In 2023, when the European Union finalised its landmark AI Act, the legislation was widely described as a template that other jurisdictions would follow. Two years later, that prediction has proven only partially correct. Major economies have indeed moved to regulate artificial intelligence, but the resulting frameworks differ from each other — and from the EU model — in ways that have material implications for how businesses deploy AI globally. The fragmentation is not accidental; it reflects genuinely different political, economic, and cultural approaches to the question of how artificial intelligence should be governed. For multinational businesses, the practical consequence is that AI compliance has become a multi-jurisdictional exercise resembling data protection regulation a decade ago, and managing it requires explicit strategy rather than reactive response.
The European Union AI Act
The EU AI Act remains the most comprehensive AI regulation in force globally. Its key innovation is a risk-based classification system that categorises AI applications into four tiers — unacceptable risk, high risk, limited risk, and minimal risk — with regulatory obligations scaled to the risk level. Unacceptable risk applications, including social scoring systems and certain forms of biometric categorisation, are prohibited entirely. High-risk applications, which include AI used in employment, education, credit decisions, law enforcement, and critical infrastructure, must satisfy detailed requirements for risk assessment, data quality, transparency, human oversight, and post-market monitoring.
The compliance burden for high-risk AI systems is substantial. Companies must produce technical documentation describing the system, its training data, its testing methodology, and its limitations. They must implement quality management systems, conduct conformity assessments, and register the system in an EU database. They must monitor performance after deployment and report serious incidents to authorities. The costs of compliance vary widely depending on the system, but estimates from leading European law firms suggest 100,000 to 500,000 euros per high-risk system as a typical range for initial compliance, plus ongoing monitoring costs.
Generative AI and foundation models receive special treatment under the Act. Providers of general-purpose AI systems must meet transparency obligations, including disclosing summaries of copyrighted training data. The most powerful foundation models — those classified as systemic risk — face additional requirements including model evaluations, cybersecurity assessments, and incident reporting. These provisions are still being interpreted by the EU AI Office, the new regulatory body responsible for enforcement, and the precise compliance expectations are emerging through guidance and enforcement actions.
China’s Generative AI Framework
China has taken a different approach, prioritising operational supervision over comprehensive risk classification. The Interim Measures for the Management of Generative Artificial Intelligence Services, which took effect in 2023, require providers of generative AI services to register with the Cyberspace Administration of China, implement content moderation systems, and ensure outputs align with Chinese values and laws. Algorithm filing requirements, which apply to recommendation systems and many AI applications, require companies to provide detailed information about their algorithms to the regulator.
The Chinese framework operates within a broader context of data localisation requirements, security review obligations, and content regulations that significantly affect how AI businesses operate in China. Foreign companies offering AI services in China face additional compliance complexity related to data export restrictions and the operational requirement to host certain data and AI processing within China. The practical effect is that many global AI companies operate parallel infrastructure for China — a separate model deployment, a separate compliance framework, and often separate teams.
The United States: Federal Patchwork and State Action
US federal AI regulation has been characterised by executive action rather than comprehensive legislation. The Biden administration’s October 2023 executive order on AI imposed significant requirements on developers of the most powerful AI models, including reporting on model training, red-team safety testing, and infrastructure security. The Trump administration’s subsequent rescission of that executive order in early 2025 left the federal regulatory landscape less defined, although certain agency-level requirements — including FTC enforcement of AI in consumer applications and FDA regulation of AI medical devices — have continued and in some areas intensified.
State-level AI regulation has filled some of the federal gap, particularly in California. The California AI Transparency Act requires disclosure when AI is used in significant consumer-facing applications. Other state laws address specific applications — Illinois’s regulation of AI in hiring, New York City’s automated employment decision tool law, Colorado’s AI Act addressing high-risk consumer applications. The result is a patchwork that companies operating across multiple states must navigate, with the patchwork resembling US privacy regulation in its fragmentation and operational complexity.
Asia-Pacific: Diverse Approaches
The Asia-Pacific region exhibits the most diverse approaches to AI regulation among major economies. Singapore has pursued a principle-based framework through its Model AI Governance Framework, which provides guidance rather than binding rules and emphasises industry self-regulation. Singapore’s approach has been influential in Southeast Asia, where multiple jurisdictions have adopted similar non-binding frameworks.
