AI may be a boon if companies can absorb indirect “compliance taxes.”
In the follow-up of Latest News Weekly Podcastpanelists Ameya Kanitkar, CTO of Raridin, and Eddie Taliaferro, Director of Enterprise Governance, Risk and Compliance and Data Protection Officer at NetSPI, explained how the cost of regulatory compliance can hinder some AI plans.
Policies aimed specifically at putting guardrails around AI are still under discussion in many jurisdictions. trump administration finally issued a national legal framework Meanwhile, data privacy regulations such as the European Union’s GDPR are already intersecting with this technology. Kanitkar said the costs associated with GDPR compliance could widen the gap between large companies with the financial wherewithal to pay and those still grappling with profitability and growth. The duplication and variation of these rules creates a costly and uneven compliance environment.
“It actually makes an already strong company even stronger,” he says.
Compliance challenges for AI are different and more volatile than traditional obligations because of the speed of the technology and the risks it poses, Kanitkar said. Regulation is necessary, but instead of hindering corporate innovation, it can slow it down.
“At least we understand what privacy is. With AI changing the landscape so rapidly, well-intentioned compliance laws can still backfire,” he said.
At the same time, the lack of clear rules creates uncertainty, leaving companies unsure of how aggressively they should invest in or deploy AI.
Part of the problem lies in the fundamental difference in thinking between policymakers who work on legislation for multiple years and fast-moving startups that shift gears within weeks. “We’re at that week’s stage with all AI, so there’s a huge gap between the two in terms of spec,” Kanitkar said.
Ameya Kanitkar, CTO at Larridin (left) and Eddie Taliaferro, Director of Enterprise Governance, Risk and Compliance and Data Protection Officer at NetSPI (right)
Businesses may already be shunning violations of policies such as GDPR, which can result in fines of up to 4% of global revenue for data privacy breaches. Adding AI to the mix can create new challenges. “Companies tend to be much more conservative in how they deal with this issue, which means everything is slower, everything is more bureaucratic, and everything requires approval,” Kanitkar said.
He said the pace of change in AI models and their capabilities makes it unclear what will be regulated. Kanitkar argued that laws based on principles, rather than language specifically targeting AI, could be more effective. “You could have a law that says, ‘OK, no mass surveillance, please protect your privacy.’ That’s true regardless of law or technology,” he said.
On Friday, the United States confirmed for the first time the framework issued by the White House. The framework aims to replace state laws on AI, but still requires Congress to draft actual legislation. The effort reflects pressure, particularly from big tech companies, to establish national standards and pre-empt a patchwork of stricter state-level rules.
Meanwhile, Taliaferro noted that state-level regulation of AI has already begun, and in some cases is already in place. “If you’re a US company and you’re dealing with customers in California, Texas, Michigan, New York, they’re going to have their own AI governance regulations, and you’re going to have to learn how to adapt to that,” he said.
Further AI policies may be in the works in overseas jurisdictions, he said, as Brazil, China and the United Arab Emirates have also developed their own regulations and requirements.
Given the compliance costs of disaster, security, and other necessary coverages from a financial and risk management perspective, the potential impact on companies may extend beyond just deploying technology resources, Taliaferro said. “From an administrative standpoint, let’s say you don’t have controls in place. Or maybe you don’t have a specific person in charge of information security. These are additional costs that you incur to comply with regulations.”
This policy may feel a little familiar, as GDPR and other regulatory updates take into account AI risks such as hallucinations and where the AI training data comes from. “When we talk about AI governance and the risks associated with using AI, we’re really thinking about data privacy,” Taliaferro says.
Despite potentially knowing their compliance intentions, some companies may still complain about the additional costs when considering various AI tools and training. “They don’t really know what direction they want to go in. They know they have to. I know AI is in the spotlight. AI is here… but they lack the right direction on how to go.”
