For many institutions, the responsible posture toward AI adoption still sounds like restraint: move slowly, study the risks, wait for governance frameworks to mature, and avoid deploying capabilities faster than oversight can absorb them.
"The Deferral Trap: Compounding Risk and AI Adoption Governance" scrutinizes that presumption and argues that this instinct is understandable, but incomplete.
The paper does not dismiss the risks of AI adoption. It starts from the opposite premise: AI systems can be opaque, difficult to govern, and dangerous when deployed in high-stakes contexts without accountability.
The paper challenges a quieter assumption embedded in much of today's AI skepticism: that waiting is safe.
That assumption no longer holds. In a deteriorating cyber threat environment, deferral is not neutral. Every month an institution delays its own governed AI adoption is also a month in which adversarial capability continues to mature, defensive expertise fails to accumulate, and the gap between what attackers can do and what defenders can govern grows wider.
Read Dr. Mussington's "The Deferral Trap" white paper here.
The core question: Is caution still conservative?
Caution has a cost, and that cost compounds.
Traditional AI risk calculations often compare adoption against a stable baseline: The organization can wait, preserve optionality, and adopt later once the rules are clearer.
This baseline is not a safe and stable assumption.
Critical-infrastructure operators are already facing sustained adversarial pressure from state-linked actors, communications systems have already been compromised at scale, operational technology environments are already being targeted for disruption, and frontier AI capabilities are already compressing the time required to find and exploit vulnerabilities.
As such, besides asking "What are the risks of adopting AI?", another question must also be asked: "What are the risks of not adopting governed AI fast enough?"
A genuinely conservative posture is not indefinite restraint. It is accelerated governed adoption: moving quickly enough to keep pace with the threat environment, while building accountability into the architecture from the start.
What the baseline actually looks like
The argument is grounded in a blunt assessment of the current operating environment.
Volt Typhoon demonstrated that PRC-linked actors were not merely stealing information; they were pre-positioning inside U.S. critical infrastructure networks for potential disruptive or destructive action.
Salt Typhoon showed the communications layer itself could be penetrated at extraordinary scale, including systems tied to lawful intercept.
Iranian-linked operations against internet-exposed industrial control systems showed that operational technology disruption is not theoretical.
Anthropic's Claude Mythos Preview marked a new threshold in AI-enabled cyber capability: a model capable of autonomously identifying and exploiting serious vulnerabilities across major software environments.
Together, these describe the environment in which AI governance decisions are now being made. That environment is not stable. It is already compromised, contested, and accelerating.
For defenders, this changes the risk calculation. If adversaries are integrating advanced capabilities more quickly than institutions can build defensive expertise, then delay does not preserve safety.
How deferral compounds risk
There are several ways institutional skepticism can become a risk multiplier.
First, deferral widens the capability gap. Adversaries do not wait for public-sector governance cycles, procurement reviews, or organizational consensus. They adopt useful capabilities on timelines driven by advantage. By delaying, defenders may not be moving backward, but they are falling behind.
Second, deferral delays expertise formation. Governed AI adoption requires people who understand both the technology and the mission environment well enough to evaluate outputs, detect failures, challenge assumptions, and design functional oversight. That expertise is built through use and iteration.
Third, deferral reduces institutional influence over standards. The governance frameworks that will shape AI use in critical infrastructure, cyber defense, and national security are being formed now. Institutions that stay on the sidelines are not avoiding the governance problem; they are allowing others to define it.
The result is a trap: Organizations wait because they want to adopt responsibly, but waiting too long erodes the very capacity required for responsible adoption.
Governed adoption is the alternative
We ought to be careful not to replace one oversimplification with another. The answer to the deferral trap is not reckless deployment, but governed adoption.
AI systems should be integrated into institutional workflows only with accountability structures that make their use auditable, reviewable, and subordinate to human judgment.
Several principles make this possible:
- Human authority by design: Human judgment should be structurally required before consequential outputs are produced or acted upon.
- Provenance at the claim level: Analytical outputs should be traceable back to the source material, reasoning steps, and human judgments that produced them. Without that chain, speed easily becomes liability.
- Data sovereignty as an architectural constraint: Sensitive missions require architectures that do not force institutions to externalize protected materials into environments they cannot control.
- Audit independence: Records of what was ingested, generated, reviewed, and approved should survive system changes, personnel turnover, and operational failures.
In a worsening threat environment, ungoverned deferral may be the more dangerous posture.
Implications for institutional leaders
The practical takeaway for policymakers, critical infrastructure leaders, and security executives is to change how delays are counted, not to "move fast" in the abstract.
AI governance strategies should explicitly account for the cost of inaction. That means asking which defensive functions are falling behind, which teams are failing to develop hands-on governance expertise, which standards processes are moving without the institution's voice, and which adversarial capabilities are likely to mature while internal adoption remains stalled.
The message is especially relevant for organizations that have treated AI as an enhancement to existing defensive posture. In the Mythos-class capability environment, AI-enabled offense is becoming the norm, and defense is becoming the minimum viable posture.
The conservative question, therefore, is whether organizations can afford to keep deferring governed adoption while adversaries do not.