Crises themselves guarantee neither progress on governance nor good practice. But they may provide an opening for bold action that is not currently feasible.
Crises trigger diverse responses. These responses can, and often do, lead to substantial policy change. When based on preparation and planning, change can enable states and societies to build better systems, and to improve robustness and resilience to future crises.
Drawing on desk research and expert interviews, this chapter examines the responses to three previous global crises in other sectors for insights that can be applied to AI governance. These case studies were selected for different levels of global impact, interdependence of outcomes and diversity in responses: one interventionist (the global financial crisis of 2007–08); one networked (the WannaCry ransomware attack of 2017); and one improvised (the COVID-19 pandemic of 2019–22).
This chapter is not a comprehensive crisis audit. Instead, it spotlights a range of institutional changes, new coalitions and networks, and innovations in the technological tools and infrastructures needed to monitor, weather and recover from crises. Building on case insights, this chapter considers what this set of best practices and cautionary tales can teach policymakers, practitioners and experts about building a preparation protocol.
3.1 What previous crises can teach us
A significant disruption to the current system will likely be required to break through the current deadlock on global AI governance. Historical precedent indicates that crises can catalyse policy changes that previously appeared unlikely. The 1986 Chernobyl disaster forced international cooperation on nuclear safety through binding conventions that Cold War tensions had previously blocked. The 2001 attacks on the US World Trade Center in New York triggered wide-ranging changes in international governance, notably in financial monitoring, security cooperation and the application of international law. The 2007–08 global financial crisis led to sweeping regulatory reforms being implemented in the banking sector.
Not every crisis produces governance change, but certain types of events create opportunities and generate political will. These ‘focusing events’ are rare, high-visibility shocks that concentrate harm, attract sustained attention and can break down structural barriers that prevent action under normal conditions. Such events mobilize diverse stakeholders, reveal hidden costs or risks in a system, change cost–benefit calculations among political leaders, temporarily invert concentrations of power and create a sense of urgency that can overcome vetoes. But, the governance opportunities crises create are time-limited. Crisis windows close as attention shifts, political constraints and authority resettle, interests retrench or a new crisis takes root.
Global crisis entanglement – or ‘polycrisis’ – emerges when slow-moving stresses, such as governance gaps or resource dependencies, intersect with fast-moving triggers, such as technical failures or malicious attacks. But entanglement may present opportunities for positive change, alongside risks of spillover from one sector to another as AI becomes integrated into the global economy. Entanglement also means that today’s change-makers must build crisis preparation protocols that respond to potential harms accruing through inaction in seemingly disconnected policy areas.
The case studies below suggest that interlinked factors determine the extent to which crises catalyse effective governance: the framing of an incident as crisis; the concentration and legitimacy of authority; the availability of institutionalized pathways for coordination; and the alignment of incentives among the significant actors.
- Framing shapes the perceived scope, severity and ownership of a crisis, determining whether an incident is understood as an isolated failure or a bigger threat requiring an exceptional response. Where incidents are framed as crises with collective, international implications, the range of legitimate policy tools expands, the political salience of the issue is elevated, and extraordinary levels of coordination and collective decision-making are justified.
- In moments of crisis, authority tends to concentrate temporarily, enabling certain actors (including officials, regulators, executive bodies or technical experts) to bypass veto points and define the options for response. Where such authority is recognized as legitimate, decisions can be taken rapidly. Where it is contested, though, responses fragment or stall.
- Governance change then depends on the availability of institutionalized pathways through which decisions can be turned into action. These pathways may take the form of existing legal mandates, international forums or emergency procedures. Crises accelerate the use of these mechanisms, but rarely create them from scratch.
- Finally, durable reform requires sufficient alignment of incentives to sustain change. Individuals and groups both within and outside government who push a particular set of policies – sometimes called ‘policy entrepreneurs’ – play a critical role in this phase by mobilizing coalitions, reframing interests and sequencing decisions so that crisis-driven reforms become embedded rather than reversed.
The response to the 2008 financial crisis succeeded partly because regulatory agencies and legislative frameworks already existed. UK policymakers framed COVID-19 as a security threat, which enabled them to deploy resources that were otherwise unavailable. International cooperation on nuclear safety after Chernobyl succeeded in part because the International Atomic Energy Agency provided a multilateral venue for negotiations, and in part because the disaster drew attention to a transnational threat to human life that could not be ignored.
