AI Regulation: What Security Teams Need to Know - #187

Show Notes

AI has officially moved from experimentation to execution—and regulation is racing to catch up.

In this episode of Reimagining Cyber, Tyler Moffitt is joined by Matt Aldridge to unpack what the rapidly evolving AI regulatory landscape means for security teams, businesses, and managed service providers heading into 2026.

From the EU AI Act and GDPR to California’s CPRA and emerging rules around automated decision-making, they explore how governments are trying to balance innovation with safety, privacy, and accountability. The conversation dives into the real-world security implications of agentic AI, autonomous decision-making, biased training data, and the growing risks of AI systems operating with minimal oversight.

Whether you’re an enterprise security leader, an SMB, or an MSP supporting multiple customers, this episode breaks down why AI regulation is no longer a future concern—and what practical steps organizations should be taking now to reduce risk, protect data, and responsibly govern AI adoption.

As featured on Million Podcasts' 

Best 100 Cybersecurity Podcasts  

Top 50 Chief Information Security Officer CISO Podcasts 

Top 70 Security Hacking Podcasts

This list is the most comprehensive ranking of Cyber Security Podcasts online and we are honoured to feature amongst the best!

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Transcript

Tyler Moffitt: [00:00:00] Hello everybody and welcome to another episode of Reimagining Cyber. My name is Tyler Moffitt, senior Security Analyst, and today we're gonna be talking about everything, AI in regards to regulation. There's been so much development and sort of. Accelerating acceleration growth, and not only the capabilities of ai, but the adoption and real world application and use.

And so we're gonna talk everything you need to know about, you know, what are the implications, security wise, regulatory wise, all this compliance that's gonna, the mountain of it that's coming. We're gonna talk all about it with. One of my coworkers, Matt Aldridge, who's worked with me at OpenText for well over 15 years, and he's definitely somebody who's been following and tracking this closely.

And so I consider even him to be one of the foremost experts, and I'm glad to have him on the show today. So Matt welcome to the podcast and glad to have you here. Hi, Tyler. It's great to be with you. Thanks for inviting me on. Not a problem. Not a problem. So [00:01:00] obviously talking about ai, how it's moved from experimentation to execution.

Specifically this last calendar year, we really saw, you know, an in increase in capability agen AI now being granted permissions by all sense of the word to make decisions. Take actions. In many cases we saw some examples where, you know, when we've talked about previously how they can make mistakes, you know, calls real world impact.

And so regulators, of course, at the heels stepping in fast. So I wanna talk to you and sort of unpack what AI regulation, what does it mean for security teams, businesses of all different sizes and, you know, MSPs and stuff heading into 2026. 

Matt Aldridge: Yeah, there's a lot to go at and it's a very fast moving area, but of course with regulation it's never as fast moving as the actual AI itself that is trying to regulate.

So there's definitely a lot of different moving parts that we have to try and keep track of. 

Tyler Moffitt: What about this year [00:02:00] specifically this past year from 2025 to 2026, in, in, in your eyes, what do you feel has changed or feels different, if you will? And obviously I feel like there's an accelerating of it, but as far as from regulation, do we feel like it's enough to keep up with how AI's taking off?

Matt Aldridge: Yeah. Unfortunately it's, it's never gonna be fast enough or agile enough to control all the things we'd like or to, to give us the frameworks that we need. However, we have great starting points happening around the world, kind of led by the EU AI Act and other areas that are, that are, that are.

Catching up or keeping up with, with, with legislation. And of course there's always challenges as well with, with with with the EU being the first to legislate, then they have a lot of learnings coming out of that because if they're not careful, they over legislate. They start to cause problems that can actually cripple businesses in their [00:03:00]region, could actually slow down development.

Cause all sorts of knock on issues that weren't, maybe, weren't anticipated when that, when those things were first pulled together. So it's, it's a very much an evolving, moving situation. And there, there are, there, you know, there are new. Upcoming changes that we'll see in Europe that are being planned already, that are bringing together changes on, on AI and also on GDPR and other areas that will, will try to simplify things, rationalize and actually maybe even do some deregulation, you know, as much as regulation.

So, so sometimes we see that the regulation goes a little bit overstepping. Going a bit too far, then we actually have to pull things back, simplify and reframe what we're trying to achieve from, from the, the, the regulations that are, are being put in place. 

Tyler Moffitt: Yeah, that's interesting. You talk about the deregulation, you know, you sort of I would say accompany the term regulation with, like, slowing the innovation, if that makes sense.

