Regulatory Capture in AI Governance

The revolving door between AI labs and AI regulators isn't a scandal — it's become standard operating procedure.

In 2026, the EU AI Office hired eleven senior technical staff from frontier AI companies in a single quarter. In 2027, three of those staff left to take senior roles at companies operating under frameworks they had helped design. This is not remarkable. It has become the normal rhythm of AI governance, and the regulators doing the hiring will tell you, without embarrassment, that it is the only way to get people who actually understand the technology.

They are not wrong about the technical necessity. They are wrong — or perhaps simply evasive — about what this structural arrangement produces. Regulatory capture in AI governance does not look like a corrupt official taking a bribe. It looks like a technically brilliant regulator who genuinely believes that the frameworks she helped design are correct, who genuinely wants to see them implemented well, and who will be working for an AI company within three years. Her successors, watching her trajectory, draw reasonable inferences about which positions survive contact with industry pushback.

This is the most important thing to understand about AI regulatory capture in 2029: it doesn’t require bad actors. It produces bad outcomes anyway.

How capture happens without corruption

The classic theory of regulatory capture, developed by economist George Stigler in the 1970s, describes regulated industries gradually gaining control of their regulators through lobbying, revolving-door hiring, and the sheer resource advantage they enjoy over public-sector counterparts. The story has been told about banking, pharmaceuticals, telecommunications. AI is following a version of the same script, with some important variations.

The main variation is speed. The US banking system was around for a century before deregulation in the 1980s allowed the industry to substantially write its own rules. The AI industry achieved a comparable degree of influence over its regulatory environment in about four years, starting from 2024 when serious legislative efforts began in earnest. The reasons are structural: AI policy is technically complex, which means government bodies depend heavily on industry expertise; AI companies have valuations that give them enormous lobbying budgets; and — critically — the people who understand AI well enough to regulate it are the same people that AI companies want to hire, which means they can offer compensation packages that governments simply cannot match.

In Washington, the average tenure of a technical AI policy specialist at a regulatory agency before departing for industry is now 26 months. At the EU AI Office, it is 31 months. These are not people who are behaving badly. Many of them are principled and genuinely committed to the public interest. The structural incentives simply operate on a timeframe that is shorter than the time needed to build robust regulatory capacity.

What capture looks like in practice

The clearest example of regulatory capture in AI governance is the treatment of foundation model evaluations. When the EU AI Office developed its framework for evaluating general-purpose AI models (the “GPAI” provisions of the AI Act), it relied heavily on input from the companies being regulated to determine what evaluation methodologies were technically feasible. This is standard in complex technical domains — you need industry input. The problem is that “technically feasible” became a proxy for “acceptable to the companies.” Evaluation approaches that the companies found burdensome or revealing were categorized as technically infeasible. Several were; others were not.

The result is an evaluation framework that is comprehensive on paper and systematically avoids the measurements that would be most informative about actual risk. The people who made this happen were not running a coordinated deception campaign. They were doing what seemed technically reasonable, drawing on expertise from people who would later benefit from the framework’s limitations. The outcome is indistinguishable from what deliberate capture would have produced.

In the United States, the pattern is slightly different because the regulatory environment is fragmented across agencies. The NIST AI Risk Management Framework, which has become the de facto voluntary standard that companies point to when asked about their safety practices, was developed through a process that included hundreds of industry comments and was revised substantially in response to them. The framework is genuinely good at many things. It is conspicuously weak in the areas where industry pushed hardest during the comment process. The people who drafted it were not captured in a corrupt sense. The institutional process was captured in a structural sense.

The revolving door directory

The traffic between AI labs and regulatory bodies has become so regular that tracking it has become its own small industry. The AI Regulatory Watch — a nonprofit that aggregates career moves in the space — published figures in August 2029 showing that 47 people who held senior positions in AI regulatory bodies in the G7 countries between 2024 and 2027 now hold senior positions at AI companies. The reverse figure — people who went from AI companies to regulatory bodies — is 61. The numbers are roughly symmetrical, which some observers cite as evidence of a healthy information exchange. The more accurate interpretation is that the boundary between regulator and regulated has become permeable in both directions, which is a different thing.

Some of these moves are genuinely benign. A person who spent three years at the UK’s AI Safety Institute working on capability evaluations, who then goes to work at a company trying to build safety into its development process, has probably made a choice that serves the public interest better than staying in the underpaid public role would have. The individual-level analysis often exonerates the people involved.

The system-level analysis is harder to exonerate. When the dominant career path for someone who wants to work on AI safety runs through the regulatory apparatus as a stepping stone toward industry compensation, the regulatory apparatus becomes an apprenticeship program for industry rather than a counterweight to it.

The international coordination problem

Regulatory capture in AI governance has an international dimension that gets insufficient attention. The major AI companies operate across every major jurisdiction and have coordinated lobbying operations in all of them. Regulatory bodies do not have equivalent coordination. There is no equivalent of the Financial Stability Board for AI — no international body with actual authority to coordinate regulatory approaches across jurisdictions.

What exists instead is a series of informal working groups, bilateral sharing arrangements, and aspirational frameworks (the G7 Hiroshima AI Process, the Bletchley Park declarations, the subsequent Seoul and Paris follow-ons) that generate communiqués and create venues for conversation but have no enforcement mechanisms whatsoever. Companies coordinate globally. Regulators coordinate, when they do at all, through processes that move approximately one-tenth as fast.

This asymmetry is not accidental. The AI industry has opposed formal international regulatory coordination consistently and effectively, supporting instead “voluntary” international frameworks that companies can participate in selectively. The argument made publicly is that formal international regulatory coordination would stifle innovation. The argument made internally, as evidenced by documents obtained through EU transparency requests in 2028, is that voluntary frameworks “preserve optionality” and prevent “the hardening of regulatory positions that would be difficult to reverse.”

What effective resistance looks like

A few counterexamples exist. The Canadian Treasury Board’s approach to algorithmic decision-making in government — the Directive on Automated Decision-Making, now in its third revision — has maintained its structural independence partly because it applies to government itself, which reduces the capture dynamic. The government is both the regulator and the regulated party, which creates accountability mechanisms that work differently than in private sector contexts.

South Korea’s AI oversight framework, implemented through the Korea Communications Commission with technical support from ETRI (the national research institute), has maintained genuine technical independence partly by refusing to hire from the five largest AI companies operating in Korea for its lead evaluation roles. This is an eccentric policy and it costs them expertise. It has preserved something that most regulatory bodies have quietly abandoned: the ability to conclude that a system fails to meet standards without immediately getting a call from a senior executive who used to work in the same office.

The honest conclusion is not that regulatory capture in AI governance is inevitable. It is that preventing it requires deliberate institutional design choices that most jurisdictions found too politically expensive to make when the industry was growing fast and governments were eager to be seen as innovation-friendly. Four years later, the institutions are set. Changing them requires a political will that has not materialized and probably won’t until something goes wrong in a visible enough way to make capture itself the story.

We are still waiting for that story. The industry is hoping we wait a long time.