Too much oversight can smother useful automation. Too little has already wrecked lives and toppled a government. The real question is not control versus innovation, but where to set the dial, and what that looks like for administrative decisions, e-licensing, and cross-border digital trade.
Every debate about artificial intelligence in government eventually collapses into a single argument about a single dial. Turn it one way and you get the promise of faster licences, smarter services, and fraud caught before it drains the treasury. Turn it the other way and you get audit trails, human review, redress rights, and slower everything. One camp insists governance is a brake on innovation. The other insists governance is the very thing that makes innovation safe enough to scale. Both are partly right, and that is exactly the problem.
The tension is not new. In 1980, David Collingridge described what we now call the Collingridge Dilemma: early in a technology’s life, when it is still cheap and easy to steer, we do not yet understand its effects; by the time the effects are obvious, the technology is so embedded in economic and social systems that steering it becomes costly and politically painful.1 A generation later, Larry Downes named the mismatch differently, as the pacing problem: technology moves at an exponential clip while law and regulation crawl.3 Genus and Stirling argue that Collingridge’s insight has been widely cited but rarely taken seriously enough.2
AI sharpens the dilemma to a fine point. Public-sector AI does not arrive as a discrete product you can inspect once and approve. It learns, updates, and reshapes itself in deployment. The window between easy to govern and too entrenched to change is not just shrinking, it is closing while the system is running.
Fig. 01 · The pacing problem AI capability accelerates while regulatory adaptation lags, opening a widening governance gap. For self-updating public-sector AI, the two curves diverge faster than in any prior technology.
THE CURVE
Governance is not a brake. It is a tuning dial.
The instinct to treat the choice as binary, more rules or more innovation, is the first mistake. The relationship is better drawn as an inverted U. At the low end, the absence of governance breeds uncertainty, risk aversion, and distrust, so useful systems never leave the pilot stage. At the high end, compliance becomes so heavy it drains the resources that innovation needs. The productive zone sits in the middle, where governance supplies enough clarity and trust to act, without becoming prescriptive enough to paralyse.
This is not just theory. A 2025 study by the Cloud Security Alliance and Google Cloud, drawing on 300 IT and security professionals, found that governance maturity was the single strongest predictor of AI readiness. Organisations with comprehensive AI governance were nearly twice as likely to report early adoption of advanced agentic AI (46 percent) than those with only partial guidelines (25 percent) or policies still in development (12 percent), and about three times more likely to train staff on AI security.4 Yet only around a quarter of organisations had reached that mature state.4 Structure was correlated with confident adoption, not with caution.
The choice is not whether to control, but how to distribute control to the points where information and capacity are greatest.
For public institutions the stakes are higher than for a private firm. A government does not merely adopt AI; it is simultaneously the regulator, the buyer, the deployer, and the guardian of the rights of the people its decisions land on.13 That quadruple role is why setting the dial well matters so much, and why getting it wrong is so visible.
Fig. 02 · The governance maturity curve The dial has a sweet spot. Absence and excess of governance both suppress the same two things a public institution needs from AI: the willingness to deploy and the public’s trust that deployment is legitimate.
WHERE IT BITES
Three arenas where governments feel the paradox
Arena 1 · Administrative decisions and e-licensing
Governments already run AI quietly through the machinery of the state: triaging permits, screening licence applications, flagging fraud, prioritising inspections.14 The upside is real. A licensing authority that can pre-check completeness, detect anomalies, and clear routine renewals in minutes frees scarce human attention for the hard cases. This is the dial turned up on capability.
But the same arena holds the most sobering cautionary tales in modern governance, and they are stories of the dial turned down on accountability while it was turned up on automation. In the Netherlands, the childcare benefits scandal (the toeslagenaffaire) saw the tax authority wrongly brand roughly 26,000 families as fraudsters between 2005 and 2019, a risk model that treated dual nationality as a red flag, demands to repay tens of thousands of euros, and, in January 2021, the resignation of the entire Rutte government.6 The related SyRI welfare-profiling system was struck down by a court in The Hague in 2020 for failing to strike a fair balance with the right to privacy.6 In Australia, the Robodebt scheme falsely accused close to half a million welfare recipients of owing money before it was scrapped in 2020.7
These were not failures of ambition. They were failures of calibration: automation deployed at scale without explainability, without meaningful human oversight, and without a working route to redress. The lesson public-sector scholars now draw is a shift from trying to open the black box toward explanation-centric accountability, where the test is not how the model computed an output but whether the resulting decision is legally defensible, traceable to a statute, and contestable by the person affected.18 Practical instruments already exist: public algorithm registers, France’s long-standing right to request administrative source code under its 1978 CADA law, and mandatory human sign-off with an audit trail.13
Arena 2 · Cross-border e-licensing and digital public services
The moment a licence, a qualification, or a business registration has to be recognised in another jurisdiction, the paradox compounds. Here the European Union offers the most developed live experiment. The Single Digital Gateway Regulation requires 21 key administrative procedures to be available fully online, including to cross-border users, and applies the once-only principle so that citizens and businesses need not supply the same evidence twice.8 Its Once-Only Technical System lets one country’s authority request official evidence from another’s, but only at the user’s explicit, previewable request.8 Underneath it sits the eIDAS framework, which since 2018 has required mutual recognition of national electronic identities and is now extending, through eIDAS 2.0, into a European Digital Identity Wallet.9
Read through the control paradox, the crucial insight is this: interoperability is governance that enables. Mutual recognition and shared technical standards are constraints, yet they are precisely what allows an e-licence to flow across a border at all. The dial here is not more or less control but control that is common. For the Global South, and for regional bodies such as ASEAN, the design challenge is to reach that common baseline without importing regulatory machinery that local institutional capacity cannot yet sustain.
