In February, news broke that Anthropic had revised its Responsible Scaling Policy, moving away from an earlier commitment not to train or deploy certain highly capable models unless adequate safeguards were in place.
At the same time, the EU has signalled adjustments to the enforcement timeline for high-risk systems under the AI Act, amid continued resistance from major technology providers.
Taken together, these developments reveal a growing tension between those building AI and those responsible for regulating it.
At the heart of that tension is a familiar concern: that AI regulation is moving too quickly, and that it could ultimately restrict innovation rather than support it.
It’s a valid concern. But I would argue it is also the wrong framing. Instead of asking whether regulation is arriving too quickly or too slowly, we should be exploring whether we are regulating AI in the right way.
Why pre-deployment guarantees fall short
At present, regulatory thinking is built around quite a traditional model – one that focuses on testing systems before they’re deployed, certifying them as safe, and then releasing them into the market. It’s a model that has worked in industries such as aviation and pharmaceuticals. But it does not carry over cleanly into the AI realm.
AI systems aren’t static and, once deployed, their behaviour evolves. Whether it’s shaped by human input, changing data, new integrations or increasingly sophisticated cyber adversaries, a model that behaves safely in a controlled testing environment can behave very differently in the ‘real world’.
The evidence of this trend is clear. Each passing day brings headlines about AI hallucinations, jailbreaks and unintended data leakage. Recently, rogue AI agents reportedly published passwords and disabled anti-virus software while attempting to generate LinkedIn posts from internal company data.
That is why absolute safety guarantees are proving difficult to maintain, and why many organisations are arguably trying to quietly drop them in the name of innovation and quicker go-to-market timelines.
Boosting safety post-deployment
With this in mind, post-deployment safety must become a much bigger part of regulatory and governance frameworks.
This requires a shift in how we think about AI risk. It is not something that can be fully assessed once, signed off, and then left alone. It is something that develops over time as systems interact with the world around them.
Other sectors have already had to come to terms with this. In cybersecurity, for example, the focus has shifted away from the idea that prevention alone is enough. Continuous monitoring, detection and response are now seen as essential, because threats do not stand still.
The same shift in thinking needs to happen in the AI sector, and organisations need much greater visibility of how their systems and models behave once they are live. Only then will they have the ability to act when something goes wrong and the system goes rogue.
Building a more effective and realistic model
If AI and the risks that come with it continue to evolve after deployment, then the way we regulate it needs to reflect that. That means moving towards a model that supports safety throughout the lifecycle of an AI system, rather than one focused almost entirely on what happens before release.
Pre-deployment testing still matters. It helps identify known risks, set a baseline for safety and stop clearly unsafe systems from reaching the market. But it can’t be where oversight ends.
What happens once systems are live has to become a much bigger part of the conversation. A more effective approach would combine rigorous testing before deployment with continuous oversight and monitoring in production, providing firms with the ability to detect problems as they emerge and respond in real time.
Fortunately, this is no longer a theoretical idea or ambition. Tooling to monitor model behaviour, governance and compliance on an ongoing basis already exists. Organisations in regulated sectors such as financial services are increasingly putting those capabilities in place as AI adoption scales.
What’s more, it doesn’t have to come at the expense of innovation. It doesn’t mean holding systems back with endless pre-launch checks. Instead, it’s about giving organisations the confidence to bring AI to market while retaining the visibility needed to manage risks as they emerge post-deployment. In that sense, continuous oversight is not just compatible with innovation but essential to it: if AI systems are left unchecked, they become too risky to deploy at scale or with public trust.
It would also create a more realistic standard for accountability. Rather than expecting organisations to guarantee safety in advance, the focus should be on whether they can monitor those systems properly, understand how they are behaving, and act quickly when something goes wrong.
If regulation can move in that direction, we can create a model that doesn’t force organisations into a choice between safety and innovation but delivers both.




