EU-US Regulatory Divergence on AI Creates Structural Compliance Gaps for Multinational Enterprises
What happened
The Oxford Internet Institute published "Global AI Governance - Part 3: A Fragmented Future and a Trump Twist" in December 2024 as part of a multi-part series on the global AI governance landscape. The analysis examines how the incoming Trump administration's posture toward AI deregulation diverges sharply from the EU's structured, risk-tiered approach under the AI Act and its associated Code of Practice for general-purpose AI models. The paper identifies agentic AI as a specific regulatory blind spot where EU and US frameworks are developing on incompatible tracks, creating compliance uncertainty for enterprises deploying autonomous AI systems across both jurisdictions. The authors position ISO and OECD standards as the most viable cross-border coherence mechanism available to organizations that cannot wait for intergovernmental alignment, and they flag third-party vendor risk and model risk management as the operational domains most immediately exposed to fragmentation-driven compliance gaps.
Why it matters
- Regulatory exposure: Enterprises operating in both the EU and US cannot rely on a single compliance program to satisfy both regimes, particularly for general-purpose AI and agentic systems, where the two jurisdictions are developing materially different requirements with no harmonization mechanism currently in place.
- Operational impact: The absence of agreed international rules on agentic AI means that compliance teams must build parallel governance tracks for the same deployed systems, increasing documentation burden, audit complexity, and the likelihood of contradictory obligations emerging over the next 12 to 24 months.
- Organizational risk: Third-party vendor risk programs are especially exposed, because AI vendors often operate across jurisdictions under different regulatory assumptions, and a vendor compliant in the US may not satisfy EU general-purpose AI Code of Practice obligations, creating undetected risk in enterprise AI supply chains.
Governance controls affected
What to do now
- ☐ Map each deployed AI system against both EU AI Act requirements and applicable US federal or state rules to identify jurisdiction-specific compliance gaps, with priority given to general-purpose and agentic AI deployments.
- ☐ Update third-party AI vendor due diligence questionnaires to require vendors to disclose which regulatory regime they are designing for compliance and whether their EU AI Act Code of Practice participation status has changed.
- ☐ Adopt ISO/IEC 42001 and OECD AI Principles as the baseline cross-border governance standard for any AI system deployed across EU and US jurisdictions, and document this adoption rationale in your AI governance program charter.
- ☐ Establish a dedicated monitoring workflow for the EU Code of Practice for general-purpose AI, including sign-up deadlines, obligations for deployers versus providers, and how those obligations interact with US vendor contracts currently in place.
- ☐ Brief your board or AI governance committee on the structural nature of EU-US fragmentation, framing it not as a temporary gap but as a durable compliance architecture challenge that requires ongoing resource allocation.
What to watch next
Compliance teams should monitor the finalization and implementation timeline of the EU Code of Practice for general-purpose AI, which will impose specific obligations on GPAI model providers and may indirectly affect enterprise deployers through contractual and audit requirements. The trajectory of US federal AI policy under the new administration, including any executive guidance on federal preemption of state AI laws, will determine whether a coherent domestic US baseline emerges or whether the multi-state patchwork deepens. Progress or stagnation in G7 and OECD AI governance dialogues will signal whether voluntary international standards are hardening into de facto compliance requirements for multinational enterprises.
