verifies that its system meets Act requirements before market placement, by either self-assessment or third-party audit depending on the risk category.
Notified Body: An accredited third-party organization authorized to conduct conformity assessments. The EU is still building out the notified body ecosystem for AI.
CE Marking: High-risk AI systems that pass conformity assessment will carry CE marking, integrating AI compliance with the EU's existing product safety infrastructure.
You are advising organizations on how the EU AI Act classifies their AI systems. Use the four-tier framework (Unacceptable, High-Risk, Limited Risk, Minimal Risk) to analyze the scenarios below. The AI tutor will respond to your classifications and explain the legal reasoning under the Act.
On October 30, 2023, President Biden signed Executive Order 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. At 111 pages, it was the most detailed AI governance directive ever issued by a sitting US president. It directed the National Institute of Standards and Technology to develop AI safety standards, required developers of the most powerful models to share safety test results with the federal government before public release, established the AI Safety Institute within NIST, and instructed more than a dozen agencies to produce AI risk assessments within 90 and 180 days. The White House called it "the strongest set of actions any government in the world has ever taken on AI safety."
On January 20, 2025, President Trump signed an executive order rescinding EO 14110 entirely. The AI Safety Institute was subsequently renamed the AI Safety and Security Board and its leadership replaced. The episode illustrated the central structural fact of US AI governance: executive orders are powerful but impermanent; they can be undone the moment a new administration takes office.
Three months before EO 14110, the Biden White House extracted voluntary safety commitments from seven leading AI companies: Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI. The commitments covered three areas: safety (sharing information about AI risks with governments and civil society), security (investing in cybersecurity and protecting proprietary models), and trust (developing technical mechanisms for users to know when AI-generated content is AI-generated). Adobe, Apple, IBM, NVIDIA, Palantir, Salesforce, Scale AI, and Stability AI joined an expanded commitment in September 2023.
The key word is "voluntary." These commitments created no legally enforceable obligations. No penalty attached to non-compliance. Critics noted that without statutory backing, the commitments functioned more as reputational signals than regulatory constraints. Proponents argued that moving quickly through voluntary mechanisms let governance keep pace with technology while Congress remained gridlocked.
In August 2023, the Federal Trade Commission launched a market study under Section 6(b) of the FTC Act, issuing compulsory orders to five AI companies (Alphabet, Amazon, Anthropic, Microsoft, and OpenAI) demanding information about their investments and partnerships with AI developers. This represented the FTC's attempt to apply existing consumer protection and antitrust authority to AI without new legislation. In January 2024, the FTC also opened an investigation into cloud-AI partnerships, signaling that existing statutory authority, not new AI-specific law, was the near-term enforcement lever in the United States.
The most operationally significant US AI governance instrument is not an executive order but a voluntary framework: the NIST AI Risk Management Framework (AI RMF 1.0), published January 26, 2023. Developed through an extensive multi-stakeholder process including over 240 organizations, the AI RMF organizes risk management around four functions: GOVERN (organizational accountability), MAP (context and risk identification), MEASURE (analysis and assessment), and RESPOND (prioritizing and acting on risk). Unlike the EU Act, the framework makes no compliance mandatory. It functions as a professional standard that agencies and companies can voluntarily adopt and that may inform procurement requirements.
The framework's influence has grown through procurement channels: multiple federal agencies have made AI RMF alignment a requirement for AI vendors seeking government contracts, effectively creating a de facto mandatory standard for that market segment without requiring Congressional action.
The absence of a federal AI statute does not mean AI is unregulated in the United States. A complex lattice of sectoral rules applies to AI when it operates in regulated domains. The Equal Credit Opportunity Act covers algorithmic lending decisions. The Fair Housing Act covers AI-driven housing recommendations. The HIPAA framework governs AI processing health data. The FDA has cleared over 950 AI-enabled medical devices as of 2024. The SEC has scrutinized AI in investment advice. The CFPB has issued guidance on AI in credit decisions. EEOC has published guidance on AI in employment screening.
This sectoral lattice produces uneven coverage: AI in a heavily regulated sector (healthcare, finance) faces more constraints than identical AI technology deployed in an unregulated context. Critics argue this creates regulatory arbitrage opportunities. Defenders note it allows domain experts, not generalist AI regulators, to set standards in complex technical fields.
In the absence of federal legislation, states have moved independently. Colorado enacted SB 24-205 in May 2024, covering AI in high-stakes decisions, becoming the first US state with a comprehensive AI law modeled loosely on the EU Act's approach. California's legislature passed AB 2013 (AI training data transparency) and SB 1047 (frontier AI safety requirements) in 2024; Governor Newsom signed the former and vetoed the latter. By early 2025, over 40 states had introduced AI-related legislation, creating a fragmented compliance environment that many companies argue makes federal preemption legislation more urgent.
In the US, AI governance is fragmented across executive orders, voluntary frameworks, sector-specific laws, and state rules. You are a policy analyst advising organizations on what actually governs their AI deployments. Use this lab to practice identifying which legal instruments apply and which leave gaps.
