YARF (Yet Another Regulatory Framework)
Introduction
Artificial intelligence governance, at least right now, feels less like a system and more like trying to assemble IKEA furniture while the instructions keep updating themselves mid-sentence. One week there is a new federal signal coming out of Washington. The following week, Brussels published another clarification under the EU Artificial Intelligence Act. Somewhere in between, the National Institute of Standards and Technology continues to refine its Risk Management Framework, quietly, methodically, almost as if it expects no one outside a compliance department to notice.
In addition, as if the above is not confusing enough, any account of AI governance that focuses solely on AI-specific frameworks risk overlooking a more immediate and, most times, more consequential reality. Much of what is currently enforced against AI systems does not arise from AI law, but from data and privacy protection regimes that were not originally designed with AI in mind.
Changing AI Regulatory Frameworks
The just-announced White House 2026 National Policy Framework for Artificial Intelligence gestures toward coherence, or at least toward the idea of coherence. It emphasizes federal leadership, hints at preemption of state laws, and speaks in a tone that is both optimistic and strangely cautious. Realistically, it represents strategic ambiguity, not policy clarity. Here are the key elements of the framework:
Don’t panic, it is not binding and cannot be without congressional action (don’t hold your breath). Artificial intelligence has been studied and developed since the mid-twentieth century, yet Congress has only intermittently developed the technical fluency necessary to regulate it effectively. Discussions of large language models in Congress often reflect an uncertain grasp of their underlying mechanics, characterizing them at times both as autonomous agents and as deterministic tools.
Across the Atlantic, the EU AI Act is the opposite. It is dense, prescriptive, and unapologetically regulatory. It classifies systems into risk tiers and attaches obligations accordingly. It imposes documentation, conformity assessments, and potentially severe fines. It is, in a word, actual law. See Regulation (EU) 2024/1689 (Artificial Intelligence Act), or at least it was for a short time. Any initial impression that the EU AI Act would deliver regulatory certainty now appears somewhat optimistic. Rather than a fixed legal framework, it is already functioning as a “living” regulation, evolving in real time as implementation challenges and competing interests emerge.
Even the most “rigid” AI law currently in force is adapting in real time, which reinforces a broader thesis: governance is not a fixed system, but an evolving process.
Then there is NIST. Not law. Not quite policy either. Something in the middle. A framework that practitioners use, which is perhaps the highest compliment one can give.
See Exhibit A for a list of other frameworks in case this wasn’t enough:
The Problem with Static Compliance (and Why It Keeps Failing Anyway)
There is a certain comfort in traditional compliance. You identify the rules. You implement the controls. You document the process. Now you can rest! Of course, that does not exist with the current state of AI governance.
AI governance disrupts this rhythm.
First, the rules are not stable. The White House framework is aspirational and politically contingent. It could harden legislation. Or it could dissolve into a different administration’s priorities. Meanwhile, state laws continue to proliferate, particularly in areas like automated decision-making (agentic AI) and consumer protection. California, Colorado, and others. Each slightly different, each asserting relevance.
Second, jurisdiction does not behave. AI systems do not respect borders. A model trained in one country, deployed in another, and accessed globally creates overlapping legal exposure that is, frankly, not worth trying to map.
Third, and this is where things become a bit difficult, technology itself resists legal categorization. AI systems are probabilistic, especially LLMs. They fail in ways that are not always predictable. Try explaining that in a courtroom where causation still prefers inductive or deductive reasoning. Static compliance, under these conditions, begins to look like a ritual. Reassuring, perhaps. But insufficient.
We need a more flexible approach instead of static compliance.
We might look at this approach in three separate layers:
Attorneys and mediators must move beyond identifying what the law is, toward anticipating what it might become. Something that is often done in futuring, called cross impact analysis. Although this might seem uncomfortable to people in compliance-oriented professions, it is necessary.
A living/flexible regulatory matrix is one practical tool. Not a static memo, but something maintained, updated, argued over. It includes binding obligations under instruments like the EU AI Act, but also policy signals from the United States, including the White House framework. It tracks state developments. It notes contradictions. More importantly, it anchors governance in shared principles. Ideas like transparency. accountability, and human oversight. These appear, in one form or another, across all major frameworks. Even when politicians disagree on specifics, they tend to agree on these abstractions. (Abstractions are politically convenient that way.)
Contracts become central here, functioning less as formalities and more as the mechanism by which governance is actually implemented. They convert broad principles into specific, enforceable duties between parties, who must document what, who bears risk, and who is accountable when something goes wrong. Where public law leaves gaps, contracts quietly fill them. In practice, much of AI governance will not be written in legislation at all, but in negotiated clauses between companies, often settled in long drafting sessions that stretch well past the point where the coffee is still helping.
This is where NIST becomes useful. The AI Risk Management Framework provides a structure that is, if not perfect, at least usable. It emphasizes lifecycle governance. Design. Development. Deployment. Monitoring.
