Form's regulated market thesis in the AI era
"Hard things" such as regulation and hardware were once viewed sceptically by VCs - now they are islands of defensibility as AI disrupts software.
When we set out to invest specifically in regulated markets back in 2019, a US LP told us that the venture model only works for unregulated software startups: as soon as you introduce sources of scaling complexity, such as regulation, the model breaks. The same argument was being made about hardware and startups with real-world operations.
We disagreed. We raised our Fund I in 2019, with our “government matters” thesis, just as a small number of other funds were making a similar investment case for “atoms, not bits”.
Events since then have demonstrated that policy is deeply relevant to startups and VC: Covid, Ukraine & Iran, activist industrial strategies in the US and Europe, and the crackdown on social media, to name but a few.
But AI is doing more than all of these to deepen our belief in our thesis, by hardwiring the venture-government interdependency and transforming what startup defensibility looks like.
Dude, where’s my moat?
The “SaaSpocalypse” suggests that, as the difficulty of sophisticated software development plummets, “old school” SaaS companies have little to defend themselves from a motivated teenager with access to compute and a quiet weekend. Traditional software suddenly looks like the business model for which VC specifically doesn’t work.
In contrast, regulation suddenly looks like one of the most obvious areas of defensibility in the “age of AI”. That was Taavet Hinrikus’ first instinct when asked on stage at Latitude59 in May about where moats can now exist for venture-backed startups. His mind immediately went to the regulatory complexity that protects a business like Wise from motivated-teenager disruption.
Similarly, other investors have pointed to businesses built around “atoms” as the newly-defensible. So the two standout characteristics of scaling complexity that had been antithetical to venture are now seen as the things that will save it.
Four types of regulatory defensibility
At Form, our whole business is based upon the value we target by focusing on regulated markets. And for regulated startups, the lines of code themselves are only a small part of the proposition. So while we expect and hope that AI will be transformative for the potential of regulated markets, this transformation is consistent with a much greater degree of defensibility for founders as they build.
Time: regulatory processes slow down fast-followers
A 12-month regulatory authorisation process is a vast amount of time given the speed at which AI-based companies can emerge and scale today. This legally-enforced head start can be used to lock in product depth, brand credibility and distribution. Competitors can vibe their way through code, but not through time.
But it’s not just about formal authorisation. Certifications, standards and other softer forms of approval also contribute to a startup’s credibility as a vendor, particularly to large enterprise - with SOC2 / ISO 27001 being a prime example. Leveraging soft-regulatory credibility as a sales enablement tool can lock in an advantage while new competitors struggle through these processes.
We’ve campaigned for regulatory approvals to be sped up, but if anything, in the short term, the new risks and concerns thrown up by AI are likely to make regulators less comfortable, not more. And even in a world where things do become much quicker, there will always be time-based friction to enter regulated markets.
Market entry: regulation creates cross-border defences
Entering a new regulatory geography requires resources, expertise and commitment, whereas in unregulated sectors cross-border market entry is far smoother. Yes, this cuts both ways - those same challenges face our own portfolio companies when looking to scale abroad, but they do that from a position of established strength at “home”. Unregulated markets, by contrast, often see small European startups facing stiff competition (often from the US) right from the off.
Added to this is the recent emergence of sovereignty as a touchstone of tech policy. Strengthening preferences for “home grown champions” - evident in the UK’s industrial strategy, and the EU’s new tech sovereignty package (particularly the new Cloud and AI Development Act) - make “being foreign” a far bigger tax from a policy, regulatory and procurement point of view.
Go to market: credibility with buyers goes beyond software
Winning in regulated markets requires a degree of institutional maturity - to convince regulators that a startup is credible, trusted and effective. See our recent interview with Sarah Gates at Wayve for a masterclass in how to do this well.
This can include formal governance, capital adequacy and other structural building blocks, but also speaks to founder mentality and company posture. Knowing how to engage regulators and having the credibility to do so is not as widely distributed as access to compute - the teenager in their bedroom vibe-copying your product might have the latter but is unlikely to have the former.
There was an era where “move fast and break things” could work, and where immaturity in the eyes of regulators was dealt with by speed, aggression and “asking for forgiveness, not for permission”. We’ve long argued that era is over.
The importance of regulatory maturity may also protect regulated startups from another branch of the SaaSpocalypse argument, which holds that enterprises can use AI tooling to build solutions in-house much more easily, rather than procuring third-party software. Yes, this makes “lightweight” workflow-style SaaS solutions look particularly vulnerable, because the product is only as thick as the code. But the complexity, liability, credibility and maturity issues that characterize regulated products again look like a moat here - an enterprise has to do far more than just assign a token budget to a developer to get the outcome they want.
Product: value beyond the code
Product roadmaps in regulated markets have always offered defensibility if a founder can closely track, pre-empt - or even influence - regulatory changes. Knowing that a regulator is about to loosen rules over a new feature (such as the way stablecoins are treated for tax purposes, unlocking new use cases) allows a company to ship more quickly and with more confidence than those coming in cold, without the regulatory connectivity that creates these kinds of insights.
In the age of AI, the speed of penetration of AI into regulated workflows is structurally slower than that of non-regulated workflows. Regulators are more cautious of AI capability, require more guardrails, may insist on humans in the loop, or simply don’t (yet) allow AI at all. Therefore the simple fact that a workflow can now be delivered by AI, perhaps agentically, isn’t enough - the market will only be transformed by AI as quickly as the regulator allows, not at the speed at which innovation can happen.
Once AI is permitted to disrupt regulated markets, forms of product defensibility will remain - largely because regulatory protections do not end at permissions. Operating in regulated markets often generates unique datasets as a by-product: healthcare outcomes, transaction histories, real-world recordings, and so on. These datasets are difficult for new entrants to acquire, expensive to recreate, and are increasingly valuable in underpinning AI systems. As software becomes easier to build, access to proprietary data generated through regulated operations may become one of the most enduring product moats of all.
Human talent remains key
All said, we’re confident that what were once non-consensus theses for VC investing - whether focused on regulation, “atoms not bits”, or other sources of scaling complexity - are positioned well for the ongoing wave of AI disruption.
But that complexity still exists. The instinctive reaction that these domains are “too hard” still has a kernel of truth - they create complexity, risk, and challenges, as well as defensibility. In turn, they require founders with expertise, insight and judgment that go beyond knowing what building a SaaS company looks like.
Founders with both the capability and ambition to take on these challenges will remain the scarce resource in regulated markets. We can’t see AI changing that any time soon.


