Governed Agentic AI by Industry · Part 3

One policy plane for a company that answers to many laws

Multinationals do not get one AI regulator. They get all of them at once: the EU, the US state patchwork, China, the UK, Singapore, and more, each writing different rules for the same technology. This part of the series is about the architecture that lets one company run agents everywhere it operates: regional gateways, regionally approved models, and local-law policy overlays, all under a single global policy and identity plane.

Multinational · Regional Operations EU AI Act · PIPL · State Patchwork · FCA · MAS Regional policy overlays Data residency by design Product-agnostic patterns
A dark world map with glowing gateway nodes rising from several regions, all connecting into one luminous policy plane floating above, with a shield emblem at its center and a soft data-residency boundary drawn around one region.
Regional gateways, regionally approved models, one global policy plane above them all.

The first two parts of this series looked at single industries: manufacturing and insurance. This one looks at a dimension that cuts across every industry: geography. Because the moment a company operates in more than one jurisdiction, its AI program stops being one program. It becomes several programs wearing the same badge, each answering to a different set of laws, and each drifting away from the others unless something structural holds them together.

1 · The problem: one company, many rulebooks

AI regulation is not converging into a single global standard. It is converging into a family of standards that rhyme but do not match.

European Union

The EU AI Act imposes risk-tiered obligations: logging, transparency, human oversight, and data governance, with reach into any system serving EU users. GDPR sits underneath it, governing what personal data may feed a model at all.

China

PIPL localizes personal data. The generative AI measures regulate what models may be offered and how content is handled. In practice, Western frontier models are unavailable, and in-country models are the working option for local teams.

United States

No single federal AI law; instead a growing patchwork of state statutes, sector rules, and FTC enforcement positions. What is permitted in one state may carry disclosure or testing obligations in another.

UK & Asia-Pacific

The FCA reaches algorithmic decisions affecting customer outcomes. Singapore's MAS publishes fairness and explainability expectations. Data-residency requirements appear across the Gulf, India, and Southeast Asia in sector-specific forms.

Each regime is manageable on its own. The failure mode is what happens when a company handles them separately: a different AI stack per region, a different policy per stack, and no way to state, let alone prove, what the company's AI is doing globally.

The sharpest version of the problem is the region where the global stack simply does not reach. A multinational's teams in China cannot use the frontier models the rest of the company runs on, so they use capable in-country alternatives. That usage then happens entirely outside the company's governance perimeter: no policy enforcement, no caching, no telemetry, no audit trail. From headquarters it is a black hole. Traffic goes in, and nothing comes back.

Split comparison: on the left, regional employees send traffic directly into an ungoverned black hole with no policy, caching, or audit; on the right, the same employees flow through an in-country governed gateway with identity, policy, and cache, producing full telemetry visible to global headquarters.
The regional black hole, and the same traffic through an in-country governed gateway.

2 · Why the usual fixes fail

Three approaches get tried, and all three fail structurally.

Policy that lives inside each application is policy that forks. Policy that lives in the layer every application passes through is policy that holds.

3 · The architecture: regional gateways under one global plane

The structural answer mirrors how multinationals already run networks and identity: local presence, central control.

A governed gateway deploys in each region, inside infrastructure that satisfies local law: the company's own facilities or an in-region cloud. Every agent, application, and user in that region reaches AI through the regional gateway. Above all the gateways sits a single global policy and identity plane: one place where policy is defined, one corporate identity source, one audit format, one cost ledger.

Architecture diagram: one global policy and identity plane spanning global regions and China; each region has its own gateway routing users to regionally approved models, with unified telemetry, cost, and audit flowing to a shared layer below.
One policy and identity plane. Regional gateways. Regionally approved models. Unified telemetry.

The division of labor is precise:

4 · Regional policy overlays: alignment to local law as configuration

The overlay mechanism deserves its own section, because it is what turns "we comply with local regulations" from an aspiration into a control.

A regional overlay is a small, reviewable set of policy statements layered onto the global baseline. Examples of what an overlay expresses:

Residency rules

Personal data classes that must not leave the region, enforced by redaction or refusal on the request path, not by trust in application developers.

Approved model sets

The EU overlay might exclude models that cannot meet logging obligations. The China overlay routes to Qwen, DeepSeek, Kimi, or locally served models. The US overlay may differ by state-sensitive workflow.

Oversight thresholds

Which actions require a verified human approval in this jurisdiction, reflecting local requirements for consequential or automated decisions.

Disclosure & retention

Per-region logging depth, retention windows, and disclosure formats, so a local data call is answered from local records in the expected shape.

Because overlays are configuration on one shared policy engine, three things become possible that forked stacks can never do. Legal can read the actual difference between regions as a diff, not a discovery project. A new regulation lands as an overlay change, not a re-platforming. And the global baseline, the floor no region may drop below, is enforced by the same machinery everywhere.

The question this answers

"Show me your company's AI controls in every country you operate in, and prove they were actually applied." With forked regional stacks, that question takes a quarter to answer badly. With one policy plane and regional overlays, it is a report, generated from the same records the enforcement path produced.

5 · What headquarters gets back

Routing every region through a governed gateway does not just satisfy local law. It closes the visibility gap that regional AI created in the first place.

Unified telemetry

Every model call in every region produces the same usage, cost, and audit records. The black-hole region becomes just another region on the dashboard.

Global cost governance

Per-team, per-region, per-workflow cost attribution in one ledger, with caps and routing rules applied consistently. Semantic caching serves repeated traffic locally, which also matters where in-region model capacity is constrained.

One audit story

A single tamper-evident audit format worldwide. Local regulators get local records; the board gets the global picture; both come from the same chain.

The exhaust flywheel, per region

Each region's traffic can distill into small, specialized local models served inside that region's perimeter, cutting cost and latency while keeping data home. Governance stays constant regardless of which model answers.

6 · The operating model

The architecture holds when the organization around it is explicit, and the multinational version adds one rule the single-market version does not need.

Own the baseline centrally, own the overlays regionally

One global function owns the policy baseline and the shared plane. Each region owns its overlay, with local legal and compliance review, inside limits the baseline sets. That split respects the reality that local teams know local law best, without letting local knowledge become global fragmentation.

Publish the regional catalogs

Every region's approved model and tool catalog is published, versioned, and visible. Teams building agents know what they may use where, before they build, and an agent promoted from one region to another is re-validated against the destination overlay as a routine step.

Treat new regulation as an overlay change

When the next AI act lands, the response is a policy review and an overlay update, shipped through the same review process as any other change. That is the difference between a governance program that absorbs regulatory motion and one that is re-architected by it.

Governed Agentic AI by Industry. This is Part 3. Part 1 covered manufacturing and Part 2 covered insurance. Follow along if you are working out how to expand AI capability without expanding AI risk.