By Mathias Risse, Harvard University

The views expressed below are those of the author and do not necessarily reflect those of the Carr-Ryan Center for Human Rights or Harvard Kennedy School. These perspectives have been presented to encourage debate on important public policy challenges. 

 

A Commentary on Why Global AI Governance is Failing Human Rights

 

1. None of the Three Major Regulatory Regimes on AI Genuinely Serves Human Rights 

 

For AI regulation to genuinely serve human rights, three conditions must be met simultaneously. First, there must be governance reach: the practical capacity to make and enforce rules over the main developers and deployers of AI—jurisdictional scope, enforcement authority, and enough geopolitical and market leverage to ensure that rules are not simply circumvented. 

Second, there must be technological power: a meaningful concentration of frontier AI development, compute infrastructure, and data ecosystems within, or subject to, the regulating jurisdiction. Without this, a regulator is always chasing systems it did not build and does not fully control. 

Third, there must be rights commitment: a credible, institutionally embedded dedication to human rights—privacy, non-discrimination, freedom of expression, due process, and human dignity—that is not conditional on the interests of the state or the market, but functions as a genuine constraint on both.

These three conditions are not merely desirable features of governance. They are indeed jointly necessary for AI regulation to genuinely serve human rights. Governance reach without rights commitment produces enforced repression. Technological power without governance produces unaccountable systems whose harms are distributed invisibly across populations. Rights commitment without technological power produces principled regulation of systems the regulator does not build and cannot fully steer.

The global landscape of AI regulation presents a troubling picture precisely because no single jurisdiction combines all three. (Also see here my 2018 piece on the urgent need for a bigger agenda around human rights and AI: this commentary is a way of taking stock of where things stand.) Looking at the three major regulatory regimes—China, the United States, and the European Union—one finds that each actor possesses at most two of these conditions, and in each case the missing element is critically damaging. This trilemma reflects deeper structural features of each jurisdiction—the political logic of party-state authoritarianism, the political economy of corporate-driven innovation, and the industrial constraints of a trade bloc without a dominant technology sector of its own. 

Let me clarify why I call this phenomenon a “trilemma.” A trilemma is a situation in which there are three options or goals, and you cannot fully achieve all three at once; at least one must be sacrificed or weakened. In our case, however, the good news is that all three criteria can, in principle, be satisfied together, and for each of the three regimes one can imagine concrete steps to achieve that.

I still use the language of a trilemma because these three regimes are the main politically significant regulatory models that currently exist in the world, and this configuration is relatively stable. From the perspective of countries outside these three major blocs, the differences in AI regulation among them present a genuine trilemma. These countries must decide how to position themselves in relation to each bloc—and whatever choice they make carries real costs and trade-offs. Moreover, it will be difficult to reform any of them from within so that they fully meet all three criteria—though it is not impossible. In principle, each regime could be reformed to do so.

 

2. China: Governance Reach Without Rights Commitment

 

China has governance reach and significant technological power, but its regulatory framework is in ongoing tension with human rights—and perhaps even fundamentally incompatible with them. Over the last twenty years, China has updated its governance system to keep pace with fast-moving digital developments—but has done so in loyalty to the principle of party rule. 

This is not a failure of regulatory ambition; China has enacted an extensive body of digital law, including the Cybersecurity Law (2017), the Data Security Law (2021), and the Personal Information Protection Law (2021), which on paper bears resemblance to Europe's GDPR. But all of these instruments are explicitly subordinated to the requirements of "national security" and "social stability," which in practice means the requirements of Communist Party control. 

Regulation includes provisions preventing technology from being used for subversive purposes, meaning that rights protections exist only where they do not conflict with political control. Data protection norms apply horizontally between citizens and corporations, but vertical state access to data is preserved without meaningful independent oversight. The result is a system that provides the appearance of rights-oriented governance while maintaining the infrastructure of surveillance and control intact.

The consequences are concrete and severe. The social credit system—an interlocking set of financial blacklists, regulatory scoring, and local government experiments—makes algorithmic governance of citizens pervasive and operational. Whatever the distance between the system as it actually operates and the more lurid descriptions sometimes offered in Western media, the direction of travel is clear: automated, data-driven evaluation of citizen behavior by the state, with real consequences for mobility, employment, and access to services, and with minimal procedural safeguards or avenues for meaningful challenge.

