katero
Jun 30, 2026

The Handover of AI Standard-Setting

The public bodies that are supposed to set the standards for AI regulation have, for the most part, not done it yet. AI regulations on both sides of the Atlantic require providers to certify or document that their systems meet general requirements (such as accuracy, fairness, robustness, human oversight). But they leave much of the specification over what those requirements mean to bodies that have not yet produced requirements that match the systems being regulated. 

The European Union’s AI Act delay is a visible example. Under the Act, providers of high-risk AI systems are supposed to certify their systems against harmonized technical standards written by independent bodies in Brussels, but those bodies missed their August 2025 deadline to issue the standards, and the European Commission proposed postponing parts of the Act’s application to 2027 and 2028 because of that delay. In the meantime, providers are working out their own definitions of what compliance requires with, at most, sectoral guidance from non-AI regulators and their own interpretations of general legal requirements. The standard-setting work that the AI Act assumed public bodies and regulators would do, in other words, is being done by the companies whose systems are being regulated. This pattern, as detailed below, is not specific to the AI Act. 

Why Setting the Standards is Difficult

The pattern is the short-term consequence of a long-term problem: the standard-setting that AI regulation requires sits between two communities. The technical and legal vocabularies that AI regulation depends on often do not match in a way that lets regulators push back substantively on self-assessments from providers.

Two knowledge communities write the rules for AI, but they operate at substantial distance from each other. The AI safety community, whose members are trained in computer science and engineering, thinks in terms of how systems fail under different conditions, what counts as effective testing, and how to measure risk before deployment. The AI regulation community, whose members are trained in law and rights-based governance, thinks in terms of who is responsible when something goes wrong, what process people are owed before a decision affects them, and what rights they have to challenge it after the fact. Standards bodies, sectoral regulators, and domain experts need to be familiar with both disciplinary poles. But people who operate natively at both poles are rare, and the questions that fall between the two overlap with those that AI regulations have struggled most to specify.

This distance shows up in the texts. For example, the AI Act requires that high-risk systems be designed and developed so that they can be overseen by natural persons (Article 14): a requirement drafted in language the law community recognizes. But what to do when the optimal system for accuracy, robustness, and cybersecurity mandated elsewhere in the Act (Article 15(1)) is the one humans cannot effectively oversee is specification work of the kind the Act delegates to standards that do not yet exist. A similar pattern appears in U.S. executive orders. The most detailed provisions of the 2023 executive order 14110 (since revoked) focused on testing AI systems for dangerous capabilities, a concept native to the safety community, without specifying how the results of those tests bear on questions about who is liable when the systems cause harm. Each of these provisions treats one community’s framing as primary and the other’s as friction. What falls between the framings is the content that standards are supposed to supply. 

Who Sets the Standards

When the applicability of regulatory texts depends on synthesized technical-legal vocabulary that has not been built, the work of specifying what compliance means falls on whichever actor is closest to the systems being regulated. In current AI regulation, that actor is the provider. Many legal frameworks use general language that gestures at the technical domain, as is the case with the AI Act. When the technical specifications that would let regulators evaluate compliance are delayed or never arrive, providers in practice certify their own systems against legislative texts and partial standards whose language does not always match how they actually build and test their systems.

What providers are doing in the gap is standard-setting. When a provider certifies that its system meets a general regulatory requirement without a published specification of what counts as adequate, the provider is effectively producing the substantive content of what the regulation requires. In the absence of published standards, that documentation tends to become the operational meaning of the regulation, and the first cases that test the meaning are likely to refer back to what providers wrote. 

The AI Act conformity assessment is one instance of this. The Act lists, in its Annex III, categories of high-risk AI, including systems used in employment, education, public benefits, essential services, law enforcement, and border control. It delegates the work of specifying how a provider should evaluate whether their system is performing acceptably within each category to harmonized technical standards that, for most categories, do not yet exist. 

Other posts