The Permit Paradox
In San Francisco, it takes an average of 627 days to get approval to build a new housing unit.¹ In Seoul, it takes 27 days. Both cities have regulations—building codes, zoning rules, environmental requirements. Both care about safety and quality. But one has figured out how to check compliance quickly; the other has not.
The difference isn't just technology. It's how rules are written, how compliance is verified, how decisions are made. San Francisco's rules are text—pages of prose that humans must read, interpret, and apply. Seoul's rules increasingly exist as code—logic that computers can execute, with clear inputs and deterministic outputs.
This is the promise of regulation as code: rules written in formats machines can process, compliance checked automatically, permits issued instantly when requirements are met. Not discretion replaced but routine decisions accelerated. Not judgment eliminated but paperwork automated.
The implications extend far beyond building permits. Business formation, tax compliance, environmental reporting, professional licensing—any domain where rules are clear and compliance is verifiable could be transformed. What takes weeks could take minutes. What requires lawyers could be self-service.
This chapter examines the transformation of regulatory compliance: what it means to encode rules, where it's already happening, what barriers remain, and what a world of instant compliance might look like.
2026 Snapshot — Regulatory Technology Today
Machine-Readable Regulation
Tax codes: Some jurisdictions publish tax rules in structured formats. OpenFisca (France, others) encodes tax and benefit rules for simulation.
Financial regulation: XBRL (eXtensible Business Reporting Language) for financial reporting. Some regulatory reporting in structured formats.
Building codes: ICC (International Code Council) developing machine-readable building codes. Singapore BIM-based checking.
Data protection: GDPR compliance tools encode some requirements; mostly human interpretation still required.
Status: Early adoption in specific domains; most regulation remains prose.
Automated Compliance Checking
Tax filing: TurboTax, H&R Block, and others encode tax rules into software. IRS e-file validates returns against rules.
Building permits: Singapore CORENET (Construction and Real Estate Network) automates some building code checking against BIM models.
Business registration: Estonia, Singapore, others enable fully online business formation in hours.
Financial compliance: RegTech tools automate some compliance monitoring, reporting, and checking.
Permit Processing
Variation is enormous:
- Business registration: Hours (Estonia, Singapore) to weeks (many jurisdictions)
- Building permits: Days (some) to years (San Francisco housing)
- Professional licensing: Days to months
- Environmental permits: Months to years
Online portals exist: Many jurisdictions have online permit applications. But "online" often means PDF upload, not automated processing.
Bottlenecks persist: Human review, inter-agency coordination, public comment periods, appeals.
Notable Players
Government Leaders
Singapore: GoBusiness platform for unified business services. BIM-based building code checking (CORENET). Aim for "minutes, not days" for routine permits.
Estonia: Business registration in 18 minutes. E-Residency enables remote formation. X-Road enables inter-agency data sharing.
New Zealand: Better Rules initiative: writing legislation in both human and machine-readable formats simultaneously.
United Kingdom: GOV.UK digital services. OpenFisca UK for tax modeling. Rule as Code experiments.
Denmark: Digital-first policy since 2014. Most citizen-government interactions digital.
Technology Providers
OpenFisca: Open-source platform for modeling tax and benefit rules. Used by France, UK, Tunisia, others.
ServiceNow, Salesforce: Workflow platforms adapted for government processes. Case management and automation.
Accela, Tyler Technologies: Permit and licensing software for local government.
Autodesk, Bentley: BIM (Building Information Modeling) software enabling model-based code checking.
RegTech startups: Ascent, Clausematch, Reg-Track, and others focusing on financial regulatory compliance.
Standards Bodies
ICC (International Code Council): Developing machine-readable building codes (cdpACCESS initiative).
XBRL International: Standards for business and financial reporting.
OASIS, W3C: Technical standards for structured data and interchange.
What "Regulation as Code" Means
The Concept
Traditional regulation: Rules written as prose in natural language. Humans read, interpret, and apply them. Ambiguity is inherent and sometimes intentional.
