There is a deceptively simple assumption buried at the heart of most modern regulatory frameworks: that the thing being regulated is, in principle, knowable. That harms can be identified, their probability estimated, their severity weighed against the benefits of the activity producing them. That we can, in short, “calculate” our way to safety – or at least to an acceptable approximation of it. The assumption is so deeply naturalised in contemporary administrative practice that it rarely surfaces as an assumption at all. It appears, instead, as a methodological reflex, an unstated grammar of regulatory reason.Footnote 1
This assumption is not wrong, exactly. It is productive, even necessary. Without some framework for quantifying and comparing hazards, regulation collapses into either paralysis or arbitrariness – into either a refusal to act in the face of any conceivable harm, or a politics of selective enforcement that responds to whichever danger is loudest at the moment. Risk analysis, for all its limitations, gives the regulatory state a vocabulary in which competing harms can be discussed, traded and prioritised. It is one of the few intellectual technologies that allows public administrations to govern complex domains at scale.Footnote 2 The OECD, in its survey of risk and regulatory policy, treats this vocabulary as central to the contemporary state’s capacity to govern at all.Footnote 3
But the assumption does have limits, and those limits are becoming increasingly visible as regulators attempt to govern technologies whose effects are genuinely novel, whose failure modes are difficult to anticipate and whose social consequences may not manifest for years or even decades. At the frontier between risk and uncertainty, the dominant paradigm of risk-based regulation begins to strain – and in some cases, to fail. The frameworks continue to operate, generating documents, classifications, conformity assessments and compliance certificates; but the substantive grip of those frameworks on the world they purport to govern weakens, sometimes dramatically.Footnote 4
This article argues that the conceptual distinction between risk and uncertainty, long established in economics and decision theory,Footnote 5 has not been adequately metabolised by contemporary regulatory practice. The result is a series of frameworks – most visibly the EU AI Act,Footnote 6 but also the Digital Services Act (DSA)Footnote 7 and the General Data Protection Regulation (GDPR)Footnote 8 – that apply the form of risk-based analysis to domains where its substance cannot be supplied. They borrow the architecture of pharmaceutical safety review or environmental impact assessment and graft it onto problems that do not share the relevant epistemic structure.Footnote 9 Understanding why this happens, and what alternatives exist, matters not only for the legitimacy of regulation but for its actual ability to govern the technologies that increasingly shape contemporary life.
The argument that follows is not a brief against quantification, nor a defence of any particular regulatory failure. It is an attempt to take seriously a question that the dominant paradigm tends to suppress: what kind of knowledge does a given regulatory framework presuppose, and what happens when that knowledge cannot, in fact, be supplied? The answer, we suggest, is not that regulation becomes impossible. It is that we need a richer institutional toolkit – one in which risk-based analysis is one technique among several, rather than the master template into which every problem must be forced. In this article, we briefly trace the evolution of risk-based regulation as an idea in theory and EU digital regulatory practice. We then analyse the feasibility of risk-based digital regulation in the environment of deep uncertainty and suggest a few techniques that can improve the present regulatory setup.
I. The distinction that changes everything
The difference between risk and uncertainty is not merely technical – it is foundational. The economist Frank Knight drew the line cleanly in Risk, Uncertainty and Profit (1921): risk refers to situations where the possible outcomes are known and probabilities can be assigned to them. Uncertainty is something qualitatively different.Footnote 10 Under uncertainty, we do not simply lack confidence in our probability estimates; we may not even know what the relevant outcomes are. The space of possibilities is itself undefined.Footnote 11 To decide under risk is to bet on a die whose faces are visible. To decide under uncertainty is to bet on a die whose number of faces, and whose markings, we do not yet know.
Knight’s distinction has since been elaborated, complicated and contested. The Handbook of the Economics of Risk and Uncertainty traces, across more than a century of subsequent work, how decision theorists have developed frameworks for “ambiguity” – situations between pure risk and pure uncertainty, where probabilities exist but are imprecise, or where multiple plausible probability distributions cannot be ranked against one another.Footnote 12 Some authors prefer the term “deep uncertainty” to capture cases where even the structural model of the system is contested.Footnote 13 Others yet speak of “unknown unknowns” – outcomes that are not merely unlikely but unimagined and of “strategic ambiguity.”Footnote 14 The conceptual taxonomy is unsettled, but the underlying intuition is robust: not all problems of decision under partial knowledge have the same shape, and the tools that work for one shape may not work for another.
