AI Regulation Around the World: A Practical Comparison
AI regulation around the world has stopped being a hypothetical policy debate and become an actual compliance problem for anyone building or deploying AI across more than one country. The rules diverge sharply depending on jurisdiction, and they're changing fast enough that a comparison written a year ago is already out of date. Here's a practical look at where the major approaches stand and what the differences actually mean.
AI Regulation Around the World: The Three Big Models
Broadly, AI regulation around the world has settled into three distinct philosophies. The European Union has built a comprehensive, risk-tiered legal framework that applies horizontally across industries. The United States has taken a lighter-touch, sector-by-sector approach, layering guidance and existing law on top of AI rather than writing a single comprehensive statute. China has pursued direct state oversight, requiring registration and security review for AI systems, particularly generative ones, before they reach the public. Most other countries are picking pieces from these three models rather than inventing a fourth.
The European Union's Rulebook Approach
The EU AI Act is the most comprehensive AI-specific law passed by any major economy, and it works by sorting AI systems into risk tiers. Systems judged "unacceptable risk" — certain forms of social scoring or manipulative AI — are banned outright. "High-risk" systems, including AI used in hiring, credit scoring, law enforcement, and critical infrastructure, face strict requirements around documentation, human oversight, and testing before deployment. Lower-risk systems face lighter transparency obligations, like disclosing when a user is interacting with an AI system rather than a human. You can read the official framework directly at the European Commission's digital strategy page.
The practical effect for companies outside Europe is straightforward: if you have EU users, EU rules likely apply to you regardless of where your company is headquartered, the same extraterritorial pattern that made GDPR a de facto global standard for data privacy.
The United States' Lighter-Touch, Sector-by-Sector Approach
Rather than one federal AI law, the U.S. approach layers AI-specific guidance on top of existing sectoral regulators — financial regulators overseeing AI in lending, health regulators overseeing AI in medical devices, employment law covering AI in hiring decisions. States have moved faster than the federal government in places, passing their own AI-specific laws covering areas like automated employment decisions and consumer disclosure. The result is a patchwork: a company operating nationally may face different specific obligations depending on which states its users are in, on top of federal sectoral rules.
This fragmented pattern is part of why AI adoption inside large organizations increasingly runs through formal internal review, a trend covered in more depth in our piece on AI governance policy inside businesses. Companies are often building their own internal compliance frameworks precisely because the external regulatory picture is inconsistent across states and still shifting at the federal level.
China's State-Directed Model
China's approach centers on direct government oversight before deployment rather than post-hoc enforcement. Generative AI services face registration and algorithm-filing requirements with state regulators, content generated by these systems must align with specific content rules, and providers are held responsible for the outputs of their own systems in a more direct way than most Western frameworks require. This model prioritizes state visibility and control over the innovation-first, permissionless-launch culture more common in Silicon Valley, reflecting a broader difference in how the two systems balance state oversight against speed to market.
The Middle Path: How Everyone Else Is Choosing Sides
Most countries outside these three major blocs are still assembling their approach, and many are leaning on international coordination rather than writing fully original frameworks from scratch. The OECD's AI Policy Observatory tracks national AI strategies and policies across dozens of countries and has become a common reference point, since its AI Principles, first adopted in 2019 and updated since, were among the earliest internationally agreed AI governance frameworks and have influenced national policy well beyond the OECD's own member countries. The UK has favored a principles-based approach that leans on existing regulators rather than new AI-specific law, closer in spirit to the U.S. model, while countries like Canada, Brazil, and several across Southeast Asia have draft legislation that borrows structural elements directly from the EU's risk-tier system.
What This Means If You Build or Use AI Across Borders
For any organization operating internationally, the practical takeaway is that "AI regulation" is not one thing to comply with — it's several overlapping, sometimes contradictory regimes, and the cost of getting it wrong ranges from fines to being blocked from a market outright. The safest working assumption is to build toward the strictest applicable standard, which today is usually the EU's, since it's generally easier to relax internal controls for lighter-touch jurisdictions than to retrofit compliance after a high-risk system is already in production. For a look at how this regulatory uncertainty plays out in a specific, safety-critical physical industry, see our piece on AI on the construction site, where liability questions are still catching up with how fast the equipment itself is advancing. Regulation will keep changing, but the underlying pattern — risk-based rules, sectoral patchwork, or direct state control — is a useful map for predicting where any given country is likely to land next.