Regulation as code: Rules expressed in formal, machine-executable language alongside human-readable text. Computers can check compliance deterministically.
Not a replacement: Human judgment still needed for interpretation, exceptions, appeals. Code handles the routine; humans handle the complex.
How It Works
Dual publication: Rule is published in both human-readable and machine-readable form. The human version is authoritative; the machine version operationalizes it.
Input requirements: Applicant provides structured data about their situation. Not free-form narratives but defined fields.
Automated checking: System evaluates data against encoded rules. Returns pass/fail or list of issues.
Human review for exceptions: Complex cases, edge cases, appeals escalate to human decision-makers.
Example: Building Permit
Traditional process:
- Architect submits plans (paper or PDF)
- Plan checker reviews against code (days to weeks)
- Comments returned; revisions requested
- Iterate until approved
- Inspections during construction (scheduling challenges)
Automated process:
- Architect submits BIM model (3D digital model with metadata)
- System automatically checks against encoded building code
- Violations flagged instantly with specific code references
- Architect fixes violations in model
- Resubmit; automated re-check
- Approval issued when all checks pass
- Inspections can reference same digital model
Time impact: Days reduced to hours or minutes for the plan review component.
Current Applications
Business Formation
Estonia: 18-minute company formation online. Pre-verified digital identity; standard templates; automated registry.
Singapore: BizFile+ enables same-day incorporation for straightforward cases.
US (some states): Delaware online incorporation. Wyoming. Others offering expedited digital formation.
What enables speed: Digital identity; pre-validated templates; automated name checking; electronic filing; no human review for routine cases.
Tax Compliance
Pre-filled returns: Nordic countries, Australia, others pre-fill tax returns with employer and financial institution data. Citizen reviews and submits.
Calculation engines: Tax software encodes rules; calculates liability; validates against IRS/tax authority rules.
Real-time reporting: Some countries moving to transaction-level reporting (Mexico, Spain, India). Compliance checked continuously, not annually.
Financial Regulation
XBRL reporting: Standardized financial data submission to regulators. Enables automated analysis.
Regulatory sandboxes: UK FCA, Singapore MAS, others allow testing of new products with modified rules.
Algorithmic compliance monitoring: Banks use AI to monitor transactions for compliance with AML/KYC rules.
Building and Construction
Singapore BIM checking: Automated checking of building models against regulations. Not comprehensive but expanding.
New Zealand: Better Rules pilot projects for building consent. Mixed results; learning applied to new projects.
Nordic countries: Advancing toward automated building permit review.
The Path to Implementation
Step 1: Structured Rules
Requirement: Rules must be unambiguous enough to encode. Many rules are vague by design or accident.
Challenge: Legal drafting tradition favors flexibility. "Reasonable" and "appropriate" are hard to code.
Approach: New rules written with machine-readability in mind. Existing rules clarified over time.
Step 2: Structured Data
Requirement: Applicants must provide data in formats computers can process.
Challenge: Every form is different. Data entry is burdensome. Errors are common.
Approach: Standardized data formats; pre-filled from existing sources; validation at entry.
Step 3: Integration
Requirement: Different systems must share data. One application should trigger checks across agencies.
Challenge: Government systems are siloed. Different agencies, different databases, different formats.
Approach: APIs; data exchange standards (like Estonia's X-Road); single-sign-on identity.
Step 4: Workflow Automation
Requirement: Routine decisions made automatically; complex cases routed to appropriate humans.
Challenge: Defining what's routine; ensuring appropriate oversight; handling exceptions.
Approach: Clear escalation criteria; audit trails; human review of samples.
Step 5: Continuous Improvement
Requirement: System learns from errors; rules updated based on experience.
Challenge: Government processes are hard to change; accountability for AI decisions unclear.
Approach: Feedback loops; version control for rules; transparent change processes.
Barriers to Adoption
Technical Barriers
Legacy systems: Government IT can't easily integrate with modern automation.
Data quality: Existing data is inconsistent, incomplete, or wrong.
