Virtually every plan to avert AI-catastrophe assumes legal regulation will remain a reliable tool. Plan A in AI 2040; slowdown in AI 2027, and several other projections assume that legal systems work as normal at critical narrative junctures. [Appendix 1]
Recent research, however, suggests that frontier models are exceptionally good at finding legal loopholes. Whilst modern legal systems have strategies for dealing with loopholes, they are slow and poorly equipped to deal with acceleration. If the tempo of AI development is sufficiently fast, this speed-mismatch might be fatal.
In this short article, I consider which strategies will remain robust for future AI regulations and assess their tradeoffs. Overall, I remain optimistic our legal tools can match superhuman loophole discovery - provided, that is, we anticipate this problem and adapt our legal institutions accordingly.
1. The unfortunate legal deviousness of Qwen3-30B
The most recent study on AI 'loophole discovery' is Wei Liu et al's Large Language Models Hack Rewards, and Society. They claim that, in addition to reward hacking, AI models engage in 'societal hacking':
where an RL-trained model discovers strategies that remain formally compliant, yet undermine the intended purpose of those systems, as illustrated in Figure 2:
Liu and his colleagues presented LLMs with optimisation targets inside simulated scenarios governed by historical legal regulations. Many loopholes had already been discovered and patched for these regulations.
They found the LLMs re-discovered 61.25% of those loopholes, without being prompting to do so, including loopholes which had only been proposed as theoretical possibilities. It also developed new loopholes[1] and adapted them after patches were iteratively applied. Patching the loopholes did not produce convergence: the LLMs simply refined loopholes to be more formally compliant, carefully evading the wording of patches.
Considering this was done with Qwen3-30B-A3B, this performance is quite impressive. It seems plausible that the cost of loophole discovery and adaption will fall rapidly in the next year.
2. Why care about loopholes?
You might think loopholes are a minor issue in AI regulation. Maybe we will physically concentrate AI research such that it can be monitored directly without fussing over rules?[2] Or maybe our regulations will be so clear, direct, and straightforward (relying, perhaps, on hardware metrics)[3] that they cannot be gamed?
These are unreliable assumptions.
First, AI development is a diffuse activity, and is likely to remain so. Whatever regulatory regime we put in place will need to coordinate large numbers of people at scale. If we want our regime to have the predictability which makes regulations tolerable and legitimate we will need to use some ex ante guidance.
Second, ex ante guidance, no matter how well-drafted and tied to hardware, can always be gamed, and this gaming reduces the effectiveness of regulation. Historically, rules resembling those proposed for AI regulation have been consistently evaded:
Export controls are evaded by sitting just below prohibited thresholds or strategic re-designs. E.g: using networked sub-threshold commodity boxes to get around the 1990's CTP export-control metric.[4] Other forms of evasion involve manufacturing goods using subsidiaries in non-prohibited countries[5] and by arbitraging weakest links (e.g., West Germany in the COCOM program and, later, chemical weapons export controls);
Licensing regimes are avoided by structuring activity to fall just within more permissible regimes/exceptions (e.g. the USML/CCL boundary gamed by skirting 'specially designed'/generic design and 'part'/'component'); by obtaining licenses for benign behaviour to build up capacity before later switching to military use; and by moving activity to unregulated regions - aka 'jurisdictional arbitrage' (e.g., spyware; fentanyl analogue production moving to India).
Arms treaties are also gamed via threshold attacks - the most famous examples being the German 'Pocket Battleship' designed to skirt Versailles's tonnage limits[6] - and jurisdictional arbitrage (e.g., Weimer-USSR collaboration). As with Art VI in the NPT, lawful exceptions are used as a cover for capabilities build-up: NK and Iran used the 'peaceful space-launch vehicle' to design all the parts of an ICBM inside a civil satellite-launch program;
The 'Pocket Battleship' designed to get around Article 190 of the Treaty of Versailles
AI will speed up the discovery, diffusion, and implementation of loopholes like these, democratising what once required expensive legal advice.[7] More concerningly, AI development might require tighter legal nets than our loophole-ridden regulations have hitherto managed to achieve. As I will show below in sections 3 and 4, whilst existing strategies to confine loopholes work, they are leaky and slow, and are likely to become more so if AI accelerates the legal system.
