Our thinking

AI Watch: Global regulatory tracker

What's inside

Keeping track of AI regulatory developments around the world.

The global dash to regulate AI

Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.

Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).

Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world. 

Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:

  1. "AI" means different things in different jurisdictions: One of the foundational challenges that any international business faces when designing an AI regulatory compliance strategy is figuring out what constitutes "AI." Unfortunately, the definition of AI varies from one jurisdiction to the next. For example, the draft text of the EU AI Act adopts a definition of "AI systems" that is based on (but is not identical to) the OECD's definition, and which leaves room for substantial doubt due to its uncertain wording. Canada has proposed a similar, though more concise, definition. Various US states have proposed their own definitions, which differ from one another. And many jurisdictions (e.g., the UK, Israel, China, and Japan) do not currently provide a comprehensive definition of AI. Because several of the proposed AI regulations have extraterritorial effect (meaning more than one AI regulation may apply simultaneously), international businesses may be forced to adopt a "highest common denominator" approach to identifying AI based on the strictest applicable standard.
  2. Emerging AI regulations come in different forms: The various emerging AI regulations have no consistent legal form – some are statutes, some are executive orders, some are expansions of existing regulatory frameworks, and so on. The EU AI Act is a "Regulation" (which means that most of it will apply directly in all EU Member States, without the need for national implementation in most cases). The UK has taken a different approach, declining to legislate at this early stage in the development of AI, and instead choosing to task existing UK regulators with the responsibility of interpreting and applying five AI principles in their respective spheres. In the US, there is a mix of White House Executive Orders, federal and state initiatives, and actions by existing regulatory agencies, such as the Federal Trade Commission. As a result, the types of compliance obligations that international businesses face are likely to be materially different from one jurisdiction to the next. Many other jurisdictions have yet to decide whether they will issue sector-specific or generally applicable rules and have yet to decide between creating new regulators or expanding the roles of existing regulators, making it challenging for businesses to anticipate what form their AI regulatory relationships will take in the long term.
  3. Emerging AI regulations have different conceptual approaches: The next difficulty is the lack of a consistent conceptual approach among emerging AI regulations around the world – some are legally binding while others are not, some are sector-specific while others apply across all sectors, some will be enforced by regulators while others are merely guidelines or recommendations, and so on. As noted above, the UK approach is to use existing regulators to implement five AI principles, but with no new explicit legal obligations. This has the advantage of meaning that businesses will deal with AI regulators with whom they are already familiar but has the disadvantage that different UK regulators may interpret these principles differently in their respective spheres. The EU AI Act is cross-sectoral and creates new regulatory and enforcement powers for existing bodies, including the European Commission, and also creates entirely new bodies such as the AI Board and the AI Office, while leaving EU Member States to appoint their own AI regulators tasked with enforcing the AI Act. In the US, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement clarifying that their existing authority covers AI, while various state regulators are also likely to have competence to regulate AI. International organizations including the OECD, the UN, and the G7 have issued AI principles, but these impose no legal obligations on businesses. In principle, these initiatives encourage consistency across members of each organization, but in practice this does not seem to have worked.
  4. Flexibility is a double-edged sword: In an effort to create AI regulations that can adapt to technological advances that have not yet been anticipated, many jurisdictions have sought to include substantial flexibility in those regulations, either by using deliberately high-level wording and policies, or by allowing for future interpretation and application by courts and regulators. This has the obvious advantage of prolonging the lifespan of such regulations by allowing them to be adapted to future technologies. However, it also creates the disadvantage of uncertainty because it leaves businesses uncertain of how their compliance obligations will be interpreted in the future. This is likely to mean that it is harder for businesses to know whether their planned implementations of AI will be lawful in the medium-to-long term and may make it harder to attract long-term AI investment in those jurisdictions.
  5. The overlap between AI regulation and other areas of law is complex: A substantial number of laws that are not directly focused on AI nevertheless apply to AI by association within their respective spheres, meaning that any use of AI will often trigger compliance issues and legal challenges even where there is not (yet) any enforceable AI-specific law. These areas of overlap include: IP (e.g., IP infringement issues with respect to AI model training data, and questions about copyright and patentability of AI-assisted inventions); antitrust; data protection (which adds restrictions to processing of personal data, and in some cases imposes special compliance obligations for processing carried out by automated means, including by AI); M&A (where AI innovation is driving dealmaking in many markets); financial regulation (where financial regulatory requirements may limit the ways in which AI can lawfully be deployed); litigation; digital infrastructure; securities; global trade; foreign direct investment; mining & metals; and so on. This overlap will mean that many businesses need to understand not just AI regulations in general, but also any rules that affect the use of AI in the context of the relevant sector or business activity.

Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.

Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.



Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.



The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.

Sao Paulo


AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.



The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.


Council of Europe

The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.

European Union

Czech Republic

The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.

Czech Republic

European Union

The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.


European Union


France actively participates in international efforts and proposes sector-specific laws.



The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.

G7 flags


Germany evaluates AI-specific legislation needs and actively engages in international initiatives.



National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.



Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.



Italy engages in political discussions for future laws.



Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.



Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.



Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.



Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.



The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.

country flags

Saudi Arabia

Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.

Riyadh_Hero_1600x600 Saudi Arabia


Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.


South Africa

South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.


South Korea

South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.



Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.



Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.



Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.

Taiwan city


Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.


United Arab Emirates

Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.


United Kingdom

The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.

London hero image

United Nations

The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.

United Nations

United States

The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.

New York city photo


Tim Hickman
Erin Hanson
New York
Dr. Sylvia Lorenz
New York city photo

AI Watch: Global regulatory tracker - United States

The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.

14 min read

Laws/Regulations directly regulating AI (the “AI Regulations”)

Currently, there is no comprehensive federal legislation or regulations in the US that regulate the development of AI or specifically prohibit or restrict their use. However, there are existing federal laws that concern AI albeit with limited application. A non-exhaustive list of key examples includes:

  • Federal Aviation Administration Reauthorization Act, which includes language requiring review of AI in aviation.1
  • National Defense Authorization Act for Fiscal Year 2019, which directed the Department of Defense to undertake various AI-related activities, including appointing a coordinator to oversee AI activities.2
  • National AI Initiative Act of 2020, which focused on expanding AI research and development and created the National Artificial Intelligence Initiative Office that is responsible for “overseeing and implementing the US national AI strategy.”3

Nevertheless, various frameworks and guidelines exist to guide the regulation of AI, including:

  • The White House Executive Order on AI (titled Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence) which is aimed at numerous sectors, and is premised on the understanding that “[h]arnessing AI for good and realizing its myriad benefits requires mitigating its substantial risks.” 4 The executive order focuses on federal agencies and developers of foundation models, mandates the development of federal standards, and requires developers of the most powerful AI systems to share safety tests results and other critical information with the U.S. government. The Executive Order also calls on the Department of Commerce to issue guidance for content authentication and watermarking to label AI-generated content.
  • The White House Blueprint for an AI Bill of Rights, which asserts guidance around equitable access and use of AI systems.5 The AI Bill of Rights provides five principles and associated practices to help guide the design, use and deployment of “automated systems” including safe and effective systems; algorithmic discrimination and protection; data privacy; notice and explanation; and human alternatives, consideration and fallbacks
  • Several leading AI companies (e.g., Adobe, Amazon, IBM, Google, Meta, Microsoft, Open AI, and Salesforce) have voluntarily committed to “help move toward safe, secure, and transparent development of AI technology.”6 These companies committed to internal/external security testing of AI systems before release, sharing information on managing AI risks and investing in safeguards. 
  • The Federal Communications Commission issued a declaratory ruling stating that the restrictions on the use of “artificial or pre-recorded voice” messages in the 1990s era Telephone Consumer Protection Act include AI technologies that generate human voices, demonstrating that regulatory agencies will apply existing law to AI.7

Status of AI- specific legislation

On September 12, 2023, the US Senate held public hearings regarding AI8, which laid out potential forthcoming AI regulations. Possible legislation could include requiring licensing and creating a new federal regulatory agency. Additionally, US lawmakers held closed-door listening sessions with AI developers, technology leaders and civil society groups on September 13, 2023 in a continued push to understand and address AI.9

There are several federal proposed laws related to AI. A non-exhaustive list of key examples includes:

  • The SAFE Innovation AI Framework,10 which is a bipartisan set of guidelines for AI developers, companies and policymakers. This is not a law, but rather a set of principles to encourage federal law-making on AI
  • The REAL Political Advertisements Act,11 which aims to regulate generative AI in political advertisements
  • The Stop Spying Bosses Act,12 which aims to regulate employers surveilling employees with machine learning and AI techniques
  • The Draft No FAKES Act,13 which would protect voice and visual likenesses of individuals from unauthorized recreations from Generative AI
  • The AI Research Innovation and Accountability Act,14 which calls for greater transparency, accountability and security in AI, while establishing a framework for AI innovation. It would create an enforceable testing and evaluation standard for high-risk AI systems and require companies that use high-risk AI systems to produce transparency reports. It also empowers the National Institute of Standards and Technology to issue sector-specific recommendations to regulate them 

