Regulation is just one way to regulate
From sanctioning the undesirable to designing it out
On the 1st of August 2024, the European Union AI Act came into force. The response was mixed. Some celebrated it as a great step towards AI safety. Others insisted the act did not go far enough. Many were convinced it would only further stifle innovation and reduce EU competitiveness. Big tech companies found it too ambiguous to comply with; small ones — too costly. Some researchers complained it would negatively impact their work. For most commentators, it was way too complex.
The loudest voices clustered around two responses: bad for innovation, good for safety. Earlier technology and safety regulation, for food, electronics and pharmaceuticals, drew the same two responses. The pattern is the business-policy tension at work.
Business-policy tension
Businesses seek adaptability, experimentation and speed.
Policy seeks predictability, accountability, and safety.
That is how each side describes itself, picking the values that are easiest to justify. A more neutral framing is that businesses seek freedom, either for innovation or simply to find a way to maximize their economic gains, while policy seeks control, either for broader social welfare or in pursuit of political agendas.
The tension is old. It is already visible in the High Middle Ages and intensified with the commercial revolution and the rise of the merchant guilds. Early on, it ran between merchant freedom and feudal oversight, and was partly resolved in the Italian city-states: guilds came to control banking and textiles, while rulers imposed taxes and price ceilings. The same tension recurs at every scale. It was acute between Venice and the papacy over trade with the Muslim world. Rome embargoed commerce with the Levant, above all in war materials such as iron, timber, and arms (Canon 24 of the Third Lateran Council, 1179), while Venice, whose livelihood depended on that trade, lobbied to have the bans lifted and at times ignored the pope outright, keeping its convoys to Mamluk Egypt running. Guilds also scaled up their coordination. The Hanseatic League, the best-known case, federated merchant towns across the Baltic and North Sea and negotiated privileges with cities and kings, at times even waging wars with them. The tension took a new shape with the chartered trade monopolies of the 16th to 18th centuries, the English and Dutch East India Companies being the most prominent cases. Here, business and policy fused, with the state granting a private firm a monopoly and quasi-sovereign powers. During the Industrial Revolution, it was reshaped by the drive for efficiency against the nascent demand for social protection. Britain’s Factory Act of 1833 constrained working hours for children. Its decisive innovation was enforcement, a four-man inspectorate empowered to enter any mill and levy penalties, whereas earlier acts had set rules but left them to local magistrates and so were largely ignored. Today, the tension surfaces most clearly in the modern regulatory system, nowhere more visibly than in the European Union, with the AI Act as its latest instance.
Addressing the tension
The business-policy tension is now well recognized, and there are attempts to manage it. These attempts range from traditional command-and-control (1985-2005), to co-regulation (2008-2015), public-private partnerships (2014-2021), and the most recent invention, regulatory sandboxes (2024-present). These periods in parentheses only indicate when each method was the dominant way to address the tension. Otherwise, they all coexist today.
The narratives of these approaches are simple. The initial one was: “innovation creates risk, so we must regulate it, and that’s it.” With the tension increasing, the new script read “regulation is too rigid, let’s consult businesses” (co-regulation), borrowing the term co-regulation from psychology and having mainly a psychological effect, if any. Yet it showed a trend towards a more participatory approach and helped shift the narrative to “consultation is not enough, let’s build together” (public-private partnerships) and then “even building presumes we know the rules, so let’s experiment to find them together” (sandboxes).
This last invention, regulatory sandboxes, is a hot topic now, charged with different expectations and somehow trying to accommodate them all, ultimately turning into a strange beast with little chance of reproducing.
Regulatory sandboxes are meant to be safe environments where businesses can innovate under relaxed rules and supervision. They were first tried in finance in the UK with some positive results and then suddenly became a trusted device despite little evidence that they work, so much so that the EU AI Act dedicated several articles to them and mentioned them 52 times. Now there is even a separate regulation for the AI sandboxes.
The sandbox, being a sandbox, also proved an accommodating place for experimenting with itself, absorbing different symptoms of the tension. From a supervised space where businesses innovate under relaxed rules, it morphed into a place where regulators learn about technologies and AI providers learn how to be compliant. This last bit looks very much like a response to the objection of Meta and Google. In the AI Act, the text “the AI regulatory sandboxes should aim to enhance legal certainty for innovators” was a “moreover”. In the Sandbox regulation it has been promoted to the primary aim, while the innovation aim was demoted to an “also”.
What’s difficult for me to imagine is what will attract participants to sandboxes. Supervising innovation sounds to me like conducting a jazz solo. And not much queuing is in sight. Every EU member state should have at least one active by August this year. To my knowledge, there is currently only one operational sandbox, in Spain.
But enough about sandboxes. The point is that all these approaches give different answers to the same question: how to manage the business-policy tension? Let’s step back and ask a different question: what is this tension, actually?
What it actually is
The business-policy tension is not specific to that interface. It is just another manifestation of the omnipresent tension between autonomy and cohesion, one that can be found in any biological, social or socio-technical system and, in some form, even in purely technical systems. Different cohesion forces and tools result in different coordination regimes (more on that later).
This essay is part of the Autonomy and Cohesion series. In an attempt to make it self-standing, I’ll try to summarise the basic idea in the next three paragraphs.
Autonomy is the capacity to make uncoerced decisions; in purely technical domains it is read as a component’s degree of freedom. Cohesion is the action or fact of forming a whole or working as a whole, and through that second, dynamic aspect it subsumes coordination. Cohesion imposes constraints and reduces autonomy. Extreme autonomy dissolves the whole.
Too little autonomy makes systems rigid, non-adaptive, and brittle; too little cohesion yields inefficiency, silos, and, at the limit, disintegration. So systems do not resolve the tension. They hold a balance, and the balance is relative to culture, situation, and type of system.
Cohesion comes from two sources. There are forces we find ourselves within: needs for safety, belonging, reduced uncertainty, and shared values; social identity and loyalty; and external forces such as having a common enemy or a common market. And there are tools we shape and get shaped by in return: language above all, and rituals, norms, rules and laws. Forces are largely beyond our influence; tools are deliberately deployed, yet once deployed, they act back on us. Different tools strike the autonomy–cohesion balance differently.
The tension is a fractal. The business-policy tension is only one manifestation of the autonomy-cohesion dynamics in that fractal. And so the tension is not only between policy and business, but also within policy and within businesses and all the way down. Take the recent statement of Keir Starmer:
My experience now as prime minister is of frustration that every time I go to pull a lever there are a whole bunch of regulations, consultations, arm’s-length bodies that mean that the action from pulling the lever to delivery is longer than I think it ought to be, which is among the reasons why I want to cut down on regulation, generally and within government.
(My first challenge here is to resist commenting on the “policy lever” metaphor, which is so rich and generative on its own and even more so when paired with the “deliverology” narrative. Luckily, there is a good essay on the lever bit already and more moderate than the one I would’ve written.)
It is a clear illustration of the tension and its two sides. “Pull a lever”, “delivery” and “cut down on regulation” speak for autonomy; “regulations, consultations, arm’s-length bodies” speak for cohesion.
So the same autonomy–cohesion tension that runs between business and policy runs inside policy. A new executive wants to act. Old policy, encoded as regulation and arm’s-length bodies, holds it.
Each balance contains the next. The executive wants free movement (autonomy), yet ministries should act in sync (cohesion). The cabinet needs cohesion, but each ministry wants room to act. The balance works within and between recursion levels. While each ministry wants its own autonomy, it is only usable if the ministry has internal cohesion across its agencies, which in turn want their own autonomy, down to the individual official whose discretion is balanced by departmental policy. Central government wants local authorities aligned, while each municipality demands discretion shaped by local conditions, and is itself in need of cohesion between its own departments.
The fractal on the business side looks similar. This quote of Andy Jassy, CEO of Amazon, almost mirrors that of Keir Starmer:
Builders hate bureaucracy. It slows them down, frustrates them, and keeps them from doing what they came here to do.
A firm participates as an autonomous agent in the market, balanced by regulation and trade rules. Inside the firm, each department wants autonomy. Unbalanced, that autonomy hardens into silos, a popular corporate pathology. Each team, each employee, repeats the pattern: discretion in daily tasks balanced by shared goals, reports, and rules.
So business-versus-policy is one cut through a structure that repeats at every level: cell, organ, hand, person, team, department, firm, market; official, ministry, government, union. The tension is invariant. What changes is the cohesion mechanism: rules, plans, meetings, protocols.
Cohesion mechanisms vary in many ways. Andy Jassy again:
When you’re running something at scale, you need mechanisms to deliver the right experience and constant improvement for customers. However, as companies grow and add more managers, unneeded processes get layered on that add little value.
Some cohesion is good (the “mechanisms” of the first sentence), and some is bad (the “unneeded processes” of the second).
But it is more useful to think in terms of autonomy cost (participatory autonomy) and autonomy gain (consequential autonomy) that different cohesion mechanisms bring. This results in a cohesion spectrum with seven zones.
The zones and trajectories are explained in another essay.
What is important here is that regulation, and by that I mean technical and safety regulation like the EU AI Act, is just one cohesion mechanism. It has a particular place in the spectrum (Administrative zone), which determines its impact on autonomy and, in turn, on the potential for innovation and the resulting tension.
Then maybe different cohesion mechanisms, further to the right towards the Interoperable zone, can bring more autonomy and alleviate the tension. But more importantly, when it comes to safety, they have another feature which makes them worth considering.
Illegal or impossible?
Let’s compare two familiar ways to coordinate the traffic of two (or more) intersecting roads: traffic lights and roundabouts.
A traffic light, just like law, is a cohesion tool that works on the basis of rules and sanctions. The rules are clear: red means stop. If you don’t, there is a sanction, and the sanction is also clear. If you don’t stop, collide with and kill somebody crossing on green, the sanction, applied only afterward, will not change the outcome for the victim.
Roundabouts are protocols. Their physical properties, together with some simple rules, serve as constraints that produce self-organized coordination behavior. The emerging order results from each driver following the rule of yielding to circulating traffic, but otherwise relying on personal judgment. The coordination between participants is internal and direct, unlike traffic lights, where it is external, through an intermediary. That difference is non-trivial, as I wrote elsewhere. But there is another difference when it comes to head-on collisions. While traffic lights make them sanctionable, well-designed roundabouts make them impossible.
Such a feature is not unique to roundabouts. Many standards and protocols work this way: cryptographic protocols, building codes for earthquake resistance, circuit breakers in the stock market, and childproof packaging, to name just a few better-known examples. Many others exist, but, as is so typical of protocols, they are invisible as long as they work.
Which brings us back to the AI Act. The complaint is that it overrates the risk and smothers innovation. More likely, it’s the reverse: it underrates the risk.
It uses the EU’s product-safety template, the one for toys, electronics, and drugs. The checklist is: sort by risk tier, certify, monitor, fine the violator. That fits bounded harms, typical for the Administrative zone: rule plus sanction, applied after the outcome. But the template itself is a risk-categorization claim, in which the worst case is serious but recoverable. The people most worried about AI think it belongs in a different class altogether: alongside nuclear weapons, where the worst case is catastrophic and irreversible. It doesn’t matter if they are right. It is enough that the possibility is on the table, because for a risk of that size the sanction model fails on its own terms. An ex-post penalty is worth what it was worth to the driver dead at the green light. After a catastrophe of that scale, there is no one left to apply the sanction.
The bad outcome should be impossible or hard to reach, not merely punishable.
This shift does not abolish regulation. It only changes what regulation does. Instead of setting a rule and waiting to punish, a law can mandate a protocol and then govern it from a distance. Sometimes the law calls the protocol into being. eIDAS did this for digital identity, INSPIRE for spatial data. Sometimes the protocol already exists, and the law simply makes it compulsory. The EU’s SEPA rules required everyone to adopt IBAN, and its Common Charger Directive (2022/2380) required portable devices to adopt USB-C and the USB Power Delivery protocol, standards the industry had already built. Either way, the law names the need and points to the protocol, and the protocol does the coordinating.
And it coordinates differently from the law. Break a rule, and the act still happens; the sanction comes after. Break a protocol, and nothing happens. Send the wrong account format and the transfer does not go through. Send a malformed request to a server, and you simply fail to coordinate. There is no wrong outcome to punish, because there is no path to it. End-to-end encryption does not block interception. It makes the intercepted content unreadable (though not the fact, timing or size of the exchange), so the interception is pointless. The roundabout goes further. It removes the crash itself. The undesirable is not threatened but designed out of the possibility space.
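The “no path to the bad outcome” idea, as an added example that is not part of the essay: the account-number check behind SEPA’s IBAN is ISO 7064 MOD 97-10, and the code below contrasts a rule-and-sanction ledger, which executes whatever account string arrives and flags the violation in a later audit, with a protocol ledger that only accepts an `Iban` value, a value that cannot be constructed from a malformed string. The ledger, audit list and the two transfer functions are hypothetical illustrations; the sample account is the widely published example IBAN for a fictitious UK account, and the second input is the same string with a one-digit typo, constructed here.

```python
import re
from dataclasses import dataclass

# ISO 13616 shape: two-letter country code, two check digits, then up to 30
# alphanumerics (the national part). Length and character class are checked
# here; the checksum below catches every single-character error and every
# adjacent transposition, because 97 is prime and larger than 10.
_IBAN_SHAPE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def normalize_iban(raw: str) -> str:
    """Remove whitespace and upper-case. This is the only lenient step."""
    return "".join(raw.split()).upper()


def iban_check_ok(iban: str) -> bool:
    """ISO 7064 MOD 97-10 as used by IBAN: move the first four characters to
    the end, map A..Z to 10..35, and the resulting integer must be 1 mod 97.
    The remainder is accumulated digit by digit so no big integer is built."""
    if not _IBAN_SHAPE.match(iban):
        return False
    rotated = iban[4:] + iban[:4]
    remainder = 0
    for ch in rotated:
        digits = str(ord(ch) - 55) if ch.isalpha() else ch  # 'A' -> "10"
        for d in digits:
            remainder = (remainder * 10 + int(d)) % 97
    return remainder == 1


@dataclass(frozen=True)
class Iban:
    """A value that exists only if the checksum passed: a malformed IBAN is
    unrepresentable, so code that takes an Iban never sees one."""

    value: str

    def __post_init__(self) -> None:
        if not iban_check_ok(self.value):
            raise ValueError(f"not a valid IBAN: {self.value!r}")


def parse_iban(raw: str) -> Iban:
    """Boundary parser: normalize, then construct (or refuse) the value."""
    return Iban(normalize_iban(raw))


def transfer_sanction_model(raw_account: str, amount: int,
                            ledger: list, audit: list) -> None:
    """Hypothetical rule-and-sanction ledger: the transfer is booked on
    whatever string arrives; a later audit records the violation, but the
    bad ledger entry already exists."""
    ledger.append((raw_account, amount))
    if not iban_check_ok(normalize_iban(raw_account)):
        audit.append(f"violation: malformed account {raw_account!r}")


def transfer_protocol_model(raw_account: str, amount: int,
                            ledger: list) -> bool:
    """Hypothetical protocol ledger: only an Iban value can be booked, and an
    Iban cannot be built from a malformed string, so there is no path to a
    bad entry. Returns whether the transfer went through."""
    try:
        account = parse_iban(raw_account)
    except ValueError:
        return False
    ledger.append((account.value, amount))
    return True


def demo() -> dict:
    """Run both models over the same constructed inputs and return the state
    each leaves behind."""
    good = "GB82 WEST 1234 5698 7654 32"   # published example IBAN (fictitious account)
    typo = "GB82 WEST 1234 5698 7654 33"   # same string with the last digit changed
    sanction_ledger, audit = [], []
    for acct in (good, typo):
        transfer_sanction_model(acct, 100, sanction_ledger, audit)
    protocol_ledger = []
    accepted = [transfer_protocol_model(acct, 100, protocol_ledger)
                for acct in (good, typo)]
    return {"sanction_ledger": sanction_ledger, "audit": audit,
            "protocol_ledger": protocol_ledger, "accepted": accepted}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The sanction ledger ends with two entries and one audit finding; the protocol ledger ends with one entry and one refused transfer, which is the whole difference the essay is after: the typo is not punished, it is unrepresentable. The same pattern (parse at the boundary into a type that cannot hold an invalid value, and make the rest of the system accept only that type) is what “make illegal states unrepresentable” means in practice.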