Three Models, One Moving Target
A practical orientation for businesses deploying AI across borders
Artificial intelligence has outpaced the law almost everywhere, but not evenly. A company deploying the same AI system in Brussels, Austin and Shanghai faces three fundamentally different regulatory philosophies, not three versions of the same rulebook. Understanding those differences is now a basic requirement of operating internationally, and getting it wrong carries real cost: fines, forced product changes, and in some markets the inability to launch at all.
This article offers a plain-English orientation. It explains the three dominant models of AI regulation, addresses the question we are asked most often, “how many countries actually have mature AI laws?” and sets out what businesses should be doing now, whatever their footprint.
Three models, not one
It is tempting to imagine that AI regulation is converging toward a single global standard. It is not. Three distinct approaches have emerged, and they reflect genuinely different priorities.
1. The European Union: one comprehensive law
The EU took the route it took with data protection: a single, comprehensive, binding statute that applies across all member states. The EU AI Act classifies AI systems by risk, from prohibited uses, through “high-risk” systems carrying extensive obligations, down to minimal-risk tools subject only to light transparency duties. The defining principle is simple: the higher the risk, the stricter the rules.
For businesses, the appeal is predictability. One framework, one logic, applied uniformly. The obligations are demanding, risk management systems, data governance, technical documentation, human oversight, conformity assessment, but they are knowable in advance, and the Act is being phased in over several years rather than imposed overnight.
2. The United States: a patchwork in motion
The United States has no single comprehensive federal AI law. Instead, compliance is assembled from three overlapping sources: federal agencies applying existing law (consumer protection, anti-discrimination, sector rules) to AI conduct; a fast-growing body of individual state laws; and sector-specific regulators in areas like finance and healthcare.
This makes the US the hardest of the three to summarize, because it is genuinely unsettled. Several states have enacted broad AI governance laws, others target narrower issues like hiring or deepfakes, and the federal government and states are actively contesting who gets to regulate. The practical consequence is that a US compliance posture must be built jurisdiction by jurisdiction and kept flexible, because the ground is still shifting.
The same AI system can be lightly regulated in one US state and heavily regulated in the one next door. There is no national baseline to fall back on.
3. China: control through registration and content rules
China has taken a third path: not one omnibus law, but a layered stack of targeted measures — covering recommendation algorithms, “deep synthesis” (deepfakes) and generative AI, sitting on top of its foundational cybersecurity, data security and personal information laws. The system is administered chiefly by the Cyberspace Administration of China.
Two features stand out. First, public-facing AI services generally must complete mandatory government filings before launch, there is a registration gate, not just an after-the-fact enforcement risk. Second, content governance is central: providers are responsible for what their systems generate, and AI-generated content must be labeled. For foreign businesses, the threshold question is always whether a service is offered to the public in mainland China, because that drives nearly the entire analysis.
The three models at a glance
| European Union | United States | China | |
| Structure | Single comprehensive law | Patchwork: federal + state + sector | Layered service-specific measures |
| Organizing logic | Risk tiers | Existing law applied to AI | Registration + content control |
| Gate to launch | Conformity assessment for high-risk | Generally none; enforcement after | Mandatory CAC filings for public services |
| Predictability | High | Low – actively shifting | Moderate – locally administered |
| Best first step | Map systems to risk tiers | Adopt a recognized framework (e.g. NIST) | Confirm public-facing status; engage local counsel |
Simplified for orientation. Each regime contains important exceptions and sector overlays.
So how many countries have “mature” AI legislation?
This is the question business leaders ask most, and it deserves an honest answer: there is no single correct number, because “mature” is not a defined category. The count depends entirely on where you draw the line, and the range is wide.
If “mature” means a comprehensive, binding, in-force AI law
On the strictest definition, a broad AI-specific statute substantial enough to build a full compliance program around, and actually in force, the number is very small. The European Union (as a 27-state bloc) and China are the two regimes that clearly qualify. These are, not coincidentally, the jurisdictions where a business genuinely needs a structured compliance program rather than general good practice.
If “mature” means binding AI-specific rules of meaningful scope
Loosen the definition to include countries with enforceable AI-specific rules, even if narrower or newer, and you add a modest handful more, including jurisdictions that have passed framework or sector-specific AI legislation. The United States sits awkwardly here: enormous regulatory activity, but no comprehensive federal law, so it is better described as “active” than “mature.”
If “mature” means any AI law, framework or national strategy
Broaden the lens to any country with an AI policy framework, set of ethics principles, or national strategy, and the number runs into the dozens. Many countries have published national AI strategies, and international bodies tracking AI policy initiatives count well over a thousand measures worldwide. But the great majority of these are non-binding, strategies, principles and guidance rather than enforceable law.
A small handful of binding comprehensive regimes; a growing middle tier of partial and sector-specific laws; and a long tail of strategies and voluntary frameworks.
That distribution, not any headline figure, is what matters for planning. The number you will see quoted depends on the definition behind it, and a responsible answer always states the threshold first. For most multinational businesses, the practical reality is that two regimes (the EU and China) demand dedicated compliance programs today, a growing set of others demand targeted attention, and the rest are worth monitoring but not yet building around.
What businesses should do now
Whatever your footprint, a few steps apply across all three models and will not be wasted effort regardless of how the law evolves:
- Build an inventory. You cannot comply with anything until you know which AI systems you use, build or embed, including AI hidden inside third-party tools.
- Adopt a recognized risk-management framework. Frameworks such as the NIST AI Risk Management Framework or ISO/IEC 42001 are becoming the common currency across jurisdictions, demanded by procurement teams and insurers, and treated as evidence of reasonable care under some laws.
- Map your jurisdictions. Identify every country and, in the US, every state where you operate or affect residents. Obligations frequently reach across borders.
- Treat documentation as a living asset. Across all three models, the ability to show what your systems do, how they were tested and how risks were managed is the connective tissue of compliance.
- Stay flexible and keep watch. This is among the fastest-moving areas of law anywhere. Build a program that can adjust, and reassess regularly.
How we can help
360 Business Law can help businesses turn this shifting landscape into a concrete, manageable compliance plan, from mapping which regimes apply to a particular product, to building jurisdiction-specific checklists, to advising on registrations, contracts and governance. If you are deploying AI across borders and are unsure where to start, we would be glad to talk.
This article is general information current as of June 2026 and does not constitute legal advice. AI regulation is changing rapidly and varies by jurisdiction and sector; obtain specific advice before acting. To discuss how these developments affect your business, contact Robert Taylor, CEO & General Counsel, at r.taylor@360businesslaw.com.