Are you sure the compliance answer you got from open-source AI is correct? Do you trust it?
AI is predicted to transform the speed of compliance monitoring. But speed does not equal accuracy. The gap between an answer that appears right and one that is actionable and defensible is where compliance exposure can live.
By Mary Foley, Expert Services Strategy Director, Enhesa
Quick Summary
- Open-source AI can generate compliance answers that look authoritative and well-sourced — but a wrong answer and a right one are indistinguishable on the surface, and the difference only tends to emerge during an audit or a regulatory challenge.
- EHS regulatory requirements grew from 203,000 in 2020 to 289,000 in 2024, and no team can manually track that volume — but speed alone is not a substitute for verified, defensible intelligence.
- The real standard for any AI-generated compliance answer is whether you can trace it back to its source, confirm it has been validated by jurisdiction-specific experts, and defend it to an auditor, a regulator, or your board.
- Why can’t you trust a compliance answer from a generic AI tool, even when it looks correct?
- What is the difference between AI that retrieves regulatory information and AI that delivers defensible compliance intelligence?
- What questions should you ask to determine whether the AI your compliance program relies on is a genuine support or a hidden risk?
Somewhere in a compliance team right now, a professional has just asked an AI tool a regulatory question. The answer comes back in seconds. It looks authoritative, cites the right regulation, and can even present a path to action. What comes next is a series of decisions: Do I know enough to believe it? Should I act on it? What happens if it’s wrong?
The problem is there’s no easy way to know if the answer is right. That gap, between what AI surfaces and what can actually be trusted and used, is where compliance exposure lives, and where costly mistakes can originate.
Speed can give a false impression of confidence
Globally, the volume of EHS regulatory change is growing at around 20% a year. New regulations, amended and updated regulations, simplified regulations, and new requirements layered on top of major amendments to existing ones are all compounding over time. To put that into figures, Enhesa tracked 289,000 EHS regulatory requirements in 2024, up from 203,000 in 2020.
No compliance team, however skilled, can manually monitor that volume and complexity, especially across multiple languages, and still have time to act on what they find. The case for AI is therefore a practical one. Tools that reduce the burden of manual monitoring and surface relevant obligations across hundreds of jurisdictions in the time it once took to search just one are a big step forward. Productivity gains are a dividend that compliance teams with limited resources are banking on.
That shift is worth embracing. But speed doesn’t equal confidence.
When an AI-generated compliance answer arrives without a transparent evidence trail or expert validation at both input and output stages, you still face the same decision you always faced: can I defend this to internal and external stakeholders? The monitoring hours may have reduced, but the duty to act on it hasn’t. It has simply arrived faster.
The gap generic AI can't close
Generic AI tools are built for retrieval. They’re exceptionally good at finding the needle in the haystack. But EHS compliance at scale isn’t solely a retrieval problem. It’s a matter of expertise, knowledge, and ultimately judgment.
A regulation that applies or is enforced in one jurisdiction may not apply in the same way in another, especially if your operations differ. A requirement that was current last quarter may have been revised, superseded, simplified, rolled back, or extended since the AI’s underlying data was last validated. Taken individually, these look like isolated cases, but for a business running a multi-site, multi-jurisdictional compliance program, they’re the daily reality.
The consequence is that teams often end up doing exactly what they were trying to avoid. Analysts are pulled in to verify what the AI returned. Results are cross-referenced against other sources. The speed advantage quietly disappears. And the person who owns the risk is left with the same question they started with: can I rely on and defend this answer?
For teams relying on open-source AI to manage compliance obligations, the ground is shakier still. A model trained on general web data has no mechanism for knowing what it doesn’t know. In compliance terms, that’s a major risk.
The specific risk of well-presented, confident-sounding AI output is that errors look identical to correct answers. There’s no red flag, no asterisk. You have little basis for telling them apart. This is where human expertise and experience become crucial.
When that happens, the costs of acting on misinformation rarely show up immediately. They surface later: during an audit, when a regulator calls, or when a missed obligation becomes a market access problem or an enforcement action, bringing you to the attention of the board and possibly even investors. By that point, the original answer may not even be traceable, and the cost of correction can be orders of magnitude higher than it would have been at the point of decision.
Bad data in compliance doesn’t just fail to help. It creates a whole new category of risk. Deploying AI without investing in the quality and integrity of what underpins it is not a neutral act.
What expert-led AI actually changes
The question that matters isn’t a binary one of AI or no AI. It’s a choice between AI that simply retrieves and AI that has expertise, knowledge, and experience embedded in it: AI built on a foundation that makes the output trustworthy.
When expert judgment is built into the architecture of regulatory monitoring, not just bolted on, the output changes. Content is structured and validated at every level. Every answer carries transparent, verifiable reasoning back to the source. The intelligence arrives already assessed for applicability to the specific regulatory context in which the question was asked.
That’s the difference between AI that (mis)informs and AI that enables a decision. The compliance team doesn’t have to second-guess before acting. The EHS director can present the board with one clear, defensible picture of global exposure. The regulatory affairs leader can walk into a call with a regulator with transparent, defensible evidence already prepared.
The stakes aren’t equivalent to the time saved. That time saving is real. But a missed obligation, an enforcement action, or a finding that requires board-level intervention won’t come close to being offset by how fast the tool got you there.
How can you ensure your use of AI is a support and not a hidden risk?
Trust and confidence are the end goals, so start by asking what expertise and knowledge are built into the AI, and whether the output is transparent, decision-useful, verifiable, and defensible. Can you follow the answer back to its source? Has it been validated by regulatory experts with jurisdiction-specific knowledge, who know what applies, where it applies, and to what it applies, and just as importantly, what it doesn’t apply to? Can you defend its output, and your consequent actions, to an auditor, a regulator, or your customers?
A compliance answer that can’t be defended is not a compliance answer. It is a potential risk waiting to be discovered. These aren’t unreasonable questions to ask of any tool your compliance program depends on. They’re the minimum standard.
If the answer is no, you have information. You do not have compliance intelligence.
Need a helping hand with regulatory Intelligence?
Enhesa has a wide range of solutions relying on expert-led AI and a legacy of intelligence and data that is unique to the company. If you need advice or more on compliance strategy get in touch.