
Compliance Edge: Turning Digital Regulation into Competitive Advantage

This article is based on a recent panel discussion from Womble Bond Dickinson’s virtual summit, The Algorithm Economy: How to Win in a Digital World. In this session, Womble Bond Dickinson Privacy and Cybersecurity Team Chair Tara Cho joined Bandwidth VP & Deputy General Counsel Laura Chipman, and NVIDIA Director of Privacy Saori Kaji for a discussion on state and federal data regulation. 

As state and federal requirements continue to evolve — and in some cases conflict across industries — building an agile compliance program that is also future-proof can feel overwhelming. Twenty-one states have their own privacy laws, with state-by-state variations.

Also, companies must deal with state-level artificial intelligence laws. As of February 2026, over 40 states had nearly 200 distinct AI laws on the books. In addition to comprehensive AI state laws, various states also address such AI issues as AI-generated intimate images, child sexual abuse material, deepfakes, likeness and right of publicity, elections and political advertising, employment, healthcare, government, automated decision-making, and chatbots/AI agents.

However, the Trump Administration is seeking to invalidate many of these regulations through federal-level executive orders. “There’s a real tension as to which of these laws will remain enforceable at the state level,” Cho said. In fact, since the time of our discussion, the Department of Justice intervened in a lawsuit challenging Colorado’s comprehensive AI law, and Colorado stipulated to stay enforcement of the law. Colorado has now amended its comprehensive AI law and delayed its effective date from June 2026 to January 2027.

Building the Right Governance Models

Privacy and cybersecurity have been high-level business concerns for more than two decades. In that time, a variety of approaches have emerged. These different approaches continue to evolve with business technology. Should privacy be part of the company’s in-house legal department, or its own separate team? Does AI fit under privacy’s purview, or, again, should it be its own separate department?

“For me, AI governance is a natural extension of privacy work,” Chipman said. Many of the existing approaches apply well to AI governance, she said. But she noted that there is potential for gaps between the two.

“The key is that all of this [AI] work is innovation-, technology-, and business-led, not regulation-led,” Chipman said.

Kaji agreed. “We try to think of our compliance efforts not as a legal check-off, but as part of the product architecture…. We try to interject ourselves just enough to catch the big issues as early as possible.”

The industry term is “Privacy by Design”—embedding data protection from the outset of the process, rather than as an add-on. Both Kaji and Chipman said this approach has worked for their businesses and is flexible enough to accommodate new AI.

“That way, we’re able to make decisions and find solutions early on,” Chipman said. She said customer feedback also shapes how her department approaches privacy.

Cho said that in working with different clients, she sometimes encounters siloed approaches to making privacy compliance updates. Having the legal/privacy team involved up front can make things run more smoothly for the organization—but it also puts a greater burden on legal and privacy team members to know what’s going on.

Chipman said that she’s seen an overall shift in thinking in this direction. With AI moving so quickly, learning and collaborating across departments is essential. Companies now are more willing to see compliance teams as trusted business counsel, not roadblocks to progress.

“I feel like I’ve had the opportunity to give more early-stage guidance,” she said. “It’s been a true partnership.”

“The business has grown so much faster than our legal team has grown,” Kaji said. “There’s enormous pressure on the legal team to be as nimble as possible.” She said their team strives to be consistent. “You don’t want to be perceived as a rubber stamper [i.e., someone who approves everything uncritically] or somebody who says no at every turn. I constantly remind myself that we are problem solvers.”

Incorporating New Data Tools

When an organization starts using a new AI tool, what’s the first question a legal or compliance team should ask?

Kaji said she wants to know where the data is going and how it’s going to be used. This applies to both the input and output data. Also, it’s important to consider how much access a third-party vendor may have to the data collected.

Chipman said she wants to make sure data collected isn’t sent back to train an AI model, which can depend on contractual terms, settings within the tool, and sometimes proactive communication with the vendor.

Meaningful risk review also depends on the internal use case. “It’s not just about the tool; it’s how it’s being used.” That needs to be tracked. Even if a tool is approved, the legal and privacy team still needs to know how it is being used in order to provide relevant feedback, perform risk assessments, and create compliance documentation for the processing activity. But tracking use cases is a challenge when general purpose AI tools are so readily available. 

Cho brought up “Shadow AI,” in which employees use their personal AI tools for work use. Such cases may require IT solutions—blocking non-approved AI platforms, for example. “But also, education and empowerment go together (in the form of employee training),” Chipman said. Companies can’t just say, “Don’t do it”—they need to invest in the right AI tools to allow employees to do what they need to do, then train them on how to use those tools.

“It’s education over enforcement,” Kaji said. She said short FAQs on the dos and don’ts of AI usage have worked well for her.

“Identify any guardrails that may apply, so that people turn to those instead of their personal [AI] accounts [such as ChatGPT],” she said.

Cho likened it to allowing her kids to play Minecraft in creative mode on a closed loop, rather than banning them from playing entirely. “This allows them to be innovative and to play together, and it gives me the chance to teach them about online safety,” she said.

