Mathias Risse, the philosopher who runs Harvard’s Carr-Ryan Center for Human Rights, has written what amounts to a structural diagnosis of the global AI governance problem. Three conditions, he argues, are jointly necessary for AI regulation to genuinely serve human rights: governance reach, the practical capacity to enforce rules over those who build and deploy these systems; technological power, a meaningful concentration of frontier development within the regulating jurisdiction; and rights commitment, a credible, institutionally embedded dedication to privacy, non-discrimination, due process, and human dignity that functions as a genuine constraint on both state and market. Each of the world’s three major regulatory blocs — China, the United States, the European Union — has, on Risse’s reading, at most two. The missing condition, in each case, is the one that turns the rest into something other than what it claims to be.
N° 04 · What “Brussels in Denver” tracked as a constitutional fight over Colorado’s algorithmic-discrimination law, Risse names as the structural condition of the U.S. case: technological power without governance, with state-level efforts standing in for federal action that has not arrived.
What human-rights-compatible AI requires — all three
The three conditions Risse names are not merely desirable. They are jointly necessary, and the trilemma is that no jurisdiction currently combines them.
The argument’s first move is the move that does the most work. Risse insists that governance reach, technological power, and rights commitment are not three items on a checklist of which two will do. They are jointly necessary. Governance reach without rights commitment produces enforced repression. Technological power without governance produces unaccountable systems whose harms are distributed invisibly across populations. Rights commitment without technological power produces principled regulation of systems the regulator does not build and cannot fully steer. Each pairing fails differently, but each fails.
This is why Risse calls the configuration a trilemma, and why he is careful to name the precise sense in which he uses the word. In its strict sense — the version familiar from international economics, where you cannot have free capital flows, fixed exchange rates, and an independent monetary policy at once — a trilemma describes a logical impossibility. Risse’s trilemma is not that. The three conditions are mutually compatible in principle. There is no contradiction in imagining a jurisdiction that combines real enforcement, real technological capacity, and a real human rights framework. The trilemma is political, not logical: it describes a stable configuration in which the three major regulatory regimes that actually exist each lack a different one of the three.
For everyone outside those three blocs, that configuration produces a genuine choice with real costs. A country deciding how to position itself in relation to AI governance must pick which kind of failure to import. The terms of that choice are what the rest of the commentary lays out.
The matrix is faithful to Risse’s headlines for each bloc. It is not, by his own admission, the whole story. He notes elsewhere that the United States’ rights commitment is itself contested, and that the European Union’s governance reach operates partly through extraterritorial market access — what scholars call the Brussels Effect — rather than through direct authority. The matrix shows where the structural pressure points are. The prose that follows is where the qualifications live.
China: governance reach, without rights
China has built the most ambitious regulatory architecture of any major jurisdiction over digital systems — and the most consequential gap between that architecture and the human rights of the people it governs.
Over twenty years, Beijing has assembled a body of digital law that on paper resembles the most sophisticated frameworks in the world. The Cybersecurity Law of 2017, the Data Security Law of 2021, and the Personal Information Protection Law of 2021 cover much of the same regulatory ground as the GDPR. They impose obligations on data handlers, give citizens nominal rights against corporate misuse of their data, and require risk assessments and security audits.
What they do not do is what GDPR does, which is to impose those obligations on the state itself. Each of the Chinese instruments is explicitly subordinated to the requirements of “national security” and “social stability” — categories that, in practice, mean the requirements of Communist Party control. Data protection norms apply horizontally between citizens and corporations. Vertical state access to data is preserved, without meaningful independent oversight. The result, Risse argues, is a system that delivers the appearance of rights-oriented governance while keeping the infrastructure of surveillance and control intact.
The concrete consequences are pervasive. The social credit system — what Risse describes as an interlocking set of financial blacklists, regulatory scoring, and local government experiments — makes algorithmic governance of citizen behavior operational at scale. He is careful to note the distance between the system as it actually operates and the more lurid Western descriptions of it. There is no single national score. There are many overlapping experiments, sectoral compliance regimes, and blacklists for specific violations, varying enormously across localities. The structural diagnosis does not depend on the lurid version. The direction of travel is what matters: automated, data-driven evaluation of citizen behavior by the state, with real consequences for mobility, employment, and access to services, and minimal procedural recourse.
