In a world more focused on data governance than ever before, compliance is a key conversation from the IT team to the boardroom and back again. Channel Insider spoke with Avani Desai, CEO at advisory and assessment firm Schellman, to learn more about what her team is seeing directly from clients worldwide.
Complexity is the name of the game: how compliance has changed
Desai has worked in the compliance space for decades, and her expertise forms the foundation of how Schellman advises its thousands of clients through various assessment, certification, and attestation services, encompassing everything from ISO certifications to SOC assessments and regulatory compliance specific to healthcare and government organizations.
Now, though, the demands placed on organizations to achieve and maintain compliance are more complex than ever.
“We’re in the middle of a lot of transformation,” Desai said. “The volume of regulatory frameworks coming to the market is increasing significantly, the convergence of compliance and security is pushing the conversation towards trust, and everybody wants to integrate everything to be more efficient.”
“Expectations are rising and everything is getting more complicated, and that complexity is outpacing what most organizations can handle,” Desai continued.
Desai says her clients are best served by creating an overarching compliance framework that captures best practices for security and governance. Then, as new regulations and frameworks become relevant over time, the organization already has a baseline that covers most of their demands, and only the gaps need to be addressed, which makes it easier to adopt additional frameworks at scale.
“Unified control frameworks are helpful for a variety of reasons, but even more so now,” Desai said. “When companies go through M&A and need to ensure every aspect is up to the same standard, or they operate globally and need to maintain compliance across standards, having a unified baseline makes it easier to then add in specific elements to adhere to new regulations.”
Where regulation falls short of innovation: how AI is complicating compliance goals
It is impossible to talk about anything technology-related without discussing artificial intelligence, and that is increasingly true for security and compliance needs, too. The widespread adoption of AI has accelerated the demand for data, which in turn has caused headaches and heartburn for organizations that lacked proper governance and privacy frameworks.
“I’ve done this for 25 years now, and I think AI has introduced the most urgent governance questions to date,” Desai said. “This is partially because the tech is so new, but also because everyone is so fast to adopt without weighing risks or thinking through the total impact. Our pace of innovation is a lot faster than the pace of regulation right now.”
Desai highlights the following four categories of risk that all organizations should plan for when integrating AI solutions:
- Bias
- Data provenance
- Model drift
- Explainability
Where regulation surrounding AI and its various implications for privacy and security exists, it is primarily driven by the EU Artificial Intelligence Act, which was adopted in 2024. The ISO/IEC 42001 standard, published in late 2023, specifies requirements for an AI management system and is certifiable; Schellman was the first ANAB-accredited certification body for ISO 42001. Desai says the standard is the first, and still one of the only, to validate organizations' security posture specific to AI-related work, and that it encourages the establishment, implementation, maintenance, and continual improvement of AI management systems.
Still, though, these regulatory frameworks aren’t enough to completely address AI-related risks.
“We’re innovating faster than we’re regulating, and you can see that in the fact that most regulations today don’t address agentic AI, because it’s come to market so quickly,” Desai said. “Still, we advise our clients to get onboard with AI governance programs now. What is encouraged today will almost certainly be required tomorrow, and organizations need to prepare for that reality.”
The areas Desai thinks we aren’t talking enough about
If all of the above wasn't enough, Desai thinks the market is only beginning to come to grips with the various ways the world is changing. She points to the shift towards sovereignty and regionality in data governance as a massive undertaking that all organizations must consider this year.
“The world is asking new questions, and various geopolitical factors are impacting how countries approach what can be considered trustworthy,” Desai said. “The key areas of focus now are around localization, not enabling data processing across borders, colocation, and a renewed look at sovereignty.”
“For years, companies have been building a unified approach, and while that worked for a time, the demands are changing rapidly,” she continued.
The conversations around cloud sovereignty are shifting the market's focus towards architecture and the security and compliance requirements tied to it, according to Desai. Factor in the ongoing discussions of cost and cloud consumption that have come to the fore this year, and Desai says organizations are facing a complex technical and regulatory landscape in the months and years ahead.
For many firms, this change signifies a significant shift in how they must approach technology and remain compliant with local, regional, and national regulations. For global operations, this might mean undoing work of the past decade to match current best practices. And while Desai acknowledges that this will be difficult, costly, and time-consuming for organizations worldwide, she says it is necessary to keep pace with innovation and maintain as much security as possible.
“I have a lot of empathy for the fact that this will be hard for some, and that for years now many businesses have been doing what they thought was the best thing to do and are now being told to change their approach,” Desai said. “But at the same time, technology changes, and we have to as well. I always like to say we aren’t undoing the past, we’re evolving to meet the needs of today’s technology.”
Compliance remains a challenging yet necessary goal for many organizations. Katie Bavoso explored why the area is a value-add for MSPs in an episode of CI: PPOV.