AI Regulation Around the World: Where the Frameworks Converge, Where They Diverge, and What It Means for Global Operators
As more than forty jurisdictions race to govern artificial intelligence, the frameworks are converging on a shared set of problems while diverging sharply on the values, institutions, and prohibitions behind them — and telling the difference is now the core compliance skill for any global operator.
June 29, 2026 · Quantum Nexus Ventures FZCO
The global AI regulatory landscape has, in the span of four years, gone from near-empty to bewildering. More than forty jurisdictions now have binding rules, draft legislation, or formal governance frameworks specifically addressing artificial intelligence. A practitioner trying to deploy an AI system across multiple markets faces a patchwork of obligations that overlap in some places, contradict in others, and use the same vocabulary to mean different things.
This article maps that terrain technically. The goal is not a survey of every framework — that would produce a list, not understanding. The goal is to identify where the frameworks genuinely agree at the design level, where they diverge in ways that create real compliance conflicts, and what the structural fault lines look like for the next five years.
The Major Frameworks
Before comparing, the frameworks worth comparing:
EU AI Act (Regulation 2024/1689): horizontal, risk-based, mandatory, with specific obligations for high-risk systems under Annex III, prohibited practices, and a dedicated regime for general-purpose AI (GPAI) models, with extra obligations for models presumed to carry systemic risk — presumed where cumulative training compute exceeds 10^25 FLOP (Article 51). It applies in phases: prohibited practices since February 2025, GPAI obligations since August 2025, most high-risk (Annex III) obligations from 2 August 2026, and high-risk systems embedded in regulated products (Annex I) from 2 August 2027. A "Digital Omnibus on AI" amendment — adopted by the European Parliament and Council in June 2026 and, as of this writing, awaiting publication in the Official Journal — would defer the Annex III date to 2 December 2027. Sources: EU AI Act (Reg. 2024/1689) · Article 51 · Digital Omnibus on AI
China: a layered system — Algorithmic Recommendation Measures (2022), Deep Synthesis Provisions (2022), Generative AI Measures (2023), with a comprehensive AI Law in drafting. Sector- and application-specific, led by the Cyberspace Administration of China (CAC), co-issued with bodies including MIIT and the Ministry of Public Security (SAMR co-signed the algorithmic-recommendation rules).
United States: no comprehensive (horizontal) federal AI statute as of mid-2026. EO 14110 (2023) was revoked in January 2025 (EO 14148) and replaced by EO 14179. Governance lives in sectoral regulation: Federal Reserve / OCC model risk guidance (SR 11-7), FTC enforcement authority, FDA AI/ML-based SaMD framework, FAA rules for aviation AI, state-level legislation (Colorado's AI Act (SB 24-205, since narrowed by SB 26-189), Texas's Responsible AI Governance Act (TRAIGA / HB 149, 2025), Illinois BIPA). NIST's voluntary AI Risk Management Framework (NIST AI 100-1, 2023), and the separate SP 1270 bias publication (2022), are the voluntary baseline. Sources: EO 14110 · Texas TRAIGA (HB 149) · Colorado SB 26-189 · NIST AI RMF
United Kingdom: deliberate non-legislation. The AI Security Institute (established 2023 as the AI Safety Institute; renamed February 2025), sector-specific regulator guidance (ICO, FCA, CMA, Ofcom, CQC), and the International AI Safety Report. Pro-innovation posture hardened into policy since the 2023 white paper. Sources: AI Security Institute
Canada: AIDA (part of Bill C-27) died on the Order Paper when Parliament was prorogued in January 2025 and was not revived before the 2025 federal election — any federal AI law would require fresh legislation; in the meantime, sector-specific rules and a voluntary code for generative AI apply. Sources: Bill C-27 / AIDA (analysis)
Brazil: Bill 2338/2023, approved by the Federal Senate in December 2024 and now under review in the Chamber of Deputies, adopts a risk-based architecture inspired by the EU AI Act. If passed, it would be the most comprehensive AI framework in Latin America. Sources: Brazil PL 2338/2023
Japan: a light-touch AI Promotion Act (2025) — binding as a 'fundamental law' of basic policy but carrying no penalties, relying on guidance and voluntary compliance ('agile governance') — plus a Basic AI Plan and a strong track record on standards participation (ISO/IEC JTC 1/SC 42). Sources: Japan AI Promotion Act
Singapore: Model AI Governance Framework (2019, updated 2020; extended for generative AI in 2024), AI Verify testing toolkit, voluntary and industry-focused. MAS FEAT guidance for financial-sector AI.
