Abstract

The pervasive integration of Artificial Intelligence (AI) across global sectors mandates the urgent establishment of comprehensive regulatory frameworks. These frameworks are pivotal for guiding the ethical deployment of AI systems, fostering innovation, and effectively mitigating a spectrum of associated risks, including algorithmic bias, privacy erosion, and issues of accountability. This expanded report offers an exhaustive analysis of the emergent landscape of global and regional AI-specific legislation and their profound implications. It scrutinizes their direct impact on critical domains such as data protection, robust governance structures, the formidable compliance challenges encountered by stakeholders, and the paramount ethical considerations that underpin the responsible development and use of AI. Key regulatory instruments subjected to in-depth examination include the European Union’s landmark AI Act, Italy’s pioneering national AI Law, and the critical application and interaction of established privacy frameworks such as the General Data Protection Regulation (GDPR) within the EU and the Health Insurance Portability and Accountability Act (HIPAA) in the United States, particularly as they relate to AI. The report further delves into the nuanced concept of the ‘right to explanation’ as enshrined in GDPR and subsequently reinforced by the AI Act concerning automated AI decisions, the strategic risk-based approach championed by the EU AI Act, and prognoses for the future trajectory and potential harmonization of international AI governance standards, acknowledging the diverse geopolitical and ethical landscapes.

1. Introduction

Artificial Intelligence, a constellation of technologies enabling machines to perceive, comprehend, act, and learn with human-like intelligence, has unequivocally permeated nearly every facet of modern society. From revolutionizing healthcare diagnostics and financial trading algorithms to optimizing logistics and personalizing educational experiences, AI’s transformative potential is immense, promising unprecedented advancements in productivity, efficiency, and human well-being. However, this profound technological evolution is not without its attendant complexities and challenges. The rapid pace of AI development has outstripped the capacity of traditional legal and ethical frameworks to adapt, leading to a landscape characterized by significant ethical dilemmas, novel legal ambiguities, and profound societal concerns.

The absence of cohesive, globally recognized regulatory frameworks has, until recently, resulted in a fragmented patchwork of approaches to AI governance. This fragmentation has created an environment rife with uncertainty, posing considerable risks to individual rights, democratic values, and economic stability. Concerns range from the subtle yet pervasive issue of algorithmic bias perpetuating and amplifying societal inequalities, to the erosion of personal privacy through pervasive data collection and analysis, the potential for job displacement, and the complex moral implications of increasingly autonomous decision-making systems. Furthermore, the potential for AI misuse by malicious actors, alongside questions of accountability when AI systems cause harm, underscore the urgent imperative for robust and coherent regulatory intervention.

This comprehensive report undertakes a meticulous exploration of the nascent evolution of AI regulations across key jurisdictions. It meticulously examines their far-reaching implications for data protection, the intricate compliance challenges faced by developers and deployers, and the fundamental ethical considerations that must guide AI’s trajectory. A particular emphasis is placed on the European Union’s groundbreaking AI Act, Italy’s proactive national AI Law, and the critical interplay of these new regulations with venerable existing privacy laws, specifically the General Data Protection Regulation (GDPR) in the European context and the Health Insurance Portability and Accountability Act (HIPAA) in the United States, illustrating the confluence of sector-specific and horizontal regulatory efforts. By dissecting these frameworks, this report aims to illuminate the pathways towards fostering trustworthy, human-centric AI systems that maximize societal benefits while rigorously safeguarding fundamental rights and democratic principles.

2. The European Union’s AI Act: A Pioneering Regulatory Framework

Many thanks to our sponsor Esdebe who helped us prepare this research report.

2.1 Overview of the AI Act

The European Union’s AI Act, formally adopted in June 2024, stands as a monumental achievement, representing the world’s first comprehensive legal framework specifically designed for Artificial Intelligence. Its genesis can be traced back to the European Commission’s 2020 White Paper on Artificial Intelligence, which outlined a vision for a trustworthy, human-centric approach to AI. This initial document initiated a broad public consultation, paving the way for the legislative proposal in April 2021. Following extensive negotiations and refinements among the European Parliament, the Council of the European Union, and the European Commission (the ‘trilogue’ process), the Act reached its final political agreement in December 2023, culminating in its formal adoption. This journey underscores the EU’s proactive stance in shaping global digital governance.

The Act’s primary objective is dual-faceted: to foster the development and uptake of trustworthy AI in the EU, while simultaneously ensuring a high level of protection of health, safety, fundamental rights, democracy, the rule of law, and environmental protection from the potential adverse impacts of AI systems. This underlying philosophy is rooted in the EU’s commitment to fundamental rights and its ambition to position itself as a global leader in ethical technology governance, often referred to as the ‘Brussels Effect.’ The Act establishes a harmonized legal framework, ensuring that AI systems placed on the EU market or otherwise affecting individuals within the EU adhere to a common set of stringent requirements.

Crucially, the AI Act employs a novel, proportionate, and risk-based approach to regulation. It classifies AI systems into four distinct risk levels, imposing varying obligations commensurate with the potential harm they might inflict. These categories are:

1. Unacceptable Risk: AI systems deemed to pose a clear threat to fundamental rights, and thus outright prohibited.
2. High-Risk: AI systems identified as having significant potential to cause harm to health, safety, or fundamental rights. These are subject to rigorous regulatory requirements.
3. Limited Risk: AI systems presenting specific transparency risks, necessitating certain disclosure obligations.
4. Minimal or No Risk: The vast majority of AI systems, such as spam filters or AI-powered video games, which are subject to very light-touch regulation, primarily encouraging voluntary codes of conduct. (digital-strategy.ec.europa.eu)

The scope of the Act is broad, applying to providers placing AI systems on the EU market, deployers using AI systems within the EU, and providers and deployers of AI systems located outside the EU whose AI system’s output is used in the EU. Key definitions within the Act include ‘AI system’ (a machine-based system that operates with varying levels of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments), ‘provider’ (any natural or legal person, public authority, agency or other body that develops an AI system or has an AI system developed and places it on the market or puts it into service under its name or trademark), and ‘deployer’ (any natural or legal person, public authority, agency or other body using an AI system under its authority).

Many thanks to our sponsor Esdebe who helped us prepare this research report.

2.2 Risk-Based Approach and Compliance Requirements

The AI Act’s stratified risk-based approach is central to its regulatory philosophy, focusing compliance efforts where the potential for harm is greatest.

