The architecture review should have been straightforward. We'd built web agent infrastructure that ran reliably across fifteen jurisdictions—automated workflows that gathered data, processed it, and delivered results to enterprise customers. Then someone asked: "If we process hotel inventory data in the EU, can we still serve those results to Colorado users?"

The room went quiet. We'd hit a question no one had considered: there wasn't one answer anymore.

At TinyFish, we build enterprise web agent infrastructure—systems that run reliable, auditable workflows on the live web at scale. Which means we've watched a threshold cross in 2025 that most enterprises didn't see coming: the moment when you cannot build one system that satisfies all jurisdictions.

The Incompatibility Emerges

For a while, multi-jurisdictional compliance looked manageable. Document your data handling. Write risk assessments. Build to the most stringent requirements and apply them everywhere. One architecture, one set of controls, compliance achieved.

Then the requirements started diverging in ways architecture couldn't bridge.

The requirements aren't just different—they're incompatible:

• Colorado's AI Act requires impact assessments for algorithmic discrimination and annual reviews to ensure systems don't produce differential treatment of protected groups
• The EU AI Act demands technical documentation and training data summaries for general-purpose AI models
• Trump's December executive order explicitly criticizes Colorado's law for potentially forcing AI systems to "produce false results" to avoid differential impact

You can document all of that. Building one model that satisfies both "prevent differential treatment" and "don't alter outputs to prevent differential treatment"? Impossible. The threshold has been crossed.

When Infrastructure Splits by Jurisdiction

Teams operating web agents across jurisdictions keep hitting the same wall: "deploy everywhere" has become "deploy differently everywhere."

The shift shows up in infrastructure decisions that used to be straightforward. Where should this agent run? Used to be: wherever capacity is available. Now: which jurisdiction owns this workload, and what does that imply for data handling, model behavior, and audit trails?

Organizations are implementing what some call sovereign AI control planes—infrastructure that enforces policies about jurisdiction, data classification, and auditability. Not features added to existing systems, but architectural constraints that reshape what's technically possible.

CI/CD pipelines that used to deploy globally by default now deploy per region, with access policies and observability that are region-aware from the start. Observability must show not just what happened, but where it happened and under which legal framework. Data handling must accommodate that some jurisdictions prohibit cross-border transfers while others require local copies even if you move data elsewhere. Model behavior might need to vary by jurisdiction—not because you want it to, but because conflicting requirements make unified behavior impossible.

Jurisdiction has become a first-class design parameter.

The Permanent Reality

This won't resolve with better documentation. Regulatory fragmentation requires infrastructure bifurcation—that's the permanent architectural reality.

The enterprises adapting fastest aren't the ones with the most comprehensive governance policies. They're the ones who've recognized that the threshold has been crossed—that compliance has moved from documentation layer to architecture layer—and are building accordingly.

What looked like a regulatory collision in 2025 is actually an inflection point in how enterprise infrastructure gets built. The assumption that you can deploy one system everywhere is breaking. It won't come back.