3. How do legal systems deal with loopholes?
Whilst eliminating loopholes is probably impossible, they are not an intractable problem. Legal systems have traditionally used two methods to handle them:
First, they improve ex ante drafting. Law-makers spend more time during drafting to anticipate loopholes and creative compliance; they also amend existing statutes to catch common workarounds. This is expensive, however, and slows down the drafting process. it also incentivises regulated actors to find new workarounds, requiring more ex ante amendment, increasing the complexity (and cost) of law-following. Examples:
MTCR Category 1 defined as "complete delivery systems with ≥300km "range" & ≥500kg "payload" (Guidelines and Annex);
EAR ECCN 3A090, Part 774. List of Items Controlled: "integrated circuits having one or more digital processing units having either of the following: a.1. A `total processing performance' of 4800 or more; or... "
Second, they implementex post standards. These are vague and unpredictable[8] - although not necessarily unprincipled - and bite once a breach has been committed.[9] Unlike rules, standards move authority from the law-maker to the judge. Leaving the law partially unspecified - typically for unusual and uncommon activities - deters actors from inventing new edge-cases but provides little guidance to good-faith actors. Examples:
Principles like 'substance over form'; underlying purpose; catch-all clauses like 'economic groups', 'participating interests', 'actual dominant interests';
Broad definitions, e.g., BWC Art 1: "Microbial or other biological agents, or toxins whatever their origin or method of production, of types and in quantities that have no justification for prophylactic, protective or other peaceful purposes."
Legal systems tend to use a combination of both.[10] The former provides certainty for the most high-frequency activities, whilst the latter is deployed on a case-by-case basis for low-frequency, anomalous activities.[11]
4. Does AI change the equilibrium?
AI might appear to produce symmetrical advantages in offence and defence: the same technology which discovers loopholes can be used to anticipate and patch them.
On balance, it seems there are overwhelming defensive advantages for regulators - provided, that is, that they use them. The default scenario, where the legal system barely changes , seems like it will produce a considerable offensive advantage to regulatees.
Defensive Asymmetries
A. Environmental Control: Legal Systems control the legal landscape
The legal system defines the conditions for success in a lawsuit. Whilst denying legal challenges altogether might be impossible given various constitutional protections, and is unlikely to be acceptable for an international treaty, regulators could take actions to screen off the influence of AI-enhanced litigants.
One possible system, at least in the context of AI-regulation, would be to set up an independent body (domestically, a subset of the legal profession)[12] which verifies and adjudicates disputes. Whether this would be acceptable will depend on whether AI is perceived as being closer to the internet or nuclear weapons.
B. Environmental Control: Legal systems control the behaviour landscape
Something regulators have been doing for a long time is making behaviour more regulation-shaped. When it comes to loopholes, some of the most effective tools in reducing the 'attack surface' of the law involve restricting where and how AI research can be carried out.
In general, there is a tradeoff between autonomy and possibility for loophole-discovery. Creative compliance requires the freedom to be creative. The most effective ways to reduce loopholes are to implement a restrictive licensing regime (forbidden unless permitted) and to implement extensive transparency and monitoring rules.
C. Asymmetric Expertise: Capital and Frontier Restriction
Legal and political systems will, in some jurisdictions, have access to far greater resources than the vast majority of private actors. In a world where capital can be directly transformed into legal expertise, this directly translates into legal asymmetry.
The US government in particular could secure exclusive access to Frontier models, as was done with the June 2026 order, and, if it wanted, could impose monitoring restrictions on usage and inference caps. In this scenario, the legal-political system could race far ahead of regulatees when drafting its ex ante regulations.
