AI Regulations
The Regulation Trap: Why Sweeping AI Rules Will Hurt the People They Claim to Protect
"And where are you going to get those angels to run society for us?"
Milton Friedman
Let's start with something we don't say often enough: the people calling for AI regulation are not crazy. They are looking at a technology that is moving faster than any in our lifetime, watching it reshape jobs, content, elections, education, and creative work in real time, and asking a perfectly reasonable question. Who is in charge here?
The honest answer, today, is no one. And the honest answer to "should anyone be?" is probably yes — at some level. We're not regulation nihilists. Life without any guardrails around any technology would be terrifying. The risks are real, and a fair number of the people running the largest AI companies have done a remarkable job of proving they shouldn't be trusted to govern themselves.
So this isn't an argument for zero rules. It's an argument that the rules being proposed — and in some places already passed — will almost certainly fail at protecting anyone, and will succeed brilliantly at strangling the very things that could make AI a net good for the country. The regulation conversation is going to define the next decade of innovation. We had better get it right.
Here's why we're worried that we won't.
The European Cautionary Tale
If you want to know what happens when a major economy tries to regulate its way to AI safety, you don't need to speculate. The experiment has already been run.
Europe passed GDPR. Then the Digital Services Act. Then the EU AI Act layered on top. The intentions behind each were good. The drafters were not malicious. The constituencies they were trying to protect were real.
And yet here we are. Name a frontier AI lab headquartered in the European Union. Name a major foundation model trained in Europe. Name a European competitor to OpenAI, Anthropic, Google, Meta, or any of the leading Chinese labs. The list is short, and it isn't getting longer. Europe is now consuming AI built elsewhere, on terms set elsewhere, under conditions Europe will have very little say in shaping. That is the opposite of the outcome regulation was supposed to produce.
The mechanism is not mysterious. Every layer of compliance has a fixed cost that a five-person startup cannot absorb and a five-thousand-person incumbent can. The bigger the regulatory burden, the more it favors the company that already exists at the expense of the company that hasn't been founded yet. Europe didn't choose to have no AI industry. It just made it nearly impossible to start one.
That's the trap. Regulation aimed at "Big Tech" almost always lands hardest on the companies that aren't yet big.
The Internet Counterfactual
Now run the opposite experiment. Picture the early 1990s. The internet is brand new, almost no one outside of universities and the military understands it, and you can already see plenty of things to be worried about. Anonymous speech. Unfiltered content. Children with unsupervised access. Foreign actors. Pornography. Crime. Misinformation.
Congress had a choice. It could have regulated heavily — licensed publishers, controlled content, mandated approval processes, required permits to operate certain kinds of online services. There were serious voices arguing for exactly that.
Instead, the United States imposed something close to a regulatory moratorium. Section 230 limited liability for platforms. The government largely got out of the way and let the thing grow. The next thirty years produced the largest creation of economic value in human history, transformed every industry on earth, and made the United States the unrivaled center of the digital economy.
Were there harms? Of course. Some of them were severe. Some of them we are still trying to clean up. The internet today probably is overdue for some thoughtful regulatory rethinking, particularly around platform liability for content. But the point is that the harms emerged in a context where the underlying value of the technology had been allowed to fully manifest, and we now have the wealth, the expertise, and the data to actually regulate it sensibly.
If the regulators of 1994 had succeeded in writing the rules of the internet, we would not have an internet worth regulating today. That is the counterfactual every AI regulator should be required to sit with for a long time before putting pen to paper.
The Regulatory Moat Nobody Wants to Name
Here is the part of this conversation that polite company avoids. The loudest voices currently calling for AI regulation include the CEOs of the largest AI companies. Sam Altman went on a global tour calling for regulation, then quietly resisted virtually every concrete proposal that would have limited what his own company could do.
This is not subtle. It is the oldest play in the regulatory book. Once you are the incumbent, you stop fearing competition from above — you fear competition from below. The cheapest way to prevent that competition is to lock in your position with a thicket of compliance requirements that you can afford and an upstart cannot. It's called a regulatory moat, and it is one of the most reliable patterns in industry history.
You don't have to take our word for it. Look at banking. After 2008, the Dodd-Frank Act was passed with the best of intentions. The result, two decades later, is that you can count the number of new bank charters in the United States on one finger. One. Small community banks have been crushed by compliance costs, while the largest banks — the same ones whose behavior caused the crisis — have grown larger, more concentrated, and more systemically important. The regulation aimed at the giants buried the dwarves and made the giants bigger.
If we let that pattern repeat with AI, we will end up with three or four enormous AI companies, a forest of compliance consultants, and no meaningful new entrants for a generation. That is not what the public asking for "AI safety" thinks it is asking for. But it is what they will get.
The Poorly-Written Law Problem
The other reason to be skeptical of sweeping regulation is more prosaic and more depressing. Most regulators do not understand the technology they are trying to regulate. Most legislators understand it even less. And the resulting laws show it.
