Key takeaways
- AI governance is becoming part of day-to-day risk management, not a separate issue, and is best built into existing legal, compliance and operational frameworks.
- Adopting a single standard according to the strictest rules, such as the EU’s AI Act, to minimise risk, may mean that advantages of operating in pro-innovation jurisdictions are not realised.
- Using third-party AI does not remove responsibility, and businesses remain accountable for understanding, monitoring, and overseeing how these systems are used.
Artificial intelligence (AI) is spreading rapidly through business operations, promising productivity gains, new business models and efficiencies across sectors. But with the technology advancing faster than the rules designed to govern it, companies must contend with a fragmented global landscape of legislation, regulatory guidance and dispute risks.
How can businesses fold AI regulation into their broader risk strategy?
For many organisations, the first step is recognising that AI governance should not exist in isolation: the risks associated with AI systems are closely intertwined with existing compliance frameworks around data protection, consumer protection and operational risk.
“Businesses should treat AI as part of their overall risk programme, not as a separate project,” advises Jaime Bofill, a Madrid-based partner in our litigation and arbitration practice. “The first thing to do is start by listing where AI is used and what decisions it affects.”
That basic exercise can be surprisingly difficult. In many organisations, AI tools have been adopted informally or embedded within existing systems, making it harder to get a clear view of where and how they are being used. Even once this is understood, companies need to apply governance in a practical way.
“AI regulation is new and requires specific focus,” says Morris Schonberg, a Brussels-based partner with expertise in competition, regulation and trade. “But the tools and methodologies are not new. The idea is not to reinvent the wheel, but to take existing compliance systems, like those used for data protection or cybersecurity, and adapt them to these new requirements.”
As adoption scales, governance also needs to move beyond central teams and into the business. “Some organisations initially stood up AI governance committees to deal with the specific risks around AI,” observes Christine Wong, a commercial litigation partner based in Sydney, Australia. “But as AI adoption increases and proliferates through organisations, that’s not really sustainable. You want to push that governance back through the business lines.”
How can businesses comply with a global patchwork of AI regulation?
Even once governance frameworks are in place, multinational organisations must manage a regulatory environment that varies widely between jurisdictions. While some governments have introduced comprehensive legislation, others like the UK are experimenting with lighter-touch approaches or relying on existing legal frameworks.
“There has been a concern that the default may end up being the strictest regime,” notes London-based knowledge counsel Jasveer Randhawa. “If companies decide it’s too complicated to operate under different regulatory requirements across their business, they might simply follow the most stringent one. And that means they won’t feel the benefits of lighter regimes.”
In practice, this means many multinational businesses may align their internal governance frameworks with the EU’s AI Act, treating it as a global baseline rather than operating under different standards across jurisdictions. Even so, companies still need a clear way to allocate effort and resources across different uses of AI.
“Adopting a risk-based strategy allows organisations to build a durable foundation and balance compliance with innovation,” explains Michelle Virgiany, director at Prolegis LLC in Singapore. “It allows businesses to focus the most rigorous controls on high-risk AI applications while taking a lighter-touch approach for lower-risk use cases.”
How are different regions approaching AI regulation?
But even where companies choose to follow the strictest regime, they still need to understand how different regulatory frameworks apply across the markets in which they operate. “Companies first need to understand the legal framework in each jurisdiction,” suggests Pietro Pouché, a Milan-based commercial and litigation partner. “Then they can identify the basic standardised tools that should be present in almost all systems.”
In Europe, policymakers have taken the most ambitious route. The EU’s AI Act is widely considered the world’s first comprehensive legal framework for AI. It introduces a risk-based system that categorises AI systems according to their potential impact, with strict obligations for “high-risk” applications and outright bans on certain uses, such as social scoring.
“Even though AI is a new type of technology, the regulatory approach the EU has taken is partly similar to what we saw with GDPR,” explains Thies Deike, a counsel in our Frankfurt corporate team focusing on IT matters. “Some of the structures companies need to implement are therefore comparable to those they already have in place.”
Other governments have been more cautious about creating new AI-specific laws. “The approach in Australia has been characterised by ongoing engagement with creators and the technology sector to assess the practical operation of existing laws in the context of AI, rather than implementing sweeping legislative change,” explains Emma Iles, a partner in our intellectual property disputes team in Melbourne. “This contrasts with regions like Europe, which are actively pursuing more direct regulatory interventions.”
In the UK, the position differs from that of its nearest geographical neighbours in the EU. As Randhawa explains: “The UK has to date taken a sector-specific approach, with the approach to regulation largely left to existing regulators under current legislative regimes. Whilst the lack of specific AI legislation has the advantage of allowing regulation to be more flexible and nimbler, it creates questions about uncertainty for businesses and divergence between different regulators.”
In the US, regulation remains fragmented. Rather than adopting a single federal law, policymakers have relied largely on executive actions, agency guidance and state-level initiatives. This reflects the country’s preference for encouraging innovation while addressing risks through existing legal frameworks.
And in Asia-Pacific, the picture is more mixed. “Regulatory maturity varies significantly, from China’s more prescriptive regulatory framework and South Korea’s recently-enacted AI Basic Act, through to Singapore’s voluntary principles-based governance framework,” reflects Virgiany. “Against this backdrop, it’s a good idea to build a cross-functional AI governance committee to assess AI deployments holistically.”
How can businesses bridge the responsibility gap between AI vendors and deployers?
Another challenge arises from the relationship between AI developers and the organisations deploying their systems. Most companies do not build AI models themselves, but rely on external vendors, ranging from cloud providers to specialised technology companies.
“In the past, companies could rely on a contract with a service provider,” says Deike. “Today, regulators expect organisations to carry out due diligence and monitor outsourced services. That means deployers need oversight, reporting and potentially audit rights.”
The expectation that organisations maintain oversight of outsourced technology providers is already well established in sectors such as financial services. Regulators are increasingly applying the same principle to AI.
“If you’re a large bank or insurer, it won’t be an excuse that something went wrong because the AI came from a third-party vendor and you didn’t really understand how it worked,” warns Wong. “Regulators will still expect deployers to have appropriate risk management systems and oversight in place.”
What regulatory risks do AI vendors face?
While businesses deploying AI systems face operational compliance risks, developers face a different set of legal challenges, particularly around the data used to train their models. Many generative AI systems rely on vast datasets that may contain copyrighted works, raising complex questions about licensing and the limits of existing copyright exceptions.
“This is particularly acute in jurisdictions like the United States, where copyright class action litigation brought by rights holders is creating a changing landscape for the scope and applicability of copyright infringement exceptions,” says Emma.
As regulators push for greater transparency around training data, those legal pressures are likely to increase. “Vendors face greater risk than deployers, particularly when it comes to how systems are designed, trained and tested,” warns Jaime. “They need strong governance, proper testing of the model’s performance, clear records and guidance for customers on how the systems should be used.”
Towards a clearer future for AI risk and regulation
AI governance is unlikely to be solved through a single regulatory framework or compliance checklist. Instead, businesses will need to keep adapting as governments, regulators and courts respond to a technology whose capabilities and risks are still evolving. This means building AI governance into the risk frameworks they already use, while staying alert to how rules may differ across jurisdictions. The organisations that lead their industries tomorrow will be those that treat AI as a core part of how they manage risk today.