There is no universal legal definition of artificial intelligence. And for governance teams, that gap is the whole problem. A system that triggers compliance obligations under the EU AI Act may fall outside scope under Connecticut’s SB 1103. A risk scoring tool that qualifies as “AI” under the OECD definition may not meet the autonomy threshold in another jurisdiction. Getting the scoping wrong in either direction has real consequences.
Trustible’s AI Compliance Frameworks module was built for exactly this problem: map your AI systems against every applicable definition once, then maintain compliance as new frameworks emerge. This article examines where definitions actually diverge, compares major laws and standards side by side, and covers what changed between 2024 and 2026.
TL;DR: Most frameworks converge on “machine-based systems” that produce “predictions, recommendations, or decisions.” They split on four dimensions: mimicry of human thought, influence on environments, inputs and outputs, and degree of autonomy. The same system may qualify as AI under one framework and fall outside scope under another.
How major frameworks define AI: a side-by-side comparison
The table below shows how major frameworks and laws define AI. Most converge on the concept of a “machine-based system” that generates predictions, recommendations, or decisions, but they diverge significantly on scope, inputs, and what triggers regulatory obligations.
| Framework / Law | Year | Key definitional language | Themes emphasized |
|---|---|---|---|
| U.S. federal (15 U.S.C. § 9401) | 2020 | “A machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments” | Human cognition, environmental influence, inputs/outputs |
| EU AI Act (Article 3(1)) | 2024 | “A machine-based system… that may exhibit adaptiveness… and that infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions” | Autonomy, environmental influence, inputs/outputs |
| OECD (updated definition) | 2024 | “A machine-based system that, for explicit or implicit objectives, infers… how to generate outputs such as predictions, recommendations, or decisions that can influence physical or virtual environments” | Environmental influence, inputs/outputs, autonomy |
| NIST AI RMF | 2023 | Emphasizes systems that make predictions, recommendations, or decisions; references human-like cognitive abilities | Human cognition, inputs/outputs |
| ISO/IEC 22989 | 2022 | “Engineering discipline… to build systems that provide outputs such as predictions, recommendations, or decisions for a given set of objectives” | Inputs/outputs, environmental influence |
| Connecticut SB 1103 | 2023 | Emphasizes human-like cognitive abilities: learning, reasoning, self-correction | Human cognition, autonomy |
| Colorado SB 26-189 | 2026 | Focuses on “automated decision-making technology” (ADMT) that materially influences “consequential decisions”; imposes notice, disclosure, and human review obligations | Environmental influence, inputs/outputs |
The pattern is clear: frameworks anchored in U.S. federal statute and the OECD definition cast a wide net, while those rooted in technical standards like the International Organization for Standardization’s approach focus on engineering characteristics. The four sections that follow analyze each dimension of divergence. For a deeper comparison of how these frameworks operate in practice, see our analysis of NIST AI RMF, EU AI Act, and ISO 42001 compared.
Mimicry of human thought
Technical definitions of AI tend to focus on the machine’s ability to process information or perform functions similar to humans. AI definitions from the International Electrotechnical Commission and NIST’s AI Risk Management Playbook glossary emphasize a machine’s ability to replicate human intelligence. Connecticut’s SB 1103 also uses an AI definition that centers on human-like abilities: learning from experience, reasoning, and self-correction.
These definitions aren’t as concerned with the system’s inputs or outputs. The language narrows the scope of what counts as AI because it focuses on human-like function. A generative AI chatbot aligns with this framing because the interaction between user and system is human-like, and the system can learn from interactions to produce more refined outputs.
Conversely, definitions from bodies like the Organisation for Economic Co-operation and Development (OECD) emphasize input data, intended purpose, and resulting outputs. These definitions downplay abstract “human-like” functions and prioritize the system’s impact. This approach casts a wider net because it focuses on measurable effects: a product recommendation algorithm, a generative AI system, and a risk scoring tool would all fall within scope.
The distinction matters for governance teams. Laws like SB 1103 may exclude systems whose primary function isn’t human-like cognition, while frameworks following the OECD model capture nearly any system producing predictions, recommendations, or decisions. Start by identifying the intended goals of each system and clearly defining whether it’s meant to supplant or support human decision-making.
Influence on environments
Several AI definitions address how a system can influence a given environment, whether physical or virtual. The EU AI Act’s definition (modeled after the OECD’s) covers systems that “generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” The NIST AI Risk Management Framework and the U.S. federal definition use similar language.
