The European Union is approaching the final stages of enacting the world’s first comprehensive regulatory framework for artificial intelligence. The Artificial Intelligence Act, initiated in 2018, has now passed a critical European Parliament vote on amendments, setting the stage for trilogue negotiations among the Parliament, Council, and Commission. This process is expected to culminate in early 2024 with legislation that will establish binding rules for AI systems across the bloc.
The AI Act’s architecture reflects a deliberate balance between fostering innovation and embedding safeguards. Notable refinements include a more precise definition of AI and a risk-based regulatory model that scales requirements according to potential harm. This approach is intended to ensure that compliance obligations are proportionate, technically feasible, and capable of building public trust. Policymakers view the Act as a potential cornerstone for a global consensus on AI governance, much as the General Data Protection Regulation (GDPR) became a benchmark for privacy law.
For observers in the United States, the EU’s leadership in technology policy recalls the trajectory of GDPR. Adopted in 2016 and enforced from 2018, GDPR reshaped global privacy practices and influenced legislation far beyond Europe’s borders. The parallel is instructive: absent early federal action, other jurisdictions may again set the terms of engagement for a transformative technology.
Three lessons from the GDPR experience stand out for U.S. AI policy. First, congressional action is essential. While the U.S. has initiated important groundwork—such as directing the National Institute of Standards and Technology to develop the AI Risk Management Framework and establishing the National AI Advisory Committee—these measures stop short of enforceable national standards. As Sayan Chakraborty, co-president of Workday, noted in his personal capacity, the advisory committee’s role is to provide “well-timed advice to the White House.” Yet without legislative follow-through, the U.S. risks ceding regulatory leadership.
Second, international coordination is critical to avoid a patchwork of conflicting rules. The U.S. and EU have already launched the Trade and Technology Council to align on digital policy, and the appointment of Ambassador Nathaniel Fick as the first U.S. Ambassador at Large for Cyberspace and Digital Policy underscores the strategic importance of these efforts. Beyond transatlantic engagement, companies like Workday are participating in AI policy dialogues in Canada, the UK, Singapore, and Australia, recognizing that harmonized principles can reduce compliance friction and support cross-border innovation.
Third, state-level initiatives will not wait for federal consensus. The absence of a national privacy law prompted swift action by state legislatures, and AI is following a similar trajectory. New York City’s law governing AI in employment decisions takes effect imminently, and California’s AB 331 proposes a risk-based framework incorporating established accountability mechanisms such as impact assessments. Legislative activity is also emerging in other states, including New York and California, with more proposals expected in the coming year. For technology developers, this trend underscores the need to engage early with policymakers to shape workable, technically grounded rules.
The impending adoption of the AI Act represents more than a European milestone; it signals a global inflection point in AI governance. The EU’s methodical process—spanning five years of drafting, consultation, and amendment—demonstrates the complexity of translating broad ethical principles into enforceable technical standards. Its risk-tiered model mirrors safety-critical engineering disciplines, where system classification dictates design assurance levels, testing rigor, and operational constraints.
For engineers and technologists, the regulatory trajectory carries practical implications. Risk-based compliance will require robust documentation of model development, data provenance, and validation procedures. High-risk systems, such as those used in employment, healthcare, or critical infrastructure, may face mandatory conformity assessments akin to aerospace certification processes. Transparency obligations could drive the adoption of interpretable model architectures or post-hoc explainability tools, influencing design choices from the earliest stages.
The pace of change is likely to accelerate once the AI Act is in force, just as GDPR catalyzed rapid adjustments in data handling practices worldwide. For the U.S., aligning domestic policy with emerging international norms could help maintain competitiveness while safeguarding public trust in AI-driven systems.