Coming AI regulations have IT leaders worried about hefty compliance fines

More than seven in 10 IT leaders are worried about their organizations’ ability to keep up with regulatory requirements as they deploy generative AI, with many concerned about a potential patchwork of regulations on the way.

More than 70% of IT leaders named regulatory compliance as one of their top three challenges related to gen AI deployment, according to a recent survey from Gartner. Less than a quarter of those IT leaders are very confident that their organizations can manage security and governance issues, including regulatory compliance, when using gen AI, the survey says.

IT leaders appear to be worried about complying with the potential for a growing number of AI regulations, including some that may conflict with one another, says Lydia Clougherty Jones, a senior director analyst at Gartner.

“The number of legal nuances, especially for a global organization, can be overwhelming, because the frameworks that are being announced by the different countries vary widely,” she says.

Gartner predicts that AI regulatory violations will create a 30% increase in legal disputes for tech companies by 2028. By mid-2026, new categories of illegal AI-informed decision-making will cost more than $10 billion in remediation costs across AI vendors and users, the analyst firm also projects.

Just the start

Government efforts to regulate AI are likely in their infancy, with the EU AI Act, which went into effect in August 2024, one of the first major pieces of legislation targeting the use of AI.

While the US Congress has so far taken a hands-off approach, a handful of US states have passed AI regulations, with the 2024 Colorado AI Act requiring AI users to maintain risk management programs and conduct impact assessments and requiring both vendors and users to protect consumers from algorithmic discrimination.

Texas has also passed its own AI law, which goes into effect in January 2026. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) requires government entities to inform individuals when they are interacting with an AI. The law also prohibits using AI to manipulate human behavior, such as inciting self-harm, or engaging in illegal activities.

The Texas law includes civil penalties of up to $200,000 per violation or $40,000 per day for ongoing violations.

Then, in late September, California Governor Gavin Newsom signed the Transparency in Frontier Artificial Intelligence Act, which requires large AI developers to publish descriptions on how they have incorporated national standards, international standards, and industry-consensus best practices into their AI frameworks.

The California law, which also goes into effect in January 2026, also mandates that AI companies report critical safety incidents, including cyberattacks, within 15 days, and provides provisions to protect whistleblowers who report violations of the law.

Companies that fail to comply with the disclosure and reporting requirements face fines of up to $1 million per violation.

California IT regulations have an outsize impact on global practices because the state’s population of about 39 million gives it a huge number of potential AI customers protected under the law.  California’s population is larger than more than 135 countries.

California also is the AI capital of the world, containing the headquarters of 32 of the top 50 AI companies worldwide, including OpenAI, Databricks, Anthropic, and Perplexity AI. All AI providers doing business in California will be subject to the regulations.

CIOs on the forefront

With US states and more countries potentially passing AI regulations, CIOs are understandably nervous about compliance as they deploy the technology, says Dion Hinchcliffe, vice president and practice lead for digital leadership and CIOs, at market intelligence firm Futurum Equities.

“The CIO is on the hook to make it actually work, so they’re the ones really paying very close attention to what is possible,” he says. “They’re asking, ‘How accurate are these things? How much can data be trusted?’”

While some AI regulatory and governance compliance solutions exist, some CIOs fear that those tools won’t keep up with the ever-changing regulatory and AI functionality landscape, Hinchcliffe says.

“It’s not clear that we have tools that will constantly and reliably manage the governance and the regulatory compliance issues, and it’ll maybe get worse, because regulations haven’t even arrived yet,” he says.

AI regulatory compliance will be especially difficult because of the nature of the technology, he adds. “AI is so slippery,” Hinchcliffe says. “The technology is not deterministic; it’s probabilistic. AI works to solve all these problems that traditionally coded systems can’t because the coders never thought about that scenario.”

Tina Joros, chairwoman of the Electronic Health Record Association AI Task Force, also sees concerns over compliance because of a fragmented regulatory landscape. The various regulations being passed could widen an already large digital divide between large health systems and their smaller and rural counterparts that are struggling to keep pace with AI adoption, she says.

“The various laws being enacted by states like California, Colorado, and Texas are creating a regulatory maze that’s challenging for health IT leaders and could have a chilling effect on the future development and use of generative AI,” she adds.

Even bills that don’t make it into law require careful analysis, because they could shape future regulatory expectations, Joros adds.

“Confusion also arises because the relevant definitions included in those laws and regulations, such as ‘developer,’ ‘deployer,’ and ‘high risk,’ are frequently different, resulting in a level of industry uncertainty,” she says. “This understandably leads many software developers to sometimes pause or second-guess projects, as developers and healthcare providers want to ensure the tools they’re building now are compliant in the future.”

James Thomas, chief AI officer at contract software provider ContractPodAi, agrees that the inconsistency and overlap between AI regulations creates problems.

“For global enterprises, that fragmentation alone creates operational headaches — not because they’re unwilling to comply, but because each regulation defines concepts like transparency, usage, explainability, and accountability in slightly different ways,” he says. “What works in North America doesn’t always work across the EU.”

Look to governance tools

Thomas recommends that organizations adopt a suite of governance controls and systems as they deploy AI. In many cases, a major problem is that AI adoption has been driven by individual employees using personal productivity tools, creating a fragmented deployment approach.

“While powerful for specific tasks, these tools were never designed for the complexities of regulated, enterprise-wide deployment,” he says. “They lack centralized governance, operate in silos, and make it nearly impossible to ensure consistency, track data provenance, or manage risk at scale.”

As IT leaders struggle with regulatory compliance, Gartner also recommends that the focus on training AI models to self-correct, create rigorous use-case review procedures, increase model testing and sandboxing, and deploy content moderation techniques such as buttons to report abuse AI warning labels.

IT leaders need to be able to defend their AI results, requiring a deep understanding of how the models work, says Gartner’s Clougherty Jones. In certain risk scenarios, this may mean using an external auditor to test the AI.

“You have to defend the data, you have to defend the model development, the model behavior, and then you have to defend the output,” she says. “A lot of times we use internal systems to audit output, but if something’s really high risk, why not get a neutral party to be able to audit it? If you’re defending the model and you’re the one who did the testing yourself, that’s defensible only so far.”