
International AI Governance Frameworks

AI governance is happening simultaneously at every level — municipal ordinances, national statutes, regional regulations, and emerging international standards — and the resulting patchwork is both the most important and least understood layer of AI policy. How major jurisdictions choose to govern AI will shape not just their own technology sectors but the global development and deployment of these systems for decades.

The global governance landscape

The past several years have produced an extraordinary proliferation of AI governance initiatives. Every significant economy has either enacted AI legislation, published national AI strategies, established regulatory bodies, or done all three. International organizations from the OECD to the United Nations to the G7 have issued principles, recommendations, and standards. The pace of initiative has outrun the pace of implementation, and the diversity of approaches has created genuine complexity for organizations that operate across jurisdictions.

Three broad governance philosophies have emerged. Rights-based regulatory approaches, most fully expressed in the EU AI Act, define categories of harmful AI and impose legally binding requirements calibrated to risk. Principle-based soft law approaches, characteristic of the OECD and international standards bodies, articulate high-level values and best practices without creating enforceable mandates. Sectoral and context-specific approaches, more characteristic of the United States, apply existing domain-specific regulation to AI uses in particular contexts — healthcare, finance, employment — without enacting comprehensive AI-specific legislation.

No jurisdiction practices any of these approaches in pure form; most mix elements of each. But the characterization helps clarify why regulatory fragmentation is so significant: organizations operating under multiple jurisdictions may face binding requirements from one, voluntary guidance from another, and complete regulatory silence on certain AI uses from a third.

The EU AI Act: a risk-based regulatory framework

The EU AI Act, formally adopted in 2024 after several years of negotiation, is the world's most comprehensive legally binding AI regulation. It applies to providers and deployers of AI systems in the EU market, regardless of where those systems are developed — a jurisdictional reach modeled on the GDPR that gives the Act significant global effect.

The Act's defining structure is a four-tier risk classification. Unacceptable-risk AI practices are prohibited outright. These include AI systems that manipulate individuals through subliminal techniques, that exploit vulnerabilities of specific groups, that build facial recognition databases through untargeted scraping of internet or CCTV footage, or that are used by public authorities for social scoring of individuals, as well as, with narrow law enforcement exceptions, real-time remote biometric identification in public spaces. The prohibitions represent political consensus about AI uses incompatible with EU fundamental rights, not merely regulatory calibration of risk.

High-risk AI systems are permitted but subject to significant obligations before they can be placed on the market. High-risk systems include those used in critical infrastructure, educational and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, administration of justice, and democratic processes. Providers of high-risk systems must: establish a risk management system; use high-quality training data with appropriate governance; maintain technical documentation; implement logging for traceability; provide transparency information to users; enable human oversight; achieve appropriate accuracy, robustness, and cybersecurity; and, for many systems, register in an EU database. Third-party conformity assessment is required for certain high-risk categories, including biometric systems and critical infrastructure AI.

General purpose AI under the EU Act

The final text of the EU AI Act includes provisions specifically addressing general-purpose AI models — large foundation models that can be adapted to many downstream uses. Providers of general-purpose AI models must provide technical documentation, comply with EU copyright law, and publish summaries of training data. Providers of models with "systemic risk" — defined by reference to training compute thresholds — face additional obligations including adversarial testing, serious incident reporting, and cybersecurity measures. This tier directly addresses the most capable frontier AI systems, including large language models.

Limited-risk systems face transparency obligations — particularly disclosure requirements so users know they are interacting with AI, including chatbots and deepfake generators. Minimal-risk systems face no mandatory requirements, though voluntary codes of practice are encouraged.

The Act's enforcement structure pairs national market surveillance authorities with a new European AI Office at the Commission level, which has competence over general-purpose AI models and the power to conduct investigations and impose fines. Maximum fines for prohibited practices reach 35 million euros or 7 percent of global annual turnover, whichever is higher — a penalty structure designed to have deterrent effect on even large technology companies.

