AI Compliance Standards Lag Behind Regulation, Leaving Firms to Self-Certify
Public bodies tasked with defining technical requirements for AI systems have missed deadlines, forcing providers to interpret vague legal mandates on their own.

The Standards Gap in AI Regulation
A structural problem is emerging across AI regulation: the technical standards that would make legal requirements enforceable don't exist yet, and the companies being regulated are filling the void themselves.
The European Union's AI Act requires providers of high-risk systems to certify compliance with harmonized technical standards. Those standards were supposed to arrive by August 2025. They didn't. The European Commission has now proposed delaying parts of the Act's enforcement until 2027 and 2028. In the interim, providers are interpreting general legal requirements—accuracy, fairness, robustness, human oversight—without official guidance on what those terms mean in practice.
This pattern extends beyond Europe. U.S. employment law prohibits discriminatory hiring practices, but the technical guidelines that define what counts as discrimination date to 1978 and were written for paper tests, not machine learning models. The Equal Employment Opportunity Commission has not updated them. Companies deploying AI hiring tools are defining compliance standards internally, and those internal documents are becoming the de facto interpretation of what the law requires.
Why it matters
When providers certify their own systems against vague legal language, they effectively write the rules they're measured against. That creates an accountability gap: regulators lack the technical benchmarks needed to challenge self-assessments, and the people affected by AI decisions have no way to know whether the standards applied actually protect their interests. The first court cases testing these regulations will likely rely on provider-written documentation as the operational meaning of compliance.
The Two-Community Problem
The delay stems from a mismatch between two expert communities. AI safety specialists think in terms of system failures, testing protocols, and pre-deployment risk measurement. Legal and governance experts think in terms of liability, procedural rights, and post-decision remedies. Standards bodies need to synthesize both perspectives, but few people operate fluently in both domains.
The AI Act illustrates the friction. Article 14 requires that high-risk systems be designed for human oversight—a legal framing. Article 15 mandates accuracy, robustness, and cybersecurity—technical goals that may conflict with effective human oversight. Reconciling those requirements is specification work the Act delegates to standards that remain unwritten.
Real-World Consequences
The Dutch childcare benefits scandal demonstrated the risks. The Tax and Customs Administration used a risk-scoring algorithm to flag fraud, wrongly accused approximately 26,000 families, and disproportionately targeted immigrant parents. No published standard existed to define acceptable error rates or adequate human review, so no external benchmark triggered a correction before harm accumulated.
Canada's proposed Artificial Intelligence and Data Act collapsed in 2025 after critics noted it defined compliance obligations in general terms and delegated substantive specifications to future regulations. Without those specifications, neither industry nor civil society could evaluate what the Act would actually require.
What Needs to Change
Regulatory drafting processes should integrate technical and legal expertise at the provision design stage, not in sequential review. Research funders could require deliverables that produce frameworks usable by both communities. Both approaches aim to create shared technical-legal categories that let regulators substantively evaluate provider claims rather than accept them by default.
The standards gap will close eventually—either through deliberate institutional work or through litigation after major failures force corrections. The current trajectory points toward the latter.
These findings were detailed in an analysis published by Just Security.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.