CHAPTER 5 Navigating AI Governance as a Normative Field: Norms, Patterns, and Dynamics

Defining AI Governance

Defining the contours of AI governance is not an easy task.⁹ The definition of what accounts for AI has been contested all along and varies across contexts and actors. Despite various efforts, a uniform standard definition has not emerged yet—and even some of the most influential definitions are subject to updates, as the recent definitional amendments to AI Guidelines of the Organisation for Economic Co-operation and Development (OECD) illustrate.¹⁰ The challenge of defining where AI governance starts and where it ends is further exacerbated not only because the term AI is contested but also because the notion of governance is a highly amorphous concept with many meanings across different cultural and application contexts.¹¹ Questions of terminology seem mostly of academic interest at first, and it is striking that languages generally have received relatively little attention in contemporary AI conversations. But when entering the regulatory arena, more precise understandings of certain terms matter greatly and have real-world consequences, as the struggles to specify the many newly introduced terms in the EU AI Act might illustrate.

This article avoids a sharp definition of the subject it seeks to explore and takes a pragmatic approach. With respect to AI, the updated definition by the OECD serves as the term’s core with a halo around it, reflecting broader definitions used in other norm complexes aimed at steering the development, deployment, and use of AI across a spectrum of open and closed technological and organizational settings. Similarly, a pragmatic understanding of the concept of governance is adopted, embracing a diversity of modalities of norms (from ethical principles to hard law), different levels of governance (from local to global), and a range of actors involved in such efforts (from professional associations to lawmakers).

Taking these elements together, AI governance can be circumscribed as the sum of all coexisting forms of collective regulation of matters associated with machine-based systems, which infer from inputs how to generate outputs that have the potential to influence physical or virtual environments.

Emerging AI Governance Arrangements

Fueled by an accelerating pace of innovation in AI research, development, and deployment, debates about the needs for and modalities of AI governance have intensified in recent years, spanning local to global levels. A broad range of stakeholders has launched various initiatives to set up dedicated guardrails for AI-based technologies, starting with several hundred AI ethics principles initiatives,¹² followed by hundreds of legislative and regulatory interventions,¹³ as well as a plethora of standard-setting and best practice efforts. Among the many initiatives, the following flagship efforts with the potential for international impact serve as reference points in this chapter:

• Canada’s Draft Artificial Intelligence and Data Act¹⁴ introduces guardrails to ensure that AI systems deployed in Canada are safe and nondiscriminatory and creates accountability mechanisms for businesses as they develop and use AI-based technologies.
• China’s Interim Generative AI Measures¹⁵ seek to encourage and guide the responsible use of generative AI with respect for national security while making everyone who develops and uses generative AI products to provide services to the public in China subject to government oversight.
• Brazil’s Draft Artificial Intelligence Act¹⁶ seeks to create rules for making AI systems available in Brazil, establish rights for people affected by their operation, provide penalties for violations, and set up a supervising body.
• EU’s AI Act¹⁷ is a comprehensive draft law aimed at addressing the risks of AI through a broad range of obligations and requirements to safeguard the health, safety, and fundamental rights of citizens. It seeks to ensure the proper functioning of the EU single market by setting consistent rules for AI systems across the EU.
• US Executive Order on Safe, Secure, and Trustworthy AI¹⁸ establishes new and whole-of-government standards for government agencies to address safety and security risks associated with the development and use of AI in the social, economic, and national security spheres.

These initiatives only provide a subset of the diverse AI governance arrangements at the national level. The US AI governance landscape, for instance, consists of an amalgam of norms, which includes—in addition to the Executive Order and bills such as the US Algorithmic Accountability Act¹⁹—sector-specific initiatives (e.g., in the health and transportation sectors) and legislation at the state and city level, in addition to a broad range of soft law instruments ranging from an AI Bill of Rights²⁰ to voluntary commitments by leading AI companies, numerous ethical principles by private and public sector entities, and technical standards by standard-setting organizations such as the National Institute of Standards and Technology (NIST),²¹ to name just a few AI governance sources.

Other nation states—including the United Kingdom, India, Japan, Singapore, and Switzerland—have taken a different route so far (note that things remain in flux) by either pursuing a sectoral approach to AI governance or refraining from the use of hard law while promoting the responsible development, deployment, and use of AI through nonbinding governance mechanisms such as guidelines, best practices, and standards.

While some of these efforts at the national and regional level target AI specifically as a distinct set of technologies using different techniques and methods, AI governance has not emerged in isolation. Existing general guardrail regimes, among other factors discussed subsequently, provide the relevant normative context in which more specific interventions now take place.

Contextualizing AI Governance

AI governance, like AI itself, should not be considered in isolation but rather contextualized as part of a social fabric of norms and stabilized expectations, ranging from formalized policies and laws to often more implicit cultural values and attitudes.²² They shape and limit what is possible, feasible, and desirable within a given ecosystem when addressing the broad range of opportunities and challenges associated with AI through means of governance.

