AI Regulation
Governments deciding what AI systems may do — moving fast by legislative standards, slowly by technological ones, and genuinely contested.
When not to use it
- (It's a landscape, not a tool. The question is when it applies.)*
- Assuming it doesn't apply because you're small. Obligations follow the decision, not the company size.
- Assuming it doesn't apply because you're outside the EU. The reach is extraterritorial by use.
- Treating a compute threshold as a capability measure. Efficiency rises; the threshold captures less each year.
- Reading any summary — including this one — as legal advice. It isn't. Get a lawyer if the tiers touch you.
Reach for something else instead
- (Adjacent approaches, not substitutes.)*
- Existing sectoral law — discrimination, product liability, consumer protection already apply.
- NIST AI RMF — voluntary structure, no jurisdiction required.
- Internal governance — evaluation, documentation, human oversight, whether or not anyone makes you.
- Third-party audit — the enforcement mechanism most frameworks lack.
Sources & further reading
- European Union (2024), Regulation (EU) 2024/1689 (AI Act) — the primary text; read the risk tiers rather than the coverage.
- NIST (2023), AI Risk Management Framework 1.0 — voluntary, structured, useful in any jurisdiction.
- Bommasani et al. (2021), On the Opportunities and Risks of Foundation Models — why general-purpose systems break use-based regulatory categories.
Primary sources, listed so you can check the claims on this page rather than take them on trust.
Where people go wrong
- Asking "is it AI" instead of "what decision does it affect." Every framework turns on the second.
- Assuming geography protects you. Use, not location.
- Treating documentation obligations as novel. They're model cards, made mandatory.
- Believing either side's account that this is obvious. The trade-offs are real in both directions.