The Regulatory Playbook That Always Wins
In 2024, the EU passed the AI Act. The stated goal: prevent harm, ensure transparency, and curb the unaccountable power of Big Tech. The actual outcome: a 200-page compliance checklist that only Google, Microsoft, and Meta can afford to implement at scale.
Welcome to the regulatory irony: the laws designed to break up monopolies are the very mechanisms that entrench them.
I've watched this pattern repeat across GDPR, SOC 2, PCI-DSS, and every major regulatory or industry compliance framework of the last two decades. The playbook is always the same:
- Step 1: Public outcry over tech power abuse (Cambridge Analytica, discriminatory algorithms, etc.)
- Step 2: Legislators draft sweeping rules with lofty goals
- Step 3: Compliance becomes a full-time job requiring teams of lawyers and engineers
- Step 4: Startups burn 30% of their runway on compliance; incumbents absorb it as a rounding error
- Step 5: Market consolidation accelerates
The winners aren't the citizens. They're the companies with the deepest legal benches.
Compliance as a Competitive Moat
Let's get concrete. Under the EU AI Act, deploying a "high-risk" AI system (anything from credit scoring to resume screening) requires:
- Risk management systems with documented mitigation strategies
- Data governance frameworks ensuring training data quality and bias audits
- Technical documentation including model architecture, training procedures, and performance metrics
- Human oversight mechanisms for decision review
- Continuous monitoring and incident reporting
For OpenAI or Google DeepMind, this is a Tuesday. They already have compliance teams, legal departments, and mature MLOps pipelines. Adding a few more process layers is annoying but manageable.
For a 10-person startup trying to disrupt HR tech with a novel matching algorithm? This is a death sentence. You're choosing between:
- Option A: Hire a compliance officer (€100k/year), slow down shipping by 6 months, and hope your runway survives
- Option B: Don't operate in the EU and forfeit 450 million potential customers
- Option C: Get acquired by a large player who can absorb your tech into their compliant infrastructure
Guess which option most founders choose?
The Illusion of "Leveling the Playing Field"
Regulation advocates often argue that rules level the playing field—that without them, Big Tech runs unchecked. But in practice, regulation raises the barrier to entry, not the ceiling.
Consider GDPR. Yes, Meta was fined €1.2 billion in 2023 over its transfers of Facebook user data from the EU to the US. Did it hurt them? Barely. The fine amounted to a few percent of a single quarter's revenue, well below the 4% of global annual turnover that GDPR allows as a maximum penalty.
Meanwhile, every European startup I know spent 2018-2019 in "GDPR panic mode"—rewriting privacy policies, implementing consent workflows, and hiring data protection officers they couldn't afford. The companies that survived were the ones that could raise enough capital to build compliance infrastructure before they had product-market fit.
The result? Fewer European competitors to challenge the American giants. Fewer weird, experimental ideas that might've violated some clause but could've unlocked massive value. More sameness.
Why Startups Can't Lobby Their Way Out
Here's the asymmetry that kills innovation: when regulation is being drafted, the loudest voices in the room are the incumbents.
Google, Amazon, and Microsoft have entire government relations teams in Brussels, Washington, and Beijing. They write white papers. They testify before committees. They offer "technical advisory" services to policymakers who don't understand token limits or gradient descent.
Startups don't have that. They're too busy trying to ship v1.0.
The result is regulation that sounds neutral but is designed—intentionally or not—to favor scale. Requirements like "continuous third-party audits" or "red-teaming by independent evaluators" are trivial when you have a $200M compliance budget. They're existential when you're bootstrapped.
The Real Alternative: Liability, Not Permission
I'm not arguing for zero regulation. Left unchecked, AI can absolutely cause harm—discriminatory lending, biased hiring, privacy violations, deepfake abuse. These are real problems.
But there's a difference between permission-based regulation (you must comply with 50 checkboxes before you can launch) and liability-based regulation (you can launch, but if you cause harm, you're accountable).
The current approach is permission-based. It assumes every AI system is guilty until proven compliant. This kills velocity and favors incumbents.
A liability-based approach would flip the script:
- Launch your AI product freely
- If it discriminates, you're sued
- If it violates privacy, you're fined
- If it misleads users, you face penalties
This model rewards agility and punishes actual harm, not theoretical risk. It's closer to how we treat cars and most consumer products: some upfront safety standards, but accountability arriving mostly after market entry, through recalls, regulator enforcement, and tort liability. (Pharmaceuticals are the counterexample: they require pre-market approval, and that is the model the AI Act borrows for high-risk systems.)
Would some bad actors slip through? Sure. But the current model doesn't prevent bad actors either—it just ensures that only well-funded bad actors survive.
The Incumbents Are Counting on Regulation
Here's the uncomfortable truth: the loudest proponents of "AI regulation" are often the incumbents themselves.
Sam Altman testified before Congress calling for regulatory oversight. Sundar Pichai published an op-ed on "responsible AI governance." They're not being altruistic—they're being strategic.
They know that every new compliance burden is another nail in the coffin of potential competitors. They know that if the barrier to entry is high enough, they'll never face a credible challenger.
It's regulatory capture 101: invite the rules, then use your scale to absorb them while your competitors drown.
What This Means for Builders
If you're building in AI right now, here's my advice:
1. Build compliance infrastructure from day one. Don't treat it as a "later" problem. If you're raising capital, show investors your governance roadmap. If you're bootstrapping, carve out 20% of your budget for legal/compliance.
2. Pick your jurisdiction carefully. The US is still more permissive than the EU. Singapore, UAE, and parts of Asia are actively courting AI companies with lighter regulatory environments. Where you incorporate matters more than ever.
3. Lobby, even if you're small. Join industry coalitions. File public comments on proposed regulations. Don't let the incumbents be the only voice in the room.
4. Build for liability, not permission. Design your systems to be auditable, explainable, and accountable—not because the law says you must, but because it's the right way to build. If you can demonstrate good-faith harm prevention, you'll survive the liability regime that should replace the permission regime.
5. Consider the "boring" verticals. Highly regulated industries (healthcare, finance, defense) are already compliance-heavy. Adding AI compliance is incremental, not existential. If you're going to fight the regulatory battle, fight it where everyone else is already fighting it.
The Irony Isn't Going Away
We're about to see a decade of AI regulation. Some of it will be thoughtful. Much of it will be theater. Almost all of it will favor the giants.
The irony is baked in: the very forces trying to constrain Big Tech are giving them the greatest competitive advantage they've ever had—a regulatory moat so wide that no startup can cross it.
If you're building in this space, your job isn't to complain about it. It's to navigate it, shape it where you can, and build systems that can thrive despite it.
Because the alternative—waiting for regulation to "fix itself"—is a losing strategy. The incumbents are already writing the rules.
Subscribe to Lynk for daily insights on AI strategy, cybersecurity, and building in the age of AI.