Advocates of AI governance span a broad range of perspectives – from those who see it as necessary to prevent catastrophic or existential risks to humanity, to others who seek to mitigate foreseen political or economic disruption, to others still who want governance to serve in protecting national industries or even guaranteeing further acceleration in the development of AI. This paper does not attempt to arbitrate among them or to prejudge what ‘good’ governance might look like. Its central messages are that progress on binding and durable international governance of AI has stalled, and that a major AI-related crisis can rapidly shift the political constraints that have so far hindered international coordination. Investment in strengthening any of the four factors listed above will help a durable form of governance to emerge.
3.2 Three case studies: Good practice and cautionary tales
The interventionist response: the 2007–08 global financial crisis
Triggered by the collapse of the US subprime mortgage market and the failure of major financial institutions to prevent its collapse, the global financial crisis (GFC) rapidly cascaded into a global polycrisis through an interconnected system of credit, liquidity and confidence. More than $2 trillion in global asset value evaporated, and economies around the world faced simultaneous banking failures, frozen credit markets and systemic contagion.
The immediate crisis response was heavily interventionist, highly centralized and led by key institutional players. In the US and Europe, central banks and finance ministries coordinated emergency liquidity injections, bank guarantees and bailouts, such as the US Troubled Asset Relief Program. The US Federal Reserve and the US Treasury deployed extraordinary powers to stabilize markets. This interventionist response enabled rapid decision-making, but, to its critics, also entrenched the dominance of technocrats and financial regulators as guardians of the global financial system. At the same time, parallel coordination took place in transnational channels. The G20 became the premier forum for global economic governance, and the Financial Stability Board was created as the successor to the Financial Stability Forum to strengthen macroeconomic oversight and standards. These two institutions remain key to financial monitoring and coordination almost 20 years on.
The GFC demonstrates that crisis-driven governance works best when it can leverage existing institutions, technical expertise and monitoring infrastructure, rather than building this infrastructure from scratch.
Though the success of this response remains disputed, the scale of post-crisis reforms is not. New regulatory architectures, such as the Dodd-Frank Act in the US and the Basel III framework on capital requirements, introduced greater oversight, data reporting and early-warning mechanisms. The crisis also elevated the value and role of technical expertise and real-time system-monitoring through dashboards, supervisory technologies and centralized information-sharing systems. These were incorporated into everyday financial governance around the world. An example is the new Global Systematically Important Banks Classification, which is based on scoring thresholds that, once surpassed, automatically trigger heightened supervision, planning requirements and capital surcharges.
Stronger regulatory architecture emerged from a crisis that created the conditions for prevention, coordination and rapid action. Yet the crisis response also revealed and institutionalized persistent inequities. Developing and lower-income economies affected by the crisis had limited influence in the development of the post-crisis architecture. Much rule-making occurred within institutions dominated by advanced economies, meaning that many states affected by spillovers had minor voices and limited bargaining power in shaping the remedies.
The GFC demonstrates that crisis-driven governance works best when it can leverage existing institutions, technical expertise and monitoring infrastructure, rather than building this infrastructure from scratch. In terms of an AI crisis, this lesson suggests prioritizing investments in AI safety institutes (AISIs), technical exchange networks and pre-negotiated frameworks that can be rapidly activated, rather than relying on improvised solutions in the event of catastrophe.
The example of the GFC also reveals a danger. Those countries that were excluded from negotiations had governance imposed on them, rather than being involved directly in shaping it. Their exclusion helped entrench global inequities that persist today.
However, the main elements of both the GFC and the response can be discerned, and may be useful in the event of an AI crisis:
- Symmetric economic harm. All major economies faced simultaneous banking failures and frozen credit, aligning incentives for cooperation.
- Clear causation and shared language. Financial contagion mechanisms were well understood, enabling rapid diagnosis and coordinated response.
- Pre-existing institutions. The crisis primarily empowered institutions that already existed (such as central banks, finance ministries and the G20), rather than creating new ones – demonstrating that preparation must build capacity before crisis strikes.
- Speed through concentrated authority. Emergency powers and technocratic dominance bypassed normal veto points to reach a solution rapidly.
The key lesson for AI governance is that infrastructure and economic crises affecting all major powers symmetrically offer the best prospects for comprehensive governance. But the response will only be swift and effective if technical capacity and institutional pathways exist before the crisis hits.