2.2.1 Unacceptable Risk AI Systems

These systems are explicitly prohibited because they are considered a clear threat to fundamental rights and democratic values. Examples include:

• Cognitive behavioural manipulation: AI systems that deploy subliminal techniques beyond a person’s consciousness or purposefully deceptive or manipulative techniques to materially distort a person’s behaviour in a manner that causes or is likely to cause significant harm.
• Social scoring by public authorities: Systems used to evaluate or classify the trustworthiness of natural persons based on their social behaviour, potentially leading to detrimental treatment.
• Real-time remote biometric identification systems in public spaces for law enforcement purposes: With limited exceptions (e.g., searching for specific crime victims, preventing specific serious threats), these are banned due to their potential for pervasive surveillance and infringement on privacy and freedom of movement. Post-remote biometric identification is subject to strict safeguards.
• Predictive policing based on profiling: Systems that predict the likelihood of a person committing a criminal offence based on profiling, rather than objective and verifiable data.
• AI systems that exploit vulnerabilities of specific groups: Such as age or physical or mental disability, to materially distort their behaviour, causing or likely to cause significant harm.

The rationale behind these prohibitions is to prevent AI from being used in ways that fundamentally undermine human autonomy, dignity, and democratic principles.

2.2.2 High-Risk AI Systems

This category forms the core of the Act’s regulatory burden. High-risk AI systems are those intended to be used as a safety component of a product, or as a product itself, covered by EU harmonization legislation (e.g., medical devices, aviation), or falling into specific areas crucial for fundamental rights. The latter includes AI systems used in:

• Critical infrastructure: Such as water, gas, electricity, and road traffic management, where a malfunction could endanger life and health.
• Education and vocational training: For assessing students, determining access, or evaluating learning outcomes, which could impact life chances.
• Employment, worker management, and access to self-employment: For recruitment, selection, promotion, task assignment, or performance evaluation, potentially leading to discrimination.
• Access to and enjoyment of essential private services and public services and benefits: Including credit scoring, dispatching emergency services, or evaluation of eligibility for benefits, which can have profound societal implications.
• Law enforcement: For assessing the risk of re-offending, evaluating evidence, or profiling individuals.
• Migration, asylum, and border control management: For assessing eligibility for asylum or visa applications, or border surveillance.
• Administration of justice and democratic processes: For assisting judicial authorities in researching facts and law, or influencing election outcomes.

For providers of these high-risk AI systems, the compliance requirements are extensive and span the entire AI lifecycle:

• Robust Risk Management System: Providers must establish, implement, document, and maintain a risk management system throughout the entire lifecycle of a high-risk AI system. This includes identifying and analysing foreseeable risks, evaluating their likelihood and severity, and adopting appropriate mitigation measures. This is a continuous process, not a one-time assessment. (euairisk.com)
• Data Governance: Stringent requirements apply to the quality and relevance of training, validation, and testing datasets. These datasets must be subject to appropriate data governance and management practices, ensuring they are representative, relevant, sufficiently large, and free from errors or biases that could lead to discriminatory outcomes. Particular attention is paid to data collection, processing, and management practices to ensure compliance with GDPR and other data protection laws.
• Technical Documentation: Providers must draw up and keep up-to-date comprehensive technical documentation. This documentation must cover the system’s general description, design specifications, underlying algorithms, development processes, training methodologies, detailed testing procedures, performance metrics, and instructions for deployers regarding appropriate human oversight. This ensures traceability and accountability.
• Record-keeping and Logging: High-risk AI systems must be designed and developed with capabilities to automatically log events throughout their operation. These logs should enable the monitoring of the system’s functioning, the tracking of decisions made, and the investigation of potential harms or compliance breaches.
• Transparency and Information to Users: Deployers of high-risk AI systems must provide clear, concise, and understandable information to natural persons affected by the system. This includes details about the system’s capabilities and limitations, its intended purpose, the characteristics of its outputs, and how human oversight is exercised.
• Human Oversight: High-risk AI systems must be designed to allow for effective human oversight. This involves implementing appropriate technical and organisational measures to ensure that humans can effectively monitor, interpret, and intervene in the AI system’s operation, particularly in critical situations. Human oversight should ensure that the system does not override human decision-making or autonomy.
• Accuracy, Robustness, and Cybersecurity: High-risk AI systems must achieve an appropriate level of accuracy, robustness, and cybersecurity. Robustness ensures that the system performs consistently under varying conditions and resists errors, while cybersecurity measures protect against external threats such as adversarial attacks or data breaches.
• Conformity Assessment: Before a high-risk AI system is placed on the market or put into service, it must undergo a conformity assessment procedure to demonstrate compliance with all the Act’s requirements. For certain systems, this may involve third-party assessment by a notified body. Upon successful assessment, systems will receive a CE marking.
• Post-market Monitoring: Providers must establish a post-market monitoring system to continuously collect and analyse data on the performance and compliance of their high-risk AI systems throughout their lifecycle, allowing for prompt corrective actions if necessary.

2.2.3 Limited Risk AI Systems

These systems are subject to specific transparency obligations, primarily to inform users that they are interacting with an AI. This category includes:

• AI systems intended to interact with natural persons: Users must be informed that they are interacting with an AI system, unless this is obvious from the context.
• Emotion recognition systems and biometric categorisation systems: Users must be informed about the use of such systems.
• Deepfakes and other AI-generated content (e.g., audio, video, image): Users must be informed that the content has been artificially generated or manipulated.

2.2.4 Minimal or No Risk AI Systems

The vast majority of AI systems fall into this category, such as AI-powered video games, spam filters, or recommender systems that do not have significant impacts on users’ rights. The Act imposes minimal obligations on these systems, primarily encouraging providers to adhere to voluntary codes of conduct, promoting ethical development and use without stifling innovation.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

2.3 Ethical Considerations and the ‘Right to Explanation’

The EU AI Act is deeply rooted in a set of ethical principles designed to ensure AI serves humanity’s best interests. Beyond the risk categorisation, the Act formalises these principles into actionable requirements. These include:

• Human agency and oversight: AI systems should support human decision-making, not replace it, ensuring humans remain in control.
• Technical robustness and safety: AI systems must be resilient, reliable, and secure.
• Privacy and data governance: Strict adherence to data protection principles and quality.
• Transparency: Clarity regarding AI system capabilities, limitations, and decision-making processes.
• Diversity, non-discrimination, and fairness: AI systems should be inclusive and avoid perpetuating biases.
• Societal and environmental well-being: AI should contribute positively to society and minimize environmental impact.
• Accountability: Clear lines of responsibility for AI system outcomes.