The concept isn’t as straightforward as it sounds. These definitions don’t specify the degree to which an output must influence its environment. A product recommendation algorithm may not influence a real environment if the user ignores the suggestions. A risk scoring tool used in insurance underwriting, by contrast, directly shapes a consequential decision.
Some definitions do address this gap. Colorado’s law restricting insurers’ use of external consumer data and the U.S. federal definition both consider how an output informs a person’s decisions or actions. Under this framing, both the recommendation system and the risk scoring system qualify because they produce outputs that inform a decision.
For governance teams, the key question is whether a system’s outputs inform, support, or directly drive a decision. Map each system’s output chain to determine where “influence” begins under the frameworks that apply to your organization.
Inputs and outputs
An AI system requires inputs with an expectation of some output. The range of AI definitions offers differing perspectives on both.
On the input side, there is no consensus about sources. The U.S. federal definition addresses inputs generated from both humans and machines, whereas the EU AI Act and Canada’s Artificial Intelligence and Data Act (AIDA) didn’t focus on those distinctions. (Note: Canada’s Bill C-27, which contained AIDA, died when Parliament was prorogued in January 2025. No federal AI legislation is currently pending in Canada.) Some definitions, like the NIST AI RMF and SB 1103, exclude input specifications entirely.
Where input sources are not defined, other aspects of the definition must carry the weight. A product recommendation system relies on both user input (browsing history) and machine input (stored purchase logs). It aligns with defined input sources under the EU AI Act, but the NIST AI RMF definition offers no comparable anchor.
On the output side, definitions generally agree that AI systems produce predictions, recommendations, or decisions. The divergence is whether that list is closed or open-ended. AIDA covered only systems that “generate content or make decisions, recommendations or predictions.” The EU AI Act and ISO leave the outputs list open-ended, potentially capturing a broader range of system behaviors.
Risk scoring tools illustrate the ambiguity well. A final risk score may represent a prediction about future behavior, or it may simply be a snapshot of current lifestyle data. Most laws intend to capture such systems, but the definitional language can create loopholes depending on how “prediction” is interpreted. Document input sources and intended output types to assess where each system sits under each framework.
Degree of autonomy
AI systems generally function with some degree of autonomy, and most definitions capture this without drawing hard boundaries. The EU AI Act, ISO, and AIDA all referenced systems operating along a spectrum of autonomy without specifying a required level. Under these frameworks, a product recommendation algorithm, a generative AI system, and a risk scoring tool would all qualify.
Connecticut’s SB 1103 draws a firmer line. Its definition ties autonomy to human-like abilities: learning from experience and improving performance based on inputs. A risk scoring system that applies static weights may not meet this autonomy threshold. A product recommendation system may or may not qualify depending on whether it actively learns and improves from its data.
While the general consensus avoids defining AI based on a specific degree of autonomy, SB 1103 demonstrates that the issue can surface in regulatory frameworks. Document each system’s learning capabilities and adaptive behavior now. Preparing for both broad and narrow definitional approaches is faster than retrofitting documentation after a new law takes effect.
What changed in 2024-2026
Since this article was first published in February 2024, the regulatory environment around AI definitions has shifted significantly.
EU AI Act entered into force. The EU AI Act was published in the Official Journal on July 12, 2024, as Regulation 2024/1689, and entered into force on August 1, 2024. The Article 3(1) definition is now binding law. The first enforcement provisions, covering prohibited AI practices, took effect on February 2, 2025. General-purpose AI model obligations followed on August 2, 2025, and the most operationally significant deadline, full compliance requirements for high-risk AI systems, arrived August 2, 2026.
U.S. Executive Order replaced. President Biden’s Executive Order 14110 was revoked on January 20, 2025. It was replaced by EO 14179, “Removing Barriers to American Leadership in Artificial Intelligence” (signed January 23, 2025), which shifts the federal focus from prescriptive requirements to competitiveness. The underlying statutory definition at 15 U.S.C. § 9401 remains unchanged.
Canada’s AIDA died. Bill C-27, which contained the Artificial Intelligence and Data Act, died when Parliament was prorogued on January 6, 2025. Canada currently has no federal AI legislation pending.