Approaches to AI governance arrangements are situated within broader economic, social, environmental, technology, and regulatory policies of countries. Within these general parameters, many nations have enacted national AI strategies, which often also outline the contours of the envisioned AI regime.²³ A comparative analysis of AI strategies across twenty-two countries suggests a typology of prescribed governance approaches, resulting in a matrix with strong versus weak state interventions on one axis and stimulation versus enclosure-and-control approaches on the other. Different roles of the state in AI governance can be mapped onto each resulting quadrant, indicating certain levels of activity and the use of preferred governance instruments.²⁴

Preexisting laws are another contextual element, as briefly mentioned. Consider, for instance, how relatively relaxed privacy laws or safe harbor provisions have contributed to an AI innovation-friendly ecosystem in the United States.²⁵ Conversely, other sets of norms have arguably constrained some of the conditions conducive to AI advancement. While the empirical effects of stricter data protection laws in Europe on the development and adoption of AI remain contested, some studies suggest that the General Data Protection Regulation (GDPR) and particularly more stringent enforcement actions shaped important dimensions of the research and innovation ecosystems.²⁶

The relevant context of AI governance is of course not limited to policy and law. Powerful forces that shape the present and future of AI governance originate from the spheres of economic and national security interests—an important nexus that goes beyond the scope of this chapter.²⁷ For context, it suffices to acknowledge that the shapes both of general legal norms and specific AI guardrails are heavily influenced by the political economy, understood as the actions taken by different stakeholders with divergent interests and unequal resources and power that characterize a given environment.²⁸ The extensive lobbying efforts by large technology companies, for instance, to push for guardrails that are favorable to their businesses are well-known and have also become apparent in the AI context. Perhaps more than anything, geopolitical dynamics—both in terms of competition and cooperation—frame the broader normative picture in which AI governance activities unfold in each domain and region,²⁹ and have led to what some have described as a “race to AI regulation” on top of the global race for AI.³⁰ The AI policy of the European Union, for instance, was positioned from the outset against the backdrop of global developments,³¹ and its AI Act has already been analyzed through the prism of the so-called Brussels effect.³²

These and several other factors—including culturally anchored values, preferences, and attitudes by people toward innovative technologies³³—influence the normative context in which present day AI governance efforts crystallize. In other words, emerging AI governance norms are not endogenous rules but are socially embedded. The AI policies of Nordic nations, for instance, distinctly rely on core cultural values as organizing principles to steer the development of AI in society.³⁴ These normative dynamics complicate any comparison between different regimes and, above all, limit the possibility of successfully transplanting legal and other AI norms from one context to another.

International Initiatives

The AI governance landscape at the national and regional level is also shaped by a series of important international developments and initiatives,³⁵ including the influential OECD Principles on Artificial Intelligence,³⁶ which seek to promote AI that is innovative and trustworthy and that respects human rights and democratic values; the UNESCO Recommendations on the Ethics of AI³⁷ that spans standard-setting, policy advice, and capacity building; the UK-led Bletchley Declaration³⁸ that concerns international coordination on frontier AI; the G7 Hiroshima AI Process that promotes guardrails for advanced AI systems at the global level, among several others, including efforts such as the formation of a UN High-Level Advisory Body on AI and, more recently, the UN Resolution on Safe, Secure and Trustworthy Artificial Intelligence System.³⁹

As this incomplete list already indicates, international efforts also range from relatively high-level aspirational principles to binding instruments. With respect to the latter, the most important initiative is the Council of Europe’s (CoE) Framework Convention on Artificial Intelligence Human Rights, Democracy, and the Rule of Law.⁴⁰ The treaty covers the use of AI systems in both public and private sectors (with notable exceptions in areas such as national security), offering two compliance pathways when regulating the private sector: direct obligation to the treaty’s provisions or alternative measures while respecting international human rights, democracy, and the rule of law. This accommodates global legal diversity. It mandates transparency, oversight, risk assessment, and mitigation measures, including identifying AI-generated content and assessing the need for moratoriums or bans on high-risk AI uses.

The treaty ensures AI systems uphold equality, privacy rights, and accountability for adverse impacts, with legal remedies for human rights violations and procedural safeguards. It requires parties to adopt measures to ensure that AI systems do not undermine democratic institutions and establishes a Conference of the Parties for follow-up, and it requires independent oversight to ensure compliance, raise awareness, and foster public debate on AI technology.⁴¹

Relevant building blocks of international AI governance that predate some of the most recent global AI initiatives can also be found in the domain of free trade and digital economy agreements. For instance, the Digital Economy Partnership Agreement between Singapore, Chile, and New Zealand, promoting interoperability among the different digital trade regimens, promoted the adoption of ethical AI frameworks and developed mechanisms for cross-border data flows.⁴² The UK-New Zealand Free Trade Agreement, to take another example, removed certain data localization requirements and established guardrails for international data flows between the two countries.⁴³

Institutionalized initiatives also include regional and bilateral efforts.⁴⁴ Under the institutional umbrella of the US-EU Trade and Technology Council (TCC), for instance, the United States and the European Union committed to a series of projects to advance trustworthy AI through collaborations in the area of measurement and evaluation, the design of AI tools to protect privacy, and the economic analysis of AI’s impact on workforce. An initial contribution is the TCC Joint Roadmap on Evaluation and Measurements Tools for Trustworthy AI and Risk Management, with commitments to work toward a common terminology (a draft of an EU-US Terminology and Taxonomy for Artificial Intelligence was recently released for consultation) and a common knowledge base of metrics and methodologies to coordinate their work with international standard bodies, and track emerging risks and work toward compatible evaluations of AI systems. Progress has also been made in the area of privacy and AI workforce impact analysis.

Cross-Pollination

Even below the threshold of larger institutionalized international efforts, and despite the previously mentioned idiosyncrasies that point toward nuanced AI governance arrangements across geographies and contexts, the process of developing such arrangements at the local and national levels is currently characterized by a remarkable degree of cross-pollination among policymakers and lawmakers.⁴⁵ Put differently, not only do geopolitical dynamics shape the normative field of AI governance, but the approaches and instruments that are deployed within the respective spheres of polycentric governance-making are themselves shaped by interactions among relevant stakeholders, elevating the complexity of the norm dynamics at play.

