Digital Economy Dispatch #291 -- Why the Regulator's Limited Grasp of AI is Your Problem Too

When AI regulation comes up in a room full of digital leaders, it tends to get discussed like the weather. Something that happens to you. You forecast it, you grumble about it, but there’s little you can do besides carry an umbrella or a sun hat. The unspoken model is that regulation is a brake, your job is to make progress despite it, and the best you can hope for is that the brake is applied gently.

I want to argue that this thinking is dangerously upside down. The competence of the people governing AI is one of the largest single influences on whether your own AI adoption moves quickly, and on whether you can deliver meaningful value to your customers.

I do not come to this as a neutral observer. Over the years, I have worked in a number of countries advising a variety of regulatory bodies, and I have played a role in interpreting and applying those regulations with several large organizations in the public and private sectors. So, I carry the scars. The good ones were never the obstacle. They made the work possible by creating shared frameworks to understand technology risks and rewards, and by setting expectations we could plan around, and by holding public confidence that no single organisation can build on its own. But that wasn’t always the case, and much of my time has been spent figuring out the difference.

Weak regulators, not strong rules, are the real brake

Let’s start with the obvious. Regulators can slow adoption. But the mechanism is the opposite of the one most people assume. It is a weak understanding, far more than strict rules, that does the damage.

An under-equipped regulator tends to fail in one of two directions. The first is that it freezes. Unsure what good looks like, it hedges its bets and over emphasises protecting against every possible risk, and that hedging reaches the market as uncertainty. Uncertainty is precisely the thing that keeps promising projects stuck in pilot purgatory and gives finance directors a reason to defer the spend for another year. Facing backlash from stakeholders for “stalling innovation, the second is that it waves things through without governing the risk, until something goes wrong in public. Then comes a second backlash, and with it a clampdown heavier and clumsier than careful rules would ever have produced. Either way, thin understanding makes adoption both slower and worse.

What I’ve seen in practice is that a capable regulator does the reverse. Because it can tell a real risk from a hypothetical one, it identifies meaningful priorities and offers clear rules that businesses are able to plan around to allow investment to flow. Just as important, it protects the one ingredient no product plan can manufacture on its own: public trust.

Here the evidence is blunt. In the 2025 Ada Lovelace Institute and Alan Turing Institute survey, a nationally representative study of more than three thousand people, 72% of the UK public said laws and regulations would make them more comfortable with AI, up from 62% two years earlier.

Read that again, because it cuts against the instinct that the public simply wants AI held back. People are not asking to be shielded from the technology so much as asking for help to establish guardrails for the conditions under which they would accept it. The same survey found that only 18% knew AI was already being used to assess welfare benefits, even though most had heard of driverless cars. This means that the AI use cases that touch people most directly are the least understood, which is exactly the ground in which a backlash takes root.

Trust, then, is not a courtesy added at the end of a project. It is infrastructure, in the way that roads are. The much-discussed AI trust deficit turns out, on inspection, to be as much an adoption problem as an ethics issue.

What policy makers need to know

So, the question “what do policymakers and regulators actually need to understand about AI” is far from academic. It is a direct input to an organization’s delivery timelines. And the answer is more reachable than the common myths suggest. It is not the mathematics. It is enough to ask the right questions, weigh the answers, and recognise when something does not add up.

In the work I have been carrying out with policymakers, I have found it useful to come back to three plain questions about any AI system. Is it responsible: governed, accountable, and fair? Is it robust: secure, reliable, and able to fail safely? Is it responsive: able to adapt as the world keeps moving? A regulator who can hold those three in mind can have a useful conversation with a vendor. One who cannot will either rubber-stamp or freeze, and we have just seen where both of those can lead.

The lesson behind this is hard-won and not new. What I have seen work best in the UK public sector is when that capability lives inside the state rather than being rented by the day from consultancies. The same principle applies now. A smart buyer can specify what it wants, judge what it is offered, and walk away from a bad deal. A body that has outsourced its understanding can do none of those things and ends up governing AI through press release and reaction. Capability is not a nice-to-have extra alongside the regulation or statute. It is the thing that makes it work at all.

The honest objection is that building this capability is slow and expensive, and that the technology will outrun any team you assemble. There is truth in that. But the alternative, governing by reaction, is slower and more expensive still. It simply arrives on a delay, often with a scandal attached.

Why this is your problem, not just theirs

In this regard, the UK is in an interesting position. Rather than write detailed AI law, as the EU has, or leave the question largely to the market, as the United States tends to, the UK government asks existing regulators to apply shared principles in their own areas. That is a defensible approach. But it only pays off if those regulators are genuinely equipped, and there are signs the gap is real. The long-promised AI legislation has yet to arrive, even as public demand for it climbs. The danger here is not over-regulation. It is a vacuum, filled eventually by a reactive clampdown that serves no one.

Where does this leave us? If you lead digital change in a company, a hospital, or a council, you have a stake in the state being good at this, not merely a grievance about it being in your way. A capable regulator is often the difference between your next AI project scaling and your next AI project becoming a cautionary tale. That is worth more than forecasting the weather and complaining about it. It is worth engaging with by responding to consultations, sharing what you are learning, lending good people to the institutions that need them, and being straight in public about both the value and the risks.

The real question, in other words, is not "how should we regulate AI". It is "how AI-capable is the state doing the regulating, governance, and auditing”, and that is a question about investment in people and institutions as much as about law. Consider the implications of this. In your own sector, is the body that oversees you equipped to tell a good AI system from a dangerous one? And if it is not, what would it take to change that, and what part might you play in closing the gap?