Tuesday, June 16, 2026

Lecture 4—The "Rights State"; The E.U. Approach --for the Lecture Series: AI Governance in Comparative Perspective, Theory and Practice: China, U.S. and E.U.

 




I was delighted to have had the opportunity to present a series of Lectures hosted by the East China University of Political Science and Law (ECUPL) at the end of May 2026.

The overall theme (and thus the title) of the lectures was AI Governance in Comparative Perspective, Theory and Practice: China, U.S. and E.U., With a Sideways Glance at the U.N. The subject of the lectures requires little by way of introduction: Artificial intelligence is the broad term that has come to represent a growing cluster of non-human and digitalized processes and operations that has as its primary task the constitution of non-human systems capable of performing tasks that were once thought to require human intelligence. And so is the impulse to manage, control, exploit, embed, understand, and regulate these processes, systems, and perhaps eventually non-human consciousness with a huge potential to undertake many of the computational tasks (the mathematical and logical processing of data) that were once the sole domain of and perhaps defined what it meant to be human. That is the point where things get interesting. It is at the point where the development of machines, that is of non-human systems, capable of performing tasks that were once thought to require human intelligence, collides with regulatory structures meant to manage, contain, constrain, liberate, embed, project and exploit such non-human systems, whether they are traditional or emerging, public or private regulatory systems, that human collectives and the machine-systems they have created now find themselves.

The eight lectures progress sequentially from conceptual and theoretical frameworks (Lectures 1 and 2, the objects and subjects of AI regulation), through a deeper consideration of regulatory systems in three distinguishable regulatory regimes--the US, EU, and China (Lectures 3, 4, 5). The last two lectures consider judicial efforts to embed AI within traditional legal orders (Lecture 6), and the way in which the object of regulation (in the form of the owners of the larger AI enterprises) understands the relationship between AI, the state, and society (Lecture 7). Lecture 8 summarizes and draws larger themes going forward.

In a previous post introducing Lecture 1 (From Algorithms to Foundation Models: What Contemporary AI is “Made of”) I suggested that perhaps a useful way of approaching the issue of AI regulation is to start by considering the nature and characteristics of the regulatory subject--what we euphemistically refer to as "AI." It then occurred to me that it might be useful as well to see if that regulatory object had views of their own respecting their nature and character and, more importantly, the relationship of regulation projects to that (self) perception of their nature and character. So I approached Google's Gemini with a series of questions which I thought, in the process of what might pass for a conversation, might help humans begin to understand how at least one AI program thinks of itself. That conversation was incorporated into Lecture 1A. In Lecture 2 we moved from the object to the subjects of regulation. Like its regulatory objects, regulatory subjects are functionally differentiated and can be disaggregated. In either case the connection between object and subject becomes complicated.

This post includes a summary of the Lecture 4 Notes, as well as the link to the Lecture 4 PPT. Those interested may reach out to me to discuss availability of audio of the lecture and the full text of the Lecture 4 notes.

Given the nature of the project I thought it might be useful to engage with a commercially available AI service for the production of a summary of the Lecture 1 materials. After some back and forth with Grok (Lecture 3 used Anthropic's Claude; Lecture 2 used Chat GPT; Lecture 1 and 1A used Google's Gemini), we came up with the following abstract of Lecture 4.

 

Pix Generated through Grok

 Abstract: The European Union’s Risk-Based Supervisory Governance of Artificial Intelligence

The European Union has constructed a comprehensive regulatory architecture for artificial intelligence centered on the Artificial Intelligence Act (AI Act), a risk-based instrument that classifies systems according to their potential effects on health, safety, fundamental rights, and the internal market. This framework integrates with the General Data Protection Regulation (GDPR) on data privacy and automated decision-making, the Digital Markets Act (DMA) addressing gatekeeper conduct, and the Digital Services Act (DSA) concerning platform accountability. The EU model embeds AI governance within a broader regulatory imagination in which markets are constituted through law, high-impact systems receive ongoing supervision, and technological development aligns with fundamental rights.

The lecture’s central thesis holds that the EU renders AI legally legible through ex ante classification, risk assessment, and lifecycle obligations rather than primarily ex post responses to harm. This supervisory governance model contrasts with the more fragmented, market-oriented U.S. approach, which often translates harms into existing legal categories after deployment via agencies, litigation, and standards. The EU architecture identifies prohibited practices, high-risk systems, transparency obligations, and general-purpose AI requirements, allocating responsibilities among providers, deployers, importers, and distributors.

