If you work in a regulated industry, such as banking, healthcare, government, or aerospace, you’re likely aware of a stark reality: your sector is deploying AI more slowly than unregulated industries. The irony is that the organizations that would most like to use AI to improve operations and competitive positioning are the ones least able to use it, because compliance requirements create barriers. Most modern AI platforms simply aren’t architected for regulated environments.
According to the State of AI in Support Operations: Balancing Innovation and Compliance survey we conducted this Fall, roughly seven in ten organizations (71%) have adopted AI for support operations. Yet the numbers tell a different story when examined by industry. While nearly all technology companies (92%) have deployed AI for customer support, just over half of organizations in regulated industries (58%) have done the same, a disparity that reflects a mismatch between how modern AI is commonly deployed and what regulated industries actually need from their infrastructure to safely deploy AI.

Security and Compliance Block AI Adoption in Regulated Industries
Most vendors address the adoption disparity through a security lens, pointing to their platform’s comprehensive security measures. The issue, however, goes considerably deeper than their explanations suggest.
The standard AI deployment model works this way: your help desk platform runs in the cloud (typically AWS or Azure) while the platform’s AI capabilities run on a separate part of the cloud or on another cloud entirely, with unencrypted data flowing between the services.
The cybersecurity posture of the large public cloud services is strong, so for most organizations this architecture is just fine. But for many organizations in highly regulated industries or those with strict data sovereignty requirements, this model creates a significant problem. Unencrypted data flowing around public cloud services is simply a no-no from a security or compliance perspective.
IT Security Teams Determine AI Platform Selection
The adoption patterns between technology companies and regulated industries reflect fundamentally different approaches to security. Technology companies often operate with a reactive security posture, relying on the security infrastructure of the public cloud providers, moving fast to deploy cutting-edge technologies, and addressing additional security concerns as they arise. Most organizations in regulated industries operate under far more rigorous conditions where strict compliance requirements must be met before systems go live.
This difference manifests directly in the purchasing process. In regulated industries, more than half (56%) rate AI security as critical compared to less than half (43%) across all industries, and the vast majority of organizations (78%) involve IT or security teams in final purchasing decisions, effectively giving these teams veto power.
When security teams evaluate platforms with AI capabilities, they encounter a limited set of viable options: cloud-based solutions with modern AI features that, explicitly or not, require unencrypted data to flow between external systems, or on-premises solutions with expensive and/or limited AI capabilities. In practice, more than half (53%) of organizations currently in pilot or evaluation phases focus specifically on defining security and compliance requirements before committing to vendors, moving deliberately through their evaluation because the consequences of getting decisions wrong include regulatory fines, operational shutdowns, and reputational damage.
For technology companies, the question is straightforward: “Will this improve our operations?” For regulated industries, the follow-up question is whether the organization can use it and remain compliant, and if the answer is unclear, the software doesn’t get purchased.
Four Criteria to Consider when Evaluating AI-enabled Platforms in Regulated Industries
If you work in a regulated industry, here are some criteria to consider when evaluating AI for support operations:
- Does the platform have its own dedicated data center(s) in which it is running the AI foundation model services, or does it rely on services hosted in the public cloud?
- Does the platform offer deployment flexibility? Confirm that the platform can run in your virtual private cloud or data center rather than being restricted to the vendor’s public cloud infrastructure.
- Does the platform support AI model selection? Determine whether you can bring your own AI provider/model or if you are locked into the vendor’s chosen foundation model.
- Does the platform meet your data sovereignty requirements? Verify that your data will remain within the relevant geofenced area or security perimeter.
- Does the platform meet your compliance requirements? Evaluate the governance and visibility capabilities to confirm you can see exactly what’s happening with your data and maintain audit trails.
AI Adoption in Regulated Industries Requires Architectural Change
The AI adoption gap between technology companies and regulated industries isn’t permanent; it signals that vendors have built solutions for one market while the challenges of another remain largely unaddressed. This is a pattern that has historically been temporary in enterprise software. Eventually, the neglected market’s demand becomes large enough that vendors either adapt their offerings or get displaced by competitors who do.
The organizations that rethink their architecture to support secure AI deployment will establish the standard for how enterprises deploy AI-enabled tools and platforms going forward. Nearly three-quarters (74%) of organizations expect to increase their focus on AI security over the next two years, a clear signal that the market is ready for this shift. As regulations evolve and AI’s role in support operations and business operations deepens, the importance of security and compliance in procurement decisions will only increase.




