Instead of waiting for slow-moving legislative bodies to pass AI-specific statutes, regulatory agencies are aggressively policing artificial intelligence by leveraging legacy legal frameworks like data privacy, product safety, and securities oversight. To sidestep legislative gridlock, these bodies are treating voluntary, non-binding AI safety frameworks as the default operational baseline during active investigations. This strategic shift transforms soft law into de facto mandatory guidelines, forcing enterprises to comply with supposedly non-binding rules to defend against real-world liability and enforcement actions.
Regulators bypass legislative lag by enforcing AI governance through legacy laws and de facto mandatory guidelines
Updated
Backlinks
- May 20, 2026 Cycle Summary: Global AI Liability Developments
Europe's Revised Product Liability Directive adapts legacy product safety frameworks to classify software and AI as 'products' subject to strict liability.
- South Korea's AI Basic Act: "High-Impact" vs. EU "High-Risk" — Innovation-Friendly but Liability Gaps Remain
South Korea's basic framework delegates substantive obligations to ambiguous decrees and self-regulation guidelines rather than rigid statutory rules, shifting the core compliance burden onto soft-law mechanisms.
- UK Product Safety Overhaul: AI Liability Implications of the March 2026 OPSS Consults
The UK is shaping AI product liability through broad updates to existing product safety frameworks and discretionary enforcement powers instead of drafting rigid, AI-specific liability statutes.
- Hong Kong: PCPD Moves to Proactive Enforcement on AI Governance and Cross-Border Data Flows (2026)
The Hong Kong PCPD enforces AI compliance using its legacy 1996 data privacy ordinance, explicitly treating its non-binding late-2024 AI Model Framework as a mandatory operational expectation during investigations.