Authored By: Pavan Kumar Saini
Devi Ahilya University, India
Abstract
Artificial intelligence is changing the world faster than the law can keep up. Three major powers, the European Union, the United States, and China, have each responded differently. The EU has built a detailed rulebook grounded in human rights. The US has largely left it to the market, nudged along by executive orders. China has moved swiftly, but with state control firmly at the centre. This article walks through each approach honestly, asks what they get right and what they miss, and argues that none of them alone is enough. What the world needs and does not yet have, is a shared foundation that all three can build on together.
I. Introduction: A Technology That Did Not Wait for Permission
Nobody voted for artificial intelligence. It did not go through a parliament, a senate, or a public consultation before it began making decisions about who gets a loan, who gets flagged by the police, whose job application goes to the top of the pile, and whose gets quietly discarded. It simply arrived, and kept arriving, faster and in more places than anyone had anticipated.
That is what makes regulating AI so genuinely hard. It is not like regulating a new drug, where the harm is biological and the mechanism is understood. It is not like regulating a new financial product, where the risks can be priced and the actors can be licensed. AI is a general-purpose technology, a tool that can be used for almost anything, by almost anyone, in almost any context. Writing a single law that governs it sensibly is a bit like writing a single law that governs all uses of electricity.[1]
And yet the world has to try. The harms are real, algorithmic discrimination, mass surveillance, autonomous weapons that make life-or-death decisions without meaningful human oversight, systems that can generate convincing misinformation at industrial scale. The question is not whether to regulate, but how: how much, how fast, and who decides.
This article looks at the three most significant answers that have emerged so far. The European Union has produced the world’s first comprehensive AI law. The United States has relied on a mix of executive orders and voluntary frameworks. China has moved quickly, but through a lens of state authority and social control. Each approach reveals something important, about the technology itself, and about the societies trying to tame it.
II. The European Union: Drawing Lines in Advance
The EU’s Artificial Intelligence Act, which entered into force in 2024, is the product of years of debate, lobbying, controversy, and genuine intellectual effort. It is also, by a considerable distance, the most ambitious attempt by any government to govern AI through law.
A. The basic idea: risk determines the rules
The AI Act’s central insight is simple: not all AI is equally dangerous. A spam filter is not the same as an algorithm that decides whether you go to prison. A music recommendation engine is not the same as a facial recognition system scanning a public square. So rather than applying the same rules to everything, the Act sorts AI systems into categories based on how much harm they could cause and then assigns legal obligations accordingly.
At the top of the hierarchy are applications that are simply banned.[2] The EU has decided, as a matter of principle, that some uses of AI are incompatible with human dignity and should not exist at all. Real-time facial recognition in public spaces is one. AI systems that exploit psychological vulnerabilities to manipulate people’s behaviour is another. Government systems that score citizens on their social conduct. the kind of social credit systems associated with China, are a third. These are not provisional prohibitions pending further evidence. They are value judgements encoded in law.
Below that sits the ‘high-risk’ category, a long and detailed list of AI applications that are not banned but are subject to serious obligations before they can be deployed.[3] Systems used in hiring, credit decisions, law enforcement, border control, education, and critical infrastructure all fall here. Developers must demonstrate that their systems are safe, accurate, and transparent. They must maintain detailed documentation. They must build in human oversight. And they must submit to conformity assessments, essentially, a legal audit, before their systems go live.
B. The harder question: what about GPT-scale models?
The original AI Act proposal was written before ChatGPT made large language models a household name. By the time the law was finalised, legislators had to scramble to address a category of AI that had barely existed when they started. The result, the ‘general-purpose AI’ provisions[4], is one of the most interesting and contested parts of the Act. It imposes transparency obligations on all providers of large foundation models, and additional ‘systemic risk’ requirements on those whose models exceed a certain computational threshold. Whether training compute is the right proxy for risk or capability is genuinely debated. But the instinct that the most powerful AI systems deserve the most scrutiny, seems hard to argue with.
III. The United States: Innovation First, Rules Later
The American approach to AI regulation is, in one sense, very easy to describe: there isn’t one not yet, at least, in any comprehensive legislative form. The US has no federal AI statute. What it has instead is a patchwork of executive orders, agency guidance, voluntary commitments from technology companies, and sector-specific rules applied by existing regulators.
A. Executive orders and voluntary frameworks
The most significant federal intervention came from President Biden’s Executive Order 14110, issued in October 2023.[5] It was a serious document; detailed, technically informed, and unusually ambitious in scope for an executive order. It directed agencies to develop AI safety standards, required developers of the most powerful models to share safety test results with the government, and mandated the National Institute of Standards and Technology to produce risk management guidance.
NIST duly produced its AI Risk Management Framework, a voluntary guidance document that is, technically speaking, excellent.[6] The framework is careful, nuanced, and genuinely useful for organisations trying to think systematically about AI risks. Its weakness is structural: it is voluntary. Companies can use it, adapt it, ignore it, or cite it in their press releases while doing something entirely different. There is no enforcement mechanism, no penalty for non-compliance, and no way for affected individuals to invoke it when things go wrong.
