AI Ethics & Governance · Article 01

AI innovation vs. control: the illusion of a binary choice

The opening essay in BioLiterate's series on AI ethics and governance — on why “move fast” and “regulate” was never the real choice, and what four jurisdictions reveal about where global AI governance is actually heading. An interactive map further down plots each jurisdiction by its regulatory philosophy and pressure, so you can explore the landscape as you read.

The global conversation on artificial intelligence regulation is often framed as a choice: move fast and innovate, or regulate and constrain.

That framing reflects a concern across policy and public debate that premature regulation may inhibit technological developments or weaken global competitiveness, with policymakers also acknowledging that delayed intervention will not preserve optionality. It will simply allow risks to crystallise, often to a point where harms have already materialised and are significantly harder, or impossible, to reverse. In domains such as biomedicine, where technical corrections and retrospective regulatory intervention won’t undo patient harm, this principle is well understood.

In practice, a small but influential group of jurisdictions is actively attempting to intervene early, under conditions of deep uncertainty, while many others are still observing and relying on existing legal frameworks and reactive enforcement rather than developing AI-specific regimes. What may be perceived as more “pro-innovation” or more “restrictive” in fact reflects a different theory of risk, accountability, and institutional capability across jurisdictions, with four broad approaches that are now taking shape for the governance of AI.

The four approaches taking shape
  1. EUPre-emptive system governance — a structured, risk-based regime applied before deployment.
  2. UKPrinciples-based & sector-specific — high-level principles applied through existing regulators.
  3. USState-led with a litigation backstop — sectoral oversight, state laws, and liability as a driver.
  4. SINGAPOREOperational governance playbooks — practical, implementable toolkits over binding law.
01

European UnionThe pre-emptive model of system governance

The European Union has adopted the most structured and anticipatory model with the EU AI Act; it applies a risk-based framework that classifies AI systems and imposes obligations before they are deployed, particularly for high-risk applications such as those used in healthcare.

The logic is familiar, as it mirrors elements of existing product safety regulation, including conformity assessments and, in certain cases, third-party oversight, drawing clear parallels with CE-marking regimes. The ambition is to build trust through harmonisation and legal certainty across the European market.

Yet key elements of the framework depend on harmonised technical standards, many of which are still under development by European standardisation bodies such as CEN and CENELEC. Until these standards are finalised, operational clarity remains limited.

Having recognised the practical limits of a framework without implementing standards, the Commission has proposed postponing the application of parts of the high-risk regime until the supporting compliance framework is actually available. This is important for biomedical AI, since developers of clinical, diagnostic and device-linked AI might consider that they cannot operationalise conformity assessment, documentation and post-market obligations with confidence if the technical standards needed to translate legal requirements are still unfinished.

A pre-emptive model of governance can also prove difficult to apply to complex AI systems that evolve through adaptive learning. For example, developers in biomedicine may be required to rely on conformity assessment pathways for systems that have already been deployed and subsequently re-trained on new patient data, refined to reflect local clinical practices and updated to incorporate emerging biomarkers. At that stage, the system may no longer be meaningfully equivalent to the version originally assessed, raising a fundamental challenge as to whether the initial conformity assessment still captures the risks of what has effectively become a different system.

02

United KingdomPrinciples-based and sector-specific

The United Kingdom has taken a different path. Rather than introducing a single cross-sector AI statute, it has opted for a principles-based framework, implemented through existing regulators.

Authorities such as the Financial Conduct Authority, the Medicines and Healthcare products Regulatory Agency (MHRA), and the Information Commissioner’s Office are expected to interpret and apply high-level principles within their respective domains. The stated objective is flexibility and responsiveness, avoiding the rigidity of a single legislative framework. By leveraging sector expertise, the UK also aims to align governance with real-world use cases, including in healthcare and life sciences.

This model, relying on fragmentation, obviously carries its own risks too. Different regulators may interpret similar concepts such as fairness, transparency, or accountability in different ways. For organisations operating across sectors, this can translate into uneven expectations and increased compliance complexity.

In biomedicine, where data protection, medical device regulation, and clinical governance intersect, this plurality can create uncertainty about which standards ultimately prevail.

03

United StatesA state-led approach with a litigation backstop

In the United States, no single comprehensive federal AI law currently governs the field. Instead, the regulatory landscape is shaped by a combination of sector-specific oversight, emerging state legislation, and general legal principles.

For biomedical AI, the Food and Drug Administration plays a central role, particularly through its regulation of software as a medical device. The FDA has also begun to articulate approaches to adaptive AI systems, signalling an awareness of the challenges posed by continuously learning models.

Beyond sectoral oversight, states are increasingly active. Legislative initiatives, including those addressing automated decision-making and algorithmic accountability, are beginning to fill gaps at the federal level. For example, in California, the Transparency in Frontier Artificial Intelligence Act will be particularly important for developers of large-scale models used in drug discovery or biological research, imposing transparency and safety-reporting obligations on “frontier” AI systems. Colorado’s Consumer Protections for Artificial Intelligence Act will apply to high-risk AI systems and targets algorithmic discrimination mitigation relevant for health-related decisions, including diagnostics and eligibility determinations (though its scope is currently under legislative reconsideration ahead of its June 2026 effective date). Utah, for its part, has adopted the Artificial Intelligence Policy Act, which focuses on disclosure obligations for generative AI interacting with consumers.