Arena 3 · Cross-border trade in AI itself
Digital trade agreements are quietly becoming AI governance instruments. The Digital Economy Partnership Agreement (DEPA), launched by Chile, New Zealand, and Singapore and since joined by South Korea, already carries provisions touching AI, digital identity, and paperless trade.10 ASEAN’s Digital Economy Framework Agreement (DEFA) aims to make digital rules more interoperable, enable cross-border data flows, and build a mutually recognisable digital identity and authentication framework, with explicit cooperation on emerging topics including AI.11 The OECD’s 2026 Digital Trade Review of ASEAN notes that regional trade agreements already address AI-relevant matters such as cross-border data flows, source-code protection, and the continuation of the WTO e-commerce moratorium.11 Older instruments point the same way: the USMCA digital trade chapter presses members to base domestic rules on international standards.12
This is where the compliance-cost asymmetry the ethics debate keeps flagging becomes economic policy. Large firms can absorb divergent, jurisdiction-by-jurisdiction rules; startups and development-sector organisations operating across many countries cannot. Interoperable governance lowers that toll, which is why, counter-intuitively, well-designed rules can widen the field rather than narrow it.
Fig. 03 · The cross-border e-licensing stack Read bottom-up, each layer is a constraint that makes the next one possible. Shared identity enables trusted data exchange; trusted data enables an accountable decision; common rules let the whole service cross a border. The constraints are the enabler.
CALIBRATION
From control to partnership
If the dial has a sweet spot, the policy task is finding it deliberately rather than by accident or scandal. Three mechanisms, already visible in practice, do most of the work.
Regulatory sandboxes as a third way. Rather than choosing between blanket permission and blanket prohibition, sandboxes create supervised environments where an AI system can be tested against real conditions with a regulator watching. The model migrated from fintech into AI governance, and the EU AI Act now requires every member state to have at least one national AI regulatory sandbox operational by 2 August 2026, with explicit priority for SMEs and start-ups and the option to run them jointly across borders.5 The OECD frames sandboxes as adaptive-governance instruments that shine precisely where uncertainty and innovation potential both run high.17 For public-sector e-licensing, a sandbox is where you learn whether an automated decision is contestable before it is imposed on a citizen.
Differentiation by scale and context. A single compliance burden applied identically to a global platform and a two-person GovTech startup entrenches the incumbent and starves the challenger. Calibrated governance is tiered: proportionate to risk, and sensitive to the institutional capacity of the deploying body. This matters doubly in the Global South, where the answer is rarely to copy the EU machine wholesale, but to reach the same trust guarantees through lighter, locally sustainable means.
Evaluators and security experts as co-navigators. Responsibility cannot sit with the AI, which has no agency; it sits with the people who design, deploy, and assess these systems.15 The FRAME approach positions evaluation practitioners as ethical navigators across the AI lifecycle, from pre-deployment assessment through continuous monitoring.16 Paired with security practitioners, who bring threat modelling and the hard safeguards without which no ethical deployment is even possible, evaluation becomes the bridge between the soft principles of fairness and transparency and the hard requirements of robustness and integrity. Monitoring, evaluation, and learning is not paperwork after the fact; it is the instrument that reads the dial.
Fig. 04 · The dial across three arenas
| Arena | Dial too low | Calibrated | Dial too high |
| Administrative decisions & e-licensing | Opaque automation, no redress. See toeslagenaffaire, Robodebt, SyRI. | Explanation-centric accountability: human sign-off, audit trail, algorithm register, contestable decisions. | Blanket bans on any automation; useful triage never leaves the pilot. |
| Cross-border e-licensing | Administrative geo-blocking; documents unrecognised abroad; duplicated evidence. | Interoperability as enabler: once-only exchange, mutual recognition of eID, user-controlled consent. | Rigid harmonisation that outpaces local capacity and stalls adoption. |
| Cross-border trade in AI | Fragmented rules; compliance cost falls hardest on SMEs and the Global South. | Common baselines + sandboxes: DEPA / DEFA provisions, shared standards, joint testbeds. | Data-localisation walls and protectionism disguised as safety. |
FOR PRACTITIONERS
Setting the dial, deliberately
For those building or evaluating public-sector AI, especially in development contexts, the paradox resolves into a handful of working commitments:
- Design for contestability first. Before an automated licensing or eligibility decision reaches a citizen, confirm there is a human accountable for it, an explanation a lawyer could defend, and a route to challenge it.
