Note on infinite risk


Data has this magical economic property of non-rivalry. Once we've paid the fixed cost to collect, clean and structure a high-quality dataset, the marginal cost of an additional use is near-zero. One dataset can simultaneously feed a thousand AI agents, analytics pipelines or business decisions without being physically depleted. In the context of the public sector, these uses spread out into a sector via contracted providers and third parties, and the overall public value is the sum of concurrent uses.

Thus, we get the engine of AI's promise: extremely high marginal returns to scale. The data doesn't run out when we train more models or serve more users. Scale is nearly free. But here's what we rarely discuss: risk is non-rivalrous too. Just as value scales effortlessly across networks, so does the harm. A single compromised credential, misconfigured API or stolen dataset doesn't stay local—it replicates instantly across the entire ecosystem.

Super-Linear Risk Scaling

In the physical economy, risk tends to be local and contained:

  • My factory burns down. Yours stays safe.
  • My truck crashes. Your supply chain continues.

In the data economy, risk is contagious and systemic:

  • One vendor's credentials get phished → instant access to our entire customer base
  • One poorly secured dataset gets dumped → resold indefinitely on dark web markets
  • One weak link in the AI supply chain → model poisoning that affects millions

The attack surface doesn't grow linearly with connections—it scales super-linearly. Shared dependencies (cloud services, LLMs, identity providers) mean one breach becomes everybody's problem.

Because stolen data is non-rivalrous, the social cost dwarfs any single firm's loss. That dataset of 10 million health records doesn't disappear after the first identity theft—it fuels fraud, blackmail, and ransomware for years.

The Market Failure: Private Gains, Socialized Pain

This creates a textbook negative externality + moral hazard problem:

  • Firms capture the private benefits of speed, scale, and insights from hoarding and aggressively using data.
  • Society bears most of the costs—identity theft, fraud losses, eroded trust, systemic outages.

The rational business response is to underinvest in security. Why build robust governance when:

  • Expected breach cost = (small fine + remediation) < upfront prevention spend
  • Insurance + limited liability externalize tail risks
  • Good enough security works on the average day
  • Competitors who skimp move faster

Organizations optimize for quarterly results, not correlated systemic failures. The invisible hand fails spectacularly, and we end up with a tragedy of the commons. That is easy enough for the private sector to ignore but impossible for the public sector to ignore.

Regulation as Economic Correction

This is why GDPR, HIPAA, Privacy Acts and sector-specific rules aren't red tape—they're essential market corrections. They work through three mechanisms:

  • Transparency (breach notification, DPIAs) → ends information asymmetry, so poor security can't hide
  • Liability (fines scaled to revenue) → forces accurate risk pricing
  • Minimum standards → raises the floor so laggards don't drag everyone down

This is how prevention becomes cheaper than the cure and the expected cost curve flips.

The Economics of Collective Defence

But regulation alone creates compliance, not security. The real leverage is sector-wide protection, which is why standards-based regimes make a lot of sense and why the retreat from a rules-based order is a foolish strategy in the long run.

When banking, healthcare, or government adopt:

  • Shared threat intelligence platforms
  • Standardized baselines (zero trust, SBOMs, etc.)
  • Joint red-teaming and incident response
  • Risk-adjusted insurance pricing

the hostile actor's ROI collapses: they must spend more to steal less valuable targets, and their business model breaks. This is where using economics as a defence strategy makes sense: we want to degrade adversary economics while protecting our value.

The Takeaway: Governance = Infrastructure for Dynamic Trust

Data governance really shouldn't be a cost centre or compliance checkbox exercise (hence why I get worked up when we keep defaulting to the norm and doing what we know well). Data governance is the best scalable mechanism to bound the infinite risk surface of non-rivalrous data assets.

Without it:

  • Our data capital depreciates through distrust and legal restrictions
  • AI scaling hits hard limits (consent, access, legitimacy)
  • Systemic shocks wipe out years of value creation

With it:

  • We unlock data's scaling superpowers responsibly
  • Trust becomes a moat and multiplier
  • Collective defence turns risk into a shared asset

This is one of my motivators to lift data governance out of a single-issue topic and address the underlying economics of data. The future belongs to organisations that treat governance as trust infrastructure, not overhead. In the non-rivalrous data economy, those who master both value and risk will scale indefinitely. Everyone else will discover that breaches scale faster than revenue.