A critical aspect of the AI Act, which significantly reinforces and expands upon existing data protection rights, is the ‘right to explanation.’ While Article 22 of the GDPR grants individuals the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her, the AI Act strengthens this by mandating comprehensive transparency for high-risk AI systems. It explicitly grants individuals the right to obtain clear, meaningful, and intelligible explanations of decisions made by high-risk AI systems that significantly affect them. This provision seeks to achieve several objectives:

• Enhance Transparency: Individuals should understand how an AI system arrived at a particular decision, especially when that decision impacts their fundamental rights or opportunities (e.g., loan applications, employment decisions, access to public services).
• Promote Accountability: By requiring explanations, the Act pushes developers and deployers to design AI systems that are inherently more auditable and interpretable. It forces them to consider the decision-making logic of their AI systems from the outset.
• Enable Contestability and Redress: An explanation provides the necessary information for an individual to challenge an AI-driven decision they believe to be unfair, inaccurate, or discriminatory. Without an explanation, seeking redress would be a formidable, if not impossible, task. (artificialintelligenceact.eu)

Practically, achieving this ‘right to explanation’ requires significant advancements in the field of Explainable AI (XAI). Techniques such as Local Interpretable Model-agnostic Explanations (LIME) or SHapley Additive exPlanations (SHAP) are being developed to provide post-hoc explanations for ‘black box’ AI models. However, the Act encourages a shift towards inherently interpretable models where possible, or robust documentation of decision logic. The challenge lies in providing explanations that are both technically accurate and understandable to a layperson, avoiding overly technical jargon. Furthermore, the Act specifies that explanations should cover factors such as the input data used, the main factors that contributed to the decision, and the system’s overall reliability.

To ensure effective implementation and oversight, the AI Act establishes a robust governance structure, including a European Artificial Intelligence Board (EAIB), composed of representatives from national supervisory authorities and the European Commission. The EAIB will facilitate consistent application of the Act, advise on emerging issues, and develop guidelines, fostering a unified European approach to AI governance.

3. Italy’s AI Law: National Initiatives in AI Regulation

Many thanks to our sponsor Esdebe who helped us prepare this research report.

3.1 Introduction to Italy’s AI Law

In September 2025, Italy distinguished itself by becoming the first European Union member state to adopt a comprehensive national AI law, known as Law No. 132/2025. While the EU AI Act provides a foundational and overarching framework, national laws like Italy’s are crucial for several reasons. Firstly, they allow member states to refine and adapt the broader EU provisions to their specific national legal traditions, administrative structures, and cultural contexts. Secondly, a national law can pre-emptively establish national governance structures and prepare domestic industries for the full implementation of the EU AI Act, which has a phased entry into force. Thirdly, it provides an opportunity for national governments to articulate specific strategic priorities and allocate resources for AI development and ethical deployment within their borders.

Italy’s motivation stemmed from a recognition of the transformative potential of AI for its economy and public services, coupled with a deep awareness of the inherent risks. The legislative process involved extensive consultations with academic experts, industry representatives, civil society organizations, and the Italian Data Protection Authority (Garante per la protezione dei dati personali). The resulting legislation, therefore, aims to create a cohesive national strategy for AI that not only aligns with the principles and requirements of the EU AI Act but also addresses specific Italian public interest considerations, such as the use of AI in cultural heritage, public administration, and critical national infrastructure.

This national law serves as a vital bridge, translating the general principles of the EU AI Act into concrete national obligations and mechanisms, demonstrating Italy’s commitment to being at the forefront of responsible AI innovation. It sets the stage for a coordinated national response to the challenges and opportunities presented by AI, ensuring that Italian businesses and public bodies are well-prepared for the future of AI governance.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

3.2 Key Provisions and Compliance Challenges

Italy’s AI Law (Law No. 132/2025) largely mirrors the EU AI Act’s risk-based approach, emphasizing core principles such as transparency, accountability, and human oversight. However, it introduces several national specificities and elaborations that require careful attention from organizations operating within Italy:

• National AI Strategy: The law mandates the development of a comprehensive national AI strategy, outlining Italy’s vision for AI research, development, deployment, and ethical governance. This strategy includes provisions for funding innovation, promoting AI education, and developing national technical standards.
• Public Sector AI Use: It places particular emphasis on the use of AI systems by public administrations. This includes requirements for rigorous impact assessments before deploying AI in public services, ensuring non-discrimination, fairness, and transparency in public sector applications. For instance, AI systems used in processing citizenship applications or allocating social benefits are subjected to heightened scrutiny.
• Ethical Guidelines and Sandboxes: The law encourages the development of sector-specific ethical guidelines for AI use in areas like healthcare, justice, and culture. It also promotes regulatory sandboxes, allowing companies to test innovative AI solutions in a controlled environment, under the supervision of regulators, to foster innovation while ensuring compliance with ethical and legal standards.
• Role of the Garante per la protezione dei dati personali: The Italian data protection authority (Garante) is vested with significant powers in overseeing AI systems that process personal data, reinforcing its role beyond GDPR compliance to encompass AI-specific risks. The Garante is empowered to issue guidelines, conduct audits, and impose penalties for non-compliance, particularly in areas intersecting with data privacy.
• Specific Provisions for Critical Infrastructure: Given Italy’s extensive critical infrastructure, the law includes detailed requirements for the security and resilience of AI systems deployed in energy, transport, and telecommunications sectors, ensuring continuity of essential services and protection against cyber threats.

Organizations must navigate several compliance challenges to meet the requirements of Italy’s AI Law:

• Data Collection and Processing: The law reiterates the importance of GDPR-compliant data collection and processing for AI training and operation. Organizations must demonstrate robust data governance frameworks, including data minimization, anonymization, and robust consent mechanisms, especially when dealing with sensitive data for AI model development.
• Documentation and Traceability: Aligning with the EU AI Act, Italy’s law mandates detailed documentation of AI system development, deployment, and performance. This includes comprehensive records of design choices, data sources, testing methodologies, and human oversight protocols. Maintaining a clear audit trail for AI decisions is critical for demonstrating compliance.
• Risk Assessment tailored to National Context: While the EU AI Act sets the general framework for risk assessment, Italian organizations must interpret and apply these principles in light of specific national contexts and regulations. This involves conducting thorough impact assessments that consider the particular socio-economic and cultural factors within Italy.
• Talent and Expertise: A significant challenge lies in acquiring and retaining the necessary technical and legal expertise to interpret and implement these complex regulations. Organizations often struggle to find professionals with a dual understanding of advanced AI technologies and evolving legal requirements.
• SME Compliance Burden: Small and Medium-sized Enterprises (SMEs), which form the backbone of the Italian economy, may face disproportionate compliance costs and complexities due to limited resources and expertise. The law attempts to address this through support initiatives and simpler compliance pathways where appropriate, but it remains a considerable challenge.

