How to Address Upcoming Regulatory Compliance Requirements for GenAI Security

Just when you thought managing the data security risks around GenAI and getting a handle on growing shadow GenAI were enough, here comes a new wrinkle.
Regulatory and legal demands for securing GenAI are increasing, and organizations will soon need to demonstrate how they handle the risks associated with it. The EU Artificial Intelligence Act (EU AI Act) is the clearest early indication. It explicitly labels specific AI applications as “high risk” and imposes strict requirements for transparency, accountability, and human oversight. Penalties for noncompliance are meant to be punitive, calculated as percentages of global revenue rather than flat fines. For multinational companies, this shifts AI governance from a best practice to a legal obligation, with serious repercussions for noncompliance.
In the United States, the Federal Trade Commission (FTC) has made it clear that AI use will be scrutinized under its mandate to prevent “unfair or deceptive practices.” This means companies cannot hide behind technical complexity. If customers or employees are misled about how their data is managed, or if AI poses undisclosed risks, executives may be held responsible.
Early enforcement actions have already demonstrated that regulators are willing to make examples of companies that act too quickly without proper controls. For example, the FTC took action against DoNotPay, a company that promoted an AI tool as a “robot lawyer” capable of generating valid legal documents and expert legal guidance, finding that the company’s claims about the capabilities of its AI were false or misleading and violated Section 5 of the FTC Act. In another instance, the FTC required Everalbum, Inc., to destroy AI models and algorithms built using consumer photos collected without proper consent – a direct penalty for using data in ways that diverge from user consent and legal expectations.
At the state level, California and New York are leading a wave of AI and privacy laws that build on existing frameworks, such as the California Consumer Privacy Act (CCPA). These laws align with broader privacy requirements, requiring businesses to treat AI governance and data privacy as a single, integrated program.
The collision is already apparent. Today, a consumer can request under GDPR or CCPA that their personal information be removed from a company’s systems. However, there is no equivalent process to request the removal of data once it has been ingested into a GenAI model. The lack of a “delete-my-data-from-your-model” option will soon become a point of contention between regulators and businesses.
Why Compliance Feels Harder This Time
At first glance, regulating AI doesn’t seem much different from previous compliance challenges. However, GenAI governance introduces a new complication – unpredictability. The boundary between harmless and harmful isn’t always clear. A single prompt can disclose proprietary information, and one output can carry confidential content into places it doesn’t belong. Traditional controls, such as DLP and permissions audits, weren’t designed for this level of speed or complexity.
For GDPR compliance, the focus was on privacy. The tasks were straightforward – identify personal data, implement controls, and document compliance. GenAI, however, complicates matters because it’s less about the data itself and more about how that data is transformed, remixed, and revealed in unexpected ways. Organizations face risks such as Copilot exposing sensitive spreadsheets stored in SharePoint, employees pasting proprietary code into ChatGPT to debug scripts, and AI-generated outputs that contain just enough context to leak confidential information.
Traditional tools were not designed to handle GenAI security risks and compliance issues. DLP rules overlook nuance. Permissions audits struggle to keep up with collaboration. And shadow AI means activity occurs outside approved tools altogether.
What Security Leaders Can Do Now
The upcoming regulatory challenge feels daunting, but it doesn’t have to be overwhelming. The first step is to reframe the problem. GenAI isn’t a new, risky category; it’s a booster. It amplifies existing issues – such as excessive data permissions, poor classification, and limited visibility – making them more dangerous. Tackling those risks can help meet GenAI compliance requirements.
CISOs should prioritize building strong foundations over perfect policies to better meet future regulatory demands. This includes gaining visibility into AI use, applying context-aware data classification, and creating adaptive policies that balance security with productivity.
The organizations that succeed won’t be those with the most rulebooks and commandments; they’ll be those with a clear understanding of what’s happening, combined with protections that meet compliance requirements. Here are key steps to follow:
- Assess visibility. Identify where GenAI is in use, including shadow GenAI. Avoid waiting for an incident to discover that finance has been pasting forecasts into ChatGPT.
- Classify using context. Go beyond regex or filenames. Semantic classification helps identify whether plan_final.docx is harmless or highly sensitive.
- Tighten permissions. Least privilege shouldn’t be optional; it’s essential to maintain compliance and prevent Copilot from exposing sensitive board minutes to an intern. Overshared folders are a common source of risk and future compliance violations.
- Treat outputs like inputs. AI-generated text can leak just as easily as prompts. Audit and monitor how it is shared downstream.
- Develop adaptive compliance strategies. Policies written today may become ineffective in six months.
For executives, the message is clear. Regulatory pressure is advancing faster than many expect, and waiting for standards to settle is not a feasible plan. Governance frameworks must be put in place now, not only to reduce risk but also to demonstrate to regulators, customers, and boards that AI adoption is deliberate and responsible.













