FrontierNews.ai

The Missing Piece in AI Governance: Why Laws Alone Won't Work

Effective AI governance depends on infrastructure beyond laws alone. As governments worldwide race to regulate artificial intelligence, a critical gap is emerging: the systems needed to actually enforce those rules don't yet exist. Experts now argue that without testing frameworks, evaluation standards, and assurance mechanisms, even well-intentioned regulations will fail to protect the public.

Why Aren't Laws Enough for AI Governance?

Lee Tiedrich, the inaugural fellow at the University of Maryland's Artificial Intelligence Interdisciplinary Institute and a visiting professor at the College of Information, has spent nearly 30 years working at the intersection of technology, law, and policy. Her conclusion is straightforward: "Sometimes having a law when nobody knows what to do to implement it doesn't help as much," she explained.

Tiedrich's work on the International AI Safety Report, a landmark effort commissioned at the first AI Safety Summit and chaired by Turing Award winner Yoshua Bengio, reinforces this point. The report, supported by more than 30 countries, seeks to establish a shared scientific foundation for understanding advanced AI risks and mitigation strategies. The most recent edition was released in February and presented at the India AI Impact Summit, where Tiedrich moderated a panel of global ministers and researchers.

The challenge mirrors a familiar historical precedent. Public trust in prescription drugs doesn't depend on every individual understanding the chemistry behind them. Instead, it rests on the existence of a system for testing, review, and oversight managed by the Food and Drug Administration (FDA). For AI, the equivalent governance infrastructure is still being built.

What Infrastructure Does AI Governance Actually Need?

Tiedrich's central thesis is that law alone cannot do all the work many people expect it to. For rules to be implemented effectively, several supporting systems must exist in parallel:

  • Testing Frameworks: Standardized methods to evaluate AI systems for safety, security, and compliance before and after deployment.
  • Evaluation Systems: Mechanisms that allow institutions to determine whether regulatory requirements are being followed and to identify emerging risks.
  • Shared Standards: Common definitions, benchmarks, and protocols that enable consistent governance across organizations and jurisdictions.
  • Assurance Mechanisms: Processes that provide accountability and transparency, allowing policymakers and the public to verify that rules are being enforced.

This infrastructure also gives policymakers in different regions the flexibility to decide whether such rules should be voluntary or mandatory, and it helps foster regulatory interoperability when leaders in different jurisdictions disagree on the need for mandatory requirements.

The healthcare sector is taking this approach seriously. The Health Sector Coordinating Council recently published the "Health Industry AI Cyber Governance Framework Implementation Guide," which addresses the unique cybersecurity and privacy challenges as healthcare organizations adopt AI across clinical and operational use cases. The framework emphasizes that effective governance requires integrating cybersecurity into every stage of the AI lifecycle, including assessment, development, deployment, monitoring, and decommissioning.

How Should Organizations Build AI Governance Systems?

The healthcare framework offers a scalable model that other sectors can adapt. Organizations should structure their governance based on size and complexity:

  • Small Healthcare Organizations (fewer than 200 beds): AI governance responsibilities can be incorporated into existing committees such as Quality, Patient Safety, or Compliance, with an AI governance liaison coordinating activities across these bodies.
  • Medium-Sized Organizations (200 to 500 beds): A standing AI Governance Subcommittee should be established under an existing governance structure, with representatives from clinical operations, cybersecurity, privacy, and legal functions.
  • Large Healthcare Organizations (more than 500 beds): A dedicated AI Governance Committee with a formal charter, clearly defined decision-making authority, and direct reporting to the board or a board-level committee is necessary.

Regardless of size, AI governance must include clinical decision-makers when patient care is affected, cybersecurity leadership when security implications exist, and privacy or compliance officers when protected health information is involved.

The healthcare sector also recognized a critical gap: the absence of shared, sector-specific language for AI terminology. The HSCC Cybersecurity Working Group developed an "AI Cyber Glossary," a living reference document establishing consistent, governance-ready definitions for AI terminology across the health sector. As AI adoption accelerates, inconsistent terminology creates real risk across procurement decisions, vendor contracts, regulatory submissions, policy development, and patient safety oversight.

What Role Does Existing Law Play in AI Governance?

Tiedrich emphasizes that accountability does not begin only when new AI-specific legislation is passed. Existing legal frameworks already apply in many cases. Anti-discrimination law, consumer protection, and copyright law are all being tested in relation to AI. Litigation involving data scraping and fair use is expanding, and cases involving harms linked to AI interactions are beginning to reach the courts. Congress has also acted in at least one area, passing the Take It Down Act to address non-consensual intimate imagery.

"To bring a lawsuit, you don't need a new AI law," Tiedrich noted, adding that states are increasingly seeking to regulate AI given the federal government's deregulatory approach.

Lee Tiedrich, Visiting Professor of the Practice at the College of Information, University of Maryland

At the federal level, President Donald Trump signed an executive order on June 2 that establishes a framework for the federal government to vet the national security risks of the most advanced AI systems for up to 30 days before their public release. Participation by AI developers would be voluntary. The order creates a process for frontier labs, including companies like Anthropic, OpenAI, and Google, to voluntarily share cutting-edge AI models to secure critical infrastructure and strengthen the government's cyber defenses.

However, the voluntary nature of the framework has drawn scrutiny. Juan Londoño, a policy analyst at the libertarian-leaning Cato Institute, said the order is imperfect but "a step in the right direction to prepare the nation for the release of advanced AI systems." He applauded the voluntary approach but expressed concern about the vagueness of how the government, led by the director of the National Security Agency, will decide which AI models qualify for scrutiny.

Why Does This Matter Now?

The urgency of building governance infrastructure has intensified as AI capabilities advance rapidly. Anthropic's April announcement of its most advanced AI model, called Claude Mythos, prompted Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell to convene an urgent meeting with Wall Street CEOs, warning them about the risks posed by Mythos' apparent ability to find cybersecurity vulnerabilities in the world's software. Anthropic has limited access to Mythos to only a small group of trusted partners, though it expanded that group by another 150 organizations as of early June.

The challenges of the next few years will unfold in a field where the rules are still being written, and where the people writing them matter enormously. Through initiatives like the University of Maryland's Artificial Intelligence Interdisciplinary Institute, academic institutions are ensuring they have a seat at the table as governance frameworks take shape. The goal is clear: build the infrastructure that allows laws to work, not just pass laws and hope they stick.