Italy’s AI Law therefore represents a crucial step in operationalizing EU-level AI governance at the national level, offering both opportunities for responsible innovation and significant compliance obligations for all stakeholders operating within its jurisdiction. (jdsupra.com)

4. Interplay Between AI Regulations and Existing Privacy Frameworks

Many thanks to our sponsor Esdebe who helped us prepare this research report.

4.1 GDPR and AI: Data Protection Implications

The General Data Protection Regulation (GDPR), effective since May 25, 2018, established a globally influential benchmark for data protection and privacy within the European Union. Its principles of transparency, accountability, data minimization, and purpose limitation are not merely complementary to ethical AI deployment; they are foundational. The GDPR’s provisions profoundly intersect with AI applications, necessitating careful consideration to ensure compliance, particularly concerning the processing of personal data.

Here’s a detailed analysis of specific GDPR articles and their implications for AI:

• Article 5: Principles relating to processing of personal data: This article sets out the core principles that all data processing, including that for AI, must adhere to:

  • Lawfulness, Fairness, and Transparency: AI systems must process personal data lawfully (with a valid legal basis such as consent, contract, legitimate interest), fairly (without adverse or discriminatory effects), and transparently (data subjects must be informed about the AI’s data processing activities).
  • Purpose Limitation: Data collected for one specific, explicit, and legitimate purpose cannot be used for a different, incompatible purpose by an AI system without a new legal basis or demonstrable compatibility. This is particularly challenging for AI, where data collected for one model might be useful for another, seemingly unrelated one.
  • Data Minimisation: AI systems should only process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This challenges the ‘more data is always better’ paradigm often associated with machine learning.
  • Accuracy: Personal data processed by AI must be accurate and, where necessary, kept up to date. Inaccurate data fed into AI models can lead to biased or incorrect outputs, with significant consequences.
  • Storage Limitation: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This impacts the retention of training datasets, especially for models requiring continuous learning.
  • Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. This applies to the entire lifecycle of an AI system, from data ingestion to model deployment and monitoring.

• Article 25: Data Protection by Design and by Default: This is crucial for AI development. It mandates that data protection safeguards must be integrated into the design of AI systems from the earliest stages (by design) and that, by default, AI systems should only process personal data necessary for each specific purpose. This encourages a privacy-first approach to AI architecture.

• Article 35: Data Protection Impact Assessments (DPIAs): The GDPR requires DPIAs for processing activities ‘likely to result in a high risk to the rights and freedoms of natural persons.’ Many AI systems, especially high-risk ones under the AI Act, will necessitate a DPIA due to their scale, use of sensitive data, or potential for automated decision-making. A DPIA for AI should assess risks related to bias, discrimination, lack of transparency, and security vulnerabilities.

• Article 22: Automated individual decision-making, including profiling: This article is perhaps the most direct link between GDPR and AI. It states that data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. There are exceptions, such as explicit consent, contractual necessity, or legal authorisation, but even then, safeguards must be in place, including the right to obtain human intervention, to express one’s point of view, and to contest the decision. The AI Act’s ‘right to explanation’ significantly reinforces these GDPR provisions, providing a more robust framework for understanding and challenging AI-driven decisions. (euairisk.com)

Examples of GDPR enforcement impacting AI include investigations into facial recognition systems used in public spaces, the use of AI for personalized advertising without adequate consent, and algorithmic recruitment tools that exhibited discriminatory biases. The GDPR ensures that even as AI technologies advance, the fundamental rights of individuals concerning their personal data remain paramount.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

4.2 HIPAA and AI: Healthcare Sector Considerations

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and its subsequent amendments and rules (e.g., the HITECH Act, Omnibus Rule), provides a stringent framework for the protection of Protected Health Information (PHI). PHI includes individually identifiable health information transmitted or maintained in any form or medium. The integration of AI in healthcare, from diagnostic tools and personalized treatment plans to administrative efficiency systems, raises profound questions about data privacy, security, and consent. Compliance with HIPAA is not merely essential but legally mandated when deploying AI systems that process or access health-related data.

HIPAA’s core components are central to AI in healthcare:

• The Privacy Rule: Sets national standards for the protection of PHI, outlining how PHI can be used and disclosed. This impacts how health data can be aggregated for AI training, requiring strict controls and often patient authorization for uses beyond treatment, payment, or healthcare operations.
• The Security Rule: Establishes national standards for protecting electronic PHI (ePHI). It mandates administrative, physical, and technical safeguards. For AI systems, this means ensuring secure infrastructure, encrypted data transmission, access controls for AI models and associated datasets, and robust audit trails.
• The Breach Notification Rule: Requires covered entities and their business associates to provide notification following a breach of unsecured PHI. If an AI system processes PHI and experiences a security incident leading to a breach, stringent reporting obligations apply.

Specific challenges and considerations for AI systems under HIPAA include:

• De-identification: To use health data for AI training and research without direct patient authorization, the data must be de-identified according to HIPAA’s standards (either the ‘Safe Harbor’ method by removing 18 identifiers, or the ‘Expert Determination’ method). However, advancements in AI and re-identification techniques pose ongoing challenges to the efficacy of de-identification, requiring constant vigilance.
• Business Associate Agreements (BAAs): If an AI vendor or service provider creates, receives, maintains, or transmits PHI on behalf of a HIPAA covered entity (e.g., hospitals, clinics), that vendor becomes a Business Associate (BA) and must enter into a BAA. The BAA legally binds the BA to HIPAA’s rules, ensuring data protection throughout the AI supply chain.
• Data Aggregation and Secondary Use: AI models thrive on large datasets. Aggregating clinical data from various sources for model training, while maintaining patient privacy and obtaining appropriate consents or de-identifying data, is a significant hurdle.
• Consent: While HIPAA permits certain uses of PHI for treatment, payment, and healthcare operations without explicit patient consent, novel AI applications often require specific patient authorization, particularly for research or marketing purposes.
• Security of AI Infrastructure: Beyond data at rest and in transit, the AI models themselves and the infrastructure running them must be secured. This includes protecting against model poisoning, adversarial attacks, and unauthorized access to AI outputs or the intellectual property embedded in the models.
• Accountability in Clinical Decision Support: When an AI system provides clinical decision support, clear lines of accountability must be established. Who is responsible if an AI makes an error in diagnosis or treatment recommendation that leads to patient harm? Typically, the human clinician remains ultimately responsible, but the liability of the AI developer or deployer is a developing area of law.

