Table of Contents
- 1. Where I started
- 2. Why, what, and how
- 3. From two questions to a map
- 4. Reading the frameworks
- 5. What the map shows
- 6. Where it’s going
- References, by framework
1. Where I started
When I first tried to read about AI governance, I found myself in an alphabet soup. There’s a pile of names to learn: the EU AI Act, NIST, Bletchley, the OECD Principles, Korea’s Basic Act, “the omnibus,” Singapore’s framework, the UK’s different one, a treaty, and the abbreviations stack up faster than the understanding does. If you’ve tried, you’ve probably hit the same wall.
Then there was this other problem. Almost everything I came across in popular media discourse about governance (the commentary, the threads, the posts, the summaries) is framed as fundamentally about risk: what could go wrong, and how to hold it back. But when I went and read the actual acts, that wasn’t quite what they said. Several of them diverged from that risk-first story. Some were built to enable AI, not restrain it. The discourse and the documents didn’t line up, and at first I couldn’t tell why.
What helped was small. Instead of reading each framework as a block of obligations to memorize, I started asking each one the same two things: what is it actually for, and how does it go about it. The rest of this piece is those two questions, applied.
2. Why, what, and how
Forget AI for a second (Can you imagine I made AI write that! Now Claude has existentialism positionally encoded). Let’s take an analogy: think about a speed limit.
At first it’s just a sign, but underneath the sign are three layers.
First, the why: it establishes the need for the rule. Cars are fast and heavy, and people die when they crash. That danger is the need — the reason a rule exists at all.
Given that need, the what: the rule picks a goal. Keep people from dying.
And the how: it picks a method (a posted number, police, fines).
Every rule works this way, because every rule is a response to some need: a building code, a food-safety inspection, even a recipe. AI governance isn’t an exception; it only seems muddled because it arrives wrapped in acronyms.

Here’s the part that matters for reading frameworks. For AI, almost everyone agrees on the why: the technology is consequential enough that something is warranted. The differences you actually want to see live one floor down, in the what and the how.
So those are the two questions we carry through the rest of the piece.
💡 WHAT is a framework for, and HOW does it act.
A rule can aim to protect people and still act with a feather touch; it can aim to encourage a technology and still act through hard law. That independence is why the question people reach for first, “is this pro- or anti-innovation?”, is a tricky place to start, since it bundles a what and a how into one word.
I gave myself a challenge: to try to categorise some of the existing frameworks just from these 2 intuitive questions.
3. From two questions to a map
We need to add some dimensions to these 2 questions now.
Start with WHAT is it for? Read enough of these documents OR let AI summarize them for you (which is what I did), and the goals, broadly speaking, collapse into three.
Some frameworks are built mainly to prevent harm: Easy!
Some are built mainly to protect rights: dignity, fairness, not being discriminated against, a say in decisions that affect you. This overlaps with harm, but it points at something different: what people are owed, not only what might hurt them.
And some are built mainly to enable the technology: treating governance as a way to unlock AI rather than hold it back, and to aid its adoption (safely).
Most frameworks touch more than one. But almost all of them lead with one, and that leading choice is the answer to WHAT. It already does work: a framework that leads with “enable” is a different animal from one that leads with “prevent harm,” before you’ve read a single line of obligations.
That’s one of the two questions placed. Next, the harder and more revealing one: HOW.
HOW does it act? The “act” hides three separate choices.
How hard does it push? It’s not binary. There’s a range in which it operates. A speed limit pushes hard: break it and you pay. A “Drive Safely” billboard pushes softly: it asks, and that’s all. Frameworks run the same range, from a voluntary set of principles nobody can fine you over to a binding law with real penalties. Call this the weight.
Who does the pushing? One national authority, or a group of countries signing a shared treaty. Call this the authority.
What sets the obligation off? This is the subtle one. A speed limit can be triggered by where you are — a school zone, a motorway — which is the road’s use. It can be triggered by what you’re driving — trucks face limits cars don’t, because of what the vehicle is. Or you might simply opt in to a voluntary standard, like a recommended speed on German Autobahns. Frameworks have the same three triggers:
- the use an AI is put to
- the choice to adopt a voluntary code
- the model’s sheer scale, governed for what it could do simply by being big.
Call this the trigger.

Every framework does NOT reduce to these. The real ones are richer, but because reading each through WHAT and HOW is what finally gave me a mental model I could hold, I decided to share that approach.
4. Reading the frameworks
With WHAT and HOW in hand, each framework stops being a wall of obligations and becomes a quick reading. I’m no expert in the field of policy drafting and governance, so I won’t be explaining the frameworks in detail, and there are already really good references for that, linked at the end.
The point is to place them, and to notice that once you do, they mostly explain themselves.
4a. The EU AI Act
The European Union’s law for artificial intelligence, passed in 2024 and the first comprehensive AI law anywhere. The strict one, and the one everyone’s heard of.
WHAT
- Leads with: preventing harm, with a strong lean toward protecting rights. It sorts AI by how much damage a given use could do, and bans or tightly controls the uses it judges dangerous.
