Methodology

Classification logic & editorial process

How PAI turns a noisy world of regulator websites, draft bills, consultation papers, and court decisions into structured intelligence. Written plainly, because the value is in the judgement calls, not the pipeline.

Regulatory approach: the rubric

Every jurisdiction page carries a one-word label summarising how that country regulates AI. It's an editorial call made against this rubric, not a score, and we show the evidence so you can argue with it.

Comprehensive
A horizontal, AI-specific statute is in force covering multiple sectors. Examples: EU AI Act, Colorado AI Act, China's Interim Measures for Generative AI.
Sectoral
No horizontal AI law, but binding rules touching AI exist inside sector regimes: data protection, financial services, employment, product safety. Examples: US federal (SR-11-7, EEOC guidance), Japan, most of the Gulf.
Principles-based
Government has published a framework, white paper, or national strategy directing existing regulators to act, but no new statute. Examples: UK pre-2026 white paper, Australia's AI ethics framework, Singapore's Model AI Governance Framework.
Emerging
A draft AI bill or consultation is live. Nothing binding yet, but something is moving. Examples: Brazil PL 2338, India DPDP-adjacent proposals, Canada post-AIDA.
Not yet classified
We haven't identified a dedicated framework, sectoral overlay, or active bill. Either the jurisdiction genuinely hasn't moved, or our coverage is incomplete. Flag it and we'll look.
How we apply it. The label is derived from structured Airtable fields (in-force status, hierarchy, subject tags, pending bills) with a human editor reviewing the edge cases. When the computed label disagrees with a practitioner's gut — which happens most often for the UK, Singapore, and Japan — we sit on the editor's call and document why in the evidence panel. The goal isn't a clever algorithm; it's a defensible call that a regulated firm can take to a board meeting.

How we scan the world

PAI monitors just over 450 official sources across 250+ jurisdictions. The pipeline has machines in it, but the editorial decisions are made by people. Here's the flow:

  1. Source curation Human
    Our research team maintains the list of regulators, ministries, courts, and agencies we watch. A source only enters the list after an editor confirms it publishes primary material (statutes, decisions, consultations, guidance) rather than secondary commentary. Law firm blogs are not sources.
  2. Continuous collection Machine
    Every hour, scrapers check each source for new publications. We dedupe by canonical URL against what we've already seen.
  3. First-pass triage Machine, supervised
    New items are scored against our three practitioner personas (AI governance, privacy, cybersecurity) to decide whether they clear the relevance bar. The rubric is public to the team and adjusted whenever an editor overrides it.
  4. Editorial writeup Human-reviewed
    Items that pass triage get a structured Alert: what happened, why it matters, who it affects, what to do this week. Machine drafts are permitted; an editor signs off before anything reaches the platform. No opinion, no advice. We report and distil, we don't advocate.
  5. Structured extraction Machine
    Each Alert is linked to the underlying primary record (a Decision, a Guidance Document, a Case, a Consultation) so you can cite the source, not our summary.
  6. Continuous QC Human + machine
    An always-on agent rechecks published records for link rot, missing authorities, contradictions between the Alert and its linked source. Flags land in a queue an editor works daily.

The short version: machines surface what's new, humans decide what matters, humans write the words, and machines make sure the citations still work.

What we can't do, and how we handle it

Every regulatory intelligence product has blind spots. Pretending otherwise wastes your time and ours. Here are ours:

Official sources only. You won't read gossip here
Every record on PAI is sourced from a primary official publication: the regulator's own website, the court filing, the official journal, the parliamentary text. Law firm blogs, trade gossip, and unverified commentary are not sources.
A small exception — a handful of regulator and legislature websites are routinely unavailable, slow, or publish only in formats we can't reliably parse. In those cases we read a narrow set of community and academic databases as pointers to the primary source. The two we currently rely on are GDPRhub, a case-law and guidance database maintained by noyb and the University of Vienna that reproduces official DPA decisions verbatim alongside the original regulator link, and LegiScan, which mirrors every US state legislature's bills and is our fallback when a state portal is broken, migrated, or rejects access. We only publish once an editor has opened the primary document itself and confirmed the record.
Things regulators never publish
A lot of enforcement happens in settlement letters, supervisory dialogue, and confidential guidance. We can't see what isn't published, and we won't speculate about what's happening behind closed doors.
We label what we know and what we don't. Silence from a regulator is surfaced as "no public activity this quarter", not as "nothing is happening".
The line between guidance and law
In most common-law jurisdictions, regulator guidance isn't binding until a court treats it as authoritative, or a regulator enforces as if it were. Our structured tables (Law / Guidance / Decision / Case Law / Consultation) force a choice that the world doesn't always respect.
An Alert is a single narrative, not a single category. A document that is both guidance and an enforcement signal links to both structured tables, so it appears in each filter view with the same underlying story. The Alert body explains the dual character in plain English.
We are not your lawyer
PAI identifies what's happening and distils it accurately. We don't interpret it for your specific circumstances, and we don't tell you what to do.
Every page links to the primary source so you can form your own view, and our framing always separates "what the rule says" from "what a firm might do about it".
Mistakes
We will make them. A mis-tagged record, a bill marked "in force" that isn't, a citation that goes stale the week after we publish it.
Every page carries a flag-this link, corrections are logged in the changelog, and repeat patterns go into the QC agent's ruleset so the same mistake doesn't happen twice.
Why this page exists
Most regulatory trackers hide their methodology behind a "we use AI" label. We think that's backwards. The machines find the haystack; the humans find the needle. If you're relying on PAI for a compliance decision, you should know which bits we trust to whom, and where we've drawn a line because we'd rather be honest than complete.
Important — read alongside our Terms
PAI is an informational service only. Not legal or compliance advice. Don't rely on it for decisions affecting you or your organisation. Always seek professional advice for your specific circumstances. Full terms and our limitation of liability are in our Terms of Service.
Last reviewed April 2026 · Questions about classification? research@principlesai.org