State legislatures have also introduced a substantial number of bills aimed at regulating AI, notably:

  • On May 17, 2024, Colorado enacted the first comprehensive US AI legislation, the Colorado AI Act. The Act creates duties for developers and for those that deploy AI. The Act focuses on automated decision-making systems and defines a covered high-risk AI system as one that "when deployed, makes, or is a substantial factor in making a consequential decision." There is a specific focus on bias and discrimination, and developer and deployers must use reasonable care to avoid discrimination via AI systems that make, or are a substantial factor in making a consequential decision. The Act will go into effect in 2026 
  • The California Consumer Privacy Act,15 which contains provisions on the use of automated decision-making tools. Additionally, the California Privacy Protection Agency released draft rules on these provisions16 governing consumer notice, access and opt-out rights with respect to automated decision-making technology, which the rules define broadly. The regulations are still being finalized but will likely cover expanded uses of AI. The draft rules, which are not expected to be formalized until sometime in 2024, would require significant disclosure about businesses’ implementation and use of ADMT
  • More than 40 state AI bills were introduced in 2023, with Connecticut17 and Texas18 actually adopting statutes. Both of those enacted statutes establish state working groups to assess state agencies’ use of AI systems to ensure they do not result in unlawful discrimination

Other laws affecting AI

Existing legislation has been the primary way in which the US regulates AI as established law, including privacy and intellectual property laws, which are generally applicable to AI technologies. 

Notably, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement noting that "existing legal authorities apply to the use of automated systems and innovative new technologies."19 As cited above, in February 2024, the Federal Communications Commission applied restrictions in the Telephone Consumer Protection Act on AI-generated voices.

Several states have enacted comprehensive privacy legislation that can also regulate AI. A non-exhaustive list of notable state legislation includes:

  • The California Privacy Protection Act, which regulates automated decision-making20
  • The Biometric Information Privacy Act in Illinois,21 which is very broad and allows for extremely high damages for violations. There is currently pending litigation in the AI context 

Existing intellectual property laws also apply to AI, both with respect to the data AI technologies are trained upon and the outputs of such technologies. For example, with respect to outputs, the US District Court has held that human authorship is an essential part of a valid copyright claim, and the Copyright Office will refuse to register a work unless it was created by a human being."22 There are also numerous cases before the courts in the US alleging copyright infringement, among other things, with respect to training data.23 

Several states have also issued executive orders regarding AI. Notably, in California, the Executive Order on Generative AI24 highlights the benefits of Generative AI, but also the need for safety instructing state agencies to examine how AI use for California residents may threaten privacy and security.

Definition of “AI” 

There is no single definition of AI. 

The National Artificial Intelligence Initiative and White House Executive Order on AI define AI as "a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Artificial intelligence systems use machine- and human-based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action."25

Many state privacy bills have different definitions of automated decision-making technology or "profiling":

  • A recent Texas statute establishing an AI advisory council (HB 2060) defines an "automated decision system" as "an algorithm, including an algorithm incorporating machine learning or other artificial intelligence techniques, that uses data-based analytics to make or support governmental decisions, judgments or conclusions"26 
  • Connecticut’s Public Act No. 22-15 defines "profiling" as "any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements" 27
  • The California Privacy Protection Act defines "profiling" as "any form of automated processing of personal information, [...] to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements."28

Territorial scope

As noted above, there are currently no comprehensive federal laws that have been enacted to specifically regulate AI. Accordingly, there is no specific territorial scope of federal legislation. However, many existing statutes regulate activities in which AI can be used, and those federal statutes typically apply nationally and, in some cases, extra-territorially. State legislation regulating AI generally has extra-territorial effect as its application typically extends to entities that target its residents from within or outside the state.

