
Nine Blind Spots in the EU AI Act: Why the World's First Comprehensive AI Regulation Is Not Enough

The EU AI Act is a landmark, but three recent studies expose its structural blind spots: nine regulatory gaps, from information asymmetry to jurisdictional limits, plus an open-source exemption and a military exclusion that leave whole ecosystems unregulated. OpenAI's own documents, meanwhile, confirm the drift from 'ethics' to 'safety' rhetoric. CSR frameworks and geopolitical risk taxonomies may fill what law alone cannot.

By Sean K.S. Shin
This blog summarizes research trends based on published paper abstracts. Specific numbers or findings may contain inaccuracies. For scholarly rigor, always consult the original papers cited in each post.

The EU AI Act entered into force in 2024, establishing the world's first risk-based regulatory framework for artificial intelligence. It was celebrated as a watershed moment—proof that democratic governance could keep pace with technological change. But celebration should not preclude scrutiny. Three recent studies, approaching AI governance from corporate responsibility, geopolitical risk, and organizational discourse respectively, converge on an uncomfortable conclusion: the Act contains structural blind spots that no amount of enforcement can fully address.

The question is not whether the EU AI Act is good legislation. It is. The question is whether legislation alone is sufficient—and the evidence suggests it is not.

The Research Landscape

Nine Regulatory Gaps and the CSR Bridge

Brown, Harmon, and Yaacoub (2025), writing in the Journal of Business Ethics, identify nine specific regulatory gaps in the EU AI Act. These are not minor oversights but structural limitations inherent in the attempt to regulate a rapidly evolving technology through static legal categories.

The nine gaps include: (1) information asymmetry between developers and regulators—companies know far more about their systems than any regulator can verify; (2) jurisdictional limitations that leave global AI supply chains partially outside EU authority; (3) black-box opacity where even developers cannot fully explain model behavior; (4) risk classification rigidity that may misclassify novel AI applications; (5) liability ambiguity across the AI value chain; (6) enforcement resource constraints; (7) innovation deterrence from compliance costs; (8) cross-border coordination failures; and (9) temporal lag between technological change and regulatory updates.

Their proposed solution is not more regulation but a complementary framework: Corporate Social Responsibility (CSR) structured around transparency, accountability, and sustainability principles. The argument is that CSR can operate in the gaps between legal requirements—companies can commit to transparency standards beyond what the law mandates, adopt accountability mechanisms faster than legislation can be amended, and integrate sustainability considerations that the Act largely ignores.

A Geopolitical Risk Taxonomy

Arda (2024) approaches the same problem from a different angle: the geopolitical forces that shape how AI risks manifest and how regulation responds to them. The paper proposes a 12-category taxonomy of AI risks organized along four dimensions: geopolitical pressure, malicious use, environmental-social-ethical impact, and privacy erosion.

Three findings are particularly relevant to the EU AI Act's blind spots. First, the open-source exemption: the Act exempts AI systems and general-purpose models released under free and open-source licences from most of its obligations (the exemption does not reach prohibited or high-risk systems, nor general-purpose models classified as presenting systemic risk), yet an open-weight model can be weaponized just as easily as a proprietary one. Second, the military exclusion: AI systems placed on the market or put into service exclusively for military, defence or national security purposes fall outside the Act's scope, creating a parallel unregulated ecosystem. Third, the Brussels Effect uncertainty: the assumption that EU regulation will become a global standard, as GDPR did, is far from guaranteed. Unlike data protection, AI development is concentrated in the US and China, where regulatory philosophies differ fundamentally.

The Ethics-to-Safety Drift at OpenAI

Wilfley, Ai, and Sanfilippo (2026) provide the most empirically grounded evidence that corporate self-governance cannot be relied on to keep AI development ethical. Their study analyzes 454 publicly available OpenAI documents using computational text analysis, revealing a dramatic discursive shift.

Of the 424 web articles in the corpus, only 3.8% mention "ethics", roughly 16 articles. The 30 OpenAI-authored and co-authored publications fare better at 17.2%, but even there ethics language appears peripherally. Meanwhile, "safety" and "risk" dominate both corpora, functioning as gravitational hubs in the organization's semantic network. The authors read this as ethics washing: the strategic replacement of ethical commitments with narrower safety rhetoric that is more amenable to corporate control. "Safety" can be defined operationally by the company itself; "ethics" implies external normative standards that constrain corporate autonomy.
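The two document-level measures the study reports, the share of documents that mention a term and which terms act as hubs of a co-occurrence network, can be reproduced with standard-library Python. The block below is an added example written for this post; it is not code from the Wilfley et al. study and does not run on OpenAI's documents. The mini-corpus is constructed from made-up sentences, and the stem list, the word-initial prefix-matching rule, and the document-level co-occurrence weighting are all assumptions about how such an analysis might be set up.

```python
from __future__ import annotations

import re
from collections import Counter
from itertools import combinations

# Constructed mini-corpus standing in for the study's two document sets
# (web articles vs. OpenAI-authored publications). These are made-up
# sentences for illustration, not actual OpenAI text.
WEB_ARTICLES = [
    "The lab published a safety update describing risk mitigations for the new model.",
    "Deployment was delayed while the safety team reviewed risk evaluations.",
    "A new alignment method reduces risk of harmful outputs, the company says.",
    "Investors focused on growth; safety and risk were mentioned only briefly.",
    "The report outlines capability evaluations and red-teaming for safety.",
    "Critics argue the ethics of data collection were never addressed.",
    "The model card lists risk categories and safety thresholds.",
    "A policy post frames governance as a safety and risk management problem.",
]
PUBLICATIONS = [
    "We evaluate safety risk via adversarial testing and discuss ethical implications.",
    "Scaling laws for risk-aware training with safety constraints.",
    "Alignment research: safety, risk, and the limits of reinforcement learning.",
]

# Assumed vocabulary of stems to track ("ethic" covers ethics/ethical).
STEMS = ["ethic", "safety", "risk", "alignment", "governance", "evaluation"]


def mentions(doc: str, stem: str) -> bool:
    """True if some word in doc starts with the stem (case-insensitive).

    Word-initial matching deliberately ignores compounds such as
    "bioethics"; widen the pattern if those should count.
    """
    return re.search(rf"\b{re.escape(stem)}", doc, re.IGNORECASE) is not None


def doc_frequency_share(docs: list[str], stem: str) -> float:
    """Fraction of documents mentioning the stem at least once."""
    if not docs:
        return 0.0
    return sum(mentions(d, stem) for d in docs) / len(docs)


def cooccurrence_hubs(docs: list[str], stems: list[str]) -> list[tuple[str, int]]:
    """Rank stems by weighted degree in a document-level co-occurrence graph.

    Edge weight (a, b) = number of documents mentioning both a and b.
    A stem's weighted degree is the sum of its edge weights; the top of the
    ranking is the "hub" of the corpus's semantic network.
    """
    edges = Counter()
    for doc in docs:
        present = sorted(s for s in stems if mentions(doc, s))
        for a, b in combinations(present, 2):
            edges[(a, b)] += 1
    degree = Counter()
    for (a, b), weight in edges.items():
        degree[a] += weight
        degree[b] += weight
    # Include stems with no co-occurrences so the ranking covers the vocabulary.
    ranked = [(s, degree.get(s, 0)) for s in stems]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for name, docs in (("web articles", WEB_ARTICLES), ("publications", PUBLICATIONS)):
        share = doc_frequency_share(docs, "ethic")
        print(f"{name}: {share:.1%} of documents mention ethic*")
        print("  hubs:", cooccurrence_hubs(docs, STEMS)[:3])
```

Two caveats apply to any reading of such numbers. Prefix matching counts a word like "ethics" once per document regardless of how central it is, and document-level co-occurrence ignores distance within a text, so a published study would normally use windowed co-occurrence or an embedding-based network. Either way, the measure captures what an organization says, not what its release and evaluation processes do.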

The study concludes that governance must be "exogenously imposed"—it cannot emerge from within organizations that have economic incentives to define the boundaries of their own ethical obligations.

Critical Analysis

Claim: The EU AI Act contains nine structural regulatory gaps
Evidence: Systematic analysis of Act provisions against known AI governance challenges
Verdict: ✅ Supported. The gaps are real and well documented across multiple sources.

Claim: CSR can complement regulation where law falls short
Evidence: Theoretical framework mapping CSR principles to specific regulatory gaps
Verdict: ⚠️ Plausible but unproven. Voluntary CSR has a mixed track record in technology sectors.

Claim: The Brussels Effect may not apply to AI regulation
Evidence: Comparison with GDPR adoption patterns; AI development concentrated in the US and China
Verdict: ⚠️ Uncertain. Too early to assess, but the structural differences from data protection are real.

Claim: OpenAI has shifted from ethics to safety rhetoric
Evidence: Computational analysis of 454 documents; "ethics" appears in 3.8% of web articles and 17.2% of publications; safety and risk dominate both corpora
Verdict: ✅ Supported with strong empirical evidence, though rhetoric does not necessarily equal practice.

Claim: AI governance must be externally imposed
Evidence: Case study of a single organization's discursive evolution
Verdict: ⚠️ Reasonable inference, but based on one case; generalizability to the industry requires broader evidence.

The most striking convergence across these three studies is that regulation, corporate self-governance, and geopolitical dynamics each fail on their own. The EU AI Act cannot reach global supply chains; CSR is voluntary and susceptible to ethics washing; geopolitical competition creates incentives to lower standards. The implication is that effective AI governance requires all three layers operating simultaneously—legal floors, corporate commitments above those floors, and international coordination to prevent regulatory arbitrage.

Open Questions

  • Enforcement capacity: The Act creates obligations, but do EU member states have the technical expertise and institutional resources to verify compliance with AI-specific requirements?
  • Open-source governance: Can regulation address the risks of open-source AI models without stifling the collaborative development that drives much of AI progress?
  • CSR credibility: How can CSR commitments be made binding enough to matter without becoming de facto regulation?
  • Global coordination: If the Brussels Effect fails for AI, what alternative mechanism could prevent a race to the bottom in AI governance standards?
  • Temporal dynamics: Given that AI capabilities advance faster than legislative cycles, is risk-based regulation inherently backward-looking?

What This Means for Your Research

For researchers working on AI governance, these three papers collectively suggest that the field needs to move beyond single-mechanism analyses. Studying regulation in isolation from corporate governance and geopolitical dynamics will produce incomplete accounts. The Wilfley et al. methodology—computational analysis of organizational documents—offers a replicable approach for tracking how AI companies' stated commitments evolve over time. For policy researchers, the gap between the Act's ambitions and its structural limitations provides a rich research agenda: each of the nine gaps identified by Brown et al. represents an empirical question about how regulation performs in practice.

References

[1] Brown, J., Harmon, D., & Yaacoub, C. (2025). Enhancing the EU AI Act Through Strategic CSR: A Framework for Addressing Regulatory Gaps in Artificial Intelligence Governance. Journal of Business Ethics.
[2] Arda, L. (2024). Taxonomy to Regulation: A (Geo)Political Taxonomy for AI Risks. Digital Society, 3, 38.
[3] Wilfley, K., Ai, R., & Sanfilippo, M. (2026). Competing Visions of Ethical AI: A Case Study of OpenAI. Big Data & Society.
