A
You're listening to the RSA Conference podcast, where the world talks security. Hello, listeners. Welcome to this edition of our RSAC podcast series. Thank you for tuning in. I'm Tatiana Sanchez.
B
And I'm Casey Zirkus, and we are
A
your RSAC podcast hosts. Casey, what are we going to discuss today?
B
Well, Tatiana, according to Forbes, 72% of businesses have adopted AI for at least one business function. And of course, that was, you know, last week when we were writing the script. So that number likely increased since then. It's just insane how prolific AI is, and we'll continue to see these numbers rise in the weeks, days, months, and years to come. But while AI provides many benefits and has been expanding across critical sectors, it can also disrupt an organization's privacy and compliance efforts. So that's why we're excited to welcome Noor Bains as he will examine how AI can create new risks in consent and data use. He'll share real-world cases and practical guidance so our listeners can learn how to build privacy-first AI systems that maintain trust and regulatory alignment. Are you ready to dive in?
A
Yes, I am. But before we get started, we do want to remind our listeners that here at RSAC, we host podcasts twice a month. And we encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now we would like to ask our guest to formally introduce himself before he dives in. Noor?
C
Yeah. Thank you, Casey. Thank you, Tatiana. My name is Noor Bains. I'm a principal field Solutions Architect for CDW. I've been in the cybersecurity industry for more than 15 years. I have been privileged enough to have been in different roles in cybersecurity from SOC, NOC Advisor, Professional Services, Implementation Engineer, Risk and Compliance Advisor for a Canadian government crime corporation, and most recently, as a solutions architect. I get to see different customer environments from different verticals, from different sizes and scales, and try to help them to improve their security posture from an enterprise risk management approach as well as from considering their business use cases as well. Thank you for having me.
A
Thank you for being here, Noor. And as we know, organizations are adopting AI every minute, every day, for new uses. So, Noor, why are the privacy and compliance now the ultimate gating factors for AI adoption rather than technical innovation?
C
Yeah, so the numbers tell a story. And one thing we can be sure of in this digital age is that everything is quantified, including technology disruption and adoption. According to a survey done by Harvard Gazette, the AI Adoption within the same life cycle, if you compare to the adoption of Internet in 1999 and the adoption of enterprise computing in 1980s has been higher. And this is not surprising, but it tells us a story. It tells where businesses are investing. It tells us how should we quickly adapt to the potential next wave that is approaching. We're seeing AI being embedded, not just the typical retail personal use cases which are pretty heavily leveraged in the past few years, but we're seeing investments in sensitive areas and use cases being leveraged in sensitive areas such as healthcare diagnostics and financial risk modeling as well. Let me show you a personal story. So recently my wife went to dentist and when she came back home she was unusually excited. She told me she needed a root canal. So that is not something for me that sparks excitement. That sounds like pretty painful. And then she ended up mentioning that her doctor actually leveraged AI driven imaging to detect the issue. And the doctor mentioned that traditional methods would have caught it later and this could have been more painful. So potentially, and I say potentially, at this point we have not actually gone through the treatment or potentially this will be a less painful treatment. Now this is the quiet power of AI. A bit of backstory to this. I talk about AI all day, so that's something my spouse, my wife, when she went to doctor, she was laughing because she mentioned, there you go, I have another AI story. I wouldn't be surprised if my 4 year old daughter at this point talks about AI in the next couple of years. But anyways, coming back to it. So there's a flip side and it's one that organizations can't afford to ignore. 
A single privacy or compliance failure can cascade into headlines, lawsuits, customer churn. We are seeing for the first time, 72% of S&P 500 companies now disclose AI-related risks in their filings. So what this signals is that there is reputational fallout from poor governance. And this is no longer just theoretical, it's visible, it's material. And regulators and investors are paying attention to this. Technology is not the bottleneck anymore. Governance is. Excessive data collection such as biometrics, health records, financial data combined with misconfigured models and insecure pipelines create vulnerabilities which ultimately erode trust. When stakeholders can understand or rely on outputs, confidence in leadership erodes with it. And even when no laws are broken, being perceived as careless with AI can permanently damage a brand. So the real question isn't at this point, can we build it? It's more can we build it responsibly enough that people will trust and adopt it. So that's really defining the challenge of AI in this era.
