Global Fragmentation of AI Governance

By Aryamehr Fattahi | 30 January 2026

Summary

• Global AI governance has fragmented into competing regulatory philosophies, with the European Union (EU) enforcing mandatory compliance, the United States (US) pursuing federal preemption of state laws, and Asia-Pacific favouring voluntary frameworks. Approximately over 70 countries have established AI strategies, but only around 27 have enacted binding AI-specific legislation.

• Organisations operating across jurisdictions face the challenge of building parallel compliance architectures whilst managing internal risks from shadow AI proliferation and the emergence of agentic AI systems that challenge traditional accountability frameworks.

• Regulatory divergence will intensify through 2027, with the EU-US gap widening as enforcement actions begin. Enterprises with mature AI governance will likely capture competitive advantage through differentiation, whilst laggards face both regulatory penalties and heightened operational risks.

Context

The regulatory landscape entering 2026 reflects fundamentally incompatible approaches to AI oversight. The EU AI Act, which entered into force on 1 August 2024, phases in its most consequential provisions on 2 August 2026, when high-risk AI system obligations become enforceable. Providers must complete conformity assessments, implement quality management systems, and register systems in the EU database before market placement. Deployers face requirements including human oversight assignment, fundamental rights impact assessments, and log retention for a minimum of 6 months. Penalties reach EUR 35m or 7% of global turnover for prohibited practices violations. However, the European Commission's Digital Omnibus proposal could extend these deadlines if standards and support tools are not finalised in time, creating additional planning uncertainty for enterprises.

The US has moved in the opposite direction. US President Donald Trump signed Executive Order 14365 on 11 December 2025, establishing a policy to sustain US global AI dominance through a minimally burdensome national policy framework. The order creates an AI Litigation Task Force mandated to challenge state AI laws deemed inconsistent with federal policy, though executive orders cannot directly preempt state legislation; court rulings are required for preemption to take effect. The Commerce Department must publish an evaluation of state laws within 90 days, specifically targeting Colorado's algorithmic discrimination provisions. State-level regulation nonetheless advances. Multiple state AI laws took effect on 1 January 2026, including California's Transparency in Frontier AI Act and Texas's Responsible AI Governance Act.

Asia-Pacific approaches remain predominantly voluntary. Singapore launched the world's first governance framework for agentic AI on 22 January 2026, addressing autonomous systems capable of planning and executing tasks with minimal human intervention. South Korea's AI Basic Act, Asia-Pacific's first binding comprehensive AI law, took effect the same day. The World Economic Forum's Global Risks Report 2026 ranks adverse outcomes of AI as the 5th highest long-term global risk, rising from 30th in short-term assessments, the starkest trajectory of any risk category.

Implications and Analysis

The regulatory divergence outlined above creates cascading effects across compliance, enterprise governance, cybersecurity, and competitive positioning.

Implications for Compliance and Operations

Regulatory fragmentation creates layered compliance obligations that compound operational complexity. Organisations serving EU customers must meet binding requirements by August 2026, regardless of headquarters location, given the AI Act's extraterritorial scope. Simultaneously, US operations face state-by-state obligations with varying definitions, enforcement mechanisms, and penalty structures, whilst federal policy actively discourages compliance with certain state laws through threatened funding restrictions.

The practical consequence is that multinationals cannot build unified compliance programmes. EU requirements mandate full data lineage tracking, human-in-the-loop checkpoints, and risk classification documentation. US voluntary frameworks like NIST's AI Risk Management Framework provide operational guidance but carry no enforcement mechanism. Chinese regulations impose penalties reaching 50 million yuan or 5% of annual turnover, whilst requiring strict data localisation, but are incompatible with EU adequacy determinations.

Standards bodies offer partial convergence. ISO/IEC 42001, the first certifiable international AI management system standard, has achieved notable adoption. Yet voluntary standards cannot substitute for regulatory compliance, and companies planning AI audits or certification face uncertain returns as jurisdictional requirements diverge.