In this fragmented context, the December 2025 Executive Order on Artificial Intelligence and the White House’s National AI Legislative Framework (March 2026) were less about regulating AI than about signalling a move toward federal pre-emption of the current state-led patchwork.

In practice, liability exposure through litigation — whether through consumer protection claims, product liability, or class actions — will act as a significant deterrent and governance driver. In effect, the framework will rely heavily on post-deployment accountability, allowing systems to be introduced ahead of settled standards, but with legal risk realised later, sometimes in unpredictable ways. For companies, this may shift the focus from formal compliance to defensibility.

04

SingaporeA set of operational governance playbooks

Singapore offers a more pragmatic and operationally focused model. Rather than prioritising binding legislation, it has developed detailed governance frameworks and practical toolkits.

The Model AI Governance Framework and associated initiatives include testing and assurance tools (AI Verify) which are designed to be directly implementable by organisations. The emphasis is on usability, clarity, and alignment with business processes.

This approach reflects a different philosophy and is really unique globally. Instead of codifying obligations in law or relying on formal certifications, Singapore seeks to shape behaviour through guidance that organisations can adopt, test, and adapt. In biomedical contexts, this can be particularly effective, as organisations are provided with concrete methods to assess risk, document decisions, and embed governance into system development to fit their exact needs and risks.

However, the model relies on voluntary adoption and does not carry the same legal force as statutory regimes. Its effectiveness therefore depends on organisational incentives and market expectations.

Figure 01 · Interactive Map the four approaches: AI governance in a fragmented landscape
How to read it: jurisdictions are mapped by regulatory philosophy (vertical) and regulatory pressure (horizontal); placement reflects governance maturity and implementation architecture rather than solely the binding nature of obligations. Hover or tap any jurisdiction for its status and approach. Despite divergent approaches, all converge around five core expectations — accountability, transparency, risk management, controllability and auditability.
05

The emerging convergence

Despite these differences, a closer examination reveals a notable degree of convergence around the core functions that AI governance must perform.

Accountability Transparency Risk management Controllability Auditability & traceability

Accountability appears consistently, whether through internal responsibility, regulatory obligations, or liability exposure. Transparency also recurs, in different forms: explainability in certain contexts, user-facing disclosures or labelling, and internal documentation. Risk management is similarly embedded — not always through formal classification, but also through testing, mitigation and ongoing monitoring. Systems are expected to remain controllable, through human oversight, operational safeguards, and governance processes.

Alongside all this sits a growing expectation that system behaviour can be evidenced, through records, documentation, or audit trails. Auditability and traceability, once technical concerns, are now recognised as core governance requirements.

At the same time, important divergences persist in how these requirements are structured and enforced. The timing of enforcement varies significantly, from pre-emptive obligations in the EU to more reactive mechanisms in the US. Approaches to liability remain uneven, shaping how risk is allocated between developers, deployers, and users. The balance between non-binding guidance and formal certification also differs across systems.

This combination of convergence and divergence creates a challenge for organisations operating globally — which is not simply about complying with multiple regimes, but how to reconcile them into a coherent internal approach.

06

The biomedical reality

“We are not waiting for regulators, but we are also not confident enough to scale.”

This sentiment captures the current reality for many biomedical organisations, which are operating under simultaneous pressure to accelerate adoption while ensuring that systems remain clinically reliable, explainable and governable.

The absence of fully operationalised regulatory frameworks does not eliminate the need for governance, and companies are therefore developing parallel compliance structures to anticipate future requirements while responding to present constraints. Internal standards are often designed to be acceptable across multiple jurisdictions, even where formal obligations differ.

In this environment, every design decision — whether related to data, oversight, validation, or deployment — aligns more naturally with certain governance models than others. As regulatory frameworks continue to evolve, these implicit choices will shape how easily systems can adapt to enable responsible innovation under conditions of incomplete information. This is where AI ethics can play a key role: to help translate fragmented external expectations into coherent, actionable oversight.

About this series

AI Ethics & Governance

This is the first article in an ongoing BioLiterate series examining how AI ethics and governance are taking shape across the biomedical field — from the global regulatory landscape to the practical decisions organisations face as they move from experimentation to responsible scale. Future instalments will build on the framework introduced here.

Portrait of Iphigénie Fossati-Kotz
Author

Iphigénie Fossati-Kotz

AI Ethics & Regulation Expert · Non-Executive Director, BioLiterate

A senior legal executive with over 15 years as General Counsel, Iphigénie focuses on board-level governance, risk oversight, and the responsible oversight of AI, data, and emerging technologies — pairing cross-jurisdictional regulatory experience with formal training in AI ethics.

Read full bio → LinkedIn →
About
BioLiterate
Founded 2025 · Independent
Join the AIxBio Community → Follow on LinkedIn →

BioLiterate is an independent research and education nonprofit organization founded in 2025 with a focused mission: to equip biomedical professionals with the knowledge and tools to engage with AI critically, confidently, and responsibly.

We produce curated educational content, a quarterly newsletter, and live and online community events — developed in partnership with organizations across the biopharma, clinical, and research ecosystems. Our work is built on a simple conviction: that responsible AI adoption in biomedicine depends not on hype or fear, but on grounded, peer-relevant evidence.