- Treat interoperability as governance, not plumbing. Mutual recognition of identity and evidence is what lets services and licences move; invest in the common baseline early, when it is still cheap to steer.
- Use sandboxes to learn, not to delay. A supervised testbed is the cheapest place to discover a system’s failure modes, and the honest way to say yes to innovation without saying yes to harm.
- Tier the burden. Match oversight to risk and to the capacity of the deploying institution, so governance does not quietly become a moat for incumbents.
- Put evaluation and security in the same room. Impact measurement and threat modelling are two readings of the same dial; neither alone tells you where it is set.
The framing that got us here, ethics versus innovation, was always a false binary. Absence of governance and excess of governance suppress the same things: the confidence to deploy and the trust that deployment is legitimate. The question a government should ask of any AI system, whether it screens a licence, recognises a foreign credential, or clears a cross-border transaction, is not how much control, but control placed where information and capacity are greatest, and accountability that a citizen can reach. That is the move from a control paradox to a control partnership. The dial is not something to fear. It is something to read, and to set on purpose.
REFERENCES
- Collingridge, D. (1980). The Social Control of Technology. London: Pinter.
- Genus, A. & Stirling, A. (2018). Collingridge and the dilemma of control. Research Policy, 47(1), 61-69. https://doi.org/10.1016/j.respol.2017.09.012
- Downes, L. (2009). The Laws of Disruption. New York: Basic Books.
- Cloud Security Alliance & Google Cloud (2025). The State of AI Security and Governance Survey Report. https://cloudsecurityalliance.org/artifacts/the-state-of-ai-security-and-governance
- EU Artificial Intelligence Act, Regulation (EU) 2024/1689, Articles 57-58 (AI regulatory sandboxes; operational by 2 August 2026). https://artificialintelligenceact.eu/article/57/
- Dutch childcare benefits scandal (toeslagenaffaire) and the SyRI ruling, The Hague District Court, 2020. https://en.wikipedia.org/wiki/Dutch_childcare_benefits_scandal ; Lighthouse Reports, The Algorithm Addiction: https://www.lighthousereports.com/investigation/the-algorithm-addiction/
- On Australia’s Robodebt scheme and comparative welfare-state analysis: The implosion of the Dutch surveillance welfare state, Social Policy & Administration (2024). https://onlinelibrary.wiley.com/doi/10.1111/spol.12998
- Single Digital Gateway, Regulation (EU) 2018/1724; once-only principle and Once-Only Technical System. https://eur-lex.europa.eu/EN/legal-content/summary/the-single-digital-gateway.html
- eIDAS Regulation (EU) 910/2014 and eIDAS 2.0 (EU) 2024/1183, European Digital Identity framework. https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
- Digital Economy Partnership Agreement (DEPA), OECD.AI policy dashboard. https://oecd.ai/en/dashboards/policy-initiatives/digital-economy-partnership-agreement-9554
- OECD (2026). Digital Trade Review of the Association of Southeast Asian Nations (DEFA, WTO e-commerce moratorium, AI in RTAs). https://www.oecd.org/en/publications/digital-trade-review-of-the-association-of-southeast-asian-nations_abd6f44a-en.html
- USMCA Digital Trade Chapter (2020); AI regulatory interoperability and international standards. Office of the United States Trade Representative.
- OECD (2025). Government automated decision-making: transparency and responsibility in the public sector. https://oecd.ai/en/wonk/government-automated-decision-making-transparency-and-responsibility-in-the-public-sector
- Route Fifty (2026). How state and local governments will operationalise AI: explainable, auditable decisions. https://www.route-fifty.com/artificial-intelligence/2026/04/5-ways-state-and-local-governments-will-operationalize-ai-2026/412638/
- Gandhi, V.J. (2025). Responsible AI: Myth or Shared Burden? United Nations University.
- Gandhi, V.J. & Bruce, K. (forthcoming, 2026). Framework for Responsible AI in Monitoring and Evaluation (FRAME), in GenAI in Evaluation Practice. Routledge.
- OECD (2023). Regulatory sandboxes can facilitate experimentation in artificial intelligence. OECD.AI Policy Observatory.
- A Neuro-Symbolic Framework for Accountability in Public-Sector AI (2025). https://arxiv.org/abs/2512.12109