Forums and venues where such processes take place range from informal Zoom calls, conferences, and workshops to engagement in committees and networks, such as the Global Partnership on AI Governance or the G20 Working Group on Artificial Intelligence, to name just a few examples specific to the domain of AI. Platforms such as Globalpolicy.AI, the Transatlantic Policy Network, and the World Economic Forum, or collaborations between think tanks such as the Brookings Institution and the Center for European Policy Studies, also serve as important spaces for cross-pollination among various stakeholders, including policymakers and lawmakers, in addition to direct lines of communication among them. (Members of the US Congress, for instance, have engaged with one of the rapporteurs of the EU AI Act.) Efforts facilitated by academic institutions, such as the Stanford Institute for Human-Centered AI, also serve as exchange points for decision-makers in the field of AI.

Cross-pollination through knowledge diffusion in the field of AI governance takes place though various other mechanisms with varying degrees of informality and transparency. Examples include structured interactions in the context of standards-setting organizations involved in AI governance—the collaboration between the OECD and NIST to develop a catalog of AI tools and metrics is a case in point—but also lobbying efforts by industry and industry associations that often operate across jurisdictions and promote certain approaches or instruments across different forums of AI governance-making.

Toward Governance Innovation?

Each cycle of technological innovation with the potential to induce structural shifts in a socioeconomic environment when interacting with humans and society typically challenges existing governance structures. While the default response to such challenges is to apply the old structures to the new phenomenon, the disruptions also offer a window of opportunity for innovation within governance systems. Some of these governance innovations are gradual in nature and others more radical; some include novel institutions, and others innovate around processes or rights.⁴⁶ The internet revolution, for instance, led to several governance innovations across all three domains, with ICANN being an example of an institutional innovation, online dispute resolution systems a process innovation, and the right to be forgotten a rights innovation.⁴⁷

While traces of innovative governance might be spotted at the levels of individual norms within large governance projects such as the EU AI Act, it is the calls for new AI oversight institutions voiced by government representatives, industry leaders, and academics that have recently garnered public attention. The new models proposed for AI governance often find inspiration in other policy domains, including climate, finance, or nuclear energy. A recent review of proposals for new AI institutions clustered them into seven functional categories that transcend traditional government policies. Models range from scientific and political consensus-building to coordinating institutions in the realm of policy and regulation, and from enforcement of standards and restrictions to international joint research and distribution of benefits and access to AI technology.⁴⁸

The analysis suggests a wide array of models and experiences that can be leveraged as the quest for global AI governance intensifies. In the current quicksilver environment, it is arguably one of the most intriguing and consequential questions how much innovation in governance is needed and (politically) possible to unlock the benefits of AI while managing its risk at the global level, and what would such an arrangement look like in practice.⁴⁹

Positioning Approaches

With these caveats in mind, one might take a closer look at the diverse AI governance arrangements that together form the normative field. Given the number of initiatives and the fluid state of norm development around the world, it is virtually impossible within the scope and purpose of this article to offer even a representative, let alone a comprehensive overview of current attempts aimed at governing AI. A more modest approach is to position some of the most salient governance initiatives along several spectrums with ideal-type approaches at their respective ends:

• Sectoral versus horizontal approaches: AI-based technologies cover various application contexts. Governance approaches can seek to regulate AI horizontally across their different use cases or regulate the development, deployment, and use for specific sectors, such as health, transportation, justice, or education, to name just a few. The United Kingdom takes a sectoral approach; other country examples include Japan and Switzerland. At least traditionally, the United States has also pursued a sectoral approach, with the recent Executive Order blurring the lines to the extent it pursues a whole-of-government approach. The EU, with its EU AI Act and related efforts like the AI Liability Directive, takes a decidedly horizontal approach to AI governance, supplemented by sector-specific regulations, resulting in a mixed approach, but partly also interacting with other legislation, including the GDPR but also the Digital Services Act (DSA)—the latter in which foundation models are incorporated in very large online platforms and search engines.⁵⁰
• Soft law versus hard law: Another positioning point is the question whether a given AI governance approach relies more on soft law or hard law. Soft law instruments include standards, ethics guidelines, checklists, best practices, to name a few. They play a key role in self-regulatory regimes, but in the field of AI, they also supplement state-driven legislation and regulation. Japan and Singapore currently rely heavily on soft law instruments, which continue to play a prominent role in the United States, for instance, in the gestalt of the Voluntary Commitments⁵¹ from leading companies to manage the risks posed by AI, but also the NIST AI Risk Management Framework,⁵² among others. Ambitious hard law approaches are currently pursued in the European Union, Canada, and Brazil, but also part of the AI governance mix in the United Kingdom (sectoral regulation) and the United States (particularly state and local levels), as already mentioned.

The spectrums outlined here interact with each other and partially overlap. As already indicated, AI governance initiatives often combine different approaches and instruments within them. For instance, hard law approaches to AI governance will typically also rely on standard-setting outside the formal lawmaking processes, as subsequently discussed. While not being exclusive and clear-cut, the spectrums might still serve as a rough coordination system to identify the position of different approaches relative to each other.