D. Pre-preparation: Legal systems control the regulatory cycle
The legal system controls the pace of the regulatory cycle. A legal system can spend considerable time drafting its regulations (perhaps in private) and creating new regulatory institutions before releasing them. In addition, it can also undo previous regulations, amend them, or re-work them through creative interpretation.
Where access to Frontier models is restricted, this would produce a durable lead: a frontier model, given six months, may produce non-linear advantages over smaller models when drafting regulation.
E. New Affordances: predictable standards, flexible rules
AI could provide new affordances for the legal system. It might be possible, for instance, to escape the predictability-flexibility tradeoff inherent in the rule/standard divide.
One proposal is devise standards which are superhumanly scaleable via judicial emulation. Whilst this doesn't avoid the problem of legitimacy (judges remain unconstrained), it would render standards predictable.
Alternatively, another is to create rules which are infinite in number and adaptability. The 'regulation space' is not infinite: provided a regulator has enough data and processing ability, the entire behaviour space could be covered.
Offensive Asymmetries
A. Agency gap: private actors can adopt new technology more freely
Legal and political institutions are constrained by bureuacracy and are likely to have delayed, uneven, and outdated adoption of AI. Further, as a matter of institutional bias, they are typically risk averse.
In contrast, private actors will have much greater autonomy in adopting AI. They will be faster, less bound by procedure, likely more technically competent, and are less risk-averse. Unless the legal system adapts, it is likely to be outpaced in the same manner legacy IT systems in the public sector are being outpaced by new AI cybercapabilities.
B. Speed gap: legal systems are slow by design
Legal and political systems are designed to be deliberately slow. It takes time to create new laws, and even more time to alter the process by which laws are made. This is known generally as the pacing problem:
AI exacerbates this problem by speeding up the pace of change.Regulation takes a long time to draft, pass, and amend, whilst AI development is continually accelerating. Say a bill is drafted with a frontier model in 2027: 3 months later, by the time it comes into force, countless loopholes are discovered by newer models.
Standards are also challenged: they work best for low-frequency behaviour which can be handled on a case-by-case basis. AI changes this dynamic: many independent actors can spin up their own plausible workarounds, all of which need to be taken on their merits. It takes weeks to go through their arguments, during which they continue their activity. In both cases the tempo of the legal system is too slow.
C. Success Conditions: the regulatees may only need to succeed once
Traditionally, there have always been asymmetries in breaking the law. Fraudsters can use their illictly-obtained money to pay lawyers to contest the legal actions taken against them; commercial actors breaking the law can scale up fast enough to produce political capital, along with resources for lobbying and lawyers for legal challenges, which deters regulation.
AI may present a more extreme version of this dynamic if the regulated activity directly produces legal expertise. Rather than having to make money and convert it into legal advice - which presents problems of selection, alongside the transaction costs of hiring lawyers - the regulated product itself can create elite legal arguments. A single loophole could thus compound into an industrial loophole-finding machine.
D. Information Asymmetry: the regulatees know more about the regulator than vice-versa
The regulator slowly drafts and promulgates their regulations in public, providing a wide attack surface. The regulatee, however, is changing their behaviour in private. I suspect when you apply AI to both sides, the regulator's advantage in ex ante drafting will fall behind the regulatee's advantage using AI in conjunction with private information.
This asymmetry is made worse by the plausible introduction, following the falling cost of legal advice, of new actors which regulators have hitherto mostly ignored. These actors can take advantage of previous loopholes discovered by existing large firms, whilst providing unseen challenges to regulators.
E. Enormous attack surface: the legal system is huge and largely unsystematised
Countless areas of law work solely because the cost of hiring lawyers to avoid the rules is prohibitively expensive. This will change as AI reduces the cost of legal advice. Furthemore, large chunks of the law will become increasingly outdated as AI analysis is applied in areas previously 'unlawyered.'
The legal system thus offers a both large attack surface, and one which, like most public IT systems, has large sections which have not been subjected to intensive red-teaming. Even if specific AI regulations are insulated from AI pressure, it is likely large portions of the law will become unreliable. Nor, at present, are systems in place to correct these problems.