B
I love the personal anecdote and I have another one for you. I went to the doctor recently with my daughter and the nurse practitioner asked, do you mind if I use the AI note taker? And I said, well, is it tied to any of her PII? And she said, I don't know. And she said, I guess maybe we shouldn't use it then. And I was like, yeah, I think that's fine. We've made it this far without using it. I think we'll be okay. But you know, those types of questions are probably not regular questions that doctors get, obviously because they couldn't answer the question. And I'm thinking of other instances where maybe someone has an AI note taker on their phone or even like smart glasses and they're attending a meeting that maybe is meant to be closed door and they're recording for their notes, but they're actually recording content that shouldn't be recorded or shared. Right. And these are just the little, you know, my life risks that I can think of that truly I'm not even sure if they're actually risks, but I am so interested in hearing from you. We hear about these new risks, privacy risks that AI is introducing, particularly the fact that the legal controls have not yet even been designed to help mitigate these risks. So what are some of the risks that we should be concerned about?
C
Most of the customers we talk about, that's the number one question. We are helping customers as well. So there are a few big ones. First, complexity of data sources. AI pulls from different sources that fall under different privacy regimes. So what requires explicit consent in one jurisdiction doesn't in another, and legacy controls were not built for that mosaic. Second, the consent is static and AI learning is dynamic. A user agrees to terms at one point, but the model keeps learning and infers sensitive information downstream. For example, someone marks a preference for gluten-free food. And the model infers that they have a celiac disease. So that's health data derived without explicit consent. And the third being re-identification risk. Even anonymized data can be relinked with other data sets. For example, a fitness app combined with location history and purchase history can reveal health status, lifestyle, financial habits. And finally, the opaque nature of AI means that data collected for one purpose gets reused or potentially reused for others, often without user even knowing about it. Legacy frameworks like static consent forms and one-time privacy notices simply aren't designed for this kind of continuous inferential data processing. So that's some of the big ones that we see and we potentially try to help our customers with.
A
And if AI isn't integrated with strong guardrails, it can lead to operational disruption within an organization. You know, especially with healthcare, it can lead, you know, patient risk. Or if they're on a machine and the system goes down, it can be critical. So Noor, can you provide some real-world examples of AI failures within organizations and then what do they teach us about the consequences of moving too fast without proper consent and governance?
C
So AI failures can create tangible harm and governance must evolve alongside. So I'll give you three examples. First, a major healthcare partnership, and this was a well-intentioned AI project, attempted to build the diagnostic tool. But it assessed around million patient records without proper consent. Regulators later ruled that the data use violated privacy requirements. The key takeaway was simple. Even well-intentioned AI projects can breach the law of consent. Data minimization and pipeline controls are not rigorously designed. I'll give you second example where a facial recognition company scraped billions of publicly available images to build its biometric database. Now the practice triggered lawsuits, regulatory actions across multiple countries. This case underscores how over-collection of sensitive information, even without explicit permission can spark global legal, ethical and reputational consequences as well. And third, and this is something that we're seeing a lot more and a lot of companies are actually tackling this, a large enterprise developed AI hiring model that ultimately had to be abandoned after it found to disadvantage female applicants. Now the system learned from historical hiring patterns that were already biased. And without proper bias mitigation techniques, it simply automated discrimination. This really shows how AI can amplify inequalities when the training data reflects past human bias. Across all these three use cases or examples, the pattern was pretty much similar. Speed without governance creates real harm. Whether it's privacy violation, unethical data sources or algorithm bias, the absence of strong oversights turn AI initiatives into compliance failures and reputational risks.
B
So what are some practical steps that our listeners can take today to build AI systems or tools that are privacy first and maybe compliance by design?