It is worth pausing here to acknowledge that China is not a monolithic regulatory entity. Regional variation in AI governance is real and significant. Beijing, Shanghai, Shenzhen, and Guangdong function as semi-designated innovation zones with their own municipal AI frameworks and somewhat more permissive development environments. The social credit system in particular is frequently mischaracterized in Western accounts as a single, nationally unified scoring mechanism—it is in reality a collection of local experiments, sectoral corporate compliance systems, and national blacklists for specific violations, varying enormously in scope and sophistication across localities. 

Acknowledging this variation is not merely a gesture toward nuance; it is analytically important. But it does not alter the structural diagnosis. Regional variation in China exists within a framework that ultimately reports to central party authority. Innovation zones are centrally authorized experiments, not independently governed spaces, and they can be redirected when political priorities demand it. No region of China has developed institutional checks on party authority over digital systems or rights protections that genuinely constrain state data access. And the direction of variation matters: localities compete to demonstrate technological leadership and alignment with central development goals, not to provide stronger rights protections. 

The case of Hong Kong is the limiting illustration, and since the recent developments in Hong Kong matter greatly in the human rights community, it is worth saying just a bit more on Hong Kong. When the former British colony was handed over in 1997, Beijing promised it would give the city fifty years to keep its capitalist system and enjoy many freedoms not found in mainland Chinese cities. But this promise has not been kept. In 2020, Beijing imposed a sweeping National Security Law on Hong Kong. Since then, authorities have arrested numerous pro-democracy activists, lawmakers, and journalists, and have curtailed voting rights, press freedom, and freedom of speech. In March 2024, Article 23 was passed, an expansion of the 2020 law that broadens the definition of external interference and espionage and thereby further erodes the city’s rights and freedoms. 

Media tycoon and outspoken pro-democracy advocate Jimmy Lai has become one of the best-known faces of this crackdown. Arrested in 2020, he was found guilty years later in a high-profile trial of colluding with foreign forces, namely the United States, under the national security law and sentenced to twenty years in prison at age seventy-eight. 

The same legal framework used to silence Lai and restrict the press also governs data access, platform regulation, and the subordination of algorithmic tools to party authority. The trajectory of Hong Kong illustrates the same structural principle that governs China's entire digital regulatory architecture: formal legal protections—whether for civil liberties, press freedom, or data privacy—persist only until they conflict with the requirements of party control, at which point they are overridden without meaningful institutional check.

As the single Chinese region with the most genuinely different legal culture—common law protections, judicial independence, press freedom—Hong Kong's experience demonstrates precisely where the ceiling on regional autonomy lies. When regional difference conflicted with central authority, it was eliminated. The lesson for AI governance is the same as the lesson for civil liberties: formal protections and local variation persist only where they do not threaten the requirements of party control.

The mass surveillance of Uyghurs in Xinjiang represents perhaps the best documented case of AI being deployed as a tool of ethnic persecution. (Also see here.) Integrated Joint Operations Platforms, predictive policing systems, dense networks of facial recognition cameras, DNA collection and voice-print databases, and compulsory installation of surveillance software on personal devices have been used to monitor, flag, detain, and control a Muslim minority population of some twelve million people. International observers, including UN human rights bodies, have described what is happening in Xinjiang as potentially constituting crimes against humanity. The U.S. State Department has spoken of a genocide in this context. (Also see here.) The role of AI — both as the infrastructure of surveillance and as the mechanism for generating risk scores that trigger detention — is central, not incidental. (Also see here and here.)

China is actively exporting this surveillance model to other governments. As far back as 2019, the Carnegie Endowment for International Peace documented Chinese AI surveillance technology being deployed in at least seventy-five countries. These exports carry with them not only hardware and software but governance templates—systems designed to maximize state visibility over populations, with limited rights protections built in. The human rights damage is thereby multiplied far beyond China's own borders.

To be sure, the Chinese government over the last several decades deserves enormous credit for lifting hundreds of millions of people out of poverty. The ruling party is genuinely committed to the public good—a commitment shaped partly by the Communist tradition and partly by the Confucian one. China's drive to integrate AI throughout society should be understood in this light, as one expression of that commitment. Acknowledging all of this, however, is entirely consistent with the critique offered above: that China's regulatory framework, including its approach to AI, falls seriously short when measured against basic human rights standards.

