The regulatory landscape for AI is, in Beth White’s words, the Wild West — but a Wild West with walls that are closing in, and closing faster than most organisations realise. White, Founder and CEO of MeBeBot, has been building AI governance infrastructure for eight years, serving customers with employees across more than 30 countries. At Running Remote 2026, she walked through the current state of global AI regulation and what it means for distributed companies who have been assuming compliance is someone else’s problem.
The numbers frame the urgency
92% of Fortune 500 companies are using AI in some form. Remote workers show 66% AI adoption rates, significantly above the global average of 16%, because distributed workers are inherently digital-forward and use technology for efficiency in ways that in-office employees often don’t. The Middle East, Singapore, and Scandinavian countries lead in adoption globally.
The problem is that many of the AI solutions being deployed right now are not compliant with the regulations that apply to the jurisdictions where those employees are located. And in a distributed team, those jurisdictions multiply quickly.
The regulatory landscape in 2026
The EU AI Act is the most significant piece of AI regulation currently in force. Building on GDPR foundations and five years in development, it classifies AI applications into four risk tiers — unacceptable, high, limited, and minimal — with substantial fines for violations. The final phase of the Act rolls out in August 2026, and White was clear: most companies are behind on meeting the requirements. Auditors are already asking for proof of privacy settings and data handling practices.
The United States operates under executive orders rather than hard law, with the current administration’s January 2026 executive order emphasising innovation over regulation and actively challenging state-level AI laws. But state regulations carry legal weight regardless. Approximately six weeks before the conference, Workday settled a class action lawsuit concerning age discrimination and bias in its AI-driven hiring and applicant tracking system. The settlement established that state AI bias regulations cannot be ignored.
China requires all employee data to reside on Chinese servers — a practical challenge for companies using Microsoft or Google cloud services, which lack Chinese entities. Saudi Arabia requires compliance with Muslim laws. These are not edge cases. They apply to any distributed company with employees in those countries.
White’s principle on jurisdiction: companies doing business across countries hold risk and compliance liability in all jurisdictions where they operate or have employees. There is no true overlap between compliance requirements — each jurisdiction adds its own layer.
The shadow AI problem
Shadow AI is perhaps the most immediate operational issue. Employees are using AI tools their organisations do not know about — personal accounts, free tiers, experimental tools — because approved tools have not been provided or existing tools have not been granted access to the data employees need to do their jobs. IT and security teams have become unexpected compliance gatekeepers in a landscape they are still learning.
White flagged a specific, common failure: AI tools like ChatGPT default to sharing user data for model training. Unless employees manually disable the data sharing settings, which most do not know they need to do, company information flows into training data. One early ChatGPT incident she cited involved a finance employee accidentally disclosing unreleased financial data weeks before scheduled public reporting.
The three compliance pillars
White’s framework is built around three foundations. Policy: a documented AI usage guideline that actually covers what employees need to know, not just legal boilerplate. MeBeBot offers an attorney-approved template, but the critical thing is having something current and accessible.
Visibility: a complete inventory of every AI tool in use across the organisation, including embedded AI in platforms employees already use. Canva, for instance, has AI features that may be feeding designs into training models. Most organisations do not have a complete picture of their AI surface area.
Enablement: AI literacy training that gives employees the baseline understanding they need before they can make sensible decisions about when and how to use AI tools safely. White noted that most companies attempt AI strategy before establishing AI literacy, which is exactly backwards.
Practical governance infrastructure
Best practices include a vetted approved tools list with Data Privacy Agreements, disclosure to clients when AI is used in their deliverables, incident reporting processes for when something goes wrong, and an AI steering committee with cross-functional representation that reviews use case approvals without becoming a bottleneck.
AI policies need updating at minimum annually, and ideally quarterly given the pace of change. The biggest blocker to successful AI governance, White found, is not technology — it is internal infighting over control, with different departments competing for ownership. The solution requires top-down C-suite clarity, even when executives are themselves uncertain about the right answers.