The AI regulatory space is a rapidly developing and maturing one, and while a lot of work has recently been done to draft new bills and establish new frameworks, there’s still a ton we don’t know about the space. This post aims to quantify and qualify some of the “known unknowns” about the space, including what I believe to be one of the most consequential unknown variables: The lag time from when new AI capabilities are announced to when regulatory bodies acknowledge or pass legislation targeted at them.
My research into this topic covered six different categories:
1) Regulatory adequacy
2) Regulatory causality
3) Soft law effectiveness
4) Incremental vs novel capabilities
5) Preceding disasters
6) Regulatory lag
7) Miscellaneous Measurement Gaps
The Definition of “Regulatory Adequacy”
As far as I can tell, there’s no definition of “regulatory adequacy”. That is, there’s no agreed on definition for what “adequate” governance would actually look like.
Granted, it’s quite hard to know what “adequate” looks like in governance as you’re generally trying to optimize for something not happening. But the lack of any real standard does have costs as it makes claims about “widening gaps” between capability development and governance rather fuzzy. No standardized metrics exist for determining if a framework or law actually improves the public trust, increases model safety, or reduces AI-related harms. And without legible standards for what counts as success it’s difficult to work backwards and determine what types of advocacy or legislation campaigns are actually effective at achieving their goals.
Most databases or indices of AI governance such as OECD.AI or Stanford HAI measure just the quantity of governance, like the number of laws passed or how many strategies/frameworks have been published. For instance, the OECD.AI Index combines 28 indicators that track OECD’s AI principles, but these measure only policy implementation and capacity. They don’t track how effective policies are at achieving their goals.
Similarly, the Stanford HAI AI Index is likely the gold standard for legislative activity tracking, with longitudinal data covering legislative proceedings for 75 different countries, U.S. state and federal legislation, and global AI safety institute proliferation. Ultimately though it tracks legislative activity, enforcement actions, and compliance costs, essentially counting the volume of governance but not quality. Meanwhile, Georgetown CSET’s AGORA catalogs more than 950 AI governance documents. Finally, the Oxford Insights Government AI Readiness Index covers 195 governments over roughly 40 different indicators, but it measures prerequisites for governance and not actual outcomes.
In the regulatory theory literature, there are some approximations, suggested techniques for assessing adequacy and efficacy. Cary Coglianese suggests using a relevant framework that tracks three regulatory dimensions: inputs/activities (rules adopted, resources deployed), behaviors (compliance by regulated entities), and outcomes (changes in the underlying problem). He argues that the best indicators of regulatory efficacy will “almost always be those that measure the ultimate problem the regulation or process was intended to solve.”
For governance in general, the World Bank’s Worldwide Governance Indicators does have a “Regulatory Quality” dimension that might be worth adapting, but even it captures perceptions of government capacity and not outcomes. Are we starting to notice a theme?
There’s some intuitive causes for the field’s failure to define adequacy.
The first is just how nascent the field is. AI governance is essentially less than a decade old, and most frameworks simply haven’t been around long enough for outcome evaluation. There’s also a problem of competing values. Different jurisdictions define “adequate” differently based on what they value, so while the EU prioritizes rights protection, the US emphasizes innovation, and China is focused primarily on state control.
Of course, there are measurement problems as well. The causal chain that runs from regulation to behavior change to outcome improvement is genuinely difficult to measure.
Finally, there’s a political economy problem. In order to measure whether regulation works, you also need to measure whether regulators are doing their jobs. This isn’t an unsolvable problem: you could come up with some quantitative metric that would track regulator activity and effectiveness, like how in the finance regulation context the Basel Accords define capital adequacy.
The Basel Accords work by translating abstract goals like “banks should be safe” into hard numbers that are auditable. No such framework has been proposed for AI thus far. But you might define thresholds for institutional function like investigation velocity, enforcement ratio, guidance issuance lag, staffing adequacy, incident rate per user-exposure-hour, severity-weighted harm index, and similar.
I consider this to be one of the most important gaps to fill in the regulatory landscape, and a lot more research is required to move from counting “governance inputs” to measuring “governance outcomes”.
Causality: What Actually Drives Regulation?
While we do know that the number of laws and governance frameworks have surged in recent years, we don’t know what the actual causal mechanism is.
Based on my research I can make some educated guesses. The driving force behind new regulation for AI is most likely some combination of high-salience technological breakthroughs combined with a surge in public attention and/or historical patterns of crisis-response.
We generally see that novel capabilities drive media coverage, and media coverage does tend to correlate with increased regulation. While most people have an intuition that it’s actually alarmist news that drives regulation, it could be that any coverage leads to more regulation.
I analyzed over a decade of global media coverage for two transformative technologies: artificial intelligence and nuclear energy. I made use of the GDELT database, which tracks hundreds of thousands of news articles worldwide. These database entries were then combined with Google Trends search data and a hand-coded database of regulatory events spanning 2015 to 2025. At the end, three findings jumped out, and two of them cast doubt on the typical story.
Panel C shows AI regulatory events shot up from 0.15 to 1.00 per month after ChatGPT's launch (Nov 2022). This coincides with the most positive sustained AI coverage and the largest spike in public search interest in the dataset.
While there's a plausible causal chain where media coverage with a positive tone drives public search interest, which in turn leads to attention and regulatory action, my analysis of search data and regulatory action found that once you account for search interest, the actual volume of coverage added no predictive value. That suggests the relationship between news and policy is mediated by attention.
In my data, the most enthusiastic period of AI journalism coincided with the sharpest acceleration in regulatory activity. It’s possible that regulators just respond to technologies being prominent on the public agenda and framed as national strategic priorities, rather than responding solely to danger signals…
That said, statistical tests were inconclusive as to whether public attention genuinely predicts regulation or whether laws, media, and new capabilities are all just rising together at the same time.
Likewise, the second finding is that it’s unclear if journalists themselves are leading the public (a type of elite agenda-setting) or if they’re following audience enthusiasm. The idea that journalists lead public opinion is agenda-setting in the classic sense, and my results don’t really back that up. In my tests public search interest actually predicted more positive media coverage (p=0.006), while positive media coverage didn’t predict search interest. So basically, public interest leads to journalist coverage, not the reverse: AI media coverage didn’t predict public search interest (p=0.905).
I can say that media and public attention are tightly coupled (r = 0.538–0.641), and an agenda-setting theorist might argue that the correlation reflects journalists working through channels the analysis doesn’t capture, like framing effects that don’t show up in search volume but still influence elite opinion instead of mass public attention. This seems possible. There’s a kind of mutually reinforcing feedback loop going on where both public attention and media coverage co-evolve together… [1]
Notable disasters heavily predict regulation. In most other industries, we see that effective regulation typically follows some kind of disaster, such as the Chernobyl and Fukushima incidents for nuclear power or the sulfanilamide disaster for the pharmaceutical industry. But AI regulation has uniquely accelerated without a major disaster… Although, it remains heavily dependent on existing legal infrastructure and geopolitical competition.
Technical milestones like the announcement of AlphaFold or the release of ChatGPT function as catalysts that drive attention, and with it, regulation. My own investigation into the distribution of regulatory events over time found that the number of regulatory events (of any kind) rose from 0.15 per month to 1.00 per month following the launch of ChatGPT.
The EU AI Act is probably the cleanest example of new products forcing legislative revision. While the original proposal (April 2021) didn’t have provisions for general-purpose AI models, ChatGPT’s appearance during negotiations forced co-legislators to draft an entirely new chapter. The Center for Democracy and Technology noted it was “after the surge in popularity of ChatGPT… that the co-legislators drafted a dedicated chapter.”
Regulatory responses to AI capability advances were minimal or nonexistent before the Gen AI era. Early breakthroughs like AlexNet (2012) and AlphaGo (2016) generated no direct regulatory responses (that I’m aware of). Only GPT-2’s staged release in 2019 is a notable governance action, and note that it was industry-led self-governance rather than government regulation.
There’s also a geopolitical angle to this whole thing. Regulatory activity can be pushed by a desire to respond to the efforts of geopolitical rivals or strengthen national leadership. Part of the rationale for the Biden Executive Order was to position the US ahead of Chinese and EU regulatory efforts.
Once a desire to create legislation is present, the speed of a government’s regulatory response is influenced by how effectively it can repurpose existing laws/legal frameworks. It’s notable that Italy responded to the unveiling of ChatGPT in around 120 days because it leveraged powers that existed under the GDPR, while the EU AI Act took years to finalize. Compare that to: China’s proposed generative AI rules that came roughly 170 days later and were enacted within 258 days, the Biden Executive Order that followed after 334 days, and the EU AI Act that was finalized after 373 days (though it had been under development since 2021).
Italy’s response was the fastest because it deployed GDPR powers, not new AI legislation. Meanwhile, China’s iterative approach was built on regulation of prior algorithms and deep synthesis and the U.S. used Defense Production Act authority. Existing legal infrastructure determines response speed.
The Effectiveness of Soft Law
For a regulation to be effective and not just symbolic, it typically requires independence from both promotional mandates and the industry it regulates. We can look at incidents like the Fukushima disaster and other catastrophic failures in history that were often caused by regulatory capture, where the body in charge of safety was the same one promoting the technology.
Soft law is essentially codes of conduct and voluntary guidelines rather than legal frameworks enforced by liability and other punitive measures, and its voluntary nature cuts against independence as enforcement is left to the industry itself.
The primary advocate for soft law in AI technology governance is Gary Marchant at ASU and he has built out a fairly comprehensive directory of AI soft law. Alongside Gutierrez, he identified 634 AI governance programs globally, and it’s notable that around 90% of them were created between 2017–2019. Of these soft law programs, government institutions created 36%, which is actually more than industry created alone.
There are typically two categories of rebuttal to Marchant’s position. First, the institutional capture argument holds that voluntary commitments like these often just serve to cover firms while they go about business as usual. Second, there is the critique that soft law actually forestalls the passage of binding regulation (e.g., the VW emissions and Boeing 737 MAX cases all demonstrated failures of self-regulation that ultimately required regulatory intervention).
This raises the question: "How effective are soft law arrangements, in reality?" One does wonder how effective these soft law schemes are without enforcement mechanisms, which most of them lack. Marchant’s own data reveals that in terms of enforcement “only 30% of programs publicly mention an enforcement or implementation mechanisms”.
In 2024 Flankova et al. released a meta-analysis that rounded up 103 studies covering a combined 23 VEPs (Voluntary Environmental Programs). It finds that in certain conditions voluntary programs actually can improve outcomes, provided there’s quality standards and clear reporting mechanisms. High quality VEPs will have clear objectives, independent monitoring, and meaningful sanctions. Programs lacking these features won’t have success.
We know that there’s some meaningful blind spots when it comes to corporate assessments of risk. An analysis of more than 9400 papers regarding generative AI found that just 4% of papers from corporate sources analyzed risks like misinformation, persuasion, disclosures, medical and financial contexts, or other core safety related topics. Furthermore, most corporate AI research focuses on AI in pre-deployment contexts, with relatively little attention paid to models post-deployment.
The quality and stringency of the program really matters. Firms join programs without stringent requirements and monitoring in order to greenwash, exploiting information asymmetries to get into these lenient programs. This tracks with other findings that non-binding NGO pressure alone doesn’t lead to reliable changes in corporate behavior. [2]
There’s some evidence that suggests simply asking people to abide by a Code of Ethics doesn’t work. McNamara et al. (2018) ran a randomized experiment with 63 students and 105 professional developers and found that telling them to consider the ACM Code of Ethics had “no observed effect” compared to a control group. The sample size here is just too small to really draw too much from it, although I guess it’s consistent with voluntary agreements having a small effect that this study was too under-powered to see. I’d be willing to buy that a one-time exposure to a code doesn’t meaningfully shift behavior by itself, and if we want effects it probably has to be combined with the kinds of actual standards and accountability mechanisms described above.
Even Marchant acknowledges that traditional soft law methods are quite often “too vague and general to have any real impact”, and is advocating instead for what he calls “Soft Law 2.0”. This is basically soft law combined with various enforcement mechanisms to try and make it effective, with internal levers (like dedicated budgetary allocations, mandatory employee training, and internal auditing committees) combined with external levers like third-party verification and public rankings. This reads like an admission that traditional soft law schemes don’t work.
It does seem like under certain conditions, soft law can work. If there’s a credible background threat of regulation such as the gaming industry’s ESRB, that can work fairly well. Also consider access to valued resources gated by compliance (like stem cell research guidelines enforced via journal publication requirements), or technical interoperability leading to self-enforcing incentives (IETF/W3C internet standards).
The Marchant “Soft Law 2.0” toolbox is roughly based on the conditions found in these successes, but it remains a proposal, untested at the time of this writing.
What remains unknown is the degree to which AI-specific soft laws have actually produced behavioral changes in the companies and developers they claim to affect. We can make some reasonable guesses at how effective they will be. Meta-analyses done on soft law in other industries find that these voluntary programs can work, but only when the objectives are clear, there’s independent monitoring, and the threat of meaningful sanctions exists. And based on the figures above, it’s thought that about 70% of current AI soft law programs don’t meet the conditions.
Asymmetries Regarding Incremental vs. Novel Capabilities
There’s a few asymmetries that make creating effective regulation harder.
Effective regulation is dependent on technical expertise to inform regulators, and a major dependency for “regulatory adequacy” is addressing the knowledge gap that exists between AI development companies and regulatory bodies.
I don’t believe that the governance literature currently distinguishes explicitly between incremental capability improvements and net-new capability types. I couldn’t find any documents explicitly using this separation as a consideration framework for regulatory design. This is concerning, as the evidence suggests the two types of capability changes create different governance challenges.
You can see this in the case of the EU AI Act, where legislators had to work overtime to respond to the arrival of ChatGPT on the scene. The result was a two-tiered system, one that had basic transparency obligations for all GPAI models and a series of additional requirements for models that exceeded a 10²⁵ FLOPs training compute threshold. The July 2025 Guidelines would then further distinguish between substantial modifications that made changes to a high-risk AI system, and lesser modifications that were regulatory continuations of the same model.
Agentic AI is the current frontier of capability governance challenges. Many previous governance frameworks are focused on AIs “creating content”, but this moves the relevant consideration to “accomplishing complex tasks autonomously”, also undercutting the assumption of human-in-the-loop oversight most existing frameworks have. Some frameworks are emerging, such as the OWASP Foundation identifying “Excessive Agency” as a distinct vulnerability category, but these remain largely aspirational.
You can also see this dynamic at play in the pharmaceutical regulatory framework, where small-molecule drugs go through the well-established New Drug Application pathway, where generic equivalents only need to show bioequivalence. The emergence of biologics necessitated the creation of a different drug class along with a new licensing application process (BLA vs. NDA), a separate FDA center (CDER), and distinct rules for handling of biosimilars.
The pattern is pretty familiar by this point. Incremental improvements in known categories of technology are handled through established pathways, but genuinely novel modalities require the painstaking process of creating entirely new regulatory categories, evaluation frameworks and institutional structures.
This gets even more complicated when you talk about the possibility of emergent capabilities. Wei et al. (2022) defined them as capabilities “not present in smaller models but present in larger models” that “cannot be predicted simply by extrapolating.” The implication is that incremental scaling could result in new, unforeseen capabilities, which would blur the very boundaries needed to make this distinction. This is controversial though, as Schaeffer et al. (2023) argued this is largely a measurement artifact.
CSET Georgetown attempts a pragmatic resolution, arguing that whether or not emergence is “real”, what we care about for governance is capability predictability. In this sense, the EU AI Act’s compute threshold is a bet on where novel capabilities may arise.
…And so currently there’s no systematic way to reliably distinguish between incremental improvements like the common scaling of existing models vs the establishment of new capability types like agentic AI systems. The failure to distinguish between them means governance frameworks often have to scramble to address new capabilities that emerge during the writing process for new regulations. Better delineation between capability types and improvements could help regulators respond quicker and draft anticipatory regulation. [3]
Can Regulation Precede Disaster?
Most regulation occurs because some sort of crisis happens, some disaster (or near disaster) that forces society to pay attention. This is the crisis-response pattern of regulation. In most other high-risk industries such as pharmaceuticals, effective regulation was only catalyzed by a major disaster, so the question is if AI can be the exception to this trend.
There are some rare examples of industries or disciplines essentially self-regulating, when faced with technologies that could genuinely be devastating in the right hands. While the 1975 Asilomar Conference is sometimes seen as a template for proactive scientific self-governance, it’s not clear it can be replicated in an AI industry due to different dynamics.
Several unique circumstances made Asilomar possible, which would probably not recur today. Katja Grace’s deep dive on the Asilomar Conference covers this all in more detail, but the short version is that some combination of the geopolitical environment along with the threat of legal liability and the knowledge that Congress was already actively considering legislation made self-governing seem attractive.
Matthew Cobb also called out that there were two considerations that didn’t make it into the conversation: commercialization and bioweapons. The Soviet Union’s massive bioweapons program did use recombinant DNA techniques, which was something Asilomar explicitly excluded from discussion. Had either topic surfaced, the history of the event might have been pretty different.
What does seem clear is that the environment in which Asilomar happened is radically different from the environment AI is being developed in. The AI industry is globally distributed and driven by massive private commercial interests, as opposed to the small group of academics that made up the Asilomar Conference.
The better reference for policy wonks and regulators looking to craft regulation before a disaster might be the aviation industry. The first federal regulation happened in 1926 with the Air Commerce Act, and somewhat unusually the aviation industry itself lobbied for federal regulation. It was believed “the airplane could not reach its full commercial potential without federal action to improve and maintain safety standards”. Specifically, President Calvin Coolidge appointed a board to study aviation safety and the role the federal government had to play, at the behest of aviation industry leaders, which led to the passing of the Air Commerce Act later on.
The combined FAA + NTSB + ICAO system that we have today is widely regarded as the most successful safety regulatory regime in technology history, responsible for reducing the commercial aviation fatality rate by orders of magnitude. In fact, the CSIS (2023) explicitly recommends an ASIAS-like (Aviation Safety Information Analysis and Sharing) system for AI incident reporting.
What’s the Capability-Governance Divergence?
There’s some kind of divergence between AI governance and AI capabilities, but the exact form and magnitude of the divergence isn’t clear.
Obviously AI capabilities have accelerated dramatically over the past few years, with huge increases on benchmark performance, to the point some people are wondering if benchmarks are dead. And in terms of adoption, adoption among U.S. businesses rose from 5.2% in January 2023 to 43.8% by September 2025.
In terms of growth rates, AI adoption in the hits 8.4× while regulation reaches 2.4×. Adoption grew approximately 3.5× faster than the number of binding rules since 2023.
The Chatham House 2026 report predicts that “regulatory divergence will intensify through 2027, with the EU-US gap widening.” Meanwhile, the UNDP predicts that asymmetries in governance capacity might widen inequality between countries. The four major AI governance regimes -- the US, the UK, the EU, and China -- are adopting different governance approaches commensurate with their values, and the differences between these schemas are likely widening, not converging.
There’s work to be done standardizing dimensions to measure governance capability.
Geographic and Sectoral Data Gaps
There are substantial gaps in the literature when it comes to geography and specific industrial sectors.
Most research and data regarding regulation and governance focuses on the Global North, leaving thin data on capacity and activity in the Global South.
According to the Stanford AI Index 2026, 2024 saw many countries, primarily emerging economies across sub-Saharan Africa, the Middle East, and Central Asia, actively develop regulatory strategies, but most of these appear to be non-binding, and infrastructure to support these agreements isn’t keeping pace with the rate these strategies are being developed. Africa is the clearest documented gap. During March of 2024, only seven African countries had drafted national AI strategies, and none of those strategies included comprehensive AI regulations.
This lack of infrastructure capacity likely explains some of the governance gap.
The structural bias in the literature is likely due, at least in part, to the Brussels Effect, which is the assumption that due to the EU AI Act’s regulatory dominance its standards will diffuse internationally. In other words, it’s assumed that the completeness of the EU standards will make other countries conform to these standards. Yet this establishes a feedback loop where Global North frameworks get studied because they exist while frameworks in the Global South don’t get studied because they’re sparse. This perpetuates their thinness in the literature.
Much of the regulatory research also tends to aggregate AI regulation data across all sectors. This could obscure relevant differences in how AI unfolds across specific fields like healthcare, biosecurity, criminal justice, and energy.
Healthcare is the most studied sector by far, having a fair amount of dedicated literature and binding regulatory activity.
The EU’s AI Act (March 2024) and Council of Europe’s Framework Convention on AI and Human Rights, Democracy and the Rule of Law (September 2024) both have provisions covering AI and health services. Meanwhile, the US has the FDA’s Predetermined Change Control Plan guidance (December 2024). AI regulation in healthcare is genuinely more developed than in other sectors, but many other sectors aren’t as developed when it comes to coverage.
Compare other industries such as criminal justice, where despite AI deployment being commonplace for tasks like recidivism prediction and predictive policing, binding regulation has lagged far behind the healthcare industry. While the EU AI Act classifies remote biometric identification and recidivism prediction tools as high-risk applications of AI, there’s no equivalent federally binding instrument in the US.
Probably the most consequential regulatory gap is the domain of biosecurity. Proteins generated by AI could be functionally equivalent to known hazardous proteins, like toxins, but undetectable by current biosecurity methods. Homolog-based screening is the primary method of screening potentially dangerous synthetic DNA orders, done by comparing the ordered sequences against databases of known toxins and pathogens. However, AI models could lower the barrier to discovery and procurement of similarly hazardous proteins not in these databases.
The Paraphrase Project confirmed that this vulnerability existed. By using a tool called EvoDiff the researchers were able to generate thousands of variants of known toxins that went undetected by the major commercial screening methods. The detection rate was as low as 23%, although after collaborative patching, detection did improve up to 97%. A 3% gap persists.
There have been almost no binding regulatory responses addressing this issue. In 2024, there was the OSTP Nucleic Acid Synthesis Screening Framework, which set a deadline for the proposals of regulatory frameworks to address new capabilities in DNA printing. However, the deadline has passed and no new frameworks have been announced. While the July 2025 America’s AI Action Plan mentioned DNA synthesis as a consideration for regulation, no new binding regulations have been issued.
The one notable exception to the pattern of no regulation around biosecurity is the EU AI Act’s dual-use amendment. This amendment did include AI-driven gene synthesis platforms as an item for control, though it doesn’t specifically target protein structure prediction tools like RFdiffusion or AlphaFold.
The Energy sector appears particularly sparsely covered in terms of regulation. I find almost no peer-reviewed publications that actually discussed AI regulatory strategies in the energy domain, which itself seems notable.
As previously mentioned, corporate AI research is biased towards pre-deployment areas. This exacerbates the sector aggregation issue described above. As safety research is biased towards pre-deployment and regulatory counts pool sectors together, there’s actually little evidence on what regulation affects real-world deployments across these different sectors.
The Brookings Institute argues for regulatory approaches that are comprehensive but also enable granular rule creation for specific applications, simply because the proliferation of AI in different socioeconomic contexts creates unique challenges in those specific contexts.
What is the average regulatory lag?
Quantitative estimates of “regulatory lag”, the time it takes between a new AI capability being established and the creation of laws that regulate that capability, are pretty scarce.
The best available data is basically just extrapolation from mentions of AI in regulatory contexts. The Stanford HAI AI index tracks legislation across 75 different countries and finds that mentions of AI in regulatory contexts and legislative proceedings have multiplied ninefold since 2016 while federal regulations have doubled, going from 25 in 2023 to 59 in 2024. This tells us that regulators are paying more attention to AI but we don’t know how long it takes for them to take notice or act on new AI developments.
In my research I found that there doesn’t seem to be any formal method of quantifying “regulatory lag”. This is problematic for various reasons, but the main one is that it reduces our ability to estimate how quickly society will adapt to new AI technologies. Many things are downstream from this estimation, including determining when regulatory rules will become outdated and need updating, how to speed up regulatory changes, and how many improvement cycles will occur between rounds of regulation.
For this reason, I attempted to establish a framework that quantifies two different types of regulatory lag: The lag between recognition of a new AI capability and the creation of binding laws meant to deal with that capability.
Under this T0/T1/T2 framework, every lag is measured from a given capability milestone (T0). Recognition lag is defined as T1−T0, while response lag is defined as T2−T1. Negative recognition lag happens when a governance framework predates the capability, indicating anticipatory regulation.
I did this by defining a number of specific AI capability announcements and milestones, searching for formal recognition of capabilities/binding regulations, then calculating the differences between the regulatory related events and the announcements. I investigated how the lag changed across different AI subdomains and different regulatory jurisdictions -- The US, the UK, EU, and China.
Table of the six capability milestones tracked in the analysis. Includes different AI sub-fields: LLMs, autonomous vehicles, and protein prediction. Each capability milestone is coded across four jurisdictions (US, EU, UK, China) for both first recognition (T1) and binding rules (T2). The results discussed in the following section reflect these specific milestones (meaning it’s not "AI regulation" in general).
I found that the median expected lag between a new AI capability’s announcement and the creation of binding laws varies substantially across regulatory jurisdictions. Based entirely on data from 2017 to the end of 2025, the median total lag for regulation is 10.2 months for China, while the EU’s lower bound is 32.1 months and the upper bound 62.2 months.
This table describes the time from the first announcement of a capability (T0) to the first binding rule (T2), across all four jurisdictions. Bold text marks the fastest completed observation. Arrows mark right-censored cases, meaning no binding rule had gone into effect by December 31, 2025. Note that China is fastest on every completed milestone.
At the moment of writing, many laws haven’t yet taken effect, so the lag data is subject to “right-censoring”.
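The T0/T1/T2 coding and the right-censoring described above can be computed as in the following added example, which is not the author's own analysis code. All dates and the jurisdiction labels X and Y are constructed, the 30.4375-day month is an assumption, and the Kaplan-Meier estimator is one standard way to take a median over censored durations, not necessarily the method used in the post.

```python
from datetime import date
from statistics import median

STUDY_END = date(2025, 12, 31)  # end of the observation window stated in the post
DAYS_PER_MONTH = 30.4375        # assumption: mean Gregorian month length


def months(start, end):
    """Signed distance between two dates in months."""
    return (end - start).days / DAYS_PER_MONTH


def code_milestone(t0, t1, t2, study_end=STUDY_END):
    """Code one milestone/jurisdiction pair.

    t0 = capability milestone, t1 = first recognition, t2 = first binding rule.
    A missing t2 is right-censored: the total lag is only known to be at
    least the time from t0 to the end of the observation window.
    """
    censored = t2 is None
    return {
        # Negative when the framework predates the capability (anticipatory).
        "recognition": months(t0, t1) if t1 else None,
        "response": months(t1, t2) if (t1 and t2) else None,
        "total": months(t0, study_end if censored else t2),
        "censored": censored,
    }


def km_median(rows):
    """Kaplan-Meier median of total lag, or None if the median is not reached.

    Censored rows stay in the risk set until their censoring time but never
    count as events, so they cannot pull the estimate downward.
    """
    at_risk = len(rows)
    surviving = 1.0  # estimated share of milestones still without a binding rule
    for t in sorted({r["total"] for r in rows}):
        here = [r for r in rows if r["total"] == t]
        events = sum(not r["censored"] for r in here)
        if events:
            surviving *= 1 - events / at_risk
            if surviving <= 0.5:
                return t
        at_risk -= len(here)
    return None


def lower_bound_median(rows):
    """Median with censored lags replaced by their censoring time.

    Every substituted value is <= the true lag, so this is a lower bound.
    """
    return median(r["total"] for r in rows)


# Constructed sample: (T0, T1, T2) per milestone; None means "not yet observed".
SAMPLE = {
    "X": [
        (date(2023, 1, 1), date(2023, 3, 1), date(2023, 9, 1)),
        (date(2023, 6, 1), date(2023, 7, 1), date(2023, 12, 1)),
        (date(2021, 7, 1), date(2022, 1, 1), None),
    ],
    "Y": [
        (date(2023, 1, 1), date(2021, 4, 1), date(2025, 8, 1)),  # anticipatory
        (date(2023, 6, 1), date(2021, 4, 1), None),
        (date(2021, 7, 1), None, None),
    ],
}

CODED = {j: [code_milestone(*m) for m in ms] for j, ms in SAMPLE.items()}

if __name__ == "__main__":
    for jurisdiction, rows in CODED.items():
        med = km_median(rows)
        shown = f"{med:.1f} months" if med is not None else "not reached"
        print(jurisdiction, "median total lag:", shown,
              "| lower bound:", f"{lower_bound_median(rows):.1f} months")
```

A jurisdiction whose median is "not reached" still has a defensible lower bound, which is why a fast regulator can report a point estimate while a slow one can only report a floor.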
In greater detail:
Governments often recognize capabilities rather quickly, but the transition to binding law is the main bottleneck:
China: China had a median total lag of 31 months in a collapsed milestone analysis, the fastest regulatory cycle out of the four jurisdictions. China responded to GPT-4 in just 5.0 months and to ChatGPT in just 8.5 months.
European Union: The EU’s median lag is estimated to have a lower bound of 62 months. Consider that the EU AI Act’s provisions for general-purpose AI (GPAI) are expected to take 51 months (roughly 4.3 years) from the formal proposal to the passing of binding law.
United States and United Kingdom: These jurisdictions did not reach a median within the study’s observation window (which ended December 2025) because most binding AI regulations are still pending or have been deferred in favor of soft law and voluntary commitments.
These modern AI timelines are rather compressed when you compare them to historical technological precedents. Mature regulation for these fields took years, if not decades:
Aviation: It was 23 years from the first flight to federal regulation, and 55 years before a dedicated agency was created.
Telecommunications: It took 58 years from the first telephone patent to the creation of the FCC.
Nuclear Power: A notable outlier that reached regulation in 4 years due to the combination of its government origins and existential urgency, though an independent safety regulator would take 33 years to create.
However, we should note that the lag time often depends on the exact capabilities in question. Autonomous vehicles are a subdomain of AI, and for this milestone specifically, the lag was relatively short. China reached binding regulation in nine and a half months and the US in 24 months (2 years).
Meanwhile, biosecurity saw the longest lag. The analysis found no binding regulations specifically addressing biosecurity-adjacent AI, like AlphaFold 2, had taken effect (in any jurisdiction) by the end of 2025. [4]
Why exactly is the timeline so compressed compared to other technologies? Several explanations present themselves:
Pre-existing infrastructure helps scaffold new regulatory frameworks and laws. The EU AI Act was explicitly built on GDPR’s legal architecture, extending the same models of risk-based classification, impact assessments, supervisory authorities, and extraterritorial reach.
Public salience probably plays a role, as issue salience for political movements is well-documented empirically. ChatGPT reached 100 million users in two months, which was one of the fastest consumer technology adoptions in history. This forced regulatory responses, and as we saw, the EU AI Act required major modifications mid-negotiation to address foundation models appearing during the legislative process. Media attention on AI surged, rising tenfold in the six months after ChatGPT’s launch. The discourse also shifted toward risks and political leaders.
Institutional memory is plausible, with regulators learning from prior technology governance failures. This seems consistent with the volume and speed of governmental engagement (governments created 36% of all AI soft law programs per Marchant and Gutierrez), but no empirical study has isolated institutional memory as a causal variable.
Geopolitical competition could have played a role, but the effects are often contradictory: it accelerates EU regulation (first-mover advantage in norm-setting), accelerates specific Chinese regulations, and decelerates US regulation (Trump’s 2025 executive order explicitly prioritized “removing barriers to American AI dominance”).
Still, no peer-reviewed empirical study has compared AI’s regulatory timeline to historical precedents using a consistent methodology.
I recommend further exploration.
Anticipatory Legislation vs Reactive Legislation
It seems meaningful to distinguish between two types of legislation. Reactive legislation merely responds to capabilities or crises, while anticipatory legislation attempts to create the governance frameworks to control these things before capabilities have fully manifested.
In the “T0/T1/T2” framework described above, reactive regulation displays a positive lag (T1 happens after T0). Meanwhile, anticipatory regulation results in a negative recognition lag, meaning the government created a policy document before the capability was demonstrated in public.
It seems that reactive legislation is almost always catalyzed by disaster or high-salience shocks. Consider events like the sulfanilamide disaster for pharmaceuticals or the launch of ChatGPT for AI. In contrast, anticipatory regulation leverages regulatory foresight, with regulatory officials aiming to handle potential developments. Anticipatory efforts must reckon with the “Collingridge Dilemma” (technologies are easy to influence when young, but their impacts are hard to foresee; by the time the impacts become clear, the technology is often too entrenched to easily influence).
Despite the difficulty inherent in the Collingridge Dilemma, we are seeing more proposed or implemented anticipatory frameworks:
The EU AI Act (Original Proposal): The first draft of the EU AI Act, dated April 2021, is a significant example of an anticipatory framework, coming years before ChatGPT (2022) or GPT-4 (2023), and accordingly recognition lags were 19 to 23 months for those two capabilities.
Singapore’s “Living Document” Model: Singapore publishes governance frameworks as “living documents”, updating these docs every 6–12 months. They most recently released their Model AI Governance Framework for Agentic AI on January 26, 2026. The goal is to empower the regulator to iterate alongside the technology (such as releasing an Agentic AI governance framework in early 2026, shortly after AI agents became prominent in the open source space and the media landscape).
Mechanisms for Creating Anticipatory Legislation
Certain mechanisms may aid governments in “getting ahead” of capability development, in the sense of anticipating how technology is likely to evolve and operationalize:
Horizontal regulatory scope: Anticipatory laws create functional definitions that encompass any AI system meeting certain criteria, rather than specific systems. This “horizontal” approach allowed the proposed 2021 EU AI Act to apply to later-developed LLMs.
Using existing legal infrastructure: Regulators can employ broad, pre-existing infrastructure to respond to new capabilities immediately. Italy’s data protection authority utilized the GDPR powers to ban ChatGPT within 120 days of its launch, effectively “getting ahead” of purpose-built AI laws that would take years to pass. (Though one might argue about the necessity of this.) Utilizing existing legal infrastructure appears to be the most consistent predictor of shorter regulatory timelines.
Government-as-First-Adopter: Singapore involves the state in implementing AI in public services before regulating private use. This builds both technical expertise and internal regulatory capacity, facilitating understanding and anticipation of risks before they reach the broader market.
Iterative “Living Document” approaches: Singapore’s governance strategy is to publish governance frameworks not as set-in-stone legal statutes but as living documents which are updated every 6 to 12 months. This allows regulators to respond to new frontiers, like agentic AI, more expediently by cutting out excess processes and reusing existing documentation.
Tiered risk thresholds: Technical proxies can be used to anticipate future risks, as in the EU AI Act, which used a 10²⁵ FLOPs training compute threshold to identify “systemic risk” in models that did not yet exist when the Act was drafted. This does necessitate technical expertise.
Strategies to Speed Up Regulation
The regulatory process (and government movement in general) is notoriously slow. However, there are apparently several mechanisms that can reduce the time between a capability’s emergence and a binding response, outside of living document approaches and using existing legal infrastructure:
Layered Targeting: China’s model involves creating targeted regulations, layered on top of one another for specific capabilities (generative AI, algorithmic recommendations, deep synthesis) instead of waiting to pass a single omnibus bill. This is likely part of the reason China had the fastest measured total lags, responding to some milestones in as little as 5.0 to 8.5 months.
Regulating “Chokepoints”: Some experts suggest regulating the infrastructure stack (chips and compute) rather than trying to regulate every specific application, which follows the historical model of telecommunications regulation. You can see this in the EU AI Act’s use of a 10²⁵ FLOPs training compute threshold to label “systemic risk”.
Again though, the success of all of this depends on regulatory independence. Many failures in technology governance can be traced back to a lack of independence from the body the regulation applies to. Ensuring the regulator remains free of influence from both industry and promotional mandates is the most reliable predictor of long-term, effective governance.
Other Miscellaneous Measurement Gaps
Other gaps in the landscape include the following:
What creates new regulatory bodies?
A few different factors seem to predict the creation of new regulatory bodies or frameworks. Agenda-setting is cited as the primary mechanism industry uses to shape policy, according to RAND Corporation research. Geopolitical competition certainly plays a role as well, with the Biden EO aiming to place US leadership ahead of both EU and Chinese regulatory endeavors. While academic and civil society advocacy can create pressure, it seems they rarely trigger action alone. Capability thresholds appear necessary but not sufficient for the creation of regulatory frameworks. While thresholds like the EU AI Act’s 10²⁵ FLOPs exist in regulatory frameworks, they likely weren’t the proximate trigger for those frameworks’ creation.
What bridges the gap between adoption and governance?
Corporate governance maturity is typically assessed with survey data from agencies like McKinsey, Deloitte, PwC, IAPP, etc. Regardless of the source, the finding is generally consistent: adoption outpaces governance by a wide margin. There’s strong convergent validity. More specifically, McKinsey’s 2026 AI Trust Maturity Survey introduced a 4-point maturity scale. There’s an average score of 2.3/4.0 across the industry, with only approximately 30% of organizations reaching level 3 or higher. It isn’t clear what tactics decrease the adoption and governance gap, except that organizations which invest $25 million or more in responsible AI consistently report higher maturity along with an EBIT impact above 5%.
[1] What about agenda-setting in the sense of industry actions, or special interest groups? If the AI industry tries to influence policy by advancing anti-regulation narratives, that’s sometimes called second-level agenda-setting or framing. And while my analysis can’t really speak to this, there is one notable finding in the analysis: positive coverage is actually correlated with more regulation, not less. If industry actors were successfully suppressing regulation through positive framing, you’d expect the opposite pattern.
[2] I should point out that there’s a potential self-selection effect here that the analysis doesn’t really deal with; better performing firms might self-select into these kinds of voluntary agreements. The analysis attempts to address this. The effects described are also just aggregate correlation. Despite this, I think it’s likely that firms in stringent voluntary agreements tend to have better outcomes as defined by those standards, though we can’t say why.
[3] …Aside from all of this, there’s also a capacity gap between private investment in AI firms and the relatively small budgets allocated to regulation enforcement by organizations like the EU. Increased funding would likely help narrow the knowledge gap by allowing regulatory bodies to attract more knowledgeable talent and define new standards for measuring effectiveness.
[4] Note that the “acceleration” you can see in later milestones (like GPT-4) is likely a window truncation artifact due to the EU AI Act hitting multiple previously developed capabilities at the same time.
The AI regulatory space is a rapidly developing and maturing one, and while a lot of work has recently been done to draft new bills and establish new frameworks, there’s still a ton we don’t know about the space. This post aims to quantify and qualify some of the “known unknowns” about the space, including what I believe to be one of the most consequential unknown variables: The lag time from when new AI capabilities are announced to when regulatory bodies acknowledge or pass legislation targeted at them.
My research into this topic covered six different categories:
1) Regulatory adequacy
2) Regulatory causality
3) Soft law effectiveness
4) Incremental vs novel capabilities
5) Preceding disasters
6) Regulatory lag
7) Miscellaneous Measurement Gaps
The Definition of “Regulatory Adequacy”
As far as I can tell, there’s no definition of “regulatory adequacy”. That is, there’s no agreed on definition for what “adequate” governance would actually look like.
Granted, it’s quite hard to know what “adequate” looks like in governance as you’re generally trying to optimize for something not happening. But the lack of any real standard does have costs as it makes claims about “widening gaps” between capability development and governance rather fuzzy. No standardized metrics exist for determining if a framework or law actually improves the public trust, increases model safety, or reduces AI-related harms. And without legible standards for what counts as success it’s difficult to work backwards and determine what types of advocacy or legislation campaigns are actually effective at achieving their goals.
Most databases or indices of AI governance such as OECD.AI or Stanford HAI measure just the quantity of governance, like the number of laws passed or how many strategies/frameworks have been published. For instance, the OECD.AI Index combines 28 indicators that track OECD’s AI principles, but these measure only policy implementation and capacity. They don’t track how effective policies are at achieving their goals.
Similarly, The Stanford HAI AI Index is likely the gold standard for legislative activity tracking, with longitudinal data covering legislative proceedings for 75 different countries, U.S. state and federal legislation, and global AI safety institute proliferation. Ultimately though it tracks legislative activity, enforcement actions, and compliance costs, essentially counting the volume of governance but not quality. Meanwhile, Georgetown CSET’s AGORA catalogs more than 950 AI governance documents. Finally, the Oxford Insights Government AI Readiness Index covers 195 governments over roughly 40 different indicators, but it measures prerequisites for governance and not actual outcomes.
In the regulatory theory literature, there are some approximations, suggested techniques for assessing adequacy and efficacy. Cary Coglianese suggests using a relevant framework that tracks three regulatory dimensions: inputs/activities (rules adopted, resources deployed), behaviors (compliance by regulated entities), and outcomes (changes in the underlying problem). He argues that the best indicators of regulatory efficacy will “almost always be those that measure the ultimate problem the regulation or process was intended to solve.”
For governance in general, the World Bank’s Worldwide Governance Indicators does have a “Regulatory Quality” dimension that might be worth adapting, but even it captures perceptions of government capacity and not outcomes. Are we starting to notice a theme?
There’s some intuitive causes for the field’s failure to define adequacy.
The first is just how nascent the field is. AI governance is essentially less than a decade old, and most frameworks simply haven’t been around long enough for outcome evaluation. There’s also a problem of competing values. Different jurisdictions define “adequate” differently based on what they value, so while the EU prioritizes rights protection, the US emphasizes innovation, and China is focused primarily on state control.
Of course, there’s measurements problems as well. The causal chain that runs regulation to behavior change to outcome improvement is genuinely difficult to measure.
Finally, there’s a political economy problem. In order to measure whether regulation works, you also need to measure whether regulators are doing their jobs. This isn’t an unsolvable problem, you could come up with some quantitative metric that would track regulator activity and effectiveness, like how in the finance regulation context the Basel accords define capital adequacy.
The Basel Accords work by translating abstract goals like “banks should be safe” into hard numbers that are auditable. No such framework has been proposed for AI thus far. But you might define thresholds for institutional function like investigation velocity, enforcement ratio, guidance issues lag, staffing adequacy, incident rate per user-exposure-hour, severity-weighted harm index, and similar.
I consider this to be one of the most important gaps to fill in the regulatory landscape, and a lot more research is required to move from counting “governance inputs” to measuring “governance outcomes”.
Causality: What Actually Drives Regulation?
While we do know that the number of laws and governance frameworks have surged in recent years, we don’t know what the actual causal mechanism is.
Based on my research I can make some educated guesses. The driving force behind new regulation for AI is most likely some combination of high-salience technological breakthroughs combined with a surge in public attention and/or historical patterns of crisis-response.
We generally see that novel capabilities drive media coverage, and media coverage does tend to correlate with increased regulation. While most people have an intuition that it’s actually alarmist news that drives regulation, it could be that any coverage leads to more regulation.
I analyzed over a decade of global media coverage for two transformative technologies: artificial intelligence and nuclear energy. I made use of the GDELT database, which tracks hundreds of thousands of news articles worldwide. These database entries were then combined with Google Trends search data and a hand-coded database of regulatory events spanning 2015 to 2025. At the end, three findings jumped out, and two of them cast doubt on the typical story.
Panel C shows AI regulatory events shot up from 0.15 to 1.00 per month after ChatGPT's launch (Nov 2022). This coincides with the most positive sustained AI coverage and the largest spike in public search interest in the dataset.
In my data, the most enthusiastic period of AI journalism coincided with the sharpest acceleration in regulatory activity. It’s possible that regulators just respond to technologies being prominent on the public agenda and framed as national strategic priorities, rather than responding solely to danger signals…
That said, statistical tests were inconclusive regarding if public attention genuinely predicts regulation or if laws, media, and new capabilities are all just rising together at the same time.
I can say that media and public attention are tightly coupled (r = 0.538–0.641), and an agenda-setting theorist might argue that the correlation reflects journalist working through channels the analysis doesn’t capture like framing effects that don’t show up in search volume but still influence elite opinion instead of mass public attention. This seems possible. There’s a kind of mutually reinforcing feedback loop going on where both public attention and media coverage co-evolve together… [1]
Technical milestones like the announcement of AlphaFold or the release of ChatGPT function at catalysts that drive attention, and with it, regulation. My own investigation into the distribution of regulatory events over time found that the number of regulatory events (of any kind) rose from 0.15 per month to 1.00 per month following the launch of ChatGPT.
The EU AI Act is probably the cleanest example of new products forcing legislative revision. While the original proposal (April 2021) didn’t have provisions for general-purpose AI models, ChatGPT’s appearance during negotiations forced co-legislators to draft an entirely new chapter. The Center for Democracy and Technology noted it was “after the surge in popularity of ChatGPT… that the co-legislators drafted a dedicated chapter.”
Regulatory responses to AI capability advances were minimal or nonexistent before the Gen AI era. The early breakthroughs like AlexNet breakthrough (2012) and AlphaGo (2016) generated no direct regulatory responses (that I’m aware of). Only GPT-2’s staged release in 2019 is a notable governance action, and note that it was industry-led self-governance rather than government regulation.
There’s also a geopolitical angle to this whole thing. Regulatory activity can be pushed by a desire to respond to the efforts of geopolitical rivals or strengthen national leadership. Part of the rationale for the Biden Executive Order was to position the US ahead of Chinese and EU regulatory efforts.
Once a desire to create legislation is present, the speed of a government’s regulatory response is influenced by how effectively it can repurpose existing laws/legal frameworks. It’s notable that Italy responded to the unveiling of ChatGPT in around 120 days because it leveraged powers that existed under the GDPR, while the EU AI Act took years to finalize. Compare that to: China’s proposed generative AI rules that came roughly 170 days later and were enacted within 258 days, the Biden Executive Order followed after 334 days, and the EU AI Act that was finalized after 373 days (though it had been under development since 2021).
Italy’s response was the fastest because it deployed GDPR powers, not new AI legislation. Meanwhile, China’s iterative approach was built on regulation of prior algorithms and deep synthesis and the U.S. used Defense Production Act authority. Existing legal infrastructure determines response speed.
The Effectiveness of Soft Law
In order that a regulation is effective and not just symbolic, it typically requires independence from both promotional mandates and the industry it regulates. We can look at incidents like the Fukushima disaster and other catastrophic failures in history that were often caused by regulatory capture, where the body in charge of safety was the same one promoting the technology.
Soft law is essentially codes of conduct and voluntary guidelines rather than legal frameworks enforced by liability and other punitive measures, and its voluntary nature cuts against independence as enforcement is left to the industry itself.
The primary advocate for soft law in AI technology governance is Gary Marchant at ASU and he has built out a fairly comprehensive directory of AI soft law. Alongside Gutierrez, he identified 634 AI governance programs globally, and it’s notable that around 90% of them were created between 2017–2019. Of these soft law programs, government institutions created 36%, which is actually more than industry created alone.
There are typically two categories of rebuttal to Marchant’s position. First, the institutional capture argument argues that voluntary commitments like these often just serve to cover firms while they go about business as usual. Second, the critique that soft law actually forestalls the passage of binding regulation (ex. The VW emissions and Boeing 737 MAX cases all demonstrated failures of self-regulation that ultimately required regulatory intervention).
This raises the question: "How effective are soft law arrangements, in reality?" One does wonder how effective these soft law schemes are without enforcement mechanisms, which most of them lack. Marchant’s own data reveals that in terms of enforcement “only 30% of programs publicly mention an enforcement or implementation mechanisms”.
In 2024 Flankova et al. released a meta-analysis that rounded up 103 studies covering a combined 23 VEPs (Voluntary Environmental Programs). It finds that in certain conditions voluntary programs actually can improve outcomes, provided there’s quality standards and clear reporting mechanisms. High quality VEPs will have clear objectives, independent monitoring, and meaningful sanctions. Programs lacking these features won’t have success.
We know that there’s some meaningful blind spots when it comes to corporate assessments of risk. An analysis of more than 9400 papers regarding generative AI found that just 4% of papers from corporate sources analyzed risks like misinformation, persuasion, disclosures, medical and financial contexts, or other core safety related topics. Furthermore, most corporate AI research focuses on AI in pre-deployment contexts, with relatively little attention paid to models post-deployment.
The quality and stringency of the program really matters. Programs without stringent requirements and monitoring are joined to greenwash firms, and firms exploit information asymmetries to join these lenient programs. This tracks with other findings that non-binding NGO pressure along doesn’t lead to reliable changes in corporate behavior. [2]
There’s some evidence that suggests simply asking people to abide by a Code of Ethics doesn’t work. McNamara et al. (2018) ran a randomized experiment with 63 students and 105 professional developers and found that telling them to consider the ACM Code of Ethics had “no observed effect” compared to a control group. The sample size here is just too small to really draw too much from it, although I guess it’s consistent with voluntary agreements having a small effect that this study was too under-powered to see. I’d be willing to buy that a one time exposure to a code doesn’t meaningfully shift behavior by itself, and if we want effects it probably has to be combined with the kinds of actual standards and accountability mechanisms described above.
Even Marchant acknowledges that traditional soft law methods are quite often “too vague and general to have any real impact“, and is advocating instead for what he calls “Soft Law 2.0“. This is basically soft law combined with various enforcement mechanisms to try and make it effective, with internal levers (like dedicated budgetary allocations, mandatory employee training, and internal auditing committees) combined with external levers like third-party verification and public rankings. This reads like an admission that traditional soft law schemes don’t work.
It does seem like under certain conditions, soft law can work. If there’s a credible background threat of regulation such as the gaming industry’s ESRB, that can work fairly well. Also consider access to valued resources gated by compliance (like stem cell research guidelines enforced via journal publication requirements), or technical interoperability leading to self-enforcing incentives (IETF/W3C internet standards).
The Marchant “Soft Law 2.0” toolbox is roughly based on the conditions found in these successes, but it remains a proposal, untested at the time of this writing.
What remains unknown is the degree to which AI-specific soft laws have actually produced behavioral changes in the companies and developers they claim to affect. We can make some reasonable guesses at how effective they will be. Meta-analyses done on soft law in other industries find that these voluntary programs can work, but only when the objectives are clear, there’s independent monitoring, and the threat of meaningful sanctions exists. And based on the figures above, it’s thought that about 70% of current AI soft law programs don’t meet the conditions.
Asymmetries Regarding Incremental vs. Novel Capabilities
There’s a few asymmetries that make creating effective regulation harder.
Effective regulation is dependent on technical expertise to inform regulators, and a major dependency for “regulatory adequacy” is addressing the knowledge gap that exists between AI development companies and regulatory bodies.
I don’t believe that the governance literature currently, explicitly distinguishes between incremental capability improvements and net-new capability types. I couldn’t find any documents explicitly using this separation as a consideration framework for regulatory design. Which is concerning, as the evidence suggests the two types of capability changes create different governance challenges.
You can see this in the case of the EU AI Act, where legislators had to work overtime to respond to the arrival of ChatGPT on the scene. The result was a two-tiered system, one that had basic transparency obligations for all GPAI models and a series of additional requirements for models that exceeded a 10²⁵ FLOPs training compute threshold. The July 2025 Guidelines would then further distinguish between substantial modifications that made changes to a high-risk AI system, and lesser modifications that were regulatory continuations of the same model.
Agentic AI is the current frontier of capability governance challenges. Many previous governance frameworks are focused on AIs “creating content”, but this moves the relevant consideration to “accomplishing complex tasks autonomously”, also undercutting the assumption of human-in-the-loop oversight most existing frameworks have. Some frameworks are emerging, such as the OWASP Foundation identifying “Excessive Agency” as a distinct vulnerability category, but these remain largely aspirational.
You can also see this dynamic at play in the pharmaceutical regulatory framework, where small-molecule drugs go through the well-established New Drug Application pathway, where generic equivalents only need to show bioequivalence. The emergence of Biologics necessitated the creation of a different drug class along with a new licensing application process (BLA vs. NDA), a separate FDA center (CDER), and distinct rules for handling of biosimilars.
The pattern is pretty familiar by this point. Incremental improvements in known categories of technology are handled through established pathways, but genuinely novel modalities require the painstaking process of creating entirely new regulatory categories, evaluation frameworks and institutional structures.
This gets even more complicated when you talk about the possibility of emergent capabilities. Wei et al. (2022) defined them as capabilities “not present in smaller models but present in larger models” that “cannot be predicted simply by extrapolating.” The implication is that incremental scaling could result in new, unforeseen capabilities, which would blur the very boundaries needed to make this distinction. This is controversial, though, as Schaeffer et al. (2023) argued that this is largely a measurement artifact.
CSET Georgetown attempts a pragmatic resolution, arguing that whether or not emergence is “real”, what we care about for governance is capability predictability. In this sense, the EU AI Act’s compute threshold is a bet on where novel capabilities may arise.
…And so currently there’s no systematic way to reliably distinguish between incremental improvements like the common scaling of existing models vs the establishment of new capability types like agentic AI systems. The failure to distinguish between them means governance frameworks often have to scramble to address new capabilities that emerge during the writing process for new regulations. Better delineation between capability types and improvements could help regulators respond quicker and draft anticipatory regulation. [3]
Can Regulation Precede Disaster?
Most regulation occurs because some sort of crisis happens, some disaster (or near disaster) that forces society to pay attention. This is the crisis-response pattern of regulation. In most other high-risk industries such as pharmaceuticals, effective regulation was only catalyzed by a major disaster, so the question is whether AI can be the exception to this trend.
There are some rare examples of industries or disciplines essentially self-regulating when faced with technologies that could genuinely be devastating in the right hands. While the 1975 Asilomar Conference is sometimes seen as a template for proactive scientific self-governance, it’s not clear it can be replicated in the AI industry due to different dynamics.
Several unique circumstances made Asilomar possible, which would probably not recur today. Katja Grace’s deep dive on the Asilomar Conference covers this all in more detail, but the short version is that some combination of the geopolitical environment along with the threat of legal liability and the knowledge that Congress was already actively considering legislation made self-governing seem attractive.
Matthew Cobb also called out that there were two considerations that didn’t make it into the conversation: commercialization and bioweapons. The Soviet Union’s massive bioweapons program did use recombinant DNA techniques, which was something Asilomar explicitly excluded from discussion. Had either topic surfaced, the history of the event might have been pretty different.
What does seem clear is that the environment in which Asilomar happened is radically different from the environment AI is being developed in. The AI industry is globally distributed and driven by massive private commercial interests, as opposed to the small group of academics that made up the Asilomar Conference.
The better reference for policy wonks and regulators looking to craft regulation before a disaster might be the aviation industry. The first federal regulation happened in 1926 with the Air Commerce Act, and somewhat unusually the aviation industry itself lobbied for federal regulation. It was believed “the airplane could not reach its full commercial potential without federal action to improve and maintain safety standards”. Specifically, President Calvin Coolidge appointed a board to study aviation safety and the role the federal government had to play, at the behest of aviation industry leaders, which led to the passing of the Air Commerce Act later on.
The combined FAA + NTSB + ICAO system that we have today is widely regarded as the most successful safety regulatory regime in technology history, responsible for reducing the commercial aviation fatality rate by orders of magnitude. In fact, CSIS (2023) explicitly recommends an ASIAS-like (Aviation Safety Information Analysis and Sharing) system for AI incident reporting.
What’s the Capability-Governance Divergence?
There’s some kind of divergence between AI governance and AI capabilities, but the exact form and magnitude of the divergence isn’t clear.
Obviously AI capabilities have accelerated dramatically over the past few years, with huge increases in benchmark performance, to the point that some people are wondering if benchmarks are dead. And adoption among U.S. businesses rose from 5.2% in January 2023 to 43.8% by September 2025.
Governing bodies have taken notice and are responding, but not fast enough to prevent a gap from emerging. The number of national AI safety institutes went from zero to 11+ in under two years. Meanwhile, the number of AI-related regulations in the US went from 11 in 2021 to almost 60 in 2024. Generally though, we expect that governing bodies will struggle to keep up with the pace of AI innovation, especially if traditional governance schemes are relied on.
In terms of growth rates, AI adoption hits 8.4× while regulation reaches 2.4×. Adoption grew approximately 3.5× faster than the number of binding rules since 2023.
The Chatham House 2026 report predicts that “regulatory divergence will intensify through 2027, with the EU-US gap widening.” Meanwhile, the UNDP predicts that asymmetries in governance capacity might widen inequality between countries. The four major AI governance regimes (the US, the UK, the EU, and China) are adopting different governance approaches commensurate with their values, and the differences between these schemas are likely widening, not converging.
There’s work to be done standardizing dimensions to measure governance capability.
Geographic and Sectoral Data Gaps
There are substantial gaps in the literature when it comes to geography and specific industrial sectors.
Most research and data regarding regulation and governance focuses on the Global North, leaving thin data on capacity and activity in the Global South.
According to the Stanford AI Index 2026, 2024 saw many countries, primarily emerging economies across sub-Saharan Africa, the Middle East, and Central Asia, actively develop regulatory strategies, but most of these appear to be non-binding, and infrastructure to support these agreements isn’t keeping pace with the rate at which these strategies are being developed. Africa is the clearest documented gap. During March of 2024, only seven African countries had drafted national AI strategies, and none of those strategies included comprehensive AI regulations.
This lack of infrastructure capacity likely explains some of the governance gap.
The structural bias in the literature is likely due, at least in part, to the Brussels Effect, which is the assumption that due to the EU AI Act’s regulatory dominance its standards will diffuse internationally. In other words, it’s assumed that the completeness of the EU standards will make other countries conform to these standards. Yet this establishes a feedback loop where Global North frameworks get studied because they exist while frameworks in the Global South don’t get studied because they’re sparse. This perpetuates their thinness in the literature.
Much of the regulatory research also tends to aggregate AI regulation data across all sectors. This could obscure relevant differences in how AI unfolds across specific fields like healthcare, biosecurity, criminal justice, and energy.
Healthcare is the most studied sector by far, having a fair amount of dedicated literature and binding regulatory activity.
The EU’s AI Act (March 2024) and Council of Europe’s Framework Convention on AI and Human Rights, Democracy and the Rule of Law (September 2024) both have provisions covering AI and health services. Meanwhile, the US has the FDA’s Predetermined Change Control Plan guidance (December 2024). AI regulation in healthcare is genuinely more developed than in other sectors, many of which aren’t as developed when it comes to coverage.
Compare other industries such as criminal justice, where despite AI deployment being commonplace for tasks like recidivism prediction and predictive policing, binding regulation has lagged far behind the healthcare industry. While the EU AI Act classifies remote biometric identification and recidivism prediction tools as high-risk applications of AI, there’s no equivalent federally binding instrument in the US.
Probably the most consequential regulatory gap is the domain of biosecurity. Proteins generated by AI could be functionally equivalent to known hazardous proteins, like toxins, but undetectable by current biosecurity methods. Homolog-based screening is the primary method for flagging potentially dangerous synthetic DNA orders, done by comparing the ordered sequences against databases of known toxins and pathogens. However, AI models could lower the barrier to discovery and procurement of similarly hazardous proteins not in these databases.
The Paraphrase Project confirmed that this vulnerability existed. By using a tool called EvoDiff, the researchers were able to generate thousands of variants of known toxins that went undetected by the major commercial screening methods. The detection rate was as low as 23%, although after collaborative patching, detection did improve up to 97%. A 3% gap persists.
There have been almost no binding regulatory responses addressing this issue. In 2024, there was the OSTP Nucleic Acid Synthesis Screening Framework, which set a deadline for the proposals of regulatory frameworks to address new capabilities in DNA printing. However, the deadline has passed and no new frameworks have been announced. While the July 2025 America’s AI Action Plan mentioned DNA synthesis as a consideration for regulation, no new binding regulations have been issued.
The one notable exception to the pattern of no regulation around biosecurity is the EU AI Act’s dual-use amendment. This amendment did include AI-driven gene synthesis platforms as an item for control, though it doesn’t specifically target protein structure prediction tools like RFdiffusion or AlphaFold.
The energy sector appears particularly sparsely covered in terms of regulation. I found almost no peer-reviewed publications that actually discuss AI regulatory strategies in the energy domain, which itself seems notable.
As previously mentioned, corporate AI research is biased towards pre-deployment areas. This exacerbates the sector aggregation issue described above. As safety research is biased towards pre-deployment and regulatory counts pool sectors together, there’s actually little evidence on what regulation affects real-world deployments across these different sectors.
The Brookings Institute argues for regulatory approaches that are comprehensive but also enable granular rule creation for specific applications, simply because the proliferation of AI in different socioeconomic contexts creates unique challenges in those specific contexts.
What is the average regulatory lag?
Quantitative estimates of “regulatory lag”, the time it takes between a new AI capability being established and the creation of laws that regulate that capability, are pretty scarce.
The best available data is basically just extrapolation from mentions of AI in regulatory contexts. The Stanford HAI AI Index tracks legislation across 75 different countries and finds that mentions of AI in regulatory contexts and legislative proceedings have multiplied ninefold since 2016 while federal regulations have doubled, going from 25 in 2023 to 59 in 2024. This tells us that regulators are paying more attention to AI, but we don’t know how long it takes for them to take notice or act on new AI developments.
In my research I found that there doesn’t seem to be any formal method of quantifying “regulatory lag”. This is problematic for various reasons, the main one being that it reduces our ability to estimate how quickly society will adapt to new AI technologies. Many things are downstream from this estimation, including determining when regulatory rules will become outdated and need updating, how to speed up regulatory changes, and how many improvement cycles will occur between rounds of regulation.
For this reason, I attempted to establish a framework that quantifies two different types of regulatory lag: the lag between a new AI capability’s announcement and its formal recognition, and the lag between that recognition and the creation of binding laws meant to deal with that capability.
Under this T0/T1/T2 framework, every lag is measured from a given capability milestone (T0). Recognition lag is defined as T1−T0, while response lag is defined as T2−T1. Negative recognition lag happens when a governance framework predates the capability, indicating anticipatory regulation.
I did this by defining a number of specific AI capability announcements and milestones, searching for formal recognition of capabilities/binding regulations, then calculating the differences between the regulatory related events and the announcements. I investigated how the lag changed across different AI subdomains and different regulatory jurisdictions: the US, the UK, the EU, and China.
Table of the six capability milestones tracked in the analysis. Includes different AI sub-fields: LLMs, autonomous vehicles, and protein prediction. Each capability milestone is coded across four jurisdictions (US, EU, UK, China) for both first recognition (T1) and binding rules (T2). The results discussed in the following section reflect these specific milestones (meaning it’s not "AI regulation" in general).
I found that the median expected lag between a new AI capability’s announcement and the creation of binding laws varies substantially across regulatory jurisdictions. Based entirely on data from 2017 to the end of 2025, the median total lag for regulation is 10.2 months for China, while the EU’s lower bound is 32.1 months and the upper bound 62.2 months.
This table describes the time from the first announcement of a capability (T0) to the first binding rule (T2), across all four jurisdictions. Bold text marks the fastest completed observation. Arrows mean that cases are right-censored, so no binding rule had gone into effect by Dec 31, 2025. Note that China is fastest on every completed milestone.
At the moment of writing, many laws haven’t yet taken effect, so the lag data is subject to “right-censoring”.
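The T0/T1/T2 bookkeeping described above, including the right-censored case, as an added Python example that is not the analysis code behind this post. The milestone and jurisdiction names and all dates are constructed, and the 30.4375-day month and the lower-bound flag on the median are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

DAYS_PER_MONTH = 30.4375       # assumption: average Gregorian month length
CUTOFF = date(2025, 12, 31)    # end of the observation window named in the post


@dataclass(frozen=True)
class Observation:
    milestone: str
    jurisdiction: str
    t0: date                   # T0: capability milestone announced
    t1: date                   # T1: first formal recognition
    t2: Optional[date] = None  # T2: first binding rule in effect (None = none yet)


def months(start: date, end: date) -> float:
    """Signed interval in months, rounded to one decimal."""
    return round((end - start).days / DAYS_PER_MONTH, 1)


def lags(obs: Observation, cutoff: date = CUTOFF) -> dict:
    """Recognition (T1-T0), response (T2-T1) and total (T2-T0) lag.

    With no binding rule by the cutoff the case is right-censored: the
    response and total lags are measured to the cutoff and are lower bounds.
    """
    censored = obs.t2 is None or obs.t2 > cutoff
    end = cutoff if censored else obs.t2
    return {
        "recognition": months(obs.t0, obs.t1),  # negative = anticipatory
        "response": months(obs.t1, end),
        "total": months(obs.t0, end),
        "censored": censored,
    }


def median_total_lag(observations, cutoff: date = CUTOFF):
    """Return (median total lag, is_lower_bound).

    Censored cases enter at their lower bound. The median is exact only if
    no censored case sits at or below the middle of the sorted sample,
    because a censored value can only grow once a rule takes effect.
    """
    rows = sorted((lags(o, cutoff) for o in observations),
                  key=lambda r: (r["total"], r["censored"]))
    if not rows:
        raise ValueError("no observations")
    upper_middle = len(rows) // 2
    is_lower_bound = any(r["censored"] for r in rows[:upper_middle + 1])
    return median(r["total"] for r in rows), is_lower_bound


# Constructed sample data, not taken from the post's tables.
SAMPLE = [
    Observation("milestone-A", "J1", date(2023, 1, 1), date(2023, 3, 1), date(2023, 11, 1)),
    Observation("milestone-A", "J2", date(2023, 1, 1), date(2022, 10, 1)),  # anticipatory, censored
    Observation("milestone-B", "J1", date(2024, 1, 1), date(2024, 2, 1), date(2024, 9, 1)),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(o.milestone, o.jurisdiction, lags(o))
    print("median total lag:", median_total_lag(SAMPLE))
```

A jurisdiction whose cases are all censored yields only a lower bound on its median, which is why a bound rather than a single figure can be the honest summary for it.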
In greater detail:
Governments often recognize capabilities rather quickly, but the transition to binding law is the main bottleneck:
These modern AI timelines are rather compressed when you compare them to historical technological precedents. Mature regulation for these fields took years, if not decades:
However, we should note that the lag time often depends on the exact capabilities in question. Autonomous vehicles are a subdomain of AI, and for this milestone specifically, the lag was relatively short. China reached binding regulation in nine and a half months and the USA in 24 months (2 years).
Meanwhile, biosecurity saw the longest lag. The analysis found no binding regulations specifically addressing biosecurity-adjacent AI, like AlphaFold 2, had taken effect (in any jurisdiction) by the end of 2025. [4]
Why exactly is the timeline so compressed compared to other technologies? Several explanations present themselves:
Still, no peer-reviewed empirical study has compared AI’s regulatory timeline to historical precedents using a consistent methodology.
I recommend further exploration.
Anticipatory Legislation vs Reactive Legislation
It seems meaningful to distinguish between two types of legislation. Reactive legislation merely responds to capabilities or crises, while anticipatory legislation attempts to create the governance frameworks to control these things before capabilities have fully manifested.
In the “T0/T1/T2” framework described above, reactive regulation displays a positive lag (T1 happens after T0). Meanwhile, anticipatory regulation results in a negative recognition lag, meaning the government created a policy document before the capability was demonstrated in public.
It seems that reactive legislation is almost always catalyzed by disaster or high-salience shocks. Consider events like the sulfanilamide disaster for pharmaceuticals or the launch of ChatGPT for AI. In contrast, anticipatory regulation leverages regulatory foresight, with regulatory officials aiming to handle potential developments. Anticipatory efforts must reckon with the “Collingridge Dilemma” (technologies are easy to influence when young, but their impacts are hard to foresee; by the time the impacts become clear, the technology is often too entrenched to easily influence).
Despite the difficulty inherent in the Collingridge Dilemma, we are seeing more proposed or implemented anticipatory frameworks:
Mechanisms for Creating Anticipatory Legislation
Certain mechanisms may aid governments in “getting ahead” of capability development, in the sense of anticipating how technology is likely to evolve and operationalize:
Strategies to Speed Up Regulation
The regulatory process (and government movement in general) is notoriously slow. However, there are apparently several mechanisms that can reduce the time between a capability’s emergence and a binding response, outside of living document approaches and using existing legal infrastructure:
Again though, the success of all of this depends on regulatory independence. Many failures in technology governance can be traced back to a lack of independence from the body the regulation applies to. Ensuring the regulator remains free of influence from both industry and promotional mandates is the most reliable predictor of long-term, effective governance.
Other Miscellaneous Measurement Gaps
Other gaps in the landscape include the following:
What creates new regulatory bodies?
A few different factors seem to predict the creation of new regulatory bodies or frameworks. Agenda-setting is cited as the primary mechanism industry uses to shape policy, according to RAND Corporation research. Geopolitical competition certainly plays a role as well, with the Biden EO aiming to place US leadership ahead of both EU and Chinese regulatory endeavors. While academic and civil society advocacy can create pressure, it seems they rarely trigger action alone. Capability thresholds appear necessary but not sufficient for the creation of regulatory frameworks. While thresholds like the EU AI Act’s 10²⁵ FLOPs exist in regulatory frameworks, they likely weren’t the proximate trigger for those frameworks’ creation.
What bridges the gap between adoption and governance?
Corporate governance maturity is typically assessed with survey data from agencies like McKinsey, Deloitte, PwC, IAPP, etc. Regardless of the source, the finding is generally consistent: adoption outpaces governance by a wide margin. There’s strong convergent validity. More specifically, McKinsey’s 2026 AI Trust Maturity Survey introduced a 4-point maturity scale. There’s an average score of 2.3/4.0 across the industry, with only approximately 30% of organizations reaching level 3 or higher. It isn’t clear what tactics decrease the adoption and governance gap, except that organizations which invest $25 million or more in responsible AI consistently report higher maturity along with an EBIT impact above 5%.
What about agenda-setting in the sense of industry actions, or special interest groups? If the AI industry tries to influence policy by advancing anti-regulation narratives, that’s sometimes called second-level agenda-setting or framing. And while my analysis can’t really speak to this, there is one notable finding in the analysis: positive coverage is actually correlated with more regulation, not less. If industry actors were successfully suppressing regulation through positive framing, you’d expect the opposite pattern.
I should point out that there’s a potential self-selection effect here that the analysis doesn’t really deal with; better performing firms might self-select into these kinds of voluntary agreements. The analysis attempts to address this. The effects described are also just aggregate correlation. Despite this, I think it’s likely that firms in stringent voluntary agreements tend to have better outcomes as defined by those standards, though we can’t say why.
…Aside from all of this, there’s also a capacity gap between private investment in AI firms and the relatively small budgets allocated to regulation enforcement by organizations like the EU. Increased funding would likely help narrow the knowledge gap by allowing regulatory bodies to attract more knowledgeable talent and define new standards for measuring effectiveness.
Note that the “acceleration” you can see in later milestones (like GPT-4) is likely a window truncation artifact due to the EU AI Act hitting multiple previously developed capabilities at the same time.