AI Stack Fragmentation: Critical Decisions Under Geopolitical and Regulatory Divergence
A three-way contest over the future of AI infrastructure is reshaping the conditions of global business. The way companies navigate overlapping regulatory and geopolitical frameworks will determine whether large-scale capital investments translate into sustained value creation or structural constraint.
Brussels, Beijing, and Washington are each developing distinct legal frameworks — AI laws, data regulations, export controls, national security powers, and investment screening mechanisms — that collectively govern the technology stack defining the next decade of economic activity. These instruments reflect individual policy priorities, and in several important respects produce incompatible obligations for businesses operating across all three jurisdictions.
For firms deploying AI across borders, the result is not limited to incremental compliance complexity, but structural divergence in operating conditions. Decisions on architecture, vendor ecosystems, data geography, and market access increasingly sit at the intersection of capital allocation and regulatory exposure. Today, these represent enterprise design choices that define what the business can do, where it can operate, and what risks it is structurally willing to absorb.
I. The Brussels-Beijing-Washington Trilemma in AI Investment Decisions
At its core, AI governance is about safety. Every jurisdiction frames its AI regulation in those terms. But what “safety” means in practice diverges fundamentally across Brussels, Beijing, and Washington. Companies operating globally must navigate three major approaches that individually fluctuate.
AI systems are inherently borderless, designed to be developed, deployed, and accessed across multiple jurisdictions simultaneously. The current fragmentation along national lines makes firms operate under mutually incompatible rule sets across markets. In practice, this forces companies to localize models, data, and operations. While companies attempt to optimize across jurisdictions, incompatible requirements increasingly make effective arbitrage impossible, shifting competitive advantage from innovation to the capacity to absorb the cost of fragmented operations.
The intensifying focus on AI supply chains further compounds this fragmentation as states extend scrutiny beyond deployment into data, compute, and infrastructure layers itself. This effectively turns each layer of a single company’s system into a potential point of jurisdictional control.
Recent developments illustrate this trajectory. The issue of AI models associated with surveillance use cases has been spotlighted through Anthropic’s designation as a supply chain risk to national security due to usage restrictions. In the United States, AI remains governed primarily through sectoral instruments, and in this case procurement frameworks, rather than a unified federal statute. Brussels has a comprehensive regime under the EU AI Act, with exclusions for defense applications. China, in contrast, has moved toward explicit enablement of AI systems aligned with state-defined surveillance and content objectives.
These divergences are beginning to extend beyond regulatory philosophy into the practical design of digital systems and corporate operating models. As AI becomes embedded in enterprise software, cloud infrastructure, and data-intensive workflows, differences in rules governing data residency, model oversight, infrastructure access, and state authority increasingly shape how firms deploy and scale technology across jurisdictions. In some cases, companies can no longer assume that a single globally integrated AI platform will satisfy the requirements of the United States, the EU, and China through incremental localization alone. Instead, firms may need regionally segmented architectures, distinct governance processes, or locally controlled infrastructure in order to maintain market access and compliance. The result is that geopolitical and regulatory fragmentation is becoming not only a legal and operational issue, but also a strategic and architectural one for technology providers and enterprises alike.
II. Legal Instruments Are Shaping Strategic Outcomes
The regulatory environment is highly dynamic. Each jurisdiction is actively refining its instruments, and the pace of change is accelerating without convergence across regimes.
Brussels has built the most structurally complete framework. The EU AI Act is in phased enforcement, with prohibited practices in force since February 2025. Obligations for general-purpose AI models came into effect in August 2025, and requirements for high-risk systems will follow in August 2026. High-risk classification carries substantive obligations including conformity assessments, technical documentation, human oversight requirements, and registration in a public EU database — requirements that will demand significant operational preparation for businesses that have not yet begun. GDPR remains the data layer underneath all of it.
Beijing has introduced mandatory rules across several fronts. Three generative AI standards covering training data security, service security, and content labeling came into force in November 2025, applying to any company offering AI services to Chinese users. The regulatory focus is concentrated on training data provenance, content alignment with state-defined values, and systemic security certification.
Investment screening and merger reviews have become more active in transactions involving AI capabilities. The late-stage block of Meta’s $2billion purchase of Manus, a Chinese developer of autonomous AI agents, is the most recent reported move.
Washington operates through sectoral rules in the absence of a comprehensive federal AI law. Active instruments are primarily executive and administrative in nature, including semiconductor export controls, ICTS supply chain restructuring authority, entity listings, and outbound investment restrictions. These tools are being applied with increasing frequency across AI-related technologies and corporate relationships. Procurement frameworks and national security designations are increasingly shaping access to infrastructure and markets.
III. Risk Surprises Cascade Through the Stack and Supply Chain
Regulatory exposure under all three frameworks is determined not just by geography but by position in the AI value chain. The AI stack is also a dependency stack where constraints imposed at the semiconductor and infrastructure layers can propagate upwards through interconnected systems and supply chains.
Infrastructure layer (chips, cloud, compute)
This layer defines the outer limits of what can be built and where it can be run. It includes semiconductor supply, data centres, cloud infrastructure, and compute providers. The main policy tools are export controls, investment screening, and supply chain restrictions.