Cutting across the sectoral versus horizontal and soft versus hard law approaches are two other spectrums that can be helpful when considering the available toolbox of AI governance and comparing different strategic choices made by AI governance bodies:

• Outcomes versus procedural approaches: Outcome-based approaches to AI governance stipulate a desirable outcome such as innovation, economic growth, or safety, to name just a few objectives, and keep the means to achieve these objectives typically flexible. Procedural approaches, in contrast, prescribe instruments that need to be adopted along the way, assuming that they will lead to a desirable outcome. Risk management is a case in point. Risk-based approaches categorize AI applications based on their level of risk to individuals and society and attach tailored requirements to each level. Perhaps the most prominent example in the latter category is the EU AI Act, with its intricate scheme of risk classification and corresponding legal obligations. The Canadian draft legislation also builds upon a risk-based approach, as well as the Brazilian Draft AI Law, which the EU AI Act inspired. Examples of the former approach include the United Kingdom’s pro-innovation approach to AI governance, which targets the outcomes AI will likely generate in specific applications rather than assigning rules according to risk levels.
• Principles versus rules-based approaches: As the name suggests, principle-based approaches seek to guide the development, deployment, and use of AI by laying down a set of overarching principles that guide the relevant stakeholders. Prominent examples of such an approach are the OECD AI Principles and the G7 International Guiding Principles on AI. Rules-based approaches, in contrast, typically lay out specific and more detailed rules according to which the relevant stakeholders must play. At the country level, China’s Interim Measures in the realm of generative AI are illustrative. But also sector-specific requirements, for instance, in the area of medical AI or transportation, might often be rule-based, suggesting again that approaches might be mixed and are often not clear-cut.

Across these four spectrums (and others could be added), it is important to remember that any categorization of this sort runs the risk of oversimplification and is of limited value given the characteristics of AI as a “messy” normative field as discussed in the earlier section. At the very least, however, they might illustrate the range of approaches available and serve as a rough navigation aid when contrasting different choices made by various AI governance actors.

Functional Dimensions

Another lens for positioning approaches to AI governance—and within such approaches, individual norms—is functional in nature. Borrowing from analyses of previous cycles of technological innovation and accompanying governance responses in law and regulation, one can distinguish between constraining, enabling, and leveling functions of norms.⁵³

Lawmakers or regulators might draft and enact norms that constrain the development or use of certain types of technologies or functionalities. Frequently used instruments include the following:

• Prohibitions: Legislation or regulation can ban the development or use of certain AI systems or applications. The EU AI Act, for instance, prohibits certain AI use cases that pose unacceptable risks. Its far-reaching restrictions on using facial recognition technology are another case in point. Similarly, several US municipalities have restricted or banned the use of facial recognition technology by local agencies. Restrictions on the export of dual-use technologies are another illustration. More generally, the Canadian AIDA proposes new criminal law provisions to prohibit any reckless and malicious uses of AI that cause serious harm to Canadians and their interests.
• Premarket obligations: AI laws and regulations can stipulate requirements that need to be met before an AI product enters the market. The EU AI Act requires developers of high-risk AI systems to perform comprehensive conformity assessments before placing them on the market. In areas such as medical AI or autonomous vehicles premarket approval is often required, including under US regulations. Post-market monitoring is another instrument in the toolbox, often supplementing premarket regulatory schemes, like in the case of high-risk systems under the EU AI Act.
• Certification and registration: Analytically distinct, but closely related to premarket requirements are certification and registration schemes. The important role of (at least) voluntary certifications is mentioned in the in the Canadian Artificial Intelligence and Data Act (AIDA), for example. High-Risk AI systems under the proposed EU AI Act are subject to a strict certification regime. In addition, such systems, as well as foundational models, need to be registered in an EU database.

Enabling norms, in contrast, are designed to permit or even promote the development and use of technology. Such norms—most prominently so-called safe harbors—have played an important role in creating a flourishing digital platform economy, as mentioned before. In the AI realm, laws and regulations can promote the development and use of AI systems in various ways, ranging from compliance exceptions for certain use cases to government investments. Some of the common instruments include the following:

• Funding and subsides: Enabling AI legislation can establish funding schemes to support the development or adoption of AI-based technologies. Lawmakers across countries and regions, including the United States and Europe, have enacted laws as a foundation to direct investment and subsidies toward industry as well as the public sector. The US Executive Order, for instance, directs federal funding toward a research coordination network to support privacy preserving technologies, among several other actions.
• Capacity building: AI legislation might stipulate capacity building measures. Instruments may range from technical assistance programs to setting up resource and innovation centers. The US Executive Order, for instance, provides small developers and entrepreneurs with access to technical assistance and resources. The envisioned AI and Data commissioner under the Canadian AIDA is also engaged in capacity building.
• Sandboxes: Various AI laws encourage or even mandate regulatory sandboxes, which allow businesses and regulators to cooperate in a controlled environment to test innovative products or services and gain insights with regard to risks of these innovation and appropriate safeguards. Sandboxes are a key measure in support of innovation under the EU AI Act, for instance. The Brazilian AI Act set the foundation for testing environments to support the development of innovative AI systems.

Norms that are leveling the playing field include, for instance, general rules prohibiting anti-competitive behavior or deceptive business practices. Specific instruments that seek to address information asymmetries or other imbalances in the AI context include the following:

• Transparency: To bridge information gaps, AI laws and regulations often impose disclosure obligations, which come in many forms and shapes. The EU AI Act, for instance, requires clear and comprehensible information about the capabilities and limitations of high-risk AI systems, and transparent and traceable decision-making processes. The Brazilian AI Act, to take another example, mandates transparency in the use of AI systems in interactions with natural persons, among other requirements.
• Education and training: AI literacy and skill-building programs might also have their anchor in laws and regulations. The US Executive Order, for instance, supports various programs to enhance AI-relevant skills to ensure access to AI opportunities for the workforce in general, and for specialized groups of professionals, such as investigators or prosecutors.