The underlying assumptions about rational decision-making in the face of risk have already been challenged in theory. Buchak’s Risk and Rationality argues that orthodox expected utility theory, the dominant account of rational decision-making, is too restrictive because it cannot adequately represent how rational people actually think about risk.Footnote 15 Her work is significant for regulators because it challenges the assumption – implicit in much risk analysis – that expected value calculations are normatively neutral. Different attitudes towards risk are not irrationalities to be corrected; they may reflect defensible preferences about the structure of possible futures. A society that places extra weight on avoiding low-probability catastrophes is not making an error in arithmetic; it is expressing a substantive judgment about what kinds of futures matter, and how the prospect of irreversible harm should be incorporated into present choice.
The implication is uncomfortable for any regulatory framework that takes expected-value reasoning as its baseline. If reasonable people can defensibly disagree about how to weight tail risks, then the choice of weighting is not a technical matter to be settled by experts – it is a political question that the regulatory framework either resolves explicitly or smuggles in under cover of methodology.Footnote 16 Buchak’s point is that the apparent neutrality of expected-utility procedures is a substantive position, and one that ought to be defended rather than presumed.
Shrader-Frechette pushes the critique further. She argues that technical risk assessments routinely smuggle in normative assumptions – about whose exposures count, which futures matter, how to discount uncertainty – without making those assumptions explicit. Her central claim is that the appearance of scientific objectivity in risk analysis often serves to delegitimise precisely the concerns of affected communities, treating contested value judgments as if they were settled empirical conclusions. When a community whose members live downwind of a chemical plant insists on a more cautious risk threshold than the regulator’s technical model would suggest, that insistence is too easily described as “innumeracy” or “public misperception of risk.” This work shows that such descriptions frame dissent as a deficiency rather than a legitimate disagreement about values.Footnote 17
The regulatory implications are significant. A framework built to handle risk – known probabilities over known outcome spaces – will behave poorly when transplanted into conditions of genuine uncertainty. It will produce the forms of analysis without the substance. It will generate numbers that have the appearance of rigour but rest on foundations that cannot support them. And it will tend systematically to exclude exactly those harms that are hardest to model: diffuse, long-term, structural contested.Footnote 18 The most consequential risks of a new technology are often precisely those that cannot be cleanly fitted into a probability table – and a framework that requires harms to be fitted in this way will, by construction, fail to see them.
This is more than an abstract methodological worry. It has real consequences for how harms are distributed and whose claims get a hearing. If your problem has the structural character of risk, then risk-based regulation is, at least in principle, well-suited to it. If your problem has the structural character of uncertainty, then a framework that demands probability estimates as the price of admission to regulatory attention will systematically marginalise it. The distinction Knight drew a century ago is therefore not a footnote in the history of economic thought but a live question about which problems contemporary regulation is structurally able to see.Footnote 19
II. Risk-based regulation: the dominant paradigm
Risk-based regulation emerged as a response to a real problem. Regulators have finite resources and face an enormous range of potential harms. They need some principled basis for deciding where to focus attention, what to scrutinise and how intensively to enforce. Risk-based approaches offered exactly this: prioritise by assessed risk, allocate oversight proportionally and concentrate enforcement where harm is most probable and most severe. In an era of austerity and stretched administrative capacity, the model promised both efficiency and a defensible rationale for the choices regulators were going to have to make anyway.Footnote 20
The approach has genuine virtues. It is more systematic than discretionary enforcement. It creates transparency about the criteria being used. It can direct inspection resources towards genuine danger rather than bureaucratic routine and can give regulated entities a clearer signal about what behaviours will attract scrutiny. Black’s foundational work documents how this model has spread across sectors, from financial services to food safety, environmental regulation and pharmaceuticals.Footnote 21 The basic case – risk-based regimes can deliver greater coherence to fragmented oversight, especially when stakeholders, including third parties, are systematically engaged – can easily be supported today too.Footnote 22 In many of these domains, this model has improved regulatory performance in measurable ways: reductions in salmonella incidents, more targeted financial supervision, faster identification of unsafe products in the supply chain.
The historical context matters. Risk-based regulation gained prominence in the 1990s and 2000s, against a backdrop of new public management reforms, demands for evidence-based policy and pressure from regulated industries to make compliance burdens more proportionate. Hutter’s account of the “attractions” of risk-based regulation traces these political and institutional drivers, noting that risk language gave the state a register in which intervention could be reframed as proportionate management rather than discretionary command.Footnote 23 The OECD’s comparative review, Risk and Regulatory Policy: Improving the Governance of Risk, captures the same arc from a more institutional vantage point, treating risk-based methodology as a benchmark of contemporary good governance.Footnote 24
Van der Heijden’s review of the international academic literature offers a useful synthesis: across decades of research, risk-based regulation is typically defended for its proportionality, its evidence orientation and its contribution to administrative legitimacy and is typically criticised for its epistemic and ethical limits.Footnote 25 Coglianese’s analysis from a law-and-economics perspective complements this view: regulation has, at its core, always been about managing risk, but the choice of which normative principle structures that management – zero-risk, cost-benefit, precautionary, management-based – is anything but neutral.Footnote 26 Each principle carries a different image of the state and a different distribution of the burdens of proof, and the “risk-based” framing tends to elide those choices.
