Ashley Taylor, Gurkan Ay, and Andrew Coles focus on how AI is being regulated today — and what companies should be doing now to manage risk.
In this episode of Regulatory Oversight, host Ashley Taylor continues his multipart series on artificial intelligence (AI) with returning guests Gurkan Ay and Andrew Coles of Resolution Economics. Together, they move beyond headlines and hypotheticals to focus on how AI is being regulated today — and what companies should be doing now to manage risk.
Instead of waiting for a single federal AI law, the conversation explores the reality of "regulation by litigation" and enforcement. Ay and Coles explain how existing legal frameworks — such as anti-discrimination, employment, and privacy laws — already shape how AI can be used, and why the specific use case is critical. They walk through real-world examples using the same sentiment-analysis tool in two different ways, showing how differences in data, time horizon, and impact on employees can create very different risk profiles, even with identical technology.
The discussion also tackles the perceived tension between innovation and safeguards, and ongoing debates over a national AI framework and preemption of state AI laws. Rather than framing AI as a choice between speed and safety, the guests argue that organizations can foster innovation while still being thoughtful about how AI affects employees, customers, and other stakeholders.
Regulatory Oversight Podcast — AI State Regulatory Frontiers: How Existing Laws Regulate AI
Host: Ashley Taylor
Guest: Gurkan Ay and Andrew Coles
Aired: 4/29/26
Ashley Taylor:
Welcome to another episode of Regulatory Oversight, a podcast dedicated to delivering expert analysis on the latest developments shaping the regulatory landscape. I'm one of your hosts, Ashley Taylor, the co-leader of our firm's nationally recognized State Attorneys General practice and a member of our Regulatory Investigation Strategy and Enforcement or RISE practice group. This podcast highlights insights from members of our practice group as well as guest commentary from industry leaders, regulatory specialists, and current and former government officials. Our team is committed to bringing you valuable perspectives, in-depth analysis, and practical advice from some of the foremost authorities in the field today. Before we begin, I want to encourage all of our listeners to visit and subscribe to our blog at regulatory oversight.com to stay current on the latest in regulatory news.
Today we are continuing our multi-part series on artificial intelligence and our discussion with Gurkan Ay and Andrew Coles from Resolution Economics. In this episode, we'll focus on how AI is actually being regulated today and what practical steps companies should be taking now to manage AI-related legal and operational risk. And as a reminder, Gurkan is a director at Resolution Economics in Washington, D.C., where he leads advanced data analytics and compliance assessments in high-stakes matters and advises clients on AI governance and the risk of automated decision tools. Andrew is also a partner at Resolution Economics, a CPA and certified fraud examiner with extensive experience in forensic accounting investigations and global compliance. Gurkan and Andrew, thank you both for joining me again today, and let's pick up on our discussion. I want to start by asking, is AI regulation even relevant?
Gurkan Ay:
I can jump in. But first, thanks for having us again. It's a pleasure to be here and continuing this discussion. Is AI regulation even relevant? I think it's a tough question to answer. The answer is probably yes, but I don't think it's in the way that people expect. The real world is not waiting for one AI regulation that covers everything. Companies are already facing AI risk through existing laws, state activities, some agency guidance, and more importantly, private litigation. So I think the practical question is less about whether AI in general should be regulated, but more about how a specific AI use case creates legal or operational risks and whether there are risks associated with those pieces.
I think the starting point is what is the tool actually doing, what decisions it is affecting, what is the harm that it's causing, if there's any, or what is the potential harm that it could cause, and who could be harmed, and what laws or regulations can apply in these contexts separately. In the absence of a broad AI regulation, I think the companies are operating in an environment where Andrew called in our previous episode regulation by litigation environment. So everyone is learning from the lawsuits and enforcement actions and settlements, and the state activity is basically filling the void that we have now.
Andrew Coles:
Yeah. And again, I'll echo what Gurkan said. Ashley, thank you so much for having us back on. We appreciate the time with you and all of the listeners out there. I agree. I agree with exactly what Gurkan just said. If you haven't adopted or started using AI yet, whether it's in your personal capacity or professional, not that you missed the boat, but you're late to adopt. I think what we've seen, even internally, our firm has our own closed network internal system that we leverage for a number of different things. And I think we've seen this happen across a number of our clients out there of how are they leveraging and harnessing AI technology to allow them to do more things, allow their people to be more efficient, allow them to spend their hours on things that really matter, really take the brain power versus the research that I think I talked about on there. I know I talked about on the last episode of this podcast.
I think the big thing here is that we are learning by litigation. And I think those are the biggest things that when clients ask us, how should I think about this or what should I do, is that we have to look to litigation and figure out, well, is this applicable in this scenario or not? Because like we had talked about before, and I think a lot of people will hopefully agree with this, is that what company A is using AI for and what company B are using AI for, even though they're leveraging a similar technology versus the predictive, the agentic, all the generative AI that we talked about, just because they're using the same sort of tools doesn't mean they're using it for the same thing. And those things, whether it's labor and employment or looking for fraud or reviewing applications, the results are different, the data is different, how it works is different. And I think it will, at this point in time, we're gonna be hard-pressed to find a regulation that encompasses all of it other than the applicability of current laws as well as what case law is telling us about what we should think about in these cases.
