AI is global. Its governance cannot be one size fits all.
A business I work with operates across the UK, Europe, the United States, India and the wider Middle East and Africa region. Like most international organisations at the moment, it is exploring how AI can improve productivity and the way people work.
The interesting question is not which tools it should adopt. It is who should decide how those tools are used, across a business operating in very different legal and cultural environments.
Where this usually starts to unravel
AI tends to move faster than organisational ownership. Employees are already experimenting with it. Different offices adopt different tools, sometimes through proper procurement, sometimes informally because someone found something useful.
The technology spreads through a business before anyone has agreed what is permitted, who approves it, what information can be shared, or who remains accountable if something goes wrong. By the time the question gets asked properly, the answer is already being decided in a dozen small, uncoordinated ways.
The issue beneath the issue
The natural response is to ask whether the business has an AI policy. That is the wrong starting question.
The better one is: who owns AI when the business operates across borders?
Does IT own the technology? Does Legal own the risk? Does HR own workplace use? Does each country simply decide for itself? Or does the board own the overall direction?
In practice, no single function can govern this properly in isolation. And that is where it becomes a leadership issue before it becomes a legal one.
Why neither extreme works
Allowing every country to set its own approach reflects local conditions, but it tends to create inconsistent standards, duplicated effort and gaps that nobody notices until something goes wrong.
The opposite approach, a single global policy issued from head office, has its own problem. It can create a false sense of control. A use of AI that feels commercially ordinary in one market may be legally sensitive or culturally unacceptable in another. The EU's regulatory approach to AI is considerably more developed than most other jurisdictions, particularly around employment related uses, while other markets are still finding their footing. Treating all this as one problem with one answer rarely suffices.
A more workable way to think about it
From a commercial perspective, this tends to work better as layers rather than a single decision.
The board sets the overall appetite for AI, the values guiding its use and where the lines are that the business will not cross. A cross-functional group, drawing on legal, IT, security, data and HR, builds the framework underneath that and makes the calls on anything material. Local leadership then applies that framework against local employment law, privacy rules and cultural expectations. And the team actually using the tool stays responsible for why they are using it and whether it is producing something reliable.
That last point matters more than it sounds. AI governance should not become a way for business leaders to hand ownership to Legal or IT and consider the job done. Legal can help define the boundaries. IT can control the systems. The business still must own the decision.
Some questions worth sitting with
Will employees in every country get the same transparency about how AI is being used on or around them? Will human review be protected everywhere, or only where local law happens to require it? Will the business hold itself to one standard globally, even in markets where the legal bar is lower?
These are not questions with obvious answers, and they should not be rushed. But they are worth asking before the business has already drifted into an answer by default.
Where responsibility ultimately sits
The law will keep developing at different speeds in different places, and businesses cannot wait for every jurisdiction to arrive at the same position. What they can do is decide their own global standard, work out where local variation is genuinely necessary, and be clear about who has the authority to make that call.
AI governance is not really about controlling a piece of technology. It is about how an organisation chooses to use power, information and judgement across its workforce. That makes it a leadership question first, and a legal one second.