Interoperability: Systems don't talk to each other across agencies or jurisdictions.
Cybersecurity: More connected systems create more attack surface.
Legal Barriers
Vague rules: Many regulations intentionally leave room for interpretation. "Good faith," "reasonable efforts," "adequate measures."
Due process: Citizens have right to understand and contest decisions. Algorithmic decisions may not satisfy this.
Liability: When automated system makes wrong decision, who is responsible?
Legislative process: Changing how laws are written requires legislative buy-in.
Institutional Barriers
Risk aversion: If automated system fails publicly, who gets blamed? Safer to keep humans in the loop.
Jobs: Automating permit review threatens existing jobs. Union resistance; political opposition.
Budgets: Modernization requires upfront investment. Benefits accrue over time. Budget cycles don't match.
Culture: "It's always been done this way." Change is uncomfortable.
Political Barriers
Discretion as power: Permit decisions involve discretion. Discretion is power. Automation removes that power.
Corruption: In some jurisdictions, slow permits create opportunities for bribes. Faster permits reduce rent-seeking.
Constituencies: Those who benefit from current system (lawyers, expediters, connected insiders) resist change.
Second-Order Effects
For Businesses
Faster starts: New businesses can launch faster when permits come in days not months.
Lower costs: Less need for lawyers, expediters, and compliance consultants for routine matters.
Predictability: Clear rules with deterministic outcomes. Know in advance whether you comply.
Level playing field: Smaller businesses can navigate compliance without expensive help.
For Government
Efficiency: Same staff can process more applications. Or fewer staff needed for routine work.
Consistency: Same rules applied the same way. Less variation across reviewers.
Data: Structured data enables analysis, pattern detection, policy evaluation.
Focus: Human reviewers can focus on complex cases that need judgment.
For Society
Economic growth: Faster business formation and construction. Less friction in economy.
Reduced corruption: Less discretion means less opportunity for rent-seeking.
Transparency: Rules are explicit; compliance is verifiable; decisions are auditable.
But also: Loss of flexibility for edge cases; automation bias; digital divide for those who can't navigate systems.
The Path Forward
Near-Term Likely (2026-2032)
Expansion of online portals: More permits available online. Still mostly human review, but digital submission and tracking.
Tax compliance advances: More countries adopt pre-filled returns, real-time reporting, automated validation.
Business registration simplifies: More jurisdictions achieve same-day or faster incorporation for standard cases.
BIM-based checking pilots: More cities experiment with automated building code checking for defined elements.
Financial RegTech matures: Regulatory reporting increasingly automated and standardized.
Plausible (2032-2040)
Machine-readable regulation becomes norm: New rules published in structured formats alongside prose. Tools exist to consume them.
Routine permits are instant: Building permits, business licenses, environmental permits for straightforward cases processed in hours.
Continuous compliance monitoring: Instead of periodic audits, systems verify compliance in real-time for regulated entities.
Cross-jurisdictional harmonization: Standards enable compliance checking across borders for some domains.
Wild Trajectory (2040+)
Algorithmic regulation: Rules update dynamically based on outcomes. Optimization rather than fixed requirements.
Compliance by design: Products and services built to be compliant by architecture, verified continuously.
Friction approaches zero: Starting a business, building a structure, launching a product involves minimal regulatory delay.
New governance questions: What is the role of human judgment? How are algorithms accountable? Who decides the rules of the rules?
Risks and Guardrails
Over-rigidity
Risk: Encoded rules can't handle legitimate exceptions. Edge cases are rejected automatically.
Guardrails: Human escalation paths; appeal mechanisms; discretion preserved for exceptions; rule design that anticipates variation.
Automation Bias
Risk: When computer says "denied," humans accept without scrutiny. Errors propagate.
Guardrails: Meaningful human review for consequential decisions; training on system limitations; accountability for outcomes regardless of automation.
Algorithmic Discrimination
Risk: Rules that are facially neutral may have disparate impact when applied algorithmically at scale.
