Applied AI Governance Research · 2026

How are regulated enterprises actually handling AI?

A field study of how compliance, risk, legal, and engineering leaders inside regulated enterprises are governing AI today — and the gaps no vendor is solving yet. We are interviewing 40 organisations across legal, financial services, healthcare, and critical infrastructure between May and August 2026.

The premise

Policy is moving faster than practice.

Across regulated industries, AI use has outrun the controls meant to govern it. Internal policies exist on paper. Vendor-supplied training has been delivered. Yet the practitioners we have spoken to — general counsel, CISOs, heads of compliance, engineering leads — describe the same gap: they cannot answer, with evidence, what their organisation is actually doing with AI today.

This research sets out to map that gap honestly. We are not benchmarking maturity. We are not selling a framework. We are asking the people closest to the problem to describe the controls they have, the controls they are missing, and the regulatory exposures they expect to face in the next eighteen months.

Research scope

Five questions we are trying to answer.

Each interview is structured around the same five questions, adapted to the participant’s role and industry.

  1. The control stack as it really exists.

    What policies, training programmes, technical controls, and monitoring tools are deployed today — and which of them are actually enforced versus aspirational.

  2. Shadow AI and the visibility gap.

    Whether organisations can answer, with evidence, where confidential data has flowed through AI tools in the last ninety days, and what they would need in order to do so.

  3. Agentic systems and autonomous action.

    How organisations are governing AI agents that act on their behalf — Copilot Studio agents, Harvey-style agents, custom agents on Anthropic, OpenAI, or Google models — and where accountability sits when an agent acts.

  4. Regulatory readiness.

    How organisations are preparing for the EU AI Act high-risk provisions, ABA disclosure rules, FRCP Rule 11 sanctions, and FMI supervisory expectations — and what they are not preparing for that they probably should be.

  5. The unsolved problem.

    The AI governance problem the participant can see coming that nobody is solving yet. This is the question we care about most.

Participants

Forty organisations. Four sectors. One conversation each.

We are interviewing forty organisations between May and August 2026, weighted toward the roles closest to operational AI governance: general counsel, chief compliance officers, CISOs, heads of risk, chief innovation officers, and the engineering leaders responsible for AI deployment. Sectors include legal services, financial market infrastructure, regulated banking, healthcare, and critical infrastructure operators. Each interview is thirty minutes, conducted under Chatham House rules, with optional attribution at the participant’s discretion.

  • Legal
  • Financial services
  • Healthcare
  • Critical infrastructure

The exchange

What you get for thirty minutes.

  1. Early access to the findings.

    Participants receive the synthesised report — anonymised, aggregated, with sector-level breakdowns — six weeks before public release.

  2. A peer benchmark.

    A short personalised summary showing where your organisation’s controls sit relative to the cohort, on the dimensions you care about most.

Methodology

How the research is run.

Each interview follows a structured questionnaire of roughly forty questions, organised across seven domains: current AI tool landscape, pain and near-misses, existing controls, concept tests, buying process, adjacent and forward-looking risks, and a closing referral question. The questionnaire is the same across participants; the depth is calibrated to the participant’s role.

Interviews are conducted by the research team. Notes are taken in real time. Audio is not recorded unless the participant explicitly requests a transcript. Direct quotes appear in the published report only with written consent.

The research is conducted by the Normis AI research team. The findings will be published as an open report at the end of the field study. No participant data, organisation name, or quote will appear in the report without express permission.

Who is running this

The research team.

Lenka Molins

Co-lead. Chairs the NYC Bar Association’s Subcommittee on International Regulation of AI. Built and scaled Deloitte’s AI audit practice for the EU content safety sector. Qualified New York attorney. MSc, Oxford Internet Institute.

Kyle Bossonney

Co-lead. Software engineer in security at Google, working on autonomous agentic systems operating across an 86-terabyte monolithic codebase. Published at ACM SIGMOD/PODS. MSc, Advanced Computer Science, University of Oxford.

Book an interview

Thirty minutes. Chatham House rules.

We will respond within one business day to confirm a time.

Submissions are used solely to schedule research interviews. We do not add submitters to marketing lists. We do not sell or share the information.