The structural implication is significant: where governance reach and AI capability are high but rights commitments are absent or at the very least highly uneven, regulation becomes a force multiplier for repression rather than a constraint upon it. Effective governance, in other words, is not inherently beneficial from a human rights standpoint. Everything depends on what it governs for.

 

3. The United States: Technological Power Without Governance

 

The U.S. has the greatest concentration of AI development in the world—home to the majority of frontier foundation model labs, the dominant cloud infrastructure providers, and the largest pools of venture capital directed at AI—but has largely failed to translate that position into meaningful governance. The reasons are not mysterious. They reflect a durable political economy in which technology companies have operated with extraordinary freedom from regulatory constraint, in which the ideology of innovation as inherently beneficial has been hegemonic across much of the political spectrum, and in which corporate lobbying power has successfully blocked federal legislation on privacy, platform accountability, and data protection for over two decades. (For recent developments under Trump, see here.) 

All along, digital technologies in the U.S. have not been used to strengthen democratic governance but rather to build what Shoshana Zuboff has documented as surveillance capitalism—large-scale extraction and monetization of behavioral data, construction of predictive models of human behavior, and deployment of those models to modify behavior at scale. Zuboff's analysis, first developed in her 2019 book The Age of Surveillance Capitalism, has become a reference point because it names something that was happening gradually: a fundamental restructuring of the relationship between individuals and information systems, accomplished largely without democratic deliberation or consent. 

The key move is not merely that data is collected—it is that human experience itself is transformed into a tradeable commodity, with behavioral modification as the product. This represents a quiet but serious assault on human autonomy and self-determination that does not require the overt coerciveness of authoritarian surveillance to be damaging.

The United States also lacks any comprehensive federal privacy law—a remarkable and consequential gap. As of 2025, more than 140 countries have enacted national data protection legislation, making the U.S. an outlier among major democracies. The vacuum has been partially filled by state-level efforts, most notably California's Consumer Privacy Act (CCPA), later strengthened by the California Privacy Rights Act (CPRA), and equivalent legislation in Colorado, Connecticut, Virginia, and a growing number of other states. These are meaningful but fragmented: they create different standards across jurisdictions, are easier to navigate for large well-resourced companies than for smaller actors or individuals, and leave large categories of data and processing outside their scope.

There were genuine efforts, under the Biden administration, to address this. The 2022 Blueprint for an AI Bill of Rights articulated non-binding principles around safe and effective AI, protection from algorithmic discrimination, data privacy, notice and explanation, and human alternatives to automated decisions. Executive Order 14110, issued in October 2023, went further: it required developers of powerful foundation models to share safety test results with the federal government, directed agencies to assess civil rights implications of AI in their areas of responsibility, and linked AI governance explicitly to privacy and consumer protection. These were not comprehensive legislation—they were executive actions, carrying the limitations of that form—but they represented a serious attempt to place the federal government's weight behind meaningful AI governance.

The Trump administration subsequently rescinded Executive Order 14110 within days of taking office in January 2025, issuing Executive Order 14179 in its place. The new order reframed the federal government's role as enabling AI development rather than governing it, removed safety reporting requirements, and signaled an explicit turn toward deregulation. Simultaneously, AI safety research within federal institutions—including work at the National Institute of Standards and Technology (NIST)—has been subject to significant disruption and defunding. The trajectory is not simply one of stasis but of active retreat. (See again my earlier commentary.) 

It would be a mistake, however, to describe the United States as having no federal AI governance at all. A patchwork of sector-specific laws—including HIPAA in health, the Fair Credit Reporting Act in finance, COPPA for children's data, and civil rights statutes applied to algorithmic hiring and lending decisions—provides some constraint on specific AI applications in specific domains. The Federal Trade Commission has used its authority over unfair and deceptive practices to pursue AI and data-related cases, and agencies including the EEOC and HUD have issued guidance on algorithmic tools in employment and housing. This is not nothing. 

