How the world is starting to govern AI

For most of its history, artificial intelligence was governed by almost nothing in particular. It was a research field and then an industry, subject to the general laws that apply to any technology but to few rules of its own. That has changed quickly. In the space of a few years, governments and international bodies have moved from broad statements of principle toward binding rules, and the outline of a genuine governance landscape is now visible.

This article is a map of that landscape: what the main approaches are, what they cover, what they leave out, and why the differences between them matter. It is written for the non-specialist who wants to understand the shape of AI regulation without tracking every clause of every proposal.

Three broad approaches

Strip away the detail and most efforts to govern artificial intelligence fall into one of three families. Understanding the families makes the specifics far easier to follow.

The risk-based approach

The most influential model sorts AI applications by how much harm they could cause and applies heavier rules to higher-risk uses. A system that filters spam is left largely alone; a system used in medical diagnosis, credit decisions, or law enforcement faces strict requirements for testing, documentation, transparency, and human oversight; and a small set of uses considered unacceptable are prohibited outright. The appeal of this approach is proportionality: it concentrates regulatory effort where the stakes are highest rather than treating all AI the same.

The European Union's AI Act is the most prominent example of this model and the most comprehensive AI law enacted to date. Its influence extends well beyond Europe, both because many organisations operating internationally choose to meet its standard everywhere and because other jurisdictions are studying it as a template.

The principles-and-guidance approach

A second family relies on voluntary frameworks, standards, and guidance rather than binding law. Bodies such as national standards institutes and international organisations have produced detailed, well-regarded frameworks for managing AI risk that organisations can adopt by choice. This approach is faster to produce and more flexible than legislation, and it can establish good practice ahead of any law. Its limitation is equally clear: voluntary measures bind only those who choose to be bound, and the organisations least inclined to constrain themselves are often the ones whose behaviour most needs constraining.

The sectoral approach

A third model declines to regulate "AI" as a category and instead applies existing, domain-specific rules to AI within each sector — medical-device regulators overseeing diagnostic AI, financial regulators overseeing automated lending, and so on. The strength of this approach is that it builds on regulators who already understand the stakes in their field. Its weakness is that AI systems frequently cut across sectors, and risks that fall between established regulators can go unaddressed.

In practice, most jurisdictions are assembling some combination of all three: binding rules for the highest-stakes uses, voluntary standards to fill the gaps and move quickly, and sector regulators applying their existing authority. The mix differs from place to place, and that variation is itself one of the defining features of the current moment.

What the rules tend to require

Beneath the differences, a common core of obligations recurs across serious governance efforts. Recognising this core helps you read any specific framework, because most are variations on the same themes.

• Risk assessment — identifying and documenting what could go wrong before a system is deployed.
• Data and design documentation — recording how a system was built, what it was trained on, and how it was tested, so that others can scrutinise it.
• Transparency obligations — informing people when they are subject to an automated decision or interacting with an AI system, and in some cases explaining the decision.
• Human oversight — ensuring that consequential decisions retain meaningful human involvement and the possibility of intervention.
• Monitoring after deployment — watching for failures and harms once a system is operating in the real world, not only before launch.

The striking thing about the emerging rules is not how exotic they are but how familiar: they are, in large part, the documentation, testing, and accountability that any safety-critical field already expects.

What the rules tend to leave out

A map is as useful for its blank spaces as its features. Several important areas remain only lightly addressed by most current governance efforts, and these gaps are where much of the future debate will concentrate.

The first is the most powerful general-purpose systems, whose range of possible uses makes the neat risk categories harder to apply. Rules built around specific applications struggle with a system that can be turned to almost any application. The second is enforcement: writing a requirement is one thing, and resourcing the regulators and audits needed to check compliance is another, frequently underfunded, thing. The third is the international dimension. Artificial intelligence does not respect borders, and a patchwork of differing national rules creates both gaps that can be exploited and burdens for organisations trying to comply with all of them at once.

Why the differences matter

It would be convenient if the world were converging on a single approach to governing artificial intelligence. It is not — at least not yet. The risk-based model favoured in some places, the lighter-touch and sectoral models favoured in others, and the voluntary standards filling the spaces between them add up to a fragmented landscape. For the public, this fragmentation has real consequences: the protections you enjoy when an AI system makes a decision about you may depend heavily on where you live and which rules happen to apply.

It also places a premium on a particular kind of work: clear, independent analysis of what the various rules actually do, free from the interests of those they regulate. Industry has every incentive to characterise rules as either reassuringly adequate or unworkably burdensome, depending on its aims. An honest account — describing what each framework covers, what it omits, and what is genuinely uncertain — is harder to come by and more valuable for it.

Where this is heading

The era of artificial intelligence governed by almost nothing is over, and it is not coming back. What replaces it is still being decided, in legislatures, standards bodies, and courtrooms, and the decisions are being made now, while the technology and our understanding of it are both still in motion. That is an uncomfortable position from which to write durable rules, but it is the only position available.

For the public, the task is not to master every provision but to understand the shape of the choices being made and to hold the people making them to account. A society that grasps the broad logic of how it is governing a powerful technology is in a far stronger position than one that leaves the question to specialists and interested parties. Providing the map for that understanding is part of why the Artificial Intelligence Foundation exists.