AI Regulation Readiness: A Guide for Businesses

By Matt Hillary, Drata

In case you missed it, regulators around the world are hard at work defining acceptable use rules that will guide and impact the way businesses incorporate and build artificial intelligence (AI) technology into their internal operations and customer-facing SaaS platforms. For now, most such regulations remain drafts, but it's a safe bet that the day when they enter into full force is fast approaching.

That's why now is the time for businesses to think about how they'll approach building in these requirements, and which corporate security and data collection policies they'll need to implement to remain in compliance during this momentous shift in the AI landscape.

The good news for business leaders and compliance teams is that, in general, AI regulations aren't actually likely to require major material changes. Organizations that already have healthy data privacy and security practices in place are likely to find themselves well-positioned and almost future-proofed to meet AI compliance mandates.

On the other hand, AI regulations do present some novel challenges, and it would be a mistake to assume that having a strong track record of complying with other regulations means your business is prepared for AI compliance, too.

Related:AI Basics: A Quick Reference Guide for IT Professionals

With all of the above in mind, here's what business decision-makers and compliance officers should be thinking and doing today to respond proactively to AI compliance mandates.

The State of AI Compliance Regulations

The first thing to note about AI compliance today is that few laws and other regulations are currently on the books that impact the way businesses use AI. Most regulations designed specifically for AI remain in draft form.

That said, there are a host of other regulations — like the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and the Personal Information Protection and Electronic Documents Act (PIPEDA) — that have important implications for AI. These compliance laws were written before the emergence of modern generative AI technology placed AI onto the radar screens of businesses (and regulators) everywhere, and they mention AI sparingly if at all.

But these laws do impose strict requirements related to data privacy and security. Since AI and data go hand-in-hand, you can't deploy AI in a compliant way without ensuring that you manage and secure data as current regulations require.

This is why businesses shouldn't think of AI as an anything-goes space due to the lack of regulations focused on AI specifically. Effectively, AI regulations already exist in the form of data privacy rules.

Related:AI Quiz 2024: Test Your AI Knowledge

It's worth noting, too, that most of the draft AI regulations proposed to date focus on the same general principles — like data privacy, fairness, transparency, and acceptable use — that are at the heart of the regulations I mentioned above. They don't really introduce any fundamentally new requirements.

How to Comply with AI Regulations

The above means that, by and large, organizations that already have healthy compliance, privacy, and security practices in place in their software development lifecycle will find themselves well-equipped to meet AI compliance regulations. You're likely in a good position to comply with AI regulations if your business — as well as any vendors or partners who process data that your business collects or stores — adhere to practices like the following:

It will be important to assess the details of AI regulations as they come online, of course, to determine whether they impose any additional or more specific rules. But in general, having strong privacy, security, and transparency practices surrounding data as a whole means you'll be able to meet those requirements in the context of AI.

Best Practices for Navigating AI Compliance Challenges

That said, there are certain special challenges or hurdles that businesses will likely face to comply with AI regulations. None of them requires deviating from the foundational data transparency and management practices I described above; nonetheless, it will likely prove important for businesses to have plans in place for addressing these challenges as they increasingly adopt AI solutions.

1. Manage data collection and processing by new AI technology

The adoption of AI will lead to a technology infusion for many businesses as they deploy new types of AI-powered solutions. Some of these solutions will collect or process data in novel ways.

For example, a chatbot that accepts open-ended input from users may end up collecting all manner of personal data that users enter into it. Compared with traditional technology, where businesses could typically define ahead of time which types of data input by users were allowable, this creates a novel challenge because users could potentially enter personal information that the business had no intention of collecting.

In this case, monitoring for sensitive data and processing it (or, if appropriate, deleting it altogether) within chatbot conversations would be an important prerequisite for using AI chatbots in a compliant way. Doing so would require new types of data controls, like the ability to monitor user prompts during chatbot conversations.

2. Balance user experience with privacy and compliance

While managing novel types of AI-related data privacy and security risks, businesses will also need to decide to which extent they will allow compliance to take priority over the user experience.

For instance, to go back to the chatbot example, imagine that you automatically block certain words or phrases within user prompts in a bid to reduce the types of sensitive data you may inadvertently end up processing. This might reduce your compliance risks, but it could also undercut the user experience if it makes it more difficult for users to interact with the chatbot.

While there are no hard-and-fast rules about how to strike the right balance, businesses will need to think about where to draw the line between privacy and user experience based on the unique context of each AI tool deployment.

3. Manage user expectations

No matter how well you comply with AI regulations, you might still find that your users are frustrated by the way you put their data to work within AI applications or services.

For example, users may not take issue with their personal information being analyzed to help drive targeted marketing campaigns, but some might be more wary of the idea of having their data used to train an AI model simply because AI feels newer and more threatening to them.

To help manage expectations and avoid situations where users become frustrated — and to stay on the right side of compliance mandates related to data transparency — being open with users about how you use their data will be critical.

The bottom line: Integrity remains the foundation for responsible use of data in any compliance context — whether you're talking about regulations that target AI specifically or data privacy laws in general. This makes it critical for businesses that already have healthy data privacy hygiene in place to continue adhering to solid practices — and it makes it doubly important for those that don't to update their processes, lest they find themselves in violation not just of the more traditional data privacy laws, but also of novel AI regulations.

About the author:

Matt Hillary is the CISO at Drata.