Hong Kong is the limiting illustration. When Beijing imposed the National Security Law in 2020, it did so over a city that had been promised, in the 1997 handover, fifty years of distinct legal culture — common law protections, judicial independence, press freedom. Since then, prosecutions of pro-democracy activists, lawmakers, and journalists have proceeded steadily. In March 2024, Article 23 expanded the 2020 framework, broadening the definitions of espionage and external interference in ways that further narrowed the space for dissent.
In February 2026, the courts delivered the limit case. Jimmy Lai, the seventy-eight-year-old founder of Apple Daily and the most visible face of the city’s pro-democracy press, was sentenced to twenty years in prison on charges of colluding with foreign forces under the National Security Law. The sentence was within the harshest tier the law provides. Given Lai’s age and health, it functions effectively as a life sentence. Risse takes the case as a structural illustration: the same legal framework used to silence Lai also governs data access, platform regulation, and the subordination of algorithmic tools to party authority. Where regional difference has come into conflict with central authority, central authority has won. The lesson for AI governance is the lesson for civil liberties.
The Xinjiang case is the second illustration, and the more directly AI-anchored. UN human rights bodies have described the mass surveillance of Uyghurs in Xinjiang — Integrated Joint Operations Platforms, predictive policing, networks of facial recognition cameras, DNA collection and voice-print databases, compulsory installation of monitoring software on personal devices, applied to a Muslim minority population of some twelve million people — as potentially constituting crimes against humanity. The U.S. State Department has used the term genocide. The role of AI is central, not incidental: as the infrastructure of surveillance and as the mechanism for generating the risk scores that trigger detention.
Beyond its borders, China is exporting the model. As far back as 2019, the Carnegie Endowment documented Chinese AI surveillance technology deployed in at least seventy-five countries — not just hardware and software but governance templates, designed to maximize state visibility over populations with limited rights protections built in. Huawei alone supplied surveillance infrastructure to fifty countries in that 2019 count. The figure is now older than the Cybersecurity Law itself.
Risse pauses to acknowledge what would be missing from a purely critical account. The Chinese government in recent decades has lifted hundreds of millions of people out of poverty. The ruling party is genuinely committed, in its own terms, to a public good shaped by Communist and Confucian traditions, and the integration of AI throughout Chinese society can be understood as one expression of that commitment. Acknowledging this, he argues, is entirely consistent with the central critique: that a regulatory framework subordinated to political control cannot, by construction, place rights above the requirements of the system it serves.
Where governance reach and AI capability are high but rights commitments are absent, regulation becomes a force multiplier for repression rather than a constraint upon it. — Mathias Risse
The line names what the China case does to the standard pro-regulation intuition. Effective governance is not inherently beneficial from a human rights standpoint. Everything depends on what it governs for.
The United States: technological power, without governance
The United States hosts the most concentrated frontier AI industry in the world and the most sparse federal AI law. Risse argues the gap is structural, not merely contingent.
The numbers, by Risse’s reading and the Stanford AI Index he cites, are unambiguous. The majority of frontier foundation model labs are headquartered in the United States. The dominant cloud infrastructure providers are American. The largest pools of venture capital directed at AI are American. Whatever else is true about the global distribution of compute and capital, the center of the frontier is on the U.S. west coast and in a small number of east coast research hubs.
The governance picture is the inverse. The United States lacks, alone among major democracies, a comprehensive federal privacy law. As of 2025, more than 140 countries have enacted national data protection legislation. The U.S. has not. The vacuum has been partially filled by state-level efforts — California’s Consumer Privacy Act, the Privacy Rights Act that strengthened it, equivalent statutes in Colorado, Connecticut, Virginia, and a growing list of others — but these are fragmented by design. Different jurisdictions, different definitions, different remedies. Easier to navigate for large well-resourced companies than for small actors or individuals, with large categories of data and processing left outside their scope.
Behind the policy fluctuation sits something more durable: a political economy in which technology firms have operated with extraordinary freedom from regulatory constraint, an ideology of innovation as inherently beneficial that has held across most of the political spectrum, and a corporate lobbying apparatus that has successfully blocked federal privacy and platform-accountability legislation for over two decades. The Biden-era frameworks were genuine but visibly fragile — vulnerable, by design and by political circumstance, to exactly the rescission that occurred.
The result is a system in which technological power is enormous, governance is fragmented and incomplete, and human rights protections are largely left to the market — which has shown no particular interest in supplying them. Risse cites two book-length studies as the documentary record. Kate Crawford’s Atlas of AI tracks the material and human costs of AI systems as they are actually deployed in hiring, benefits administration, criminal justice, and content moderation — outcomes that are systematically racialized and that fall hardest on those with the least power. Virginia Eubanks’s Automating Inequality makes the parallel argument about automated welfare and public services systems, showing how digital tools reproduce and amplify pre-existing patterns of discrimination while insulating decision-makers from accountability.
