InformationWeek Podcast: CTOs on How They Use AI in Regulated Spaces
Why It Matters
Regulated companies must embed robust AI governance to protect data and meet compliance, or risk costly breaches and lost customer trust while falling behind competitors adopting AI responsibly.
Key Takeaways
- Shift toward building AI in‑house to meet compliance and security requirements.
- Both firms enforce strict human review before AI‑generated code reaches production.
- Enhanced third‑party risk programs now assess vendors' AI maturity and data handling.
- Regulatory focus on the CIA triad: confidentiality, integrity, and availability of AI outputs.
- Future AI strategy blends dedicated teams with governance integrated into the production cycle.
Summary
The InformationWeek podcast explores how CTOs and CISOs navigate AI adoption in highly regulated sectors such as payroll and personal finance. Guests Mike Tria, CTO of Gusto, and Joshua Folultz, CISO of NerdWallet, discuss the tension between AI’s speed and the strict compliance guardrails that govern their industries.
Both leaders describe a decisive shift from buying third‑party AI tools toward building internal solutions that can be tightly controlled. Gusto now runs a dedicated team to re‑evaluate vendors and insists on human sign‑off before any AI‑generated code reaches production. NerdWallet has bolstered its third‑party risk management framework, adding checks for AI maturity, data segregation, and restrictions on what vendors may learn from customer data. Across the board, the classic CIA triad of confidentiality, integrity, and availability guides every AI risk assessment, and Sarbanes‑Oxley requirements demand that non‑human identities be logged and held accountable just as human ones are.
Concrete examples illustrate the new rigor: Gusto refuses to let AI push code directly to live environments, while NerdWallet treats any AI that accesses customer data as its highest‑risk tier and applies HIPAA‑level controls to it. Both firms stress role‑based access, audit trails, and the expectation that agents, rather than humans, will be the identities interacting with AI services, a shift that could reshape how vendors package their offerings.
The discussion signals that regulated enterprises will increasingly embed AI governance into their core development pipelines, balancing innovation with compliance. Vendors that fail to provide transparent, auditable AI models risk being sidelined, while firms that invest in internal AI capabilities gain both security assurance and competitive advantage.