But Black also identifies a recurring problem: the model works best when the risk landscape is relatively stable and well-mapped. It is not designed for situations where the most significant risks are unknown, diffuse, or emergent. When regulators build risk registers and prioritisation frameworks, they inevitably encode their existing knowledge – and thereby their existing ignorance. What falls outside the register is not regulated; it is simply invisible.Footnote 27 The risk register is a map, and like any map it tells the regulator where to look, and in doing so silently determines where the regulator will not look.
Black and Baldwin describe a tendency they call “aiming low”: the temptation, under risk-based regimes, to direct enforcement towards the harms that are easiest to define, count and prosecute, rather than those that may matter most.Footnote 28 The bureaucratic incentives are powerful. A regulator that focuses on well-defined risks can produce metrics, demonstrate progress and defend its budget. A regulator that takes seriously diffuse, structural harms must operate without ready measurement and is therefore more vulnerable to the charge of acting on hunches. The structure of accountability rewards visibility, and visibility is biased towards the kinds of harms that risk-based methods are already good at seeing.Footnote 29
O’Malley makes a related point from a different disciplinary angle.Footnote 30 Risk, in regulatory practice, is never simply a description of the world; it is also a technology of governance – a way of making certain problems legible and tractable while leaving others outside the frame. The choice of what to count as a risk, and how to measure it, is itself a political act, even when it presents as technical. Black’s longer-form treatment makes the same observation in more institutional terms: risk has become an “organising principle” of governance, but it is one whose inherent instability tends to destabilise the very decision-making it is invoked to discipline.Footnote 31 As that vocabulary spreads, it carries with it a particular ontology – a way of cutting up the world into events, populations, exposures and probabilities – that may or may not fit the problems it is being used to address.
This matters enormously for technologies that are genuinely new. A pharmaceutical can be assessed against established physiological pathways. A new food additive can be tested against known metabolic processes. The relevant outcome spaces are reasonably well bounded, the relevant populations identifiable, the relevant time horizons not so distant as to overwhelm analysis. But an artificial intelligence system deployed at scale, or a social media platform mediating information flows across hundreds of millions of people, operates in social and epistemic territory that has no established map. The risks are not merely uncertain in magnitude; they may be uncertain in kind. We do not yet have settled vocabularies for what it means to harm a public sphere, to erode collective attention, to reshape political identity through algorithmic curation.Footnote 32
To press these problems through a risk register is to discover that the register has the wrong number of dimensions. The harms either get translated, awkwardly, into proxies that capture only part of what is at stake – measured incidents of misinformation instead of the systemic loss of credibility – or they are excluded altogether on the grounds that they cannot be operationalised. Either result is unsatisfactory. The first produces metrics that mislead; the second produces a regulatory blind spot precisely where the most consequential effects may lie.Footnote 33
III. The EU AI Act’s calculated gamble
The EU AI Act represents the most ambitious attempt yet to apply risk-based logic to artificial intelligence. It classifies AI systems into tiers – unacceptable risk, high risk, limited risk minimal risk – and attaches regulatory obligations proportional to that classification.Footnote 34 The architecture is neat and politically legible, building on a long tradition of European regulatory design in which graduated obligations track assessed hazard levels. The model is explicitly intended to be familiar: a regulator confronted with a new and frightening object reaches, almost by reflex, for the toolkit that has worked elsewhere.Footnote 35
The Act has genuine merits. It creates a clear legal framework where none existed. It imposes substantive requirements on high-risk systems – conformity assessments, technical documentation, human oversight, data governance, transparency – that could meaningfully constrain dangerous deployments. It introduces obligations on general-purpose model providers that, while contested in their detail, mark the first serious legislative attempt to address the distinctive features of foundation models. And it has catalysed a broader international conversation about AI governance, helping to shift the debate from voluntary principles towards enforceable rules.
But critics have identified a structural tension at the heart of the uncertainty problem. A tiered classification system presupposes that the risks are already well enough understood to categorise. For a technology whose capabilities are evolving rapidly, whose emergent behaviours surprise even its creators and whose social effects compound and interact in ways that are difficult to model, that presupposition is strained.Footnote 36 The Act asks providers to determine, in advance, whether their system falls within a list of high-risk uses; it asks regulators to determine whether categories drawn up before the next wave of capability gains will still be adequate after that wave has arrived. Both determinations must be made in conditions where the relevant outcome space is, by hypothesis, in flux.