The AI Act functions as a risk pyramid. Prohibited practices—certain manipulative techniques, social scoring, and biometric applications—embody non-negotiable limits grounded in EU values. High-risk systems, used in employment, education, critical infrastructure, law enforcement, and essential services, trigger extensive lifecycle obligations: risk management, data governance, technical documentation, logging, human oversight, accuracy, robustness, cybersecurity, post-market monitoring, and incident reporting. Lower tiers impose transparency duties for chatbots or synthetic content, while minimal-risk systems face few burdens. This scaling acknowledges differential stakes but raises classification challenges for multi-purpose or context-shifting systems.

The provider-deployer distinction seeks to close accountability gaps: providers handle design and documentation; deployers manage contextual use and oversight. For general-purpose AI and foundation models, upstream obligations address technical documentation, systemic-risk mitigation, and downstream information flows, recognizing their infrastructural role beyond single use cases. Complementary provisions emphasize AI literacy for personnel and staged implementation from February 2025 to August 2027.

The EU approach fuses product-safety logics (conformity assessment, market surveillance) with fundamental-rights supervision (non-discrimination, dignity, autonomy). Strengths include regulatory harmonization, the “Brussels effect” on global compliance, and explicit lifecycle accountability. Weaknesses encompass classification complexity, compliance burdens on smaller entities, potential formalism, enforcement variability, and the risk that managerial techniques displace deeper contestation over power and democracy. Rapid technical evolution further tests adaptability.

Comparatively, the EU and U.S. systems organize shared concerns—innovation, safety, rights—through divergent logics: supervisory risk governance versus monitored market governance. The EU AI Act represents an ambitious effort to make AI governable through legal classification and obligation. Its success depends on whether this architecture can sustain coherence amid rapid change while protecting rights and supporting innovation.

 

 

Links to Lectures:

Lecture 0 -- Introduction
Lecture 1—From Algorithms to Foundation Models: What Contemporary AI is “Made of”
Lecture 1A--A Computation/Conversation With Google's "Maschinenmensch" Gemini:
Lecture 2—What Are We Actually Governing When We Govern AI?
Lecture 3—The “Markets State”: U.S. Approach
Lecture 4—The “Rights State”: EU Approach
Lecture 5—The “Guided State”: The Chinese Approach
Lecture 6—Courts, Companies, and the Legal Construction of AI
Lecture 7—AI Narratives: Palantir; Anthropic; Open AI; and Leopold Aschenbrenner
Lecture 8—Putting It All Together: Trends, Trend Lines, and Regulatory Dialectics




Lecture 4 The “Rights State”—The European Union Approach

 

**Executive Summary: The European Union’s Risk-Based Supervisory Governance of Artificial Intelligence**

 

The European Union has developed one of the most ambitious and structurally coherent frameworks for the governance of artificial intelligence. At its center stands the Artificial Intelligence Act, a risk-based regulation that classifies AI systems according to their potential impacts on health, safety, fundamental rights, and the functioning of the internal market. This instrument operates alongside and in coordination with other foundational measures, including the General Data Protection Regulation (GDPR), which addresses data privacy and automated individual decision-making; the Digital Markets Act (DMA), which disciplines major technology gatekeepers to preserve competitive conditions; and the Digital Services Act (DSA), which imposes obligations of safety and accountability on online platforms and intermediaries.

 

The EU approach transcends narrow technology policy. It reflects a distinctive European regulatory imagination in which markets are constituted and disciplined through law, high-impact systems are subjected to continuous supervision, and technological trajectories are required to remain compatible with the Union’s commitments to fundamental rights. The central thesis of the lecture is that the EU constructs AI as an inherently risk-bearing system that must be rendered legally legible prior to and throughout its deployment. This legibility is achieved by systematic inquiry into an AI system’s category, its provider and deployer, the risks it generates, the quality of its documentation, the adequacy of human oversight mechanisms, and the capacity of supervisory authorities to enforce compliance.

 

This model stands in deliberate contrast to the United States’ monitored market governance described in the preceding lecture. Where the U.S. system typically translates emergent AI harms into existing legal categories after deployment—relying on a diffuse array of agencies, litigation, procurement policies, standards bodies, and state-level measures—the EU seeks to establish an ex ante and lifecycle-oriented governance architecture. Rather than waiting for harm to materialize, the EU framework classifies risk, allocates duties across actors, and demands affirmative evidence of control. Both systems pursue innovation, safety, and rights protection, yet they organize these objectives through fundamentally different institutional logics. The U.S. approach remains fragmented; the EU model is deliberately formalized and harmonized.

 

The EU regulatory architecture identifies prohibited practices, high-risk systems, transparency obligations, and specific duties for general-purpose AI models. It distinguishes among providers (who develop or place systems on the market), deployers (who use them under their authority), importers, distributors, and other actors. Obligations encompass risk management, data governance, technical documentation, logging, human oversight, accuracy, robustness, cybersecurity, post-market monitoring, and incident reporting. Beyond its character as statute, the AI Act embodies a theory of governance. It presumes that AI systems can and should be classified, documented, supervised, and controlled across their entire lifecycle, treating legal compliance as an intrinsic design requirement rather than an afterthought.