5. What does a robust regulator look like?
Regulators and policymakers should think carefully about how AI will alter the legal system, rather than simply assuming it will continue as usual.
From the discussion of offensive and defensive asymmetry above, the two most important lessons are:
The legal system defines the conditions of success and can therefore harden its regulations against AI-enhanced loopholes;
Without exclusive access to Frontier models, the legal system faces a huge deficit in tempo compared to private actors.
Provided legislators are alive to this problem, and we think ahead of time what sort of special legal regimes are realistic, the first of these is achievable when it comes to high-stakes regulations. It is not, however, scalable across the entire legal system.
More broadly then, the system must be ready to change to meet new circumstances; it must possess 'Radical Optionality.' A successful regulator will do the following:
Create channels in which frontier models can be used toimprove ex ante regulations, and thus offset possible asymmetries in loophole discovery
Build mechanisms for adaptive re-drafting so that new legislative drafting tools can be used to outpace loophole production; [13]
Build in flexibility to legal regulations, using broad standards, such as catch-all lists and purposive definitions, to ensure regulators are not hemmed-in by misspecified laws;
Modify courts, or implement specialised adjudicatiors, to handle potentially enormous volumes of adjudication.
As it stands, most inside and outside the legal system hold law as a constant in their forecasts of the future. Whilst we have no idea what happens to legal doctrine when it is accelerated, we do have a good idea what happens when regulators are outmatched in legal expertise: exports slip through the net, tax is uncollected, and nuclear weapons proliferate.
Appendix: Proposals relying on law
A brief survey of policy proposals for AI safety shows their high reliance on conventional legal systems. For instance:
The' Incremental AI Policy Wishlist includes a range of policies enforced legally: disclosure obligations on firms; export controls; R&D verification;
Plan A includes chip manufacturing monitoring; pauses on training runs; and transparency in monitoring;
Plan A also seems to assume tax law is working more or less as usual in 2032, with the main hiccup being mass automation rather than a change to how the law works.
A cycle repeated after Nvidia designed the A800/H800 series to get around the 2022 interconnect-bandwidth limits prompting a renewed limit in 2023, the H20 in response, and a new 2025 licensing scheme. Another angle of attach is Chinese firms skirting the restrictions by renting cloud access in Indonesia, with the 2025 AI Diffusion Framework and the proposed Remote Access Security Act as regulatory responses.
Met in turn by Foreign Direct Product rules, and more gaming of their triggers. Huawei, for example, spun up countless entities to get around FDP's Entity list. Redefinitions to include entities 50%+ owned were evaded with 49.9%-owned shells, and so BIS responded with a "significant minority ownership" red flag.
Other examples include the treaty cruisers designed to get around the Washington Naval Treaty in the 1920s, and the torpedo boats to evade the 1930 London Naval Treaty. Note that all of these examples also involved cases of misstating and underestimating tonnage limits. In general, loophole discovery tends to go alongside deceptive non-compliance.
A good survey of the economics of loophole discovery is Fleischer, Victor, Regulatory Arbitrage (March 4, 2010). U of Colorado Law Legal Studies Research Paper No. 10-11, Available at SSRN: https://ssrn.com/abstract=1567212 or http://dx.doi.org/10.2139/ssrn.1567212. Briefly, Fleischer notes the main economic constraints on tax avoidance are transaction costs; opacity costs; agency costs; and information costs/counterparty risk, all of which are lowered by AI.
There is some disagreement over this point. The canonical statement of the tradeoffs between rules and standards is Louis Kaplow, Rules Versus Standards: An Economic Analysis, 42 Duke Law Journal 557-629 (1992). C.f. McBarnet, D., & Whelan, C. (1991). The Elusive Spirit of the Law: Formalism and the Struggle for Legal Control. The Modern Law Review, 54(6), 848–873, which suggests that rules are not, in fact, more predictable and are themselves ex post devices. I have tended towards Kaplow's account, at least in the context of technical legal regulations, because I believe legal reasoning can produce determinate guidance, and that following this guidance is often necessary for logistics and legitimacy.