The OECD AI Principles

The Organisation for Economic Cooperation and Development adopted its Recommendation on Artificial Intelligence in 2019 — the first intergovernmental standard on AI endorsed by countries representing the majority of global AI investment. Updated in 2024 to reflect developments in foundation models and generative AI, the OECD Principles have been endorsed by more than fifty countries, including non-OECD members, and have served as a reference framework for many national AI strategies and policies.

The OECD Principles are organized around five value-based principles for trustworthy AI and five recommendations to governments. The value principles state that AI should be: beneficial to individuals and society and the planet; designed with respect for rule of law, human rights, and democratic values; transparent and explainable; robust, secure, and safe across the lifecycle; and governed by accountable actors. The governmental recommendations address investment in research and development, building digital infrastructure and skills, enabling a policy environment for deployment, building human capacity, and international cooperation for trustworthy AI.

The Principles' influence is in their framing more than their enforcement — they cannot be enforced, being a recommendation rather than binding law. But by establishing shared vocabulary and conceptual architecture before most countries had developed domestic AI policy, the OECD shaped how governments framed subsequent regulatory efforts. The EU AI Act, the UK's pro-innovation framework, Canada's Directive on Automated Decision-Making, and dozens of national AI strategies all explicitly reference OECD Principles or use their conceptual categories.

UNESCO Recommendation on the Ethics of AI

UNESCO adopted its Recommendation on the Ethics of Artificial Intelligence in November 2021, with endorsement from all 193 member states — the broadest multilateral consensus on AI governance to date. The Recommendation addresses AI ethics from a human rights and sustainable development perspective, with particular emphasis on issues often under-addressed in OECD-focused frameworks: gender equality, environmental sustainability, the rights of indigenous peoples, and the needs of low- and middle-income countries.

The UNESCO framework is notable for its explicit treatment of AI's environmental impact — recommending that member states assess and report on the energy and resource consumption of AI systems — and for its emphasis on cultural diversity, noting that AI systems trained predominantly on data from wealthy countries may not serve, and may actively harm, the interests of populations with different languages, cultures, and socioeconomic contexts. These dimensions remain underrepresented in most regulatory frameworks developed by high-income countries.

The G7 Hiroshima AI Process

The G7 Hiroshima AI Process, launched at the 2023 Hiroshima Summit, produced the first significant multilateral output on frontier AI governance: the International Guiding Principles on AI and a voluntary Code of Conduct for AI Developers, released in October 2023. The Process represented an effort by major democracies to develop shared governance norms for the most capable AI systems at a moment of rapid capability development — responding particularly to the public release of large language models that had demonstrated capabilities far beyond those of previous-generation AI systems.

The Hiroshima Principles cover eleven areas including transparency, accountability, safety, and security. They explicitly address risks from the most advanced AI systems, including dual-use risks, disinformation capabilities, and potential for misuse in weapons development. The voluntary Code of Conduct asks developers to: identify and mitigate risks before deployment; invest in cybersecurity; develop trust mechanisms including labeling of AI-generated content; implement research on AI safety; and report serious incidents. While voluntary, the Code represents normative consensus among the world's largest AI-developing economies.

The United States: executive action and sectoral regulation

President Biden's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, signed in October 2023, was the most significant U.S. federal action on AI governance prior to any comprehensive legislation. The Order directed federal agencies to develop guidance, standards, and requirements across a wide range of AI applications; required developers of the most powerful AI systems to share safety test results with the federal government; directed the development of standards for AI-generated content authentication; addressed AI's implications for workers, civil rights, and national security; and sought to position the U.S. as a leader in international AI governance.

The Order's implementation was necessarily incremental — executive orders cannot create new statutory requirements on private actors without congressional authority, and many of its directives were to federal agencies about their own use of AI or about developing guidance that would subsequently inform rulemaking. The Biden Order was revoked by President Trump's executive order in January 2025, which directed a new national AI action plan oriented around "removing barriers to American AI leadership" — a significant shift in federal AI governance philosophy.