To be sure, this list of instruments is not exhaustive; additional mechanisms currently under consideration cover a broad spectrum of governance techniques, including licensing requirements,⁵⁴ tax obligations, rulemaking authority, and procurement power, among others. Furthermore, several additional instruments transcend the three categories of constraining, enabling, and leveling norms. For instance, auditing and inspection regimes, oversight mechanisms, or sanctions are frequently used techniques to create accountability and ensure compliance and thus serve a cross-cutting function.

Mixed Approaches

Clearly, the evolving normative field of AI governance is complex and the traditional taxonomies start to blur. Particularly at the country level, AI governance often involves mixed approaches, combining different strategies and instruments and situating these countries somewhere along the spectrum of the ideal-type approaches outlined earlier. Moreover, although the dimensions that mark each spectrum might be analytically distinct, they are also interacting. The EU approach to AI governance is a helpful illustration in this regard: The EU AI Act advances a risk-based approach through hard law but is supplemented by sectoral regulations in areas such as health and transportation as well as soft law instruments such as technical standards and ethical principles. As already indicated, the coordination system is perhaps most helpful to understand the relative positioning between different approaches and to create awareness of the available options, particularly for countries and communities that remain undecided on which approach to pursue.

The same applies to the functional categories. AI governance, like previous tech-induced governance regimes, typically consists of a complex amalgam of norms. Such arrangements typically combine several of the functions briefly described earlier, as a recent empirical study of several hundred of proposed (and at times enacted) AI laws and regulations across the Atlantic indicates.⁵⁵ Nonetheless, certain trends become visible when applying a functional lens. Mapping proposed, rejected, and enacted legislation on AI-based technologies in the United States and Europe over the past seven years, the study reveals that legislative activities on both sides of the Atlantic serve different functions, but (proposed) laws and regulations in the United States tend to be more strongly in the enabling zone than their European counterparts.

Effectiveness and Ripple Effects

Mapping existing approaches to AI governance in general, and a high-level overview of some of the most salient instruments that are available to lawmakers and regulators in particular, indicates a deep reservoir of normative techniques (both social and technological in nature) that AI governing bodies can tap into when seeking to steer the development, deployment, and use of AI across diverse application areas. While the choices among approaches and instruments are not unconstrained and, as discussed in the subsection “Contextualizing AI Governance”, shaped by numerous factors that create path-dependencies, the respective actors involved often have significant leeway when selecting and mixing the tools to address specific AI governance issues.

AI governance shares characteristics of a wicked policy problem with many interdependencies and contingencies, making it virtually impossible to predict in all nuances the individual and aggregated effects when choosing one governance approach over another, or when selecting certain instruments while not deploying others.⁵⁶ Experiences from previous cycles of technology innovation offer some high-level insights for the design of “good governance” and clues about possible ramifications of different approaches at a basic level.⁵⁷ For instance, comparisons between US and European approaches to privacy and data protection, or an analysis of different governance regimes across regions when regulating online intermediaries such as social media platforms, might teach some lessons.⁵⁸ However, at the more granular level of specific instruments, lawmakers and regulators often fly in the dark, as links between interventions and desirable outcomes (for instance, in terms of effectiveness, efficiency, and flexibility when addressing a given AI issue) remain chronically uncertain when dealing with structural sociotechnological transitions.⁵⁹

In the normative field of AI governance, as in other domains, a complex web of economic, social, technological, organizational, and also human factors influences the practical outcomes emerging from any given mix of governance approaches and instruments over time. Constraining norms as a subset of AI governance arrangements and the question of pressures and incentives that might affect compliance and enforceability are indicative of some of the complicating dynamics. Research on the effects of different approaches to privacy and (pre-GDPR) data protection in the United States and European countries, for instance, revealed that on-the-ground practices—including overall awareness, leadership buy-in, and professional culture—have been critical factors determining privacy outcomes regardless of the underlying conceptual choices made by lawmakers and regulators.⁶⁰ Another example is a finding from a recent in-depth examination of China’s hard law approach to AI governance concerning generative AI, suggesting a significant gap between the “law on the books” and “law in action” when it comes to the willingness to enforce the strict rules amid the geopolitical arms race and vis-à-vis domestic economic struggles.⁶¹ At a more abstract level, both stories—albeit for different reasons—point toward the importance of communities of practice and implementation capacities, respectively, that in no small part will co-determine the effectiveness of any of the available approaches to AI governance.

The uncertainties and dynamics involved when dealing with emerging science and technology such as AI make it not only challenging to select and combine approaches in ways that best address a given governance issue but also very difficult to anticipate second order and ripple effects. Governance instruments that promote the use of AI in the public administration, for instance, might exacerbate environmental issues or have implications for AI supply chains. AI guardrails that do not stand the test of time might affect public trust not only in the technology but also in the state. For all these reasons, it is vital to incorporate performance benchmarks and evaluation processes as well as mechanisms of responsible experimentation and systematic learning into AI governance arrangements, whether based on soft or hard law or on a sectoral or horizontal approach.⁶²