“This takes work,” Chipman said. “We have to think creatively about, ‘How can we make this safe and easy?’”

Defining Risks—Asking the Right Questions to Protect Your Organization

When it comes to AI-generated content, what is the biggest IP risk—and how should companies protect themselves?

“Risk depends greatly on what role you play in the ecosystem. Are you the user? Are you the provider?” Kaji said.

The U.S. Copyright Office has determined that there is no ownership of AI-generated content. If the user wants to retain that copyright, they need to add a human-created element to the finished work. 

Also, she said there has been a flood of litigation surrounding copyrighted material in AI content. “Depending on your risk appetite, you may want to consider contractual protections with the tool provider.”

On the data front, Chipman said a risk assessment before signing a contract is important. Many software providers have not yet adopted AI provisions into their standard software agreements, so in-house counsel must develop their own playbooks for risk assessment based on the information available.

“Do they have the updated CCPA terms in that agreement? Those sorts of things can give you clues about a vendor’s risk posture,” she said. Chipman also looks for white papers, model cards, and other explainability efforts by the vendor, in addition to their contract terms. 

Kaji agreed privacy and compliance teams need to take a close look even at standard vendor agreements. “Some vendors have seemingly benign contract language that would give them the rights to use data as they see fit.” Also, keep an eye out for contractual use case restrictions.

Cho asked, “When you’re dealing with 21 different state privacy laws, and GDPR and all the various AI laws, and compound that with the speed of development with your organization, how do you manage that in such a fluid regulatory landscape?”

Leaning on existing processes that already work well is a good place to start, Chipman said. Also, she said privacy counsel should focus on identifying the highest risks and biggest value for the company, rather than trying to address every possible scenario. Looking for the highest risks under relevant regulations depends on first understanding what business stakeholders are trying to accomplish. 

“I enjoy the process of finding what the key issues and trigger questions are, rather than focusing on the legal differences (between various state privacy and AI laws),” she said. “If you’re asking the big-picture questions to get those issues in the right bucket, then you can look at those geographical differences.” 

“It should be a risk-driven analysis,” Kaji said. Again, she advised addressing the biggest risks first. She also noted that a business’s privacy needs can change within a matter of hours, so legal and privacy departments need to be adaptable. “There’s never a talismanic language that works for all circumstances.”

Cho said customer expectations and corporate culture may require standards beyond the legal minimum. For example, companies increasingly are leaning on AI to provide automated decision-making. But Kaji said automated decisions affecting recruiting and hiring need to be scrutinized, as do any decisions that impact a person’s livelihood.

To close the discussion, the panelists addressed the best approach for the next five years of digital regulation and transformation, keeping in mind that more regulation is coming.

“Go beyond the 20-page PDF document that recites what the law requires and think about how that translates into actionable steps for operational teams,” Kaji said. 

“Use what’s working now and layer on,” Chipman said. “Have a point of view and be proactive.”

As digital regulation grows more complex and less predictable, organizations that treat privacy, cybersecurity, and AI governance as strategic business functions—not compliance afterthoughts—will be best positioned to succeed. By embedding governance into product design, focusing on risk-based decision-making, and aligning legal, technology, and operational teams early, companies can move faster with greater confidence. Thoughtful, proactive compliance isn’t just about keeping up with the rules—it’s a way to build trust, enable innovation, and turn regulatory uncertainty into a lasting competitive advantage.

Key Takeaways

  • Treat privacy, cybersecurity, and AI governance as business disciplines—not legal checklists. Embedding governance into product design and operations supports faster, more confident innovation.
  • Expect continued regulatory fragmentation and uncertainty. State‑level privacy and AI laws are rapidly expanding, even as federal action may reshape the enforcement landscape. Flexibility is essential.
  • Leverage existing privacy frameworks when addressing AI. Many AI governance challenges can be addressed by adapting proven privacy and data protection processes.
  • Prioritize risk. Focus compliance resources on the biggest threats rather than attempting to solve for every regulatory variation at once.
  • Ask critical questions early when adopting new technologies. Understanding how data is used, shared, retained, and trained against—especially by third parties—is foundational.
  • Monitor approved tools as closely as unapproved ones. Ongoing visibility into how AI tools are actually used is just as important as initial approval decisions. An expanded use case for an existing tool can introduce new risks.
  • Address “shadow AI” through guidance, not prohibition. Clear guardrails, training, and sanctioned tools help employees innovate responsibly.
  • Scrutinize vendor contracts for hidden data and AI risks. Standard terms may not reflect evolving privacy, AI, or IP considerations and can signal a vendor’s risk posture.
  • Build governance programs that can evolve quickly. Compliance needs, customer expectations, and regulatory interpretations can change rapidly. Agility is a competitive advantage.

About WBD’s Digital Solutions Team - The pace of digital transformation continues to accelerate, influencing every area of today’s business environment. Our Digital Solutions Team helps organizations navigate this landscape, offering integrated support across compliance, transactional, litigation, and intellectual property matters.  
