Navigating AI Compliance: Building Foundations for Future Success

Organizations face a strategic choice between building or buying AI capabilities, but the key to compliance and success lies in understanding AI's purpose, managing risks and maintaining disciplined oversight. Fundamental principles like data control and explainability are more critical than regulatory specifics.

Key Highlights

  • Regulatory divergence across regions often masks common goals: protecting citizens and their data, and ensuring responsible AI use.
  • Strong governance foundations — clear policies, oversight and explainability — are essential before adapting to regulatory changes.
  • Vendor risk management has become crucial, requiring organizations to scrutinize AI capabilities and data practices of third-party providers.
  • Focus on three core priorities: get the data right, preserve deterministic logic, and control the AI environment to ensure compliance and accountability.
  • The build versus buy debate is less important than understanding and managing AI risks, regardless of how capabilities are developed or acquired.

As governments race to establish rules for artificial intelligence, many enterprise leaders find themselves navigating an increasingly complex compliance landscape. The European Union's AI Act, General Data Protection Regulation (GDPR) requirements, state-level legislation in the U.S., and a growing collection of industry-specific guidance have created what many describe as a fragmented patchwork of regulations. For CIOs and technology leaders, the challenge can seem daunting: How do you stay compliant when the rules are still being written?

Yet the regulatory complexity may be distracting organizations from a more important reality. While the language, scope and enforcement mechanisms may differ across jurisdictions, many AI regulations are ultimately trying to solve the same fundamental problems. Organizations that focus on strong governance foundations rather than chasing individual regulations may find themselves better prepared for whatever comes next.

That perspective comes from Arron Lamp, CIO of Tokio Marine HCC's Public Risk Group. At the 2026 Insurtech Insights USA Conference, Lamp participated in a fireside chat exploring a critical question facing enterprises today: What is holding back large-scale AI deployments? In a subsequent one-on-one interview, he argued that while regulatory frameworks may continue to evolve across jurisdictions, the organizations most likely to succeed will be those that establish strong governance foundations, understand their data, and maintain clear accountability for how AI is used throughout the business.

Why AI compliance starts with shared regulatory goals

When asked about the growing divergence between U.S. and European approaches to AI regulation, Lamp offered a perspective that may surprise many executives.

"I don't see a big divergence, honestly," he said. "I think regulators are trying to protect citizens, protect data and accomplish the same basic things."

From Lamp's perspective, the underlying questions remain remarkably consistent regardless of geography. Organizations must determine whether they are exposing customer data, making decisions that affect individuals or processing information in ways that create risk or adverse outcomes. While different jurisdictions may establish different requirements for achieving those goals, the objectives themselves remain largely unchanged.

This viewpoint challenges the common narrative that organizations must build entirely different compliance strategies for every region in which they operate. Instead, Lamp argues that leaders should focus on understanding the principles driving regulation rather than becoming overly consumed with individual rules.

Governments, after all, are attempting to address a common concern: AI systems can access, process and leverage data in ways that are fundamentally different from previous generations of software. The technology introduces new questions around transparency, accountability and decision-making that regulators are still working to answer.

For CIOs, that means the most important compliance question may not be "Which regulation applies?" but rather "Can we explain and defend what our AI systems are doing?"

Why AI governance must come before regulatory flexibility

As regulations evolve, many organizations are looking for ways to remain flexible. But according to Lamp, flexibility is not the starting point. The first priority is governance.

Organizations need clear AI policies, standards, review processes and evaluation criteria before they begin worrying about how future regulations may change. In many ways, AI governance resembles traditional technology governance disciplines: understanding risk, establishing controls, documenting decisions and maintaining oversight.

A key part of that process is ensuring that organizations can explain their AI systems in practical terms. Can leaders clearly articulate what a tool does? How it works? Why it produces certain outcomes? And perhaps most importantly, are they comfortable with those outcomes?

"The basics probably won't change a lot," Lamp explained. "Don't do something you can't defend. Don't use data you shouldn't use. Don't make decisions with technology that hasn't been approved to do so."

That philosophy highlights a reality that many organizations are beginning to discover. Regulatory requirements may evolve, but the need for explainability, accountability and auditability is unlikely to disappear.

