AI governance is the messy, necessary work of deciding who gets to build what, who is responsible when things go wrong, and what guardrails exist between a research breakthrough and its deployment into the lives of billions of people. It operates at multiple levels simultaneously: international agreements (the Bletchley Declaration, the G7 Hiroshima Process), national legislation (the EU AI Act, China's Interim Measures for Generative AI), industry self-regulation (Anthropic's Responsible Scaling Policy, Google's AI Principles), and internal corporate governance (ethics review boards, red teams, deployment checklists). None of these levels works well in isolation, and the interactions between them create a governance landscape that is genuinely difficult to navigate.
The EU AI Act, which began enforcement in stages starting in 2025, is the most comprehensive AI-specific legislation in the world. It classifies AI systems by risk level: unacceptable (banned outright, like social scoring), high-risk (subject to conformity assessments, documentation requirements, and human oversight mandates), and limited/minimal risk (lighter obligations). The approach is systematic but complex — companies building general-purpose AI models face a distinct set of rules under the "GPAI" provisions, including transparency requirements and, for the most powerful models, adversarial testing and incident reporting obligations. The United States, by contrast, has taken a sector-specific approach: FDA guidance for AI in medical devices, NIST's AI Risk Management Framework as a voluntary standard, and a patchwork of state laws. China has moved quickly with targeted regulations on deepfakes, recommendation algorithms, and generative AI, each with specific registration and content requirements. For companies operating globally, compliance means navigating all of these simultaneously, and the rules do not always agree with each other.
Inside organizations, AI governance means more than publishing an ethics statement. The companies that do this well have concrete mechanisms: pre-deployment review processes that require sign-off from safety teams before a model ships, red-team exercises where internal adversaries try to break systems before launch, model cards and system documentation that track a model's capabilities, limitations, and known failure modes, and incident response plans for when things go wrong in production. The companies that do this poorly treat governance as a communications exercise — a page on their website listing principles that their engineering teams have never read. The difference is usually visible in the org chart: if the safety team reports to the product team, governance tends to lose when it conflicts with shipping deadlines. If it reports independently, it has a fighting chance.
The AI industry's self-regulatory efforts are a source of genuine disagreement among thoughtful people. Proponents point to concrete outcomes: Anthropic's Responsible Scaling Policy defines capability thresholds that trigger increasingly stringent safety requirements as models get more powerful. OpenAI's Preparedness Framework commits to specific evaluations before deployment. The Frontier Model Forum brings major labs together to share safety research. Critics counter that these commitments are voluntary, self-assessed, and routinely subordinated to competitive pressure. When OpenAI dissolved its Superalignment team in 2024, it demonstrated the fragility of self-governance when it conflicts with commercial objectives. The honest assessment is that self-regulation has produced genuinely useful safety practices, but it is insufficient on its own — particularly for risks that affect people outside the company's user base.
Several fundamental governance questions remain genuinely unresolved. Should frontier AI models require government licensing, similar to pharmaceuticals or nuclear technology? How do you regulate open-source models that, once released, cannot be recalled? Who is liable when an AI system causes harm — the model developer, the company that deployed it, or the user who prompted it? How do you enforce rules on AI systems whose capabilities are difficult even for their creators to fully enumerate? And at the international level, how do you prevent a race to the bottom where companies and researchers relocate to the jurisdiction with the lightest regulation? These are not rhetorical questions. They are active policy debates with real consequences, and the answers will shape whether AI governance becomes a functional system or an exercise in paper compliance.