Beyond HIPAA, other US frameworks such as the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) offer voluntary guidance for managing risks associated with AI. State-level privacy laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) also influence how AI systems process personal data, including some health-related data that may not fall under HIPAA’s strict definition of PHI. The interplay of these frameworks creates a complex compliance landscape for AI in US healthcare.

5. Compliance Challenges in AI Deployment

The effective deployment of AI systems, particularly high-risk ones, is fraught with complex compliance challenges that demand meticulous planning, robust technical infrastructure, and a sophisticated understanding of evolving regulatory landscapes. These challenges extend beyond mere legal adherence, touching upon foundational aspects of AI development and operational ethics.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

5.1 Documentation and Transparency

Comprehensive documentation is not merely a bureaucratic requirement but a cornerstone for demonstrating compliance with AI regulations and fostering trust. Organizations must maintain detailed records of every stage of an AI system’s lifecycle:

• System Architecture: Clear diagrams and descriptions of the AI system’s components, interfaces, and overall design.
• Development Processes: Documentation of methodologies used, software libraries, version control, and model evolution.
• Data Processing Activities: Detailed records of data sources, data collection methods, pre-processing steps, data cleaning, labelling, and augmentation. This includes justifying data relevance, representativeness, and freedom from bias.
• Training Data and Hyperparameters: Exhaustive descriptions of datasets used for training, validation, and testing, including their provenance, characteristics, and any inherent limitations or biases. Documentation of hyperparameters, model weights, and optimization algorithms is also crucial.
• Testing Procedures and Performance Metrics: Records of all testing protocols, performance metrics (e.g., accuracy, precision, recall, fairness metrics), and the results obtained across various use cases and demographic groups.
• Risk Assessments: Documentation of all identified risks, their assessment (likelihood and severity), and the mitigation strategies implemented.
• Human Oversight Protocols: Clear guidelines for human intervention, review, and override capabilities.
• Post-Market Monitoring: Records of continuous monitoring activities, incident reporting, and corrective actions taken.

The challenge of ‘black box’ AI models, where the internal workings are opaque even to developers, directly confronts transparency requirements. While some complex models (e.g., deep neural networks) inherently lack straightforward interpretability, regulations demand some level of explanation, even if it’s a post-hoc approximation. Organizations must invest in Explainable AI (XAI) tools and techniques (e.g., LIME, SHAP) to provide insights into model decisions. Furthermore, documentation needs to be kept up-to-date throughout the AI system’s operational life, which is a continuous and resource-intensive task, particularly for models that undergo frequent retraining or updates. The goal is to move beyond simply documenting what an AI does to explaining how and why it does it, in a way that is understandable to both technical experts and affected individuals.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

5.2 Data Quality and Integrity

Ensuring high standards of data quality and integrity is paramount for the reliability, fairness, and safety of AI systems. Poor data quality is a leading cause of AI failure and ethical breaches. Organizations must implement robust data governance practices to mitigate risks associated with biased, inaccurate, incomplete, or irrelevant data.

• Algorithmic Bias: AI systems learn from the data they are fed. If this data reflects existing societal biases (historical bias) or is collected in a way that skews representation (measurement bias, representation bias), the AI will inevitably perpetuate and amplify these biases, leading to discriminatory outcomes. Examples include facial recognition systems performing poorly on non-white individuals, AI recruitment tools favouring male candidates, or medical diagnostic AI exhibiting different accuracy rates across ethnic groups. Addressing bias requires a multi-pronged approach:
  • Diverse Data Collection: Actively seeking out and incorporating representative datasets across various demographic groups.
  • Bias Detection Tools: Employing algorithms and statistical methods to identify and quantify bias in datasets and model outputs.
  • Debiasing Algorithms: Applying techniques (e.g., pre-processing, in-processing, post-processing) to mitigate detected biases.
  • Continuous Monitoring: Regularly auditing AI system performance for disparate impact on different groups.
  • Human Review: Integrating human experts to validate AI decisions and identify subtle biases.
• Data Lineage and Provenance: Organizations must track the origin and transformations of data from its source to its use in AI models. This ‘data lineage’ is vital for understanding data quality, assessing potential biases, and ensuring compliance with data protection regulations.
• Data Validation and Verification: Implementing rigorous processes to validate data accuracy, consistency, and completeness before it is used for AI training. This often involves automated checks coupled with human review.
• Synthetic Data and Privacy-Preserving AI: To address privacy concerns and expand dataset diversity, organizations are increasingly exploring synthetic data generation (creating artificial data that mimics real data characteristics but contains no actual personal information) and privacy-preserving AI techniques (e.g., federated learning, differential privacy) which allow models to be trained on decentralized data without sharing raw information.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

5.3 Human Oversight and Accountability

Establishing effective mechanisms for human oversight is essential to prevent unintended consequences, mitigate risks, and ensure that AI systems remain aligned with human values and intentions. This goes beyond simply having a human ‘in the loop’ and requires defining clear roles and responsibilities:

• Human-in-the-Loop (HITL) vs. Human-on-the-Loop (HOTL):
  • HITL: Humans are directly involved in every decision or critical step of the AI process (e.g., reviewing all flagged cases, validating all AI recommendations). This provides maximum control but can be resource-intensive.
  • HOTL: Humans monitor the AI system’s overall performance and intervene only when the system deviates from expected behaviour, encounters novel situations, or exceeds predefined confidence thresholds. This allows for greater automation but requires robust monitoring and alert systems.
• Defining the Role of Human Oversight: Human oversight must include:
  • Validation of Critical Decisions: Humans must review and validate AI decisions that have significant impact on individuals (e.g., medical diagnoses, loan approvals, hiring recommendations).
  • Intervention and Override Capabilities: Humans must have the technical and procedural means to intervene, override, or disable an AI system that is malfunctioning, behaving unethically, or producing harmful outputs.
  • Understanding Model Limitations: Human operators must be trained to understand the specific capabilities and limitations of the AI system, including scenarios where it is likely to fail or produce unreliable results.
  • Contextual Judgment: Humans provide the common sense, ethical reasoning, and contextual understanding that AI systems currently lack, especially in complex or ambiguous situations.
• Clear Accountability Structures: Defining clear lines of accountability is one of the most significant challenges in AI governance. When an AI system causes harm (e.g., incorrect medical diagnosis, discriminatory hiring), who is legally responsible?
  • AI Provider: The entity that develops and places the AI system on the market is responsible for ensuring the system’s compliance with regulatory requirements (e.g., proper risk management, data governance, conformity assessment).
  • AI Deployer: The entity that uses the AI system in its operations is responsible for its correct installation, configuration, monitoring, and appropriate human oversight, as well as ensuring compliance with privacy laws regarding its use of personal data.
  • Liability Allocation: In complex AI supply chains, where multiple parties contribute to an AI system, assigning liability can be exceedingly difficult. The AI Act aims to clarify some of these responsibilities, but legal frameworks for civil liability for AI-induced harm are still evolving.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

