COMMENTARY: We’re in a year that’s rapidly defined itself by what it isn’t: clear, predictable, or federally aligned, when it comes to AI and data privacy regulations.When President Donald Trump took office in January, one of his first moves was to revoke President Joe Biden’s executive order (EO) that regulated AI. In its place, Trump signed a new directive that sought to deregulate AI development.If Biden’s EO was about guardrails, the current administration focuses on acceleration.The pendulum swing between these two administrations has created a kind of policy whiplash, especially for security, privacy, and compliance leaders tasked with interpreting what’s enforceable, what’s symbolic, and what’s coming next.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]One of the stark realities facing CISOs and governance, risk, and compliance (GRC) leaders has been the growing disconnect between federal ambition and practical compliance.With federal regulators like the FTC and CFPB facing budget cuts and reduced authority, it’s highly unlikely we’ll see comprehensive federal data privacy legislation in 2025.The chances are virtually nil. Since 2018, Congress has introduced five major legislative data privacy proposals intended to unify the country’s patchwork of state regulations. Each attempt has fizzled in committee, even as pressure from the private sector grows for a single, unified standard.On the AI front, now that the House’s attempt to impose a 10-year moratorium on state-level enforcement of AI regulations was blocked 99-1 by the Senate, many other states may move forward on AI regs. Without the AI moratorium, the regulatory spotlight has shifted to the states – and it's anything but uniform. Across the country, lawmakers are introducing a wave of privacy and AI bills, each with its own definitions, obligations, and enforcement mechanisms.For enterprise organizations investing heavily in AI, this creates a tangled web of state-by-state requirements that are often overlapping, occasionally conflicting, and always evolving. Here are just a few of the more consequential state efforts currently in motion:In short, enterprise organizations investing in AI don’t have the luxury of charting their compliance course on a well-defined map. Rather, they’re plotting their routes across a patchwork of shifting terrain. And the burden has fallen squarely on the shoulders of their GRC and security teams to strike the right balance between enabling innovation and enforcing proper oversight.The rest of 2025 will in all likelihood remain a regulatory gray zone for AI. But the reputational and legal risks of noncompliance are very real. We’ve already seen the CPPA levy substantial fines over inadequate consent mechanisms and opaque data flows. Organizations that treat AI governance as a legal checkbox will fall behind. Those that integrate security, privacy, and compliance into a unified data intelligence layer will be best positioned to innovate responsibly.Regardless of what happens with all these conflicting laws, companies shouldn’t just sit on their hands. Doing the right thing with AI and data governance isn’t just good business. It helps build trust, keeps the business ahead of the curve, and pays off in the long run, regardless of what the regulations might eventually mandate.Jack Berkowitz, chief data officer, SecuritiSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
- California AB 2930: This proposed bill would require developers and deployers of automated decision systems (ADS) to conduct impact assessments before deployment and annually thereafter. It also mandates user notification when ADS plays a substantial role in consequential decisions – think hiring, lending, or medical determinations. If risks of algorithmic discrimination are identified, deployment must halt until mitigated.
- Colorado Artificial Intelligence Act SB 24-205 (CAIA): Enacted in 2024 and taking effect in 2026, CAIA imposes strict obligations on developers and deployers of “high-risk” AI systems such as those used in decisions related to employment, education, housing, healthcare, and financial services. The law requires impact assessments, transparency disclosures, and affirmative measures to prevent algorithmic discrimination and mandates that consumers be notified when an AI system plays a significant role in a consequential decision.
- New York AB 3265 – The “AI Bill of Rights”: This broad proposal includes the right to opt out of automated systems, mandates human fallback and appeal processes, and introduces protections against abusive data practices. If passed, it would redefine how AI can be used in consumer-facing contexts within the state.
- The EU AI Act: While not a state bill, the EU AI Act looms large for global companies. It introduces tiered risk classifications for AI systems, with compliance obligations scaling from transparency requirements to outright bans. With deadlines beginning to take effect, international organizations are now juggling cross-border obligations with little harmonization.
Three ways to stay ahead in an uncertain regulatory climate
Here are three best practices that will help enterprise security and GRC teams better navigate a confusing regulatory environment:- Connect the dots in the organization’s AI stack: In the age of generative AI, visibility isn’t just about knowing where sensitive data lives. Rather, it’s about understanding how that data flows into and powers the organization’s AI systems. As enterprises integrate AI across their operations, they need complete observability into the full data pipeline: from source systems and vector databases to training datasets, models, prompts, and responses. Mapping these interconnections – often referred to as data lineage – is essential for building trust, enforcing policy, and avoiding unintended consequences. By establishing a real-time knowledge graph of AI interactions and data provenance, organizations gain the ability to monitor usage, detect policy violations, and ensure AI systems remain compliant, secure, and aligned with internal governance frameworks.
- Bring order to unstructured chaos: Unstructured data is increasingly being ingested by LLMs and other GenAI models, yet remains the least governed part of many environments. Emails, chat logs, documents, and even videos can contain sensitive personal or regulated data. Conventional data protection tools weren’t designed to parse this complexity, but next-generation data security posture management (DSPM) tools can classify and flag this information before it gets ingested by AI models.
- Contextualize the risk: Regulations are rarely just about the what: they hinge on the who, where, and why. That’s why contextual insights are critical. Purpose-built tools that build real-time knowledge graphs – capable of connecting each data point to its source, owner, access entitlements, applicable regulations, and physical location – are required for letting organizations enforce dynamic, automated controls. Organizations need this kind of context-aware approach to keep pace with rapidly evolving privacy and AI governance requirements.
