By Itamar Apelblat, CEO & Co-Founder, Token Security
For decades, compliance frameworks were built on an assumption that now feels outdated: humans are the primary actors in business processes. Humans initiate transactions, humans approve access, humans interpret exceptions, and humans can be questioned when something goes wrong.
That premise sits at the core of regulatory mandates, like SOX, GDPR, PCI DSS, and HIPAA, which were designed around human judgment, human intent, and human control.
But, AI agents are now changing the operating model of modern enterprises faster than compliance programs can adapt.
AI has evolved beyond “copilots” and productivity tools. Increasingly, agents are being embedded directly inside workflows that affect financial reporting, customer data handling, patient information processing, payment transactions, and even identity and access decisions themselves.
These agents don’t simply assist; they act. They enrich records, classify sensitive data, resolve exceptions, trigger ERP actions, access databases, and initiate workflows across internal systems at machine speed.
That shift introduces a new compliance reality. The moment AI agents begin executing regulated actions, compliance becomes inseparable from security. And as that line blurs, CISOs are stepping into a new and uncomfortable risk category where they may be held responsible not only for breaches, but also for compliance failures triggered by AI behavior.
Compliance Frameworks Were Built for Predictable Actors
SOX, GDPR, PCI DSS, and HIPAA all assume that “actors” can be understood and governed. A human user has a job role, a manager, and a clear chain of responsibility. A system process is deterministic and repeatable. Controls can be tested periodically, validated quarterly, and assumed stable until the next audit.
AI agents don’t operate in that manner.
... continue reading