But it is structurally inadequate in a way that goes beyond mere incompleteness. The sectoral approach was designed for a world in which discrete industries handled discrete categories of data for discrete purposes. AI is not a sector—it is a general-purpose technology whose most consequential effects arise precisely from the aggregation and cross-domain deployment that sector-specific laws were designed to prevent. A regulatory architecture built on sector boundaries cannot govern a technology that dissolves them. Moreover, these laws are framed primarily around consumer protection and market fairness rather than rights—they are designed to correct market failures, not to protect human dignity, due process, or freedom of expression as constitutional or human rights commitments. The gap is therefore not merely one of coverage but of kind.

The result is a system where technological power is enormous but governance is fairly weak, and where human rights protections are largely left to the market—which has shown no particular interest in providing them. This is not merely an abstract concern. Kate Crawford's Atlas of AI documents in detail the material and human costs of AI systems as they are actually deployed: in hiring, benefits administration, criminal justice, and content moderation, with outcomes that are systematically racialized and that fall hardest on those with the least power. Virginia Eubanks's Automating Inequality makes a similar argument more specifically about automated welfare and public services systems, showing how digital tools reproduce and amplify pre-existing patterns of discrimination, while insulating decision-makers from accountability. 

The structural implication here is the inverse of China's: where technological power is enormous but governance is weak and fragmented, the consequences are not state repression but market-driven erosion of privacy, autonomy, and equality—distributed, less visible, but cumulative and serious.

I have written elsewhere at length about the United States' own serious deficits in rights commitment—see, for example, here or here or here. My claim in this essay is not that each bloc fully satisfies two of the three criteria, but rather that each satisfies at most two. The distinction matters: "at most two" sets a ceiling, not a floor.

 

4. The European Union: Rights Commitment Without Technological Power

 

The EU is the most serious of the three actors in its commitment to regulating AI in accordance with human rights, but it exercises limited control over the technology itself. The EU AI Act, formally adopted in 2024, is a genuinely sophisticated instrument. It adopts a risk-tiered approach: prohibiting outright a category of "unacceptable risk" applications—including social scoring systems, AI that exploits psychological vulnerabilities, most forms of real-time biometric surveillance in publicly accessible spaces, and predictive policing based solely on profiling—and imposing strict requirements around transparency, human oversight, data quality, and fundamental rights impact assessments on systems classified as "high-risk," covering applications in employment, education, law enforcement, migration, and access to essential services.

The AI Act is layered onto a broader framework. The General Data Protection Regulation (GDPR), in force since 2018, elevated data protection to the status of a fundamental right under the EU Charter of Fundamental Rights, establishing principles of purpose limitation, data minimization, and the right to explanation of automated decisions that have had real global influence. The Digital Services Act (DSA) adds meaningful platform accountability, requiring large platforms to conduct systemic risk assessments, submit to independent audits, and provide researchers with access to data, with particular attention to recommender systems and the amplification of harmful content. 

Taken together, these instruments constitute the most developed attempt by any jurisdiction to make human rights commitments operational in the governance of digital technologies.

Yet the EU's framework comes with real challenges. The AI Act was significantly shaped by concerns about narrower, more predictable AI systems—automated decision-making, biometric identification, and the like—and was somewhat overtaken by developments in generative AI before it even came into force. The treatment of general-purpose AI models and foundation models was added relatively late in the legislative process and remains less developed than the rest of the framework. Implementation carries a certain clumsiness: the risk-tiered structure requires ongoing determinations about which systems fall into which categories, and there are genuine concerns about whether national enforcement authorities will have the technical expertise and resources to supervise sophisticated AI systems effectively.

There is also a more fundamental critique. Civil society organizations and scholars have pointed out that the AI Act, despite its prohibitions, still permits significant uses of AI in law enforcement and migration control that carry serious human rights risks—including the use of biometric surveillance under broadly defined national security exceptions, and AI systems in asylum and migration processing where the fundamental rights stakes are especially high. The EU's own institutions—and its member states acting individually—have not always practiced what the AI Act preaches.

Most fundamentally, however, very little large-scale AI development actually happens in the EU. The continent has important research institutions and some notable AI companies. But the frontier foundation models—the systems now reshaping how information is processed, content is generated, work is performed, and decisions are made—are predominantly built by U.S.-headquartered companies (OpenAI, Google DeepMind, Anthropic, Meta) or Chinese ones (Baidu, Alibaba, Huawei). The compute infrastructure—the data centers and specialized chips that make large-scale AI training possible—is similarly concentrated outside Europe. This creates what might be called the Brussels paradox: the jurisdiction with the most thoughtful regulatory intentions has the least power over the technology it is trying to govern.

