Home/Safety & Ethics/AI Regulation
Safety & Ethics

AI Regulation

Governments deciding what AI systems may do — moving fast by legislative standards, slowly by technological ones, and genuinely contested.

Reading level: Curious
Pick your depth ↓

When not to use it

  • (It's a landscape, not a tool. The question is when it applies.)*
  • Assuming it doesn't apply because you're small. Obligations follow the decision, not the company size.
  • Assuming it doesn't apply because you're outside the EU. The reach is extraterritorial by use.
  • Treating a compute threshold as a capability measure. Efficiency rises; the threshold captures less each year.
  • Reading any summary — including this one — as legal advice. It isn't. Get a lawyer if the tiers touch you.

Reach for something else instead

  • (Adjacent approaches, not substitutes.)*
  • Existing sectoral law — discrimination, product liability, consumer protection already apply.
  • NIST AI RMF — voluntary structure, no jurisdiction required.
  • Internal governance — evaluation, documentation, human oversight, whether or not anyone makes you.
  • Third-party audit — the enforcement mechanism most frameworks lack.

Sources & further reading

  • European Union (2024), Regulation (EU) 2024/1689 (AI Act) — the primary text; read the risk tiers rather than the coverage.
  • NIST (2023), AI Risk Management Framework 1.0 — voluntary, structured, useful in any jurisdiction.
  • Bommasani et al. (2021), On the Opportunities and Risks of Foundation Models — why general-purpose systems break use-based regulatory categories.

Primary sources, listed so you can check the claims on this page rather than take them on trust.

Where people go wrong

  • Asking "is it AI" instead of "what decision does it affect." Every framework turns on the second.
  • Assuming geography protects you. Use, not location.
  • Treating documentation obligations as novel. They're model cards, made mandatory.
  • Believing either side's account that this is obvious. The trade-offs are real in both directions.

At a glance

FieldSafety & Ethics
The common structurerisk tiers by use, not by technology
The trigger questionwhat decision does it affect
Reachextraterritorial, by use
The structural flawcompute thresholds are administrable and a poor capability proxy
Statusgenuinely contested
DifficultyBeginner
Flashcards for this concept
Question
Answer
1 / 4

Often compared with

Regulating the model vs. regulating the application — a general-purpose model has no fixed use, so obligations have to attach somewhere, and neither place fits cleanly.