AI is moving faster than regulation, and that creates opportunities and risks for compliance teams. While governments work on new rules, businesses cannot sit back and wait.
In this Help Net Security video, Matt Hillary, CISO at Drata, look at how AI is changing the role of governance, risk, and compliance, from handling sensitive data to making compliance a continuous, adaptive process.
Are regulators moving fast enough to address the risks and opportunities AI brings to compliance?
Regulators are making progress, but the speed of AI innovation continues to sprint ahead. This gap means risks are already surfacing before formal guardrails are in place. Because GRC is central to growth and trust, organizations can’t wait for regulation to catch up. Leaders now expect GRC programs to go beyond risk mitigation — serving as trusted advisors that unlock new markets, shorten sales cycles, and reinforce trust at scale.
Frameworks like NIST AI RMF and ISO 42001 already provide structured ways to manage AI risks, and many of their principles (i.e., transparency, explainability, continuous oversight) are likely to shape future laws. By adopting these now, organizations not only prepare for eventual regulation but also demonstrate proactive trustworthiness. In short: while regulators will provide direction over time, businesses must act now as though those standards are already here.
How should compliance teams prepare for the fact that AI-specific regulations will likely differ across jurisdictions?
AI-specific regulations will vary widely across jurisdictions, much like privacy laws. To prepare, compliance teams should adopt a “global-first, local-fast” mindset: establish a foundation in universal principles, then adjust quickly as local requirements emerge.
Since AI risks are inherently global, applying proven risk management practices (identify, assess, mitigate, and monitor) provides stability across geographies. This is most effective when security, compliance, and privacy converge into a principle-based, collaborative framework, enabling organizations to scale and adapt without overhauling their core approach every time a new rule appears.
Finally, compliance programs must embrace risk adjustment. Just as real-time data reshapes risk assessments, compliance cannot rely on annual reviews alone. Programs must remain living, flexible, and continuously adaptive to keep pace with evolving threats, regulations, and public expectations.
How does AI change the way compliance teams must handle data privacy requirements, especially with sensitive or regulated datasets?
Traditional systems process data in predictable, well-defined ways, often with identifiable and discoverable attributes. By contrast, AI can process massive datasets in opaque ways, creating new questions about where and how data is stored and used. Leaders must ensure models are unbiased, accountable, and transparent, with oversight extending beyond initial deployment.
First, there’s the ethical and privacy dimension. AI systems must be unbiased, transparent, and accountable. Achieving that requires both human oversight and an understanding of the data elements fueling AI training and operations. Second, there’s the challenge of data lineage and purpose limitation. Leaders need to know not just where data resides, but how it flows into AI models and what those models are allowed to do with it. Sensitive or regulated data should not be used in training or inference without explicit justification.
Perhaps most importantly, validation can’t be a one-time exercise. AI models evolve as they’re trained, meaning both the data and overarching privacy practices must be continuously assessed. Ongoing monitoring and review are essential to ensure lawful and appropriate use over time.
What steps should compliance officers take to validate that AI-driven data processing aligns with data minimization and lawful use principles?
As with any other technology, organizations must know which data elements train their AI models, which elements the models can reference or retrieve, and how those elements are codified. This is much like creating a data dictionary for personal information stored, processed, or transmitted by the organization.
From there, compliance officers should ensure visibility into how and where AI is used across the business. AI can already support this through evidence collection and real-time compliance reporting, helping teams detect gaps and misaligned uses faster than manual methods. Because AI models evolve, validation must be ongoing. This requires continuous monitoring to confirm that data use remains lawful and appropriate over time.
Will AI make compliance easier, harder, or simply different? Why?
The honest answer is all three. AI will make compliance harder because it introduces new risks and new compliance frameworks. These risks, and the controls required to mitigate them, include bias in decision-making, data leakage at scale, and a lack of explainability in model behavior. It forces compliance teams to grapple with issues they’ve never faced before.
At the same time, AI will make compliance easier by streamlining many of the most time-consuming tasks. Risk assessments, evidence collection, audit preparation, and third-party questionnaires can all be accelerated with automation and intelligent analysis. What once took days or weeks can now take hours or even minutes. The use of agentic AI will further expand the capabilities of lean GRC teams to meet growing demands.
But most importantly, the compliance world itself is changing on a larger scale. Instead of point-in-time snapshots and periodic reviews, compliance is becoming a continuous, adaptive discipline that is supported by automation and AI. Real-time data enables continuous risk assessment and dynamic adjustment. Compliance shifts from a back-office function to a live process that evolves as quickly as the risks it seeks to mitigate.
Source link