The EU's regulatory influence is partly extraterritorial—companies adjust products and practices to comply with European law rather than be excluded from the European market, and the "Brussels effect" of regulation-by-market-access has been widely noted by scholars of global governance. But this mechanism works best when companies have strong incentives to remain in the European market and when the regulated activities are relatively visible. For the most powerful AI systems, and for the training processes and architectural choices that shape them most fundamentally, European leverage is partial at best.

The structural implication is this: the EU supplies normative and legal leadership on human-rights-compatible AI but lacks the industrial leverage to steer the technological trajectory from which its citizens are not insulated.

 

5. The Trilemma and Its Implications

 

What emerges from this analysis is not simply a catalogue of failures but a structural map of what would need to change. The trilemma framework is useful precisely because it is generative: each bloc's missing element points directly toward a reform agenda. China's regulatory sophistication in the absence of rights commitment calls for international pressure on transparency and on the conditions attached to AI exports, particularly to the Global South countries that import its surveillance infrastructure. 

The United States' technological power in the absence of governance calls for federal privacy legislation, strengthened agency enforcement, state-level harmonization, and the restoration and strengthening of the Biden-era frameworks that the current administration has abandoned. 

The EU's rights commitment in the absence of technological power calls for serious investment in European AI capacity—compute infrastructure, foundation model development, data ecosystems—without which the most sophisticated regulatory framework in the world governs only the margins of the technology it is meant to steer.

Beyond bloc-specific reform, the case for international coordination remains pressing, even if the prospects for it have dimmed considerably since January 2025. A global moratorium on frontier AI development would be the most serious possible expression of collective responsibility for what is being built—and I continue to believe it would be sensible. But I recognize that arguing for a moratorium without a theory of how it could be achieved is not a prescription; it is a wish. 

What is more immediately achievable—and what should be actively pursued—is a more specific set of international commitments: mandatory incident reporting for significant AI system failures, modeled on aviation safety reporting; agreement on a small set of categorical prohibitions, including AI-enabled mass surveillance for export and fully autonomous lethal weapons decisions; and a dedicated international fund for AI governance capacity in lower-income countries, which currently face the highest risks with the least institutional protection.

These recommendations are made in full awareness of how much ground has been lost. The 2023 AI Safety Summit at Bletchley Park—the first serious multilateral effort to coordinate around frontier AI risks—produced a declaration signed by governments including both the United States and China, acknowledging that AI risks "are inherently international in nature" and committing to cooperative safety research. It was a meaningful beginning. Since the second inauguration of Donald Trump in January 2025, even that beginning has been placed in doubt. As I have argued elsewhere, roughly a decade of advocacy for integrating ethics and human rights into AI governance had followed a period of deliberately curated apathy; Trump's second inauguration has now ushered in a period of active abdication. The window analogy therefore has immediate political force, not merely historical resonance. 

The window analogy deserves to be taken seriously. Nuclear non-proliferation governance was possible in the 1960s partly because it was negotiated before capability had spread irreversibly; that window is now much narrower. Platform regulation became dramatically harder once social media companies had grown into infrastructure—the EU's Digital Services Act is an attempt to close a window that had already partly closed. The cost of delaying climate governance is now measurable in degrees of warming and in lives. AI governance faces the same structural dynamic: the more deeply AI systems embed themselves into economic infrastructure, state functions, and the daily texture of social life, the higher the political and technical cost of subjecting them to meaningful accountability. The window is open now. It will not remain open indefinitely.   

All of this is an argument for urgency, not resignation. The trilemma described in this essay is not a logical impossibility—it is a political condition, and political conditions can change. Each bloc has a clear agenda if it chooses to act on it. The international community has institutions, however imperfect, that could be strengthened and redirected. The normative framework—human rights as a genuine constraint on both state and market power—is available, codified in international law, and ratified by all three jurisdictions under discussion. What is missing is not the tools but the will to use them. Making the cost of that missing will visible—and insisting that it is a cost measured in human rights—is what this commentary has tried to do.

Image Credits

Dan74 | Adobestock