5.4 Technical Robustness and Security

The technical resilience and security of AI systems are crucial for their trustworthiness and compliance.

• Adversarial Robustness: AI models, particularly deep learning models, can be susceptible to ‘adversarial attacks’ where small, imperceptible perturbations to input data cause the model to make incorrect predictions. Ensuring adversarial robustness means designing AI systems that are resistant to such deliberate manipulation, which could have catastrophic consequences in sensitive applications.
• Model Drift and Decay: AI models trained on historical data can degrade in performance over time as real-world data distributions change (‘model drift’). This necessitates continuous monitoring of model performance and regular retraining or recalibration to maintain accuracy and fairness. Failure to address drift can lead to outdated, inaccurate, or biased outcomes.
• Cybersecurity of AI Systems: Protecting AI systems from cyber threats is multifaceted. This includes securing the training data, the AI model itself (e.g., against model extraction or inversion attacks), the inference infrastructure, and the communication channels. AI systems can also be weaponized, requiring robust cybersecurity defences against AI-powered attacks.
• Data Poisoning: Malicious actors could inject corrupted or biased data into an AI system’s training dataset, leading the model to learn undesirable behaviours or make incorrect predictions. Strong data governance and secure data pipelines are essential to prevent this.

These challenges underscore that AI compliance is not a static checkbox exercise but an ongoing, dynamic process requiring continuous investment in technology, expertise, and robust governance frameworks.

6. Ethical Considerations in AI Regulation

AI regulation is fundamentally driven by a set of core ethical considerations designed to ensure that technological advancement aligns with human values and societal well-being. These considerations form the normative bedrock upon which robust regulatory frameworks are built.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

6.1 Bias and Discrimination

One of the most pressing ethical challenges in AI is the potential for bias and subsequent discrimination. AI systems learn from data, and if that data reflects existing societal inequalities, historical prejudices, or flawed collection methods, the AI will not only perpetuate these biases but can also amplify them at scale. This can lead to systematically unfair or harmful outcomes for certain groups of people.

• Types of Bias: Bias can manifest in various forms: historical bias (reflecting past societal injustices in training data), representation bias (when training data does not accurately reflect the diversity of the population the AI will interact with), measurement bias (when features are measured inconsistently across groups), aggregation bias (when a model performs well on average but poorly for specific subgroups), and evaluation bias (when evaluation metrics or benchmarks are not suitable for all groups).
• Societal Impact: The impact of discriminatory AI extends beyond mere inaccuracy. It can lead to unequal access to opportunities (e.g., biased hiring algorithms), disproportionate surveillance or punishment (e.g., flawed predictive policing), denial of essential services (e.g., discriminatory loan applications), or exacerbation of health disparities (e.g., AI diagnostic tools performing worse for certain demographics). Such outcomes undermine social justice and trust in institutions.
• Legal Implications: Discriminatory AI systems can lead to violations of existing anti-discrimination laws (e.g., equal opportunity legislation). Regulatory frameworks like the EU AI Act directly address this by mandating fairness assessments, bias mitigation strategies, and requiring providers to ensure that high-risk AI systems do not produce discriminatory outputs. The challenge lies in defining and measuring ‘fairness’ in an objective and universally accepted manner, as different mathematical definitions of fairness can be contradictory.
• Intersectionality: Biases often intersect, disproportionately affecting individuals who belong to multiple marginalized groups (e.g., a Black woman, an elderly person with a disability). AI systems must be rigorously tested across intersecting demographic categories to ensure equitable performance.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

6.2 Transparency and Explainability

Transparency and explainability are fundamental to building trust in AI systems and ensuring accountability. Without understanding how an AI system arrives at a decision, it becomes difficult to identify errors, challenge unfair outcomes, or assess its reliability. However, these concepts are distinct and pose different challenges.

• Transparency of Process: This refers to the openness and clarity about how an AI system was designed, developed, and deployed. It involves documenting data sources, model architectures, training methodologies, and governance structures. This type of transparency enables external auditing and verification of compliance.
• Explainability of Outputs: This refers to the ability to provide intelligible reasons for a specific decision or output generated by an AI system. The ‘right to explanation,’ as enshrined in GDPR and reinforced by the AI Act, seeks to provide individuals with meaningful insights into AI decision-making processes. This is particularly challenging for complex ‘black box’ models where the decision logic is not human-interpretable.
• The ‘Explainability Paradox’: There is often a trade-off between model performance (accuracy) and interpretability. Highly complex models that achieve superior performance can be less transparent. Regulations must balance the need for high-performing AI with the imperative for understanding and trust.
• Communicating Explanations: Explanations need to be tailored to the audience. A technical explanation suitable for an AI engineer will be incomprehensible to a layperson affected by an AI decision. The challenge is to provide clear, concise, and relevant explanations that empower individuals to understand and, if necessary, contest AI outcomes.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

6.3 Human Rights and Fundamental Freedoms

AI regulations must proactively safeguard human rights and fundamental freedoms, ensuring that AI technologies do not infringe upon core individual liberties. The potential for AI to both enhance and undermine these rights necessitates a human-centric approach to governance.