Many jurisdictions use 'General Anti-Avoidance Rules", or GAAR. These are statutory provisions which allow courts to re-determine the tax liability of avoidance transactions to neutralise any tax savings. The US and UK tend to use common law anti-avoidance rules, which are more contextual.
David A. Weisbach, "Ten Truths about Tax Shelters" (John M. Olin Program in Law and Economics Working Paper No. 122, 2001). Legal systems also use institutional devices like delegating authority to fast-moving agencies, and disclosure rules for new legal structures (e..g UK's DOTAS rules and EU DAC6).
Noting that the line between the two is often fuzzy: bright-line rules have a tendency to become more 'standard-like' over time (and vice-versa). See Schauer, Frederick. "The Convergence of Rules and Standards." New Zealand Law Review (2003): 303-328.
There are precedents for this in military contexts: the US CIPA (1980) rules on classified trials; UK special advocates for SIAC; and Atomic Energy Act hearings.
A possible model here is the 'regulate first, collect comments later' approach of the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC). These come with their own costs in terms of compliance chaos and definitional ambiguity.
Virtually every plan to avert AI-catastrophe assumes legal regulation will remain a reliable tool. Plan A in AI 2040; slowdown in AI 2027, and several other projections assume that legal systems work as normal at critical narrative junctures. [Appendix 1]
Recent research, however, suggests that frontier models are exceptionally good at finding legal loopholes. Whilst modern legal systems have strategies for dealing with loopholes, they are slow and poorly equipped to deal with acceleration. If the tempo of AI development is sufficiently fast, this speed-mismatch might be fatal.
In this short article, I consider which strategies will remain robust for future AI regulations and assess their tradeoffs. Overall, I remain optimistic our legal tools can match superhuman loophole discovery - provided, that is, we anticipate this problem and adapt our legal institutions accordingly.
1. The unfortunate legal deviousness of Qwen3-30B
The most recent study on AI 'loophole discovery' is Wei Liu et al's Large Language Models Hack Rewards, and Society. They claim that, in addition to reward hacking, AI models engage in 'societal hacking':
Liu and his colleagues presented LLMs with optimisation targets inside simulated scenarios governed by historical legal regulations. Many loopholes had already been discovered and patched for these regulations.
They found the LLMs re-discovered 61.25% of those loopholes, without being prompting to do so, including loopholes which had only been proposed as theoretical possibilities. It also developed new loopholes[1] and adapted them after patches were iteratively applied. Patching the loopholes did not produce convergence: the LLMs simply refined loopholes to be more formally compliant, carefully evading the wording of patches.
Considering this was done with Qwen3-30B-A3B, this performance is quite impressive. It seems plausible that the cost of loophole discovery and adaption will fall rapidly in the next year.
2. Why care about loopholes?
You might think loopholes are a minor issue in AI regulation. Maybe we will physically concentrate AI research such that it can be monitored directly without fussing over rules?[2] Or maybe our regulations will be so clear, direct, and straightforward (relying, perhaps, on hardware metrics)[3] that they cannot be gamed?
These are unreliable assumptions.
First, AI development is a diffuse activity, and is likely to remain so. Whatever regulatory regime we put in place will need to coordinate large numbers of people at scale. If we want our regime to have the predictability which makes regulations tolerable and legitimate we will need to use some ex ante guidance.
Second, ex ante guidance, no matter how well-drafted and tied to hardware, can always be gamed, and this gaming reduces the effectiveness of regulation. Historically, rules resembling those proposed for AI regulation have been consistently evaded:
The 'Pocket Battleship' designed to get around Article 190 of the Treaty of Versailles
AI will speed up the discovery, diffusion, and implementation of loopholes like these, democratising what once required expensive legal advice.[7] More concerningly, AI development might require tighter legal nets than our loophole-ridden regulations have hitherto managed to achieve. As I will show below in sections 3 and 4, whilst existing strategies to confine loopholes work, they are leaky and slow, and are likely to become more so if AI accelerates the legal system.