Colorado’s AI law rewritten. Colorado signed SB 24-205 into law in May 2024, but the law never took effect as written. After two legislative sessions failed to produce amendments, a special session in August 2025 extended the effective date to June 30, 2026. On April 9, 2026, xAI filed a federal lawsuit challenging the law’s constitutionality, and the U.S. Department of Justice intervened in support, the first time the federal government has moved to invalidate a state AI law. A federal magistrate judge stayed enforcement on April 27, 2026. Rather than defend the original statute, the Colorado legislature rewrote it entirely. Governor Polis signed SB 26-189 on May 14, 2026, replacing SB 24-205 with a narrower disclosure-and-transparency framework covering “automated decision-making technology” (ADMT) used in consequential decisions. The new law drops the original’s risk management programs, impact assessments, and algorithmic discrimination duty of care in favor of targeted notice, adverse-outcome disclosure, correction rights, and meaningful human review obligations. It takes effect January 1, 2027, with enforcement contingent on rulemaking completion. See our full breakdown: everything you need to know about Colorado SB 205.
State-level proliferation. Multiple U.S. states have introduced or passed AI-related legislation since 2024, each with their own definitional approaches. The result is an increasingly fragmented regulatory map where a single AI system may meet the definition of “AI” under some state laws but not others. For more on what this fragmentation means for governance programs, read what the global pause on AI laws means for AI governance.
How Trustible helps organizations navigate AI definitions
The definitional divergence analyzed in this article is exactly the problem Trustible was built to solve. Organizations facing the EU AI Act, NIST AI RMF, ISO 42001, Colorado SB 26-189, and a growing list of state and international frameworks don’t need to track each definition manually. Trustible’s platform was purpose-built for this challenge.
Trustible’s AI Compliance Frameworks module applies a “document once, comply at scale” approach. Teams map a single set of governance controls across every applicable framework. When a new regulation introduces a new AI definition or when Trustible adds new frameworks to its library, existing documentation automatically maps to the updated requirements. Organizations don’t start from scratch each time the regulatory picture shifts.
Trustible’s Insights Taxonomies module provides continuously updated, expert-curated intelligence including a Regulations taxonomy that tracks evolving definitions across jurisdictions. Instead of monitoring legislative changes manually, governance teams get structured, current intelligence on which definitions apply to which systems and where new obligations are emerging.
What to do next
Use the comparison table above to identify which definitions apply to your AI systems today. Document each system’s inputs, outputs, and degree of autonomy, as these are the three dimensions where definitions diverge most consistently. If you operate across multiple jurisdictions, adopt an inclusive internal definition that covers the broadest regulatory scope you face, then narrow per framework as needed.
The organizations scaling AI adoption with confidence aren’t waiting for definitional clarity to arrive. They’re building governance programs that can absorb it when it does.
Request a demo to see how Trustible manages multi-framework compliance.
FAQ
The most cited U.S. federal definition comes from 15 U.S.C. § 9401, which defines AI as a machine-based system that can make predictions, recommendations, or decisions influencing real or virtual environments. Other jurisdictions define AI differently. There is no single universal legal definition.
Article 3(1) of the EU AI Act defines an AI system as a machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness, and that infers from its inputs how to generate outputs such as predictions, content, recommendations, or decisions. This definition became binding law when the EU AI Act entered into force on August 1, 2024.
Most modern AI legislation uses “artificial intelligence” as an umbrella term that includes machine learning, deep learning, and other computational techniques. Some older frameworks and technical standards distinguish between them, but the regulatory trend is toward broad definitions that capture any system producing predictions, recommendations, or decisions regardless of the underlying technique.
The definition determines whether your system falls under a regulation’s scope and triggers compliance obligations. A system classified as “AI” under one framework may fall outside scope under another. Getting the definitional mapping wrong means either over-investing in compliance for systems that aren’t covered, or missing obligations for systems that are.
NIST uses a broad, technology-neutral definition focused on systems that make predictions, recommendations, or decisions. The NIST AI RMF emphasizes the system’s ability to process information similarly to human cognitive functions while also considering the system’s intended impact, making it one of the more inclusive definitional approaches among major frameworks.
Yes. Colorado’s replacement law (SB 26-189, signed May 14, 2026) uses the term “automated decision-making technology” (ADMT) rather than “artificial intelligence,” and anchors scope in whether a system materially influences a “consequential decision.” The EU AI Act’s definition is broader, covering any system that generates predictions, recommendations, or decisions with varying levels of autonomy, regardless of whether it affects a consequential decision. An AI system could trigger EU AI Act compliance without falling under Colorado’s ADMT framework, and vice versa. Colorado’s new law takes effect January 1, 2027.