On August 15, 2023, China's Measures for the Management of Generative Artificial Intelligence Services entered into force, making China the first major jurisdiction to enact regulations specifically targeting generative AI services. The rules, issued jointly by the Cyberspace Administration of China and six other regulators, required that generative AI content reflect "core socialist values," prohibited content that subverted state power or undermined national unity, and required providers to label AI-generated content. Foreign companies offering generative AI services in China needed security assessments. The contrast with the EU Act's fundamental-rights orientation was stark: where Brussels worried about AI harming individuals, Beijing worried about AI destabilizing institutions.
This was not China's first AI-specific regulation. The CAC had already enacted rules on algorithmic recommendations (March 2022), deep synthesis (deepfakes) (January 2023), and internet information services more broadly. By mid-2023, China had more AI-specific enacted regulations than any other jurisdiction, a fact that surprised Western observers who had assumed democratic governments would move faster on digital regulation.
China's Provisions on the Management of Algorithmic Recommendations, effective March 1, 2022, were the world's first national regulation specifically targeting recommendation algorithms. They applied to any internet information service using algorithms to push content, products, or services to users. Key requirements included: users must be able to opt out of personalized recommendations; providers cannot use algorithms to induce users into addiction; pricing algorithms cannot discriminate between new and returning customers; and large platforms must disclose their recommendation logic to regulators through an algorithm filing and registration system, effectively a public registry of major algorithmic systems.
The algorithm registration system, administered by the CAC, is genuinely novel. By early 2024, over 3,000 algorithms had been registered, including those used by Alibaba, Tencent, ByteDance, and Baidu. The registry requires disclosure of algorithm purpose, training data types, application scope, and risk assessment. Nothing equivalent exists in the EU or US.
ByteDance registered TikTok's (Douyin's) recommendation algorithm with the CAC registry under the 2022 rules, providing one of the first instances of a major platform's core ranking algorithm being formally disclosed to a national regulator. In the US, the same algorithm was the subject of Congressional concern about data sovereignty and influence but faced no equivalent disclosure requirement, a gap that US legislators have pointed to in debates over TikTok legislation and social media algorithm transparency bills.
The August 2023 Generative AI Measures established five categories of obligations for providers:
1. Content Standards: Generated content must not violate core socialist values, must not discriminate by ethnicity, gender, or religion, and must not infringe intellectual property. Providers bear liability for content generated on their platforms.
2. Labeling: AI-generated content must be labeled, and providers must implement technical measures to trace content back to the generating model, creating a technical provenance requirement ahead of similar EU requirements.
3. Training Data: Training data must comply with IP law and must not contain content prohibited under Chinese law. Providers generating synthetic training data must ensure it does not contain prohibited content.
4. Security Assessment: Services with significant public opinion influence or social mobilization capacity must complete a security assessment with the CAC before launch, a pre-approval requirement with no EU or US equivalent for generative AI.
5. User Verification: Users must register with their real-name credentials, integrating generative AI into China's existing internet real-name system.
Understanding China's AI governance requires recognizing that it pursues objectives partly different from Western frameworks. The EU Act's primary stated aim is protecting fundamental rights and safety, an individual-protective orientation. The US frameworks emphasize innovation competitiveness alongside safety. China's framework explicitly adds social stability and Party authority as governance objectives, reflected in content requirements and real-name registration.
At the same time, China's framework shares some concerns with Western regulators: IP protection, data quality for training, content provenance, and algorithmic transparency (for regulators if not users). The algorithm registration system is arguably more operationally ambitious than anything in the EU Act or US frameworks. Scholars have noted that China's AI governance, while authoritarian in some dimensions, is also more specific: it enacts regulations targeting particular AI capabilities rather than creating horizontal risk classification frameworks.
AI governance scholars have identified a recurring tension: governments simultaneously want AI to be (1) safe for individuals, (2) beneficial for national competitiveness, and (3) controllable for state purposes. These goals can conflict. Heavy safety regulation may impede competitiveness. Competitiveness pressure may weaken safety rules. State control requirements may undermine individual privacy. Different jurisdictions resolve this trilemma differently: the EU prioritizes (1), the US tilts toward (2), and China explicitly pursues all three with (3) as a non-negotiable baseline.
You are a global compliance officer at a company deploying AI systems across the EU, US, and China. For any given AI system, the regulatory treatment can differ dramatically across jurisdictions. Use this lab to compare how the three frameworks treat specific AI use cases and identify which creates the most onerous compliance requirements.
On November 1–2, 2023, 28 countries and the EU gathered at Bletchley Park, the site where Alan Turing's team cracked the Enigma cipher during World War II, for the first AI Safety Summit. The symbolism was pointed. Britain's government chose the location deliberately: a place where mathematics and governance had once intersected to shape history. The summit produced the Bletchley Declaration, signed by all 28 nations including the United States, China, and the EU, acknowledging that frontier AI poses potentially catastrophic risks and that international cooperation was necessary. That China and the US signed the same document on the same day was itself diplomatically significant. That the declaration created no binding obligations, no enforcement mechanism, and no institutional follow-through was equally significant.
