Technology Overview
The AI technology stack for commerce — foundational models, agentic AI, LLMs, privacy & security, investment costs, and what comes next — based on Book Part 5 of the AI Best Practices for Commerce reference.
Privacy & Security
Foundational principles for responsible AI systems
Regulatory and Governance Considerations
Regulatory frameworks worldwide are evolving to account for the unique risks associated with artificial intelligence. Traditional privacy laws already impose obligations around lawful basis, consent, purpose limitation, data minimization, and user rights. These principles remain essential but must be reinterpreted for AI environments where data may be transformed, embedded, or inferred in ways that challenge conventional assumptions.
A fundamental regulatory concern is transparency. Organizations must explain how AI systems make decisions, what data they rely on, and how individuals can exercise control over their information. However, producing meaningful explanations for complex models is challenging, as their internal representations are not easily interpretable. This tension between legal expectations for clarity and the mathematical reality of deep learning continues to shape debates around explainability and accountability.
The European Union’s AI Act represents one of the most comprehensive attempts to regulate AI at scale. It requires organizations to classify systems by risk category and impose stricter obligations on high-risk applications. These obligations include robust data governance practices, human oversight mechanisms, thorough documentation, and continuous monitoring for safety. General-purpose AI systems must comply with additional transparency requirements, ensuring that users understand the capabilities and limitations of the models they interact with. This regulatory shift reflects a philosophical change: AI systems are seen as socio-technical systems with broad impact, requiring governance frameworks similar to those used for critical infrastructure.
International standards such as the NIST AI Risk Management Framework and ISO/IEC 42001 complement these regulatory developments by providing actionable guidance. These frameworks emphasize lifecycle governance, cross-disciplinary collaboration, transparency of design choices, and the need to embed security and privacy considerations into the earliest stages of development. Organizations that adopt these frameworks benefit from clearer internal processes, improved risk-assessment capabilities, and stronger alignment with emerging global norms.
Beyond formal regulations, internal governance practices are gaining prominence. Many organizations establish AI ethics committees, data governance councils, or model review boards to oversee the development and deployment of AI systems. These groups evaluate the ethical, legal, and operational implications of proposed models, ensuring that risk considerations are balanced against business objectives. At the operational level, maintaining inventories of AI systems, documenting datasets, and defining usage policies help organizations maintain discipline and transparency across their AI portfolios.
Governance must also account for organizational culture. Without proper communication and training, even the most robust policies may fail in practice. Governance frameworks succeed only when employees understand the rationale behind them and are empowered to follow them consistently.
- EU AI Act: risk-based classification — high-risk AI requires robust data governance, human oversight, continuous monitoring
- NIST AI Risk Management Framework: lifecycle governance, transparency, cross-disciplinary collaboration
- ISO/IEC 42001: embed security and privacy from earliest design stages
- GDPR, CCPA, HIPAA: data residency, purpose limitation, right to deletion all apply to AI training data
- Differential privacy: mathematical guarantees limiting individual data point influence
- Synthetic data: artificial datasets preserving statistical structure without real individuals
- Data minimization: collect only what is strictly necessary for defined purposes
- Federated learning: train locally, share only model updates
- Trusted Execution Environments (TEEs): hardware-level isolation for sensitive compute
- Secure multiparty computation / homomorphic encryption
- Data pipeline: validation, sanitization, encryption at every stage
- Training isolation: protected clusters, anomaly detection on gradients
- Agent controls: least-privilege, audited operations, sandboxed actions
Last updated: March 12, 2026