But I understand, you know, they want to add [00:04:00] accountability, but obviously AI is big on the impact, so I can understand why they, they wanna follow the hype there. So I guess talking about, you mentioned you know, GDPR and I know. California usually leads the way with America, with you know, CCPA or CPPA and now CPRA these new ones that they sort of added.

Do you have anything that, you know, what's actually changed with California? Is there anything security teams should be aware of with what's upcoming and what they're trying to create? 

Matt Aldridge: Yeah, so CP CPRA kind of strengthens CP. CCPA, it doesn't really replace it. They're building on the foundations there.

And again, you know, like I said before there's always a bit of a scramble to try and get these things in place. There's, there's the recognition stage where people go, hang on, this is coming down the line. We've gotta deal with this. We see what's happening elsewhere in the world. We recognize we need to protect the privacy of our [00:05:00] citizens.

Let's do this, let's get this in place. Let's, let's show some leadership here. But of course, the, the, the risks are that, that sometimes this, you know, things are gonna get missed, things are gonna get slightly overstated or misrepresented or what have you. So it's an, it's an on ongoing involving. Beast.

And and, and so c CPR is bringing bringing more of that into, into play. They're doing more things looking at things like cybersecurity audits and risk assessments. And, and, and one of the big areas is actually the, the looking at the automated decision making technology. So a lot of that does bring AI into play and there's a lot of risk associated with.

Making invalid assumptions about what systems are capable of doing. And so that's some of the things it's trying to address. 

Tyler Moffitt: Yeah. The automated decision making technology, the A DMT, I have a feeling we're gonna, we're gonna hear that acronym a little bit more as time goes on For sure. 

Matt Aldridge: Yeah. [00:06:00] Whether it's fortunately or unfortunately, of course, AI enables.

A great kind of force multiplier when it comes to the, the employees and the capabilities of any organization and indeed of individuals empowering individuals to, to achieve a lot more with their time than maybe they could have done with without ai. But when it comes to these, these automated solutions this is one example.

So automated decision making is one key example of, of automation. But there are many others. And what they're looking at here is things like, if you are automatically trying to identify, say someone from their, from their image, from facial recognition where maybe it's like a security system. Maybe it's policing.

Maybe they're trying to pick out people from a crowd who maybe like known felons or what have you. They are gonna rely on technology to do that. And of course. The, the users, the end users of the technology don't appreciate [00:07:00] the potential risks in terms of using that based on how that system's being built, how it's being trained, and what the data was that was used when, when training the systems.

So a lot of these systems have inherent biases built into them that maybe even the creators of those systems didn't have full awareness of at the time. And so what the legislation's trying to do. In, in many different parts of the world now is, is ensure that there's a lot of screening done, of training data before it gets anywhere near.

AI models or machine learning models or whatever it may be, you need to understand what is the quality of that data and how is it representing any kind of population of users or people or backgrounds or whatever it is you are, you are using it to check. So it may be even the financial systems, you know, is it trained across the board to look at all types of transactions or [00:08:00] is it.

Is it skewed in some way? So it's gonna be happy about, you know, particular types of transactions, whereas it might be like flagging up other ones. But that could be based on, on very biased information depending on where that dataset came from. So yeah, things like facial recognition is where we hear about it in the news and why we've seen things like CCTB that has.

Facial recognition built into it being very highly regulated and in certain, in certain instances actually banned because the, they, they just isn't that level of trust in those systems in, in many cases. Then, you know, we see, we see the opposite end of the spectrum as well. You go to places like China and everywhere has very highly developed.

The facial recognition systems that are tracking people down to the sort of human information Yeah. Individual level and, and, and, you know, that's the kind of next level of where, where it can end up. And so a lot of places are trying to legislate to, to ensure that maybe they don't want to [00:09:00] get to that, to that quite to that level.

Tyler Moffitt: Yeah, it's, it's definitely tough. You mentioned earlier how like the average user doesn't really appreciate all that that goes into it, and I completely agree. When you have these AI systems that now like all by themselves, automated can essentially plan, decide, and act, all together. You know, when you combine that, it's very, very powerful.

Lots of implications, and I'm sure at many cases, depending on interpretation of which different country it's gonna collide with regulation. You know? Talk us about how you think that that might happen. 

Matt Aldridge: Yeah. Well, like, it's already happening, so we're already seeing some, like I said earlier, there's, there's, there's a risk of, of holding back innovation and limiting.

