Red tape or responsible tech? Regulation’s growing influence on govtech suppliers
As artificial intelligence and digital regulations tighten across the UK and Europe, government technology suppliers are redesigning products and absorbing rising compliance costs, raising questions about regulatory impact
By Dave Howell
Published: 08 Jun 2026 13:33
Regulation is no longer a distant policy debate for government technology (govtech) suppliers. It now shapes product design and the pace of deployment. From the UK Data Protection Act (DPA) 2018 to the European Union (EU) Artificial Intelligence (AI) Act and cyber security frameworks such as NIS2, compliance has moved from the margins to the centre of commercial strategy.
For some, this marks long-overdue maturity in a market handling sensitive citizen data and critical infrastructure. For others, it risks narrowing the field to suppliers with the deepest pockets and the largest legal teams. The result is a market in flux, as suppliers adapt to rules that are still evolving.
Compliance and competition
Vince Dooher, principal architect at Axiologik, argues that while standards such as the Algorithmic Transparency Recording Standard (ATRS) are essential for trust, the administrative burden can favour larger suppliers.
“There is a growing compliance moat,” he said. “While ATRS is vital for trust, the administrative overhead of completing them alongside the rigorous AI TRiSM telemetry now required, favours large vendors with massive legal and responsible AI departments.”
Smaller suppliers, he explains, often build more transparent “glass box” systems, but struggle to endure year-long assurance cycles to demonstrate alignment with the DPA and related refinements. The typical annual compliance cost attached to regulations such as the DPA and the AI Act can price innovative startups out of the public sector market before they achieve formal assurance.
Chris Elsins, group vice-president of public sector at Domino Data Lab, tells Computer Weekly that current AI and digital rules “are unintentionally privileging firms that can afford regulatory overhead”.
In practice, he says, the ability to finance audits, documentation and prolonged reviews is increasingly treated as evidence of reliability, even though “the size of a company’s legal or risk team is not the same as the quality, safety, or effectiveness of its technology”.
The cumulative effect, Dooher suggests, is consolidation. Technology behemoths provide foundational frameworks, while smaller providers are pushed towards building “on the edges”. Power shifts towards those able to absorb compliance costs across broad portfolios.
Innovation caught in a regulatory paradox
Governments frequently ask for cutting-edge AI and automation to improve public services. At the same time, procurement and compliance frameworks often reflect a zero-failure mindset.
Dooher describes a paradox: AI systems are probabilistic, but compliance models remain binary – a system is either compliant or not. Legislation such as the EU AI Act can demand “100% ‘ex-ante’ certainty before a project even begins”.
When pilot projects face the same rigidity as national roll-outs, he argues, experimentation suffers. The result is a shift from “cutting edge” to “cutting safe”, where innovation becomes confined to low-risk tasks rather than core transformation.
Elsins makes a similar point. Promising AI capabilities, he says, have been slowed, “not because they were demonstrably unsafe, but because full regulatory frameworks were applied before meaningful pilot data existed”. Guardrails are sometimes written around hypothetical harms rather than observed ones, which can stall responsible experimentation.
Tom Peirson-Webber, who leads engineering at Harbr Data, explains that projects are often not abandoned outright, but “derisked to the point of becoming pointless”. Inconsistent interpretation of the General Data Protection Regulation (GDPR) across departments has blocked efforts to make datasets AI-ready. By the time legal and procurement teams have debated whether something qualifies as high-risk AI, he says, “the policy window has closed”.
In this context, innovation may happen before procurement and during competitive demonstrations. Once systems are in production, updates can trigger fresh reviews and recertification. Elsins notes that change-control processes can slow iteration in fast-moving AI fields, unintentionally favouring stability over continuous improvement.
Yet not all agree that regulation inevitably freezes progress. Rich Giblin, head of public sector and defence at SolarWinds, says innovation “shouldn’t stop” once systems meet regulatory scrutiny. Instead, it becomes “a continuous improvement cycle to keep service effective, secure and up to date with the latest threats”.
The challenge, therefore, is not whether to regulate, but how to design oversight that supports iteration rather than locking systems before they can fully deliver on their promise.
Safeguard or stall: The evidence question
A central question remains: are current regulatory frameworks measurably improving citizen outcomes?
Elsins says the evidence base for broad, precautionary AI regulation is still developing. In high-risk areas such as privacy and bias mitigation, guardrails are clearly warranted. However, in many cases, comprehensive frameworks are being implemented before robust longitudinal data shows how they improve service delivery or public trust.
The result can be what he describes as a “precautionary posture” that mitigates theoretical risks while delaying practical benefits such as faster eligibility decisions and reduced administrative burden.
Dooher points to concrete examples where oversight has delivered value. The AI Security Institute has identified model drift in health technology pilots that could have led to misdiagnosis. However, he argues that much legislative energy is spent regulating speculative risks, while citizens still face long waits and high running costs for basic services.
Peirson-Webber acknowledges that regulation has “almost certainly prevented bad outcomes we’ll never see”. GDPR-driven data minimisation has improved privacy, even if implementation remains uneven. The difficulty lies in regulating a rapidly evolving technology with rules that may lag behind innovations.
Douglas Wadkins, chief technology officer at Opengear, emphasises that some risks are demonstrably real. Incidents related to internet of things (IoT) devices in critical infrastructure have surged, with significant breach costs. Frameworks such as NIS2 are responses to genuine threats. The issue, he suggests, is that regulation often focuses on process compliance rather than measurable resilience outcomes.
Giblin adds that regulation should function “as a baseline for safeguards, not a brake on decision-making”. While it is sometimes cited to slow development, the test is whether concerns are specific and evidence-based.
Distinguishing between genuine safeguards and institutional hesitation is not straightforward. Several contributors observe that regulation can become a convenient explanation for avoiding risk or difficult trade-offs. In fast-moving AI programmes, cultural readiness may be as significant as formal compliance.
The future market: Incumbents, startups and architectural answers
If the trajectory of regulation continues, what will the govtech market look like in five years?
Dooher warns of a drift towards a small number of incumbents, where startups survive by becoming feature sets within larger ecosystems. Elsins similarly suggests that fewer bidders and reduced price competition could follow if compliance costs continue to rise.
Peirson-Webber points to procurement dynamics that favour suppliers already approved in multiple departments. Large incumbents can demonstrate compliance on day one. Smaller suppliers may need to invest engineering effort before winning a contract, creating difficult product prioritisation decisions.
However, not all see consolidation as inevitable. Giblin argues that innovation will continue to originate with startups but be scaled and delivered by established players. This dynamic, he says, is likely to accelerate as AI adoption grows.
Wadkins believes architectural approaches can level the playing field. Building security and auditability into infrastructure from the outset, rather than bolting on compliance later, can help smaller suppliers demonstrate adherence without extensive compliance departments. The question for procurement teams, he says, should be how architecture meets resilience requirements, not the size of a supplier’s legal function.
Across these perspectives, a common theme emerges. Regulation is necessary. Few argue for its removal. The debate centres on calibration. Good regulation, according to Peirson-Webber, sets guardrails and enables accountability, whereas bad regulation attempts to eliminate risk entirely.
For govtech suppliers, the practical implication is clear. Compliance can no longer sit with a legal team in isolation. It must inform product roadmaps and go-to-market strategy. For public buyers, the challenge is to design procurement processes that reward demonstrable security and measurable outcomes.
Whether regulation becomes red tape or responsible tech will depend less on the existence of rules and more on how they are interpreted and embedded into practice. In a sector responsible for critical services and sensitive data, that balance is unlikely to be settled any time soon.