What Markets Can and Can’t Do for AI Governance
Dr. Gillian K. Hadfield and Andrew Freedman on how government and industry can work together for robust and safe AI development
AI changes rapidly, and government institutions are slow to adapt. The people who understand the technology best are, overwhelmingly, the ones building and selling it. Under these conditions, markets have a genuine and important role to play in governance.
It’s a reasonable instinct given how quickly AI technology is evolving, but one should question whether that role is sufficient on its own. The history of frontier technologies, from railroads to financial markets to the internet, consistently tells us that private governance can do things the government cannot, but it cannot do the things that only the government can. The question for AI is how to design a partnership that draws on the strengths of the government and private sector, providing safety without hindering development.
Identifying the technical and democratic gaps
Debates about AI governance often treat technical and democratic deficits as irreconcilable—as if we must choose between technical sophistication and democratic accountability. Pulling them apart shows why that assumption is wrong.
The government’s limited access to the deeply embedded, often proprietary technical knowledge that AI companies hold makes it challenging to translate broad public demands–like making AI safe–into workable technical requirements. This technical deficit prevents regulators from keeping pace with AI development cycles moving in weeks and months instead of years.
On the other hand, the companies building AI systems are making daily consequential decisions about how the technology affects society, what it optimizes for, whose data it trains on, and what risks it accepts. These are fundamentally questions about values. When regulation is left to industry alone, private companies are the ones choosing values for the rest of us. This is the democratic deficit the government addresses.
Private markets are essential to addressing the technical gap. Access to embedded technical knowledge, the agility to innovate, and incentives to develop rigorous oversight methods make private-sector participation indispensable. And yet, only the government can address the democratic gap. There is a need for public input, democratic legitimacy, and accountability to more than shareholders. To effectively govern AI, we need to close both technical and democratic gaps simultaneously.
Private governance falls short on its own
The concept of self-regulating industries can be traced back to early contract-establishing merchant guilds. Research on emerging industries shows that self-regulation can strike a practical balance between regulatory certainty and flexibility, fill jurisdictional gaps in global industries, and coordinate standards across networked supply chains. The structural gap between how fast technologies develop and how slowly regulatory institutions adapt is what scholars call the pacing problem—and AI is accelerating it faster than any predecessor.
The AI industry isn’t the first to find itself outpacing government oversight, and the historical record is instructive. History shows us that this simply works. Railroads organized through the General Time Convention to solve genuine coordination problems and to standardize time zones, track gauges, and signaling. Private governance effectively overcame these technical challenges. After the stock market crash of 1929, or Black Monday, financial markets created a hybrid system. Congress established the Securities Exchange Commission (SEC) while recognizing exchanges as self-regulatory organizations subject to government oversight. Today the private non-profit membership organization Financial Industry Regulatory Authority (FINRA) regulates thousands of brokerage firms under SEC supervision. Similarly to railroads, Internet governance through the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF) succeeded in coordinating technical requirements for a revolutionary technology with no state boundaries.
But the pattern across these frontier technologies is revealing. Private governance handled technical coordination well in each case, and in each case it required something more. FINRA operates under SEC supervision. ICANN manages internet naming under delegation from the U.S. government. The multi-stakeholder governance of internet infrastructure succeeded at technical coordination but could not address content harms, misinformation, or societal concerns beyond its original technical scope. Where private governance stood alone, it reached its limits quickly.
Those limits are structural, not incidental. When AI companies govern themselves, the regulated party and the regulator are the same—a fundamental conflict of interest with no democratic input into standards, no real enforcement beyond reputational consequences, and no time for private organizations to develop organic public legitimacy. Voluntary self-regulation also creates a preemption problem: industry self-regulation can dampen political support for binding government regulation, creating the appearance of accountability without its substance. Private insurance markets illustrate the dependency directly. Insurers cannot price AI-related risk without clear liability standards, and those standards require government action. The market needs a public framework first.
What only government can do
A few functions fall outside what markets can do alone, and those functions are what create the bedrock of public safeguards.
The regulatory imperatives for AI are, for the most part, not technocratic. They are deeply value-laden choices—how to trade off the gains of innovation against risks to stability, welfare, and the shape of our social and economic lives. These are trade-offs that modern societies make through schemes of law and politics that are ultimately accountable to citizens. A private body that sets a standard speaks for its members, but a government that helps set a standard speaks for a public decision about the kind of AI a society is willing to live with. That legitimacy cannot be borrowed, purchased, or self-declared.
