TL;DR for operators
AI governance is usually treated as oversight: write the policy, assign the committee, run the audit, update the spreadsheet when legal asks why nobody can find the spreadsheet. Charming, in the way filing cabinets were charming.
The stronger operational idea is governance with memory. Not memory in the sentimental sense. Memory as structured continuity: which AI systems exist, which rules bind them, which evidence proves compliance, which incidents changed the risk picture, which obligations were revised, and which executive promise quietly expired the moment political weather changed.
The target paper, Comparing Apples to Oranges: A Taxonomy for Navigating the Global Landscape of AI Regulation, provides the useful starting point.[1] It maps AI regulation across five early movers: the EU, the United States, Canada, China, and Brazil. Its contribution is not a grand theory of machine-speed lawmaking. It is more practical and less theatrical: a taxonomy for comparing regulatory frameworks that otherwise look similar only because everyone insists on calling them “AI regulation.”
For business leaders, the lesson is blunt. A compliance programme that remembers only the current rulebook will fail in AI. The rules differ by jurisdiction, legal force, enforcement model, regulatory layer, stakeholder participation, and stage of maturity. They also change. Governance therefore needs an evidence layer, not just a policy layer. The company should be able to answer: what system is affected, by which obligation, under which jurisdiction, with which artefacts, reviewed when, and updated because of what new evidence?
The uncertain part is enforcement. A taxonomy can expose fragmentation; it cannot make regulators competent, independent, or well-funded. Nor can it turn voluntary frameworks into law through sheer optimism, which remains an unfortunately popular compliance strategy.
The policy folder is not a governance system
Ask a large organisation where its AI governance lives and the answer is often a document repository. There will be a policy, a risk rubric, a vendor checklist, a responsible AI statement, and a slide deck explaining that humans remain “in the loop.” The loop, on inspection, is usually a human approving things they do not have the telemetry to understand.
That is the starting problem. AI governance is not failing because organisations lack declarations of intent. It is failing because declarations decay. Models are updated. Use cases migrate. Vendors change their terms. Regulators revise guidance. New incidents reveal failure modes that were not in the original risk assessment. A static governance artefact can look mature while being operationally stale. Excellent formatting, weak memory.
The paper’s value is to shift attention from individual legal texts to the structure of comparison. It asks a deceptively boring question: when different jurisdictions say they regulate AI, what exactly are they doing?
That question matters because the phrase “AI regulation” now covers very different instruments. A voluntary risk framework, a binding statute, a sectoral enforcement action, a government procurement rule, and a national strategy can all be described under the same public label. This semantic fog is not harmless. It can produce false confidence, dilute standards, and let industry-friendly voluntary commitments wear the costume of binding oversight. One must admire the efficiency: compliance theatre with international distribution.
The paper builds a map, not a regulatory machine
The article being revised previously leaned toward the idea of a self-updating “regulatory memory system.” That is an attractive phrase. It is also more than the paper actually claims.
The paper develops a taxonomy for comparing AI regulation across jurisdictions. It selects frameworks with meaningful regulatory weight and applies structured criteria to five cases: the EU AI Act, US Executive Order 14110, Canada’s proposed AI and Data Act, China’s Interim Measures for Generative AI Services, and Brazil’s AI Bill 2338/2023.[1] The authors also use expert consultation and visualisation to make dense legal texts more comparable.
The important move is methodological. Instead of asking whether one jurisdiction is “stricter” than another in the abstract, the taxonomy decomposes regulation into dimensions that can be tracked.
| Taxonomy dimension | What it asks | Why operators should care |
|---|---|---|
| Legal status and novelty | Is this adopted law, proposed law, executive action, or something softer? | Determines whether obligations are enforceable or merely reputational. |
| Maturity of digital legal landscape | Does the jurisdiction already have adjacent rules on data, platforms, content, privacy, or liability? | AI compliance rarely sits alone; it inherits legal plumbing. |
| Reach | Does the framework cover industry, government, individuals, or some mix? | A system can be low-risk in one role and regulated in another. |
| Enforcement and sanctions | Who checks compliance, and what can they do? | A rule without enforcement is often a suggestion wearing a tie. |
| Operationalisation | Are there standards, audits, technical expertise, or sandboxes? | This is where legal language becomes work orders. |
| Stakeholder consultation | Who helped shape the framework, and whose input is visible? | Capture risk often hides in the translation from principle to requirement. |
| Regulatory approach | Is oversight ex ante, ex post, or both? | Determines whether firms must prove readiness before deployment or defend themselves after harm. |
| Regulatory focus | Does the law target technology, applications, or both? | Foundation-model obligations and use-case obligations require different evidence. |
This is the “memory” in the article’s title. Not a magical regulator that learns autonomously. A stable schema for remembering what changed, what differs, and what obligations mean in context.
The costly distinction is hard law versus soft law
The easiest mistake is to treat governance maturity as the number of frameworks a jurisdiction has published. That metric rewards paperwork. Naturally, bureaucracy is flattered.
The paper’s more useful distinction is between soft law and hard law. Soft law includes voluntary principles, guidelines, national strategies, and risk management frameworks. Hard law includes binding obligations, enforceable rules, sanctions, and formal regulatory powers. Both can matter. They do not matter in the same way.
NIST’s AI Risk Management Framework, for example, is explicitly a voluntary framework for organisations designing, developing, deploying, or using AI systems.[2] It is operationally useful because it gives firms a vocabulary around governing, mapping, measuring, and managing risk. But its usefulness is not the same as legal compulsion. The EU AI Act, by contrast, is Regulation (EU) 2024/1689, a binding legal instrument laying down harmonised rules on artificial intelligence.[3]
For enterprises, confusing those categories produces two bad behaviours. First, teams under-prepare for binding obligations because everything is flattened into “responsible AI.” Second, they overstate compliance by pointing to voluntary alignment where legal evidence is required. A board may enjoy the phrase “aligned with best practice.” A regulator may prefer documents, logs, conformity assessments, incident processes, and proof that someone competent looked at them before the system harmed people.
The taxonomy helps because it forces a governance team to preserve the distinction.
| Reader belief | Correction | Operational replacement |
|---|---|---|
| “We have an AI policy, so we have AI governance.” | A policy is an intent record, not a control system. | Maintain a control register linked to systems, jurisdictions, owners, evidence, and review dates. |
| “All AI regulation is converging.” | Some principles converge; enforcement models and legal force diverge sharply. | Track obligations by jurisdiction and role, not by slogan. |
| “Voluntary frameworks solve compliance.” | They help structure risk management but do not automatically satisfy binding law. | Use voluntary frameworks as design scaffolding, then map them to legal duties. |
| “The EU model is the global template.” | It is influential, but other jurisdictions use technology-focused, sectoral, centralised, or hybrid approaches. | Build a comparative regulatory map rather than copying one jurisdiction’s architecture. |
This is not pedantry. It is risk control.
Regulatory memory has four enterprise layers
Cognaptus’ inference is that enterprises need a governance memory layer. This is not directly proposed as a technical architecture by the paper. It follows from the paper’s evidence that AI regulatory frameworks differ across legal status, enforcement, maturity, focus, and participation.
A useful enterprise version has four layers.
First, there is system memory. The firm must know which AI systems exist, who owns them, which vendors or models they depend on, which data they use, which business processes they affect, and whether they make, support, or merely inform decisions. Without this, governance begins with archaeology.
Second, there is obligation memory. Each system needs a maintained map of applicable duties: EU high-risk obligations, sectoral rules, privacy requirements, procurement conditions, consumer protection exposure, model documentation duties, and internal policy requirements. These duties should be versioned. “Applicable as of Q2” is not a detail. It is the difference between compliance and nostalgia.
Third, there is evidence memory. A governance programme should preserve artefacts: risk assessments, model cards, dataset documentation, testing results, human oversight procedures, incident logs, vendor attestations, audit trails, and change approvals. Evidence has to be connected to obligations. A folder full of screenshots is not evidence architecture; it is a cry for help.
Fourth, there is failure memory. AI incidents and near misses should update the risk model. External incident databases show why this matters. Research on the AI Incident Database notes that incident cataloguing is increasingly used to study and mitigate AI harms, and recent work has explored retrieval-based methods for associating new reports with prior incidents to improve failure tracking at scale.[4] That is a governance clue: risk taxonomies need feedback from deployment, not only principles from launch day.
Together, these layers turn governance from periodic review into a maintained institutional memory.
The paper’s evidence is comparative, not predictive
The paper does not prove that any specific regulatory model will succeed. It does not rank jurisdictions by effectiveness. It does not show that the EU will enforce better than the US, or that China’s centralised model will produce safer outcomes, or that Brazil’s proposed architecture will survive implementation intact.
Its evidence is comparative and structural. That matters.
The taxonomy shows that jurisdictions vary along dimensions that are often hidden by public summaries. The EU leans toward a horizontal, risk-based model with strong ex ante obligations and specific rules for general-purpose AI. The US has historically relied more on sectoral and ex post mechanisms, though EO 14110 introduced ex ante features for advanced models before being revoked. China uses a more centralised and technology-focused approach for generative AI and related systems. Brazil and Canada illustrate hybrid, developing frameworks with their own institutional uncertainties.
The conclusion is not that one system wins. The conclusion is that “AI regulation” is not a comparable unit unless decomposed. That is the whole point of “apples to oranges.” The fruit salad is global policy.
For business practice, the distinction is immediate. A multinational AI programme cannot maintain one generic compliance checklist and call it global governance. It needs a living map of how obligations change by deployment context.
Why memory beats one-off oversight
Oversight asks: did someone review the system?
Memory asks better questions.
When was it reviewed? Under which rules? Against which version of the model? Using which evaluation evidence? By whom? What changed after deployment? Which incidents updated the assessment? Which jurisdiction treats the system as high-risk, high-impact, general-purpose, dual-use, sector-specific, or mostly someone else’s problem until the lawsuit arrives?
That change in questioning matters because AI risk is longitudinal. Many risks emerge after deployment: drift, user adaptation, prompt abuse, over-reliance, model substitution, silent vendor updates, data contamination, and automation bias. One-off approval cannot capture that movement. A governance memory layer can at least make the movement visible.
The OECD.AI Policy Navigator illustrates the same general direction at the public-policy level: it is maintained as a live database updated by official contact points, international organisations, and OECD experts.[5] That does not solve governance, but it acknowledges the underlying reality. AI policy is not a static catalogue. It is a changing system requiring updated provenance.
The enterprise equivalent should not be a quarterly scramble. It should be a maintained record with ownership, triggers, and review logic.
A minimal governance memory model looks like this:
AI system inventory
↓
Regulatory obligation map
↓
Evidence and control artefacts
↓
Monitoring, incidents, and changes
↓
Governance review and obligation updates
↓
Revised deployment decision
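A concrete sketch of that model, added here as an example and not taken from the paper or from Cognaptus: a small Python register that links systems, versioned obligations, evidence artefacts and incidents, then reports which duties are backed by missing or stale evidence and which of those are binding rather than voluntary. The system name, obligation ids, model versions and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Obligation:
    id: str
    legal_status: str   # "hard" (binding law) or "soft" (voluntary framework)
    revised_on: date    # date this version of the duty took effect
@dataclass
class Evidence:
    obligation_id: str
    artefact: str
    model_version: str  # model version the artefact actually examined
    reviewed_on: date
@dataclass
class AISystem:
    name: str
    model_version: str
    obligations: list[str]
    evidence: list[Evidence] = field(default_factory=list)
    incidents: list[date] = field(default_factory=list)  # dates of unreviewed incidents

def governance_gaps(system, obligations):
    """Return (obligation_id, legal_status, reason) for each duty whose evidence is
    missing or stale relative to the model, the obligation text, or new incidents."""
    by_ob = {}
    for ev in system.evidence:
        by_ob.setdefault(ev.obligation_id, []).append(ev)
    gaps = []
    for oid in system.obligations:
        ob, evs = obligations[oid], by_ob.get(oid, [])
        if not evs:
            gaps.append((oid, ob.legal_status, "no evidence linked"))
            continue
        latest = max(evs, key=lambda e: e.reviewed_on)
        if latest.model_version != system.model_version:
            gaps.append((oid, ob.legal_status, "evidence predates model change"))
        elif latest.reviewed_on < ob.revised_on:
            gaps.append((oid, ob.legal_status, "evidence predates obligation revision"))
        elif any(d > latest.reviewed_on for d in system.incidents):
            gaps.append((oid, ob.legal_status, "incident after last review"))
    return gaps

def binding_gaps(gaps):  # hard-law gaps only: enforceable exposure, not reputational
    return [g for g in gaps if g[1] == "hard"]

def sample_register():
    # Constructed data: system name, obligation ids, versions and dates are hypothetical.
    obligations = {o.id: o for o in [
        Obligation("EU-AIA-HIGH-RISK", "hard", date(2024, 8, 1)),
        Obligation("NIST-RMF-MAP", "soft", date(2023, 1, 26)),
        Obligation("BR-2338-IMPACT", "hard", date(2023, 5, 1))]}
    system = AISystem("claims-triage", "v2", list(obligations), evidence=[
        Evidence("EU-AIA-HIGH-RISK", "risk-assessment.pdf", "v1", date(2025, 1, 15)),
        Evidence("BR-2338-IMPACT", "impact-report.pdf", "v2", date(2025, 3, 15))],
        incidents=[date(2025, 4, 10)])
    return system, obligations
```

Running `governance_gaps(*sample_register())` on the constructed register flags all three duties for different reasons (evidence tied to an older model, no evidence at all, an incident after the last review), and `binding_gaps` narrows that to the two enforceable ones.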
This is not glamorous. It is also the part that determines whether “responsible AI” survives contact with operations.
The business value is cheaper diagnosis, not prettier compliance
The practical payoff is not merely that auditors receive cleaner binders. Though auditors do enjoy a nice binder, presumably because every profession needs its small pleasures.
The value is faster diagnosis.
When an AI issue emerges, the firm needs to answer operational questions quickly. Is this a regulated system? Which business unit owns it? Which vendor changed? Which model version was active? Did the risk classification change? Were users notified? Was there human oversight? Which evidence supports that claim? Has a similar incident happened internally or externally? Does the jurisdiction require reporting, remediation, withdrawal, or documentation updates?
A governance memory layer lowers the cost of answering those questions. It also reduces duplicated work. The same evidence may support multiple duties across privacy, cybersecurity, AI regulation, procurement, and sectoral compliance. Without a memory layer, each function rebuilds its own partial map. Legal has one truth, IT has another, compliance has a third, and the product team has a Notion page last edited by someone who now works at a crypto exchange.
The ROI is therefore not “better ethics” in the abstract. It is fewer blind spots, faster incident response, clearer accountability, less duplicated assessment work, and more credible regulatory posture. The moral language is optional. The operational burden is not.
Where the argument should not be overextended
There are three boundaries worth keeping clean.
First, taxonomy is not enforcement. The paper improves comparability; it does not guarantee regulatory capacity. A jurisdiction can have elegant categories and weak implementation. A company can have a beautiful control matrix and no actual control. Symmetry is not always comforting.
Second, regulatory memory is not automatic compliance. Storing obligations and evidence does not mean the evidence is good. Human oversight can be documented and still be meaningless. Bias tests can be performed and still miss the relevant subgroup. Vendor attestations can be collected and still be strategically vague. Memory preserves claims; governance must still test them.
Third, memory can itself create risk. A firm that records system behaviour, user interactions, incidents, and decision traces must govern that stored information. Retention, access control, privacy, privilege, and security all matter. The governance memory layer must not become a beautifully indexed liability warehouse.
These limits do not weaken the case. They define it. The argument is not that memory solves AI governance. It is that governance without memory becomes performance art after the first model update.
The board question is changing
The old board question was: do we have AI oversight?
The better question is: what does our AI governance remember?
A good answer should name the systems, obligations, owners, evidence, incidents, reviews, and changes. It should distinguish binding law from voluntary practice. It should show how global rules differ, not pretend they have politely converged. It should connect policy to deployment artefacts. It should admit uncertainty where enforcement is untested or regulation is pending.
The paper gives a comparative taxonomy for public regulation. The enterprise translation is a memory architecture for internal governance. That translation is not automatic, but it is where the business value sits.
AI governance does not need another slogan. It needs continuity. The regulator may move slowly, the model may move quickly, and the company may move sideways whenever incentives become inconvenient. Memory is what lets the organisation notice.
Cognaptus: Automate the Present, Incubate the Future.
- [1] Sacha Alanoca, Shira Gur-Arieh, Tom Zick, and Kevin Klyman, “Comparing Apples to Oranges: A Taxonomy for Navigating the Global Landscape of AI Regulation,” arXiv:2505.13673, 2025. https://arxiv.org/abs/2505.13673
- [2] National Institute of Standards and Technology, Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1, 2023. https://doi.org/10.6028/NIST.AI.100-1
- [3] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- [4] Diego Russo, Gian Marco Orlando, Valerio La Gatta, and Vincenzo Moscato, “Automating AI Failure Tracking: Semantic Association of Reports in AI Incident Database,” arXiv:2507.23669, 2025. https://arxiv.org/abs/2507.23669
- [5] OECD.AI Policy Navigator, OECD Artificial Intelligence Policy Observatory. https://oecd.ai/en/dashboards/overview