The key is proportionality. Not every AI system requires the same level of scrutiny. The EU’s risk-based approach offers a pragmatic baseline. High-risk systems receive intense oversight. Lower-risk systems, less so.
Documentation, again, becomes central. Not because regulators demand it, although they do. But because it becomes the only reliable record of how a system was built, what it was intended to do, and where it might fail.
Disputes are inevitable. Anyone who suggests otherwise is either inexperienced or selling something. Mediators will play a subtle but important role. They will translate between engineers and executives, between technical uncertainty and legal expectation. Arbitration, particularly in cross-border contexts, will provide a forum and can enforce outcomes. It can incorporate technical expertise in ways that traditional litigation sometimes struggles to accommodate. However, the most interesting function of dispute resolution is not resolution itself. It will provide feedback to a governance system. Governance systems, if they are well-designed, absorb this information and adjust. If they are poorly designed, they ignore it. Usually until something breaks in a more public way.
Future-Proofing (Or Trying To)
Futureproofing is an ambitious term. Perhaps too ambitious. Nothing in this space is truly future proof, given the rapid development of new technologies in AI. Of course, modularity will help. If legal requirements change, the regulatory mapping layer can adapt without collapsing the entire structure. If technical standards evolve, operational controls can be updated independently. Principle-based anchoring like transparency, accountability, fairness, etc. provides continuity. Even as specific rules shift, the underlying values remain recognizable.
There is a tendency, in both law and technology, to treat failure as something to be avoided at all costs. But in AI governance, failure is also data. Not pleasant data, certainly. Sometimes expensive data. Occasionally embarrassing. But data nonetheless.
Conclusion (With a Note of Skepticism)
AI governance, as it currently exists, is not a finished system. It is an evolving infrastructure shaped by policy frameworks, binding regulations, and technical standards that do not always align neatly.
The White House framework provides direction, though it stops short of enforceability. The EU AI Act imposes obligations, though it cannot anticipate every technological development. NIST offers operational guidance, though it lacks legal force. Together, they form something resembling a system.
Legal professionals are not merely participants in this system. They must, whether they want to or not, be it’s architects. Because the truth is, many of the individuals shaping AI governance do not fully understand the systems they are regulating. That includes policymakers. It sometimes includes attorneys. It almost certainly includes legislators who speak confidently about technologies they have never used in any meaningful sense. In any case the work must proceed. Not that we have solved AI governance. But that we are building it, unevenly, imperfectly, with a mixture of expertise, intuition, and occasional guesswork.
Adaptive Layered Governance is not a solution in the traditional sense. It is a method. A way of proceeding despite uncertainty. A recognition that the framework is incomplete, and may always be.
Exhibit A: Key Evolving AI Governance Frameworks
| Category | Framework | Jurisdiction / Body | Core Function |
| Global Principles | OECD AI Principles | OECD | Baseline principles for trustworthy AI |
| G7 Hiroshima AI Process | G7 | Voluntary guidance for advanced AI systems | |
| UN AI Initiatives | United Nations | Global coordination and human rights focus | |
| U.S. Policy & Standards | White House AI Framework (2026) | United States | National strategy emphasizing innovation and federal alignment |
| NIST AI Risk Management Framework | United States | Operational risk management and lifecycle controls | |
| FTC AI Enforcement | United States | Consumer protection applied to AI practices | |
| State AI & Privacy Laws | United States (State-level) | Fragmented regulation of profiling and automated decisions | |
| European Frameworks | EU AI Act | European Union | Binding, risk-based AI regulation |
| GDPR | European Union | Data protection and automated decision-making constraints | |
| Council of Europe AI Convention | Europe | Human rights–based AI governance | |
| EU Harmonized Standards | European Union | Technical compliance standards for AI systems | |
| UK Approach | UK AI Regulatory Framework | United Kingdom | Sector-led, pro-innovation governance |
| UK AI Safety Institute | United Kingdom | Evaluation of advanced AI systems | |
| Asia-Pacific Models | China AI Regulations | China | State-controlled AI governance and content rules |
| Singapore AI Framework | Singapore | Practical, business-oriented governance model | |
| Japan AI Guidelines | Japan | Flexible, voluntary AI governance approach | |
| Technical & Industry Standards | ISO/IEC AI Standards (e.g., ISO 42001) | International | AI management systems and certification |
| Partnership on AI | Multi-stakeholder | Best practices for responsible AI | |
| Frontier AI Commitments | Industry (Global) | Voluntary safety and risk mitigation commitments |
That’s right, you have the necessary skills to deal with all the conflict in your life. Sure there are new skills that you can acquire, you can always build on...
By Jason DykstraIndisputablyThis is the first installment of an online mini-course about social science research methods relevant to the Stone Soup Dispute Resolution Knowledge Project. If you want to get all the...
By John LandeThis morning, driving toward the University of Southern California campus, a lot of memories passed through my mind. I recalled attending the High School Debate Institute at USC, in the...
By Alec Wisner