 

This imagination manifests in the EU’s longstanding practice of conditioning market access on satisfaction of legal criteria—a pattern evident in product safety, data protection, consumer law, competition policy, and platform regulation. For AI, the decisive question is not merely whether harm has occurred but whether a system may lawfully be placed on the market or put into service, and under what conditions. The framework is usefully described as combining product-safety logics with fundamental-rights supervision. The former appears in requirements for conformity assessment, technical documentation, robustness, and market surveillance; the latter surfaces in protections against discrimination, inappropriate biometric identification, and risks in sensitive domains such as employment, education, public services, law enforcement, and migration.

 

Central to the architecture is the risk pyramid. Prohibited practices occupy the apex—uses deemed incompatible with EU values or intolerably dangerous, including certain manipulative or exploitative techniques, forms of social scoring, applications targeting vulnerable groups, and specified biometric practices, subject to defined exceptions. These prohibitions express the EU’s rights-based orientation: some risks cannot be mitigated through documentation or oversight; they offend core commitments to autonomy, dignity, and non-discrimination.

 

Below the prohibitions lie high-risk AI systems, the operational core of the regime. These systems—deployed in employment, education, critical infrastructure, law enforcement, migration, and access to essential services—are permitted but subjected to stringent obligations. When AI supports consequential decisions, providers and deployers must demonstrate control through a comprehensive lifecycle approach: risk management by design, data governance, technical documentation, automated logging, human oversight mechanisms, standards for accuracy and robustness, cybersecurity safeguards, post-market monitoring, incident reporting, and a supporting quality management system. This proactive stance marks a sharp divergence from U.S. tendencies toward reactive enforcement.

 

The distinction between provider and deployer is structurally significant. Providers bear responsibility for design, intended purpose, and foundational compliance; deployers manage contextual application, suitability for specific populations, and operational oversight. This allocation seeks to prevent accountability gaps in which each actor deflects responsibility onto the other. In the example of an AI hiring tool, the vendor ensures technical compliance while the employer ensures appropriate deployment, monitoring, and respect for worker rights.

 

General-purpose AI models and foundation models presented a conceptual challenge to the originally use-case-oriented risk model. Large language or multimodal systems resist neat classification because they serve as adaptable infrastructure rather than singular applications. The AI Act therefore imposes upstream obligations on such models, with heightened requirements for those presenting systemic risk, including technical documentation, downstream information flows, evaluation, risk mitigation, and incident reporting. These rules represent an evolution in EU thinking, acknowledging the infrastructural character of frontier models while raising enduring questions: measurement of systemic risk, treatment of open-source systems, disclosure limits balancing security and transparency, and responsibility division between upstream providers and downstream deployers.

 

Transparency obligations apply to lower-risk systems, requiring disclosure when individuals interact with chatbots, encounter synthetic content, or are subject to emotion recognition or biometric categorization. Such measures address the capacity of AI to generate misleading impressions of humanity, authenticity, neutrality, or objectivity. Yet the framework recognizes transparency’s limitations: disclosure alone may not prevent deception or empower meaningful contestation, particularly for high-risk applications where stronger controls are mandated.

 

A notable innovation is the emphasis on AI literacy. Providers and deployers must ensure that relevant personnel possess sufficient understanding of AI systems, calibrated to context, technical background, and role. This requirement underscores that effective governance cannot rely solely on technical or documentary controls; it demands institutional competence. Human oversight is meaningful only when humans comprehend system limitations. AI literacy thus contributes to both operational integrity and public legitimacy, mitigating risks of over-reliance or unexamined adoption.

 

Implementation proceeds on a phased timeline. Core provisions, definitions, AI literacy requirements, and prohibitions took effect in February 2025. Governance structures and general-purpose AI obligations followed in August 2025. Most high-risk and transparency rules apply from August 2026, with certain embedded systems phased in later, targeting full application by August 2027. This staging reflects the recognition that successful regulation requires more than statutory text: competent authorities at member-state and EU levels, harmonized standards, compliance programs, regulatory sandboxes, and enforcement capacity must mature. The gap between legislative ambition and institutional readiness constitutes a central implementation challenge.

 

The EU model offers notable strengths. It provides regulatory unity across the internal market, scales obligations to risk, embeds ex ante controls, centers fundamental rights, and leverages the “Brussels effect” whereby global operators often align practices to EU standards for efficiency. At the same time, it faces significant weaknesses. Classification decisions are contestable and complex, compliance burdens may weigh heavily on smaller enterprises, documentation risks becoming formalistic, enforcement may vary across member states, and the framework may struggle to keep pace with rapid technological evolution—particularly as low-risk systems migrate into high-stakes contexts or foundation models are repurposed unpredictably. A deeper critique suggests that risk-based governance can transform inherently political questions about power, surveillance, labor, and democratic order into managerial exercises, potentially managing symptoms without confronting underlying structural issues.

