The Bureaucrat’s Revenge: How AI Regulation Wins by Losing
You might think that politicians control policy. I couldn’t possibly comment.
They’ve been quite busy in Washington, haven’t they? Executive orders rescinded, agencies neutered, regulations “paused for review.” The new administration swept in with all the subtlety of a demolition crew, and the AI governance apparatus looked terribly vulnerable. Industry lobbyists celebrated. Libertarian think tanks penned victory manifestos. The adults, they proclaimed, were back in charge.
How delightful. How naive.
You see, dear reader, they’ve made the classic blunder: they’ve confused the appearance of power with its reality. They’ve won the legislative theatre whilst losing the regulatory war. And the truly beautiful part? They won’t realise it until it’s far too late.
Let me explain how this works. You might think that killing a federal AI regulation actually kills it. But regulations, like particularly resilient weeds, don’t die. They simply relocate.
The Federated Fait Accompli
California isn’t waiting. Neither is New York, Colorado, or the EU. When Washington abdicates, Sacramento legislates. When the federal government “streamlines,” state attorneys general sharpen their knives. You might think this creates a patchwork nightmare for industry. Well, yes. That’s rather the point, isn’t it?
Here’s what the deregulation enthusiasts failed to grasp: corporations despise uncertainty more than they despise compliance. A single federal standard, however onerous, is vastly preferable to navigating 50 state-level frameworks plus international obligations. The very chaos created by federal withdrawal makes the original frameworks more attractive, not less.
The NIST AI Risk Management Framework? Still voluntary. Still referenced in every procurement contract, every insurance policy, every due diligence questionnaire. ISO 42001? Growing faster now than when governments were promoting it. Why? Because auditors need something to audit, and nature abhors a vacuum.
The Brussels Effect, Redux
You might think that American companies can simply ignore European regulations. How quaint. Tell me, which Fortune 500 company is prepared to exit the European market? Which AI vendor will forgo GDPR compliance? Which cloud provider will skip ISO 27001 certification?
None, of course.
And here’s the beautiful irony: once you’ve implemented AI governance for your European operations, the marginal cost of applying it globally approaches zero. In fact, the operational complexity of maintaining separate standards often exceeds the cost of universal compliance. The politicians banned federal AI regulation. The bureaucrats in Brussels smiled and continued typing. The AI Act proceeds regardless. American companies will comply regardless. The only thing that’s changed is which flag flies over the regulatory apparatus.
The Procurement Cudgel
But let’s discuss my favourite mechanism: the purchasing power of the state itself.
Federal agencies may not regulate AI, but they certainly can set procurement standards. “We’re not requiring anyone to comply with NIST AI RMF,” they’ll say. “We’re simply choosing not to purchase from vendors who don’t demonstrate conformance.” See the difference? Neither do the vendors.
State and local governments command trillions in purchasing power. Universities, hospitals, municipal services. Each can independently adopt procurement standards. Each can require vendor attestations. Each can demand third-party audits.
You might think this is regulation through the back door. I couldn’t possibly comment.
The Insurance Industry’s Quiet Veto
And then there’s insurance. Lovely, mercenary, utterly predictable insurance.
Underwriters don’t care about political philosophy. They care about actuarial tables and loss ratios. They’ve noticed that AI systems without governance frameworks tend to malfunction spectacularly and expensively. They’ve noticed that courts are increasingly hostile to “we didn’t know” as a defence.
So they’ve quietly begun requiring AI governance attestations for coverage. No ISO 42001 assessment? Higher premiums. No AI risk management programme? Excluded exposures. No ethics review board? Sorry, uninsurable.
The market regulates what the government will not. How wonderfully efficient.
The Professional Class Consolidates
You might think that reducing federal AI oversight would eliminate the compliance industry. Instead, it’s metastasised. Without clear federal guidance, every organisation must navigate independently. Consultants multiply. Certification schemes proliferate. The very absence of standardisation creates opportunities for intermediaries.
The demand for AI governance hasn’t decreased. It’s simply become more sophisticated, more federated, more resilient to political interference. Small and medium businesses can’t afford to ignore these frameworks, but they also can’t afford Big Four consulting fees. The market gap widens. How fortunate that someone recognised this opportunity.
The Long Game
Here’s what the deregulation champions don’t understand: bureaucracies think in decades, not election cycles. The career civil servants didn’t fight the executive orders. They simply updated their guidance documents, shifted their focus to “voluntary” frameworks, and waited. They’ve seen this film before. Administrations change. Priorities shift. But the fundamental infrastructure endures. The same frameworks that are “paused” today will be “reinstated” tomorrow, probably under a different name, certainly with the same substance.
You might think this represents a failure of democratic accountability. You might think unelected bureaucrats shouldn’t have this kind of persistent power. You might think that policy should reflect electoral mandates, not institutional inertia.
I couldn’t possibly comment.
But I will observe this: in the contest between political theatre and bureaucratic persistence, bet on the bureaucrats. They’ll still be filing paperwork long after the politicians have moved on to their next crusade.
The Practitioner’s Advantage
For those of us actually implementing AI systems, this creates opportunity. Whilst politicians debate whether to regulate, we build governance into our architectures. Whilst lobbyists argue about compliance costs, we reduce them through automation. Whilst ideologues fight over frameworks, we deploy them.
The organisations that treated AI governance as a political question are now scrambling. The organisations that treated it as an operational necessity are scaling smoothly. The market, as always, rewards preparation over posturing.
You might think I’m advocating for more regulation. Not at all. I’m simply observing that in the absence of clear federal standards, more complex and costly alternatives emerge. I’m simply noting that political victories often produce strategic defeats. I’m simply suggesting that the regulatory apparatus they thought they killed has merely evolved.
How it all develops remains to be seen. But I suspect, when the histories are written, this period will be remembered not as the death of AI governance but as its federalisation, its privatisation, and its ultimate entrenchment beyond the reach of any single political movement.
The politicians dismantled the federal framework. The bureaucrats, the markets, and the lawyers built something more resilient in its place.
You might call that ironic. I call it inevitable.
The game continues. The pieces move. And as always, the ones who understand the board control the outcome.