January 23, 2026

Proactive AI Approach: Creating Value, Accelerating Results

Topics:
AI Compliance
AI Governance
AI Trends
GRACE AI Platform

In this episode of AI Watch, Charlotte, founder and CEO of Lex Futura, discusses how to rethink AI compliance as a strategic enabler rather than a barrier. From overcoming “compliance fear” to implementing production-ready AI in weeks, Charlotte explains practical methods for risk assessment, continuous monitoring, and adapting governance structures. We also look ahead to 2026, where AI governance is set to move firmly onto the management agenda — helping organizations stay compliant, competitive, and innovative.

Transcript

Hello everybody and welcome to this episode of AI Watch. With me here today, I have you, Charlotte, founder and CEO of Lex Futura, also PhD within compliance and data governance and quite the voice within the field as well. I really appreciate you being here today. Thank you for inviting me into this studio. We have quite the agenda ahead of us. We're going to look at AI and especially the field of compliance within AI, both because it's quite a challenge for quite many people, but we're here today to talk about how it can be less of a challenge and actually even become an enabler of business. Yes, looking forward to that. Excellent. So let's just start out with looking at the challenge. What is it that you see in the market? Why are people struggling with compliance when it comes to AI? Actually, the first thing is that a lot of them are lacking technological knowledge. The systems that they have tried to implement years ago are not the right systems for what's going on right now. One of the things is that AI is being talked about as one technology, even though it's in reality a lot of technologies. So they are having what I think the two of us have just developed a concept called "compliance debt". So there is almost like a fear to even open the box? Yes. Because of what may come out? Seeing from our perspective, the fear that the organization has got is often exaggerated. And what we are looking into is that we are capable of helping the organizations with this because we have the right methods. So we can help them being compliant in this area. So no fear. And this happens over what course of time? We can do it within a few months. So the model that we have made is that we sort of we ask the customer for maybe two or three weeks of their time and resources from their side.
And then we get the data needed and then we do our things within one and a half months if they really want to push it or maybe a couple of months and then we are ready to put things into operation. So you can actually get from perceived non-compliance to production ready within the two months? Yes. This process is because it can kill everybody in an organization if you don't go into production. And because we got experience from the GDPR implementation products, we know that organizations are getting killed by long compliance projects. So from our perspective, it's much better to be 80 or 85% compliant within two months of time and then go into operation, than you get to a point where you will never go into operation. So then two months later, what happens then? Now I'm in production. Then we start to monitor what's going on internally and externally. Are the people in the organization doing... what they are allowed to do, that sort of your GRACE platform. And on the other hand is that are there coming external things that are sort of affecting our level of compliance. It could be a cloud provider choosing another sub processor somewhere in the world and stuff like that. But we'll monitor that. We'll see if the supplier changes things in their legal documentation. If new decisions from authorities have been published and stuff like that. All these issues are part of the monitoring part. And the reason why we do this is that these changes, they might affect our risk assessment. And if the risk assessment changes, we go in red from a legal perspective and we do not want that because from a legal perspective, we are not allowed to go on with a high risk. Then we have to ask the authorities. And one thing is, of course, as you say, monitoring what's happening with the vendors and so on. And at the same time, where our partnership, I think, is really fruitful is that we're able to monitor if the users are using the technology as initially intended.
We have a number of examples where we said this is what you use it for and then it sort of wanders off because people get inspired. And that can be a good thing. Yay, innovation. Or it can be a bad thing because it introduces a new risk. Again, that monitoring feeds into the advisory that you give us. Yeah. And also to the role of the management, because if things are changing, the risk picture might change. And that's what they are sort of building the compliance upon. So it's very important that they have not approved documents and procedures that are not being followed by the employees because then we also get a sort of a shadow – It's not a shadow IT system – but we get a sort of a shadow procedure and we do not have an overview of our risk landscape in the organization. And that's why it's so important that we actually know very close to real time what is going on both internally and externally. What are you typically seeing in that monitoring? Like what should people expect that happens after that? The compliance department will actually be capable of going out to the organization saying: We said to you last week you're not allowed to use this but this week things have changed and now you can use it. So they are sort of being a more active player in the organization instead of just being characterized as a compliance department with a no hat on and saying just no to everything. And that's really a shift and that's also why it's important to do it on a regular basis to make the monitoring ongoing because then you sort of are able to use the possibilities that come up naturally within a much shorter period of time. Yes, you can essentially go with the natural progression of the technology or the features and so on and actually act on opportunities. And I think that's probably a word that's not used too often in the compliance context, but actually... It can go both ways. It can be restrictive or open up for opportunities.