Protection of Established Rights

Various legal norms in evolving AI governing arrangements seek to ensure and bolster the protection of established rights of rightsholders vis-à-vis novel risks and potential harms associated with the development and use of AI. Together, this cluster of norms forms one of the key patterns that transcend the heterogeneous set of norms of AI governance. Within the EU AI Act, for instance, the protection of established rights plays an important role and goes to the heart of the raison d’être of the legislation, which is set out to ensure a high level of protection of health, safety, fundamental rights, democracy, the rule of law, and the environment from harmful effects of AI systems. Similarly, several sections of the US Executive Order aim to protect established rights, for instance, when stipulating requirements against unlawful discrimination, protection against fraud, and threats to privacy, or to ensure the safety, security, and reliability of AI systems. Brazil’s proposed AI legislation, for example, included a section on the protection of the rights of individuals impacted by AI decision-making and outlined individual and collective rights of action. Rights protection is also a core motif of soft law instruments advanced globally. Consider, for example, Singapore’s Model AI Governance Framework, which includes the protection of the interests of human beings, including their well-being and safety, as primary considerations in the design, development, and deployment of AI. Also, in the international realm, various AI governance initiatives include explicit or implicit references to protecting established rights. The G7 Hiroshima Process International Code of Conduct for Organizations Developing Advanced AI Systems with its requirement to respect human rights and protect children and vulnerable groups, or the Bletchley Declaration with its recognition that the protection of human rights, safety, privacy, and data protection needs to be addressed, or the CoE’s Framework Convention with its rules to align the life cycle of AI systems with international and national legal protections of human rights, are examples of pars pro toto.

Protection of Established Positions

A second, related pattern that crystallizes across a diverse set of AI governance arrangements at the national and international levels is the protection of established positions, where some of the legal norms aimed at governing AI are crafted in ways that are protective of previously recognized economic, cultural, and social interests and aimed at preserving a given status quo. The EU AI Act includes various normative references along these lines. At the systemic and most fundamental level, measures taken to shield democracy and justice, for instance by limiting certain uses of AI or imposing strict upfront requirements, are examples of the protection of established positions. Regarding the protection of individual interests, the EU AI Act clarifies that it does not alter any of the previous rules, particularly in the realm of data protection, consumer protection, and product safety, which establish important baselines in terms of protected interests and positions. In other cases, it seeks to reaffirm established interests, for instance, with respect to copyright holders’ economic interests in the context of the regulation of foundation models used in generative AI systems, where providers would be required to publicly disclose a sufficiently detailed summary of the copyrighted material used as training data. In the same way, the Brazilian AI Law reinforces previous regulations, especially those related to data and consumer protection. Concerning intellectual property, it establishes that it is without prejudice to the owners of these rights. US Executive Order also includes norms aimed at protecting established positions, for instance, in the form of requirements aimed at improving the security, resilience, and incident response related to AI usage in critical infrastructure or when outlining different measures and programs in support of workers who might face future AI-related job disruptions, including the protection of their economic interests and well-being. Protecting established positions is also a key driver behind international AI governance initiatives. The Bletchley Declaration, to take just one example, with its focus on measures to ensure the safety of AI systems, for instance, in the context of frontier AI capabilities, is motivated to safeguard protected interests and existing positions of individuals, organizations, and governments.

Market Functional Pattern

The market functional pattern is a dynamic element in AI governance arrangements. Norms at the core of this pattern aim to promote new economic activities, stimulate technological development through market mechanisms, and support new markets and business models. Improving the smooth functioning of the internal market while promoting the uptake of human-centric and trustworthy AI and ensuring high levels of protection is among the overarching objectives of the EU AI Act. It enables AI systems, with notable exceptions, to benefit from the principle of free movement of goods and services. References to market functioning are spread across the proposed law and mentioned in the context of open software and data as enablers of market-based research and innovation. Transparency requirements are also contextualized as minimally invasive measures to avoid unjustifiable restrictions on trade. More generally, the EU AI Act is embedded in a broader digital strategy aimed at enhancing Europe’s competitiveness and promoting innovation in the digital market. On the other side of the Atlantic, the US Executive Order also states as a core principle the promotion of responsible innovation and competition and stresses the importance of a fair, open, and competitive ecosystem and marketplace for AI and related technologies. Its requirements to promote innovation and competition, but also to nurture AI talent and strengthen US leadership internationally are, to a large extent, part of a market functional pattern. At least traces of the same pattern can also be found in soft law instruments. The Singaporean Model AI Framework,⁶⁵ for instance, contextualizes its best practices in terms of AI as an enabler of new goods and services and a booster of productivity and competitiveness, which can lead to economic growth and better quality of life. At the international level, the market functional pattern has been less explicit in recent AI governance initiatives, with occasional references to productivity gains and inclusive economic growth, for instance, in the Bletchley Declaration. Market functional rationales also pop up in various AI-related efforts, such as in the realm of data governance aimed at enabling trans-border flows of data, building upon the international order of IP and trade as the normative bedrock of globalized markets.

Fostering Innovation

As already mentioned in the context of the functional dimensions of AI governance, several AI governance arrangements contain dedicated norms to promote research and development of AI-based technologies. Expanding on the original concept of normative pattern analysis pioneered by Anna Christensen, this complex of norms can be conceptualized as the fostering of innovation pattern. It interacts with the market functional pattern and is often framed as the protection of the potential for innovation based on preexisting commitments to free trade and intellectual property. Again, this normative pattern is typically present in national-level AI governance arrangements and in international initiatives and cuts across the hard law and soft law distinction. The provisions of the EU AI Act mention innovation close to thirty times. It stipulates various norms aimed at promoting innovation or protecting the potential for innovation, ranging from the possibility of regulatory sandboxes and coordinated standard-setting in the technical realm to AI literacy initiatives, among others. Likewise, the proposed Brazilian legislation also adopts regulatory sandboxes to promote innovation. Norms aimed at promoting AI innovation are also integral to the UK White Paper, which proportionately tailors its regulatory framework to fulfill the goal of innovation promotion,⁶⁶ and to the US Executive Order, which outlines a broad range of measures to promote innovation and competition through immigration reform, investments in resources, support for research and development, and measures in the realm of IP protection, spanning various governmental agencies and bolstering private-public partnerships. Soft law instruments of AI governance often also include recommendations aimed at promoting innovation, both at the national and international levels. The influential OECD AI Principles, for example, call on governments to consider long-term public investments and encourage private investments in research and development to spur innovation in trustworthy AI, including in creating open datasets to support the overall environment for responsible AI research. Along similar lines, at the global level, the UNESCO Recommendation on the Ethics of AI calls upon member states to ensure that public funds are dedicated to responsible and inclusive AI research and that governments promote international collaboration to advance innovation.

