ThinkSet Magazine

AI and Data Privacy Regulation in 2026: Flexible, Principle-Based Governance Is Key

Fall 2025

Amid an increasingly complex and fragmented regulatory landscape, organizations must adopt new governance structures to ensure compliance—and gain a competitive advantage.

In our Winter 2025 forecast, we predicted a dawning convergence around how data-oriented risks—including data privacy and protection, information security, and artificial intelligence (AI)—would be regulated.

Given President Trump’s January 2025 executive order, his subsequent AI Action Plan, and attendant discussions of AI “deregulation,” readers may wonder whether that forecast still holds.

Our view is that you should not be misled. We forecast continued growth in 1) the demand by corporate leaders to leverage and innovate with AI; and 2) the complexity of ensuring that the uses of AI—and the data that fuels it—meet fast-changing legal and market expectations.

An increasingly fragmented data privacy regulatory landscape

The absence of AI-specific federal regulation in the United States and Canada likely will make effective AI use more complex as states and provinces step in to fill the void (to say nothing of class action lawsuits, at least in the US).

Source: Amy Worley, The Confidence Advantage (forthcoming, 2026).

As of this writing, twenty US states have AI-specific laws passed or in the legislative development process, with little indication this trend will slow, and the European Union’s (EU) AI Act also has begun to take effect. If the aim is to use AI with personal data, compliance with the continued sprawl of privacy laws must be considered: twenty states now have comprehensive privacy laws, and global companies also must consider the EU’s Global Data Protection Regulation and numerous other international requirements. In the US, Canada, the EU, and China, laws related to data protection, cybersecurity, and AI have grown by 400 percent since 2016.

The common threads are rapid change and a focus on the responsible use and handling of data. It’s worth noting too that the evolving patchwork of laws is often downstream of what actors in the market—which have a vested interest in the proper care and handling of their data—will demand before the law catches up.

Why Flexible, Scalable, and Efficient Governance Frameworks Are Essential

The speed and scope of these regulatory changes are unprecedented, underscoring the need for organizations to develop flexible, scalable, and efficient governance strategies that unleash the power of their data, AI tools, and other advanced technologies—without getting bogged down in reactive law-by-law or issue-by-issue frustrations. To be effective, these strategies can’t be siloed or made the sole responsibility of a single team.

A concept we call “Confidence by Design” may offer a useful approach to the challenge. The shape this takes varies from organization to organization, but the goal is consistent: embed trust concepts throughout the enterprise to build a principle-based culture of confidence that creates opportunities to lead, innovate, and build lasting value.

Organizations that do this successfully can create confidence internally and in the marketplace that their products, services, and uses of data and new technologies incorporate sound, consistent ethical principles. These in turn allow organizations to move quickly and innovatively while meeting compliance responsibilities (and without compliance merely being an end in itself).

Finding a way to transcend the growing regulatory complexity of AI data and security is both a growing challenge and a significant opportunity. In our view, compliance is necessary, but confidence is transformative and can bring compliance along for the ride.