Guardrails: Impact analysis before deployment; monitoring for disparate outcomes; adjustment mechanisms; transparency about how systems work.
Security Vulnerabilities
Risk: Automated compliance systems can be gamed, hacked, or manipulated.
Guardrails: Security by design; input validation; anomaly detection; audit trails; ability to verify claims independently.
Digital Divide
Risk: Those without digital access or literacy can't navigate automated systems.
Guardrails: Maintain non-digital options; assistance for those who need it; design for accessibility; not assuming everyone can self-serve.
Loss of Accountability
Risk: When decisions are automated, no one is clearly responsible for errors.
Guardrails: Clear accountability for system design and operation; audit trails; explainable decisions; legal responsibility regardless of automation.
The Deeper Questions
Can All Rules Be Coded?
Some rules are intentionally vague. "Reasonable care." "Good faith." "Appropriate measures." These words delegate judgment to enforcers.
Encoding requires precision. But precision may lose the flexibility that vagueness provides. The question is where on the spectrum each rule should fall.
Who Writes the Code?
If rules are code, programmers become lawmakers in some sense. Their implementation choices affect outcomes.
How can it be ensured that the code reflects legislative intent? Who audits the code? How is accountability maintained?
What About Politics?
Regulation isn't just technical. It reflects political choices about who bears costs and who gets benefits.
Making regulation "efficient" isn't politically neutral. Faster permits benefit some constituencies; slower permits benefit others.
What's Lost?
Human reviewers sometimes exercise wisdom that rules don't capture. They see context that data doesn't show. They make exceptions that serve justice.
Automation may be more consistent but less wise. The question is whether the gains in efficiency justify the losses in judgment.
Conclusion
The gap between what regulation could be and what it is represents enormous waste—of time, money, and human potential. Businesses that could launch wait for permits. Housing that could be built sits in review queues. Compliance that could be verified in seconds requires months of back-and-forth.
Regulation as code offers a path toward closing this gap. Rules that computers can process, compliance that can be checked automatically, permits that can be issued instantly when requirements are met.
The technology exists. The barrier is implementation—rewriting rules for machine-readability, modernizing government IT, changing institutional cultures, navigating political resistance.
Some jurisdictions are far ahead. Estonia, Singapore, parts of Scandinavia show what's possible. Others, including much of the United States, remain mired in processes designed for an era of paper and postal mail.
The next decade will determine how far this transformation goes. The stakes are significant: economic growth, entrepreneurship, housing construction, and countless other activities depend on regulatory efficiency.
Regulation as code won't eliminate the need for human judgment. Complex cases, novel situations, and value-laden choices will always require human decision-makers. But the vast majority of regulatory interactions are routine. Automating the routine frees humans to focus on what actually requires human wisdom.
The question isn't whether to automate but how—with what safeguards, what accountability, what protections for those the automation might fail.
Endnotes — Chapter 33
- San Francisco housing permit timeline data from various analyses; 627 days is approximate average for multifamily housing permit approval.
- Singapore GoBusiness platform consolidates business registration and licensing; aims for same-day incorporation for standard cases.
- Estonia e-Residency and business registration enable 18-minute company formation; over 100,000 e-Residents from 170+ countries.
- OpenFisca is open-source tax-benefit microsimulation platform; used by France (mes-aides.gouv.fr), UK, Tunisia, and others.
- New Zealand Better Rules initiative began 2018; aims to write legislation in both human and machine-readable formats.
- Singapore CORENET (Construction and Real Estate Network) enables BIM-based regulatory checking; expanding coverage over time.
- XBRL (eXtensible Business Reporting Language) mandated for SEC financial reporting in US; used by regulators globally.
- ICC cdpACCESS initiative working on machine-readable building codes; pilot projects with several jurisdictions.
- Nordic countries (Denmark, Sweden, Finland, Norway) consistently rank highest in digital government indices; pre-filled tax returns standard.
- Real-time transaction reporting implemented in Mexico (CFDI), Spain (SII), India (GST); enables continuous compliance verification.