That's a more balanced narrative, I guess, around the typical no environment of compliance. I think that's going to feel refreshing for many and the people at least I interact with in compliance and regulatory scene. They also like to be an active player, a constructive player and not be forced into that "no saying" corner that sometimes is the role. Exactly. I think it's very tough to be in that no corner all your working hours within a couple of years and you can also see that's where people are burning out and they do not want to have anything to do with compliance ever again. No, I can imagine. Okay so just to summarize a little bit like and essentially what you're taking to this is: it starts with a bit of a rethink of your approach to compliance and one which brings out the information of where you can use a given technology and how and then on the back of that information really set your sort of direction and that direction is likely not very stable but likely something where you have to continuously navigate. Yes, exactly. So it's... sort of evolving all the time, both sometimes for the worse, but also in some cases for the better, which is definitely a changing thing recently. So let's take a look at more like sort of perhaps a bit binary example. So let's say I'm using a service that is not approved for certain sensitive data in a public cloud, but only in something within daily's borders or in my own country's borders. How do you see that exercise? How can I navigate that if those two scenarios were playing out? One of the things that we are seeing is that it's not like everything is going into the cloud right now. We can see that some of our customers are to a much higher degree looking into hybrid solutions where they are hosting things themselves or maybe hosting things, very locally, very close, narrow to them. And then there are other things they are put in the public cloud. So it's not either or.
You can have the full solution and all the possibilities it actually gives you. But the precision for doing that is that you got an overview of what's going on. So in essence, hybrid setups are being adopted, but to really make it work, you need to know what to put in which bucket. Otherwise, you force over compliance by putting everything in the local bucket and perhaps missing out on opportunities or you are under compliant by putting everything in the public cloud. So it's really knowing what to put where and not just knowing today but also knowing tomorrow. Yes, and one of the things we can also see and also in relation to these very, very big AI solutions is also the power of calculation. It's not always possible for you to have the necessary power in-house. It'll be very, very expensive for you if you have to be able to do that on your own Kubernetes platform as an example. So in essence, the notion that compliance becomes an enabler of business, I think this is actually quite a good example, apart from knowing, am I or am I not compliant in my use, but now also: Where can I move my workloads? Meaning I can now think ESG, I can think economics and so on or scale is actually really a true business enabler. Exactly. And then you're moving outside of compliance by being well informed. Yes. Very interesting. I'd love to hear your perspective on 2026. The year has just gotten started. Where do you see the market move and the compliance landscape move? One of the things that is definitely going to change in 2026 is the governance focus. Having to build the right governance set up in this field and especially the management by IT. And one of the things we started to look into in 2025 is also organizations not being scared of the governance part, but actually taking the governance that they have in other areas, which are very close to, as an example, AI processing of personal data and sort of just putting the AI parts outside.
So it's not like that you have to make in the worst case, a hundred new documents and implementations, but more saying, okay, can I get a small angle on this existing governance document. Do I actually have a group or ethics boards in my organization or something very close to it that I can take these issues and get the discussions, right? Making small adjustments of the people who are actually in these different boards in the organization. Yeah, so it looks scary, but actually building on existing structures will help quite a lot. Yeah. I noticed that you mentioned that management is getting involved. It's also taking from the classic only a compliance function into really: Okay, this is on the management agenda. A note on that, you're actually contributing to some educational sessions that are coming up here together with one of our other partners, DNV. And that, I guess, is a really good opportunity to get very concrete on these perspectives and to help especially management to get a grasp on what this looks like. Yeah, yeah. And also because from a management perspective, if you have to make the right or the best decision for your organization, you also need to have a certain degree of knowledge about the technology. So instead of what we have seen up until now is more like a bottom up approach. People are trying things and just try it, go and now it's sort of you have to sort of gather it from the top and say, okay, we got certain principles that we are working on the basis of and you cannot just go and use this solution and this solution and we don't want shadow systems. We don't want you to use your own private ChatGPT solutions. The only solutions you are allowed to use are the one approved in the organization. Yeah. So exciting one and I definitely recommend to join that and I think you're right. Now is the time for really elevating that understanding of what this is because one of the trends that I foresee in this is AI is going to be adopted.
There's actually quite a lot of statistics showing that us as individuals have largely adopted it already. Question is whether companies are in control of that adoption. Meaning am I using the company version of AI or am I using my own? In areas where you're using that much money it's also very important that you use it on the right things and that you do not dig a compliance hole or a non-compliant hole where at some point in time if you do not have focus on the governance part then you will not be able to sort of get up from that hole and then you just have to restart everything which would be much more expensive for you. Correct and now we're into the field of management, right? Yes. Because if you do that, you are likely not to see the same returns as if you did it properly. And again, at least in Denmark, we got actually rules in the legislations where a board of a company and the management of a company, they are actually obliged to have a picture of the risk in the company. Going along the way, we will see cases where the management has not taken their role seriously because they do not have the sufficient knowledge about technologies and what they sort of put into operation. So perhaps a hope for 2026, not necessarily a prediction that the task of AI governance will be elevated to a management level, but also embraced because to sort of come back to the beginning can actually be an enabler and strengthening of your business. Exactly. Looking forward to a 2026 and not least to our collaboration. Really, really appreciate the partnership and I'm sure we can do great things together to the benefit of our respective customers.
