AI governance

For multinational companies, AI governance is becoming less like a single compliance project and more like air traffic control.

The European Union is progressing with implementation of the AI Act. The United States continues to rely on a mix of federal agency rules, state legislation, sector-specific guidance and voluntary frameworks. China has pursued a more interventionist model through regulations covering algorithms, deep synthesis and generative AI. South Korea has introduced its AI Basic Act, while Singapore has advanced AI Verify. Standards bodies are adding another layer through the NIST AI Risk Management Framework (AI RMF) and ISO/IEC 42001.

The result is not a single global AI rulebook but a regulatory mosaic.

That is becoming a strategic challenge for companies operating across multiple markets. An AI system used in hiring, credit, customer service, healthcare, cyber security or employee productivity may face different regulatory expectations depending on where it is deployed, whose data it processes, whether it is classified as high risk, how much autonomy it has and whether it is developed internally or supplied by a third-party vendor.

The pace of policy activity is accelerating. Stanford HAI's 2025 AI Index found that US federal agencies introduced 59 AI-related regulations in 2024, more than double the number in 2023, while legislative references to AI rose by 21.3% across 75 countries compared with the previous year. The International Association of Privacy Professionals' (IAPP) Global AI Law and Policy Tracker now tracks AI legislative and policy developments across multiple jurisdictions, reflecting how quickly the governance landscape is fragmenting.

For boards and CEOs, the message is clear: AI governance can no longer be treated as a domestic compliance issue. It has become a global operational challenge.

The Compliance Map Is No Longer Linear

For years, enterprises could often manage technology compliance by assigning obligations to familiar categories: privacy, cybersecurity, financial services, healthcare, product safety, or labor law. AI disrupts that approach because the same system can raise issues across all of them.

A customer analytics model may implicate privacy, discrimination, consumer protection, and model transparency. A workplace productivity tool may trigger labor, surveillance, and data protection questions. A fraud detection model may involve financial regulation, explainability, and human review. An AI agent may raise cybersecurity, product liability, access control, and auditability concerns at the same time.

The EU AI Act is the most visible example of risk-based AI regulation, but it is not the only framework companies need to track. NIST's AI Risk Management Framework, released in 2023, is voluntary but influential, especially for organisations looking for a structured way to govern AI risk. ISO/IEC 42001 is the world's first AI management system standard and provides a certifiable path for organisations seeking a formal AI management system. ISO/IEC 42001

The challenge is that these frameworks do not operate in isolation. A global company may need to align with NIST for risk management, ISO/IEC 42001 for management-system discipline, the EU AI Act for market access, sector-specific rules for regulated industries and internal board expectations for assurance.

That is why AI governance is becoming a translation problem.

The New Industry Response

The market is beginning to organise around different layers of the problem.

Hyperscalers and platform companies are building governance and security capabilities into their AI ecosystems. Microsoft is extending governance, identity and security controls into agentic AI through Agent 365. IBM is positioning watsonx.governance as an enterprise AI assurance layer across multi-vendor environments. Google's Secure AI Framework focuses on security standards for building and deploying AI responsibly. Microsoft Agent 365 IBM watsonx.governance Google SAIF

Consulting firms such as Deloitte, KPMG, PwC and Accenture are turning AI governance into boardroom advisory work. GRC and AI governance platforms are building systems for inventories, controls, documentation, monitoring and evidence. Standards bodies are providing the language of accountability.

EC-Council's proprietary Adopt. Defend. Govern. AI Framework, or ADG, sits in this market as an operating model layer. Its value is not that it replaces NIST, ISO or the EU AI Act. Its value is that it helps enterprises translate those expectations into a common operating floor.

According to EC-Council's ADG launch announcement, ADG was developed with input from practitioners and advisory board members across organisations including Citi, JPMorgan Chase, Microsoft, KPMG, Deloitte, NTT Data, GE Healthcare, GlobalLogic, Prudential and Salesforce. The framework is built around three pillars, 12 minimum controls and nine governance surfaces, and is designed to align with the EU AI Act, ISO/IEC 42001, NIST AI RMF, OWASP Top 10 for LLM and Agentic AI and MITRE ATLAS.

That alignment matters because multinational companies do not need another disconnected checklist. They need a way to manage overlapping obligations without creating a separate governance program for every jurisdiction.

The Real Risk Is Fragmentation Inside the Company

The patchwork problem is not only external. It appears inside companies as well.

Legal teams may track the EU AI Act. Risk teams may map controls to ISO. Security teams may use MITRE ATLAS or OWASP guidance. Data teams may focus on privacy and provenance. Business units may care most about deployment speed. Boards may ask for evidence but not prescribe the operating mechanism.

Without a shared model, each function can be technically right and still collectively fragmented.

ADG addresses that internal fragmentation through its three-pillar model. Adopt covers business value, use-case framing, architecture and deployment. Defend covers threat modeling, red-teaming, runtime guardrails, model and data integrity, detection and incident response. Govern covers policy, decision rights, regulatory alignment, assurance, audit and board-level evidence. The ADG framework describes it plainly: Adopt builds and operates, Defend breaks and protects, Govern authorises and oversees.

For a global company, that structure is useful because it separates the problem into accountable functions without separating them into silos. It also recognises that compliance cannot be achieved through legal review alone. If an AI system lacks telemetry, has unclear decision rights, carries excessive tool permissions or cannot be red-teamed properly, the compliance position may be weak no matter how strong the policy language is.

The EU regulatory picture itself shows why organisations need adaptable models. Reuters reported in May 2026 that EU countries and lawmakers reached a provisional agreement on changes that would delay enforcement for certain high-risk AI systems and simplify overlapping digital rules. Whether companies view that as relief or uncertainty, the lesson is the same: AI governance cannot be designed as a one-time compliance project. It has to be able to absorb regulatory change.

The Boardroom Test

The boardroom does not need every director to become an AI regulation specialist. It does need management to answer a more practical set of questions.

Which AI systems are in production? Which jurisdictions do they touch? Which systems are high risk? Which standards have they been mapped to? What evidence exists? Who owns the decision? How are security risks tested? What happens when the law changes?

EC-Council's AI Readiness Self-Assessment Tool gives organisations a starting point by assessing maturity across the 12 ADG controls and identifying gaps through a 30-, 60- and 90-day roadmap. The tool is not a substitute for legal analysis or technical validation, but it reflects the direction the market is moving: from policy awareness to operational evidence.

That evidence layer will matter more as AI systems become embedded into business operations. A multinational company cannot govern AI effectively through regional memos and fragmented dashboards. It needs a common language that can travel across geographies, business units, and risk functions.

Global AI regulation will remain uneven. Some jurisdictions will emphasise safety, some innovation, some national security, some consumer protection, and some industrial competitiveness. The companies best positioned for this environment will not wait for global harmonisation. They will build internal governance models strong enough to operate across the patchwork.

In that sense, the future of AI compliance will not belong to companies that simply track the most laws. It will belong to those who can turn changing rules into repeatable controls, evidence, and decisions.