What is sectoral and horizontal AI regulation?

AI regulation: concepts, institutions and standards

Sectoral AI regulation means AI is governed mainly through existing industry-specific rules and supervisors, such as medical device, financial services or transport regulators. Horizontal AI regulation means a cross-sector framework applies common rules across many uses of AI, for example baseline duties on transparency, risk management, documentation or prohibited practices. In practice, most systems are hybrids: a horizontal layer sets broad rules, while sector regulators add stricter context-specific duties where safety, rights or market integrity are at stake.

What this means

An omnibus or horizontal AI framework asks a broad question: what minimum rules should apply wherever AI is developed, supplied or used? It usually creates common definitions, common duties and common governance expectations across more than one sector.

Sectoral AI regulation asks a different question: what extra controls are needed in a specific domain such as healthcare, banking, transport or employment? It normally works through existing laws, existing supervisors and existing approval or oversight channels in that sector.

Most organisations do not face a pure choice between the two. They face layers. A cross-sector layer may set baseline duties, while sector law, product safety law, consumer law, data protection law or professional rules add more specific requirements depending on the use case. There can also be issue-based rules that cut across sectors without being a standalone AI law.

Why it matters

This distinction matters because many teams ask the wrong first compliance question. They ask, "Is there an AI law here?" The better question is, "Which horizontal rules, sector rules and existing legal duties attach to this use of AI, in this jurisdiction, with this business role?"

That shift changes practical governance. A founder needs to know whether a product fits inside a medical device pathway, a buyer needs to know whether a vendor's paperwork is enough for regulated use, and a board needs to know which regulator could expect records, testing evidence, human oversight, incident handling or explainability. If you map the model but not the context, you can miss the rules that matter most.

It also matters for strategy. Horizontal frameworks can simplify governance across a portfolio, but sector supervision often sets the hardest edge cases because specialist regulators already control safety, prudential soundness, market conduct or professional practice. Mature organisations therefore build one reusable governance spine, then tune it for each regulated use.

How it works

Horizontal, sectoral and omnibus are related but not identical

"Horizontal" means cross-sector. It describes scope. The same baseline rules can apply across many industries or applications. "Omnibus" usually means those cross-sector rules are gathered into one broad framework, such as a statute, treaty or policy architecture. A regime can be horizontal without being a single all-purpose law. NIST's AI RMF, for example, is cross-sector and voluntary rather than a binding omnibus statute.

This is also a different question from whether a regime is risk-based, principles-based or technology-neutral. Either a horizontal or a sectoral model can be risk-based. Either can rely on principles. Either can be written as AI-specific rules or applied through broader technology-neutral law.

Horizontal frameworks set common baseline duties

A horizontal framework usually starts by defining the actors and the common controls expected across many uses of AI. Those controls may include transparency duties, risk management, technical documentation, record keeping, human oversight, testing, governance arrangements and, in some systems, prohibited practices or special duties for higher-risk uses. The point is consistency: similar baseline expectations apply even when the AI is used in different sectors.

Horizontal instruments also allocate responsibility across the value chain. A mature framework often distinguishes between those who build, adapt, place on the market, procure, deploy or import AI. That matters because the compliance burden is rarely identical for a model developer, a product manufacturer, a downstream deployer and a buyer using a third-party tool.

Sectoral supervision works through domain law and specialist institutions

Sectoral regulation does not wait for a state to pass a single AI law. It uses existing legal hooks and specialist supervisors. In healthcare, that may mean medical device review, safety and effectiveness evidence, quality systems and post-market controls. In consumer credit, it may mean fair lending, reasons for adverse decisions and conduct supervision. The core idea is that the risk is inseparable from the domain in which the system is deployed.

This approach can be more demanding than a general AI framework because sector supervisors already understand the harms they are policing. They know what counts as acceptable evidence, what documentation must be kept, what human review is needed and what reporting routes exist when something goes wrong.

Most real regimes are hybrids

In practice, the split is rarely clean. Current example: the EU AI Act is horizontal in structure because it lays down common rules across the Union and assigns duties to providers, deployers, importers and distributors. But where AI is part of a product already governed by listed EU product laws, the Act folds its requirements into existing conformity assessment and market surveillance channels, and in some cases the relevant sectoral procedures continue to apply instead.

Current example: the UK's published model is different. It uses cross-sector principles, then expects existing regulators to interpret and apply them within their own remits and under existing law. The practical result is that organisations often need both a common AI governance layer and sector-specific controls.

At the international level, the same pattern appears again. Some instruments are horizontal because they set broad principles for AI across domains, but they still leave implementation to domestic law, existing authorities or alternative compliance routes for the private sector. So the real world is not horizontal or sectoral. It is horizontal plus sectoral.

Standards make the model operational

Law tells organisations what must or should be controlled. Standards and frameworks make those controls usable in day-to-day governance. NIST AI RMF 1.0 is voluntary and non-sector specific. Its Generative AI Profile is a cross-sector companion resource for general-purpose and generative systems. ISO/IEC 42001 adds a management-system structure that can be used across industries.

Together, these instruments help organisations produce repeatable evidence such as policies, inventories, testing records, escalation paths, supplier controls, review records and management accountability. They do not replace law, but they help teams show that governance is systematic rather than improvised.

The real trigger is the use context, not just the model type

The same underlying model can sit under very different rule sets depending on what it is doing, for whom, and in which market. A general-purpose model used for internal drafting support may mainly engage internal governance and contract controls. The same model used to deny credit, support a clinical decision or act as a safety component in a regulated product can trigger much heavier supervisory attention.

That is why the first scoping exercise should map intended use, affected people, regulated sector, geography and business role before anyone argues about whether the model is "the same" as another deployment. In regulatory terms, the surrounding workflow often matters more than the abstract capabilities of the model in isolation.