Third-party vendor management adds another layer of complexity. Most enterprises rely on external AI providers for core capabilities, yet the EU AI Act assigns deployer obligations regardless of whether the AI system was developed in-house or procured. Organisations face the challenge of flowing compliance requirements through to vendors, conducting due diligence on third-party model governance, and maintaining contractual protections that may be difficult to enforce across jurisdictions. The opacity of many AI supply chains compounds this challenge, as organisations often lack visibility into the provenance and training data of models embedded within vendor products.

Enterprise Governance Challenges

The governance challenge extends beyond regulatory compliance to operational risk management. Shadow AI has become pervasive: An estimated 98% of organisations have employees using unsanctioned applications, including AI tools, with nearly 90% of enterprise AI usage invisible to IT departments. The financial impact is quantifiable: Shadow AI breaches add approximately USD 670,000 to average breach costs, a 16% increase.

Enterprise AI proliferation has accelerated dramatically. According to Palo Alto Networks' 2025 State of GenAI report, the average organisation now runs approximately 66 generative AI applications, with 10% classified as high-risk under emerging frameworks. This proliferation creates governance gaps that traditional compliance frameworks were not designed to address.

The accountability challenge intensifies with agentic AI adoption. Machine identities now outnumber human employees by substantial margins, and a majority of organisations report encountering risky behaviours from AI agents, including improper data exposure and unauthorised system access. Singapore's framework explicitly acknowledges that organisations remain legally accountable for their agents' behaviours, but enforcement mechanisms remain untested.

Cybersecurity Dimensions

AI governance intersects with cybersecurity at multiple points. Deepfakes now account for a significant portion of biometric fraud attempts, with deepfake file volumes reaching 8 million in 2025, up from 500,000 in 2023. The "harvest now, decrypt later" quantum computing threat has accelerated as AI advances quantum capabilities, with the exposure window for encrypted data extending decades under delayed post-quantum cryptography adoption.

AI supply chain vulnerabilities present governance challenges that existing frameworks struggle to address. Malicious open-source packages have increased substantially year-over-year, whilst malicious AI models on major repositories have grown considerably. Traditional software bills of materials were not designed for executable, fast-changing AI models, creating opacity that undermines both security and compliance.

Strategic and Competitive Implications

The compliance burden will likely stratify the competitive landscape. Multinational enterprises with mature AI governance may leverage certification as a competitive differentiation; early adopters of standards-based certification report improved contract win rates. Organisations without governance infrastructure face both regulatory penalties and potential procurement exclusion as government and critical infrastructure buyers demand conformity assessments upfront. The fragmented landscape may also force AI developers toward jurisdiction-specific model development, increasing costs and fragmenting innovation. US developers serving EU customers cannot rely on domestic deregulation, as extraterritorial enforcement will apply regardless of Trump administration policy.

For compliance teams, parallel compliance architectures are likely to become necessary, with EU requirements serving as the de facto ceiling for global operations. The AI governance software market is projected to grow substantially, reflecting the scale of the compliance challenge. From an investment perspective, AI governance maturity increasingly correlates with enterprise value. The emerging "trust premium" applies to companies demonstrating responsible AI deployment, whilst governance failures create material liability exposure. The high rate of S&P 500 AI risk disclosures signals that AI risk has shifted from emerging concern to board-level priority.

Forecast

• Short-term (Now - 3 months)

  • The Commerce Department evaluation of state AI laws (due by mid-March 2026) will likely identify Colorado's AI Act as problematic, triggering litigation that creates compliance uncertainty. Enterprises should maintain state law compliance pending court rulings. DOJ Task Force challenges are a realistic possibility, but immediate pre-emption is highly unlikely.

• Medium-term (3-12 months)

  • EU AI Act high-risk obligations (August 2026) will likely generate the first significant enforcement actions against non-compliant AI systems, targeting high-profile use cases in employment and financial services. Compliance costs will pressure smaller AI providers; market consolidation is a realistic possibility as governance requirements create barriers to entry.

• Long-term (>1 year)

  • Regulatory arbitrage will likely intensify as the EU-US gap widens, with some AI development relocating to lower-regulation jurisdictions. By 2028, large enterprises will likely require multiple distinct governance software products to manage fragmented compliance obligations. Global harmonisation remains a remote chance absent a major AI incident that catalyses international cooperation.