Japan has taken a hybrid approach, combining principle-based guidance with mandatory rules in specific high-risk applications. The Japanese AI Strategy Council coordinates across ministries on AI governance, and sector-specific regulations apply to AI in financial services, healthcare, and certain employment contexts. The approach reflects Japan’s preference for principle-based regulation supplemented by sector-specific rules.
South Korea passed comprehensive AI legislation in 2024 that takes effect in 2026. The Korean AI Basic Act creates a risk-based framework similar in structure to the EU AI Act, with prohibitions on certain applications and detailed compliance requirements for high-risk systems. The legislation positions South Korea as the second major jurisdiction with comprehensive risk-based AI regulation, and its implementation will be closely watched as a test of whether the EU-style approach can work in a different economic and political context.
India’s Emerging Framework
India has not enacted comprehensive AI legislation but has issued a series of advisories and is developing a framework through its Ministry of Electronics and Information Technology. The 2024 advisory requiring social media platforms and AI service providers to obtain explicit government approval before deploying generative AI was widely criticised and was subsequently softened, but it signalled regulatory attention to AI deployment. The Digital Personal Data Protection Act, which addresses the personal data dimension of AI systems, applies broadly to AI processing of personal data and creates compliance obligations that intersect with AI-specific requirements that may emerge.
India’s approach reflects a desire to support AI innovation while managing specific risks, particularly around misinformation, deepfakes, and election integrity. The government’s IndiaAI Mission, launched in 2024, includes significant funding for domestic AI infrastructure and capability development alongside its regulatory considerations. For businesses deploying AI in India, the regulatory environment is best characterised as evolving rather than settled, requiring active engagement with regulatory developments.
Cross-Cutting Compliance Themes
Despite the differences in regulatory approach across jurisdictions, several themes recur and define what businesses should prioritise in their AI governance programmes. Transparency about AI use — informing customers, employees, and other affected parties that AI is being used in decisions or interactions that affect them — appears in most major frameworks and is becoming a baseline expectation across jurisdictions. Risk assessment for high-impact AI applications, documentation of training data and model performance, and clear human oversight mechanisms are similarly widespread requirements with varying degrees of formality.
Bias testing and fair outcomes monitoring are increasingly common requirements, particularly for AI used in employment, lending, and other consequential decisions. The technical methods for bias testing vary, and regulators have not converged on specific standards, but the obligation to assess and mitigate biased outcomes is becoming widely established. Companies that have built bias testing into their AI development processes are better positioned for compliance across multiple jurisdictions than companies that treat bias as a public relations issue rather than an engineering discipline.
Incident reporting requirements are an emerging area of convergence. Multiple frameworks now require reporting of serious incidents involving AI systems — failures, harmful outcomes, security breaches affecting AI infrastructure. The specific reporting timeframes and channels vary, but the general requirement to maintain visibility into AI system performance and to escalate significant issues is becoming common ground across jurisdictions.
Building Global AI Governance Capability
For businesses operating across multiple jurisdictions, the practical implication is that AI governance must be designed as a multi-jurisdictional capability from the outset. The data protection regulation experience of the past decade offers a useful template: companies that built compliance capability anchored to the most rigorous applicable framework — typically GDPR — and adapted for variations in other jurisdictions have managed compliance more effectively than companies that tried to develop separate frameworks for each market.
The same approach is increasingly applied to AI. The EU AI Act, despite its costs, provides the most detailed compliance framework and can serve as the baseline against which compliance in other jurisdictions is assessed. Companies that build EU AI Act compliance as their default standard, with documented variations for jurisdictions with materially different requirements, are typically better positioned than those that try to build compliance jurisdiction by jurisdiction.
The era of AI as an unregulated frontier has ended. The frameworks now in place — and those emerging across additional jurisdictions — will shape how AI is deployed commercially for the next decade. Businesses that engage with these rules deliberately, building governance capability that can adapt as the rules evolve, will deploy AI more confidently and capture its benefits more fully than those that treat regulation as a friction to be minimised.