The networked response: WannaCry
In May 2017, ransomware known as WannaCry proliferated globally. At the time, security analysts called it the largest ransomware cyberattack ever recorded. Within a single day, it infected more than 200,000 computers in 100 countries. In the UK, the National Health Service (NHS) was badly hit, with widespread disruptions to computer systems preventing access to data about patient care, leading to cancelled appointments and procedures. The attack cost the NHS £92 million and the global financial impact was estimated at around $8 billion.
Over 34 per cent of NHS trusts found their devices’ files encrypted and a ransom demand for bitcoin. Fearing permanent loss of access, some trusts shut down their systems as a precautionary measure, ‘as they had not received central advice early enough’. Private sector providers led the initial response, in coordination with the recently instituted UK National Cyber Security Centre (NCSC). Information-sharing on the threat and responses was relatively informal, but nonetheless agile and effective.
UK media covered evidence of disruption, such as diverted ambulances and offline equipment, but had little information on its source. Political leaders reassured citizens that the attack was global and untargeted. By the evening, an independent cybersecurity researcher stopped the ransomware spread by buying a domain name. The crisis was triggered by the exploitation of a known software vulnerability by a hacker group, and later formally attributed to a North Korean-linked group. Ultimately, WannaCry was an avoidable crisis with a relatively uncomplicated ‘fix’.
WannaCry was unprecedented but not unexpected. It is best understood as a complex, lurking threat, compounded into a crisis by globally networked technologies and interdependence. The crisis demanded emergency coordination, primarily between the private sector and central cyber authorities, but also between these authorities and NHS healthcare trusts. It platformed novel responses, many of which were later used to inform policy changes.
The WannaCry incident illustrates both the promise and limitation of networked crisis response for AI governance. The UK’s reforms to crisis governance in the wake of the cyberattack (for example, the centralization of cyber crisis response and the recognition of cyber risks in the UK’s central emergency response unit) demonstrate that even limited crises can catalyse significant institutional change. However, WannaCry produced minimal international governance precisely because no institution had jurisdiction or prepared mechanisms.
The response to WannaCry succeeded in producing governance change because the crisis was limited enough to allow informal, expert-led coordination rather than requiring top-level political negotiation.
WannaCry suggests that dual preparation is important: strengthening national-level technical response capacity that can be deployed rapidly, while pre-preparing international coordination channels that can be activated when crises cross borders.
The key elements of the WannaCry crisis and its response were:
- Scale of random harm. The threat was not targeted at a specific institution but proliferated widely and unpredictably, both in the UK and globally. It impacted critical national infrastructure.
- Technical expertise as legitimate authority. In the UK, the NCSC’s technical credibility enabled it to coordinate the response despite being newly established, showing that crisis elevates actors with relevant technical expertise.
- Networked response among key actors. Parts of the crisis response – such as information-sharing – were facilitated through informal connections between public and private actors, which might have improved agility and speed to respond.
- Clarification of global norms and boundaries. WannaCry’s impact on the NHS was criticized worldwide as inappropriate and unacceptable. The incident helped states and experts clarify what is off-limits – targeting critical national infrastructure, like healthcare – for state behaviour and activity in cyberspace.
The lesson for AI governance is that narrow, technical crises with an adverse impact on specific sectors (such as finance and healthcare) may be more amenable to rapid coordination than broad systemic disruption, as they can elevate the salience of technical expertise and sector-specific institutions in the response.
The improvised response: COVID-19
The first cases of COVID-19 respiratory disease were detected in China in 2019. The disease was infectious and quickly spread around the world, leading to the World Health Organization (WHO) to declare a public health emergency in January 2020. While widely recognized as a catastrophic global health crisis, the COVID-19 pandemic also exposed the failure of decision-makers to mount a coordinated response that could have mitigated devastating impacts. Official data indicate that more than 7 million people died during the COVID-19 pandemic. Total global excess deaths following the pandemic have been estimated at between 19.2 million and 36.3 million.
WHO attempted to communicate and coordinate a response through the IHR Emergency Committee, Strategic Preparedness and Response Plan, situation reports, and declaration of a public health emergency of international concern. But the crisis was ultimately managed via a wide variety of national responses. Sweden, for example, focused on voluntary measures, emphasizing personal responsibility over the restrictions on movement and interaction elsewhere. By contrast, China implemented a strict ‘zero-COVID’ policy, with controversial restrictions on movement of people, community-wide health screenings and mandatory quarantines. Some countries pursuing so-called elimination strategies, such as New Zealand, achieved early success in controlling transmission of the disease. But it was the eventual development and rollout of vaccines and high levels of uptake that finally caused the global fatality rate to decline sharply and allowed national authorities to regain control.