B. Why Congress hasn’t acted
The reasons the US has not produced comprehensive AI legislation are structural rather than accidental. The technology industry in America is extraordinarily influential in Washington. The political system makes comprehensive legislation genuinely difficult, passing a major bill through the Senate requires sixty votes, a threshold that rarely exists for controversial technology policy. And there is a deep-seated American scepticism of ex ante regulation: a preference for letting markets innovate, identifying harms after the fact, and then deciding whether to respond.[7]
The consequence is a regulatory landscape that is flexible but fragmented. A company deploying AI in employment faces EEOC guidance; in consumer credit, FTC scrutiny; in healthcare, FDA oversight. None of these frameworks was designed with AI in mind. They apply awkwardly, inconsistently, and with gaps that a determined actor can exploit.[8]
IV. China: Fast, Strategic, and State-Centred
China’s approach to AI regulation is often misunderstood in the West, sometimes dismissed as pure authoritarianism, sometimes admired as decisive state action. The reality is more interesting than either characterisation suggests.
A. Sector-specific, not comprehensive
China has not produced a single comprehensive AI law. Instead, it has issued a series of regulations targeting specific AI applications and use cases. There are rules for algorithmic recommendation systems, rules for deep synthesis (deepfake) technologies, and most significantly, the Measures for the Management of Generative Artificial Intelligence Services, which entered into force in August 2023.[9]
The Generative AI Measures require providers to ensure that outputs reflect ‘core socialist values’, to conduct security assessments before deployment, and to implement content filtering.[10] The political dimension is unmistakable: these regulations are not only about safety or consumer protection. They are also about ensuring that powerful AI systems do not become vehicles for content the state considers threatening. That is a genuinely different regulatory goal from anything in the EU Act or the US framework, and it is worth naming honestly rather than glossing over.
B. Data, privacy, and the limits of the comparison
China also has a Personal Information Protection Law[11] that offers individual privacy protections more substantive than many Western observers acknowledge. The picture is complicated: China’s legal framework restricts commercial actors from exploiting personal data in ways that would be illegal in Europe, but it preserves extensive state access to that same data for governance and security purposes.[12] The PIPL protects you from tech companies in ways that matter. It does not protect you from the state in ways that also matter. Both things are true simultaneously.
V. What the Three Models Tell Us
A. Where they actually agree
It would be easy to conclude from the above that the EU, US, and China are simply doing three completely different things with no common ground. That is not quite right. All three accept, at least in principle, that AI deployed in high-stakes contexts needs more scrutiny than AI deployed in low-stakes ones. All three recognise that transparency about AI systems is important. And all three have acknowledged, in their different ways, that very large AI models present distinctive governance challenges that existing frameworks are ill-equipped to handle. That is more agreement than often appears in the headlines.
B. Where they genuinely diverge
The divergences, though, go deeper than regulatory technique. They reflect different answers to fundamental questions about what AI governance is for.[13]
The EU’s framework is grounded in rights. It treats certain uses of AI as categorically incompatible with human dignity, not because they are necessarily more harmful in every individual case, but because the kind of society that permits them is not the kind of society the EU has committed to being. The US framework prioritises freedom, freedom of markets to innovate, freedom of individuals from government prescription, freedom of companies to compete globally. China’s framework prioritises stability, social order, national security, and the technological strength of the Chinese state.[14]
These are not differences that can be resolved by better technical standards or clearer definitions. They are political and philosophical differences. A world in which all three converge on a single AI regulatory model is not a world that currently exists, and it would be naive to pretend otherwise.
C. The coordination problem nobody is solving
The most serious gap in global AI governance is not within any one jurisdiction; it is between them. AI systems are built in one country, trained on data from dozens more, deployed across borders, and their effects felt by people who have no relationship with the company that built them or the government that approved them. A facial recognition system built in the EU, trained on global data, and used by a government in sub-Saharan Africa falls outside every framework discussed in this article.[15]
The EU has proposed an international code of conduct for AI[16] and has tried to leverage its market power, the same strategy that made the GDPR a de facto global standard, to push its framework beyond its own borders. Whether that will work for AI is genuinely uncertain. The GDPR worked in part because it addressed a well-defined problem through mechanisms that foreign companies could adopt without enormous disruption. The AI Act is more complex, more demanding, and addresses a moving target.[17]
VI. Conclusion: We Need Better than This
The world is not short of AI regulation. In the time it has taken to write this article, the EU’s AI Act has continued to take effect, the US has seen another round of congressional hearings produce no legislation, and China has continued refining its sectoral rules. Everyone is doing something. The question is whether what everyone is doing adds up to something adequate, and the honest answer is not yet.
The EU’s approach is the most serious attempt to govern AI as a system-wide challenge. It deserves credit for that. But it is also administratively complex, potentially stifling for smaller innovators, and built on risk categories that may not map cleanly onto the AI applications of five years from now.[18] The American approach preserves innovation and flexibility but at the cost of accountability and coherence. China’s approach is decisive and technically serious, but it serves state interests in ways that make genuine international convergence very difficult.