HOW
- Weight: Heavy. A binding law with real fines.
- Authority: a single central regime: one set of rules for the whole EU.
- Trigger: mostly the use: a hiring filter or a credit-scoring model is caught for what it decides.
PS: the EU also bolts a scale trigger onto the very largest general-purpose models. The newest idea, tucked inside the oldest-style law. Keep it at the back of your head for now; it comes back.
4b. NIST’s AI Risk Management Framework
NIST is the US government’s standards agency; in 2023 it released this as a voluntary set of practices for any organization building AI. Not a law but rather a playbook a company runs on itself.
WHAT
- Leads with: preventing harm. BUT aimed at how an organization builds and runs its AI rather than at the product itself. The goal it names is “trustworthy AI.”
HOW
- Weight: light. Voluntary, no fines, no certificate to earn. Its force comes from being adopted, not enforced.
- Authority: The organization runs it on itself, with no regulator or sector body in the loop.
- Trigger: you opt in. It applies when a company chooses to pick it up, and not otherwise.
The catch: NIST never says how much risk is too much. It tells you to find, measure, and manage your risks, but you set the bar yourself. That makes it fit any industry, and also easy to satisfy at a low bar.
4c. The OECD AI Principles
The OECD is an international economic organization of ~38 mostly-wealthy democracies; in 2019 (updated 2024) it published these shared AI principles, since signed by around 47 countries. It’s to be seen as a common reference point, not a rulebook.
WHAT
- Leads with: protecting rights and values. Human-centered fairness, transparency, accountability, along with a pro-innovation streak that fits an economic body.
HOW
- Weight: light. Voluntary, no enforcement.
- Authority: a club of states agreeing on common ground.
- Trigger: you opt in. A country or company chooses to align with it.
Why is this one important? What makes it matter is not enforcement but vocabulary. Later laws, including the EU Act, borrowed its definitions and language. So it shapes the hard rules downstream without binding anyone itself.
At this point, I’d also like to refer to another framework that kind of falls under a similar block for me, with some noteworthy differences.
UNESCO’s Recommendation on the Ethics of AI (2021): This is the same kind of instrument as the OECD’s: voluntary, values-led, agreed by many states BUT far broader, adopted by all 193 member states, including much of the Global South the OECD club leaves out. Its one distinct move: it ships practical tools to help countries actually implement it, where OECD mostly stops at principles.
4d. The UK’s pro-innovation approach
Rather than pass an AI law, the UK chose (from 2023) to steer AI through its existing regulators and an openly pro-growth stance.
WHAT
- Leads with: enabling the technology: getting AI adopted and keeping the country competitive is the stated goal; safety principles ride along, but the framing is growth.
HOW
- Weight: light. Non-binding principles, no single law. (Binding rules are floated only for the very largest models, and keep getting delayed.)
- Authority: No central AI regulator. The existing sector regulators (finance, health, data protection) each apply the principles in their own patch.
- Trigger: Whatever already governs your sector. There’s no AI-specific trigger; you’re caught by the rules that already apply to your domain.
🚀 The bold move: In 2025, the “AI Growth Lab” launches — sandboxes where specific rules can be temporarily switched off so a company can pilot something. This is a rare instance where governance is used to clear a path, not block one! (Pretty wild, right? 😲)
The sting in the tail: a successful pilot can make that relaxation permanent, with less scrutiny than a normal law.
The UK approach pairs well with what Singapore is doing.
Singapore’s Model AI Governance Framework: Singapore’s tech regulator (the IMDA) issues this as voluntary guidance. Same pole as the UK (pro-innovation, light, opt-in), but with a different distinctive move. Instead of relaxing rules in sandboxes, Singapore builds tools: an open-source testing kit (AI Verify) that turns principles into things you can measure, and it was the first to publish guidance specifically for autonomous AI “agents.” (Anchor the Politician selection in Meritocracy and it does seem to have some benefits, no?)
4e. Frontier (scaling-law) governance
Scaling laws isn’t a new term for tech-people but it’s used here in a different context. The rule is aimed not at how AI is used but at the most powerful models themselves: the “frontier” systems from the biggest labs. It began as voluntary commitments (the 2024 Seoul summit, where major labs pledged safety practices) and has since hardened into law in places (California’s 2025 frontier-AI law; South Korea’s 2026 AI Act).
WHAT
- Leads with: preventing harm, specifically the large, catastrophic kind a highly capable model might enable.
HOW
- Weight: all over the map — from voluntary lab pledges with no defined repercussion upon violation to California’s binding law with real penalties.
- Authority: Mixed. An industry-and-summit handshake in one place, a US state legislature in another, a national government in Korea.
- Trigger: Not the use, but the scale. A model is governed for what it could do simply by being big enough. (Analogous example to our initial Speed Limit scenario would be trucks: rules for what the vehicle is, not where it’s driven. This is the EU’s “scale” grown into a whole approach.)
