Over the past couple of years, I’ve sat in a number of meetings with IT and legal teams where the intent and motivation is visibly misaligned. It often feels like two completely different worlds trying to reach agreement under pressure. As one colleague once described it to me: “Legal writes for humans, IT builds for machines.” Law allows interpretation, context, and mitigation, whereas IT depends on logic and deterministic workflows. The result is that even small ambiguities can lead to weeks of wasted effort building solutions that were never legally viable in the first place.
The problem, solution and predicted outcomes I outline here are aimed at all three foundations: the business leaders, IT professionals (more specifically in Data & AI) as well as legal professionals trying to navigate the growing disconnect in implementing compliant data solutions. Rather than treating the problem as a communication issue alone, it proposes a practical framework for translating legal intent into machine-readable and architecture-aware controls that can scale with modern data and AI ecosystems.
For years this tension was manageable, but it has been exposed since the introduction of the GDPR rules in 2016, and the influx of AI requests from all corners of the business is about to expose the gap at scale.
Business: outcomes over everything
The business prioritises growth, revenue, optimisation and competitive advantage. Their language is KPIs, margins and performance. Compliance, from their perspective, is a constraint to navigate and not a mission in itself. They’re not trying to be reckless, they simply operate in a world measured by outcomes.
They want to:
- Analyse customer behaviour
- Test new features
- Use AI to personalise experiences
- Extract more value from data
Legal: risk, mitigation and defensibility
Legal doesn’t operate in absolutes. Zero risk is rarely demanded or practical; they operate in acceptable risk. They do want any risk taken to be defensible, so that if they’re challenged on something, they can demonstrate they acted responsibly.
They think in terms of:
- Lawful basis
- Proportionality
- Mitigation
- Demonstrable intent
- Defensibility in case of investigation
Legislation is written in narrative form and is deliberately principle-based. It leaves room for interpretation, and legal professionals are trained to interpret that narrative. They are not trained to design database schemas, configure access controls or define system-level enforcement mechanisms.
IT: Deterministic Controls
IT needs specificity and can’t work in narratives. “Reasonable safeguards” can’t be implemented. When Legal says, “It depends,” IT thinks, “I can’t build this.”
IT needs to know:
- Is this field personal data?
- Can this dataset be used for model training?
- What retention period should be enforced?
- Should this attribute be masked or removed?
- What exactly constitutes anonymisation here?
So, the business wants to create value that leads to profitability, while Legal’s motivation is to ensure compliance. Meanwhile, IT must support both by building reliable systems that deliver value while remaining compliant. This creates an uneven compliance accountability burden and, consequently, makes discussions and agreements between these departments painstakingly slow.
How AI widens the gap
Previously this was manageable because the pace of data usage was slower. Manual oversight was still feasible and legal teams could review major initiatives one by one. That era will end when the volume and velocity of AI-driven data usage overwhelms traditional compliance models. Data is no longer analysed linearly; it is continuously processed, combined, enriched, repurposed and modelled. Autonomous agents will even trigger workflows, generate insights and make decisions without human review. At such scale, traditional legal oversight breaks down. Legal can’t manually assess every new data use case or “processing”¹ activity, and IT doesn’t have the capacity to interpret ambiguous legal clauses every time an engineer builds a new pipeline, but the business will not slow innovation to wait for interpretive debates.
From legal text to architecture-aware compliance
Legal intent is rarely encoded in a way that systems can validate. Instead, compliance lives in PDFs, policies, meeting minutes and emails. That works to a point, but fails at scale.
What’s missing is a shared interface in a structured, machine-readable form, using concepts like structured metadata, policy-as-code and data contracts to add translation layers. So instead of open-to-interpretation discussions, we use AI to validate usage automatically and autonomously.
Machine-readable governance would allow Legal to define the acceptable boundaries, IT to implement enforceable constraints, and the Business to see clearly what is or isn’t permitted. We need to move from theoretical compliance to observable compliance.
The proposal
The Core Idea: Eliminate human error in handoffs between Legal and IT
Unstructured human conversation is a poor mechanism for transferring precise, technical, legally consequential decisions between people who don’t share a common language. The goal is not to eliminate human judgment, but to replace the parts of the process where human interaction adds friction and error rather than value.
I propose a simple organisational principle: replace the unstructured human handoff with a structured, AI-assisted process. The failure point in traditional compliance is not that humans are involved; it’s that humans with different motivations are asked to reach precise, technically implementable agreements through open-ended conversation. The solution described here is designed to eliminate that friction systematically by structuring the inputs, automating the checks, and reserving human decision making for the genuinely ambiguous cases, not the routine ones.
Before walking through the process, a few foundational concepts are worth establishing clearly. These don’t require technical expertise to grasp, and in fact, consistent use of this terminology across Business, Legal and IT is itself part of the solution.
Data Products, Output Ports and Data Contracts
These terms are popular in Data Mesh, but you don’t need a mesh to benefit from them. Data Mesh is a way to manage data in large organisations by giving ownership of data to the teams that know it best, rather than centralising it in one department. Each team treats their data as a product, something they’re responsible for maintaining and making available to others in a consistent, governed way. Even in a centralised architecture, adopting data products, output ports, and data contracts as a common vocabulary brings immediate value. It creates a shared language to clearly define what data is, who can access it, through which channels, and for what purpose. Without it, governance conversations between Business, Legal, and IT will continue to break down. The terminology comes first, followed closely by the architecture.
In practice, the chain might look like this:
- a data product (“website user behaviour”)
- exposes data through an output port (a set of tables in a database)
- governed by a data contract (which specifies that the website user behaviour data may be used for enhancement of the products that get sold on the website but not for marketing or customer profiling, must be retained for no more than three years, and requires pseudonymisation before use in any predictive or AI model)
Every layer is explicit. Every layer is enforceable.
What a Data Contract Looks Like
The example below shows a data contract assigned to the Website User Behaviour data product. The output port is a set of Iceberg tables in an S3 bucket, a common pattern in modern data platforms where consumers are free to choose the tool they use to consume the data. The contract travels with that output port: whoever accesses these tables, for whatever reason, does so under the terms recorded here.
A more detailed standard for data product contracts can be found here².
The data contract will contain either a reference to, or details about, the legal purposes and other constraints by which this access layer should be governed.
How it Works in Practice
What I’ve seen working well are organisations that already use Data Product and Data Contract terminology, where these human conversations and agreements are captured as metadata artefacts and then applied throughout data pipelines and downstream consumption. However, it still takes significant time to establish these agreements in the first place, and it’s even more difficult to maintain and update them reliably as the organisation evolves.
To solve these pain points, I’m proposing an AI-assisted workflow organised into three phases: PREP, MAP and RUN.
PREP happens once and evolves incrementally. MAP runs for every new data activity or amendment. RUN is the ongoing automated monitoring that operates continuously once the contracts are in place. At no stage does ambiguity get passed silently from one person to another and mistaken for agreement.
Phase 1 — PREP
Before any data activity can be governed through this process, IT plays the driving role in creating the framework for it: the data product catalogue, the output port standard, the data contract template, and the LLM-assisted interfaces used in the MAP phase. This is the foundation on which everything else depends.
Now, as I say that, I can confidently say the following: if there’s one thing I’ve learned from working in and with large organisations, it’s that there’s absolutely no point in waiting for every component to be perfectly in place before starting. In practice, that moment never arrives. Most organisations already have pieces of the puzzle, even if they’re fragmented or immature. A large enterprise already running some form of Data Mesh might unknowingly be 80% of the way there, while a smaller startup may be building its foundations from scratch. The reality is that these transformations are almost always iterative, messy, and happening while the business continues to move.
Start with what you have to build out a proper data catalogue, focusing on the low-hanging fruit: high-value data sets that get frequently requested. For each “data product” (in quotes because that might not be what you call it, and defining your disparate set of tables might be your first big hurdle), capture only the information that matters most at this stage: the name of the data product, the team that owns it, how it is shared, and a one-line description of what it contains. Everything else — detailed field-level tagging, data quality metrics, lineage graphs — can be added iteratively as the catalogue matures and the organisation builds confidence in the process. A catalogue with five well-understood data products is more useful than a catalogue with two hundred partially documented ones.
Critically, PREP can’t be approached as a big bang. A programme that attempts to catalogue every data product, define every output port and contract every dataset before anything goes live will stall before it starts. The effort is too large, stakeholder appetite will wane, and the business will move on without the framework.
The LLM interfaces themselves follow the same incremental principle. A working MVP might be a running Claude with a connector to your data catalogue using a pre-built MCP server (I use Entropy Data as it is very easy to set up for exploratory purposes).
Output: Not a finished framework, but a working MVP focused on one or a few high-value data sets.
Phase 2 — MAP
The MAP phase runs whenever the business proposes a new data processing activity, or an existing data activity changes: a new AI model, a new pipeline, a new access request, an amendment to an existing contract. It is the structured replacement for the open-ended compliance conversation. Three steps, three owners, one clear handoff each time, with the LLM ensuring that nothing ambiguous passes between them unexamined.
Step 1 — Business initiates a change or new processing activity
When the business proposes anything that involves data, for example a new AI feature or an additional source to an existing pipeline, this process is triggered. This is NOT a meeting. It’s a structured conversation with an LLM configured to capture the nature of the change or new processing activity and translate it into the information needed to engage the formal MAP process.
The LLM asks direct questions, based on the framework that IT has set up. Depending on the answers from the business, the follow-up questions are tailored based on the existing metadata, company knowledge documents and whatever else the LLM has been set up to access.
If the business says something vague like “We want to use customer data differently,” the LLM will steer the conversation into the specific structured approach and will check whether the request falls within the purposes already recorded on the relevant output port’s contract, or whether it constitutes a new processing activity requiring a new or amended contract.
The result is a structured description of the change or new activity: the data product, the output port, the declared purpose and any amendments required.
Technically, underlying this could be YAML files with change tracking in Git, but the LLM could present it in the form of a PDF or a document on a shared wiki.
Output: A structured description of the change or new processing activity: the data product, output port, declared purpose and scope of change, together with any unanswered questions flagged explicitly.
Step 2 — IT receives amended contracts
IT receives the structured description from Step 1 — whether that is a proposed new contract or an amendment to an existing one.
IT can accept the amendments as they are (as they will already have been curated at this point) or choose to interrogate them further.
IT resolves what it can and passes only the genuine ambiguities forward. Questions sent to Legal are pre-scoped and specific. They’re framed as precise binary choices, not open-ended narrative. This is what makes Step 3 efficient.
Output: A new draft contract or marked-up amendment, technically validated, with a short list of specific scoped questions for Legal — each framed to invite a deterministic answer, not a prose opinion.
Step 3 — Legal reviews, decides and signs off
Legal receives a near-complete data contract with a short list of specific questions that require legal judgment. They interact with an LLM loaded with the relevant regulatory context, whether it’s GDPR, the AI Act, sector-specific legislation or the organisation’s own policies. The LLM guides them through each question systematically.
This is the critical design point: the LLM is configured to push Legal toward deterministic answers. Not “It depends” or “We would need to assess,” but “Yes, this purpose is compatible with the declared lawful basis on this output port,” “No, this output port may not be used for model training without explicit consent,” or “Permitted under these specific conditions, which must be recorded in the data contract.” Wherever Legal exercises judgment, that judgment is captured as a structured decision, not a paragraph of prose that IT must interpret.
Legal owns what is signed off. The data contract is updated to reflect their decisions. If the access request is approved, the consuming data product is added to the catalogue and the contract governs its use automatically. If challenged later, the record shows exactly what was assessed, by whom, on what date and on what basis. There is no ambiguity about accountability.
A few of the legal professionals I’ve spoken to over the last couple of years have already started recognising this shift themselves. In my view, the organisations that will navigate it best are those where legal teams become more architecturally aware and technically literate. The more they understand systems, data flows, and implementation realities, the more likely they are to genuinely own and validate the decisions being made. That’s where the idea of a “human in the loop” starts becoming meaningful rather than symbolic. If legal teams remain purely advisory while increasingly relying on LLM-generated interpretations, they may end up implicitly trusting outputs they cannot fully validate themselves. Ironically, that dependency could itself become a compliance risk.
Output: A finalised, legally signed-off data contract attached to the relevant output port — ready for IT to implement directly, with no further translation required.
Phase 3 — RUN
Once data contracts are in place on output ports, the RUN phase operates continuously and automatically. There are no meetings, no manual audits and no trigger required from Business, Legal or IT.
In the study “Automating Data Governance with Generative AI”³ the use case checked 110 data access requests against privacy policies in real time. It caught every issue a human expert flagged, plus 3.6 times more warnings — 80% of which experts later confirmed as valid. Humans retain the final call on every flag. This isn’t replacing governance; it’s making governance operate at the speed AI-driven data usage demands.
In practice, the RUN phase means the system is continuously doing what no team of humans could do manually at scale:
- Checking every new data access request against existing contracts on output ports automatically at the moment the request is submitted, before any human reviews it.
- Monitoring the live data landscape for emerging violations: when a new restriction is introduced, the system detects which already-approved contracts may be affected and surfaces them for review.
- Answering governance queries in real time. Legal teams can ask conversationally: “Which data products currently have no documented lawful basis?” or “Which output ports are being accessed for purposes not listed in their contracts?” The system answers instantly — no audit, no email chain.
- Flagging policy drift — when a regulation changes or a new internal policy is introduced, the system re-runs it against the entire contract landscape to identify what needs review.
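As an added example (my own sketch, not the author’s code and not the ODCS schema), here is a minimal machine-readable version of the website-user-behaviour contract described earlier (product enhancement allowed, marketing and profiling prohibited, three-year retention, pseudonymisation before any AI model use) and the deterministic check the RUN phase would apply to each access request, plus the policy-drift query from the list above. The contract fields, the S3 path, the sign-off details and all requests are constructed placeholders; the outcome vocabulary (ALLOW, DENY, ESCALATE) is an assumption, with ESCALATE standing for “new processing activity, back to MAP”.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class DataContract:
    """Terms that travel with one output port of one data product (constructed schema)."""
    data_product: str
    output_port: str
    allowed_purposes: frozenset
    prohibited_purposes: frozenset
    max_retention_days: int
    pseudonymisation_required_for: frozenset  # processing types, e.g. "ai_model"
    signed_off_by: str                        # Legal's structured sign-off
    signed_off_on: date


@dataclass(frozen=True)
class AccessRequest:
    """Structured output of MAP step 1: what the Business actually asked for."""
    output_port: str
    purpose: str
    retention_days: int
    processing_type: str   # e.g. "analytics" or "ai_model"
    pseudonymised: bool
    requester: str


@dataclass
class Decision:
    outcome: str           # "ALLOW", "DENY" or "ESCALATE"
    reasons: list = field(default_factory=list)
    basis: str = ""        # who signed the governing contract off, and when


def evaluate(contract: DataContract, req: AccessRequest) -> Decision:
    """Deterministic check of one request against one contract: DENY if a recorded
    term is breached, ESCALATE if the contract is silent (a new processing activity
    that must go back through MAP), otherwise ALLOW."""
    denies, escalations = [], []
    if req.output_port != contract.output_port:
        denies.append(f"contract does not govern output port {req.output_port}")
    if req.purpose in contract.prohibited_purposes:
        denies.append(f"purpose '{req.purpose}' is explicitly prohibited")
    elif req.purpose not in contract.allowed_purposes:
        escalations.append(f"purpose '{req.purpose}' not covered; amendment needed")
    if req.retention_days > contract.max_retention_days:
        denies.append(f"retention {req.retention_days}d exceeds "
                      f"{contract.max_retention_days}d")
    if (req.processing_type in contract.pseudonymisation_required_for
            and not req.pseudonymised):
        denies.append(f"'{req.processing_type}' use requires pseudonymisation")
    # The defensible record: every decision names the sign-off it rests on.
    basis = f"signed off by {contract.signed_off_by} on {contract.signed_off_on}"
    if denies:
        return Decision("DENY", denies, basis)
    if escalations:
        return Decision("ESCALATE", escalations, basis)
    return Decision("ALLOW", ["all contract terms satisfied"], basis)


def affected_by_new_restriction(contracts, newly_prohibited: str) -> list:
    """Policy drift: approved contracts that still allow a now-prohibited purpose."""
    return [c for c in contracts if newly_prohibited in c.allowed_purposes]


# Constructed sample contract mirroring the page's website-user-behaviour example;
# the output port path and sign-off details are placeholders, not real values.
WEBSITE_BEHAVIOUR = DataContract(
    data_product="website-user-behaviour",
    output_port="s3://example-lake/website_user_behaviour/",
    allowed_purposes=frozenset({"product_enhancement"}),
    prohibited_purposes=frozenset({"marketing", "customer_profiling"}),
    max_retention_days=3 * 365,
    pseudonymisation_required_for=frozenset({"ai_model"}),
    signed_off_by="legal.reviewer@example.com",
    signed_off_on=date(2025, 1, 15),
)
```

In a real deployment the contract would live as a YAML file under Git and the checker would run on every access request at submission time; the point is that the answer is computed from recorded terms, not from someone’s reading of a policy PDF.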
As with the other steps, start small and scale up. Start by only evaluating new data requests. Then you could extend this process to periodically and randomly check query logs to verify that actual usage still matches the contracts. Or you could choose to trigger quarterly audits. Whatever is needed within your organisation.
Let’s be pragmatic: don’t expect a clean starting point. What the RUN phase will initially reveal is the governance debt that has been accumulating quietly for years. That’s fine. Visible problems are solvable ones.
The Outcome
The Business Value of Getting this Right
The value of real automated and observable governance is hard to see if you are not aware of the tsunami that is coming over the horizon. Several vendors are already rolling out managed AI services.
What has surprised me most over the last 12 months is how quickly non-technical people are starting to build their own small networks of AI agents and automations. Today many of these are still prototypes or side projects, but it’s obvious that this will soon spill over into real business processes at scale. I’ve personally seen highly impressive solutions built by people with little formal technical background, yet often with very limited awareness of the legal implications, governance requirements, or compliance conditions that come with them.
The study AI agents under EU law: A compliance architecture for AI providers⁴ indicates that the legislative framework is not currently suitable for real, complex AI systems. Many in the industry predict that the legislation will not keep up, which means legal teams will need to be enabled to make risk-lowering decisions at scale.
In the process that I put forward, because Legal’s decisions are recorded as structured sign-offs on data contracts rather than prose opinions, legal accountability is clear, defensible and unambiguous. If a question arises about why a particular access request was approved, the record shows exactly what was assessed, by whom, on what date, and under what conditions. This is the difference between saying you acted responsibly and being able to demonstrate it.
My one concern with this approach
There’s one future scenario that has me worried (apart from us all becoming like the humans in Wall-E). What if my suggested plan goes too well? It becomes such a polished process that we become over-confident.
At first this looks like progress: frustrating and hard-to-understand human interactions become clean structured handoffs which are easy to query. But because the hand-offs are so seamless, confidence increases faster than comprehension.
Humans start reviewing the shape of the output rather than the substance. “It looks great” rather than “Yes, it’s interpreting the request correctly”. Over time, the “human in the loop” becomes thinner. At first we review, then we only approve, then we start asking another LLM to check whether the first LLM missed anything. Eventually, the organisation is not really transferring knowledge between people anymore; it’s transferring plausible summaries between systems. The danger is not that the AI makes one obvious mistake. The danger is that accountability becomes distributed across a chain of beautifully formatted outputs that nobody fully owns, understands, or has time to interrogate. When something fails, everyone can point to a hand-off, a review, a summary, or an approval step. But the original context has evaporated. The loop still contains humans, technically. It just no longer contains human judgement at the point where it matters.
What if we do nothing?
As Jean-Paul Sartre said: “Once we know and are aware, we are responsible for our action and our inaction.” Failing to shift is not neutral; it’s a regressive choice. The AI Act’s phased enforcement means organisations that haven’t operationalised literacy by then are already non-compliant. The compliance window is closing while AI velocity keeps doubling.
In practice, every month of delay compounds the debt. The longer legal advice stays trapped in unstructured documents, informal interpretations, and human-only review cycles, the closer it moves from being merely inefficient to being indistinguishable from non-compliance. And as regulatory expectations shift toward demonstrable literacy, traceability, and accountability, “we didn’t know” will no longer be a credible defence.
If I had a crystal ball
If I were to look into my crystal ball, I’d predict some manifestation of the Gartner hype cycle “Plateau of productivity” playing out.
I believe around 2027/2028 there will be considerable pushback from regulators if we can’t reel back the control. We will have quite a few real-life horror stories in the news about Agentic AI gone bad in the next 2 years. The pushback will be met by companies and consulting firms that promise better governed implementations (like the one I propose) and then for years we will have this delicate dance between the regulators and the companies that are pushing the boundaries.
In the end we’ll survive, and most likely it will be less dramatic than some (like myself) envisage.
[1] ‘Processing’ as defined in Article 4(2) of the General Data Protection Regulation (EU) 2016/679 (GDPR).
[2] Bitol. (2025). Open Data Contract Standard (ODCS) (v3.1.0). LF AI & Data Foundation. https://bitol-io.github.io/open-data-contract-standard
[3] Dietz, L. W., Wider, A., & Harrer, S. (2025). Automating Data Governance with Generative AI. AAAI/ACM Conference on AI, Ethics, and Society.
[4] Nannini, L., Smith, A. L., Maggini, M. J., Panai, E., Feliciano, S., Tiulkanov, A., Maran, E., Gealy, J., & Bisconti, P. (2026). AI agents under EU law: A compliance architecture for AI providers. arXiv. https://arxiv.org/abs/2604.04604