The EU AI Act hits all three of Scott's institutional pillars at once. Here is why that makes it the most consequential IS policy since GDPR.
I was reading the Grisold, Berente, and Seidel (2025) paper on guardrails for human-AI ecologies and I stopped at the paragraph where they quoted the EU AI Act directly. The Act was not just a regulatory backdrop in their argument. It was a source of principles that deep norms in human-AI ecologies should reflect. Human agency and oversight, technical robustness and safety, privacy and data governance, transparency, non-discrimination, fairness, accountability. The paper treated these as the normative foundation of the whole guardrails framework. And I realized this is what institutional theory looks like while it is still happening, before the taken-for-grantedness settles in and nobody remembers the alternative.
Scott (1995) gave us three institutional pillars for understanding why organizations adopt practices. The regulative pillar works through laws, rules, and sanctions on the logic of expedience. The normative pillar works through values, professional standards, and obligations on the logic of social appropriateness. The cultural-cognitive pillar works through shared taken-for-granted understandings and schemas on the logic of ontological reality, the quiet assumption that this is simply how things are done here. Most regulatory interventions hit one pillar hard and maybe graze another. The EU AI Act is landing on all three at the same time, and that is rare enough that it deserves close attention from anyone who studies how institutions shape technology adoption.
Start with the regulative pillar because it is the most visible and the easiest to measure. The EU AI Act imposes fines for noncompliance. I need to double-check this, but my recollection is that the most serious violations can draw penalties up to seven percent of global annual turnover. That figure changes the calculus for every company that does business in the European market. It is classic coercive isomorphism in the DiMaggio and Powell (1983) sense. The pressure is external, it is regulatory, and the cost of ignoring it is concrete and material. Organizations do not adopt AI governance frameworks because they independently decided governance was the right thing to do. They adopt them because the alternative is a fine that can reach billions for the largest firms. The regulative pillar operates on expedience, and expedience is a reliable mechanism if what you want is compliance.
But the AI Act does not stop at fines. It names values that the professional AI community will spend the next decade operationalizing. The same principles that Grisold et al. (2025) use as deep norms are the ones the Act codifies. Professional associations, auditors, AI ethicists, and consultants will build standards, certifications, and best-practice frameworks around these principles. Over time, adopting those frameworks will feel less like compliance and more like professional competence. Organizations will hire AI ethics officers not because the regulation directly mandates it, but because the normative field now says a responsible AI operation has one. That is normative isomorphism propagating through professional networks and shared certifications. I wrote about this pattern before in my post on institutional isomorphism and AI adoption, where normative pressure from professional associations makes certain practices feel like the only reasonable path. The EU AI Act is accelerating that same normative convergence for governance specifically.
The cultural-cognitive pillar is the one I find most interesting because it is invisible while it is being built. The EU AI Act, together with GDPR before it, is defining what responsible AI means at the level of taken-for-granted assumption. A startup building an AI product in 2026 is not debating whether it needs fairness assessments or transparency documentation. Those are built into the platform now. The question of whether to do responsible AI governance does not arise. The only question is which vendor or framework to use for implementing it. That is the cultural-cognitive pillar closing. Scott described it as operating below conscious awareness, where organizations adopt practices not because they are required or even because they are best practice, but because the alternatives are no longer conceivable. The EU AI Act is accelerating that closure for AI governance the same way GDPR did for privacy.
This is why GDPR matters so much as a precedent. When GDPR went into effect in 2018, it was experienced primarily as coercive pressure. Companies scrambled to comply. Legal teams rewrote terms of service. Consultants built entire practices around it. That was the regulative pillar in action. But look at the landscape in 2026. GDPR compliance is infrastructure. No company that handles EU personal data asks whether they need a privacy notice. No platform debates whether to support data access requests. The norm has been internalized so deeply that the original coercive pressure is invisible. GDPR started as coercive isomorphism and settled into the cultural-cognitive layer. I think the EU AI Act will follow the same trajectory, and it will move faster because the institutional field around AI governance is less established than the privacy field was in 2018. There is more room to define what the field becomes.
The global reach of this is what some scholars call the Brussels Effect. When the EU regulates, companies often comply globally rather than maintain separate product lines and compliance stacks for different regions. GDPR was the clearest example. Privacy regulations in Brazil, Japan, and California borrowed DNA from GDPR because it was the most comprehensive framework available. The EU AI Act is positioned for the same pattern. Not because the EU has the most AI companies, but because the EU has a market large enough that access conditions become global design constraints. An AI company that wants to operate in Europe will comply with the Act. That same company will find it cheaper to apply the same governance framework everywhere. And companies that have no plans to operate in Europe will still look at the EU AI Act as the most legitimated governance framework available and adopt it as a template for mimetic convenience.
I keep noticing an asymmetry in how this plays out. There are three categories of organizations. Those inside the EU will comply because they have to. Those outside the EU that target EU users will also comply because the market access condition is binding. Those outside the EU that do not target EU users will likely use the EU AI Act as a template anyway, because uncertainty about how to govern AI is high and building an original framework from scratch is expensive. That third group is mimetic isomorphism in DiMaggio and Powell's original sense. They adopt the EU framework not because the law applies to them but because it is the available answer to a hard question, and adopting the available answer is what organizations do under uncertainty.
I think the EU AI Act is the most important IS policy event since GDPR. Not because of the fine amounts or the compliance deadlines. Those are standard regulatory mechanics. The reason it matters is that it changes the institutional field in which every global AI company operates. Scott's three pillars framework tells the full story. The regulative pillar creates the floor through fines. The normative pillar builds the walls through professional standards and certification. The cultural-cognitive pillar closes the ceiling by making the EU framework feel like the only reasonable way to think about AI governance. Each pillar reinforces the others. The fines change the expedience calculus. The principles change the professional norm set. And the taken-for-grantedness that will follow changes what questions organizations even think to ask about AI. The EU is not just writing rules. It is building the institutional infrastructure of an entire technological domain. Twenty years from now I doubt anyone will remember the debates about whether the Act was too strict or too permissive. What they will remember is that after it passed, the question of whether AI should be governed was no longer a question.
About the author
Share
More notes
Related notes