AI Governance: The Rules Are Coming

For a while, AI felt like the Wild West. Companies could build and deploy pretty much anything, and the rules hadn't caught up yet. Move fast and break things. Ask forgiveness, not permission.

That's changing quickly. And honestly, after seeing some of the AI failures and misuses of the past few years, it's probably a good thing—even if it makes things more complicated for people building with AI.

The Global Regulatory Landscape

Different parts of the world are approaching AI governance differently. Here's the current state:

European Union: The AI Act

The EU has taken the most comprehensive approach with its AI Act, which became enforceable in 2025. The framework categorizes AI systems by risk level:

Unacceptable Risk (Banned)

• Social scoring systems (like China's)
• Real-time biometric surveillance in public spaces
• AI that manipulates people's behavior subconsciously
• Emotional recognition in workplaces and schools

High Risk (Heavy Regulation)

• AI in hiring and employment decisions
• AI in educational assessment
• AI in healthcare and medical devices
• AI in law enforcement and justice systems
• AI in critical infrastructure control

Limited Risk (Transparency Requirements)

• Chatbots and virtual assistants (must disclose they're AI)
• Emotion recognition systems
• AI-generated content

Minimal Risk (No Specific Regulation)

• AI in video games
• Spam filters
• Most consumer applications

For high-risk AI, companies must:

• Document the system's purpose, design, and training data
• Test for bias and discrimination
• Provide explanations for AI decisions
• Enable human oversight and intervention
• Maintain detailed logs and records

United States: Sector-Specific Approach

The US has avoided comprehensive AI legislation in favor of sector-specific rules and executive guidance:

• Healthcare: FDA frameworks for AI medical devices
• Financial: Existing fair lending laws apply to AI decisions
• Employment: EEOC guidance on AI in hiring
• Defense: DoD ethical AI principles

The Biden administration's 2023 Executive Order on AI established requirements for powerful AI systems, including safety testing and government oversight. However, enforcement remains fragmented.

China: State-Controlled Innovation

China has implemented regulations that balance promoting AI leadership with maintaining state control:

• Requirements for AI-generated content labeling
• Restrictions on generative AI that contradicts state positions
• Data localization requirements
• Algorithm registration and review

Other Major Players

• UK: Post-Brexit "pro-innovation" approach with lighter regulation
• Japan: Principles-based governance, minimal hard rules
• Singapore: Voluntary AI governance framework
• Brazil: AI law modeled partly on EU approach

Why This Matters Even If You're Not in Europe

A typical reaction from US-based companies: "I'm not selling in Europe, so EU rules don't apply to me."

This is increasingly wrong for several reasons:

The Brussels Effect

Many companies building AI tools serve global customers. If you want to sell in Europe—or if your customers want to serve European clients—you follow European rules. In practice, companies often implement EU compliance globally rather than maintaining separate systems.

This "Brussels Effect" means EU regulations effectively become global standards.

Regulatory Contagion

Other countries are watching the EU experiment and will likely copy elements that work. If EU-style rules prove effective, expect similar frameworks in Brazil, India, and eventually the US.

Customer Expectations

Even without legal requirements, customers increasingly expect AI transparency and fairness. Regulatory frameworks create benchmarks that become market expectations.

What's Actually Being Required

Let's get specific about what regulations typically require:

Documentation

You need to document:

• What your AI system does and is intended for
• How the system was trained (data sources, methods)
• Known limitations and failure modes
• How the system is tested and monitored

Bias Testing

Before deployment and ongoing:

• Test for discriminatory outcomes across protected groups
• Document test results and any issues found
• Explain mitigation steps for identified biases

Explainability

For high-stakes decisions:

• Ability to explain why the AI made a specific decision
• Human-readable explanations for affected individuals
• Technical documentation for auditors

Human Oversight

Requirements that humans can:

• Understand the AI system's outputs
• Decide whether to override AI recommendations
• Intervene to prevent harm
• Be ultimately accountable for decisions

Data Governance

• Clear records of training data sources
• Consent or legal basis for using training data
• Ability to respond to data subject requests
• Data retention and deletion policies

My Honest Take: The Good and the Bad

I've seen enough AI failures to think some guardrails are needed. Hiring algorithms with racial bias. Medical AI that works worse for minority patients. Content recommendation systems that radicalize users. Customer service bots that gaslight customers.

The question isn't whether regulation is needed—it's whether the specific regulations will be sensible and proportionate.

What's Good About Current Approaches

Risk-based frameworks make sense. Regulating a hiring algorithm more strictly than a game AI is logical. Not all AI needs the same oversight.

Transparency requirements are overdue. People deserve to know when they're interacting with AI and when AI is making decisions about them.

Bias testing should be standard. If you're deploying AI that affects people's lives, you should test whether it harms certain groups. This should be common practice, not a regulatory burden.

What's Concerning

Compliance costs favor big companies. Detailed documentation, bias testing, and explanation systems require resources. Small companies and startups may struggle to comply, effectively creating barriers to competition.

Definitions are fuzzy. What exactly is "high risk"? What counts as "bias"? What's an acceptable explanation? Vague definitions create uncertainty and potential for inconsistent enforcement.

Global fragmentation. Different rules in different countries create complexity. A company might comply with EU rules but violate Chinese rules, or vice versa.

Speed vs. caution tension. Regulation inevitably slows things down. While some slowdown is appropriate, overly burdensome rules might push AI development to less regulated jurisdictions.

What to Do About It: Practical Steps

If You're Building AI Products

Start documenting now. Even if regulations don't currently require it, you'll eventually need to document your AI systems. Building this habit early is easier than retrofitting later.

Think about bias testing before launch. If your AI makes decisions about people, test whether outcomes are equitable across groups. This is good practice regardless of legal requirements.

Design for explainability from the start. Adding explanations after the fact is hard. Building in logging and interpretability from the beginning is much easier.

Monitor your specific industry. Regulations vary by sector. Healthcare AI faces different rules than entertainment AI. Know what applies to you.

Watch the big cases. Enforcement actions and court cases establish precedents. Following regulatory announcements isn't enough—watch how rules are actually applied.

If You're Using AI Tools

Know that the landscape is evolving. The tools you use in a few years will probably have more transparency and oversight than today's tools.

Ask vendors about compliance. If you're using AI tools for high-stakes decisions, ask about bias testing, documentation, and ability to explain decisions.

Don't assume AI is unbiased. Current AI systems can reflect and amplify biases. Human oversight remains important.

Looking Forward

The wild west era of AI is ending. What replaces it will be a balance between innovation and oversight, shaped by ongoing negotiation between technologists, regulators, and affected communities.

The best-case scenario: sensible regulation that prevents the worst harms while allowing beneficial innovation. The risk: either too-light regulation that doesn't address real problems, or too-heavy regulation that stifles development while providing false confidence in safety.

If you're building with AI, the smart approach is to assume regulation is coming, design systems that can handle oversight, and engage constructively with policy development rather than ignoring it until it's imposed.

Related reading:

• AI Ethics in Content Creation
• YouTube's AI Slop Crackdown
• Responsible AI Tools