Responsible AI Platform

Is the AI Alignment Problem Adequately Addressed by European Legislation?


AI alignment isn't just about science fiction scenarios, but about the daily question: does this system truly do what we intend, within boundaries that fit human values, fundamental rights and safety?

Two levels of alignment: There's a difference between organizational alignment (processes, responsibilities, monitoring) and fundamental alignment (the deeper safety question around increasingly capable models and emergent behavior). European legislation is strong on that first layer. The second layer remains partly dependent on soft law, emerging standards and technology-driven safety practices.

What the EU AI Act Does Address on Alignment

The EU AI Act isn't an "alignment law" in the technical sense, but it does address components that organizations often experience as alignment problems: drift, unintended output, bias, manipulation, opacity and insufficient human intervention.

1) Prohibited Practices as Hard Boundaries

The AI Act draws a line at AI applications considered unacceptable, precisely because they can steer behavior or affect rights. This first set of obligations already came into effect early in the phased implementation. (EUR-Lex AI Act)

2) High-risk Requirements as "Alignment-by-Design"

For high-risk systems (such as in employment, education, critical infrastructure, healthcare, credit and public contexts) the AI Act builds a package of requirements that can be read as a set of organizational alignment controls:

The alignment controls for high-risk systems

  • Risk management: Systematic identification and mitigation of risks
  • Data governance: Requirements for training datasets and data quality
  • Documentation: Technical documentation and logging of use
  • Transparency: Clear information to users about limitations
  • Human oversight: Effective human oversight mechanisms
  • Accuracy and robustness: Requirements for performance and cybersecurity

These requirements are precisely designed to prevent a system from "performing well" on paper but proving unreliable or harmful in reality. (EUR-Lex AI Act)

3) General-purpose AI and 'Systemic Risk'

The AI Act recognizes that generic models (GPAI) end up downstream in countless applications, making alignment not just an "application question" but also a "model question". Therefore, specific obligations exist and a GPAI Code of Practice has been published that makes compliance concrete, with separate attention to safety and security for models with systemic risk. (EC Digital Strategy)

This is an important point: Europe tries to place alignment not just with the end user or the deployer, but also to organize it upstream through documentation, transparency and safety practices for the more powerful model category.

Where Legislation Falls Short

Even with the AI Act, there remains a gap between "compliance" and "alignment" in the fundamental sense.

1) Legislation Cannot Fully Regulate Goal Misalignment

A law can require you to manage risks, organize oversight, document and monitor. But if a model learns unexpected strategies, or if capability jumps lead to new behavior, that's not fully coverable with process obligations. The AI Act pushes organizations toward mature governance, but doesn't guarantee intrinsic "value alignment" of models.

2) Timing and Enforceability Remain Variable

In theory, the phased implementation is precisely meant to give parties time. In practice, it also creates a period where the strongest obligations haven't yet "landed" everywhere.

Risk of delay: If such shifts proceed, that simply means living longer with alignment risk without the full set of legal incentives and enforcement.

3) Liability: A Missing Link

Alignment isn't just about prevention, but also about incentives after the fact: who pays for the damage when things go wrong? Precisely there, the European route is mixed.

Instrument | Status | Impact on alignment incentives
AI Liability Directive | Withdrawn | Specific AI liability instrument (for now) unavailable
Product Liability Directive | Renewed (transposition end 2026) | Made suitable for software and digital products, but primarily product-focused (EP Research)

In short: Europe does have a solid product and safety track, but a specific civil AI liability track has dropped off, making the total incentive structure less complete.

Alignment is Also "Encircled" by Other Laws

The AI Act doesn't stand alone. Some alignment-like risks are addressed elsewhere:

The broader European regulatory network

DSA (Digital Services Act): For very large platforms and search engines, there's an obligation to assess and mitigate systemic risks, including risks to fundamental rights. This directly touches on recommendation systems, content distribution and manipulation effects. (Digital Services Act)

GDPR (and the interplay with DSA): When AI decision-making strongly affects individuals, or when profiling and data minimization are at stake, this runs through privacy and data protection rules. The EDPB also published guidance in 2025 on the DSA-GDPR interplay. (EDPB)

Cybersecurity (NIS2 and Cyber Resilience Act): Alignment often fails not just through "wrong goals", but also through attacks, prompt injections, supply chain issues and misuse. NIS2 requires risk management and incident reporting for many sectors. (EC Digital Strategy) The Cyber Resilience Act sets requirements for digital products across the lifecycle. (EC Digital Strategy)

Taken together, this makes the European response broader than just "the AI Act", but also more fragmented: alignment components are spread across multiple regimes.

Three Practical Situations: What's Covered and What Isn't

1) HR and Recruitment with a Generic Model Under the Hood

Suppose an organization uses a tool that summarizes application letters, ranks candidates and suggests interview questions. The alignment questions are then: does the system rank on relevant criteria, is there bias, do recruiters understand the limits, and can they deviate with justification?

The AI Act pushes toward risk management and human oversight (certainly if it falls under high-risk), while upstream GPAI documentation and transparency help to better understand downstream risks. But: if the tool stays "just under" high-risk or is purchased as a feature through a gray area, much remains dependent on internal governance.

2) Healthcare Triage and Prioritization

With triage, it's not just about accuracy, but also about failsafes, escalation, audit trails and accountability. The AI Act helps primarily by requiring structure: document, monitor, take incidents seriously, and make human decision-makers truly authorized.

The human-machine interaction: Legislation doesn't prevent a model from becoming "too convincing" in practice and professionals falling into automation bias. That's alignment as a human-machine interaction issue that goes beyond what a law can enforce.

3) Recommendation Algorithms on Platforms

Here "alignment" touches societal effects: polarization, disinformation, manipulation and harmful engagement loops. The DSA places obligations around risk assessment and mitigation of systemic risks for very large players, including fundamental rights risks. (Digital Services Act)

The AI Act isn't always the primary instrument here. The result is strong obligations for a subset of platforms, but a less clear grip on comparable effects at smaller players or in new forms of distribution.

What This Comes Down To

The core of the European approach

Europe today addresses the AI alignment problem primarily as a governance, product and fundamental rights question. That's valuable: much AI damage doesn't come from science fiction scenarios, but from predictable things like bad data, too little monitoring, unclear responsibility, and lack of human intervention.

At the same time, "alignment" in the deeper safety sense remains legally enforceable only to a limited extent. The EU is taking steps through GPAI obligations and the Code of Practice, but part remains dependent on the technical state of the art, supervisory capacity and the political choice of how strictly and quickly the rules are actually applied.

And because a specific AI liability directive was withdrawn, the incentive mechanism after the fact is less specifically developed than originally intended.

Practical lesson for organizations: Those who wait for "the law to solve everything" miss the point. Alignment is already primarily something you must organize with governance, evidence, monitoring and a mature escalation chain. Legislation is more the floor than the ceiling.