Company agility when it comes to implementing some of these systems. But fundamentally, safety probably needs to have a higher priority. So that's, you know, we are seeing that and it's great to see a lot of these [00:10:00] legislators putting the right emphasis on, on safety and on fairness. Then also of course on the, the privacy side of things and data protection because it's very easy to feed vast amounts of data into different AI systems, and you don't always.

Fully understand how that data might get extracted or misused or abused. So lots of care does need to be given to, to the data side, whether it's training data or actually operational data that's being processed through these AI systems. And then when we look at the, the EU for example, they're now bringing or discussing the, what's called the digital omnibus.

So that's like a, an initiative they have to. To start prop, start amending existing regulations. So this is where I was talking about maybe, maybe some elements of deregulation, some elements of changing the timelines for implementation of certain regulations as well to allow a bit more time to allow a bit [00:11:00] more responsiveness and just, just really trying to.

Still bringing these protections whilst not holding back development to such an extent as, as, as, as was being risked before. So I think the rest of the world can learn from this, that, you know. There are risks to being, to having that leadership on this side of things because things are moving so fast.

And you do need to make sure that you can be reactive as, as things develop. And these, these regulations always need to have an element of fluidity to them. 

Tyler Moffitt: Sure. And I'm sure there's differencing approaches and how you said like they try to balance having the progress that this brings without hindering it and having everybody take full advantage of it while still, you know, concerning the, the implications of security and trying to have some sort of fairness and privacy.

And we talked a little bit about California, but you know, this isn't, California is only you know, the part of [00:12:00] America. What about, what are we seeing in Europe? What, do you have information on that? 

Matt Aldridge: Yeah. I mean, in, in Europe, like I say over here the, we have been kind of ahead of the curve with privacy with GDPR, with the, the ai, with the EU AI Act and, and in other areas as well.

But the, the, the risk of, of being leaders in that space is that you do risk con con holding back. The development of certain solutions within that, within that area. So, so yeah, we, we are sort of shifting from a position where, where everything has been heavily regulated where sometimes that's, that's actually bringing, bringing, you know, us to the point of risking of risking competitiveness.

And now we are, we are starting to move towards elements of deregulation and certainly a lot more pragmatism when it comes to these things. 

Tyler Moffitt: Well, that's good to hear. Specifically talking to some of our core audience [00:13:00] here, you know, what does this mean for you know, small to medium sized businesses or managed service providers?

You know a lot of them hear regulation and they might assume, oh, it's only for large scale enterprises, and it doesn't really, you know, apply to them. What's, what's the approach or how, how should they look at this? 

Matt Aldridge: Yeah. And so just because you're a small organization doesn't mean that you are, you are not in scope very much.

These things are coming at it from a perspective of, individual protection, privacy protection. So as long as you have that mindset, which you should have anyway, and, and you take that mindset with you when you're dealing with AI and implementing AI solutions and processing data, using ai outsourcing to anything that's gonna have AI involved in it, then you know, you'll, you'll be.

You'll be doing the right thing. You know, without getting too much into the, the weeds of, of where you might be located and what what the legislation is, it's gonna apply directly to you. Obviously you need to check that out [00:14:00] with your own, with your own legal resources. But in general, generally speaking.

As long as you are demonstrating that you are taking very good care, you know, the best care you can when it comes to the data of your customers, of your employees, your contractors, if you're processing any other public data, personal data, as long as you're going through the, the, the rigors that.

Should and, and are expected of any organization to protect that information and to to manage it, control it, and, and have that full lifecycle approach to it. And then when, when, whenever you're dealing with AI and you need to take the same approach, so in the same way as if you are going to outsource some element of data processing.

You are gonna have to make sure you've got agreements in place that control exactly what can be done with that data, how it's protected, et cetera. Then you have to have that same approach with an AI solution as well. So if, if it's, if it's an [00:15:00] AI solution, you are running in-house and you can completely control it and it's, you can evidence that.

The data that's stored in there is, is highly protected, then that's great. But as soon as you start going to use any off the shelf solution, any cloud solution, any third party solution, that is not entirely under your control, that's where you need to make sure that. Everything is very carefully defined in terms of how that data's protected in terms of what you are doing to protect things in advance, and then in terms of how you are doing that ongoing due diligence to make sure that that things are working the way they should be and that data is not being, being put at risk.

So there's a lot of solutions out there that can help you with de-risking the use of of external. Third party data processing. You know, you can do anonymization, pseudo, pseudo anonym, anonymization, those types of things where you can actually take a lot of the, the [00:16:00] risk out of, of using third party solutions.