3. How do legal systems deal with loopholes?
Whilst eliminating loopholes is probably impossible, they are not an intractable problem. Legal systems have traditionally used two methods to handle them:
First, they improve ex ante drafting. Law-makers spend more time during drafting to anticipate loopholes and creative compliance; they also amend existing statutes to catch common workarounds. This is expensive, however, and slows down the drafting process. it also incentivises regulated actors to find new workarounds, requiring more ex ante amendment, increasing the complexity (and cost) of law-following. Examples:
Second, they implement ex post standards. These are vague and unpredictable[8] - although not necessarily unprincipled - and bite once a breach has been committed.[9] Unlike rules, standards move authority from the law-maker to the judge. Leaving the law partially unspecified - typically for unusual and uncommon activities - deters actors from inventing new edge-cases but provides little guidance to good-faith actors. Examples:
Legal systems tend to use a combination of both.[10] The former provides certainty for the most high-frequency activities, whilst the latter is deployed on a case-by-case basis for low-frequency, anomalous activities.[11]
4. Does AI change the equilibrium?
AI might appear to produce symmetrical advantages in offence and defence: the same technology which discovers loopholes can be used to anticipate and patch them.
On balance, it seems there are overwhelming defensive advantages for regulators - provided, that is, that they use them. The default scenario, where the legal system barely changes , seems like it will produce a considerable offensive advantage to regulatees.
Defensive Asymmetries
A. Environmental Control: Legal Systems control the legal landscape
The legal system defines the conditions for success in a lawsuit. Whilst denying legal challenges altogether might be impossible given various constitutional protections, and is unlikely to be acceptable for an international treaty, regulators could take actions to screen off the influence of AI-enhanced litigants.
One possible system, at least in the context of AI-regulation, would be to set up an independent body (domestically, a subset of the legal profession)[12] which verifies and adjudicates disputes. Whether this would be acceptable will depend on whether AI is perceived as being closer to the internet or nuclear weapons.
B. Environmental Control: Legal systems control the behaviour landscape
Something regulators have been doing for a long time is making behaviour more regulation-shaped. When it comes to loopholes, some of the most effective tools in reducing the 'attack surface' of the law involve restricting where and how AI research can be carried out.
In general, there is a tradeoff between autonomy and possibility for loophole-discovery. Creative compliance requires the freedom to be creative. The most effective ways to reduce loopholes are to implement a restrictive licensing regime (forbidden unless permitted) and to implement extensive transparency and monitoring rules.
C. Asymmetric Expertise: Capital and Frontier Restriction
Legal and political systems will, in some jurisdictions, have access to far greater resources than the vast majority of private actors. In a world where capital can be directly transformed into legal expertise, this directly translates into legal asymmetry.
The US government in particular could secure exclusive access to Frontier models, as was done with the June 2026 order, and, if it wanted, could impose monitoring restrictions on usage and inference caps. In this scenario, the legal-political system could race far ahead of regulatees when drafting its ex ante regulations.
D. Pre-preparation: Legal systems control the regulatory cycle
The legal system controls the pace of the regulatory cycle. A legal system can spend considerable time drafting its regulations (perhaps in private) and creating new regulatory institutions before releasing them. In addition, it can also undo previous regulations, amend them, or re-work them through creative interpretation.
Where access to Frontier models is restricted, this would produce a durable lead: a frontier model, given six months, may produce non-linear advantages over smaller models when drafting regulation.
E. New Affordances: predictable standards, flexible rules
AI could provide new affordances for the legal system. It might be possible, for instance, to escape the predictability-flexibility tradeoff inherent in the rule/standard divide.
One proposal is devise standards which are superhumanly scaleable via judicial emulation. Whilst this doesn't avoid the problem of legitimacy (judges remain unconstrained), it would render standards predictable.
Alternatively, another is to create rules which are infinite in number and adaptability. The 'regulation space' is not infinite: provided a regulator has enough data and processing ability, the entire behaviour space could be covered.