South Korea: AI Basic Act (formally the Framework Act on the Development of Artificial Intelligence and Establishment of Trust) — passed December 2024, promulgated January 2025, effective January 2026 — risk-based, with obligations for 'high-impact AI'. Sources: South Korea AI Basic Act
Vietnam: a standalone AI Law (Law No. 134/2025/QH15), effective 1 March 2026, establishing human oversight of AI decisions as a core principle and mandating human oversight for high-risk systems. Sources: Vietnam AI Law
Council of Europe: Framework Convention on Artificial Intelligence (CETS 225, 2024) — the first binding international treaty on AI, open for non-member state accession. Sources: CoE Framework Convention (CETS 225)
Zones of Convergence
1. Risk-Based Stratification
The most significant structural convergence is the acceptance of risk-based approaches as the organizing principle. The EU AI Act, the Council of Europe Convention, Brazil's draft, South Korea's Basic Act, and even China's measures all tier obligations based on the potential impact of the AI system. Low-risk systems face disclosure requirements at most; high-impact systems face conformity assessment, documentation, human oversight, and post-market monitoring.
The practical implication: any compliance architecture built for the EU AI Act's risk tiers will have broad conceptual transferability across these frameworks. The tiers are not identical — definitions of "high-risk" diverge significantly — but the underlying logic is shared.
2. Human Oversight as a Non-Negotiable
Every major framework, including the US sector-specific guidance, requires that consequential AI decisions be subject to human oversight capable of overriding the system. The EU AI Act (Article 14), Vietnam's AI Law, US model risk management guidance (SR 11-7's independent validation requirements), and the Council of Europe Convention all converge here. Sources: Article 14
The technical requirements differ, but the structural requirement is the same: a human must be in a position to meaningfully review and override the AI system's outputs before they produce binding consequences. "Meaningful" is the operative word. A human who cannot outthink the system — who lacks the domain depth to evaluate its outputs critically — satisfies the formal requirement but fails the functional one. This is an organizational design problem as much as a compliance problem.
3. Transparency and Explainability
All major frameworks require some form of transparency toward affected persons and, where applicable, regulators. The scope varies: the EU AI Act requires documentation, logging, and instructions for use; the US Federal Trade Commission treats unexplainable AI decisions as potentially deceptive; China's Generative AI Measures require disclosure of AI-generated content; the Council of Europe Convention includes transparency as a core principle.
The technical standard implied — that a system's outputs must be traceable to identifiable inputs and reasoning steps — is common across jurisdictions. The level of technical granularity required differs. The EU AI Act contemplates audit logs capable of reconstructing decisions post-hoc. US model risk guidance requires independent validation of model logic. Both demand the same thing: the ability to explain, under scrutiny, why the system produced a given output.
4. Narrow Prohibitions
A narrower but genuine zone of convergence: social scoring systems that rate individuals across contexts for general-purpose societal control are prohibited or heavily restricted in both the EU AI Act (Article 5) and by principle in the Council of Europe Convention. Subliminal manipulation below the threshold of conscious awareness is similarly prohibited across most frameworks. Real-time remote biometric identification in public spaces is restricted by the EU and by data protection frameworks in multiple jurisdictions.
The convergence here is meaningful but limited: what is prohibited in one jurisdiction is often permitted or even mandated in another (see: China's use of facial recognition infrastructure for public safety purposes, which the EU AI Act would prohibit for equivalent EU deployments).
5. General-Purpose AI / Foundation Models
The EU AI Act's Chapter V (Articles 51-56) GPAI obligations and China's Generative AI Measures represent the first binding frameworks to address foundation models specifically, not just their downstream deployments. Both require capability evaluations, systemic risk assessments for the most powerful models, and transparency about training data. The US EO 14110 (now revoked) similarly focused on models above a compute threshold.
The convergence is conceptual: regulators worldwide are grappling with the fact that the risk-based framework designed for specific applications breaks down when a single model underlies thousands of applications. The technical response — compute thresholds as a first-pass proxy for capability, with secondary assessments — has been adopted by the EU and was present in the US approach before it was revoked.