And. Again, whether you do that and to what extent you do, that needs to come out of the risk assessment that you are, that you are making. So yeah, I think as long as you're showing that you've gone through that process, you're doing, you are assessing the risk, you're managing, mitigating that risk, and not just going blindly ahead with, with using the latest, greatest technology, then then you're definitely gonna be along the right lines.

Tyler Moffitt: Well, yeah, I mean that, I tell you what that sounds like a lot and it might be. If anything, a little bit confusing of everything that needs to be taken care of for these, you know, smaller teams. So for, you know, MSPs is there, I'm guessing there's some opportunity here on sort of centralizing them and telling them, Hey look, here's what you should get.

Here's how you should follow this. It, it does seem like there is a definite opportunity for MSPs here to sort of help those SMBs navigate the new AI landscape. 

Matt Aldridge: Yeah, absolutely. I mean, they, they, they [00:17:00] need to be doing things like Inventoring Invent, doing inventories for the AI solutions they're using, making sure they understand what is out there already.

You know, they're like, like we said earlier, these things are moving so quickly and employees are in a challenging situation because they are increasingly under more pressure to deliver. More wide ranging impacts on their organizations because the organizations believe them to be using AI and expect them to be using AI in different ways.

So as an organization and and leadership within that organization, you need to have a handle on. To what extent is this happening? How do we control this? Do we need to have some kind of approval cycle for new AI solutions before they, before anyone's allowed to use them? We have to be very careful about where any of our data gets, gets put outside of our organization.

And and then once you've. Done that and you start [00:18:00] to understand and control the actual AI solutions that are being used. You've gotta start thinking about then, okay, so are we making any decisions based on this, on this AI deployment and. What are the risks around that? What are the risks around those decisions that are being made?

How do we mitigate and manage the, the risks from, from any aut automated decision making processes that are gonna be happening across our organization? And this is going to become just. You know, on a daily basis, we're gonna have more and more issues and, and risks around this. So I think, you know, we can touch a little bit on, on the whole agent AI thing.

And there's we are seeing, you know, every day new solutions coming out that are linking together multiple different AI models in the cloud, maybe local ones Yep. That are allowing automation, that are allowing scheduling even things like. Like social networking almost [00:19:00] between AI bots so that they can kind of compare how they've got on on different challenges and discuss with each other how they might do things better next time.

But the more communication that is allowed into any LLM or, or large, you know, large model. The, the more that happens, the more that communication opens up, then you, you dramatically amplify the risk of something going wrong, whether it's just something as simple as unintentional data loss or something much more significant like prompt injection happening across.

Social media platforms or between bots, you know, bots that are actually designed to, to harvest and take control of other bots to build AI bot armies effectively. These are the sorts of things we are gonna start to see. And so, yes, of course a lot of the owners needs to go on the [00:20:00] creators of these solutions and these platforms.

However. The, the users also need to take an element of responsibility here. You know, if you go and put these systems in place and leave them wide open, like we're seeing vast numbers of, of these local AI bots being opened up to the internet and left open. And then of course, the, any vulnerability comes along.

All the data that's being managed by those systems becomes vulnerable. All the controls that those things have. Decision making, like we were saying earlier, all those things get opened up to be influenced and so it's, it's the wild West and. You, you know, I would just say to any business, that's a good point.

Whether you are an MSP or whether you are a, just a small business yourself, make sure you are, you, you are carefully recording the, the decision making processes around how you roll these things out and, and the, the due diligence you've done. 

Tyler Moffitt: Yeah. Yeah. I've been seeing a lot with, claude Bot, [00:21:00] which is a new agentic AI that people are like, essentially like how do you say the next stage of sort of chat this local.

AI agent that you're having on your machine that then you can contact with your phone and just text it and then you give it access to the internet like you were talking about, and it can go and do all these things for you. And if there was a compromise on your computer through malware and it decided to take over and give it, like you said, all the data that it has, all the context and everything you've been using and searching like absolutely has massive potential for, you know, misuse. We're talking not just in, in the hacking and malware world, but who knows what type of new attack or new or new thing that we needed to protect ourselves from. Like you said, an army of AI bots seems very real. Yeah. And I feel like we're seeing the beginning stages of, of that, that makes sense.

Not to yell you know. Terminator or Skynet or anything, but it does feel like we're, [00:22:00] we're playing around with what, how that started, if that makes sense. Yeah. 

Matt Aldridge: Yeah, I, I, you know, it's now, so that, that claw bot thing has gone through a couple of renamings over the last few days. It's now called Open Claw and the, the, yeah, because they, they had objections from, from Anthropic about the naming of it.

