Washington and Brussels spent the same week walking in opposite directions, and any organisation running AI across both now carries the cost. On 2 June 2026 the White House signed an executive order that builds a voluntary, standards-referenced federal approach to advanced AI in cybersecurity. Two days later a bipartisan House draft proposed freezing state rules on AI model development. Brussels, meanwhile, adopted CADA, a regulation that scores cloud and AI sovereignty on a four-level ladder. Transatlantic AI governance has stopped sharing one mental model, and a deployer cannot simply choose the version it prefers.
The American turn favours voluntary controls
The executive order reads as a deliberate rejection of hard rules. It directs the Treasury, the NSA and CISA to stand up an AI cybersecurity clearinghouse with industry, alongside a classified benchmarking process that decides when a model counts as a “covered frontier model”. Developers can then give the government up to thirty days of pre-release access to those models before wider release. The order also says, in plain terms, that none of this creates a mandatory licensing or pre-clearance requirement. So the design is pre-emptive and collaborative rather than statutory.
The House bill pushes the same instinct toward law. Released on 4 June as a discussion draft, it would pre-empt state laws that specifically regulate AI model development for three years, while leaving states free to regulate how AI is used. Members from both parties put their names to it, which tells you the pre-emption appetite is bipartisan. For a European deployer the signal matters more than the text: the United States is consolidating model oversight at federal level and resisting binding obligations on developers.
The European turn treats sovereignty as a graded test
CADA moves the other way. Adopted as a proposal on 3 June and sitting inside the wider European Technological Sovereignty Package, it defines cloud and AI sovereignty across four assurance levels. Level 1 asks only that data sits in EU infrastructure. At Level 2, the provider must add independence from third-country control and transparency over the software supply chain. Move up again and Level 3 requires EU ownership and control of the provider, with criteria such as personnel citizenship. Top of the ladder, Level 4 demands full supply-chain transparency and no third-country interference.
The levels are written for public sector bodies to match a workload to a level after a risk assessment, yet they work as a scoring frame for any buyer. Draft criteria reported by Reuters could shut Amazon, Microsoft and Google out of the most sensitive state tenders, partly because of CLOUD Act exposure. So the European instinct is graded, conditional and openly protective of strategic autonomy.
Transatlantic AI governance no longer shares a mental model
Put the two side by side and transatlantic AI governance reveals a gap that is philosophical, not cosmetic. One regime rewards voluntary cooperation and federal consolidation; the other rewards demonstrable independence and graded assurance. A deployer that standardises on the American model will under-document its sovereignty position in Europe. A deployer that standardises on the European one will over-engineer for a US regime that is, for now, asking for very little. Neither shortcut survives contact with an auditor. We made a related point when the Pentagon’s clash with Anthropic turned provider availability into a continuity question rather than a compliance footnote.
Standards carry transatlantic AI governance across the divide
There is one piece of common ground, and it is the most useful thing in the picture. Both regimes lean on the same recognised frameworks as their evidence layer. The American order points repeatedly to the NIST AI Risk Management Framework; the European approach assumes the kind of management-system maturity that ISO/IEC 42001 codifies. So the practical hedge against divergence in transatlantic AI governance is standards literacy: evidence built to either framework travels in both directions. The four functions that anchor the NIST framework, govern, map, measure and manage, give you a vocabulary an EU regulator and a US benchmarking team both recognise.
Reading vendor evidence against the frameworks
Most vendors already hold some of this. Ask whether their documentation maps to recognised standards rather than to a marketing claim, and you separate the providers who can show their work from those who cannot. A model card, a published evaluation, an audit trail tied to a management system: each is portable evidence. A glossy “enterprise-grade governance” page is not.
One control map a deployer can run
The fix is not two parallel compliance programmes; it is one control map with two triggers per control. Build it so a single artefact answers an EU sovereignty question and a US standards question at the same time. Three controls do most of the work. A graded scoring frame, which the SEAL-level guide we published earlier already demonstrates in practice, gives you the EU column without inventing anything new.
Three controls, two triggers
| Control | EU sovereignty trigger | US voluntary or standards trigger |
|---|---|---|
| Sovereignty self-assessment | Score the service against CADA’s four levels; record today’s level and the one change that moves it up | Map the same service to NIST AI RMF Govern and Map outcomes |
| Model-evaluation or benchmark record | Hold evidence that the provider meets your target sovereignty level | Note whether the model went through any voluntary federal benchmarking, or carries an ISO/IEC 42001 record |
| Vendor questionnaire | Add a sovereignty-level question, with the workload scope it applies to | Add a question on standards conformance and pre-release evaluation history |
Your next thirty days
Three moves are enough to start. First, score your critical cloud and AI services against CADA’s levels and write down the one change that would lift each by a level; that becomes your negotiation ask. Then check whether existing vendor evidence maps to the NIST framework or to ISO/IEC 42001, and flag anything resting on marketing language alone. Finally, read your procurement file for the silent assumption that one jurisdiction’s approach will hold, because this week shows it will not.
Transatlantic AI governance will keep diverging; the standards layer is the part that does not. Build the control map around it, and put a single version in front of your board before the next announcement forces the question.