Zones of Divergence
1. Binding vs. Voluntary / Horizontal vs. Sector-Specific
The EU AI Act is horizontal (applies across all sectors), mandatory, and enforced by national market surveillance authorities with substantial fine authority (up to €35M or 7% of global turnover for prohibited-practice violations). The UK has no equivalent and explicitly chose not to create one. The US has no federal horizontal AI statute. Japan, Singapore, and Australia maintain voluntary frameworks. Sources: Article 99
This is not a minor procedural difference. It determines whether compliance is a legal obligation or a reputational choice, who enforces it, and what the cost of non-compliance actually is. A global AI system deployed in the EU faces mandatory conformity assessment for certain applications. The same system deployed only in Singapore faces a voluntary checklist.
2. The Fundamental Rights vs. National Security Axis
The EU AI Act is built on a fundamental rights foundation. Its high-risk categories are defined by their potential to affect health, safety, and fundamental rights. Its prohibitions are framed in terms of human dignity and autonomy. The legal basis is internal market regulation, but the value framework is the EU Charter of Fundamental Rights.
China's framework is built on a different value foundation: social stability, national security, and the correct political direction of content. The Generative AI Measures require that AI-generated content align with "core socialist values" and not "subvert state power." The Deep Synthesis Provisions focus on controlling disinformation that could destabilize public order.
These are not superficially different approaches to the same goal. They represent genuinely different conceptions of what AI governance is for. A system designed for compliance with EU requirements — which include prohibitions on certain content moderation practices that restrict political expression — may be structurally incompatible with Chinese requirements for that same moderation. This is not a documentation problem; it is an architectural one.
3. Extraterritoriality and the Brussels Effect
The EU AI Act applies to AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the provider is established. This is explicit in Article 2. A provider in Dubai deploying an AI system used by EU clients is an EU AI Act obligor.
US regulation has narrower extraterritorial reach: it applies to regulated entities in specific sectors (banks, medical device manufacturers, consumer-facing companies subject to FTC jurisdiction) rather than to the technology as such. China has some extraterritorial provisions in its data security and network security frameworks but the AI-specific measures are more domestically focused.
The practical result: the EU AI Act functions as a de facto global standard for any provider that cannot segment its EU client base. This is the Brussels Effect in operation — the compliance cost of building a separate EU-only architecture exceeds the cost of building a single EU-compliant architecture globally.
4. Technical Standards and Conformity Assessment
The EU AI Act relies on harmonized technical standards from CEN/CENELEC and ISO/IEC for demonstrating compliance. ISO/IEC 42001 (AI Management Systems) and related standards under ISO/IEC JTC 1/SC 42 are the primary reference. Third-party conformity assessment is mandatory for high-risk systems in certain Annex III categories.
The US relies on NIST frameworks (AI RMF, SP 1270) that are voluntary for most sectors. The methodologies are compatible but not equivalent. An ISO 42001 certification does not automatically satisfy NIST AI RMF alignment; alignment requires separate demonstration.
For global operators, this creates a standards navigation problem. Building to ISO 42001 is the safest path for EU compliance. Building to NIST AI RMF satisfies US federal procurement requirements and provides strong reputational positioning. The frameworks are complementary enough that doing both is feasible but requires intentional mapping that currently has to be done manually.
5. Prohibited vs. Mandated: The Biometrics Problem
The EU AI Act prohibits real-time remote biometric identification in publicly accessible spaces by law enforcement, with narrow exceptions. Under Article 14(5), for remote biometric identification systems no action may be taken on an identification unless it is separately verified and confirmed by at least two competent persons — subject to an exception for certain law-enforcement, migration and border-control uses. Facial recognition in public infrastructure is, in most applications, prohibited. Sources: Article 14(5)
Several jurisdictions not only permit but mandate exactly this infrastructure for specific applications: border control, public safety monitoring, national security. A provider selling biometric AI systems faces genuinely incompatible obligations depending on the deployment jurisdiction. This cannot be resolved by documentation or process; it requires product segmentation.
6. Enforcement Architecture
The EU AI Act creates a decentralized enforcement structure: each member state designates a national competent authority, with the European AI Office handling GPAI oversight and cross-border cases. Fines are calibrated by violation severity.
