The question of who governs artificial intelligence is usually framed as a contest between governments. A more uncomfortable answer is emerging: the rules that will shape how most organisations use AI are increasingly written not in statute books but in the model weights, system prompts and deployment policies of a handful of private laboratories. For UK businesses, that shift matters more than any domestic white paper, because it means the operating constraints on the AI you buy are being set by people you will never elect and a regulator that does not yet exist.

The contest nobody is clearly winning

A recent essay by Dr Alina Polyakova, President and CEO of the Center for European Policy Analysis (CEPA), captures the moment well. Her starting point is that three power blocs are now openly competing to define how AI is governed — the United States, China and the European Union — and that none of the traditional approaches is keeping pace with the technology.

The American move is toward a light, largely voluntary federal posture that leaves room for later review. China is pouring state investment into every layer of the so-called AI stack — data, energy, data centres, advanced chips and talent — whilst a tentative US-China understanding hints at some future coordination on safe development. Europe took the opposite path, becoming in 2024 the first jurisdiction to legislate a comprehensive, risk-based framework through the EU AI Act.

Critical Context: Three blocs, three philosophies. Washington bets on markets, Beijing on the state, Brussels on law. The UK sits inside none of them — and trades heavily with two.

For UK decision-makers, the relevant insight is not who is ahead. It is that all three models are visibly straining, and the UK’s own position depends on borrowing credibility from approaches it has chosen not to fully adopt.

The real story: regulation cannot keep pace with capability

Polyakova’s sharpest argument is about timing. Top-down regulation worked for railways, pharmaceuticals and finance because those sectors changed slowly enough for legislators to study, draft and enforce. AI does not grant that luxury. The EU AI Act was barely two years old before agentic systems and frontier generative models had outrun its assumptions. Laws written by people who are not technologists, aimed at capabilities that did not exist when drafting began, arrive close to obsolete.

The second problem she identifies is the cost of a risk-first posture. By treating the technology primarily as a hazard to be contained, Europe slowed adoption, discouraged American firms from deploying their best models to European customers, and left its own companies struggling to build at the frontier.

Strategic Reality: A regulatory regime that frames AI as the problem rather than part of the solution does not just constrain risk — it constrains the upside. The same rule that blocks a harm can block a productivity gain.

This is the trap any government faces. Move too slowly and the rules are irrelevant before they bind. Move too aggressively on risk and you suppress the adoption that creates economic value. Neither the American nor the European answer has resolved that tension.

How the three approaches compare

| Approach | Core mechanism | Strength | Weakness for business |
| --- | --- | --- | --- |
| United States | Voluntary frameworks, market-led | Speed, room to innovate | Uncertainty; rules may harden later |
| China | State investment across the stack | Scale, strategic coordination | Limited transparency; access constraints |
| European Union | Comprehensive risk-based law (AI Act) | Legal clarity, rights protection | Slows adoption; rules age quickly |
| United Kingdom | Sector-led, principles-based | Flexibility, lighter compliance | Patchwork; firms still face external rules |

What is really happening: governance moves into the models

The most important shift in Polyakova’s analysis is not between governments at all. If states are poorly equipped to lead, she asks, who fills the gap? Increasingly, the laboratories themselves.

Anthropic has publicly argued for safety protocols embedded directly in models as capabilities grow. OpenAI has published security and safety frameworks it describes as going beyond current legal requirements. Across the industry, evaluation regimes, permissions, refusal behaviours and usage constraints are being written into code, compute infrastructure and deployment architecture. These technical design choices — not statutes — now determine how open a model is, what it will and will not do, and what counts as acceptable use.

Strategic Insight: The most consequential AI race may not be for the highest-performing model, but over which principles get baked into the models everyone else builds on. Whoever sets those defaults sets the rules by proxy.

For a UK business, this is the practical reality. When you adopt a frontier model, you inherit its provider’s safety thresholds, content policies and refusal logic. Those are governance decisions. They were made in San Francisco, not Westminster, and they will shape your product, your liability exposure and your customer experience regardless of what any UK regulator eventually publishes.

The UK’s position: a third way that depends on others

The UK has deliberately chosen not to copy the EU. Rather than a single horizontal AI act, it has pursued a pro-innovation, context-based model in which existing regulators apply cross-sector principles to their own domains, supported by a national institute focused on frontier model safety and evaluation. The pitch is a third way: more permissive than Brussels, more structured than a purely market-led approach.

