Nikhil Rathi, who runs Britain's Financial Conduct Authority, told an AI conference in London this week something regulators do not usually say out loud. "Technology is moving much faster than many regulatory paradigms," he said. "Legislation will never keep up." It was not a confession of defeat so much as a pivot. If the rulebook cannot move at the speed of the thing it governs, the FCA's answer is to lean less on rules and more on stewardship: monitoring markets with its own AI as a "first responder," using broad competition powers as routine tools rather than emergencies, and stepping in before laws catch up, as it did with Buy Now Pay Later.
That candor frames a fight playing out on the other side of the Atlantic, where the same problem has produced two opposite prescriptions. One camp says the answer is for the industry to police itself. Writing up a much-discussed legal paper by George Washington University's Aram Gavoor, City Journal argues that self-regulation is "an old and often successful means" of handling fast-moving technology, and that companies adopt voluntary governance precisely to head off the harsher external kind. The model floated is something like FINRA, the privately run but government-endorsed body that oversees the securities industry, reimagined for AI.
The other camp says self-policing is exactly what went wrong last time. In TechPolicy.Press, Carl Schonander and Mark MacCarthy point to Section 230, the 1996 liability shield that helped build the modern internet and, they argue, also let platforms off the hook for the harms that followed. Congress, they write, should not repeat the mistake with AI: it should pass narrow laws now affirming that AI companies are liable for their products and guarding against catastrophic risks, citing bipartisan draft bills from Representatives Obernolte and Trahan and from Senator Wyden. The urgency, they note, is partly about trust. A Pew survey found Americans more anxious about AI than people in two dozen other countries, with nearly half doubting the government can regulate it at all.
Underneath the debate is a landscape already crowded with rules nobody planned together. A majority of US states have passed AI laws, led by California, Colorado and Texas, producing what one industry summary calls a "patchwork" of clashing standards. Courts are busy too: Colorado repealed and rewrote its comprehensive AI law in May after a constitutional challenge, and a California deepfake statute was struck down on federal preemption grounds. The result is a system where, in the absence of one clear federal rule, everyone is improvising at once.
What links Rathi's speech to the American argument is a shared admission that the old sequence, write a law, then enforce it, is breaking down. The honest question is no longer whether to regulate AI but who holds the pen when the statute is always a step behind: the companies, through codes they design themselves, or legislatures racing to write rules that may be obsolete by the time they pass. The FCA's bet is that a regulator can stay nimble enough to do both. Whether that is wisdom or wishful thinking is the thing the next few years will actually test.