Systemic risk management, common to both the AI Act and the DSA, is a sui generis regulatory approach distinct from earlier risk-based models in EU law. Both bring uncertainties, including disagreement about what counts as a systemic risk, who has authority to define it and what kinds of mitigation can plausibly be required. The elegance of the tiered architecture is partly a function of its abstraction from the actual content of the harms it is trying to govern.
Civil society organisations have argued that the underlying frame is itself the problem. Some have argued that a rights-based framing would be more durable than a risk-based one.Footnote 37 Rights – to dignity, privacy, non-discrimination, due process – are relatively stable normative commitments even when consequences are hard to predict. A system that violates them is objectionable regardless of whether we can calculate the probability and magnitude of harm with precision. The risk-based approach, by contrast, tends to generate a demand for evidence of harm that novel technologies, by definition, have not yet produced. The result is a structural asymmetry in which the burden of proof falls on those who would constrain a system before it has had time to cause measurable damage.
The question of whether the Act is a proper risk-based instrument is also open. Ebers argues that although the EU AI Act presents itself as a proportionate, risk-based framework for regulating artificial intelligence, many of its core provisions depart from a genuinely risk-based approach, leading to overregulation, legal uncertainty and inconsistent treatment of AI systems.Footnote 38 True risk-based regulation should balance risks against social and economic benefits, rely on empirical evidence, remain technologically neutral and impose obligations proportionate to actual harms. The AI Act often relies on politically constructed and rigid risk categories, lacks meaningful risk-benefit analysis, applies broad definitions that capture even low-risk deterministic software and creates overlapping compliance burdens with existing EU laws. The Act’s attempt to address fundamental rights through risk management logic is also flawed as rights violations cannot easily be quantified or traded off. Despite these shortcomings, the AI Act contains sufficient flexibility – through delegated acts, Commission guidelines, harmonised standards and codes of practice – to enable a more genuinely risk-based implementation in the future.
This asymmetry has consequences beyond the deployment of any particular AI system. It shapes the political economy of regulation: industry has the resources and the data to argue that any specific risk has not yet been demonstrated. Civil society organisations and affected communities are typically arguing about a counterfactual future, and they argue it without the resources of those whose products would be constrained. A rights-based architecture relocates the conversation. It does not require the user of an AI-driven hiring system to prove statistically that discrimination will occur; it requires the operator of the system to demonstrate that fundamental rights will be respected. The change in burden is not cosmetic but alters who must do the explaining.
Paul has raised a different but complementary concern.Footnote 39 She questions whether the risk-based framework embedded in the AI Act can be operationalised. Systemic risks – diffuse, interconnected, potentially catastrophic – are particularly resistant to the kind of discrete, quantifiable analysis that risk-based frameworks assume. A platform that subtly erodes epistemic diversity across a continent, or an AI system that concentrates economic power in ways that take a decade to become visible, does not fit easily into a risk register. It is not that such harms are unlikely; it is that they are the wrong shape for the tools being used to assess them.
Different European public administrations have developed quite different practices of risk analysis, even when nominally working within the same overarching framework.Footnote 40 The variability across jurisdictions is a clue that “risk-based regulation” is not one thing. It is a family of practices that share a vocabulary while embedding very different epistemic assumptions about what can be measured, by whom and to what end.Footnote 41 A Member State whose administrative culture is comfortable with quantitative modelling will operationalise the AI Act differently from one whose tradition leans towards qualitative judgment, and the resulting inconsistencies will themselves become a site of contestation.
A complementary set of concerns has been documented in the empirical fieldwork by Hacker, Kilian and Costas in their evidence-based white paper on the simplification debate around European AI regulation.Footnote 42 Their interviews with companies operating across multiple EU regimes show that the AI Act is not, in itself, the principal source of difficulty. The deeper problem is regulatory fragmentation: the Act’s intersection with the Medical Device Regulation,Footnote 43 the Machinery Regulation,Footnote 44 financial services legislation and earlier instruments such as the GDPR creates compliance landscapes that are hard to navigate even for mature firms and unworkable for many small and medium enterprises. The risk-based architecture, in other words, does not stand alone; it sits at the intersection of multiple risk-based architectures, each with its own definitions, thresholds and procedural mechanics.
The deeper point is that classification systems are not neutral. The choice to make “risk to fundamental rights” a category alongside “risk to safety” encodes substantive judgments about which harms are commensurable, which are foreseeable and which can be left to ex post enforcement. The Act’s framework does not avoid these judgments; it embeds them in technical-looking machinery that is harder to contest precisely because it appears to be merely procedural.Footnote 45
There is also a temporal problem the Act struggles to solve. Risk classifications are by their nature retrospective, even when expressed in forward-looking language. They are built from prior incidents, prior harms and prior expectations about what kinds of effects technologies of this type produce. AI capabilities have, repeatedly, surprised both their creators and their critics. A regulatory framework whose categories are stable for any meaningful period of time runs the risk of being overtaken by the very phenomena it is supposed to govern. Adaptive mechanisms – review clauses, delegated acts, harmonised standards that can be updated – are partial responses to this problem, but they import their own difficulties, including the risk that the substantive rule-making migrates from public to technocratic settings.
