AI risks are here. What's the 'shock event' that governments won't be able to ignore?

Risk and complexity are among the many topics top of mind in the artificial intelligence governance world, but 2025 saw some governments move toward a pro-innovative, deregulatory stance. In the last year, the Trump administration aimed to curb federal and state AI regulation and even the EU introduced reforms to its vanguard AI Act.  

AI's "regulatory winter," however, seems to be thawing into what some are calling a "regulatory spring" where governments and policymakers are shifting focus toward more concrete AI risks, particularly in the cybersecurity realm. This, in part, emerged last month in the wake of Anthropic's Claude Mythos model, capable of finding thousands of vulnerabilities across critical systems undergirding the internet. Its potential to identify and possibly exploit these vulnerabilities at scale has gained the attention of governments, regulators and businesses around the world. 

In recent days, U.S. President Donald Trump signed an executive order addressing cybersecurity concerns with frontier AI systems, and last month, Gov. Gavin Newsom, D-Calif., signed an executive order to prepare California workers and organizations for potential AI disruption. And though it amended some aspects of the EU AI Act, Europe will still move forward with its precedent-setting AI regulation. 

This pivot toward a "regulatory spring" was a focus Thursday on the IAPP AI Governance Global Europe 2026 keynote stage here in Dublin, Ireland. 

ZoomInfo Chief Strategist, Privacy and AI Simon MacDougall, AIGP, CIPP/E, CIPM, CIPT, framed the discussion around past "shock events" that moved the regulatory dial — whether it was the sinking of the Titanic or the vast surveillance apparatus revealed 100 years later in the Snowden leaks. 

"One thing to say is that not all regulatory shocks are equal," MacDougall said, "but it is fascinating how it's not always the biggest event that drives new regulation. It's a question of timing, public pressure, media reaction and how shocks combine."

"So, the key question we want to explore with this panel is: which ones might actually move the dial?"

With a panoply of potential shock events, from job losses to the future of work, the panel — which featured insights from Niamh Hodnett, who was recently appointed Ireland's ComReg Commissioner, U.K. AI Security Institute Head of Societal Resilience Andrew Strait and Oxford University Visiting Policy Fellow Gill Whitehead — focused on three: AI-enabled cyber incidents, AI's effect on children and critical infrastructure failures. 

AI-enabled cyber risk

"Cyber risk and cyberattacks are something we've been looking at for some time now," Strait said. "Historically, cyber defense has relied on a couple of core assumptions." For one, he noted, attacks have been costly, take time and require a level of expertise. 

"What we're spotting is a change in those dynamics," he said. 

The change underway involves the capabilities of emerging AI models, which, in some cases requires "very little human input." Though the agency tests these models in simulated environments that may lack some of the real-world defense systems, they are finding that the traditional issues of cost, time and expertise are changing. Two features, he said, are coming together. There is a lot of existing software structure that is vulnerable, and simultaneously, AI systems are getting significantly more advanced at finding combinations of vulnerabilities, patching them together and verifying the attacks work. 

"That creates a very challenging scenario for defense," he said. 

So how do organizations respond? 

"One concern is that for organizations without the resources to divert at scale, this creates a real imbalance of power … and I don't think it takes an extraordinary prediction market to say we may have some serious issues in this space."

And that means "cybersecurity, trust, safety and governance experts in organizations are going to need to work ever more closely together."

Children and AI 

Issues around children's safety and health in the AI age is prompting government response around the world. ComReg's Niamh Hodnett highlighted the potential mental-health shocks to children, whether through deep interactions with chatbots or other means. 

"Another area of focus is AI recommendation systems," she said. "Children are engaging with platforms and recommendation systems designed for addictive engagement."

AI-generated deepfakes and other abusive material is a "dominant concern, particularly where women and children are affected." She also noted it "can normalize abuse-related material."

"The headline concerns are children's mental health, physical health and societal impact. This is not just about regulation. Some countries are also developing national strategies on AI and childhood, including work to raise awareness and focus on these issues."

Oxford's Gill Whitehead pointed to society's "very low tolerance for harm to children," particularly parents. "And yet, the technologies we're talking about inherently carry risk," she said. 

If platforms and other AI systems "are seen as being off the pace in lowering risks to children, then I think more incidents will lead to more regulation. … If those risks are not mitigated to a point where society feels comfortable with these technologies being put in front of children, then there will be strong reaction."

Strait said many of the risks and harms to children can be hard to spot. "Causal relationships are hard to prove. With social media, we needed whistleblower reports and internal studies before there was enough evidence to support action," he said, adding, "there's an even harder problem with user-to-model interactions. It's not social media in the same way. These are often one-to-one conversations."

He said it's critical to understand things like how often children seek self-harm advice or mental health support, how systems respond and how users adapt over time. 

"If we don't understand that, we will be left with horrible cases," he said, and then we will be stuck asking how preventable those cases were.

AI, critical infrastructure and financial systems

Though it's likely the "least emotive" of the three cases cited, AI risks to critical infrastructure — notably banking and financial systems — could lead to a loss of public confidence or trust, not in AI itself, but in institutions and governments around it, according to Oxford's Whitehead. 

Finance is an area where errors can create significant consequences. "You could reach a point where people no longer feel in control of their money, or where confidence in a bank collapses," she said. "At that point, government may need to step in."

Whitehead pointed to past bank runs, perhaps most recently with Silicon Valley Bank, which went under within a 48-hour period. Though it wasn't created by AI in that case or in the financial crisis in 2008, "we saw how trust can fall away very quickly."

The difference now, she said, is that there are massive systems operating with increasing automation, which could lead to an example of AI affecting critical infrastructure. It not only may be a financial problem for those directly involved, it also becomes a problem of public trust. 

She also pointed to public services. How much experimentation are governments and innovators doing to services people rely on? Though it can improve services, it's critical to have backstops, accountability, consent and other risk-based processes so when something goes wrong, someone is responsible. 

"At a time when AI is being deployed, we need to ensure those backstops and safeguards are not lost," she said. 

The U.K. AI Safety Institute's Strait noted that AI "can be wonderful at optimizing for efficiency, but sometimes what it optimizes away is the very thing you needed." Organizations face risks in the form of shadow AI and other hidden dependencies, which can lead to the gradual erosion of governance, oversight and resilience. 

ComReg's Hodnett added that if corporate governance is absent, companies may focus on maximizing efficiency without adequately building in guardrails that could help prevent broader societal harms.