A patchwork of sector-specific laws — HIPAA in health, the Fair Credit Reporting Act in finance, COPPA for children’s data, civil rights statutes applied to algorithmic hiring and lending — does provide some constraint on specific AI applications. Federal Trade Commission enforcement under unfair-and-deceptive-practices authority, EEOC and HUD guidance on algorithmic tools — these are not nothing. But the architecture, Risse argues, is structurally inadequate in a way that goes beyond mere incompleteness. The sectoral approach was designed for a world in which discrete industries handled discrete categories of data for discrete purposes. AI is not a sector. It is a general-purpose technology whose most consequential effects arise precisely from the aggregation and cross-domain deployment that sector-specific laws were designed to prevent. A regulatory architecture built on sector boundaries cannot govern a technology that dissolves them.
The structural inversion of the China case follows. Where the Chinese gap turns governance into a force multiplier for repression, the American gap produces something subtler: a market-driven erosion of privacy, autonomy, and equality, distributed unevenly across the population, less visible than authoritarian surveillance but cumulative and serious.
The European Union: rights, without leverage
The EU has codified more careful thought about AI and human rights than any other jurisdiction. It has correspondingly less power over the technology itself.
The European framework is the most developed in the world. The General Data Protection Regulation, in force since 2018, elevated data protection to the status of a fundamental right under the EU Charter and established principles of purpose limitation, data minimization, and the right to explanation of automated decisions that have shaped data law globally. The Digital Services Act imposes systemic risk assessments, independent audits, and researcher data access on the largest platforms, with particular attention to recommender systems and the amplification of harmful content. The AI Act, formally adopted in 2024, completes the architecture: a risk-tiered framework that prohibits outright a category of “unacceptable risk” applications — social scoring, AI exploiting psychological vulnerabilities, most real-time biometric surveillance in public spaces, predictive policing based on profiling — and imposes strict transparency, oversight, data quality, and fundamental rights impact assessment requirements on systems classified as “high-risk” in employment, education, law enforcement, migration, and access to essential services.
Taken together, these instruments are the most developed attempt by any jurisdiction to make human rights commitments operational in the governance of digital technology.
The framework comes with real difficulties. The AI Act was drafted with a particular generation of AI systems in mind — narrower, more predictable, decision-system-shaped — and was somewhat overtaken by the rise of generative models before it entered into force. The treatment of general-purpose AI was added late in the legislative process and remains less developed than the rest of the framework. Implementation is uneven: the risk-tiered architecture requires ongoing categorical determinations, and there are real concerns about whether national enforcement authorities have the technical expertise and resources to supervise sophisticated AI systems effectively.
There is also a more fundamental critique from civil society. The AI Act, despite its prohibitions, still permits significant uses of AI in law enforcement and migration control that carry serious human rights risks — including biometric surveillance under broadly defined national security exceptions, and AI in asylum and migration processing where the fundamental rights stakes are especially high. The EU’s institutions, and its member states acting individually, have not always practiced what the AI Act preaches.
The most fundamental gap, however, is industrial. Very little large-scale AI development actually happens in the EU. The continent has important research institutions and some notable companies, but the frontier foundation models reshaping how information is processed, content generated, and decisions made are built predominantly by U.S.-headquartered firms — OpenAI, Google DeepMind, Anthropic, Meta — or by Chinese ones — Baidu, Alibaba, Huawei. The compute infrastructure, the data centers and specialized chips that make large-scale training possible, is similarly concentrated outside Europe. This is the Brussels paradox in its sharpest form: the jurisdiction with the most thoughtful regulatory intentions has the least power over the technology it is trying to govern.
The Brussels Effect provides partial compensation. Companies adjust products and practices to comply with European law rather than be excluded from the European market. But the mechanism works best when companies have strong incentives to remain in the European market and when the regulated activities are visible and consumer-facing. For the most powerful AI systems, and for the training processes and architectural choices that shape them most fundamentally, European leverage is partial at best.
The structural implication is the third inversion of the trilemma. Where the Chinese gap turns governance into repression, and where the American gap turns absence of governance into market-driven erosion of rights, the European gap turns sophisticated regulation into something the technology can route around. The EU supplies normative and legal leadership on human-rights-compatible AI but lacks the industrial leverage to steer the technological trajectory from which its citizens are not insulated.