IV. The DSA, GDPR and the diffusion of risk-based logic
The difficulty is not unique to AI regulation. The EU’s DSA addresses systemic risks posed by very large online platforms – disinformation, manipulation of public discourse, harm to minors, threats to fundamental rights – using a framework that requires platforms to conduct their own risk assessments and implement proportionate mitigation measures.Footnote 46 The architecture is recognisably the same family as the AI Act: define categories of risk, require regulated entities to map themselves against those categories and supervise the resulting self-description.
The approach is sensible in principle, but it faces a version of the same problem. What counts as a systemic risk, and how should it be measured? Critics have pointed out that the European Commission’s approach to systemic risk under the DSA raises questions about scope, definitional precision and implications for freedom of expression.Footnote 47 Where the boundary lies between mitigating “negative effects on civic discourse” and policing political speech is not a question that risk-assessment methodology can settle on its own. It is a normative question that the regulatory framework either resolves explicitly, in legislation, or pushes downward into the operational practices of platforms and the soft-law guidance of regulators.
Platforms may conduct risk assessments that are thorough in form but narrow in substance – identifying the risks they already know how to mitigate, while structural risks that challenge their business model are quietly excluded from scope. Platform business models concentrate market power in ways that risk assessment, conducted by the platforms themselves, can neither fully diagnose nor convincingly correct.Footnote 48 A risk assessment that the regulator never independently audits is, in effect, an exercise in self-presentation rather than self-constraint. The DSA’s answer to this problem is partly the involvement of independent auditors and vetted researchers, but the underlying epistemic challenge remains: how does an external auditor or a judge verify a platform’s assessment of risks whose causal mechanisms are themselves contested in the academic literature?
The GDPR’s risk-based approachFootnote 49 has attracted similar scrutiny. GDPR shifted from a prescriptive model towards a more flexible risk-based one: assess the risks to data subjects and implement measures proportionate to those risks.Footnote 50 The shift gives controllers welcome flexibility. It also moves the burden of defining what counts as a risk – and how serious – towards private actors who have structural incentives to assess risks conservatively. The data protection impact assessment, which sits at the centre of this architecture, is supposed to be a forward-looking analytical exercise; in practice, as Gellert and others observe, it can become a documentary ritual, performed at the level of compliance teams rather than at the level of strategic product design.Footnote 51
The risk vocabulary also subtly reshapes what data protection means. The original framing of European data protection law was rights-based: the data subject has a set of legally protected interests – to know what is being done with their data, to correct errors, to object to certain uses, to be free of certain decisional consequences – that constrain processing irrespective of whether “harm” in the actuarial sense can be demonstrated. A pure risk-based reading translates these interests into expected harms and then asks whether mitigation measures bring expected harms beneath some threshold. The translation is plausible at the margins; it begins to look strained when the rights at stake do not reduce easily to harm probabilities. A right not to be subject to certain forms of automated decision-making, for instance, is not exhausted by an empirical claim about how often such decisions go wrong.
A further critiqueFootnote 52 suggests that the risk-based approach in data regulation has come under particular pressure as geopolitical fragmentation intersects with regulatory uncertainty. When the political stability that risk frameworks presuppose erodes, the technical machinery of risk assessment becomes harder to defend on its own terms. Cross-border data transfers, once governed by a relatively stable architecture of adequacy decisions and standard contractual clauses, now sit within a landscape of strategic competition, surveillance disputes and contested judgments about which jurisdictions can be trusted with information about whom. Risk assessments in such an environment must implicitly take a view on geopolitics that they are ill-equipped to articulate.
This pressure is not merely external. As Zenner and others document, the EU’s digital rulebook has expanded so quickly – by their count, more than a hundred tech regulations in force or in procedure, and over two hundred and seventy digital regulators across Member States – that the regulatory state is now confronting concerns about its own coherence.Footnote 53 The “techlash” that produced this expansion is now meeting a counter-wave of complaints about complexity, compliance burdens and the erosion of innovation, especially from firms operating across multiple instruments simultaneously.Footnote 54 The “European Way” Blueprint, by contrast, urges the EU not to retreat under this pressure but to use the moment to articulate a more coherent digital sovereignty agenda – one that ties regulatory ambition to industrial strategy rather than treating them as competing priorities.Footnote 55
Bradford’s work pushes against a particular framing of this debate. The argument that regulation and innovation stand in a zero-sum relationship is, in her account, more rhetorical than empirical: the actual sources of European underperformance in tech lie in capital markets, immigration policy and university–industry linkages, not in the stringency of digital rules.Footnote 56 The implication for the present argument is important. The case against indiscriminate risk-based regulation is not the case for deregulation. It is the case for more precisely calibrated regulation, including non-risk-based instruments where appropriate, in a setting where the trade-offs are not as starkly framed as the loudest voices suggest.