Concentration in specific regions or single providers creates structural exposure that may not be visible in commercial contracts but becomes binding under geopolitical or regulatory change. Control over upstream inputs such as gallium, germanium, and graphite reinforces this dynamic.
Cloud providers that extend beyond basic infrastructure — for example through managed AI services or integrated model offerings — may also be more deeply scrutinized as AI providers, beyond their infrastructure role.
Model layer (foundation and frontier systems)
A small number of players dominate this layer globally, but its regulatory reach extends far beyond them. Model providers are increasingly treated as part of national security-relevant supply chains across jurisdictions.
Under the EU AI Act, general-purpose AI models, especially those deemed to present systemic risk, carry significant obligations relating to risk management, technical documentation, evaluation, and ongoing oversight. In parallel, the United States and China are tightening controls through procurement rules, licensing regimes, and security-linked usage restrictions.
Application and deployment layer
Risk does not remain confined to model developers. In this layer, it can extend to any company that embeds foundation models into products or workflows, particularly where those systems are used in regulated or high-impact contexts such as hiring platforms, insurance underwriting, banking infrastructure, healthcare diagnostics, law enforcement analytics, border control systems, or critical public-sector services.
In the EU, obligations increase where companies act as a “provider” by developing or substantially modifying and deploying AI systems. In parallel with GDPR requirements governing large-scale personal data processing, this is also typically the layer where regulatory scrutiny, disputes, and reputational risk first materialise, as AI systems begin directly affecting individuals at scale.
Data layer
A single unified data architecture spanning EU and China environments is often difficult to operate in practice under current regulatory regimes. Chinese requirements under the PIPL and related data security laws can impose localisation obligations or strict approval processes for cross-border transfers, while the GDPR regulates international data transfers through adequacy mechanisms and safeguards.
As a result, companies frequently need to implement jurisdictional controls or segmented data flows across training and operational datasets. A single unified data architecture spanning EU and China environments is increasingly difficult to sustain under current rules. Chinese localisation requirements under PIPL and EU transfer requirements under GDPR require separation of datasets by jurisdiction, including training and operational data.
V. Leadership Decisions: Weighing the Options
The potential opportunities and mitigations to the scenarios above are essentially a set of critical choices about capital allocation, strategic positioning, and acceptable risk.
The architecture decision is the most consequential. A single global AI platform is not a neutral default — it is a position that assumes the three jurisdictions’ requirements will remain sufficiently compatible and that infrastructure options will remain available across all markets. Those assumptions are difficult to defend.
A possible mitigation in the form of federated architecture with distinct stacks for China and global operations, built to EU standard as the baseline — is more expensive and more complex. However, it is the most likely to be defensible across all three jurisdictions. In the absence of prescribed methodology, ISO/IEC 42001, the AI management system standard recognised by both EU and Chinese standards bodies, is the most practical starting point. The capital expenditure and timeline requirements for federated architecture should be weighed against the cost of being unable to serve certain markets, blocked deals, or lost procurement bids.
The vendor and supply chain decision requires aggregating and mapping current supplier relationships by jurisdictional concentration. Companies should look at all their critical dependencies together (cloud provider, model, data sources, compute infrastructure) to see how heavily they are clustered within one country. If there is significant concentration, the question is whether alternatives are available and at what cost and disruption. Existing contracts need to be assessed against the scenarios in the current environment.
The decoupling scenario exercise. Scenario planning is worth running now as it determines the degree to which companies are prepared to respond to volatility. This exercise is especially critical for companies with significant cross-border data and AI integration, exposure to regulatory divergence across jurisdictions, limited visibility over internal dependency structures, and business models that rely on shared platforms or infrastructure spanning multiple regions, particularly in regulated sectors such as finance, insurance, healthcare, and critical infrastructure. It forces a clear view of the time and cost required to fully separate operations in any jurisdiction from a global stack if compelled to do so, bearing in mind that orders to unwind integrated operations or spin off business units may be imposed by authorities even years after transactions have closed.
The board briefing. A briefing that extends well beyond operational reporting or a compliance update should be brought to the board as a matter of strategic necessity. Decisions taken — or deferred — on AI architecture, supplier dependencies, and regulatory positioning are already embedding long-term structural exposure into the business. Strategy-level board discussion should therefore focus on the trade-offs between choices made proactively versus those imposed by regulatory intervention, and how current architectural decisions either preserve or erode future flexibility.
As boards place greater emphasis on AI governance and control frameworks, there is a corresponding expectation that management articulates a clear investment case for proactive structural preparedness. This is now a leadership imperative: to move the conversation from compliance assurance to strategic resilience, and to ensure the business is positioned to act rather than react as regulatory and geopolitical constraints tighten.
VI. Conclusion
The central challenge for leaders is how to design and scale AI in an environment where regulatory and geopolitical alignment is continuously shifting alongside technological and business model change. Competitive advantage will increasingly accrue to companies capable of operating across mutually incompatible regulatory regimes without sacrificing operational continuity and strategic flexibility. In this context, AI architecture decisions are not technical implementation choices — they are long-term strategic commitments that will define market access, cost structure, and speed of execution over the coming decade.