• Right to Privacy: AI systems are inherently data-intensive. Their ability to collect, process, and infer sensitive information from vast datasets poses significant risks to privacy, including mass surveillance, profiling, and the erosion of anonymity. Regulations must mandate strong data protection measures, purpose limitation, and robust consent mechanisms.
• Non-discrimination: As discussed with bias, AI’s potential for discrimination can violate the fundamental right to equal treatment and non-discrimination.
• Freedom of Expression: AI systems used in content moderation can inadvertently or deliberately suppress legitimate speech. Conversely, generative AI could be used to create harmful deepfakes or misinformation, impacting the integrity of public discourse. Regulations must strike a delicate balance between mitigating harm and protecting free expression.
• Dignity and Autonomy: AI systems that employ subliminal manipulation, exploit vulnerabilities, or make critical decisions without human oversight can undermine human dignity and autonomy. The prohibition of unacceptable risk AI systems in the EU AI Act directly addresses these concerns.
• Fair Trial and Due Process: The use of AI in judicial systems, law enforcement, and predictive policing raises serious concerns about fair trial rights, the presumption of innocence, and due process. AI should augment, not replace, human judgment in these sensitive domains, with robust safeguards against algorithmic bias and error.
• Social Justice: AI can either exacerbate or alleviate existing social inequalities. Regulations must guide AI towards contributing to social justice by ensuring equitable access to technology’s benefits and preventing its use in ways that create new forms of marginalization.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

6.4 Accountability and Redress

Establishing clear accountability mechanisms and providing effective avenues for redress are critical for building public trust and ensuring justice when AI systems cause harm.

• Who is Liable for AI Harm? This is a complex legal question. Traditional liability frameworks often struggle to assign responsibility when AI systems, with their autonomous capabilities and complex supply chains, cause physical, psychological, or economic harm. Is it the developer, the deployer, the data provider, or the user? Regulations are starting to define roles and responsibilities, but comprehensive liability regimes for AI are still emerging.
• Mechanisms for Redress: Individuals affected by harmful or unfair AI decisions must have clear and accessible pathways to challenge those decisions, seek explanations, and obtain redress (e.g., compensation, correction of data, reversal of decisions). This requires accessible complaint mechanisms, independent oversight bodies, and potentially new legal remedies.
• Role of Independent Oversight Bodies: Independent regulatory bodies (e.g., national data protection authorities, AI supervisory bodies) play a crucial role in enforcing regulations, investigating complaints, providing guidance, and monitoring compliance. Their independence, resources, and technical expertise are vital for effective AI governance.
• Auditing and Certification: Mandating regular audits of high-risk AI systems by independent third parties and establishing certification schemes can help ensure ongoing compliance and provide a degree of assurance to deployers and the public.

By addressing these ethical considerations, AI regulations aim to ensure that AI development and deployment are not just legally compliant but also morally justifiable, fostering a future where AI serves as a force for good.

7. Future Trajectory of International AI Governance Standards

The landscape of AI governance is dynamic and rapidly evolving, marked by a growing recognition of the need for international cooperation and harmonisation. While regional and national initiatives like the EU AI Act and Italy’s AI Law provide crucial frameworks, the borderless nature of AI technology necessitates broader, multilateral engagement to establish coherent global standards.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

7.1 Global Harmonization Efforts

Several significant international initiatives are underway, aiming to foster common principles and standards for AI governance, though often from different perspectives and with varying legal weight:

• Council of Europe’s Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law: Adopted in September 2024, this landmark treaty is the first legally binding international instrument on AI. It explicitly aims to ensure that AI systems respect human rights, democracy, and the rule of law. The convention covers the entire AI lifecycle, from design to deployment, across both public and private sectors. Key principles include transparency, accountability, non-discrimination, privacy, and effective oversight. Its binding nature distinguishes it from many other soft law initiatives, signalling a collective commitment among its signatories to ethical AI development grounded in fundamental values. (en.wikipedia.org)
• OECD AI Principles: Adopted in 2019, the Organisation for Economic Co-operation and Development (OECD) AI Principles were among the first intergovernmental agreements on AI ethics. These five value-based principles (inclusive growth, sustainable development and well-being; human-centred values and fairness; transparency and explainability; robustness, security and safety; accountability) and five recommendations for policy implementation have been highly influential, serving as a foundational reference for numerous national AI strategies and policies worldwide, including the EU’s approach.
• UNESCO Recommendation on the Ethics of AI: Adopted in 2021, this is the first global standard-setting instrument on the ethics of AI. It provides a comprehensive framework of values and principles, aiming to guide countries in developing their own national legal and policy frameworks for AI. It emphasizes human rights, gender equality, environmental sustainability, and cultural diversity, offering a broad ethical compass for AI governance.
• G7 Hiroshima AI Process: Following the G7 Summit in Hiroshima in May 2023, leaders launched this process to promote trustworthy AI development and responsible use. It focuses on developing a common international code of conduct for AI developers and exploring interoperable governance mechanisms, aiming for practical, risk-based policy recommendations.
• United Nations Discussions: The UN system has been actively engaged in broader discussions on the ethical implications of AI, particularly concerning peace, security, and sustainable development goals. Various UN bodies are exploring the impact of AI on human rights, disinformation, and autonomous weapons systems, aiming to foster global dialogue and consensus.
• US Approaches: While the US traditionally favors a more sectoral and voluntary approach to regulation, significant federal initiatives are underway. The NIST AI Risk Management Framework (RMF), released in January 2023, provides a voluntary framework for organizations to manage AI risks. Executive Orders on AI have sought to establish federal standards for safe, secure, and trustworthy AI. Additionally, state-level privacy laws like CCPA/CPRA, though not AI-specific, influence data use for AI.
• China’s Regulations: China has rapidly enacted a series of AI-related regulations, notably on algorithmic recommendation services, deep synthesis technologies, and generative AI. These regulations emphasize ‘socialist core values,’ content moderation, and algorithmic transparency, reflecting a distinct state-centric approach to AI governance compared to the EU’s human rights-centric model.

The concept of the ‘Brussels Effect,’ where the EU’s stringent regulatory standards (like GDPR) become de facto global standards due to the size of its market, is highly relevant to the AI Act. Non-EU companies wanting to operate in the EU market will likely adopt EU-compliant AI systems globally, thereby influencing international norms.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

7.2 Challenges and Opportunities

Achieving true global harmonization in AI governance presents a formidable array of challenges, yet also offers unparalleled opportunities for a safer, more equitable AI future.

