The gap between AI capability and regulation is widening. According to a TechRadar article by George Tziahanas, the EU AI Act comes into force for UK businesses in a matter of months, but its ability to keep pace with AI development is questionable. Instead, human pragmatism and existing authorities will play a larger role in establishing AI guardrails for businesses than new regulations. Litigation, in particular, will shape how AI tools are used and governed.
The Mythos wake-up call
Anthropic’s Mythos model, a large language model, caused serious concern globally due to its ability to spot zero-day vulnerabilities in IT systems, theoretically exposing the world's cybersecurity infrastructure to significant risk. According to TechRadar, its existence was announced on 7 April, along with Anthropic’s intention to restrict its use to a handful of key tech firms and banks like Apple and Goldman Sachs. By 22 April, Anthropic was investigating reports that unauthorized users had accessed the model. The span between Mythos becoming known and posing a real-world risk was measured in days, not years, making it functionally impossible for lawmakers to adjust legislation in time. This demonstrates why new regulation alone cannot be the primary guardrail.
The role of litigation
Checks and balances on the AI industry will need to come from elsewhere. TechRadar argues that businesses will need to turn to common sense and survival instincts. Pragmatism, driven by the threat of litigation and fines under new liability frameworks, is more likely to curb harmful AI deployment earlier than formal regulation can. Successful lawsuits over unethical AI creation or use will push the industry to act pre-emptively, constrained by the precedents that litigation sets.
The AI startup Mercor, valued at $10bn, is already facing seven class-action lawsuits following a data breach that raised concerns about the provenance of its training data and the opacity of its practices. According to the lawsuits, Mercor monitored contractors’ computers and shared the resulting data with clients, used recorded candidate interviews to train AI models, and trained client models on materials potentially owned by other companies. These lawsuits are based on existing statutes, including privacy, cybersecurity, and record-keeping causes of action. This shows that older laws can cover new AI harms.
Implications for enterprise leaders
For CTOs and chief digital officers deploying AI in logistics and supply chain, the message is clear: wait for comprehensive AI legislation at your peril. Instead, build AI systems with defensibility in mind—document data provenance, ensure transparency in training data, and respect intellectual property. The risk of class-action litigation under existing laws is real and growing. Enterprise technology leaders should work with legal teams to assess exposure under laws like privacy regulations and cybersecurity frameworks.
The article also notes risks in the software supply chain, such as the LiteLLM hack at the center of the Mercor breach. While the entire security infrastructure of the internet hasn’t collapsed, security and compliance teams are losing sleep. Enterprises must secure their AI supply chains as much as their own models.

| Guardrail mechanism | Speed of adaptation | Key example |
|---|---|---|
| New regulation (e.g., EU AI Act) | Slow (months to years) | Mythos zero-day risk emerged in days |
| Litigation under existing laws | Faster (case precedent) | Mercor class actions based on privacy/cyber laws |

In summary, the combination of human pragmatism, common sense, and the threat of litigation will drive AI accountability far quicker than statute books. Enterprises that prioritize defensibility today will be better positioned to weather the coming wave of AI-related lawsuits.