Executive Summary
- Chief Editor, Lauren Raybould, sat down with George Tziahanas, VP of Compliance and Associate General Counsel at Archive360, to talk about AI ‘shadow regulation’ and the important steps UK companies need to build an AI strategy that is legally defensible without crippling operational efficiency.
- AI shadow regulation is how lawsuits, copyright claims, and commercial pressures establish de facto rules for artificial intelligence. For the UK, AI governance may start being defined through litigation and enforcement actions under existing authorities, versus new legislation. If a model uses personal or customer data, organisations must demonstrate control in data lineage and provenance, its use, and outcomes against expectations.
- AI adoption is moving faster than governance, and that’s where the real risk sits. Two years ago, companies were banning AI. Today, those same companies are rolling it out fast while trying to figure out governance at the same time. Waiting for formal regulation risks creating a gap where litigation and enforcement effectively set the rules instead.
Chief Editor Lauren Raybould sat down with George Tziahanas, VP of Compliance and Associate General Counsel at Archive360, to talk about the reality of AI shadow regulation, how AI adoption is moving faster than governance, and why organisations should still retain AI data in case of future regulation, using a governed, tiered retention system that balances the need to optimise and become more efficient.
For UK firms operating under GDPR and banking rules, what does the reality of AI ‘shadow regulation’ look like in practice, and why is waiting for formal policy a mistake?
“Shadow regulation is starting to happen with courts and regulators starting to apply existing data privacy, cybersecurity, financial services, and recordkeeping obligations to AI systems. In the UK, firms shouldn’t be waiting for a dedicated AI statute. They are already being judged on whether their use of data is lawful, explainable, and defensible.
“In practice, AI governance may start being defined through litigation and enforcement actions under existing authorities, versus new legislation. If a model uses personal or customer data, organisations must demonstrate control in data lineage and provenance, its use, and outcomes against expectations. That is becoming the real test for enterprises.
“What is clear is that AI adoption is moving faster than governance, and that’s where the real risk sits. Two years ago, companies were banning AI. Today, those same companies are rolling it out fast while trying to figure out governance at the same time. Waiting for formal regulation risks creating a gap where litigation and enforcement effectively set the rules instead.”
How does the risk of AI litigation change the way data centres and enterprises must manage the explosive growth of unstructured data?
“Litigation risk fundamentally changes data from being an operational by-product into a governed legal asset. Defensibility in how data is used to train models, execution by agents and AI applications, and expected outcomes becomes critical. They could become discoverable evidence in AI-related actions such as bias, discrimination, data loss, or inappropriate use or outcomes.
“That shifts expectations around scale. It is no longer enough to store data efficiently. Organisations need confidence they can reconstruct how datasets were formed and how they were used in model training or decisioning.
“A useful parallel is early eDiscovery cases like Zubulake, where existing retention and civil procedure rules brought digital communications into routine scope. AI extends that requirement across far larger, more complex datasets. In recent supply chain incidents involving AI platforms, scrutiny has extended beyond breach events to data lineage and reuse. That level of exposure forces enterprises to treat data as part of governed infrastructure, not passive storage.”
If companies must retain large auditable platforms of AI inputs to defend against lawsuits, how can the data centre industry balance this data growth with its urgent need to cut energy consumption?
“Retaining or governing the data is a very small contribution to energy consumption in a data centre. AI training and inference consume most of the energy in data centres.
“The workable approach is governed, tiered retention. High-risk datasets linked to regulated decisions, model training, or sensitive processing must remain fully auditable. Lower-risk operational data can be summarised, compressed, or transitioned into aggregated formats over time.
“Data centres must become part of the governance model. Lifecycle automation, policy-driven retention, and structured deletion controls are essential to managing both compliance and energy efficiency together.”
How must data centre storage architectures evolve to move away from passive archiving toward active, fully auditable data structures that can withstand a legal challenge?
“Storage architectures are shifting from passive repositories to active governance systems. The requirement is no longer just to store data, but to maintain context, lineage, and traceability throughout its lifecycle.
“In practical terms, that means embedding metadata, provenance, and policy controls directly into storage layers so data remains auditable wherever it moves. AI training data, prompts, and outputs need to remain linked, not separated across systems.
“Data centres need support platforms that enable traceability and classification of data so it can be linked to its operational and legal context. Without that, organisations end up trying to reconstruct data histories after the fact, which is both costly and unreliable. Governance becomes the control layer for AI, and this is a benefit to everything running in a data centre.”
What is the single most important step UK data centre leaders and CIOs should take today to build an AI strategy that is legally defensible without crippling operational efficiency?
“Defensibility has to be built in, not retrofitted. The most important step is to embed data and AI governance as an architectural principle. This provides trust throughout the AI ecosystem. It provides a foundation of trust in the data used in training and inference, and allows data centres and organisations that rely on them to manage risk.
“Without strong data and AI governance, it is difficult to successfully execute an AI strategy. The organisations that get this right will unlock efficiency and reduce risk at the same time, but it requires treating AI systems as governed operational assets rather than experimental tools.”