Gurkan Ay:
I can give a very concrete example of the importance of the use case. We had two projects. One was a proactive AI bias assessment, and the other one was within the context of a lawsuit. The underlying AI tool in both projects was the same. Basically, this tool is used to do a sentiment analysis of the customer representative conversations. So there is this company, they have a call center, and every conversation between the customers and the call center representatives is recorded. And this AI tool conducts a sentiment analysis on those conversations. You may recall a few years back, when you call your credit card company or some other utilities, they would say that, "Oh, this conversation is being recorded. If you'd like to stay on the line, then we will conduct a brief survey at the end of this conversation."
Now what's happening is, instead of conducting that brief customer satisfaction survey at the end of the conversation after everything is said and done, the AI tool is analyzing those conversations in real time and creating a sentiment score. This was a good conversation, it was a bad conversation, this was a neutral conversation. What is happening, how the results of the sentiment analysis is used, is very interesting. And this gets to the heart of the use case and how different risk can arise from different uses of the same tool. For one of our clients, they were taking the sentiment scores coming from every conversation, averaging them out or applying some kind of logic to create an average sentiment score for every customer representative for every pay period. Based on the customer representative's sentiment score, an incentive portion of their compensation is calculated.
So if this representative had a good month or good two weeks, then they would get a better incentive pay bonus at the end of the pay period. So this had a very direct impact on their compensation. And you can imagine the amount of data that is accumulated in this process. For the other client, it's the same tool, it's the same concept, it's used the same way. Every conversation is recorded and assessed. For the other client, they didn't use the sentiment scores for each pay period. Instead, they calculated the average or some kind of weighted average of the sentiment scores for the entire quarter or for the entire year, and the sentiment score is fed into their performance assessment system. Every year, these employees would get a performance rating. Part of their performance rating, among many other things, is their sentiment score throughout the quarter or throughout the year.
So in this instance, the impact of the tool is very indirect. It still may impact the employee's pay at the end of the year, but in a very indirect way. And we don't know... I mean, it's not easy to figure out whether that impact is even material. Is it even changing the incentive portion of their annual pay? So what I wanted to highlight with these examples is the use cases, the way the tool is used is different, the period is different, the data behind is different, and its impact is different. Because of all this, the risks associated with the use is quite different. Every instance of an AI tool is gonna pose different risks. So we always caution our clients, don't take comfort in seeing a bias audit of the tool that was done using someone else's data. Let's see how you are gonna use it, let's see what kind of data that you are gonna use it for, and let's see what the results are for that specific use case that you will have at the end of the day.
Ashley Taylor:
So, Gurkan, that seems to put companies in a quandary. You've identified the complexities and the variables, but there is no single standard, certainly not a federal standard. How should companies think about compliance and risk in that context and in this environment?
Gurkan Ay: Again, the focus is on the process. Take this case-by-case basis, look at how you use it, and see what are the applicable laws to your specific case, and then go from there.
Andrew Coles:
That's exactly what I was going to say, Gurkan, is that to highlight something that we have talked about internally across many different clients is that, and not just AI, I think it's an applicable sort of thought process for many different things is, innovation versus risk tolerance or how you manage the innovation. Because what we're seeing right now is innovation of tools and applicability of those tools to what we do. What Gurkan just described is seeing two different use cases with the end result somewhat similar, going into some sort of score. But just because it works for one company it doesn't mean it's gonna work for the other. And I think that's what we're assessing or thinking about in terms of regulation. Just because the overarching regulation may say do this, don't do that, or be wary of this and careful of that, it doesn't mean it's gonna work for company A and company B and company C.
And that's how, I think, even when a company thinks about, well, do we want to expand to a country in Africa? Or do we want to go to Latin America? Well, coming from my perspective, the bribery and corruption risks are different in those countries. So how do I safeguard that expansion and that innovation to those new territories versus the risk that is ultimately part of those decisions? And I think the same thing comes back to AI. And I think companies should challenge themselves to say, let me think how this will impact me, impact my shareholders if it's private, how it'll impact my employees. And I think that's really where we're at right now, is that we aren't seeing a big overarching regulation, but what we are seeing is companies being thoughtful, and if they're not, they should be thoughtful and forward-thinking in terms of what that impact could be.
Ashley Taylor:
How do you all think about this debate that we see developing, which is framed as a tension between innovation and safeguards? So we are recording this in the context of a national debate in Congress around a single AI framework and whether states should be permitted to continue to innovate legislatively and in a regulatory context around AI, or whether there should be preemption and one set of rules. How do you all think about that tension and/or debate? Is that a real tension? Is it an either/or proposition?