On paper, that posture aligns neatly with Polyakova’s thesis. If bottom-up, model-embedded governance is the future, a flexible regime that does not prematurely freeze the technology looks prescient. The difficulty is what the position rests on.

Reality Check: A light-touch domestic regime does not make UK firms free of rules. It makes them subject to everyone else’s. The lighter your own framework, the more your effective standards are imported.

A UK company selling into the EU still falls under the AI Act’s extraterritorial reach. A UK company building on American models still operates inside those providers’ embedded constraints. A UK company handling personal data still answers to established data protection law. The flexibility is real, but so is the dependence. The UK has positioned itself as a convenor and a safety-research leader without controlling the two things that most determine the rules its businesses live under: the foundational models and the largest single market on its doorstep.

Strategic recommendations: govern your own AI use first

Because the external picture is unsettled, the most reliable lever for UK leaders is internal. You cannot set the principles embedded in a frontier model, but you can decide how your organisation selects, deploys and oversees the AI it uses.

For organisations early in adoption, start with an inventory. Know which AI tools are in use, what data they touch, and whose safety and usage policies you have implicitly accepted by adopting them. Most governance failures begin with not knowing what you already run.

For organisations scaling AI, build provider diversity and exit options into procurement. If a single laboratory’s policy change can break your product, that policy is now your governance whether you like it or not. Contractual clarity on model behaviour, data handling and version changes matters more than headline capability.

For organisations operating across borders, map your regulatory surface deliberately. EU exposure pulls you toward AI Act compliance; US model dependence pulls you toward provider frameworks; UK operation gives you flexibility but little shelter from either. Treat the strictest applicable standard as your baseline rather than waiting for domestic rules to catch up.

Take Action: Write down, for your three most important AI systems, who actually governs them — the provider, a foreign regulator, or you. The blanks in that list are your real exposure.

Hidden challenges UK leaders underestimate

Four difficulties tend to surface only after AI is embedded in operations.

The first is silent rule changes. A model provider can tighten a usage policy or alter refusal behaviour in a routine update, shifting what your product can do overnight. Mitigation lies in version pinning where contracts allow and in monitoring provider policy announcements as seriously as security advisories.

The second is governance by default. Teams adopt whatever the model permits, and the provider’s thresholds quietly become the organisation’s ethics. The fix is an explicit internal use policy that states what your organisation will and will not do, independent of what a model happens to allow.

The third is the compliance gap between jurisdictions. Building to the lightest applicable standard — often the UK’s — leaves a firm scrambling when an EU deal or a US enterprise customer demands more. Designing to the stricter standard from the outset is cheaper than retrofitting.

The fourth is the accountability vacuum. When something goes wrong, “the model did it” satisfies no regulator and no customer. Clear internal ownership of AI outcomes is the one piece of governance no external party will supply for you.

Warning ⚠️: The absence of binding UK AI legislation is not the absence of obligation. Existing law on data, consumer protection, equality and liability already applies to AI decisions today.

The strategic takeaway

Polyakova’s essay closes on a line worth keeping: the central challenge of the AI age is closing the gap between those who build AI and those who govern it. For the UK, that gap is structural. The country has chosen a flexible regulatory path, retained genuine strength in safety research and convening, but ceded the two highest-leverage points of control — frontier model development and the largest nearby market — to others.

For business leaders, the conclusion is not to wait for clarity that may never arrive. It is to accept that AI governance is already happening, mostly outside your control, and to build the part you do control. Three commitments make the difference: knowing exactly which AI systems you depend on and who governs them; designing to the strictest standard you might plausibly face; and owning AI outcomes internally rather than outsourcing responsibility to a model’s defaults.

The contest over who governs AI will continue between Washington, Brussels and Beijing. UK organisations will not decide that contest. They will, however, decide how well prepared they are for whatever it produces.

Success Factor: The firms that thrive will not be those that guessed the winning regulatory model. They will be those that governed their own AI use rigorously enough that the external outcome barely mattered.


Source and attribution

This analysis draws on “Who Will Govern AI?” by Dr Alina Polyakova, President and CEO of the Center for European Policy Analysis (CEPA), published on the CEPA website. The original essay sets out the contest between US, Chinese and European approaches to AI governance and argues that bottom-up, model-embedded governance may become the dominant model. The UK-specific framing, strategic recommendations and analysis of UK business exposure are original to Resultsense.
