AI Regulation in 2024: EU AI Act, US Executive Order, and Global Rules

Plain-English guide to AI laws that affect businesses now

Why AI regulation suddenly matters

For most of the last decade, AI was governed by general-purpose laws — data protection, anti-discrimination, product liability — applied after the fact. In 2024 that changed. Jurisdictions began passing rules written specifically for AI, with real obligations and real penalties. The shift matters because the rules increasingly attach to how a system is used, not just to who built it, so an ordinary company that merely deploys an AI tool for hiring or lending can now carry legal duties. Understanding the four most consequential regimes — the EU, the US, the UK, and China — is now part of operating responsibly.

The EU AI Act: risk tiers and extraterritorial reach

The EU AI Act is the world’s first comprehensive AI law and the one most businesses must plan around. Its core idea is risk-based regulation. A short list of uses is banned outright (such as social scoring and certain biometric surveillance). High-risk systems — used in employment, credit, education, medical devices, and critical infrastructure — must meet strict requirements: risk management, data governance, human oversight, logging, accuracy testing, and conformity assessment before going to market. Limited-risk systems like chatbots and deepfakes carry transparency duties (users must be told they are interacting with AI). General-purpose AI models face documentation and copyright obligations of their own. Crucially, the Act applies to any provider or deployer whose output is used in the EU, so non-EU companies are in scope.

The US approach: executive order plus a state patchwork

The US has taken a more fragmented path. The 2023 AI Executive Order does not create binding rules for the private sector directly; instead it directs federal agencies to develop safety standards, requires reporting from developers of the most powerful models, and tasks bodies like NIST with producing guidance such as the AI Risk Management Framework. Sector regulators — the FTC, EEOC, and financial regulators — apply existing consumer-protection, anti-discrimination, and fair-lending law to AI. Meanwhile states are filling the gap: Colorado passed a broad AI act, California enacted transparency and deepfake laws, and others are following. The result is a layered, evolving patchwork rather than a single statute.

The UK and China: two contrasting models

The UK has deliberately avoided a single AI law, opting instead for a principles-based, pro-innovation framework in which existing regulators apply five cross-sector principles (safety, transparency, fairness, accountability, and contestability) within their own domains. It pairs this with a voluntary safety testing regime via the AI Safety Institute. China has moved fastest on specific, binding rules — covering algorithmic recommendation, deep synthesis (deepfakes), and generative AI — with requirements such as labelling synthetic content, security reviews, and alignment with content rules. The two illustrate the spectrum: light-touch and flexible versus prescriptive and enforcement-heavy.

Practical compliance steps to take now

You do not need a legal department to start. First, inventory every AI system you build or use and record its purpose, data, and the jurisdictions of its users. Second, classify each system’s risk under the regimes that apply — most obligations key off this. Third, build the paper trail that nearly every framework demands: documentation of training data and limitations, human-oversight procedures, and testing for accuracy and bias. Fourth, add transparency: tell users when they are interacting with AI or seeing AI-generated content. Finally, assign ownership so someone is accountable for keeping the inventory and controls current as the rules — which are still being written — continue to evolve. Treating governance as an ongoing process rather than a one-off project is the durable way to stay compliant.