What unites these examples is a common structure: a regulatory framework that delegates the operational definition of risk to the very actors whose conduct it is trying to constrain, while preserving for itself the appearance of objective oversight. This works tolerably well in stable, well-understood domains, where the regulator can in principle audit the substance of any given assessment because it has independent knowledge of the underlying hazard. It works much less well at the frontier of what is knowable, where neither regulator nor regulated entity has a clear view of the relevant outcome space, and where the act of producing a risk assessment can itself be a political move – a way of foreclosing more contentious questions about the legitimacy of certain practices in the first place.
There is a further, subtler effect. The diffusion of risk-based logic across data protection, platform regulation and AI governance creates an institutional consonance that reinforces itself. Officials trained in one framework move into the design of another; consultancies build practices around the common methodology, standard-setters develop reference texts that travel across domains. The resulting regulatory style has its strengths – it makes technical assistance easier to scale, allows experts to migrate between sectors and keeps the cost of compliance for multinational firms broadly predictable – but it also entrenches the assumption that the appropriate answer to a hard governance question is, in the first instance, a risk-management exercise. Other framings come to feel exotic, even slightly amateurish, simply because the risk-management framing has become the default professional dialect.Footnote 57
V. Deep uncertainty: different territory, different tools
The literature on decision-making under deep uncertainty (DMDU) offers a different vocabulary for thinking about these problems – one that starts from the explicit acknowledgment that formal probabilistic risk analysis may not be available. Deep uncertainty is defined as the condition under which the parties to a decision cannot agree on the probability distributions governing the relevant outcomes, or when those distributions cannot be meaningfully specified at all.Footnote 58 The label itself encodes an important admission: not every decision problem is a problem of risk; some are, in their very structure, problems of a different kind.
DMDU methods – robust decision-making, adaptive pathways, dynamic adaptive policy pathways – are designed for precisely this condition. Rather than asking what is the optimal policy given our best probability estimates, they ask: what policy choices perform acceptably across a wide range of possible futures, including futures we have not anticipated? The goal is not optimisation but robustness. A robust policy is one that does not collapse when the world fails to behave as expected; an adaptive policy is one whose structure anticipates revision and incorporates it into the design from the outset, rather than treating revision as a sign that the original plan failed.
Similar themes from the angle of project management and large-scale capital decisions have also been analysed.Footnote 59 When the future is genuinely unknown, the right question is not what will happen but what should we do that will still make sense if we are wrong. Raydugin’s emphasis on decision quality under structural uncertainty has clear analogues in regulation. A regulatory rule that performs well only if the technological trajectory unfolds in one specific way is, in effect, a bet on that trajectory. A rule that performs reasonably across multiple plausible trajectories – even at the cost of being suboptimal in any particular one – may be a better choice when the trajectory itself is in dispute.
This reframing has direct implications for regulatory design. Regulators have already attempted to incorporate degrees of uncertainty into regulatory design. Precautionary principle, which enables policymakers to enact preventive measures when scientific evidence is inconclusive, is often dismissed as scientifically unsophisticated.Footnote 60 It represents a rough institutional response to deep uncertainty: when the possible harms are severe and irreversible, and when the uncertainty is genuine, the burden of proof is shifted towards demonstrating safety rather than demonstrating harm. The precautionary principle is not anti-scientific; it is a recognition that science cannot always deliver the probabilities that risk-based frameworks demand.Footnote 61 To require a probability estimate before acting is to make action impossible whenever the relevant probability cannot be computed; to act as if such a probability could always be computed is to mistake the form of risk analysis for the substance of warranted belief.
Adaptive regulation – with mandatory review mechanisms, sunset clauses, built-in revision cycles – reflects a similar epistemic humility.Footnote 62 It acknowledges that current knowledge is incomplete and designs governance accordingly, building in the capacity to learn and adjust rather than locking in frameworks calibrated to a world that may no longer exist by the time they take full effect. Adaptive design has its own pathologies: review clauses that are perpetually deferred, sunset provisions that are renewed without serious re-examination, revision cycles that become rituals of confirmation rather than occasions of genuine reassessment. But the principle remains sound: a regulatory framework that cannot revise itself is one whose accuracy is hostage to the world remaining as it was when the framework was drafted.
