The real question behind “AI governance.”
AI governance is often framed as a question of volume. How many countries have passed laws? How many frameworks exist? How many principles have been endorsed?
By that measure, the last few years have been remarkably productive. Governments, standards bodies, and companies have released a steady stream of policies and guidelines. The sheer volume creates a sense of momentum.
But volume is not the same as coverage, and coverage is not the same as protection.
A more useful set of questions is simpler, yet harder at the same time: what do these documents actually govern? Which risks are addressed in meaningful depth, and which receive only passing attention? Which sectors, stages of development, and actors are accounted for and which are not?
A new report from the MIT AI Risk Initiative and Georgetown's Center for Security and Emerging Technology (CSET) takes that question seriously. Instead of counting governance documents, the team maps them.
Drawing on more than 1,000 policies from CSET’s AGORA dataset, the report offers one of the most systematic efforts to understand where AI governance is concentrated, and where it isn’t.
From counting policies to mapping coverage
The study analyzes governance documents across a set of structured taxonomies: the types of risks they address, the sectors they apply to, the actors involved, and the stages of the AI lifecycle they cover.

It also distinguishes between hard law, soft law, and other forms of governance, while tracking what kinds of AI systems are actually referenced.
This approach shifts the conversation in an important way. Rather than asking whether governance exists, it asks how it is distributed, and whether that distribution turns out to be uneven.
A pattern of concentration and omission
Across the dataset, governance is clustered around familiar concerns. Risks like model safety, security vulnerabilities, transparency, and robustness are consistently addressed. These are areas where definitions are relatively mature and regulatory approaches are more established.
By contrast, socioeconomic risks, such as the devaluation of human labor or the concentration of power, appear less frequently and often with less depth. Emerging areas, including multi-agent system risks or questions around AI welfare, remain largely peripheral.
A similar pattern appears at the sector level. Governance documents disproportionately focus on public administration, national security, and scientific research. Sectors closer to everyday economic and social life—housing, food, local services—are much less visible in the policy landscape.

The imbalance extends across the AI lifecycle as well. Most documents focus on downstream stages such as deployment and monitoring. Earlier stages, particularly data collection and system design, receive far less attention. This pattern suggests that governance documents are often oriented toward managing the consequences of AI systems rather than shaping them upstream.
Actors, enforcement, and legislative churn
The report also surfaces a structural pattern in how responsibility is distributed. Developers and deployers are the primary targets of regulation, while enforcement and monitoring roles are largely assigned to public institutions. Actors like end users and affected stakeholders play a more limited role in formal governance structures.
At the same time, the legal landscape itself appears unstable. While a large share of documents are classified as “hard law,” fewer than half are actually enacted. A comparable proportion is already defunct, with the remainder still in proposal stages. For practitioners, this raises a practical concern: the frameworks they rely on may not be durable, cumulative, or even in force.
Finally, most governance documents regulate AI in broad terms—“AI systems” or “AI models”—rather than targeting specific technologies. While generative AI and other categories are mentioned, more technically specific areas such as frontier models, open-weight systems, or compute thresholds receive limited attention. The risk is that systems with very different properties and impacts are governed as if they were the same.
What this means for policymakers
The report is careful not to overinterpret these patterns. Gaps in documentation do not necessarily mean gaps in practice, and the dataset itself reflects a particular slice of the global landscape, heavily weighted toward U.S. federal policy.
But the value of the work lies in what it enables: a more precise diagnostic lens.
For those working on AI governance, the findings surface a third set of questions worth interrogating:
- Are certain sectors underrepresented because they are less exposed to AI risk, or because they have been overlooked?
- Are governance efforts overly focused on downstream oversight at the expense of upstream design choices?
- Are enforcement structures keeping pace with the scale and complexity of deployment?
Perhaps most importantly, the report raises questions about alignment between governance and technological change. If policy continues to operate at a high level of abstraction, can it effectively address systems with increasingly distinct and specialized risk profiles?
These are not questions the report answers, but they are questions that are hard to ignore.
How the research works and its limits
Methodologically, the study combines human review with large language model classification. Earlier phases of the research compared LLM outputs to human consensus across a small set of documents, finding agreement comparable to that of humans. The updated analysis scales this approach across a much larger dataset and includes additional validation through targeted human review.
The authors are transparent about the limitations. LLMs tend to over-attribute coverage when governance-related language is present, and discrepancies between human and model classifications cluster in specific areas. The dataset itself is also skewed toward English-language, U.S.-based documents, which means the findings reflect patterns in that ecosystem more than a truly global picture.
As a result, the output should be read as indicative rather than definitive: a map of patterns, not a precise measurement of coverage.
Why this matters now
AI governance is expanding rapidly. But this report suggests that expansion is not evenly distributed and that unevenness warrants closer diagnostic attention.
One possible explanation is that what gets governed tends to follow what is already legible to policymakers: well-defined risks, established sectors, familiar institutional roles. What falls outside those categories—emerging technologies, diffuse socioeconomic impacts, cross-sector effects—lags behind.
If AI is becoming part of the infrastructure of public life, then knowing where governance is thin and where it isn't is a fundamental, practical exercise.
An open resource for the field
The dataset and report are publicly available and designed for reuse. Interactive tools allow users to explore governance coverage across risks, sectors, and actors, and future updates aim to expand beyond the current U.S.-centric scope.
👉 Explore the full report: https://airisk.mit.edu/ai-governance. Feedback is welcome via this form.