Many national governments proved ill-prepared and sluggish in their responses, neglected the most vulnerable segments of their population, and struggled against low public trust and rampant mis- and disinformation. The Lancet Commission on lessons for the future from the COVID-19 pandemic, formed following the pandemic, identified global systemic failures across multiple levels: inadequate prevention; irrational policy responses; lack of transparency; departures from established public health practices; weak operational cooperation; and an absence of international solidarity.
The international response proved equally troubling. One interviewee remarked that ‘the only institutions with the ability to make positive governance changes in this case are international organizations, because it [was] an international problem’. Yet no adequate international coordination mechanism functioned effectively during the crisis, nor have lessons been properly applied to multilateral enforcement since. Even in the Pandemic Agreement recently adopted by the World Health Assembly, critical guidance remains either non-existent or non-binding, including on commitments to equitable access to medical countermeasures like vaccines, or on sustainable financing for pandemic preparedness and response.
While the wide variety of national COVID-19 responses showed mixed effectiveness, the overarching global response can be characterized as reactive improvisation rather than coordinated strategy. The experience of the COVID-19 pandemic has still not prompted the development of a robust international crisis architecture applicable to other borderless threats.
This lesson is particularly relevant for any future AI crisis. Like infectious diseases, threats proliferating on networked systems spread with little regard for legal and political boundaries. Similar to COVID-19, an AI-enabled crisis will likely require swift international cooperation and policy alignment to prevent cascading global harms.
COVID-19 therefore represents the failure mode that AI crisis governance must avoid. The pandemic had the scale, urgency and global reach that should have triggered cooperation. But it produced little or no durable international architecture for dealing with similar threats. The pandemic response reveals which crisis types are least likely to be productive in terms of governance: those with contested origins; those where the status of experts and their expertise remains politicized; and those where blame can be directed at specific actors rather than forcing acknowledgment of shared vulnerability. Crisis governance is not impossible, but it depends critically on fundamental shared understanding and institutional legitimacy.
The most significant elements of the COVID-19 pandemic response were:
- Epistemic collapse prevents coordination. Contested attribution, politicized expertise and fragmented blame prevented the shared threat perception necessary for cooperation. Low public trust and the proliferation of mis- and disinformation meant that emergency measures faced resistance.
- No institutional foundations to empower. WHO lacked enforcement mechanisms and had already been weakened, meaning that the organization could not elevate itself into an effective coordinating body.
- National interests overriding a shared sense of threat. Vaccine nationalism and geopolitical blame games dominated the global response to COVID-19, despite the clear mutual interest in controlling the pandemic.
COVID-19 is a cautionary tale: even significant global crises can fail to produce governance when institutions are weak and information environments are low quality.
3.3 Key lessons
The case studies above show how previous crises led to both successful and unsuccessful governance outcomes. The response to the 2008 financial crisis succeeded because it met four conditions simultaneously: symmetric harm, pre-existing institutional capacity, epistemic clarity, and concentrated authority. The response to WannaCry succeeded domestically for similar reasons: the response drew on technical expertise with legitimacy, and a scope allowing for informal coordination. COVID-19 had the scale and urgency that should have triggered global cooperation but failed to meet these conditions.
While not all such ‘focusing’ events will be conducive to governance change, those most likely to result in durable solutions will combine the following characteristics:
- Clear and undeniable framing of the problem. For instance, in events involving infrastructure failures, economic harm or loss of life.
- Harms that affect all major powers equally, rather than hitting some countries harder than others and allowing for blame-shifting or claims of strategic advantage.
- The involvement of sectors where technical expertise has established legitimacy, such as finance, cyber security or the maintenance of critical infrastructure.
- Occurrence in domains with pre-existing coordination mechanisms or institutions, rather than across domains too wide for existing coordination mechanisms to cover.
The COVID-19 response is not the only cautionary tale that demonstrates that even global crises may fail to spur governance. The climate crisis has so far only produced commitments that fail to meet the scale of the challenge through processes that are frequently paralyzed by contested attribution, divergent national and public/private interests and incentives, and an inability of governments and organizations to achieve buy-in for expensive interventions. There is no guarantee that global AI governance will not follow a similar trajectory, even after a ‘focusing’ event. The following chapter outlines measures that can help policymakers and other stakeholders to implement rapid and effective interventions in the event of an AI crisis.