The patterns proposed in this chapter, inspired by Christensen’s original work, are an attempt at describing some of the core normative elements within and across different AI governance arrangements. Given the complexity and heterogeneity of AI governance arrangement, these different patterns do not make up a hierarchy of norms; rather they coexist and interact with each other in ways shaped by various contextual factors, including cultural, political, and economic conditions as alluded to in the previous section when contextualizing AI governance. Although the mode of analysis is descriptive rather than prescriptive, the approach can serve as a foundation to study how patterns manifest themselves over time within and across different societal conditions and application contexts.

Zones of Convergence

While much nuance remains, some trends of convergence can be observed across most of the AI governance arrangements reviewed in this chapter. For the methodological reasons mentioned before, the following commonalities focus on conceptual “nodes” of AI governance rather than on individual norm-level comparisons.

• Prominence of risk-based approaches: While some AI governance actors opt for outcome-based approaches, risk-based approaches to AI governance have gained popularity at both the national and international levels, cutting across sectoral and horizontal as well as soft and hard law instruments. Leading examples at the national level include the EU AI Act, Canadian AI and Data Act, and Brazilian AI bill, which all use some forms of risk and impact assessment to group AI systems into different categories of compliance obligations. The US Executive Order also highlights the importance of a risk-based approach, particularly when managing risks from the federal government’s own use of AI and in the context of implementation measures, for instance, in the gestalt of the NIST AI Risk Management Framework as an influential voluntary standard. Other soft law instruments, such as the Singaporean Model AI Governance Framework, provide guidance to organizations to adopt a risk-based approach when implementing measures. At the international level, risk-based approaches have been promoted by G7 digital and technology ministers and referenced in the Hiroshima Process International Code of Conduct for Organizations Developing Advanced AI Systems.⁶⁷ Although these examples suggest conceptual convergence toward risk-based approaches, substantial differences continue to exist at the operational level.⁶⁸
• Role of regulatory sandboxes: Building on previous experiences using sandboxes as a supervised experimental space to enable responsible testing of emerging technologies and foster bidirectional learning between developers and regulators, AI governance bodies across the globe have started to embrace this technique and are currently applying it to AI. The European Union in the EU AI Act and several European member states, including Spain and Germany, are promoting the use of AI regulatory sandboxes as controlled environments with reduced regulatory burden to keep pace with rapid AI development while gaining experience dealing with it effectively. The Brazilian AI Act also authorizes the operation of an experimental regulatory environment for innovation in AI, and the preparation for a first sandbox is already underway. Singapore, as a last example, recently launched a Generative AI Evaluation Sandbox as an experimental platform for developers to build responsible AI use cases and enable the evaluation of trusted AI products.⁶⁹
• Importance of standards: Across all the reviewed AI governance arrangements, regardless of their respective positioning, standards play a vital role.⁷⁰ Even in cases where comprehensive legislation is at the core of AI governance, like in Europe with the EU AI Act, standard-setting is a critical part of the strategy. The European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) are leading organizations developing standards that could provide developers the presumption of conformity with the EU AI Act. As already mentioned, NIST in the United States has been actively involved in developing standards for AI by creating a framework that fosters the development of trustworthy and responsible AI systems, covering areas such as bias, explainability, and robustness. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have a joint technical committee focused on AI standardization, and international organizations like the Institute of Electrical and Electronics Engineers (IEEE) have set up various working groups developing standards for ethical considerations in AI, to name just a few initiatives among many.

Zones of Divergence

The complexity and heterogeneity of the AI governance landscape make it unsurprising that many differences exist not only at the level of individual norms—for instance, whether a given AI governance arrangement specifically addresses foundation models, and if so, how—but also at the conceptual level. In addition to the higher-level differences resulting from distinct approaches to AI governance already mentioned earlier in “Approaches to AI Governance,” some of the particularly noteworthy conceptual areas of divergence include the following:

