The EU has comprehensive legislation. The US has executive orders. China has sector-specific rules. The UK has no AI-specific law. Organizations operating globally must navigate all four simultaneously.
A colleague who works in HR technology for a multinational company told me last year that she had four different legal teams reviewing the same AI-based hiring tool. One team was working on EU AI Act compliance for European operations. One was reviewing the tool against Executive Order 14110 guidance relevant to federal contractor requirements. One was checking against Chinese generative AI service regulations for the China deployment. And one was assessing UK employment law implications in the absence of any AI-specific legislation. Same tool. Same underlying model. Four parallel legal analyses producing requirements that do not align with each other. That is what regulatory fragmentation looks like in practice.
The EU AI Act is the most comprehensive of the four frameworks I want to look at here. I wrote about it in more detail in my post on what the EU AI Act means for IS practitioners, so I will keep the summary short: it passed in March 2024, entered into force in August 2024, establishes a risk-based classification from unacceptable to minimal risk, and applies based on where the AI system's outputs are used rather than where the developer is located. The high-risk category covers domains including employment, credit, essential services, and law enforcement. The compliance obligations for high-risk systems are substantial: conformity assessments, technical documentation, human oversight mechanisms, and registration. This is prescriptive, comprehensive legislation.
The US approach as of 2023-2024 is considerably more diffuse. Executive Order 14110, signed in October 2023, directed federal agencies to address AI safety, security, and equity, and required safety evaluations for certain large AI models before federal deployment. This is a matter of public record. The National AI Initiative, established by the National AI Initiative Act of 2020, and the NIST AI Risk Management Framework, published in 2023, provide voluntary guidance frameworks. "Voluntary" is the key word: US federal AI governance, outside of specific regulated industries like healthcare and finance, has been principle-based and non-prescriptive rather than legally mandating specific compliance requirements for private sector AI development. The approach reflects a deliberate choice to favor flexibility and innovation space over regulatory certainty.
China's regulatory approach has developed rapidly along different priorities. The Cyberspace Administration of China issued regulations on algorithmic recommendation systems in 2022 and regulations on generative AI services in 2023. Both are widely reported and real regulatory developments. The generative AI regulation, in particular, requires that AI-generated content meet standards around "social order," socialist core values, and prevention of content that could undermine state authority. These are different regulatory priorities than the EU's human rights and non-discrimination framework or the US's safety and security framing. Chinese regulation also moves quickly: the timeline from drafting to implementation has been compressed compared to EU legislative cycles. For a company operating in China, this means AI governance requirements can shift with relatively short notice.
The UK has taken what it calls a "pro-innovation" approach, which as of my last reading means largely relying on existing regulators to apply their existing mandates to AI within their domains. The Financial Conduct Authority applies its rules to AI in financial services. The ICO applies data protection law to AI systems using personal data. There is no single AI-specific law. The UK government published a white paper on AI regulation and has indicated it may introduce legislation, but the practical reality for organizations operating in the UK is that AI compliance is currently domain-specific and fragmented across existing regulatory frameworks rather than unified under a new act. I hedge any specific legislative timeline because the UK regulatory situation was actively evolving as of my knowledge.
Gartner research has tracked this fragmentation explicitly. A search of the Gartner newsroom at gartner.com/en/newsroom surfaces several relevant findings. A 2025 report noted that by 2027, fragmented AI regulation would grow to cover 50 percent of the world's economies, and by 2030 that fragmentation would extend to 75 percent of economies, driving what Gartner projected as a billion-dollar compliance market. A separate Gartner press release from October 2025 predicted that AI regulatory violations would result in a 30 percent increase in legal disputes for technology companies by 2028. These are forecasts, not measured outcomes, and I cite them as directional signals about how analysts assess the trajectory of this space. The core observation is consistent: the regulatory landscape is not converging. It is fragmenting.
The compliance challenge for a genuinely global organization is that these frameworks are not harmonized, and some of their requirements are in tension with each other. The EU AI Act requires specific technical documentation and human oversight for high-risk systems. NIST's AI RMF recommends a different organizational process for AI risk management. Chinese generative AI regulations require content filtering based on criteria that do not map cleanly onto EU non-discrimination requirements. An organization trying to build a single global AI governance framework faces the question of whether any architecture can satisfy all four simultaneously, or whether the organization needs fundamentally different compliance approaches per jurisdiction, which means different documentation, different testing protocols, and different oversight structures for what may be the same underlying system.
My read is that this is not primarily a technical problem. The technical community can build AI systems that are auditable, documented, and capable of being monitored for compliance. What is harder is the organizational and legal problem of maintaining multiple compliance postures across jurisdictions that start from different regulatory philosophies. The EU approach starts from fundamental rights and risk management. The US approach starts from innovation enablement and voluntary guidance. China's approach starts from social order and state oversight. These are different first principles, and you cannot satisfy all three simultaneously with a single governance framework. Something has to give.
For IS practitioners, the practical implication is that AI governance can no longer be designed at the product or system level alone. It needs to be designed at the deployment context level. An AI hiring tool is not simply an AI hiring tool. It is an AI hiring tool deployed in Germany (EU AI Act high-risk), and also in Texas (US executive guidance), and also in Shanghai (Chinese regulations), and also in London (UK existing regulator jurisdiction), and each of those deployment contexts carries distinct requirements. The governance architecture has to account for that variation, which means the compliance question has to be part of the system design from the beginning rather than a layer added after the product is built.