The governance of artificial intelligence has emerged as a critical policy challenge across major global economies. The United States, European Union, and China have historically pursued divergent regulatory approaches, yet evidence suggests convergence around shared principles for AI safety and security oversight. This convergence centers on pre-deployment review mechanisms focused on high-risk capabilities, particularly in cybersecurity and biological domains, combined with targeted prohibitions on demonstrably harmful applications.
The three major economic blocs have moved toward alignment on core AI governance principles despite their distinct regulatory philosophies and political systems [1].
Pre-deployment review mechanisms represent a shared foundational approach across jurisdictions. Rather than comprehensive post-hoc regulation of all AI systems, governance frameworks increasingly focus on identifying models with dangerous dual-use capabilities prior to public release. This approach emphasizes proportional oversight—applying heightened scrutiny to systems demonstrating advanced reasoning, autonomous action, or access to sensitive domains while reducing friction for lower-risk applications.
Capability-focused assessment has become the primary organizing principle. Jurisdictions assess whether models present novel risks in critical domains: offensive cyber capabilities including vulnerability discovery and exploitation, biological research acceleration including pathogen design or synthesis optimization, and other weapons-relevant applications. This represents a meaningful shift from input-based regulation (controlling access to training data or compute) toward output-based evaluation (assessing what models can actually do).
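To make the distinction concrete, a minimal sketch of what output-based evaluation could look like is shown below. The probe structure, domain names, and thresholds are illustrative assumptions, not any jurisdiction's actual criteria.

```python
# Hypothetical sketch of an output-based capability check: run a model
# against domain-specific probe tasks and flag it for heightened review
# when its success rate crosses a pre-agreed threshold. All names and
# numbers here are illustrative assumptions, not a real standard.
from dataclasses import dataclass
from typing import Callable

@dataclass
class CapabilityProbe:
    domain: str            # e.g. "offensive_cyber" or "biological"
    tasks: list[str]       # prompts or structured evaluation tasks
    risk_threshold: float  # max tolerated success rate before escalation

def evaluate_model(
    run_task: Callable[[str], bool],  # returns True if the model solves the task
    probes: list[CapabilityProbe],
) -> dict[str, bool]:
    """Return, per domain, whether the model exceeds its risk threshold."""
    flags = {}
    for probe in probes:
        successes = sum(run_task(task) for task in probe.tasks)
        success_rate = successes / len(probe.tasks)
        flags[probe.domain] = success_rate > probe.risk_threshold
    return flags
```

The regulatory trigger in this sketch is what the model demonstrably does on the probe tasks, not how much compute or data went into training it.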
The convergence reflects recognition that regulatory divergence creates a problematic incentive for developers to migrate to jurisdictions with lighter oversight, potentially concentrating high-capability systems in less stringent regulatory environments. Mutual alignment on baseline standards creates more stable, predictable regulatory conditions for responsible developers while reducing arbitrage opportunities for less scrupulous actors.
The UK's AI Security Institute has established institutional and technical frameworks that all three regions have adopted or adapted as a reference model [2].
The Institute's approach emphasizes technical evaluation capability rather than purely bureaucratic assessment. Its methodologies include empirical testing of model capabilities, structured red-teaming exercises, and domain-specific evaluation protocols developed in collaboration with technical experts. This evidence-based approach reduces reliance on company self-assessment and creates more consistent evaluation standards across jurisdictions.
Key architectural elements from the UK model include:
* Capability evaluation frameworks that define concrete, measurable criteria for assessing whether models demonstrate dangerous capabilities
* Multi-stakeholder review structures incorporating government technical experts, external researchers, and domain specialists in biology and cybersecurity
* Iterative assessment protocols allowing models to be tested at multiple points during development (a minimal sketch follows this list)
* International coordination mechanisms enabling jurisdictions to share evaluation results and avoid duplicative testing
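The staged-evaluation element can be sketched as a simple gating protocol. The stage names, gate criteria, and pass/hold logic below are illustrative assumptions rather than the UK Institute's actual procedure.

```python
# Hypothetical sketch of a staged (iterative) assessment protocol in the
# spirit of the elements listed above. Stage names and gating rules are
# illustrative assumptions, not a documented regulatory process.
from dataclasses import dataclass, field
from enum import Enum

class Stage(Enum):
    PRE_TRAINING_REVIEW = 1    # planned capabilities and safeguards
    MID_TRAINING_CHECK = 2     # interim capability evaluations
    PRE_DEPLOYMENT_AUDIT = 3   # full red-team and domain-expert review

@dataclass
class StageResult:
    stage: Stage
    passed: bool
    findings: list[str] = field(default_factory=list)

def next_stage(history: list[StageResult]) -> Stage | None:
    """Advance only when the most recent stage passed; otherwise hold."""
    if not history:
        return Stage.PRE_TRAINING_REVIEW
    last = history[-1]
    if not last.passed:
        return None  # remediation required before re-evaluation
    ordered = list(Stage)
    idx = ordered.index(last.stage)
    return ordered[idx + 1] if idx + 1 < len(ordered) else None
```

A shared record of stage results is also what would allow jurisdictions to recognize one another's evaluations rather than repeating them.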
The adoption of UK institutional architecture reflects practical recognition that building credible AI safety evaluation infrastructure requires sustained technical expertise, independent analytical capacity, and mechanisms for international information sharing. Rather than each jurisdiction constructing evaluation capabilities from scratch, a shared reference architecture accelerates institutional development while improving consistency.
All three regions have converged on specific categorical prohibitions rather than broad sectoral bans. These targeted restrictions address applications with limited legitimate use cases and high potential for causing immediate harm.
Biological risk applications represent a primary focus. Jurisdictions increasingly restrict model deployment for applications reasonably expected to significantly accelerate biological weapons development, including pathogen synthesis design, gain-of-function research optimization, or virulence enhancement. These bans acknowledge legitimate biosafety research while constraining dual-use applications where commercial or research benefits are minimal relative to weaponization risks.
Offensive cyber applications similarly face convergent restrictions. Bans target systems specifically optimized for vulnerability discovery, exploit generation, or attack coordination without offsetting defensive applications. This reflects recognition that autonomous offensive capabilities present asymmetric risks: an attacker needs only one successful exploit, while defenders must block every attack vector.
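A toy calculation illustrates the asymmetry. The per-vector blocking probabilities and vector counts below are assumptions chosen for illustration, not empirical estimates.

```python
# Illustrative only: a toy model of offense-defense asymmetry.
# Assume n independent attack vectors, each blocked with probability p.
# The defender succeeds only if every vector is blocked; the attacker
# needs just one to slip through.
def attacker_success_probability(p_block: float, n_vectors: int) -> float:
    """Probability that at least one attack vector evades defense."""
    return 1.0 - p_block ** n_vectors

# Even highly reliable per-vector defense erodes at scale: with 99%
# per-vector blocking across 200 vectors, attacks still succeed most
# of the time.
print(attacker_success_probability(0.99, 200))   # ~0.87
print(attacker_success_probability(0.999, 200))  # ~0.18
```

Under these toy assumptions, even near-perfect per-vector defense leaves substantial attacker success probability once the number of plausible vectors grows, which is the intuition behind treating autonomous offensive capability as categorically riskier than comparable defensive tooling.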
The convergent move toward categorical bans rather than wholesale model restrictions reflects both practical constraints and policy sophistication. Banning entire model classes is difficult to enforce in a globalized environment where weights circulate through informal channels. Targeting specific dangerous applications leverages law enforcement and market mechanisms more effectively than attempting to prevent model availability entirely.
The convergence on shared governance principles creates several important implications. Regulatory predictability increases for AI developers, reducing uncertainty about which jurisdictions accept which models. International coordination becomes more feasible when baseline standards align, enabling information sharing and reciprocal recognition of evaluations. Reduced incentives for regulatory arbitrage emerge when multiple major markets apply similar standards, making jurisdictional shopping less attractive.
However, implementation challenges persist. Verification that models comply with application restrictions remains technically difficult, particularly for models deployed through API access where operators can obscure underlying capabilities. Disagreement may emerge regarding which capabilities constitute legitimate research versus weaponizable capabilities, particularly in dual-use domains like synthetic biology and cybersecurity. Enforcement mechanisms across sovereign jurisdictions remain underdeveloped, and compliance incentives differ substantially between commercial actors and state-directed development programs.
The convergence also raises questions about whether pre-deployment review focused on specific dangerous capabilities adequately addresses broader AI risks including deception, value misalignment, and distributional harms. Most frameworks emphasize catastrophic risks from biological and cyber capabilities while addressing other potential harms more peripherally.