U.S. AI governance continues primarily through sectoral regulation: the Food and Drug Administration regulates AI in medical devices; the Equal Employment Opportunity Commission addresses AI in hiring; the Consumer Financial Protection Bureau governs AI in lending; the Federal Trade Commission has authority over deceptive and unfair practices including AI-generated deception. This sectoral approach has the advantage of applying specialized expertise and existing legal authority but creates gaps for AI applications that cross regulatory domains.

The EU model: comprehensive binding regulation
Risk-based classification, prohibited practices, mandatory pre-market requirements for high-risk systems, conformity assessment, and independent enforcement with significant penalties. Offers legal certainty but may slow deployment of beneficial applications.

The UK model: pro-innovation principles-based regulation
Existing sector regulators apply AI-relevant interpretations of their existing mandates. Central coordination via government office. Emphasis on enabling innovation with voluntary sector-specific guidance rather than ex ante mandates.

The US model: sectoral and enforcement-driven
Domain-specific agencies apply existing statutory authority. FTC unfair practices enforcement as a backstop. Limited comprehensive legislation; much governance through standards bodies, executive action, and state law.

The China model: sequential targeted regulation
Specific regulations targeting specific capabilities: deep synthesis (deepfakes), recommendation algorithms, and generative AI each subject to separate regulations with registration, content requirements, and security assessments.

China's AI regulatory approach

China has taken a distinctive regulatory path: rather than comprehensive AI legislation, it has enacted a series of targeted regulations addressing specific AI capabilities as those capabilities became significant. The Provisions on the Management of Algorithmic Recommendations (effective March 2022) addressed recommendation systems, requiring transparency, the ability to opt out, and prohibiting discriminatory pricing and addiction-inducing design. The Provisions on Deep Synthesis Internet Information Services (effective January 2023) regulated deepfake and synthetic media generation, requiring labeling of synthetic content and prohibiting impersonation of specific individuals without consent. The Interim Measures for the Management of Generative AI Services (effective August 2023) addressed large language models and image generation, requiring security assessments, content filtering aligned with Chinese law and values, and user identity verification.

This sequential, capability-specific approach allows regulation to track actual technology deployment rather than anticipate hypothetical risks, but creates a patchwork that may not address cross-cutting concerns. It also reflects the particular governance concerns relevant in China: content control and alignment with state values, preventing manipulation of public opinion, and ensuring AI development serves national strategic goals.

The UK's pro-innovation approach and AI Safety Institute

The United Kingdom has positioned itself as offering an alternative to the EU's comprehensive regulatory approach, emphasizing principles-based guidance through existing sector regulators rather than new AI-specific legislation. The UK's AI Regulation White Paper, published in 2023, articulated five cross-sector principles — safety, security, and robustness; transparency and explainability; fairness; accountability and governance; contestability and redress — while tasking existing sector regulators with interpreting their application in their domains.

In parallel, the UK established the AI Safety Institute (AISI) in November 2023 — the world's first government body specifically tasked with evaluating the safety of frontier AI systems before and after deployment. The AISI conducts evaluations of advanced AI models, including red-teaming for dangerous capabilities, and publishes findings. This focus on frontier AI safety — the risks from the most capable systems — rather than regulation of AI-enabled harms in particular sectors represents a distinctive contribution to the governance landscape.

Rule-based versus principle-based governance

The contrast between rule-based and principle-based governance approaches is fundamental to evaluating international AI frameworks. Rule-based approaches — like the EU AI Act's prohibited practices list and high-risk category definitions — offer predictability and enforceability. Organizations know in advance what they must do, can design compliance programs, and can be held to account against specific requirements. But rules may be overinclusive (prohibiting beneficial applications) or underinclusive (missing harmful applications the rule didn't anticipate), and they can become outdated as technology evolves.