Offensive Asymmetries
A. Agency gap: private actors can adopt new technology more freely
Legal and political institutions are constrained by bureuacracy and are likely to have delayed, uneven, and outdated adoption of AI. Further, as a matter of institutional bias, they are typically risk averse.
In contrast, private actors will have much greater autonomy in adopting AI. They will be faster, less bound by procedure, likely more technically competent, and are less risk-averse. Unless the legal system adapts, it is likely to be outpaced in the same manner legacy IT systems in the public sector are being outpaced by new AI cybercapabilities.
B. Speed gap: legal systems are slow by design
Legal and political systems are designed to be deliberately slow. It takes time to create new laws, and even more time to alter the process by which laws are made. This is known generally as the pacing problem:
AI exacerbates this problem by speeding up the pace of change. Regulation takes a long time to draft, pass, and amend, whilst AI development is continually accelerating. Say a bill is drafted with a frontier model in 2027: 3 months later, by the time it comes into force, countless loopholes are discovered by newer models.
Standards are also challenged: they work best for low-frequency behaviour which can be handled on a case-by-case basis. AI changes this dynamic: many independent actors can spin up their own plausible workarounds, all of which need to be taken on their merits. It takes weeks to go through their arguments, during which they continue their activity. In both cases the tempo of the legal system is too slow.
C. Success Conditions: the regulatees may only need to succeed once
Traditionally, there have always been asymmetries in breaking the law. Fraudsters can use their illictly-obtained money to pay lawyers to contest the legal actions taken against them; commercial actors breaking the law can scale up fast enough to produce political capital, along with resources for lobbying and lawyers for legal challenges, which deters regulation.
AI may present a more extreme version of this dynamic if the regulated activity directly produces legal expertise. Rather than having to make money and convert it into legal advice - which presents problems of selection, alongside the transaction costs of hiring lawyers - the regulated product itself can create elite legal arguments. A single loophole could thus compound into an industrial loophole-finding machine.
D. Information Asymmetry: the regulatees know more about the regulator than vice-versa
The regulator slowly drafts and promulgates their regulations in public, providing a wide attack surface. The regulatee, however, is changing their behaviour in private. I suspect when you apply AI to both sides, the regulator's advantage in ex ante drafting will fall behind the regulatee's advantage using AI in conjunction with private information.
This asymmetry is made worse by the plausible introduction, following the falling cost of legal advice, of new actors which regulators have hitherto mostly ignored. These actors can take advantage of previous loopholes discovered by existing large firms, whilst providing unseen challenges to regulators.
E. Enormous attack surface: the legal system is huge and largely unsystematised
Countless areas of law work solely because the cost of hiring lawyers to avoid the rules is prohibitively expensive. This will change as AI reduces the cost of legal advice. Furthemore, large chunks of the law will become increasingly outdated as AI analysis is applied in areas previously 'unlawyered.'
The legal system thus offers a both large attack surface, and one which, like most public IT systems, has large sections which have not been subjected to intensive red-teaming. Even if specific AI regulations are insulated from AI pressure, it is likely large portions of the law will become unreliable. Nor, at present, are systems in place to correct these problems.
5. What does a robust regulator look like?
Regulators and policymakers should think carefully about how AI will alter the legal system, rather than simply assuming it will continue as usual.
From the discussion of offensive and defensive asymmetry above, the two most important lessons are:
Provided legislators are alive to this problem, and we think ahead of time what sort of special legal regimes are realistic, the first of these is achievable when it comes to high-stakes regulations. It is not, however, scalable across the entire legal system.
More broadly then, the system must be ready to change to meet new circumstances; it must possess 'Radical Optionality.' A successful regulator will do the following:
As it stands, most inside and outside the legal system hold law as a constant in their forecasts of the future. Whilst we have no idea what happens to legal doctrine when it is accelerated, we do have a good idea what happens when regulators are outmatched in legal expertise: exports slip through the net, tax is uncollected, and nuclear weapons proliferate.