And then that in itself created all sorts of carnage. 'cause people were you know, these guys created some new crypto coin and then started trying to. The ride on the back of the popularity of the Claude Bot and all sorts of crazy things like that have happened. And this is, you know, it's, is just the beginning.

And I mean, the great thing about this type of solution and, and you know, this is just one example of it, is that it does empower people to do quite incredible things, quite incredible levels of automation. But. Without those people, those people, you know, implementing it, you don't necessarily have to really understand quite what's happening behind the scenes.[00:23:00]

And you are very quickly gonna lose track of where your data is, where your credentials are, because some of these systems will take details of how to log into your email, for example, how to log into your social media, you know, your WhatsApp messaging and. As soon as that has come out, as soon as something like your email account has come out of your control, you are hugely, hugely exposed from a security perspective.

So just, just, you know, I would say yes, this is great. It's exciting just. To slow down and, and take very great care about how you proceed from this point. A lot of people, you know, this capability is not something that is super difficult to do. It's kind of the linking linking between multiple existing AI services.

And part of the reason why it hasn't really become popular yet is because of the dangers of it. Nobody has really dared to do it. And when we have seen things like. Some of the big [00:24:00] AI providers like Google for example, enabling agentic control of local systems. You, you know, immediately you see that some guy has, has asked a system to delete a file and then the system wipes his entire drive, you know, and things like that so that the, as soon as you start having these agents that have the, the same level of access as, as you do.

You're, you're gonna see all, all kinds of abuse and all, all kinds of, just, just unfortunate errors or, or hallucination based mistakes happening because this technology is still very young. So I would say any implementations you do, just take whatever steps you can to ringfence them, to isolate them, segment them, whatever it is you can do to keep them at, at arm's length from anything of any.

Significant importance to you or to your organization because it's gonna come back to bite you very quickly. Otherwise, 

Tyler Moffitt: that's a, that's a good point. And [00:25:00] segue here as you talk about recommendations. Just to ask you to sort of wrap this up, we appreciate your time is, you know, if you had to give listeners sort of a shortlist things to watch out for, like what should they actually do this year?

Can you unpack that for us? 

Matt Aldridge: Yeah, I think, you know, we've touched on most of the points already. You know, understand and audit what you are doing with your, with your data on the whole, you know, think, think for data protection. Start from a data protection standpoint and a risk assessment standpoint.

Ensure then you are understanding what AI usage you have. How that's being done. We have, you know, every individual in the organization has potential access to very, very powerful and diverse AI tools. Now, how are you going to, to manage the risk of that happening and, and how are you gonna encourage.

Your, your, your employees, your contractors, down a particular route that's gonna de-risk as much as possible. The use of [00:26:00] those, those systems. You know, how are you gonna write up those audits? How, how often you're gonna come back and continue these risk assessments on the basis that things are changing so fast.

And, you know, it's not really, you know, there's no point trying to have a. A list of things that people can't do. You know, you've really gotta come at it from a a, a, a very clear policy that states. What people are able to do and everything outside of that is excluded. And, and then make sure everyone is trained up and, and understands what the company position is or the organizational position is on that.

Obviously that will have to evolve and, and be pretty. Nimble because you don't wanna hold your company back, but at the same time that there are, there are levels of risks that you really must not take. And, and what we were just talking about is, is a great example of that. 

Tyler Moffitt: No, I completely agree.

The the risks are, are pretty massive here when you sort of understand the full [00:27:00]levels of permissions that we are just sort of handing over to the AI robots. And this isn't about stopping ai, obviously it's, it's very powerful. Everybody is leveraging it. Only more and more people are. Using it to a greater degree as time goes on.

Where are we at a year from now, two, three years from now? Who knows? But I mean, the regulation, it isn't about stopping ai, it's just about, you know, making sure we use it responsibly, defensively sustainably, you name it. So, I, I, again, I, I really appreciate the, the time that you gave us here, Matt. So, you know, AI regulation isn't a, a future problem.

You know, anymore, it's it's definitely a reality. Security teams, you know, understand that it's gonna be a much, much better position if you start thinking about these things now, then reacting to 'em later. So, Matt, once again, thanks for breaking this down. And to our listeners we will link additional resources, for you. We, Matt and I actually presented a a New Year's Resolutions webinar where we talk about a lot of these governances and AI stuff. So if you wanna know more about that, we can link that in the chat. But thanks again, Matt, [00:28:00] for joining the podcast. Thanks, Tyler. Really great to be with you.

Cheers. Thanks for listening to Reimagining Cyber. Please remember to follow or subscribe wherever you get your podcast.