Regulation, Compliance, and Governance

"Regulation is the price of being taken seriously."

Compass, Regulation-Aware AI Agent

Looking Back

Chapter 52 measured bias and harm. This chapter maps the regulatory response: the EU AI Act, the US executive orders and state-level laws, the UK and APAC frameworks, and the compliance work product (risk registers, transparency reports, conformity assessments) that LLM teams now ship alongside the model.

Big Picture

EU AI Act, GDPR, NIST AI RMF, sector-specific regs, risk governance, and compliance-as-code.

Chapter Overview

Regulation is the part of the LLM stack that lawyers and product teams have to share. This chapter walks the global regulatory landscape, the EU AI Act in operational detail (high-risk classification, conformity assessment, transparency duties), risk governance and model inventory practice, LLM licensing and intellectual-property questions, and the open governance problems (international coordination, frontier risk, capability evaluations) that will shape the next regulatory cycle.

Regulation moved from "watching from a distance" to "binding on shipped products" in 2024 and 2025. This chapter is the practitioner's map: what is binding now, what is coming, and where the genuine open questions sit.

What's Next?

This chapter begins with Section 53.1: Global Regulatory Landscape. Each section builds on the previous one, so we recommend reading them in order.

Further Reading

Primary Regulatory Texts

European Parliament & Council. (2024). "Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act)." Official Journal of the European Union. EUR-Lex 32024R1689. The authoritative text of the world's first comprehensive AI regulation; every Article-50 transparency clause and Article-51/55 GPAI obligation discussed in 53.2 lives here.
NIST. (2023). AI Risk Management Framework (AI RMF 1.0). NIST AI 100-1. NIST AI RMF. The US voluntary risk framework that has become the de facto enterprise governance reference; it maps directly to the model-inventory and ownership patterns in 53.3.
ISO/IEC. (2023). ISO/IEC 42001: Information technology, Artificial intelligence, Management system. International Organization for Standardization. ISO 42001. The international AI management-system standard that enterprises certify against; complements NIST AI RMF for ISO-aligned governance programs.

Analyses and Commentary

Veale, M., & Borgesius, F. Z. (2021). "Demystifying the Draft EU Artificial Intelligence Act." Computer Law Review International, 22(4). arXiv:2107.03721. The most widely cited legal analysis of the AI Act's structure; essential context for the risk-tier and obligation taxonomy.
Anderljung, M., Barnhart, J., Korinek, A., Leung, J., O'Keefe, C., Whittlestone, J., et al. (2023). "Frontier AI Regulation: Managing Emerging Risks to Public Safety." arXiv preprint. arXiv:2307.03718. Influential policy paper proposing frontier-model registration, evaluation, and licensing regimes that informs the GPAI obligations.

Licensing, IP, and Privacy

Lemley, M. A., & Casey, B. (2021). "Fair Learning." Texas Law Review, 99(4). SSRN:3528447. The foundational legal argument for training-data fair use that frames the ongoing NYT v. OpenAI and Authors Guild litigation cited in 53.4.