
Choose your market, choose your rules

What businesses need to know about bringing AI products to international markets

In August 2024, a Deaf and Indigenous employee of Intuit known as D.K. applied for a Seasonal Manager position after strong performance as Tax Lead. Her interview took place through software provided by HireVue, an AI hiring platform. A month later, she received an automated rejection with personalized feedback including the suggestion that she "practice active listening."

A 2025 complaint filed by the ACLU to state and federal civil rights authorities alleged that HireVue's AI failed to capture the nuances of a deaf speaking accent, resulting in lower scores and a failure to meet its civil rights obligations.1 An AI system that was supposed to evaluate job candidates had instead filtered out a qualified one—through a technical limitation that no one had built the product to account for.

In the EU, HireVue hit an entirely separate wall. Its emotion recognition feature, which reads applicants' emotional responses from video, worked exactly as designed and was categorically banned. The EU's 2024 AI Act forbids the use of emotion recognition software in hiring.2 HireVue had anticipated this three years earlier when it rolled back its facial analysis features;3 the company's Master Services Agreement positions it as a provider rather than a deployer of AI, shifting compliance responsibility to its customers.4 It adheres to the US-EU Data Privacy Framework, running a unified transatlantic cloud architecture.5 But that architecture cannot extend to China, where data localization rules require that data on Chinese citizens be stored on Chinese infrastructure.

One company, navigating all three regimes at once. HireVue rolled back features, restructured its contracts, and redesigned its compliance posture—and still ended up with a product that can't operate the same way in any two of the three major markets. The question facing every AI company selling across borders is whether that kind of fragmentation is a transitional cost or a permanent condition. So far, the evidence points toward permanent.

For most of the last decade, companies had a workable answer to the question of global tech regulation: build to the strictest standard and sell everywhere. The EU's General Data Protection Regulation, which took effect in 2018, applied to any company processing EU residents' data regardless of where it was headquartered.6 Columbia professor Anu Bradford called this the "Brussels Effect": corporations found it easier to build once to Europe's stringent requirements than to maintain separate systems for every jurisdiction.7 GDPR imposed real costs, but it offered a single target. Build to Europe's standard and you could then sell everywhere.

AI regulation offers no such convenience. The major regimes don't disagree about how strict to be. They disagree about what the technology is for. The EU AI Act demands transparency and explainability—developers must document how their models make decisions and ensure that automated decisions can be reviewed by humans.8 China's 2023 Generative AI Measures require that AI services filter outputs for political alignment and undergo security assessment reviews.9 The EU wants AI that can be audited. China wants AI that can be controlled. Satisfying both with a single product is an engineering contradiction.

And the United States is no longer willing to defer to European standard-setting. During the GDPR era, American tech companies were unhappy with compliance costs but ultimately built to the European standard. That calculus is shifting. In 2025, Meta became the only major AI provider to refuse to sign the EU's voluntary AI code of practice.10 Vice President Vance traveled to Paris for the AI Action Summit and declined to sign the final declaration, telling the audience that "excessive regulation of the AI sector could kill a transformative industry just as it's taking off."11 The old consensus—that someone would set the standard and everyone else would follow—is gone.

27 The Tower of Babel / Gustave Doré - Engraving - French - 1866.

The United States

/Acceleration without consistency

In October 2023, eleven months after the release of ChatGPT, President Biden issued the most comprehensive federal AI guidelines to date with Executive Order 14110, requiring sector-specific guidance, civil rights protections, anti-bias measures, and safety testing.12 Trump's tech allies characterized this as overreach that would hamstring American innovation against China. He reversed the order on his first day in office13 and later released an AI Action Plan focused on adoption and infrastructure buildout.14

The regulatory energy moved to the states. California and New York raced to enact safety-oriented AI legislation.15,16 State bills began expanding liability across consumer protection, healthcare, deepfakes, and algorithmic pricing. It's a patchwork of policy that could make products navigate dozens of overlapping regimes.17

Trump moved to override these efforts. Executive Order 14365, issued in December 2025, called for an investigation into state AI regulations, threatening to withhold federal funding and challenge states in court over what the administration considers regulatory obstruction.18 But the states are not backing down. Laws like Colorado's SB 24-205 banning algorithmic discrimination remain in force, directly defying the federal posture.

The sanctuary city precedent is instructive. Sufficiently motivated states have shown they will risk sustained non-cooperation with federal mandates even under real pressure. With durable coalitions backing AI regulation in blue states, and additional uncertainty introduced by post-Chevron judicial review of agency rulemaking,19 the fight over US AI policy is unlikely to produce a clean resolution. This is uncertainty built into the structure of American federalism itself, and companies building for the US market should plan accordingly.

