Will Compliance Rules Change How Enterprises Buy GenAI?
The landscape of enterprise AI purchasing is undergoing a significant transformation, shifting from a tech-first approach to a compliance-first mindset. This change is largely driven by the stringent regulations established under the EU AI Act, which imposes fines that can reach up to €35 million or 7% of annual revenue for non-compliance.
Regulatory Landscape
The AI Act came into effect on August 1, 2024, with full activation expected by August 2, 2026. Companies that fail to adhere to these regulations may be forced to withdraw AI systems from the market, rendering non-compliant solutions unviable. The implementation of these rules varies across EU member states, creating complexity for global enterprises navigating this regulatory environment.
Enforcement actions have already begun to yield substantial penalties, as evidenced by France’s CNIL imposing fines of €325 million on Google and €150 million on Shein for cookie consent violations.
Impact of Copyright Cases
High-profile copyright disputes are further reshaping the vendor selection process for enterprise buyers. For instance, Anthropic recently agreed to a proposed settlement of $1.5 billion concerning approximately 500,000 works, committing to destroy unlawfully obtained files. Similarly, Thomson Reuters secured a partial summary judgment against Ross Intelligence, which improperly utilized 2,243 Westlaw headnotes, harming Thomson Reuters’ market interests.
Some legal precedents are favorable for AI companies, such as the ruling in Bartz v. Anthropic, where the court deemed the use of purchased print books for AI training as “highly transformative” and a case of fair use, though this was separated from Anthropic’s use of pirated copies.
Shifting Buyer Priorities
The changing legal landscape is influencing enterprise buying behavior, with factors like security and cost gaining precedence over mere accuracy and reliability. A prominent industry leader noted that “for most tasks, all the models perform well enough now—so pricing has become a much more important factor.”
Organizations employing AI systems are advised to negotiate contracts that ensure the developer conducts thorough reviews of training inputs and eliminates reliance on questionable datasets. Furthermore, companies are increasingly seeking indemnities from AI providers to guard against potential IP infringements, data privacy breaches, and confidentiality violations.
Emergence of Compliance Startups
The demand for compliance solutions has led to significant investments in AI compliance companies. For example, Delve raised $32 million at a $300 million valuation, a substantial increase from its previous funding round, serving over 500 companies across various compliance frameworks. Meanwhile, Zango secured $4.8 million for its AI-driven governance, risk, and compliance platform.
The Market Shift
Despite the clarity of regulations, practical compliance remains challenging. AI models can inadvertently reproduce sensitive information from their training data, so outputs may contain confidential data. As a result, enterprises are moving from a “build” to a “buy” strategy, increasingly opting for third-party applications over internally developed tools, which are proving difficult to maintain in this dynamic environment.
This shift towards risk-first buying is creating new market categories in which a startup’s legal safety can command a valuation premium far exceeding that commanded by pure technological capability.