The DMDU literature also offers something subtler than methodology. It offers a posture – a way of holding regulatory ambition together with epistemic modesty. The posture insists that admitting uncertainty is not the same as surrendering to it; that one can act decisively while remaining open to the possibility that the action is, in some respects, mistaken; that the appropriate response to deep uncertainty is not paralysis but design. Robust strategies, scenario analyses, exploratory modelling and stress testing under adversarial assumptions are all attempts to embody this posture in concrete techniques. Each of them gives up on the comforting fiction that the future can be reduced to a single best-estimate probability distribution and tries to govern despite that loss.
Importantly, none of this requires abandoning quantification. Robust decision-making, for instance, makes heavy use of computational simulation. Adaptive pathways are typically expressed in formal terms. The point is not to retreat from technical sophistication, but to deploy it differently. Where risk-based frameworks marshal numbers in the service of point estimates, DMDU methods marshal them in the service of a wider spectrum of what might be possible. The shift is from a single privileged future, to be optimised against, towards a landscape of futures, to be navigated.
Translating these methods into regulatory practice is non-trivial. Bureaucracies are not project teams, legislators are not modellers and the political economy of rule-making rewards apparent decisiveness and punishes doubt. Yet the alternative – pretending that risk-based analysis can deliver crisp answers in domains where it cannot – has its own political costs, paid in the form of frameworks that lose credibility as their predictions fail. A regulatory state that learns to deploy DMDU methods, even partially, would be one whose confidence in its own outputs would be more carefully tied to the actual epistemic conditions of the problem at hand.
VI. The political question: who names the risk?
There is a final dimension to the uncertainty problem that is political rather than epistemological: the question of who gets to define what counts as a risk worth regulating in the first place. Risk assessment is never neutral. The choice of which variables to measure, which harms to count, which populations to survey and which time horizons to use all encode normative commitments.Footnote 63 Two analysts using the same formal apparatus can reach very different conclusions depending on what they decide, before any analysis begins.
When the GDPR places the risk assessment obligation on data controllers, or when the AI Act requires AI providers to demonstrate that their systems are not high-risk, the framework is not simply measuring a pre-existing fact; it is constructing a particular account of the risk landscape, one that has institutional and political stakes. The actor who fills out the assessment also helps to determine what the assessment means. The methodology may be standardised but the application of the methodology is a chain of judgments by the same actors whose conduct the assessment is supposed to constrain.
We have seen how expert risk assessments systematically undercount the concerns of affected communities, treat certain kinds of uncertainty as ignorable noise and present contested value judgments as technical conclusions. The response should be a refusal to grant unconditional authority to procedures whose normative content has not been subjected to democratic scrutiny.Footnote 64
Black and Baldwin reach a complementary observation: risk-based regulation can produce a tendency for regulators to “aim low” – to focus on the risks that are easiest to define and measure, rather than those that may matter most.Footnote 65 The bureaucratic incentives are powerful, the methodological grooves deep. The result is that the most consequential harms – those that operate at scale, over time, through complex social mechanisms – are precisely the ones at greatest risk of being filtered out by the very procedures designed to address them.
Scholarship on the politics of AI regulation in the EU documents how “economic competition, institutional structure, and the policy preferences of domestic actors” shaped the EU AI Act at every stage.Footnote 66 The technical-looking risk framework was the outcome of a deeply political process, in which industrial interests, civil society pressure and inter-institutional bargaining all left their mark. None of this is necessarily illegitimate. Politics is how democratic societies make collective decisions about contested matters, and there is no obvious alternative. But it does undermine the picture of risk-based regulation as a neutral, technocratic exercise standing above politics. The framework that emerges is a political settlement; the methodology used to administer it inherits the contestability of the settlement that produced it.
The political stakes are particularly high for AI and digital regulation, because the most uncertain and potentially significant risks are often the ones most difficult for existing frameworks to accommodate: risks to democratic deliberation, to cognitive autonomy, to the distribution of economic and political power. These are not easily expressed as probabilities over individual harm events. They are diffuse, relational and long-term. They are also, not coincidentally, the risks that powerful actors have the strongest incentive to keep off the regulatory agenda. A framework that demands clean operationalisation as the price of regulatory attention is a framework that tilts, structurally, in favour of those whose harms are amorphous and against those whose harms are sharp.
There is an institutional consequence here as well. If risk assessment methodology is itself a site of political contestation, then the locations where assessment methodology is decided – standard-setting bodies, technical agencies, consultancy networks – become more politically consequential than the procedural rhetoric around them often suggests. Decisions taken in these venues, often invisibly, can determine the practical meaning of a piece of primary legislation more decisively than the legislative debate that nominally settled it. A serious account of the politics of risk-based regulation must therefore attend not only to who voted for the rules but to who writes the standards, drafts the templates and trains the auditors.
