The pervasiveness and the impactfulness of information technology (IT) have been growing steeply for decades. Recent forms of IT are highly obscure in their operation. At the same time, IT-based systems are being permitted greater freedom to draw inferences, make decisions, and even act in the real world, without meaningful supervision. There are prospects of serious harm arising from misconceived, mis-designed or misimplemented projects. Organisations developing and applying IT need to be subject to obligations to take degrees of care, prior to deploying impactful initiatives, that are commensurate with the risks involved. They also need to be subject to accountability mechanisms that act as strong disincentives against reckless behaviour by executives and professionals alike. This article presents a framework whereby practitioners can evaluate the efficacy of regulatory regimes for impactful IT-based systems, design new regimes, and adapt existing ones. The author has matured the framework over several decades, applied early variants of it in multiple contexts, and published articles on many of those projects. The article commences by defining regulation and the kinds of entities and behaviour to which it is applied, and identifying the criteria for an effective regulatory mechanism. This is followed by presentation of models of the layers of regulatory measures from which regimes are constructed, and the players in the processes of regime formation and operation. Observations are also provided concerning the nature of the principles and rules that need to be established in order to provide substance within the regulatory frame. An evaluation form is provided as an Appendix. Also provided as Appendices are pilot applications of the evaluation form in several diverse contexts. A companion article (Clarke 2025b) applies the framework to a technology of current concern.
Published in: Computer law & security review
Volume 60, pp. 106231-106231