Examples

Current example: in the EU, a manufacturer placing AI inside a product covered by listed EU product legislation, such as a medical device, does not treat the AI Act as a completely separate compliance universe. The AI Act requires its high-risk requirements to be built into the relevant conformity assessment, and for certain product-linked systems the existing sectoral market surveillance procedures continue to apply.

Current example: a creditor in the United States cannot avoid fair lending and adverse action duties by saying a model is too complex to explain. The CFPB has said that ECOA and Regulation B apply regardless of the technology used, and that creditors must still provide specific and accurate reasons when adverse action is taken. That is sectoral supervision using existing financial law rather than a new general AI rule.

Current example: an FDA-regulated device maker using an AI-enabled device software function is being asked for lifecycle documentation that supports FDA review of safety and effectiveness. That is sectoral AI regulation in practice. The regulator is not asking for a generic "responsible AI" statement. It is asking for evidence framed by medical device review and total product lifecycle controls.

Common misunderstandings

Misunderstanding: horizontal AI regulation always means one central AI regulator. Correction: a framework can be horizontal because the rules are cross-sector, even if enforcement is shared across existing authorities.

Misunderstanding: sectoral regulation means AI is mostly unregulated until a sector writes AI-specific rules. Correction: existing sector laws can already govern AI use, sometimes very strictly.

Misunderstanding: standards are the same thing as law. Correction: frameworks such as NIST AI RMF or ISO/IEC 42001 help organise controls and evidence, but legal duties still come from legislation, regulation, supervision, contract or procurement terms.

Misunderstanding: once a model is classed as low or high risk, that label follows it everywhere. Correction: risk and obligation often depend on the deployment context, intended purpose and affected people.

Misunderstanding: a horizontal law removes the need to understand sector rules. Correction: in many important use cases, sector supervisors still control the approval path, reporting route or review standard.

Risks and boundaries

This distinction is a governance map, not a complete legal test. Real compliance usually sits in overlapping layers: horizontal AI rules, sector law, product law, data protection, consumer protection, discrimination law, cybersecurity and contract.

Both models have limits. A purely horizontal regime can miss domain nuance and push too much interpretation onto guidance or future standards. A purely sectoral regime can fragment expectations, create gaps for general-purpose tools that travel across sectors, and make it harder for suppliers to maintain one common control set.

Legal status also varies, and can move. The EU AI Act is binding EU law with staged application, beginning with the prohibited practices and AI literacy duties from 2 February 2025 and the general-purpose model and governance rules from 2 August 2025. The high-risk obligations were originally set for 2 August 2026, but a provisional political agreement reached in May 2026 under the Digital Omnibus would defer them: the use-based Annex III obligations move to 2 December 2027 and the obligations for AI embedded in regulated products such as medical devices move to 2 August 2028. As at mid-2026 that agreement is provisional and takes legal effect only on formal adoption and publication, so until then the original 2 August 2026 date technically still governs. The point for this article is that the horizontal layer itself carries live timing uncertainty, so verify the current legal position before relying on any specific date.

The UK's published framework documents describe a regulator-led, non-statutory and context-specific approach. The Council of Europe Framework Convention is a binding treaty for parties, but it leaves states choices about how to implement its obligations for the private sector.

Supporting standards and guidance can also move over time. For example, FDA's cited medical device text is draft guidance, not final law, so organisations should separate confirmed duties from developing supervisory expectations.

What to do next

Start with a use-case inventory, not a model inventory alone. Record what the system does, who it affects, where it is deployed, and whether it sits inside a regulated product or service.

Map three layers for each important use: the horizontal layer, the sector layer and the existing legal overlays such as product, data, consumer or professional rules.

Choose one reusable control framework for internal governance, then adapt it by context. For many teams, that means using a cross-sector framework such as NIST AI RMF, and where useful an AI management-system approach, so evidence is produced in a consistent way across business units.

Ask suppliers for context-matched evidence. Generic claims about being "responsible" are weak. Ask instead for intended use limits, testing records, human oversight design, change management, incident handling, relevant approvals and any sector-specific documentation.

Assign a named owner for horizon scanning. The hardest failures in AI governance often come from treating every rule, standard and guidance document as if it had the same legal force, or from missing that a low-friction internal tool has moved into a regulated workflow.

FAQs

Is horizontal AI regulation always stricter than sectoral regulation?

No. Horizontal rules create common baselines, but sectoral regimes can be stricter where safety, prudential supervision or professional duties are already mature.

Can one AI system fall under both horizontal and sectoral regulation at the same time?

Yes. That is common. A cross-sector framework may set baseline duties, while a sector supervisor adds domain-specific requirements for the same deployment.

Is an omnibus AI law the same thing as horizontal AI regulation?

Not always. An omnibus law is one way to implement horizontal regulation, but cross-sector governance can also be built through treaties, principles, guidance or standards.

Are NIST AI RMF and ISO/IEC 42001 legally binding?

Not by themselves in the way a statute or regulation is. They are operating frameworks that help organisations structure governance, controls and evidence. Their practical weight can still increase if regulators, contracts or procurement processes rely on them.

Why does the use case matter more than the underlying model?

Because law and supervision usually attach to the function being performed, the people affected and the market in which the system is used. The same model can be low-friction in one setting and heavily regulated in another.

Does sectoral regulation only apply to highly specialised AI?

No. It often applies to ordinary tools used in a regulated activity. What matters is the regulated function, not whether the model itself is novel.

What should a buyer ask before procuring AI for a regulated process?

Ask which jurisdictions and sectors the vendor has mapped, what the intended use and limits are, what testing and monitoring evidence exists, who can override the system, and what documentation supports any regulated deployment.

Sources