"Multimodal models see, hear, and read. They still cannot fold laundry, but give them time."
Sage, Laundry Patient AI Agent
AI governance is the set of rules, norms, and institutions that determine how AI systems are developed, deployed, and controlled. Unlike the technical topics in earlier chapters, governance is fundamentally about coordination among humans: governments, companies, researchers, and civil society. The challenge is that AI capabilities are advancing faster than governance institutions can adapt, creating a growing gap between what is technically possible and what is socially managed. This section surveys the governance landscape as of early 2026, identifies the open problems that no jurisdiction has solved, and examines the structural tensions that make AI governance uniquely difficult.
Prerequisites
This section builds on safety, ethics, and regulation from Chapter 32, particularly the regulatory landscape (Section 32.4) and governance frameworks (Section 32.5). No specialized legal knowledge is required.
1. Compute Governance
You cannot regulate an algorithm. You can barely regulate data. But you can regulate a warehouse full of GPUs that consumes as much electricity as a small town. Among the many possible levers for governing AI, compute governance has emerged as one of the most concrete and enforceable. Unlike data (which is easily copied and distributed) or algorithms (which can be published in a paper), compute is physical: it requires specific hardware, significant electricity, and substantial capital. This physicality makes it trackable and, in principle, regulable.
The Logic of Compute Governance
Heim (2024) at the Centre for the Governance of AI articulated the core argument for compute governance. Training a frontier model requires a compute cluster that costs hundreds of millions of dollars and consumes megawatts of power. These clusters are built from a small number of chip types (primarily NVIDIA H100/H200/B200 GPUs), manufactured by a small number of companies, using equipment from an even smaller number of suppliers (primarily ASML for advanced lithography). This concentrated supply chain creates natural chokepoints for governance.
The United States has already leveraged compute governance through export controls on advanced AI chips to China, implemented through the Bureau of Industry and Security (BIS) starting in October 2022 and progressively tightened. These controls restrict the sale of chips above a certain performance threshold (measured in TOPS, or tera-operations per second) and restrict the sale of the equipment needed to manufacture such chips.
Know-Your-Customer for Compute
A more targeted proposal is "know-your-customer" (KYC) requirements for cloud compute providers, analogous to KYC rules in banking. Under this framework, cloud providers offering GPU clusters above a certain size would be required to verify the identity of customers and the intended use of the compute. This would not restrict access but would create an audit trail, enabling detection of unauthorized frontier training runs.
Proponents argue that KYC for compute is minimally invasive: it does not restrict what you can compute, only requires that you identify yourself. Critics counter that it creates a surveillance infrastructure that could be abused, that it disadvantages academic researchers and startups relative to incumbents, and that determined actors can circumvent it by distributing compute across multiple providers or jurisdictions.
Limitations of Compute Governance
Compute governance has important limitations. First, it governs training, not deployment: once a model is trained, it can be copied and deployed on much less compute. Export controls on training chips do not prevent the use of models trained elsewhere. Second, the compute threshold for "frontier" models is a moving target; algorithmic improvements (better architectures, more efficient training) continuously lower the compute required to achieve a given capability level. Third, compute governance is geopolitically fraught: it is perceived by some nations as a tool of technology containment rather than safety governance, which complicates international cooperation.
2. International Regulatory Landscape
As of early 2026, the global AI regulatory landscape is fragmented, with different jurisdictions pursuing substantially different approaches. Understanding these differences is essential for any organization deploying AI internationally.
The European Union: AI Act
The EU AI Act, which entered into force in August 2024 with provisions phasing in through 2026, represents the most comprehensive AI-specific regulation globally. It classifies AI systems into risk categories:
- Unacceptable risk (banned): social scoring, real-time biometric surveillance in public spaces (with narrow exceptions), manipulation of vulnerable groups.
- High risk (heavy regulation): AI in critical infrastructure, education, employment, law enforcement, migration, and democratic processes. These systems require conformity assessments, human oversight mechanisms, detailed documentation, and post-market monitoring.
- Limited risk (transparency requirements): chatbots, deepfakes, and emotion recognition systems must disclose their AI nature to users.
- Minimal risk (no specific requirements): spam filters, AI-powered video games, and similar low-stakes applications.
The AI Act also includes specific provisions for "general-purpose AI models" (GPAIs), including frontier LLMs. Models above a compute threshold (10^25 FLOPS for training) face additional requirements: adversarial testing, incident reporting, cybersecurity protections, and energy consumption disclosure. Open-source models receive some exemptions, though the scope of these exemptions has been contentious.
The United States: Executive Orders and Sector-Specific Regulation
The US approach has been less centralized than the EU's. The Biden administration's Executive Order 14110 on AI Safety (October 2023) established reporting requirements for frontier training runs (above approximately 10^26 FLOPS) and directed federal agencies to develop sector-specific AI guidelines. Subsequent legislative proposals have varied widely, from narrow bills addressing deepfakes in elections to broad proposals for AI licensing regimes.
The regulatory direction shifted with the change in administration in January 2025. The focus moved from preemptive regulation toward innovation-friendly policies, with more emphasis on voluntary commitments by industry and less on mandatory compliance. The long-term trajectory of US AI regulation remains uncertain, as bipartisan support exists for some measures (deepfake labeling, child safety) but not others (frontier model licensing, compute reporting).
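As an added example that is not part of the chapter, the following Python sketch shows how a cloud provider's compute KYC/audit function (Section 1) could estimate the training compute a GPU reservation can deliver and check it against the EU AI Act and EO 14110 thresholds quoted above, aggregating per customer so that a run split across several reservations is still judged by its total. The per-chip peak throughput figures, the 40% utilization, the 6ND rule of thumb and all reservation data are assumptions or constructed values, not figures from the chapter or any regulator.

```python
from collections import defaultdict
from dataclasses import dataclass

# Training-compute thresholds named in the chapter (total operations).
EU_AI_ACT_GPAI_THRESHOLD = 1e25   # AI Act general-purpose AI model provisions
US_EO_14110_THRESHOLD = 1e26      # EO 14110 reporting threshold (approximate)

# Assumed dense BF16 peak throughput per accelerator in FLOP/s.
# Round figures chosen for illustration, not vendor specifications.
PEAK_FLOP_PER_SECOND = {"H100": 1.0e15, "H200": 1.0e15, "B200": 2.2e15}


@dataclass(frozen=True)
class Reservation:
    """A GPU cluster reservation as a provider's billing records might describe it."""
    customer_id: str
    chip: str
    chip_count: int
    hours: float
    mfu: float = 0.4  # assumed model-FLOPs utilization of a well-tuned training run


def reservation_flops(r: Reservation) -> float:
    """Training compute the reservation could deliver at the assumed utilization."""
    return r.chip_count * r.hours * 3600 * PEAK_FLOP_PER_SECOND[r.chip] * r.mfu


def training_flops_from_model(params: float, tokens: float) -> float:
    """The usual 6*N*D estimate for dense transformer training compute."""
    return 6.0 * params * tokens


def thresholds_crossed(flops: float) -> list[str]:
    """Names of the reporting thresholds that a given compute budget reaches."""
    crossed = []
    if flops >= EU_AI_ACT_GPAI_THRESHOLD:
        crossed.append("EU_AI_ACT_GPAI")
    if flops >= US_EO_14110_THRESHOLD:
        crossed.append("US_EO_14110")
    return crossed


def review_reservations(reservations: list[Reservation]) -> dict[str, dict]:
    """Aggregate per customer so that a run split across several reservations
    is judged by its total, then report which thresholds the total reaches."""
    totals: dict[str, float] = defaultdict(float)
    for r in reservations:
        totals[r.customer_id] += reservation_flops(r)
    return {
        cid: {"flops": total, "crossed": thresholds_crossed(total)}
        for cid, total in totals.items()
    }


# Constructed sample reservations (not real customers or clusters).
SAMPLE_RESERVATIONS = [
    Reservation("small-lab", "H100", chip_count=64, hours=48),
    # Two half-size reservations that together amount to a 10k-GPU, 30-day run.
    Reservation("split-run", "H100", chip_count=5_000, hours=720),
    Reservation("split-run", "H100", chip_count=5_000, hours=720),
    Reservation("big-lab", "B200", chip_count=50_000, hours=2_000),
]

if __name__ == "__main__":
    for cid, report in review_reservations(SAMPLE_RESERVATIONS).items():
        print(f"{cid:10s} {report['flops']:.2e} FLOP  crossed={report['crossed']}")
    # A 70B-parameter model trained on 15T tokens (constructed figures) for comparison.
    print(f"6ND estimate: {training_flops_from_model(7e10, 1.5e13):.2e} FLOP")
```

The point of the per-customer aggregation is the one raised in the text: a threshold check applied to individual reservations is trivially evaded by splitting a run, whereas a check on the customer's total within one provider at least forces evasion across providers or jurisdictions.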
China: Targeted Regulation
China has adopted a more targeted approach, regulating specific AI applications rather than AI broadly. Regulations have been issued for recommendation algorithms (2022), deepfakes and synthetic content (2023), and generative AI services (2023). The generative AI regulation requires providers to obtain government approval before launching public-facing services, to ensure training data complies with Chinese law, and to prevent generated content from "subverting state power" or "undermining national unity."
China's approach is notable for its speed (regulations are issued and enforced quickly relative to the EU's multi-year legislative process) and its focus on content control alongside safety and reliability.
The UK: Evaluation and Soft Governance
The UK established the AI Safety Institute (AISI) in November 2023, positioning itself as a hub for frontier model evaluation rather than top-down regulation. AISI conducts pre-deployment evaluations of frontier models from leading labs and publishes safety assessments. The UK approach emphasizes voluntary cooperation with labs, technical evaluation capacity, and international coordination, while avoiding prescriptive regulation that might drive AI development to other jurisdictions.
| Jurisdiction | Approach | Key Instruments | Enforcement |
|---|---|---|---|
| EU | Risk-based comprehensive regulation | AI Act (2024) | Fines up to 7% global revenue |
| US | Sector-specific, executive action | EO 14110, agency guidance | Varies by sector |
| China | Application-specific, content-focused | Generative AI measures (2023) | Pre-launch approval |
| UK | Evaluation-centered, soft governance | AISI evaluations | Voluntary cooperation |
Regulation is racing to catch up with capability, and the gap is widening. The EU AI Act took four years from proposal to enforcement. In that time, capabilities advanced from GPT-3 to reasoning models like o3 and DeepSeek-R1. The regulatory frameworks described above were designed for a world of text-only chatbots and classification systems; they do not yet account for autonomous agents (Chapter 22), multi-agent systems (Chapter 24), or models that can self-improve through test-time compute (Section 08.2). For practitioners, this means that regulatory compliance is a moving target. Build systems that are auditable and configurable so that you can adapt to new requirements without redesigning from scratch.
3. The Open-Weight Debate
The regulatory frameworks above govern how models are deployed, but they do not fully address a prior question: should powerful models be publicly available at all? One of the most contentious governance questions is whether frontier AI models should be released with open weights (allowing anyone to download, modify, and deploy the model). The debate has two clearly articulated sides, and the resolution has significant implications for the structure of the AI industry.
The Case for Open Weights
- Safety through transparency. Open models can be scrutinized by independent researchers for biases, vulnerabilities, and alignment failures. Closed models must be evaluated through their API, which provides limited visibility.
- Competition and innovation. Open models prevent concentration of AI capabilities in a small number of companies. They enable startups, academics, and researchers in developing countries to participate in AI development.
- Reproducibility. Scientific claims about AI capabilities, safety properties, and alignment techniques can only be verified if the models are available for independent testing.
- Resilience. A world where AI capabilities are distributed across many actors is more resilient to capture by any single entity (corporate or governmental).
The Case Against Unrestricted Open Weights
- Proliferation risk. Once a model's weights are released, they cannot be recalled. If a model has dangerous capabilities (e.g., assisting with bioweapon synthesis), those capabilities are permanently available to all actors, including malicious ones.
- Safety guardrails are removable. Fine-tuning can remove safety training from an open-weight model with modest compute, as demonstrated by multiple research groups. Open weights make safety guardrails a suggestion, not a constraint.
- Liability gaps. When a model is released open-source and then modified by a third party, liability for harmful outputs is unclear. The original developer, the modifier, and the deployer may each claim that harm is the others' responsibility.
- Competitive pressure. If frontier labs release open models, they face pressure to release ever-more-capable models openly to maintain community goodwill, even as capabilities reach levels where open release may be genuinely risky.
The practical reality is that the industry has settled on a spectrum. Models below a certain capability level (roughly GPT-3.5 class) are widely available as open weights. Frontier models are generally closed, with some exceptions (Meta's Llama series). The question is where the threshold should be, who should set it, and whether it should be a hard legal boundary or a soft norm.
4. Frontier Model Evaluations
A growing consensus (across both open and closed model advocates) is that frontier models should undergo rigorous pre-deployment evaluation for dangerous capabilities. The question is: what should be evaluated, by whom, and with what consequences?
What to Evaluate
The UK AISI and major labs have converged on a set of "dangerous capability evaluations" (evals) that test whether a model can:
- Assist with the synthesis of biological, chemical, or radiological weapons
- Generate persuasive disinformation at scale
- Conduct autonomous cyberattacks (discovering vulnerabilities, writing exploits, establishing persistence)
- Assist with surveillance, social engineering, or manipulation
- Engage in autonomous self-replication or resource acquisition
- Deceive evaluators about its capabilities or intentions
These evaluations are distinct from standard capability benchmarks (MMLU, HumanEval, etc.) in that they specifically target misuse scenarios. They require adversarial testing methodologies, often including red-teaming by domain experts (biosecurity specialists, offensive security researchers).
ARC-AGI and Capability Benchmarks as Governance Tools
Francois Chollet's ARC-AGI benchmark has gained attention as a potential governance tool because it attempts to measure general reasoning ability rather than narrow task performance. The idea is that a model's ARC-AGI score could serve as a proxy for its "general capability level," which could then trigger regulatory requirements above certain thresholds.
The challenges with using benchmarks as governance tools are substantial. Benchmarks can be gamed (trained on directly or indirectly). They measure specific capabilities, not general dangerousness. A model could score poorly on ARC-AGI but excel at assisting with specific dangerous tasks, or vice versa. And any fixed benchmark will eventually saturate as models improve, requiring constant revision.
Who Should Evaluate
Three models for evaluation governance have emerged:
- Self-evaluation by labs. Major labs conduct their own safety evaluations. This is the current default. The concern is obvious: the entity with the strongest incentive to deploy a model is also judging whether it is safe to deploy.
- Government evaluation. Institutions like the UK AISI or a US equivalent evaluate models before deployment. This provides independence but requires government agencies to maintain frontier technical capabilities, which is challenging given talent competition with industry.
- Independent third-party evaluation. Analogous to financial auditing, independent organizations evaluate models against agreed standards. This is the model proposed by several governance researchers, though no such institution yet operates at scale.
5. Open Problems in AI Governance
Several governance questions remain genuinely unresolved:
Dual-Use Capabilities
Almost all AI capabilities are dual-use: the same model that helps a doctor diagnose rare diseases can help an attacker craft convincing phishing emails. Governance regimes that restrict dangerous uses must avoid crippling beneficial ones. No jurisdiction has found a satisfactory solution to this tension. The challenge is compounded by the fact that "danger" is context-dependent: a model capability that is safe in one context (a cybersecurity professional testing defenses) is dangerous in another (a criminal exploiting vulnerabilities).
Liability for AI Outputs
When an AI system causes harm, who is liable? The model developer, the deployer, the user who crafted the prompt, or some combination? Existing legal frameworks (product liability, negligence, contract law) do not map cleanly onto AI systems, which are neither traditional products nor traditional services. The EU AI Act assigns primary responsibility to deployers (for high-risk systems), but the boundaries are contested and untested in court.
Organizations that deploy AI systems in high-stakes domains (hiring, lending, healthcare, criminal justice) without documented governance processes face serious legal and financial exposure. Under the EU AI Act, non-compliance penalties reach up to 7% of global annual revenue. In the United States, the FTC has already pursued enforcement actions against companies whose AI systems produced discriminatory outcomes, even absent AI-specific legislation. Beyond regulatory fines, organizations may face class-action lawsuits, reputational harm, and loss of operating licenses. If your system influences decisions that affect people's lives, livelihoods, or legal rights, you must implement bias auditing, maintain human oversight mechanisms, and keep thorough documentation of your model's training data, evaluation results, and deployment safeguards. "We did not know the model was biased" is not a viable legal defense when auditing tools and evaluation frameworks are widely available.
Training Data IP
The legal status of using copyrighted material for AI training remains unresolved in most jurisdictions. The US courts are hearing multiple cases (New York Times v. OpenAI, Getty Images v. Stability AI, and others). The EU AI Act requires transparency about training data but does not clearly resolve the copyright question. Japan has taken a permissive stance, while the UK has oscillated between positions. The outcome of these legal battles will significantly shape the economics of AI development.
Autonomous Systems
As AI agents become more capable (see Chapter 22), governance must address systems that take actions in the world with limited human oversight. Autonomous trading systems, self-driving vehicles, and AI-powered hiring tools all raise questions about accountability, liability, and the appropriate level of human control. The challenge intensifies as AI agents are chained together in multi-agent systems (Chapter 24), where the behavior of the system emerges from interactions between agents and may not be predictable from the behavior of any individual agent.
Many policy analysts argue that the most productive governance approach is a combination of compute transparency (KYC for cloud compute), mandatory dangerous-capability evaluations for frontier models (by independent third parties, not just by labs themselves), and a layered liability framework where responsibility is shared between developers and deployers based on the degree of customization and control. Approaches that attempt to ban specific capabilities face skepticism, because dual-use makes this practically impossible without crippling beneficial uses. Purely voluntary commitments also draw criticism, because the competitive pressure to deploy quickly creates systematic incentives to cut corners on safety. The open-weight question is the hardest: graduated access (open weights below a capability threshold, structured access above it) has gained traction, but setting the threshold is a deeply value-laden decision that should involve broad public input, not just the views of AI researchers and companies.
Exercises
Your company is planning to deploy an LLM-powered medical triage system in three markets: the EU, the US, and the UK. The system takes patient symptom descriptions and suggests urgency levels and potential diagnoses for review by human clinicians.
1. Under the EU AI Act, what risk category would this system likely fall into? What compliance requirements would apply?
2. What US regulatory framework(s) would apply to this system? How does the regulatory burden compare to the EU?
3. How would the UK's approach differ from both the EU and US approaches?
4. Propose a unified compliance strategy that satisfies all three jurisdictions simultaneously.
Answer
1. Under the EU AI Act, a medical triage system would likely be classified as "high risk" because it falls under healthcare applications that affect patient safety. Requirements include: a conformity assessment before deployment, a quality management system, detailed technical documentation, human oversight mechanisms (the "human in the loop" clinician review helps here), robustness and accuracy testing, bias monitoring, and post-market surveillance with incident reporting.
2. In the US, the system would fall under FDA oversight as a Software as a Medical Device (SaMD). The FDA's AI/ML regulatory framework requires pre-market submission (510(k) or De Novo pathway), clinical validation, and a predetermined change control plan for model updates. HIPAA applies to patient data handling. The regulatory burden is comparable to the EU for the medical-specific requirements but differs in approach: the FDA focuses on clinical safety and efficacy, while the EU AI Act adds broader requirements around transparency, human oversight, and fundamental rights.
3. The UK, via the MHRA (Medicines and Healthcare products Regulatory Agency), takes a similar approach to the FDA but with more flexibility through the "sandbox" regulatory approach. The UK AISI's evaluation framework would apply if the underlying LLM is a frontier model, but for a deployed medical application, the primary regulatory framework is medical device regulation rather than AI-specific regulation.
4. Unified strategy: design the system to the strictest standard (EU AI Act high-risk requirements), which will generally satisfy US and UK requirements as well. Specifically: implement comprehensive documentation (satisfies all three), build in human oversight as a core design feature (required by EU, recommended by all), conduct clinical validation to FDA standards (meets the highest clinical evidence bar), implement post-market monitoring and incident reporting, and maintain a predetermined change control plan for model updates. The incremental cost of meeting all three frameworks simultaneously is modest compared to meeting any single framework, because the requirements overlap substantially.
A major AI lab has developed a new model that significantly advances the state of the art in code generation. The model can autonomously discover and exploit software vulnerabilities with modest prompting. The lab is deciding whether to release the model with open weights.
1. Construct the strongest possible argument for open-weight release of this model.
2. Construct the strongest possible argument against open-weight release.
3. Propose a "structured access" compromise that captures some benefits of both positions.
Answer
1. For open release: The capability to discover vulnerabilities is essential for defensive cybersecurity. Open release allows security researchers, small companies, and governments worldwide to use the model for defense. Restricting access concentrates this capability among well-funded actors (who can develop similar models independently), while leaving defenders without it. The vulnerabilities the model can find already exist; the model accelerates discovery, which is beneficial if defenders use it before attackers develop equivalent tools independently. Historically, restricting security tools (e.g., Metasploit) has been less effective than broad availability with responsible disclosure norms.
2. Against open release: Unlike traditional security tools, this model significantly lowers the skill barrier for exploitation. A Metasploit user still needs substantial knowledge; this model does not require it. Open release is irreversible. Defensive use cases can be served through an API with usage monitoring, while open weights provide unmonitored access. The asymmetry between attack and defense matters: finding one vulnerability is enough for an attacker, while defenders must find them all. Accelerating vulnerability discovery disproportionately benefits attackers.
3. Structured access compromise: Release the model under a "responsible access" program: (a) Free API access for verified security researchers and organizations with responsible disclosure commitments. (b) Delayed open-weight release (e.g., 6 months after API launch) to give defenders a head start. (c) A fine-tuned variant with exploitation capabilities specifically removed for general open-weight release. (d) Monitoring and rate-limiting for the API version to detect misuse patterns. (e) Collaboration with major software vendors to use the model for proactive vulnerability discovery before any form of release.
- Compute governance is emerging as a practical lever. Tracking and regulating access to large-scale compute clusters provides a more enforceable mechanism than regulating algorithms or data directly.
- The regulatory landscape is fragmented globally. The EU AI Act, US executive orders, and Chinese regulations take fundamentally different approaches, creating compliance complexity for global deployments.
- Frontier model evaluations are still immature. Standardized dangerous capability evaluations are needed but lack consensus on methodology, thresholds, and enforcement mechanisms.
What Comes Next
In the next section, Section 35.3: Societal Impact, we broaden the lens from governance to examine AI's wider effects on labor markets, creative industries, scientific discovery, and education.
The world's first comprehensive AI regulation, establishing a risk-based framework that categorizes AI systems by their potential for harm. The primary legal text for understanding the EU's regulatory approach discussed in this section.
Established reporting requirements for frontier model training and directed federal agencies to develop AI safety standards. The key US policy document discussed in this section's comparison of governance approaches.
A comprehensive framework for regulating frontier AI systems, proposing safety evaluations and deployment oversight. Bridges the gap between technical safety research and practical policy design.
Heim, L. (2024). "Compute Governance and International AI Safety." Centre for the Governance of AI.
Argues that compute is the most measurable and controllable input to AI development, making it the natural lever for governance. Provides the analytical framework for the compute governance discussion in this section.
Proposes technical mechanisms for verifying compliance with compute thresholds through hardware monitoring. Demonstrates that compute governance can be technically implemented, not just theoretically discussed.
Systematically analyzes the risks and benefits of open-sourcing powerful AI models, proposing structured release strategies. Essential reading for the open vs. closed debate in AI governance.
Chollet, F. (2024). "ARC-AGI: A Formal Measure of Intelligence." ARC Prize Foundation.
Proposes the Abstraction and Reasoning Corpus as a benchmark for measuring genuine intelligence rather than memorization. Relevant to the governance challenge of assessing when models reach concerning capability levels.
Proposes institutional and technical mechanisms for verifying safety claims made by AI developers. Connects the abstract goal of trustworthy AI to concrete organizational and auditing practices.