This is one reason why “rights-based” supplements to risk-based architectures are not simply alternative methodologies. They are also alternative distributions of political power. To embed protected rights into a regulatory framework – and to give individuals or civil society organisations standing to invoke them – is to make it harder for risk-managerial discretion to silently absorb questions that ought to be visible as political choices. It does not eliminate disagreement; it changes the venue and the language in which disagreement is conducted, in ways that can be more amenable to democratic accountability than the technocratic interior of an impact assessment.
VII. Governing what we cannot fully see
None of this means that risk-based regulation is worthless, or that uncertainty renders governance impossible. It means, rather, that risk-based frameworks need to be applied with a clearer understanding of their own preconditions – and supplemented with different tools when those preconditions are not met.
Where risks are reasonably well understood and stable, calibrated risk assessment is exactly the right approach. The regulatory state’s experience in pharmaceuticals, food safety and environmental protection demonstrates that risk-based methods can deliver genuine improvements in public welfare when the underlying domain is amenable to such analysis. There is no reason to abandon what works. The mature regulation of vehicle safety or pesticide residues offers an existence proof that probabilistic risk methodology can govern complex socio-technical systems without collapsing into either paralysis or cosmetic compliance. The policy goal is not to dismantle that achievement but to recognise that it is an achievement of a particular epistemic situation, not a universal template.
Where uncertainty is deep, however – where outcomes are genuinely novel, where second- and third-order effects are unpredictable, where the stakes of being wrong are high and potentially irreversible – governance needs to be more humble, more adaptive and more attentive to the normative assumptions embedded in its own analytical frameworks. This may mean rights-based supplements to risk-based architectures. It may mean the explicit incorporation of DMDU methods into regulatory practice – not as exotic optional extras, but as integral components of how rules are designed for technologies whose trajectories are uncertain. It may mean broader procedural openings for affected communities, for dissenting experts, for those whose concerns do not fit easily into the existing risk register to contest the framing of risk itself.
A more candid regulatory grammar would accept that some questions cannot be settled at the level of methodology and would build institutions in which they can be argued out as the political questions they actually are. That is the recognition that the legitimacy of regulation depends not only on the quality of its technical reasoning but also on the openness of its procedures to the people most affected by its outcomes. A framework that pre-empts this openness in the name of objectivity may achieve internal coherence at the cost of public trust, and the cost is paid most heavily when the framework fails – when its predictions diverge sharply from observed reality and the public is asked to accept that the methodology, rather than the world, was correct.
The current European debate about “simplification” illustrates both the temptation and the danger of treating the answer to imperfect risk-based regulation as simply less of it. The empirical evidence suggests that what firms experience as burden is not, primarily, the AI Act’s tiered architecture; it is the friction between overlapping risk-based regimes built without enough attention to one another.Footnote 67 The remedy for that friction is not a wholesale retreat from regulation, as some industry voices urge, nor is it a blind continuation of the current accumulation, as defenders of every individual instrument tend to imply. It is a more careful articulation of what each regime is for, what kind of knowledge it presupposes and how its outputs combine – or fail to combine – with those of the others.
Bradford’s reminder that the regulation-versus-innovation framing is, in many respects, a false choice has its place here as well. A regulatory state that becomes more honest about the limits of its risk-based instruments is not, on that account, a more permissive regulatory state. It is one with a more credible claim to the public legitimacy on which all regulatory authority ultimately depends. A more candid grammar can support, rather than undermine, the kind of innovation that European policy explicitly wants to foster, by replacing performative compliance with substantive engagement on the harms that actually matter.
The most urgent question is not the regulation of risk. It is the regulation of uncertainty: the governance of what we cannot yet calculate, anticipate, or fully name. That is not a problem that can be solved by better risk models alone. It requires a different kind of institutional imagination and a willingness to acknowledge, in the design of our regulatory frameworks, the limits of what we currently know.
Whether contemporary regulators are capable of that acknowledgment is, in some respects, a test of the regulatory state itself. The pressures that produce risk-based frameworks are not going away – bureaucracies still need to allocate scarce attention, still need to defend their choices in the language of demonstrable effect, still need to communicate with industries and publics in vocabularies that travel across borders. But the technologies they are now being asked to govern are increasingly of a kind for which the comforting closure of the risk register is no longer available. The next generation of regulatory design will be measured, in large part, by its honesty about that fact: by whether it builds frameworks that admit what they do not know and govern anyway.
If it succeeds, the result will not be a regulatory state that has solved the problem of uncertainty. There is no such state, and there will not be one. It will be a regulatory state that has matured into a more complicated relationship with its own limits – one that has stopped pretending that the form of analytic confidence is the same thing as warranted belief and has begun, instead, to design institutions adequate to the world as it is. That is not a small ambition. It may, in the end, be the most consequential one available to administrative law in the coming decade.