China enforces through CAC (content/generative AI), MIIT (general manufacturing and industrial AI), SAMR (consumer-facing), and sector regulators — a fragmented multi-agency structure with significant overlap. Enforcement has been rapid and consequential; CAC fines for algorithmic recommendation violations have been substantial and swift.
The US has no primary AI enforcement body. FTC enforcement relies on Section 5 authority (unfair or deceptive acts); financial regulators use existing supervisory authority; state attorneys general are increasingly active. The enforcement texture is adversarial and reactive rather than prospective and systematic.
Structural Fault Lines
Framework arrears.
Every governance framework is retrospective: it codifies risks that have already been understood, from technology that has already been deployed. The regulatory cycle for comprehensive AI legislation is 5-7 years from drafting to enforcement. The technology cycle for significant capability shifts is 12-18 months. This gap is structural, not transitional. Frameworks will always be governing a prior version of the technology they are designed to address.
The enforcement capacity gap.
As practitioners in this space have observed, the EU AI Act was designed for the EU's institutional infrastructure. Conformity assessment bodies, market surveillance authorities, legal professions fluent in technical standards — these exist in EU member states. For jurisdictions that adopt EU-style frameworks without equivalent institutional capacity, enforcement becomes theoretical. The law reads correctly; nothing happens.
Vocabulary divergence.
"Transparency," "accountability," "fairness," "human oversight" appear in virtually every framework. They mean different things in each. Transparency in the EU AI Act means technical documentation and audit logs sufficient for third-party review. Transparency in China's measures means disclosing to users that content is AI-generated. Transparency in the US FTC context means not deceiving consumers. Compliance with all three may require three different implementations of something called "transparency."
The GPAI unsolved problem.
The EU's GPAI regime and China's Generative AI Measures are the only binding frameworks addressing foundation models directly. The rest of the world is either watching or waiting. The fundamental problem — that a single model underlies thousands of applications, each with its own risk profile — has no clean regulatory solution. Compute thresholds are a first approximation that will fail as efficiency improves. Capability evaluations are hard to standardize. The GPAI governance problem is genuinely unsolved, and the frameworks that have attempted it have taken different and partially incompatible approaches.
Implications for Global Operators
Build to the EU AI Act as the compliance floor.
For any operator with EU market exposure, the EU AI Act is the most demanding horizontal framework and the one most likely to impose direct enforcement consequences. A system built to its requirements will be over-compliant in most other jurisdictions.
Segment where jurisdictions are architecturally incompatible.
Biometrics in public spaces, content moderation for political speech, social-scoring-adjacent applications — these require genuine product segmentation, not process adaptation. No single architecture satisfies EU prohibitions and Chinese mandates simultaneously.
Invest in people who can span the technical-legal gap.
The frameworks converge on this point even if they express it differently: governance is not a documentation exercise. A system whose audit trail cannot be reconstructed by someone who understands both its technical operation and its regulatory context is not governed, it is archived. The scarcity is not frameworks; it is people who can navigate both.
Treat GPAI obligations as the leading edge, not the exception.
The GPAI-specific provisions of the EU AI Act and China's Generative AI Measures are the first attempts to govern AI at the model layer rather than the application layer. This approach will spread. Organizations using foundation models — including via API — should understand these obligations now, because the application-layer compliance architecture they are building may need to accommodate model-layer requirements that do not yet exist in their jurisdiction.
Track standards, not just laws.
ISO/IEC 42001, NIST AI RMF, and the technical standards being developed under CEN/CENELEC will increasingly determine what "compliance" means operationally. Laws establish requirements in general terms; standards specify what satisfying those requirements looks like technically. The standards landscape is moving faster than the legislative one and deserves more attention from governance teams than it typically receives.
The global AI regulatory landscape is not converging on a single framework. It is converging on a set of shared problems — risk stratification, human oversight, explainability, foundation model governance — while diverging on the values those frameworks are designed to protect, the institutional architectures that enforce them, and the specific prohibitions and mandates they impose. For global operators, the practical skill is not knowing which framework applies. It is knowing when the frameworks are genuinely compatible and when they are not, and building systems that can tell the difference.
This is an opinion / thought-leadership piece. It is not legal or financial advice.