The window that will not stay open
The trilemma is political, not logical. Each bloc has a path. What is uncertain is whether any of them will walk it before the configuration hardens.
The framework’s payoff is reformist, not despairing. Each missing element points toward a concrete agenda. China’s regulatory sophistication in the absence of rights commitment calls for international pressure on transparency and on the conditions attached to AI exports — particularly to Global South countries that import its surveillance infrastructure. The United States’ technological power in the absence of governance calls for federal privacy legislation, strengthened agency enforcement, harmonization of state-level frameworks, and the restoration of the Biden-era frameworks that the current administration has abandoned. The European Union’s rights commitment in the absence of technological power calls for serious investment in European AI capacity — compute infrastructure, foundation model development, data ecosystems — without which the most sophisticated regulatory framework in the world governs only the margins of the technology it is meant to steer.
Beyond bloc-specific reform, Risse argues for international coordination, while acknowledging clearly how much harder this has become since January 2025. He continues to favor a global moratorium on frontier AI development as the most serious possible expression of collective responsibility, while granting that arguing for a moratorium without a theory of how it could be achieved is a wish rather than a prescription. What he proposes as more immediately achievable is a smaller, more concrete set of international commitments: mandatory incident reporting for significant AI system failures, modeled on aviation safety reporting; agreement on a small set of categorical prohibitions, including AI-enabled mass surveillance for export and fully autonomous lethal weapons decisions; and a dedicated international fund for AI governance capacity in lower-income countries, which currently face the highest risks with the least institutional protection.
- GDPR enters into force
- Hong Kong National Security Law
- EO 14110 · Bletchley Declaration
- EU AI Act adopted · HK Article 23
- Trump rescinds 14110 · NIST defunded
- Jimmy Lai sentenced to 20 years
The 2023 AI Safety Summit at Bletchley Park is, in this light, the high-water mark and the inflection point. The declaration was signed by twenty-eight countries plus the EU — including both the United States and China — and it acknowledged that AI risks “are inherently international in nature” while committing signatories to cooperative safety research. It was a meaningful beginning. Since the second Trump inauguration, that beginning has been placed in active doubt. What had followed roughly a decade of deliberately curated apathy on AI ethics, Risse argues, has now ushered in a period of active abdication.
The window analogy carries the weight of the closing argument. Nuclear non-proliferation governance was negotiable in the 1960s in part because capability had not yet spread irreversibly. That window is now much narrower. Platform regulation became dramatically harder once social media companies had grown into infrastructure — the Digital Services Act is a closing-window instrument, an attempt to govern what had already partly hardened. Climate governance bears the same structural lesson, measurable now in degrees of warming and in lives. AI governance faces the same dynamic. The more deeply AI systems embed themselves into economic infrastructure, state functions, and the daily texture of social life, the higher the political and technical cost of subjecting them to meaningful accountability. The window is open now. It will not remain open indefinitely.
What is uncertain is whether any of the three blocs will act on the agenda each one’s missing element implies. The political conditions for reform in each case are real, and they are not getting easier. The current U.S. administration is moving in the opposite direction. The Chinese system is moving toward more, not less, integration of AI with state authority. The European Union has not yet produced the industrial-policy commitment its regulatory ambition would need to be matched by.
What is not uncertain is the structure. Risse’s diagnostic does not require any of the three blocs to be evil or any of them to be incompetent. It requires only that each be politically what it is. The trilemma describes a stable configuration of normal political behavior across three jurisdictions — the EU acting as a normative actor, the U.S. as a market-driven one, China as a party-state — in a world where AI is general-purpose. The configuration is stable because each bloc’s missing element is rooted in the political logic that produces the elements it does have. Reforming any of them is not a small adjustment. It is reaching against the gradient that produced the present arrangement.
What the reader is left with is the essay’s own framing. The trilemma is not a logical impossibility. It is a political condition, and political conditions can change. The normative framework — human rights as a genuine constraint on both state and market power — is available, codified in international law, and ratified by all three jurisdictions under discussion. What is missing, Risse writes, is not the tools but the will to use them. The function of his commentary, by his own account, is to make the cost of that missing will visible, and to insist that it is a cost measured in human rights. Whether that visibility is enough to move any of the three regimes toward the third condition each cannot supply on its own — the answer to that is not in the essay, because it is not yet in the world.