Sectoral scope

As noted above, there are currently no comprehensive federal laws that directly regulate AI. Accordingly, there is no specific federal sectoral scope at this stage. Nevertheless, there are certain sector-specific frameworks that have been implemented in the US to regulate the use of AI. A non-exhaustive list of key examples includes:

  • In the insurance sector, the National Association of Insurance Commissioners issued a model bulletin29 that focuses on governance frameworks, risk management protocols and testing methodologies that insurers should have in place to govern their use of AI systems that impact insurance consumers. Once adopted by the NAIC (expected early 2024), state insurance departments could use the bulletin at their discretion as the bulletin is not new law, but instead enforces the application of current laws to insurers’ use of AI and serves as guidance as to regulatory expectations
  • In the employment sector, the City of New York enacted Local Law 144 of 202130 that "prohibits employers and employment agencies [in the city] from using an automated employment decision tool unless the tool has been subject to a bias audit within one year of the use of the tool, information about the bias audit is publicly available, and certain notices have been provided to employees or job candidates"31

Compliance roles

As noted above, there is currently no comprehensive federal legislation in the US that directly regulates AI. Accordingly, there are currently no specific or unique federal obligations imposed on developers, users, operators and/or deployers of AI systems. However, developers, users, operators and deployers of AI systems should anticipate that existing law will apply to any regulated activity that uses AI, and consult legal counsel about the potential liabilities that may arise. While potentially novel, the use of AI does not per se provide a shield from the application of existing law.

Core issues that the AI regulations seek to address

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. However, the White House Executive Order on AI and proposed legislation at the federal and state level generally seeks to address the following issues:

  • Safety and security
  • Responsible innovation and development
  • Equity and unlawful discrimination
  • Protection of privacy and civil liberties

Risk categorization

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. AI is also not generally classified according to risk in the relevant frameworks and principles.

Key compliance requirements

As noted above, there is currently no comprehensive federal legislation in the US that directly regulates AI. Nevertheless, the White House Executive Order on AI lists the following eight key principles and priorities to encourage the responsible development of AI technologies and safeguard against potential harms:

  • AI must be safe and secure
  • To lead in AI, the US must promote responsible innovation, competition and collaboration
  • Responsible development and use of AI requires a commitment to supporting American workers
  • AI policies must advance equity and civil rights
  • The interests of Americans who increasingly use, interact with, or purchase AI and AI-enabled products in their daily lives must be protected
  • Privacy and civil liberties must be protected
  • The federal government must manage the risks of its own use of AI
  • The federal government should exercise global leadership in societal, economic and technological progress32


Currently, there is no AI-specific federal regulator in the US. However, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau and Department of Justice issued a joint statement clarifying that their authority applies to "software and algorithmic processes, including AI."33

Similarly, state regulators that regulate privacy legislation likely also have the authority to regulate AI vis-à-vis existing privacy provisions. The FTC has been active in this area, and we can expect to see more from them going forward; see discussion of Rite Aid below.

Enforcement powers and penalties

As noted above, there are currently no comprehensive federal laws or regulations in the US that have been enacted specifically to regulate AI. As such, enforcement and penalties relating to the creation, dissemination and/or use of AI are governed by application of existing law to situations involving AI, through regulatory or judicial application of non-AI-specific federal and state statutes or AI-specific state privacy legislation.

In addition, the Federal Trade Commission has evoked an interest in and focus on regulating AI through enforcement. On December 19, 2023, the FTC settled a significant action focused on artificial intelligence bias and discrimination against Rite Aid regarding the company’s use of facial recognition technology for retail theft deterrence.34 This illustrative case provides guidance on the FTC’s enforcement on AI systems. For example, the proposed consent order35 between Rite Aid and the FTC: 

  • Prohibits Rite Aid from using AI facial recognition for five years
  • Requires Rite Aid to delete all photos and videos of consumers used in its AI facial recognition 
  • Specifies that after Rite Aid’s ban on using AI facial recognition expires, if Rite Aid operates AI facial recognition technology for surveillance, it must maintain a comprehensive automated biometric security or surveillance system monitoring program that identifies and addresses the risks of such operation and notifies consumers of its use of AI facial recognition. Rite Aid must also provide a means for consumers to lodge complaints, and investigate and respond to all complaints received, among other requirements

Further insights from White & Case:

https://www.congress.gov/116/crpt/hrpt617/CRPT-116hrpt617.pdf#page=1210; https://trumpwhitehouse.archives.gov/briefings-statements/white-house-launches-national-artificial-intelligence-initiative-office/ 
https://www.coons.senate.gov/imo/media/doc/no_fakes_act_one_pager.pdf ; and https://www.coons.senate.gov/imo/media/doc/no_fakes_act_draft_text.pdf 
https://www.govinfo.gov/content/pkg/USCODE-2022-title15/pdf/USCODE-2022-title15-chap119-sec9401.pdf ; and https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence 

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP