The Die Progress Unit: Why Your AI Compliance Framework Is Already Obsolete
By Don Ho, Co-Founder & CEO, Kaizen AI Lab
Published: February 17, 2026
TL;DR: Tim Urban's "Die Progress Unit" measures how many years of progress would kill someone from the past from pure shock. In 1750, the DPU was about 250 years. In 2025, it might be 10. Your compliance framework was designed for the 250-year version. The regulatory system can't keep up, and regulators know it. They're just not going to say that out loud.
---
The Concept That Should Terrify Every Compliance Officer
In 2015, Tim Urban published a thought experiment on Wait But Why that hasn't gotten nearly enough attention from anyone writing compliance policy.
He called it the "Die Progress Unit," or DPU. The idea is simple: how many years of technological progress would you need to compress into an instant to kill a person from the past from sheer shock?
Take a farmer from the year 1500. Transport him to 1750. He'd see bigger cities, better ships, some mechanical innovations. He'd be impressed. He would not die from shock.
Now take someone from 1750 and transport them to 2000. Skyscrapers. Airplanes. Nuclear weapons. Television. The internet. A glowing rectangle in every pocket that connects to the sum of all human knowledge. That person might not survive the experience. That's roughly 250 years of compressed progress, enough to be lethal.
Here's where it gets uncomfortable. The DPU is shrinking.
In 1750, you needed 250 years of progress to produce that effect. By 2000, the interval was shorter. By 2025, some reasonable estimates put the DPU at 10 to 15 years. The amount of progress required to fundamentally overwhelm a human's ability to process reality is compressing at an accelerating rate.
Your compliance framework was written for a 250-year DPU world. Regulators draft laws over multi-year legislative cycles. Comment periods run 60 to 180 days. Implementation timelines stretch 12 to 24 months after passage. The system assumes technology evolves slowly enough for this cadence to work.
That assumption is dead. Nobody updated the paperwork.
The Chimp and the Skyscraper
There's an analogy I keep coming back to.
A chimpanzee can see a skyscraper. Walk around it. Touch the glass. Push against the concrete. It can experience the building through every available sense.
What it cannot do is understand that another creature designed and built it. That concept doesn't exist in its cognitive architecture. The chimp lacks the mental framework to process the idea of intentional, collaborative construction at that scale.
When people tell me "I understand AI," I think about the chimp.
We can use the tools. We can see the outputs. We can type prompts and get responses and feel a sense of mastery. But most of us, including a large number of the people making billion-dollar deployment decisions, cannot comprehend what is actually happening inside these models. The mathematical operations, the emergent behaviors, the patterns arising from training processes we designed but don't fully control.
I've sat in boardrooms where C-suite executives approved six-figure AI deployments after a 20-minute demo. They could describe what the tool did. They could not explain how it did it. They were the chimp, making decisions about the skyscraper.
We're building compliance frameworks from the same position. The people writing your compliance rules can use ChatGPT. They've seen the demos. They understand the outputs at a surface level. They do not understand the mechanism. They're writing rules for a machine they can describe but cannot explain.
The Regulatory Speed Problem
The EU AI Act took roughly four years from proposal to passage. In those four years, GPT-2 became GPT-4, image generation went from blurry curiosities to photorealistic output, and autonomous AI agents went from research papers to production deployments.
The law that passed in 2024 was written for the technology that existed in 2021. By the time the first enforcement actions hit in 2026, the technology will have moved at least two more generations ahead.
This is not a failure of intent. Regulators are working as fast as a legislative system designed in the 18th century allows. Comment periods exist for good reason. Stakeholder input matters. Deliberation prevents bad law.
But the system was built for a world where the gap between "new technology appears" and "that technology reshapes the economy" was measured in decades. Email was invented in 1971. Widespread business adoption didn't happen until the mid-1990s. Legislators had 20 years to figure out spam laws.
ChatGPT launched in November 2022. Within 18 months, it had restructured knowledge work across every sector. Legislators didn't get 20 years. They got 20 months, and the technology kept changing while they were drafting.
The Colorado AI Act (SB 205) was passed in May 2024. By February 2025, the state had already delayed enforcement and convened a task force to study whether the law they just passed actually made sense for the technology it was supposed to regulate. The law was outdated before the ink dried.
Here's the provocative claim I'll stand behind: any AI regulation written today will be functionally obsolete before its first enforcement action. Every single one. The regulatory apparatus cannot move fast enough. The question is whether your compliance program can.
What This Means for Your Business
If you're waiting for regulation to tell you how to deploy AI safely, you'll still be waiting when your competitors are two product cycles ahead. And when the regulation finally arrives, it will target technology that already aged out.
This creates a specific and quantifiable business problem.
Compliance built on current regulation is compliance built for yesterday's technology. The NIST AI RMF, the EU AI Act's risk classifications, and the emerging state-level frameworks in Colorado, New York, and Illinois all target specific capabilities and risk profiles. Those capabilities change faster than the regulatory cycle can track.
The gap between "compliant" and "responsible" is widening. You can be technically compliant with every current AI regulation and still be deploying systems with significant unaddressed risk. The regulations haven't caught up to the risk surface. Being compliant and being safe are diverging.
Regulatory uncertainty is itself a business cost. When you don't know what the rules will be in 18 months, every deployment decision carries additional risk. Do you build for the current framework and potentially need to rebuild? Do you build for anticipated regulation and potentially over-engineer? The uncertainty tax is real and it compounds.
The DPU Compliance Framework
If the regulatory system can't keep pace with the technology, your internal compliance architecture needs to move ahead of both. Here's what that requires:
Principle-Based Governance Over Rule-Based Compliance
Rules tell you what to do. Principles tell you what outcome to achieve. In a fast-moving technology environment, principles are more durable.
Instead of "all AI outputs must be reviewed by a human before delivery to customers" (a rule that may be appropriate today and absurd in 18 months), adopt "AI outputs affecting customer outcomes must meet the same quality and accuracy standards as human-generated outputs, with appropriate verification mechanisms."
The principle survives the technology shift. The verification mechanism evolves with it.
Technology-Agnostic Architecture
Your AI compliance framework should not be written for GPT-4 or Claude 3 or any specific model. Write it for the capability class. What does the system do? What decisions does it make or influence? What data does it access? What's the blast radius if it fails?
Models will change. Capabilities will expand. Your governance framework should evaluate new capabilities against a consistent risk matrix, not get retrofitted every time a new model launches.
Internal Red Teaming on a Fast Cycle
If the DPU is 10 years and shrinking, your compliance review cycle needs to be faster than annual. Quarterly internal assessments, at minimum, that specifically ask: What has changed about our AI capabilities since last review? What new risks have those changes introduced? Are our controls still appropriate?
This is the compliance equivalent of continuous integration in software development. Small, frequent assessments catch drift before it becomes a gap.
Preemptive Documentation
When the regulation does arrive (and it will), you want to demonstrate that your organization was already operating above the standard. Document your AI governance decisions, your risk assessments, your deployment evaluations, and your control mechanisms now.
The organizations that will navigate regulatory uncertainty best are the ones that can show regulators a principled, documented approach to AI governance that predates the regulation. The difference between "we scrambled to comply after the law passed" and "we've been operating this way for two years" is the difference between a fine and a commendation.
DPU Compliance Checklist
Use this to evaluate whether your compliance program can survive in a 10-year DPU world:
Architecture:
- [ ] Governance framework is principle-based, not rule-based
- [ ] Compliance policies reference capability classes, not specific vendors or models
- [ ] Switching AI providers requires config changes, not a compliance rewrite
Cadence:
- [ ] AI risk assessments happen quarterly or faster
- [ ] Compliance review triggers automatically when new AI capabilities deploy
- [ ] Regulatory monitoring covers all operating jurisdictions, updated monthly
Documentation:
- [ ] AI governance decisions are documented with rationale, not just outcomes
- [ ] Deployment evaluations exist for every AI system in production
- [ ] Documentation predates regulatory requirements (proving proactive posture)
Resilience:
- [ ] Compliance framework survived the last major model update without rewriting
- [ ] Team can articulate governance principles without referencing specific regulations
- [ ] Incident response plan accounts for AI capabilities that don't exist yet
If you checked fewer than 8 of 12, your compliance program was built for a 250-year DPU. You're living in a 10-year one.
The Uncomfortable Truth
The DPU is shrinking and the regulatory cycle isn't accelerating to match. That gap will persist for at least the next several years. Possibly longer.
Every organization deploying AI is operating on a regulatory frontier. The rules that will eventually govern your AI use haven't been written yet. When they are written, they'll target technology that's already outdated by the time the enforcement mechanisms activate.
Waiting is not a strategy. The organizations that build principled, documented, technology-agnostic AI governance frameworks now will have a structural advantage when regulation catches up. They'll already be in compliance with rules that haven't been written, because they built for outcomes instead of checklists.
The chimp can't understand the skyscraper. But it can learn to navigate around it safely. You may not fully comprehend the technology you're deploying. Nobody does. But you can build governance systems that account for that uncertainty, systems that prioritize safe outcomes over specific technical controls.
That's what building for a 10-year DPU looks like. And that's the world we're in now.
---
Kaizen AI Lab builds AI governance frameworks designed to outlast the next three regulatory cycles. We help organizations move ahead of compliance instead of chasing it.
Take the AI Compliance Readiness Assessment: acra.kaizenailab.com
Learn more: kaizenailab.com
Book a call: cal.com/dhoesq/kaizen