Andrew Coles:
I don't think it's either/or. I think it's finding the happy medium. No matter what field of work you're in, if you go to a conference today, there are going to be probably one, but most likely more than one section that talks about AI. I think everyone has it top of mind for two reasons. One is that a lot of us are very creative and innovative and we want to figure out ways to use it. But two, we are concerned about how it is used and the perception of what data is being stored. "Wait, you're recording our conversations and using it to impact someone's pay?" I think if we're struggling and if there is a debate, I think it's a good one in the sense that we don't want to burden, or I don't think the government, the regulators want to burden people with, "You shouldn't be doing this." I think what we're looking for and what we'd like the government to help us with is that we should be using these tools to innovate. But companies should be thoughtful in figuring out, well, can we innovate carefully so that we aren't stepping into these gray areas without thinking about the risks and the impact that it could have on our stakeholders?
Gurkan Ay:
If I can chime in on this, the Senate's draft AI framework from I think it was last week, it focuses on certain areas, but I think one of the last items in that framework is preemption of the state AI laws. The focus there is to make sure that the state-level laws do not hinder the innovation or the development of the AI tools. That's great. We all agree that we need to make sure that we are competitive and we are making the best tools out there. But at the same time, the existing laws are still there. Non-AI related laws are still there. Non-discrimination laws are in the books at the federal level. The privacy laws at the federal and state level, they are still there.
So even this new framework focuses on making sure that the AI tools are competitive globally, we need to keep in mind that the existing laws are still there, regardless of it's AI or a human making a decision, we need to still comply with all the laws that we have. So I think it's gonna put a little bit more burden on the companies because now, with this uncertain regulatory environment, the companies have to pick their own risk acceptance levels. And based on that, based on where they operate, how they operate, what kind of tools that they use, they need to pick and choose a menu of regulatory decisions along the way. So I think until we have more guidance moving forward, it will be a little bit burdensome on the organizations using the AI tools to decide how much risk they are going to accept and how they are going to comply with whatever is out there at the moment.
Ashley Taylor:
That's a great segue. Our listeners to this podcast join us on a regular basis because we provide practical advice as part of this podcast series. So I don't want to disappoint them. What should the organizations be doing now, gentlemen, if they want to use AI responsibly and they want to reduce their legal and operational risk? This is the money question that they all tuned in for.
Andrew Coles:
Yeah. And I'll go first here. And I've always said this to all of my clients, regardless of what we're working on, is that, buy-in is key. So getting the right stakeholders in the room to make these practical business decisions is extremely important. For example, when we're developing a third-party risk management program, we're not developing that program to solve just for bribery risk or just for privacy or just data security. We're doing it to solve for a myriad of risks that impact the organization. The same thing goes for AI and responsible use of AI is that it doesn't just impact one department, but there's legal implications, there's personnel implications for HR, there's IT implications, there's compliance implications.
So, when we're making these decisions and companies are making these decisions, and hopefully we're helping them make those decisions, it's bringing the entire stakeholder team together to ensure that we are thinking through what that risk is, how we're safeguarding that risk, but also going back to the previous question, that's allowing us to innovate and provide value to not only our internal team, but our customers and our clients, so on and so forth. I think that's a really big thing that often gets overlooked. Because if you're like, "Oh, we have the right people in the room," but do you? I think that's the real question that you need to ask yourself.
And the other big thing that I will say, and then Gurkan, I'll turn it over to you because I think you have some really good ones here, is that just because you outsource something doesn't mean that the risk is gone. It's that ultimately you are still going to be responsible for what you're putting out. So if you're using this AI tool, an enterprise risk tool, and you don't know what's going on inside that tool, that black box that we talk about, it doesn't matter. It's ultimately your responsibility to your stakeholders to understand what's happening. You can't outsource that responsibility. And I think that's a big thing when you're talking about these innovative solutions or potential AI rollouts with your stakeholder team is, what is our risk, what are we outsourcing, and how is that risk being managed?
Gurkan Ay:
Let me pick up on that, Andrew, actually. So, if you can't explain why the AI made a decision, you cannot defend it in the court. So to understand and to explain how the decisions are made, we need to look at the entire process, not just what goes into an AI tool or what comes out of the AI tool. Especially with the advent of the agentic AI, I think the importance of looking at the entire process is more critical than ever. Agentic AI tools are communicating with each other, they're communicating with your existing tools, they're communicating with non-AI tools. So understanding how all these come together it will be very critical in case there is a complaint about the process.
Another thing is, going back to our discussion earlier on the use case, it is not enough to analyze or look at how AI is making a decision. It is important to look at the entire process and how AI is integrated into that entire process so that we can see whatever the problem is, whether it's coming from the AI or it's coming from some other parts of that process. So it is critical to look at the big picture first, understand how AI comes into play, how it is used, and distinguish between the AI components and non-AI components. That's gonna help us to find what exactly is going on, what the problem is, but also it's gonna help us to address any issues that we might find.
Ashley Taylor:
Gurkan and Andrew, I want to thank you all for that practical advice to close out this session. I think that's all we have time for today. So again, I want to thank our listeners for joining us for these two episodes and to thank you all again for joining us as our resident experts. Remember to subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use, and we look forward to having you join us next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.
---------------------------------------------------------------------------
DISCLAIMER: This transcript was generated using artificial intelligence technology and may contain inaccuracies or errors. The transcript is provided “as is,” with no warranty as to the accuracy or reliability. Please listen to the podcast for complete and accurate content. You may contact us to ask questions or to provide feedback if you believe that something is inaccurately transcribed.