 

In comparison with the United States, the EU prioritizes harmonized lifecycle supervision and rights-compatible market access, while the U.S. relies on flexible, innovation-oriented responses through agencies, courts, and state experimentation (such as Colorado’s high-risk AI provisions). Neither is categorically superior: the U.S. may facilitate faster adaptation and reduced bureaucratic friction; the EU may better prevent foreseeable harms and clarify obligations. A brief bridge to China highlights shared administrative governance tendencies but divergent normative foundations—EU emphasis on rights and internal market versus China’s coordination of development, security, and state-defined values.

 

Ultimately, the EU AI Act constitutes one of the most comprehensive contemporary efforts to render artificial intelligence legally governable. Through classification, duty allocation, documentation mandates, human oversight, transparency, and institutional supervision, it seeks to align technological development with European constitutional commitments. Its ambition, however, generates corresponding vulnerabilities. The decisive question is whether a risk-based legal architecture can maintain coherence and effectiveness in the face of general-purpose, rapidly evolving, and globally deployed AI systems—while simultaneously safeguarding fundamental rights and sustaining conditions for innovation. The European Union governs AI by insisting on its legal classifiability and the attachment of calibrated obligations across risk, role, and lifecycle stages.

 

  

Tabular Comparison of US and EU AI Regulatory Approaches

| Aspect | European Union (EU AI Act & Complementary Frameworks) | United States (Primarily Market-Oriented, Fragmented) |
| --- | --- | --- |
| Overall Approach | Comprehensive, risk-based supervisory governance. Harmonized binding regulation across the EU internal market with ex ante obligations. | Monitored market governance. Fragmented across federal agencies, executive actions, state laws, litigation, standards, and procurement. Primarily ex post responses using existing legal categories. |
| Core Instrument | AI Act (Regulation (EU) 2024/1689) – risk pyramid with prohibitions, high-risk obligations, transparency rules. Integrates GDPR, DMA, DSA. | No single comprehensive federal law. NIST AI RMF (voluntary), Executive Orders (e.g., 2025 innovation-focused actions), sector-specific agency rules. Key state examples: Colorado (high-risk/consequential decisions), Utah (transparency), California (frontier models + CCPA ADMT rules). |
| Risk Classification | Four-tier pyramid: Prohibited, High-risk (extensive obligations), Limited/Transparency (e.g., chatbots, synthetic content), Minimal. | No uniform national classification. Sectoral/voluntary. State examples: Colorado targets “high-risk” AI or ADMT in consequential decisions (employment, housing, healthcare, etc.); California regulates ADMT for “significant decisions” and frontier models (>10²⁶ FLOPS). |
| Scope & Application | Extraterritorial for EU market impact. Applies to providers, deployers, etc. Lifecycle focus. | Primarily domestic; global influence via markets. Federal: often voluntary for private sector. States: Colorado & California impose obligations on developers/deployers of high-impact systems. |
| Key Obligations | High-risk: Risk management, data governance, documentation, logging, human oversight, conformity assessment, post-market monitoring, incident reporting, AI literacy. Provider/deployer distinction. | Sectoral (bias, deception, safety). State examples: Colorado (impact assessments, anti-discrimination duties, notices—amended 2026, effective 2027); Utah (disclosures for generative AI interactions); California (pre-use notices/opt-outs for ADMT, frontier model safety frameworks, training data transparency). |
| Prohibited Practices | Explicit bans on manipulative practices, certain social scoring, untargeted biometric surveillance (with exceptions). | No broad AI-specific bans; addressed via existing laws (civil rights, fraud). Some state deepfake/election rules. |
| General-Purpose AI/Foundation Models | Specific upstream obligations for GPAI; enhanced for systemic-risk models (documentation, evaluation, mitigation). | Voluntary standards + national security controls. State examples: California’s Transparency in Frontier AI Act (SB 53, 2026) requires safety frameworks and incident reporting for large models. |
| Enforcement | EU AI Office + national authorities. Fines, market withdrawal. Phased (2025–2027). | Agency actions, litigation, state AGs. States: Colorado AG enforcement (penalties); California CCPA/AG rules. |
| Philosophy | Markets structured by law; alignment with fundamental rights, safety, prevention. | Innovation-first; flexibility via markets and targeted rules. |
| Strengths (per analyses) | Harmonization, rights protection, predictability, Brussels Effect. | Flexibility, faster innovation, sector expertise. |
| Weaknesses (per analyses) | Complexity, compliance burden, classification challenges, formalism. | Fragmentation, uncertainty, gaps. State variation adds complexity for national firms. |

 

 