C
So when we talk about responsible AI, the conversation often jumps to regulation or technical controls. But the reality is organizations don't just need to wait for new laws or new tools to start doing this right. There are practical and concrete steps that can be taken today to build AI systems that are privacy-first and compliance by design. The starting point in this journey is privacy by design. That means embedding privacy into entire system lifecycle from day zero. Before a single model is trained, team should be running threat models, mapping data flows, conducting privacy impact assessments. And the defaults matter. Opting out from tracking, anonymized logging, principle of only collecting what's absolutely necessary for the specific use case. And from there on the focus shifts on governance, which has to be centralized, automated and continuous. Manual compliance checks don't scale in the AI-driven environment. Organizations need automated audit trails, continuous monitoring, compliance controls integrated directly into MLOps DevOps pipelines. Governance should follow the model from development to deployment, not really chase after the fact. And transparency, another pillar. Tools like model cards, data lineage tracking gives teams ability to answer fundamental questions. What data trained this model? Why was the data chosen? Has the model changed over time? And this is what makes AI auditable. And for regulators, this is what makes AI defensible. And then there's the explainability. If a model influences hiring decision, which we leveraged in the previous example, a loan approval, a medical recommendation, leaders of that organization must be able to articulate why the model behaved the way it did. Explainability frameworks help organizations demonstrate fairness, detect bias and maintain trust within customers. And finally, organizations should anchor their programs to established frameworks. GDPR, CCPA, HIPAA, NIST, ISO. Perform regular gap analysis.
Both the technology and regulatory landscape are evolving quickly. Staying compliant is not really a one-time project, it becomes a continuous posture. And to summarize, responsible AI is not about slowing innovation, it's making innovation sustainable. Privacy-first, compliance by design systems don't just reduce risk, they really accelerate trust, adoption and long-term value.
B
I agree and I'm so grateful that you joined us today because it's an important conversation. I think that a lot of times when tools are released and they afford great efficiency and expediency and convenience and all of the benefits that we're seeing as reasons why folks are leveraging AI. It's hard to kind of pause and think about the maybe not so great implications that can come along with implementing these tools into their daily use and organizations and systems. So really appreciate you joining us today as a reminder to think about privacy and compliance and the impact on the users. So thank you so much for being here today. Listeners, thank you for tuning in. Please keep the conversation going in our RSAC membership platform by visiting onersac.commembership and be sure to check onersac.com for new content posted year round. Until next time.
RSAC Podcast: Privacy and Compliance Challenges with AI
Episode Date: May 22, 2026
Guests: Tatiana Sanchez (Host), Casey Zirkus (Host), Noor Bains (Principal Field Solutions Architect, CDW)
This episode explores the increasing challenges organizations face in balancing AI adoption with privacy and compliance requirements. Hosts Tatiana Sanchez and Casey Zirkus welcome Noor Bains, a veteran in cybersecurity, to unpack the latest risks, real-world failures, and practical steps organizations can take to ensure responsible, privacy-first AI implementation. The conversation makes clear: with AI’s rapid proliferation across industries—especially sensitive sectors like healthcare and finance—privacy and compliance are now the main gating factors for enterprise AI, overshadowing purely technical concerns.
"Technology is not the bottleneck anymore. Governance is. ... The real question isn't at this point, can we build it? It's more can we build it responsibly enough that people will trust and adopt it."
"I said, well, is it tied to any of her PII? And she said, I don't know."
Noor Bains outlines specific, emergent risks:
"Even anonymized data can be relinked with other datasets... can reveal health status, lifestyle, financial habits."
Noor stresses organizations don’t have to (and shouldn’t) wait for new laws or tech tools—they can start now:
"Responsible AI is not about slowing innovation, it's making innovation sustainable. Privacy-first, compliance by design systems don't just reduce risk; they really accelerate trust, adoption and long-term value."
On the Risk Landscape (Noor Bains, 05:30):
"A single privacy or compliance failure can cascade into headlines, lawsuits, customer churn."
On Explainability and Trust (Noor Bains, 13:34):
"Leaders... must be able to articulate why the model behaved the way it did. Explainability frameworks help organizations demonstrate fairness, detect bias and maintain trust within customers."
On Actionability (Noor Bains, 11:35):
"Organizations don't just need to wait for new laws or new tools... There are practical and concrete steps that can be taken today to build AI systems that are privacy-first and compliance by design."
The discussion is pragmatic, urgent, and solution-focused. Hosts and guest speak conversationally but with clear expertise, highlighting not just abstract risks but real-world impacts and immediately actionable strategies. Noor Bains succeeds in demystifying responsible AI, illustrating both the pitfalls of moving too fast and the just-do-it nature of embedding privacy today.
For those seeking to future-proof AI deployments, this episode offers both cautionary tales and a playbook for building sustainable, trusted, and compliant AI systems in the real world.