The Bletchley process continued. A second summit was held in Seoul in May 2024, producing the Seoul Declaration and establishing an International Network of AI Safety Institutes, with the US, UK, EU, and others committing to create or designate national AI safety institutes that would cooperate on frontier model evaluation. A third summit followed in Paris in February 2025, at which the United States signed the final communiqué only after reservations about language on AI governance multilateralism.
Parallel to the Bletchley process, the G7 launched the Hiroshima AI Process at its May 2023 summit in Japan. The process produced two significant outputs in October 2023: the Hiroshima AI Guiding Principles and a Code of Conduct for organizations developing advanced AI systems. The eleven principles covered safety, security, transparency, accountability, explainability, and responsible information sharing. The Code of Conduct was addressed specifically to developers of frontier AI systems and included commitments to publish transparency reports, enable post-deployment monitoring, and report significant vulnerabilities to governments.
Like the Bletchley Declaration, the Hiroshima instruments are politically significant but legally non-binding. Their practical effect depends on whether signatory governments incorporate the principles into domestic regulation. The EU explicitly cited the Hiroshima Principles as consistent with its AI Act approach. Japan, which hosted the process, subsequently enacted AI governance guidelines through its Digital Agency. The US government endorsed the principles as consistent with EO 14110, the executive order that was later rescinded.
In December 2023, ISO and IEC jointly published ISO/IEC 42001:2023, the first international standard for AI management systems. Structured like ISO 9001 (quality management) and ISO 27001 (information security), it provides a certifiable framework for organizations to demonstrate responsible AI governance. Within six months, certification bodies in 30 countries were offering ISO 42001 audits. Critically, the EU AI Act's implementation guidance explicitly references ISO/IEC 42001 as a tool organizations can use to demonstrate compliance with GPAI code of conduct requirements, creating a direct pathway from voluntary international standard to legally relevant compliance evidence.
The OECD Principles on AI, adopted in May 2019 and updated in 2024, were the first intergovernmental AI governance instrument. Forty-two countries (all 38 OECD members plus Argentina, Brazil, Colombia, and Romania) endorsed them. The five principles cover: inclusive growth and sustainable development; human-centred values and fairness; transparency and explainability; robustness, security, and safety; and accountability. The OECD also maintains the AI Policy Observatory (OECD.AI), which tracks over 1,000 AI policy initiatives across 70 jurisdictions and is widely used by researchers and policymakers as the definitive comparative database.
The OECD principles have significant regulatory shadow despite being non-binding: the EU AI Act's recitals explicitly cite OECD AI principles as foundational. The NIST AI RMF was developed with reference to them. Multiple national AI strategies (including Canada's Pan-Canadian AI Strategy, Singapore's Model AI Governance Framework, and India's National AI Strategy) cite them as reference points. The principles function as a shared vocabulary even when enforcement is national.
Three technical standards bodies are shaping AI governance below the legislative level:
IEEE: The IEEE Standards Association's P7000 series addresses ethically aligned AI design. IEEE P7001 (Transparency), P7002 (Data Privacy), P7003 (Algorithmic Bias), and P7010 (Wellbeing Metrics) are active standards. IEEE also publishes the Ethically Aligned Design framework, widely referenced in corporate AI ethics programs.
ISO/IEC JTC 1/SC 42: The joint ISO/IEC subcommittee on AI has produced a growing family of standards including ISO/IEC 22989 (AI concepts and terminology), 23053 (framework for AI using ML), 24029 (robustness assessment), and the pivotal ISO/IEC 42001 management system standard. SC 42 is the primary venue where technical definitions that will eventually appear in regulations are worked out.
ITU: The International Telecommunication Union has focused on AI standards for telecommunications and developing-world contexts. Its AI for Good platform and Focus Group on AI for Health have produced technical reports and standards that influence national regulators in countries that lack independent AI standard-setting capacity.
A 2024 analysis by the International Chamber of Commerce estimated that a multinational company operating AI systems across the EU, US, UK, China, India, and Canada would need to comply with at least 11 distinct regulatory frameworks by 2026, with compliance costs potentially exceeding $10 million annually for large AI deployments. The analysis identified mutual recognition agreements (treaties where jurisdictions accept each other's compliance determinations) as the most promising mechanism for reducing fragmentation, but noted that no AI-specific mutual recognition treaties existed as of publication.
You are advising a multinational AI company on how to use international standards and multilateral frameworks to reduce compliance burden across jurisdictions. The key insight: ISO/IEC 42001 certification, OECD AI Principles alignment, and Hiroshima Code of Conduct adherence can create compliance synergies across the EU, US, and other markets. Use this lab to develop practical multi-jurisdictional strategies.