The twist worth noticing: this scale-based idea spread just as the political wind shifted. The 2024 summits were about “safety”; by 2025–26 they were about “impact” and “adoption,” and the US federal government swung the other way, rolling back its own safety rules and moving to override stricter state laws. The newest way to govern AI arrived right as the appetite to govern it cooled.
Now, last one, I promise.
The Council of Europe’s AI treaty (2024): a binding international agreement built around human rights, signed by the UK, US, EU, Canada and others. It’s the rare rights-led and binding combination but it binds countries to uphold principles rather than binding products to meet specs, and so far no country has ratified it, so its teeth remain on paper.
5. What the map shows
Place everything and the map starts talking back. Three things stand out.

Rights get principles; harms get laws.
Nearly every framework that leads with preventing harm (the EU Act, California’s frontier law, Korea’s) is binding, with real penalties.
Nearly every one that leads with protecting rights (OECD, UNESCO) is voluntary. The lone rights-led and binding instrument, the Council of Europe’s treaty, isn’t ratified by anyone.
We pass hard rules to stop damage, soft ones to protect rights, maybe because damage is concrete and rights are an argument.
“Pro- or anti-innovation?” is the wrong question.
Call the UK “pro-innovation” and you’ve bundled two facts: it centers on enabling (a WHAT) and pushes lightly (a HOW). The EU is the opposite pair. One word, two questions mashed together. Pull them apart and the debate resolves into coordinates.
Everyone agrees AI needs something, and that’s what the commentary fixates on. But the frameworks differ in the what and the how, and several lead with enabling, not risk.
The discourse was on the shared floor (the WHY), but the documents were one floor down, where they differ (the WHAT and HOW); still in the same building though.
6. Where it’s going
Two last notes.
Governing AI by its scale is a new paradigm. Every older rule we had, for cars, drugs, hiring, attaches to what something is used for. Governing a model for what it might do simply by being large has almost no precedent. It’s still rare, still aimed mostly at frontier systems, the thresholds crude. But it’s the one move here that isn’t borrowed from how we govern everything else — worth watching.
The other note is direction. Stack the recent changes (the EU delaying its strict rules, the UK switching rules off for pilots, the US rolling back its own safety work, the summits trading “safety” for “impact”) and they lean the same way: toward enabling.
Risk built the first wave of AI governance; the current wave is loosening it.
None of this tells you whether a framework is good or better than others. The two questions don’t settle that. They just helped me see it from the reference point of what I already knew.
References, by framework
Everything that fed this piece — primary sources plus the explainers, reports, and analyses we leaned on — grouped so you can go deep on any one framework.
EU AI Act
- Primary text — Regulation (EU) 2024/1689
- Article-mapped summary — artificialintelligenceact.eu
- Why the “four-tier pyramid” misleads — Modulos
- What problem it’s actually solving — Europe of Knowledge
- “Rights-driven” framing and its paradoxes — The Regulatory Review
- Proportionality / Draghi–Letta critique — Intereconomics
- Innovation-burden critique — Bloomberg Law
- Defense: adaptive, sandbox-based regulation — arXiv 2511.00027
- Phased timeline & risk-tier percentages — Opsio
NIST AI Risk Management Framework
- Framework text — AI RMF 1.0
- Resource center — NIST AIRC
- It sets no risk tolerance — arXiv 2406.15371
- Voluntary, non-certifiable, weak on agents — Witness AI
- Uneven adoption & cost — Lumenova
- General principles → inconsistent application — Securiti
OECD AI Principles
- Official text — OECD · OECD.AI
- Definitional influence & safe-harbour role — Adeptiv
- Non-binding; the Policy Observatory — White & Case
- “Industry-leads” philosophy critique — arXiv 2110.02707
- The 2024 walk-back on rights — arXiv 2408.01440
- Vague principles, inconsistent reading — arXiv 2407.13934
UNESCO Recommendation on the Ethics of AI
- Official page — UNESCO
- Key facts — UNESCO (PDF)
UK pro-innovation approach
- Parliament overview — UK POST
- Current state of play — Glacis guide
- The AI Growth Lab (rules switched off) — Bird & Bird
- King’s Speech 2026 / “Regulating for Growth” Bill — Bird & Bird
- “Regulatory stagnation” warning — AI CERTs
- Sandbox mechanics; adoption barriers — Compliance Week
- Fragmentation across regulators — SureCloud
Singapore Model AI Governance Framework
- AI Verify testing toolkit — FPF explainer
- First agentic-AI governance framework — Bird & Bird
Frontier / scaling-law governance
- From Seoul to the India summit — The Future Society
- India AI Impact Summit takeaways — Brookings
- California SB-53, explained — Brookings
- SB-53 mechanics & thresholds — WilmerHale
- US deregulation & state-law preemption — King & Spalding
- US state-vs-federal patchwork — Baker Botts
South Korea AI Basic Act
- Overview & key takeaways — Cooley
- Decree backlash (too light vs too heavy) — Business & Human Rights RC
Council of Europe AI treaty
- Framework Convention (official) — Council of Europe
- Context, approach & scope of obligations — Cambridge (EJRR)