7.2.1 Challenges

• Regulatory Fragmentation: The proliferation of diverse national and regional AI regulations creates a complex and often contradictory compliance landscape for multinational corporations and AI developers. This fragmentation can hinder innovation and increase compliance costs.
• Pace of Innovation vs. Legislation: AI technology evolves at an exponential rate, often outpacing the capacity of legislative bodies to draft and enact timely and relevant regulations. This gap risks either stifling innovation with outdated rules or failing to address emerging harms.
• Defining AI: The very definition of ‘AI system’ is contested and evolving. As AI capabilities expand, determining the scope of regulation becomes challenging, risking either over-regulation of simple systems or under-regulation of complex ones.
• Enforcement Capabilities: Effective enforcement of AI regulations requires significant technical expertise, financial resources, and cross-border cooperation among regulatory bodies, which many jurisdictions currently lack.
• Geopolitical Divides: Fundamental differences in political systems, cultural values, economic interests, and national security priorities create deep divisions in approaches to AI governance (e.g., democratic vs. authoritarian, privacy-first vs. surveillance-oriented). These divides complicate efforts to forge global consensus.
• SME Burden: The complexity and cost of complying with comprehensive AI regulations can disproportionately burden Small and Medium-sized Enterprises (SMEs), potentially stifling innovation from smaller players.
• Data Sovereignty: Concerns about data residency and sovereignty continue to complicate international data flows, which are essential for training and deploying global AI models.

7.2.2 Opportunities

• Standardization and Interoperability: Global harmonization efforts create opportunities for developing common technical standards, ethical guidelines, and conformity assessment procedures, reducing compliance complexity and fostering interoperability between AI systems across borders.
• International Cooperation and Best Practice Sharing: Collaborative initiatives allow nations to share insights, best practices, and lessons learned in AI regulation, accelerating the development of effective governance models globally.
• Ethical Leadership: Jurisdictions that adopt robust, human-centric AI regulations can exert ‘soft power,’ shaping global norms and encouraging other nations to follow suit, leading to a more ethically aligned global AI ecosystem.
• Innovation Ecosystems: Regulatory sandboxes and testbeds can provide controlled environments for developing and testing innovative AI solutions under regulatory guidance, fostering innovation while ensuring safety and compliance.
• Building Public Trust: Consistent and clear global standards for ethical and responsible AI can significantly enhance public trust in AI technologies, leading to broader adoption and greater societal benefits.
• Human-Centric AI: Global efforts can reinforce the imperative to develop AI that prioritizes human rights, fundamental freedoms, and societal well-being, steering AI’s trajectory towards augmenting human capabilities and addressing global challenges.

The future trajectory of international AI governance is likely to be characterized by a multi-stakeholder approach, involving governments, industry, academia, and civil society. While full legal harmonization may remain elusive due to geopolitical realities, convergence around common principles and the development of interoperable frameworks offer the most promising path forward to ensure AI serves humanity responsibly.

8. Conclusion

The advent of Artificial Intelligence marks a profound technological epoch, replete with unparalleled opportunities for societal advancement, yet simultaneously presenting complex ethical, legal, and societal quandaries. The evolving landscape of AI regulation unequivocally reflects a global recognition of the imperative for ethical, responsible, and human-centric AI deployment. From the European Union’s pioneering, risk-based AI Act, which meticulously categorizes systems and imposes proportionate obligations, to Italy’s proactive national law that contextualizes these principles, and the foundational role of existing privacy frameworks like GDPR and HIPAA, a robust, albeit intricate, regulatory ecosystem is rapidly taking shape.

Significant progress has been made in establishing frameworks that address core concerns such as algorithmic bias, ensuring transparency through concepts like the ‘right to explanation,’ mandating rigorous data governance, and defining mechanisms for human oversight and accountability. International instruments, such as the Council of Europe’s Framework Convention on Artificial Intelligence, underscore a collective, legally binding commitment to embedding human rights, democracy, and the rule of law at the heart of AI governance, signaling a global shift towards responsible AI development.

However, the journey towards fully mature and harmonized AI governance is far from complete. Emerging challenges persist, including the unrelenting pace of technological innovation, which constantly strains regulatory adaptability; the complexities of ensuring truly robust data quality and mitigating subtle biases; the formidable task of assigning clear liability in intricate AI supply chains; and the ongoing need to reconcile diverse national interests and geopolitical perspectives. The technical intricacies of AI, such as the ‘black box’ problem and the need for explainability, continue to demand innovative solutions from both technologists and legal scholars.

Looking ahead, ongoing, concerted efforts are indispensable. These must encompass continued international cooperation to foster interoperable standards, investment in regulatory capacity and technical expertise, and a continuous dialogue among policymakers, industry, academia, and civil society. The ultimate goal remains to navigate the transformative potential of AI in a manner that maximizes its benefits for humanity while rigorously safeguarding fundamental rights, promoting equitable outcomes, and upholding democratic values. By striking this delicate balance, society can harness the power of AI to drive progress and foster innovation that truly aligns with universal ethical principles and human well-being.

References

• European Commission. (2024). AI Act. Retrieved from https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
• European Commission. (2024). Artificial Intelligence Act. Retrieved from https://www.consilium.europa.eu/en/policies/artificial-intelligence/
• European Commission. (2024). AI Act vs GDPR: What’s Different? Retrieved from https://euairisk.com/resources/eu-ai-act-vs-gdpr-comparison
• European Commission. (2024). How the EU AI Act Supplements GDPR in the Protection of Personal Data. Retrieved from https://www.inta.org/perspectives/features/how-the-eu-ai-act-supplements-gdpr-in-the-protection-of-personal-data/
• European Commission. (2024). AI Governance Best Practices. Retrieved from https://defined.ai/blog/ai-governance-best-practices
• European Commission. (2024). AI Act Proposal: A New Right to Technical Interpretability? Retrieved from https://arxiv.org/abs/2303.17558
• European Commission. (2024). Data Portability. Retrieved from https://en.wikipedia.org/wiki/Data_portability
• European Commission. (2024). EU Regulatory Ecosystem for Ethical AI. Retrieved from https://link.springer.com/article/10.1007/s43681-025-00749-x
• European Commission. (2024). Global Approaches to Artificial Intelligence Regulation. Retrieved from https://jsis.washington.edu/news/global-approaches-to-artificial-intelligence-regulation/
• European Commission. (2024). A Guide to the EU AI Act. Retrieved from https://www.protiviti.com/it-it/resource-guide/eu-ai-act-regulations-compliance-and-best-practices
• European Commission. (2024). Italy Becomes the First in Europe to Set National AI Rules. Retrieved from https://www.jdsupra.com/topics/data-protection/ai-act/regulatory-requirements/
• European Commission. (2024). Framework Convention on Artificial Intelligence. Retrieved from https://en.wikipedia.org/wiki/Framework_Convention_on_Artificial_Intelligence