Appendix: Proposals relying on law
A brief survey of policy proposals for AI safety shows their high reliance on conventional legal systems. For instance:
As I suggest in Part 1 above, these proposals are plausibly vulnerable to the kind of exploits discussed in this paper.
The validity of these loopholes were assessed by LLM judges and human lawyers.
AI 2040, for instance, seems to assume most AI R&D will be carried out in a few locations which can be monitored directly by a single organisations.
E.g., the robust attempt to define a frontier model here: https://law-ai.org/wp-content/uploads/2024/09/Legal-Considerations-for-Defining-Frontier-Model.pdf; and Caputo's analysis of regulating after the pre-training paradigm ends: https://arxiv.org/abs/2502.15719
A cycle repeated after Nvidia designed the A800/H800 series to get around the 2022 interconnect-bandwidth limits prompting a renewed limit in 2023, the H20 in response, and a new 2025 licensing scheme. Another angle of attach is Chinese firms skirting the restrictions by renting cloud access in Indonesia, with the 2025 AI Diffusion Framework and the proposed Remote Access Security Act as regulatory responses.
Met in turn by Foreign Direct Product rules, and more gaming of their triggers. Huawei, for example, spun up countless entities to get around FDP's Entity list. Redefinitions to include entities 50%+ owned were evaded with 49.9%-owned shells, and so BIS responded with a "significant minority ownership" red flag.
Other examples include the treaty cruisers designed to get around the Washington Naval Treaty in the 1920s, and the torpedo boats to evade the 1930 London Naval Treaty. Note that all of these examples also involved cases of misstating and underestimating tonnage limits. In general, loophole discovery tends to go alongside deceptive non-compliance.
A good survey of the economics of loophole discovery is Fleischer, Victor, Regulatory Arbitrage (March 4, 2010). U of Colorado Law Legal Studies Research Paper No. 10-11, Available at SSRN: https://ssrn.com/abstract=1567212 or http://dx.doi.org/10.2139/ssrn.1567212. Briefly, Fleischer notes the main economic constraints on tax avoidance are transaction costs; opacity costs; agency costs; and information costs/counterparty risk, all of which are lowered by AI.
There is some disagreement over this point. The canonical statement of the tradeoffs between rules and standards is Louis Kaplow, Rules Versus Standards: An Economic Analysis, 42 Duke Law Journal 557-629 (1992). C.f. McBarnet, D., & Whelan, C. (1991). The Elusive Spirit of the Law: Formalism and the Struggle for Legal Control. The Modern Law Review, 54(6), 848–873, which suggests that rules are not, in fact, more predictable and are themselves ex post devices. I have tended towards Kaplow's account, at least in the context of technical legal regulations, because I believe legal reasoning can produce determinate guidance, and that following this guidance is often necessary for logistics and legitimacy.
Many jurisdictions use 'General Anti-Avoidance Rules", or GAAR. These are statutory provisions which allow courts to re-determine the tax liability of avoidance transactions to neutralise any tax savings. The US and UK tend to use common law anti-avoidance rules, which are more contextual.
David A. Weisbach, "Ten Truths about Tax Shelters" (John M. Olin Program in Law and Economics Working Paper No. 122, 2001). Legal systems also use institutional devices like delegating authority to fast-moving agencies, and disclosure rules for new legal structures (e..g UK's DOTAS rules and EU DAC6).
Noting that the line between the two is often fuzzy: bright-line rules have a tendency to become more 'standard-like' over time (and vice-versa). See Schauer, Frederick. "The Convergence of Rules and Standards." New Zealand Law Review (2003): 303-328.
There are precedents for this in military contexts: the US CIPA (1980) rules on classified trials; UK special advocates for SIAC; and Atomic Energy Act hearings.
A possible model here is the 'regulate first, collect comments later' approach of the Bureau of Industry and Security (BIS) and the Office of Foreign Assets Control (OFAC). These come with their own costs in terms of compliance chaos and definitional ambiguity.