China

/Progress within political bounds

China's approach is more internally coordinated and its requirements are functionally incompatible with Western businesses. Generative AI services must produce content reflecting core socialist values, must not subvert state power, and must not spread fake news, as defined by the Chinese Communist Party. Separate regulations govern algorithms, deepfakes, and data localization; data generated in China must be stored domestically.

The barriers are high enough that OpenAI and Anthropic do not operate in China at all.2021 But this is not blanket impossibility. Apple Intelligence for iPhone is reportedly close to official release in China. Getting there, however, required partnering with Alibaba, removing dependencies (a use of a Google feature was flagged), and waiting months for approval from the Cyberspace Administration of China.22 China remains an enormous market. But the gates to access it require rebuilding your product from the infrastructure up.

The EU

/A faltering Brussels Effect

The AI Act, which entered into force in August 2024, was designed as the next GDPR—a regulation so comprehensive that the world would build to its standard by default. It organizes AI systems into risk tiers, each carrying escalating documentation, auditing, and oversight requirements, and applies to any company deploying AI to EU users regardless of headquarters.23 On paper, it was the most ambitious attempt by any government to systematically govern AI.

Then came the Draghi report. In September 2024, former ECB president Mario Draghi argued that EU regulation risked crippling European competitiveness against both China and the United States.24 The Digital Omnibus on AI Regulation followed, softening several AI Act provisions. It extended compliance timelines and reduced obligations for smaller enterprises.25 The core framework remains, but the confidence behind it has cracked. Europe is no longer setting the standard the world builds to. It is negotiating with itself about how much standard-setting it can afford.

Beyond these three, the regulatory map is not fully drawn. Gulf states are positioning themselves as a lighter-touch alternative with US-aligned infrastructure. India is building its own risk-based framework. But the trilemma defined by the US, China, and the EU is the competitive reality that shapes most business decisions now.

28 The Great Wall at Badaling / Alfons von Mumm - Photograph - German - c. 1902, via Wikimedia Commons.

What internationally operating companies need to know

Compliance is now a market access decision

When the cost of meeting a jurisdiction's regulatory requirements is high enough, the question is no longer "how do we comply?" but "is this market worth the cost of entry?" This is a strategic judgment, not a legal one, and it should be made explicitly rather than defaulted into. The three regimes are concerned with different categories of harm—US state legislation tends toward consumer protection, EU regulation is rights-protective, Chinese regulation is concerned with political stability—and these map to different risk profiles for different products. An AI-powered HR tool faces high friction in Europe and lower friction in the US. A general-purpose productivity tool may face low friction everywhere. Know where your product sits before you choose your markets.

Build to governance standards that apply

The three frameworks are incompatible in their specific requirements, but they share underlying governance themes: transparency, data governance, accountability, human oversight. Building internal processes around these shared principles gives your team a flexible foundation that can be adapted when you commit to a specific market. PricewaterhouseCoopers' guidance on the EU Digital Omnibus recommends exactly this—synthesizing governance priorities across frameworks rather than building to a single regime's checklist.26 This is pre-compliance: the organizational infrastructure that makes actual compliance achievable on a reasonable timeline.

Treat your AI supply chain as a compliance surface

Under the EU AI Act, a company deploying a third-party AI tool in a high-risk context inherits compliance obligations even if it did not build the underlying model. Your compliance posture no longer depends only on your own code—it extends to every vendor whose AI touches your product. This means compliance is a procurement question, not just an engineering one. If your vendor's model fails to meet the transparency or documentation requirements of your target market, you carry the regulatory exposure.

HireVue's trilemma is now the baseline condition for any AI company that intends to operate across borders. The Brussels Effect offered a decade in which compliance could be treated as a cost of doing business—annoying, expensive, but ultimately manageable from a single playbook. That era is over. And the companies that adapt fastest will be the ones that recognize what has replaced it: a world in which choosing your markets and choosing your rules is a singular strategic decision.

Ravi Joseph

About the author

Ravi Joseph /@rjkarmayogi

Ravi Joseph writes on AI, enterprise technology, and organizational strategy. He has consulted on AI implementation and marketing for B2B software companies and previously held roles at Strategy, Oracle, and CivicPlus. He is based in the Washington D.C. area. You can find him on X at @rjkarmayogi.
