Multinationals do not get one AI regulator. They get all of them at once: the EU, the US state patchwork, China, the UK, Singapore, and more, each writing different rules for the same technology. This part of the series is about the architecture that lets one company run agents everywhere it operates: regional gateways, regionally approved models, and local-law policy overlays, all under a single global policy and identity plane.
The first two parts of this series looked at single industries: manufacturing and insurance. This one looks at a dimension that cuts across every industry: geography. Because the moment a company operates in more than one jurisdiction, its AI program stops being one program. It becomes several programs wearing the same badge, each answering to a different set of laws, and each drifting away from the others unless something structural holds them together.
AI regulation is not converging into a single global standard. It is converging into a family of standards that rhyme but do not match.
The EU AI Act imposes risk-tiered obligations: logging, transparency, human oversight, and data governance, with reach into any system serving EU users. GDPR sits underneath it, governing what personal data may feed a model at all.
PIPL localizes personal data. The generative AI measures regulate what models may be offered and how content is handled. In practice, Western frontier models are unavailable, and in-country models are the working option for local teams.
No single federal AI law; instead a growing patchwork of state statutes, sector rules, and FTC enforcement positions. What is permitted in one state may carry disclosure or testing obligations in another.
The FCA reaches algorithmic decisions affecting customer outcomes. Singapore's MAS publishes fairness and explainability expectations. Data-residency requirements appear across the Gulf, India, and Southeast Asia in sector-specific forms.
Each regime is manageable on its own. The failure mode is what happens when a company handles them separately: a different AI stack per region, a different policy per stack, and no way to state, let alone prove, what the company's AI is doing globally.
The sharpest version of the problem is the region where the global stack simply does not reach. A multinational's teams in China cannot use the frontier models the rest of the company runs on, so they use capable in-country alternatives. That usage then happens entirely outside the company's governance perimeter: no policy enforcement, no caching, no telemetry, no audit trail. From headquarters it is a black hole. Traffic goes in, and nothing comes back.
Three approaches get tried, and all three fail structurally.
Policy that lives inside each application is policy that forks. Policy that lives in the layer every application passes through is policy that holds.
The structural answer mirrors how multinationals already run networks and identity: local presence, central control.
A governed gateway deploys in each region, inside infrastructure that satisfies local law: the company's own facilities or an in-region cloud. Every agent, application, and user in that region reaches AI through the regional gateway. Above all the gateways sits a single global policy and identity plane: one place where policy is defined, one corporate identity source, one audit format, one cost ledger.
The division of labor is precise:
The overlay mechanism deserves its own section, because it is what turns "we comply with local regulations" from an aspiration into a control.
A regional overlay is a small, reviewable set of policy statements layered onto the global baseline. Examples of what an overlay expresses:
Personal data classes that must not leave the region, enforced by redaction or refusal on the request path, not by trust in application developers.
The EU overlay might exclude models that cannot meet logging obligations. The China overlay routes to Qwen, DeepSeek, Kimi, or locally served models. The US overlay may differ by state-sensitive workflow.
Which actions require a verified human approval in this jurisdiction, reflecting local requirements for consequential or automated decisions.
Per-region logging depth, retention windows, and disclosure formats, so a local data call is answered from local records in the expected shape.
Because overlays are configuration on one shared policy engine, three things become possible that forked stacks can never do. Legal can read the actual difference between regions as a diff, not a discovery project. A new regulation lands as an overlay change, not a re-platforming. And the global baseline, the floor no region may drop below, is enforced by the same machinery everywhere.
"Show me your company's AI controls in every country you operate in, and prove they were actually applied." With forked regional stacks, that question takes a quarter to answer badly. With one policy plane and regional overlays, it is a report, generated from the same records the enforcement path produced.
Routing every region through a governed gateway does not just satisfy local law. It closes the visibility gap that regional AI created in the first place.
Every model call in every region produces the same usage, cost, and audit records. The black-hole region becomes just another region on the dashboard.
Per-team, per-region, per-workflow cost attribution in one ledger, with caps and routing rules applied consistently. Semantic caching serves repeated traffic locally, which also matters where in-region model capacity is constrained.
A single tamper-evident audit format worldwide. Local regulators get local records; the board gets the global picture; both come from the same chain.
Each region's traffic can distill into small, specialized local models served inside that region's perimeter, cutting cost and latency while keeping data home. Governance stays constant regardless of which model answers.
The architecture holds when the organization around it is explicit, and the multinational version adds one rule the single-market version does not need.
One global function owns the policy baseline and the shared plane. Each region owns its overlay, with local legal and compliance review, inside limits the baseline sets. That split respects the reality that local teams know local law best, without letting local knowledge become global fragmentation.
Every region's approved model and tool catalog is published, versioned, and visible. Teams building agents know what they may use where, before they build, and an agent promoted from one region to another is re-validated against the destination overlay as a routine step.
When the next AI act lands, the response is a policy review and an overlay update, shipped through the same review process as any other change. That is the difference between a governance program that absorbs regulatory motion and one that is re-architected by it.