The organizations most likely to struggle with future compliance obligations may not be those facing the most regulation. They may be the ones that never established governance foundations in the first place.

How AI is changing vendor risk management

The rapid adoption of AI has also transformed how organizations evaluate technology vendors. Five years ago, vendor due diligence rarely included questions about large language models, generative AI systems or machine learning capabilities. Today, those conversations have become essential.

At nearly every technology conference, vendors are eager to showcase AI-powered features and capabilities. While those innovations may create new opportunities, they also introduce new compliance considerations.

For CIOs, understanding what a vendor's AI capabilities actually do has become just as important as understanding the service being provided.

Organizations should be asking questions that were largely irrelevant only a few years ago:

  • Does the product use AI or large language models?
  • How is customer data processed?
  • What controls exist around data access and retention?
  • How are outputs monitored and validated?
  • What governance processes exist behind the scenes?

Lamp argues that organizations should hold vendors to the same standards they would apply internally.

"You shouldn't have any vendor doing something differently than you would do it yourself," he said.

That mindset is becoming increasingly important as AI capabilities become embedded in software platforms, productivity tools and third-party services throughout the enterprise.

How data, logic and control support AI compliance

For organizations that feel behind, Lamp recommends focusing on three core priorities.

First, get the data right. Data quality, ownership, governance and access controls form the foundation of every successful AI initiative. Poor data governance inevitably becomes poor AI governance.

Second, preserve deterministic logic. Organizations need a clear understanding of which decisions should remain governed by established business rules and which can be influenced by AI systems. Not every decision should be delegated to a model.

Third, control the environment. That includes controlling access to data, monitoring model behavior, establishing review processes and maintaining oversight of how AI systems operate in production environments.

Interestingly, Lamp rejects the notion that AI represents an entirely new governance challenge. Instead, he sees it as an extension of disciplines organizations have been managing for years through predictive analytics, modeling and risk management programs.

The principles remain largely the same. The scale and visibility have simply increased.

Why AI governance responsibility does not stop with vendors

One of the most common strategic questions organizations face is whether to build AI capabilities internally or rely on third-party vendors. According to Lamp, that may be the wrong question.

Whether an organization builds, buys or rents AI capabilities, the governance responsibility remains unchanged. Leaders must still understand what the technology does, how it works and what risks they are accepting.

"AI for the sake of AI is not a good thing," he said.

Instead of focusing on the source of the technology, organizations should focus on whether they understand its purpose, limitations and business impact.

That same discipline extends to broader executive decision-making. Lamp cautions against viewing AI as an arms race where every new capability must be adopted immediately. The more effective approach is to identify where AI creates meaningful business value and apply it thoughtfully.

Like any technology tool, AI excels in certain use cases and falls short in others. The organizations that succeed will not necessarily be those deploying the most AI. They will be the ones deploying it where it makes sense.

Why future AI compliance depends on today’s governance basics

When asked what AI compliance might look like three years from now, Lamp offered a candid answer: nobody really knows.

What he does know is that organizations will learn from experience.

He compares future AI governance to highway guardrails. Guardrails are installed because someone, somewhere, drove off the road. Over time, organizations and regulators will accumulate real-world examples of AI failures, near misses and unintended consequences. Those experiences will shape future controls and governance expectations.

In the meantime, CIOs should resist the temptation to chase every new regulatory headline.

The future of AI compliance may not depend on mastering an ever-changing collection of regulations. It may depend on something far less glamorous: strong data governance, clear oversight processes, disciplined vendor management and a commitment to understanding how AI systems actually work.

In other words, the future may belong not to the organizations with the most sophisticated AI strategies, but to those that get the boring basics right.

About the Author

Jess Mand

Contributor

Jess Mand is an award-winning communications strategist and founder of INDEMAND Communications, where she helps organizations translate complex ideas into clear, compelling narratives that drive connection and action. She partners with Fortune 500 companies, growth-stage firms, and mission-driven organizations to design communication strategies, content programs, and experiential campaigns that engage employees and elevate leadership messages. Known for her creative storytelling and pragmatic approach, Jess brings a rare blend of strategic insight and human-centered perspective to every project she leads.