Principle-based approaches — like the OECD Principles or the UK's cross-sector framework — offer flexibility and durability. A principle that AI should be transparent and accountable applies regardless of the specific technology or application. But principles offer less legal certainty, may be interpreted inconsistently across contexts, and can be difficult to enforce against organizations that claim compliance while engaging in harmful practices. The most sophisticated regulatory approaches combine both: binding rules for the clearest cases of harm and enforceable principles that capture the space rules cannot fully specify.

Regulatory fragmentation and calls for international coordination

The proliferation of AI governance frameworks has created genuine regulatory fragmentation — different and sometimes conflicting requirements across jurisdictions that make it difficult for organizations developing and deploying AI globally to navigate compliance. A facial recognition system lawful in one country may be prohibited in another; a training data practice acceptable under one jurisdiction's copyright law may violate another's; a transparency requirement in the EU may conflict with trade secret protections elsewhere.

Scholars and policymakers have increasingly called for some form of international coordination — whether through mutual recognition of comparable regulatory regimes, convergence around shared technical standards, or more ambitiously, an international AI governance body analogous to the IAEA (International Atomic Energy Agency) for nuclear technology. The Bletchley Declaration, signed by twenty-eight countries including the U.S., EU, UK, and China at the first AI Safety Summit in November 2023, acknowledged shared concern about frontier AI risks and committed to information sharing and joint evaluation — a modest but symbolically significant first step.

The fragmentation problem for government procurement

For government technology buyers, regulatory fragmentation creates specific challenges. An AI system procured for a national government use case may comply with domestic requirements while violating requirements in EU jurisdictions where agency data flows or where affected individuals are located. Agencies that procure AI from global vendors must assess not only their own jurisdiction's requirements but the compliance posture of the vendor's system against the regulatory frameworks of every jurisdiction in which the system operates or whose residents it affects.

This complexity argues strongly for requiring vendors to provide documentation sufficient to assess compliance across frameworks, rather than accepting vendor assertions of compliance with a single jurisdiction's requirements.

What international frameworks mean for government technology procurement

The international AI governance landscape has direct practical implications for governments procuring AI systems. The EU AI Act creates binding requirements for any AI system deployed in EU member states or affecting EU residents — public sector deployers are subject to the Act's obligations for high-risk systems, which include most AI used in law enforcement, border control, justice administration, and access to public services. Even governments outside the EU must consider these requirements when procuring systems from vendors who also supply EU markets, since vendor compliance architecture will reflect EU requirements.

The OECD Principles and Hiroshima Process outputs provide a normative baseline that procurement requirements can reference: requirements for transparency and explainability, human oversight, robustness and security, and accountability align with these international consensus documents and provide justification for procurement requirements that vendors might otherwise contest as going beyond what is legally required.

The emergence of the UK AI Safety Institute model — independent evaluation of AI systems against safety criteria — suggests a direction for government procurement: rather than relying solely on vendor-provided documentation and testing, procurement agencies could require that systems undergo independent evaluation by accredited testing organizations. The technical infrastructure for this is nascent but developing, and government procurement requirements could accelerate its development by creating market demand for independent AI system evaluation.

Convergence on core principles

Despite the diversity of governance approaches, there is striking convergence at the level of core principles across the EU AI Act, OECD Principles, UNESCO Recommendation, G7 Hiroshima Process, and national frameworks. All emphasize: human oversight of consequential AI decisions; transparency about AI use and AI-generated content; accountability for AI-caused harms; fairness and non-discrimination; and safety and robustness. Governments building AI governance frameworks can take these convergent principles as a stable foundation, even as the specific regulatory mechanisms for implementing them continue to evolve.

The international AI governance landscape is in its formative period. The frameworks enacted in the next few years — the implementation of the EU AI Act, the development of international standards through ISO and IEEE, the evolution of the OECD Principles, and whatever international coordination mechanisms emerge from the AI safety summits — will establish the institutional infrastructure within which AI governance operates for a generation. Government technology officials who understand this landscape are better positioned to participate in shaping it, rather than simply adapting to requirements developed without their input.