• Scope and definitions: Many important nuances exist regarding the scope of application among the variety of different governance initiatives, as well as with respect to definitions of various technical and legal terms. Voluntary industry standards and professional best practices, for instance, have a very different scope and reach than mandatory laws and regulations, whether horizontal by design or sector-specific. The EU AI Act, for instance, seeks to regulate the full range of AI applications across the private and public sectors, whereas the aforementioned US Algorithmic Accountability Act appears to be more specific and selective. The US Executive Order, in contrast, takes a broad whole-of-government approach to AI governance. While progress has been made when it comes to developing a shared understanding of key terms such as AI itself at the international level—strongly influenced by the important work of the OECD, which recently updated the definition of AI—many other important definitions of key concepts are a work-in-progress or remain contested, as recent debates about the definition of all-purpose AI, generative AI, and foundation models in the EU AI Act illustrate. To be sure, differences in terminology are neither a new phenomenon nor unique to AI governance. However, in light of the heterogeneous norms landscape, it remains a significant challenge for the years to come to create appropriate levels of (semantic) interoperability across a thickening web of emerging laws, standards, and best practices that might apply simultaneously given the polycentric nature of AI governance.
• Level of normative commitment: Despite the flourishing of AI governance initiatives in general and recent momentum around the creation of hard laws after a phase with a strong emphasis on ethical norms, stark differences remain among such efforts when it comes to the level of the underlying normative commitment. Perhaps most significantly and visibly, the commitment to individual rights varies greatly across AI governance arrangements. This applies not only when comparing AI norms of environments governed by the rule of law versus others but also when considering the depth of normative guarantees offered by different democratic regimes. For instance, while the US Executive Order marks without any doubt an important step forward when it comes to the protection of civil rights and privacy against emerging AI risks, it does not immediately offer the same level of actionable legal protection for individuals as the provisions set forth in the EU AI Act and the General Data Protection Regulation, respectively. Similarly, most, if not all, the AI governance requirements stipulated in soft laws such as Singapore’s AI Model AI Governance Framework as well as many of the global AI governance initiatives, are important signals and milestones on a longer trajectory but still are relatively weak normative commitments when assessed from the vantage point of advancing individual rights beyond the current baseline of human rights protections.
• Enforcement: The AI governance arrangements reviewed in the context of this chapter (and beyond) vary greatly in terms of enforcement regimes. As a threshold, much depends initially on the specifics of the governance approach itself, for instance, the role of voluntary self-regulation versus government-based regulation through hard law. Consistent with the polycentric characteristics of the AI governance landscape, different norms are typically enforced by different actors, ranging from in-house AI accountability boards or professional associations to traditional law enforcement or from newly created AI authorities to preexisting specialized agencies tasked with AI norm enforcement in their respective sectors or industries. How an AI enforcement regime looks is yet again shaped by broader contextual factors, including preexisting legal order and market structure. For instance, the EU AI Act puts the primary enforcement responsibility in the hands of the member states, with consultation and coordination mechanisms at the EU level in the form of a European Artificial Intelligence Board chaired by the EU Commission. At least from a structural perspective, the EU approach to enforcement resembles regimes of harmonized data protection law, including strong enforcement tools. Adopting the same strategy, the Brazilian AI Law establishes a new supervisory authority that will be responsible for monitoring noncompliance with the law, promoting its implementation, and issuing other regulations related to AI. In the United States, the Federal Trade Commission (FTC)—in addition to the agencies now tasked with the implementation of the US Executive Order—is expected to play a particularly important role as an enforcer of consumer protection–oriented AI norms and standards at the federal level (complemented by specialized agencies such as the FDA in health AI), but without a comprehensive mandate compared to the EU counterparts.

Zones of Interoperability

The concept of interoperability offers an alternative analytical view on the diverse landscape of emerging AI governance arrangements—a perspective that transcends the binary division between zones of convergence and divergence. Originally a technical concept, interoperability in the digital realm can be broadly understood as the ability of different systems, applications, or components to work together based on the exchange of useful data and other information.⁷¹ Under the header of “legal interop,” it has been analogized to conceptualize the working together among distinct legal norms across jurisdiction that regulate the global flow of information.⁷² A number of instruments are available to enhance legal interoperability, including legal harmonization, mutual recognition, reciprocity, cooperation, and standardization—approaches that can be operationalized through various means, ranging from treaty law to self-regulation.⁷³ Some of these tools might also be relevant when seeking to enhance interop between AI governance arrangements or their components.

• Many of the international initiatives led by state and nonstate actors mentioned earlier in this chapter are often aimed at enhancing the interoperability of norms, rules, standards, and decision-making procedures across different AI governance arrangements. The OECD Principles on Artificial Intelligence or the UNESCO Recommendations on the Ethics of AI, for instance, have informed and often shaped hard law and soft law approaches across various jurisdictions, promoting interoperability at the norm and process levels and beyond. The G7 Hiroshima Process also aims to establish common guiding principles for organizations developing advanced AI systems while acknowledging that “different jurisdictions may take their own unique approaches to implementing these guiding principles in different way.”⁷⁴ More recent efforts such as the United Nations Resolution encourage “internationally interoperable identification, classification, evaluation, testing, prevention and mitigation of vulnerabilities and risks” of AI systems.⁷⁵
• Higher levels of interop, however, might not only come from top-down efforts. Multistakeholder initiatives can also enable the working together among different arrangements and regimes.⁷⁶ In the field of AI governance, such efforts are still in the early stages, but important work is well underway.⁷⁷ The Global Partnership on Artificial Intelligence, for instance, has produced various guides on the responsible development, use, and adoption of AI.⁷⁸ The Partnership on AI, too, has advanced best practices in various areas of AI governance, including synthetic media.⁷⁹ The AI Governance Alliance, convened by the World Economic Forum, produced interoperable building blocks to guide the safe development, deployment and use of generative AI across AI governance arrangements.⁸⁰ ETH Zurich in collaboration with the Swiss government hosts a multistakeholder Gen AI Redteaming network to collaborate on disclosing, replicating, and mitigating safety issues and develop best practices.⁸¹

As discussed, emerging AI governance arrangements introduce and legitimize a variety of innovative approaches, tools, and practices—ranging from human rights and risk assessments to codes of practices—that will need to be further specified and operationalized in different forums and processes. From an interop perspective, this modularization of AI governance opens the possibility for cross-border multistakeholder cooperation, with the promise to enhance alignment between different AI governance arrangements by enabling the working together among some of their core components even absent more ambitious harmonization at the international regime level.⁸²