Still, there are significant gaps that will require new rules. These include shortfalls in understanding (including legislators’ knowledge of future developments) and data, let alone guidance on ethical questions like, ‘who should bear criminal responsibility for criminal acts promulgated by Gen AI?’. It is likely to take at least a decade to begin to address these. This is because in the UK, US and other common law countries the answers will be determined in lengthy court battles. Legislation is unlikely to be much faster; the Canadian AIDA has only passed two of five legislative hurdles since June 2022. 

Trade-bloc-based rules are also likely to take years to enact and roll out. The EU is moving faster on the AI Act than the decade it took to enact GDPR; the European parliament aspires to have the legislation approved by late 2023. But there is much uncertainty around implementation. And given the global nature of trade and labour markets, EU rules will only be part of the puzzle. It will also be important for businesses to monitor the nature of rules that other major trade bodies like the World Trade Organisation (WTO) adopt.

The current geopolitical context – specifically US-China competition – means that the rules these bodies promulgate will create further competition. That is also because it is in the interest of Western-backed companies driving many of these technological advances to ensure that the regulations protect their commercial advantage. That would in turn pressure countries that fall on the periphery of existing alliances and trade pacts to align with the likes of the EU. This would also intensify a sense of antagonism and isolation from China and its allies. 

Domestic politics too will determine the speed and strength of regulation. The Dutch DPA was able to muscle into AI issues because of a high-profile scandal stemming from the discriminatory use of algorithms. Ahead of the 2024 Paris Olympic Games the French regulator is scrutinising AI-augmented CCTV. The extent to which new rules seek to protect jobs will no doubt be influenced by the effectiveness of unions, other influence and advocacy groups and leftist parties. Probable consequences are likely to include internal pressure to deploy teams handling new technologies in places with more permissive regulation but that are more exposed to other risks like weak governance and instability.

New rules are no less likely to restrain criminal organisations and other malign actors than old rules. Nor will unscrupulous and disruptive competitors (whether in business, development or politics) become more likely to hold off as a result of regulation. But the fundamentals for security teams to ensure the resilience of their businesses in the face of all these changes are themselves unchanged; they must be able to rapidly identify, adapt to and robustly mitigate emerging risks while keeping an eye on the horizon to anticipate those that are yet to emerge.