Only the government can set mandatory baselines that apply universally. The underlying logic is that of performance-based regulation. The government specifies the outcome to be achieved—like emissions levels, accident rates, and risk thresholds—and leaves the methods to others. Voluntary standards bind those who opt in, and give the responsible developer protection against being undercut by a less careful competitor.
A legal framework that says who is responsible when an AI system causes harm is what gives any oversight regime its teeth. Much of that framework already exists: tort law imposes a duty of reasonable care, and plaintiffs are already bringing claims against AI developers over chatbot-facilitated self-harm. But liability rules, like all law, are an exercise of public authority. Without them, insurers cannot price AI risk, procurement rules cannot condition purchases on compliance, and private oversight has no consequence attached to its findings.
Finally, only the government can license and de-license the organizations doing the overseeing. Licensing is the mechanism by which the delegation of regulatory oversight to private actors is made legitimate. The power to grant and the power to withdraw are what distinguish accredited oversight from industry self-regulation.
These functions are why public authority is irreducible. Every durable precedent discussed above follows the same pattern. FINRA operates under SEC supervision. NFPA codes carry force because state fire marshals adopt them into law. ICANN manages internet naming under delegation from the U.S. government. Technical expertise is supplied by the private sector. Legitimacy, baselines, liability, and licensing come from the state. The partnership works because each side does what the other cannot.
Independent Verification Organizations offer an effective partnership
Independent Verification Organizations (IVOs) are one institutional design that embeds this logic for AI. The government defines the outcomes on bio-risk, disinformation, child safety, self-harm, autonomous replication, or whatever else the public decides matters. Multiple IVOs per claim compete for licenses to verify those outcomes, demonstrating through their plans that their methods are independent, credible, and adequate to the risks they propose to verify. AI developers submit to IVO verification; the IVOs, not the developers themselves, design and run the tests. And the government retains the power to revoke an IVO’s license if its plan proves misleading, its independence is compromised, or technological change has rendered its methods obsolete.
What makes the model work in the near term is that most of the legal infrastructure for demand already exists. An AI developer facing a tort claim is in a much stronger position if it can show that it submitted to verification by a licensed IVO. Under legislation recently introduced in Ohio, that submission earns a rebuttable presumption that the developer exercised reasonable care. Insurers can offer lower premiums to verified developers. Enterprise and government procurement rules can condition purchases on verification. And because the model is built around licensed verifiers, governments can condition market access on verification by an IVO licensed anywhere in a trusted network—a pathway to regulatory coverage even for users in jurisdictions that lack the capacity to regulate directly. All of this embeds the government’s functions instead of replacing them.
U.S. public opinion reflects this. In a recent Quinnipiac survey of over 1,500 U.S. adults, nearly 70% said the government is not doing enough to regulate AI. The public is not asking for markets to be replaced. It is asking for the piece that markets cannot supply.
Frontier technologies demand cooperative governance
Every frontier technology has eventually demanded governance that neither markets nor government could provide alone. AI is no different. However, the stakes are higher and the timeline is much shorter. We need to design institutions that are fast enough to keep up, technically proficient to be effective, and democratic enough to be legitimate. The regulatory markets approach offers a path, but the longer we wait to build it, the more difficult it becomes.
Dr. Gillian K. Hadfield is the Bloomberg Distinguished Professor of AI Alignment and Governance at the School of Government and Policy and the Whiting School of Engineering at Johns Hopkins University. She is a faculty member of the Vector Institute for Artificial Intelligence and is a Schmidt Sciences AI2050 Senior Fellow. Hadfield’s research focuses on innovative design for legal, regulatory, and technical systems for AI, computational models of human normative systems, and building AI systems that understand and respond to human values and norms.
Andrew Freedman is Co-Founder and CEO of Fathom, and has over 15 years of expertise in emerging industries and regulatory frameworks.
When you say, 'the longer we wait to build it..' what do you mean?
In 2024, a fake AI-generated robocall imitating President Biden told New Hampshire voters not to vote in the Democratic primary; the FCC later issued a $6 million fine. So here is the question: if an AI deepfake can suppress votes at scale for the price of a cheap campaign stunt, should political deepfakes be banned outright, or should democracy simply adapt to a world where no voice, video, or image can be trusted?