AI Law

AI laws are legally binding rules that govern how AI systems are developed, deployed, and used. They usually define where the law applies, which AI systems fall under its scope, how systems are classified by risk, what obligations organizations must follow, what rights individuals have, and how violations are enforced. 

In AI governance, law sets the minimum compliance standard, while regulations add technical detail, and internal policies help organizations operationalize those requirements. Examples like the EU AI Act and NYC Local Law 144 show how AI law is emerging across global, national, regional, and municipal levels.

How AI Laws Are Structured

AI laws vary in scope and approach, but most share a common structure.

  • Jurisdiction and applicability: A law applies within a defined territory, whether national, regional, or municipal, and typically specifies which organizations and AI use cases fall under its scope.
  • Risk-based classification: Many AI laws organize their requirements around risk tiers. Higher-risk AI applications that are used in healthcare, critical infrastructure, employment, or law enforcement face stricter obligations around transparency, documentation, human oversight, and testing. Lower-risk applications face lighter requirements or none at all.
  • Obligations and rights: AI laws typically impose obligations on AI developers and deployers, such as maintaining technical documentation, conducting impact assessments, or registering systems with a regulatory authority, while establishing corresponding rights for individuals, such as the right to explanation or the right to contest an automated decision.
  • Enforcement mechanisms: Laws are backed by enforcement, with regulatory bodies empowered to investigate, impose fines, and require remediation. The scale of penalties varies significantly; for instance, the EU AI Act sets maximum fines based on a percentage of global annual revenue.

Why AI Law Matters in Governance

For organizations building or deploying AI, law sets the floor. Internal AI policies and voluntary standards may go further, but legal requirements represent the minimum threshold below which an organization cannot operate without risking liability.

Understanding the legal landscape is foundational to AI risk management. Non-compliance doesn't just mean fines; it can mean forced suspension of AI systems, reputational damage, and loss of customer or partner trust. 

As AI laws multiply across jurisdictions, organizations operating globally face the challenge of tracking overlapping and sometimes conflicting requirements simultaneously.

Law also shapes what governance structures organizations need to have in place. Many AI laws require organizations to designate responsible parties, maintain audit trails, conduct conformity assessments, and document how systems work; these are the requirements that need to be operationalized through internal governance programs, not just legal review.

Real-World Examples

Example 1: EU AI Act 

The EU AI Act is the most comprehensive AI-specific law enacted to date. It categorizes AI systems by risk level (unacceptable, high, limited, and minimal) and imposes tiered compliance obligations accordingly.

High-risk AI systems, such as those used in hiring, credit scoring, and biometric identification, must meet requirements around data governance, transparency, human oversight, and accuracy before they can be deployed in EU markets. 

The Act also prohibits certain AI practices outright, such as real-time remote biometric surveillance in public spaces for law enforcement purposes.

Example 2: NYC Local Law 144 

New York City's Local Law 144 requires employers using automated employment decision tools to conduct annual bias audits and publish the results publicly before using such tools in hiring or promotion decisions affecting New York City residents. 

It is one of the first laws in the United States to impose specific technical and transparency requirements on AI used in employment, illustrating how AI law is emerging at the municipal level, not just nationally.

Law vs. Regulation vs. Policy in AI

These three terms are often used interchangeably, but they mean different things in practice.

Understanding this distinction matters because compliance requires navigating all three layers: what the law requires, what regulations specify, and what internal policies must implement.

Summary

Law in the context of AI refers to government-enacted, legally binding rules that govern how AI systems are built and used. AI laws are multiplying across jurisdictions, establishing obligations for organizations around transparency, documentation, risk assessment, and accountability while giving individuals rights over how AI affects them. 

For any organization developing or deploying AI, understanding the applicable legal landscape isn't optional: it's the starting point for responsible AI governance.

Frequently Asked Questions

Here you can find the most common questions.

Does AI law apply to every company using AI?

Not always. AI laws usually apply based on geography, industry, risk level, and how the AI system is used.

What’s the difference between AI law and AI ethics?

AI ethics is based on principles like fairness, transparency, and accountability. AI law turns some of those principles into enforceable legal rules.

How do organizations keep up with AI laws across multiple jurisdictions?

They track legal updates, map laws to their AI systems, and manage compliance through ongoing AI governance programs.