California's recent attempt at frontier AI regulation included, among other things, a requirement that model providers comply with "international law" — a phrase with no clear meaning under United States constitutional doctrine, and one that effectively imports the GDPR and the EU AI Act through the back door. It places the burden of proof on the model provider when any complaint is filed, regardless of merit. It would create reporting obligations that don't map cleanly onto how modern AI is actually developed.
This isn't a partisan complaint. It is a craftsmanship complaint. A law that cannot be complied with in good faith isn't a regulation. It's a lottery. And the ticket holders are plaintiffs' lawyers, not the public.
When David said on our podcast that "these regulations, as imperfect as they are, it's hard to imagine a world without some of them because the risks are so real," he was right. And when he said it's frustrating that they're "so terribly written and so clumsily conceived," he was also right. Those two statements are not in conflict. The issue is not whether to regulate. It's whether the people writing the rules are competent to write them. The track record is not good.
The China Problem
There is one more reason for caution, and it's the one that should keep policymakers up at night.
AI is no longer a consumer technology with national security implications on the side. It is a national security technology that happens to have consumer applications. China understands this. China is racing — through state policy, through massive industrial subsidy, through aggressive talent recruitment, and yes, through ample IP appropriation — to lead the world in AI, robotics, electric vehicles, and the rare-earth supply chains underneath all of it. The CEO of a major US automaker recently returned from touring Chinese factories and described what he saw as a generational lead in advanced robotics. China is starting AI education in kindergarten.
We can disagree about the geopolitical implications of all of this. What we cannot do is pretend it is irrelevant. Every regulatory burden the United States imposes on its AI industry that China does not impose on its own is a margin of advantage we hand to them, free of charge. Europe has effectively chosen to be a regulatory superpower instead of a technology superpower. That is a defensible choice if you are Europe. It is a catastrophic one if you are the United States.
This is not an argument that anything goes. It is an argument that we should be extraordinarily careful about the cost side of the ledger when we draft these rules, because the cost is being paid in national competitiveness, not in some abstract corporate inconvenience.
Where Regulation Actually Belongs
If we're going to be intellectually honest, we have to acknowledge what the regulatory urge gets right. Some things genuinely do need rules. We just think the right answer almost never looks like a sweeping new AI Act.
Liability should attach to the human or organization that causes the harm, not to the toolmaker. If someone uses an AI tool to commit fraud, defame a person, or generate non-consensual intimate imagery, those are already crimes — and they should be prosecuted as such, vigorously and visibly. We don't need a new AI law to ban what is already illegal. We need to actually enforce what's on the books.
Copyright, antitrust, consumer protection, and product liability law already cover an enormous share of the legitimate concerns being raised about AI. Courts are already working through how to apply them. That is exactly the right venue, and it is moving faster than most people realize. Common-law adaptation is messy but it is also evidence-driven. It does not require Congress to imagine harms in advance — it lets harms surface, then assigns responsibility.
For the genuinely novel risks — model misuse for biological, chemical, or cyber weapons, large-scale election interference, deceptive autonomous systems — narrow, targeted, well-scoped rules are appropriate. Not 400-page omnibus acts. Not laws that try to define "frontier model" by parameter count. Targeted rules, written by people who actually understand the technology, focused on the specific harm, with sunset clauses so we can revisit them as the technology evolves.
And finally — the part the industry doesn't want to hear — self-policing has failed. The AI industry is the architect of its own regulatory predicament. When the leading lab is simultaneously calling for safety regulation and announcing it will enable generation of adult content with the assurance of "trust us, we'll handle it," the regulatory backlash writes itself. If you don't want someone else to make rules for you, the move is to set your own rules and visibly live by them. The industry hasn't done that. The pitchforks are entirely earned.
The Right Question
The right question is not "should we regulate AI?" That framing is a trap. Of course some rules are appropriate. The right question is: what kind of rules, written by whom, aimed at what specific harms, at what cost to what we'd otherwise gain?
The answer almost certainly involves enforcing existing law aggressively, building narrow targeted rules where genuine novel risks exist, and resisting the urge to write broad sweeping AI Acts that will be obsolete before the ink dries and that will hand our remaining advantage in this technology to companies and countries that are not similarly constrained.
We are at a once-in-a-generation moment with a technology that could meaningfully expand human capability and prosperity. We can regulate it the way Europe did and watch the industry build itself somewhere else. Or we can do something harder and smarter — let the technology breathe, hold bad actors accountable through existing law, and intervene narrowly and skillfully where genuinely necessary.
The fallacy is not that AI shouldn't be governed. The fallacy is that more regulation always equals more safety. Sometimes — quite often, in fact — it just equals less freedom, less innovation, fewer choices, fewer jobs, and a worse outcome for the very people the rules were meant to protect.
That's the trap. We should try very hard not to walk into it.