Artificial intelligence development has, until recently, proceeded largely without specific regulatory oversight. The general principles of product liability, consumer protection, data protection, and sector-specific regulation applied to AI outputs, but no regulatory framework specifically addressed the risks posed by AI systems themselves. That is changing rapidly. A wave of AI-specific legislation is emerging globally, and organisations deploying AI systems need to understand its requirements.
The EU AI Act: A Risk-Based Framework
The EU AI Act, which entered into force in August 2024 and will be fully applicable from August 2026, is the world's most comprehensive AI regulation to date. It takes a risk-based approach, classifying AI systems into four categories: unacceptable risk (prohibited), high risk (heavily regulated), limited risk (transparency requirements), and minimal risk (voluntary codes of practice).
Prohibited AI practices include social scoring by governments, real-time biometric surveillance in public spaces (with narrow exceptions), AI that exploits psychological vulnerabilities, and systems that infer sensitive characteristics from biometric data. These are banned outright, with substantial fines for non-compliance.
High-risk AI systems — those that could pose significant risks to health, safety, or fundamental rights — include AI used in critical infrastructure, education, employment, credit, insurance, law enforcement, migration, and the administration of justice. These systems must meet strict requirements: risk management systems, high-quality training data, technical documentation, record-keeping, transparency towards users, human oversight mechanisms, and accuracy, robustness, and cybersecurity standards. Conformity assessment must be conducted before deployment.
The UK Approach: Principles Over Legislation
The UK has taken a deliberately different approach. Rather than introducing sector-specific AI legislation, the UK government has tasked existing regulators — the FCA, the ICO, the CMA, Ofcom, and others — with applying AI-specific guidance within their existing frameworks. The AI Safety Institute conducts evaluations of frontier AI models; the National AI Strategy provides investment direction; sector-specific guidance documents address AI in financial services, healthcare, and other regulated industries.
This approach is more flexible and faster to implement, but potentially less consistent across sectors. The UK is positioning itself as a pro-innovation AI jurisdiction — lighter-touch regulation to attract AI investment and talent — while participating in international efforts to agree on standards for frontier AI safety.
US Federal and State Approaches
In the United States, AI regulation has developed piecemeal at the federal level, with the Biden administration's 2023 Executive Order on AI providing a framework for federal agency action. Sector-specific guidance from the CFPB (consumer finance), EEOC (employment), and other agencies applies existing anti-discrimination laws to AI systems. The FTC has taken action against deceptive AI products under consumer protection law. A comprehensive federal AI law has been under discussion but has not yet passed.
At the state level, Colorado, California, and several other states have enacted or proposed AI-specific legislation, particularly focused on automated decision-making in employment, housing, and credit. The patchwork of state laws creates compliance complexity for companies operating across multiple jurisdictions.
China's Regulatory Framework
China has taken a rapid, prescriptive approach to AI regulation. Regulations on algorithmic recommendations (2022), deep synthesis (deepfakes, 2022), and generative AI services (2023) impose specific requirements on AI providers: security assessments, content moderation, watermarking of AI-generated content, user identification, and prohibition of specific content categories. China's framework is notable for its focus on content rather than risk categories, reflecting a different set of regulatory priorities.
International Standards and Coordination
Global AI governance is being shaped by international standards bodies and diplomatic forums. The OECD's AI Principles — endorsed by 46 countries — provide a non-binding framework emphasising transparency, accountability, safety, and human-centred values. The Global Partnership on AI (GPAI) provides a forum for multilateral AI governance discussion. ISO and IEEE are developing technical standards for AI risk management, bias testing, and explainability. The Bletchley Declaration, signed at the UK AI Safety Summit in November 2023, committed major AI nations to collaborative action on frontier AI safety — a first step towards international governance of the most powerful AI systems.
Practical Implications for Organisations
For organisations deploying AI, the message is clear: the regulatory environment is tightening and will continue to do so. Investing now in AI governance infrastructure — model registries, impact assessments, bias testing, explainability tooling, and human oversight procedures — reduces future compliance cost and reputational risk. Appointing dedicated AI governance roles or committees, engaging with regulators proactively, and monitoring the regulatory landscape continuously are essential elements of responsible AI deployment in a rapidly evolving policy environment.