AI and the Governance Trap We’ve Seen Before

Matt / June 20, 2026 / AI, Personal, Technology

One of the most common concerns I hear whenever AI regulation comes up is that governments are going to overreact.

It’s not an unreasonable concern. History contains plenty of examples of regulations that created unintended consequences, slowed innovation, protected incumbents, or failed to keep pace with technological change. Anyone working in technology long enough has encountered policies that made little sense in practice or governance frameworks that created more overhead than value.

What I find interesting, however, is that most discussions seem to assume this is the most likely outcome. The concern is almost always focused on what happens if governments intervene too aggressively.

I find myself wondering whether the greater risk is the opposite.

Over the course of my career, I’ve worked in organizations of various sizes and levels of maturity. The details differ, but the pattern is remarkably consistent. Governance is almost never implemented because everything is working perfectly. Security reviews, architecture review boards, change management processes, development standards, disaster recovery planning, segregation of duties, release management controls, and countless other governance mechanisms tend to appear after an organization has experienced the consequences of not having them.

The story is usually the same. A process is viewed as unnecessary overhead because there hasn’t yet been a significant failure. Teams prioritize speed because speed is producing visible results. Risks are acknowledged but considered manageable. Then an incident occurs. Sometimes it’s a security breach. Sometimes it’s a major outage. Sometimes it’s a compliance issue. Sometimes it’s simply a project that becomes far more expensive to fix than it would have been to govern properly in the first place.

Only then does everyone suddenly agree that governance is important.

The problem is that governance designed during a crisis rarely represents its best form.

When organizations are responding to an incident, the objective is not careful design. The objective is preventing the incident from happening again. That pressure often leads to controls that are broader than necessary, processes that become more cumbersome than intended, and decisions that prioritize immediate risk reduction over long-term effectiveness.

I’ve seen this happen often enough that it feels less like an exception and more like a predictable phase of organizational maturity.

When I look at AI, I see many of the same ingredients.

Today, most discussions about AI governance remain largely theoretical. Researchers debate future risks. Policymakers debate appropriate oversight. Technology companies debate what obligations they should have and which capabilities should trigger additional scrutiny. At the same time, businesses are rapidly adopting AI because the potential benefits are increasingly difficult to ignore.

That combination creates an interesting dynamic. The technology is advancing quickly, adoption is accelerating, and governance frameworks remain relatively immature.

The assumption seems to be that this situation can continue indefinitely.

History suggests otherwise.

Transformative technologies eventually experience failures. Sometimes those failures are technical. Sometimes they are operational. Sometimes they are security-related. Sometimes they are simply examples of human beings deploying tools in ways that nobody anticipated. The specifics are impossible to predict, but the existence of future incidents feels far less speculative.

That observation is not unique to AI. It is true of almost every technology that has been adopted at scale.

What concerns me is not that governments will eventually regulate AI. What concerns me is the possibility that we spend years arguing about whether regulation is necessary and fail to develop credible frameworks before circumstances force the issue.

At some point there will likely be a significant incident involving AI. It may involve misinformation. It may involve cybersecurity. It may involve autonomous decision-making. It may involve something nobody is currently discussing. Whatever form it takes, the public conversation will change immediately.

Questions that are currently academic will become urgent.

Questions that are currently nuanced will become political.

Questions that are currently being explored thoughtfully will be answered under pressure.

That is rarely when societies make their best decisions.

One of the lessons I’ve learned as an architect is that governance works best when it is introduced before it becomes necessary. Security controls are easier to implement before a breach. Recovery plans are easier to create before an outage. Development standards are easier to establish before technical debt accumulates. Once a problem becomes visible, the range of acceptable responses narrows considerably.

I suspect AI governance may follow a similar path.

The irony is that many of the people arguing most strongly against regulation today may ultimately contribute to more aggressive regulation tomorrow. Not because their concerns are invalid, but because governance vacuums rarely remain empty forever. When institutions fail to establish clear rules and expectations, those rules tend to emerge later in response to events.

The resulting frameworks are often less thoughtful than the ones that could have been developed beforehand.

That is why I don’t think the future regret will be that we regulated AI.

The future regret may be that we waited until everyone agreed regulation was necessary before deciding what it should look like.

By then, the conversation will no longer be about designing good governance.

It will be about responding to a crisis.

History suggests those are rarely the same thing.

About Matt

Matt McGuire is a Salesforce architect, AI builder, and punk musician based in Toronto. Canada's #1 certified Salesforce professional, 43× certified across architecture, development, AI, and a wide range of platform products. He's been building on Salesforce for 17 years and currently spends most of his time at the intersection of AI and the platform. The Music Intelligence Engine is his most interesting project to date. He thinks you should read the whole series.