What would actually help is a set of shared international principles, not a single model, but a common floor, that all three could accept. Something built around transparency (AI systems should be explainable to those they affect), accountability (someone must be legally responsible when AI causes harm), non-discrimination (AI must not systematically disadvantage groups on the basis of protected characteristics), and meaningful human oversight of consequential decisions.[19]
None of those principles is alien to any of the three jurisdictions discussed here. All three have stated, in their different ways, that they care about them. The gap is not in the principles; it is in the political will to build something together rather than competing to set the global standard unilaterally. That is, ultimately, a choice. The technology is not waiting to see which way it goes.
Bibliography
Primary Sources
European Parliament and Council, Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), OJ L 2024/1689.
Executive Order No 14,110, 88 Fed Reg 75,191 (30 October 2023) on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.
China’s Measures for the Management of Generative Artificial Intelligence Services (Cyberspace Administration of China et al, effective 15 August 2023).
Personal Information Protection Law of the People’s Republic of China (promulgated 20 August 2021, effective 1 November 2021).
National Institute of Standards and Technology, Artificial Intelligence Risk Management Framework (AI RMF 1.0) (January 2023).
Secondary Sources
Bengio Y and others, ‘Managing AI Risks in an Era of Rapid Progress’ (2023) arXiv:2310.17688.
Calo R, ‘Artificial Intelligence Policy: A Primer and Roadmap’ (2017) 51 UC Davis L Rev 399.
Edwards L and Veale M, ‘Slave to the Algorithm? Why a Right to an Explanation is Probably Not the Remedy You Are Looking For’ (2017) 16 Duke Law & Technology Review 18.
Greenleaf G, ‘Adequacy, Equivalence and Mutual Recognition in Global Privacy Law’ (2022) 12 Int’l Data Privacy L 273.
Harari Y N, 21 Lessons for the 21st Century (Spiegel & Grau 2018).
Jia L and Burnett G, ‘Governing Generative AI in China’ (2023) 14 Internet Policy Review 1.
Schaake M, The Tech Coup: How to Save Democracy from Silicon Valley (Princeton University Press 2024).
Sunstein C R, The Cost-Benefit Revolution (MIT Press 2018).
European Commission, ‘Proposal for an International Code of Conduct for AI’ (2023) <https://digital-strategy.ec.europa.eu> accessed 20 May 2026.
[1]Ryan Calo, ‘Artificial Intelligence Policy: A Primer and Roadmap’ (2017) 51 UC Davis L Rev 399, 421–424.
[2]EU AI Act, art 5 (prohibited AI practices, including real-time biometric identification in public spaces and social scoring by public authorities).
[3]EU AI Act, arts 9–15 (conformity assessments, technical documentation, data governance, human oversight, and accuracy requirements for high-risk AI systems).
[4]EU AI Act, art 4a (general-purpose AI models; systemic risk classification based on training compute threshold of 10^25 FLOPs).
[5]Executive Order No 14,110, 88 Fed Reg 75,191 (30 October 2023) on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence [EO 14110].
[6]National Institute of Standards and Technology, Artificial Intelligence Risk Management Framework (AI RMF 1.0) (January 2023).
[7]Marietje Schaake, The Tech Coup: How to Save Democracy from Silicon Valley (Princeton University Press 2024) 114–119.
[8]Calo (n 7) 430–435.
[9]China’s Measures for the Management of Generative Artificial Intelligence Services (Cyberspace Administration of China, effective 15 August 2023) [China GAIS Measures].
[10]China GAIS Measures, art 4 (requirement that generated content reflect ‘core socialist values’ and not subvert state power).
[11]Personal Information Protection Law of the People’s Republic of China (promulgated 20 August 2021, effective 1 November 2021) [PIPL].
[12]Lianrui Jia and Graeme Burnett, ‘Governing Generative AI in China’ (2023) 14 Internet Policy Review 1, 5–8.
[13]Lilian Edwards and Michael Veale, ‘Slave to the Algorithm? Why a Right to an Explanation is Probably Not the Remedy You Are Looking For’ (2017) 16 Duke Law & Technology Review 18, 56–60.
[14]Yuval Noah Harari, 21 Lessons for the 21st Century (Spiegel & Grau 2018) 66–73.
[15]Yoshua Bengio and others, ‘Managing AI Risks in an Era of Rapid Progress’ (2023) arXiv:2310.17688, 4–7.
[16]European Commission, ‘Proposal for an International Code of Conduct for AI’ (2023) <https://digital-strategy.ec.europa.eu> accessed 20 May 2026.
[17]Graham Greenleaf, ‘Adequacy, Equivalence and Mutual Recognition in Global Privacy Law’ (2022) 12 Int’l Data Privacy L 273, 278–281.
[18]Cass R Sunstein, The Cost-Benefit Revolution (MIT Press 2018) 45–50.
[19]Bengio and others (n 13) 10–13.





