Compliance as a Growth Lever: Close Enterprise Deals

00:00:07 Mark Smith
Welcome to AI Unfiltered, the show that cuts through the hype and brings you the authentic side of artificial intelligence. I'm your host, Mark Smith, and in each episode, I sit down one-on-one with AI innovators and industry leaders from around the world. Together, we explore real-world AI applications, share practical insights, and discuss how businesses are implementing responsible, ethical, and trustworthy AI. Let's dive into the conversation and see how AI can transform your business today. Welcome back to AI Unfiltered. Today's guest is from Virginia in the US. Caleb, welcome to the show.

00:00:50 Caleb Mattingly
Yeah, thanks for having me, Mark. I'm super excited to be here talking with you today.

00:00:55 Mark Smith
I'm looking forward to it. You seem to be working in an area that I spent, I feel like all of last year super focused on, which is governance and compliance and really how do organizations tackle especially if they're an organization that has a lot of compliance restrictions already. So thinking healthcare, finance, banking, manufacturing, there's a range of these industries that already have a lot of compliance requirements. And I want to look at them in the lens of AI. But before we get started, food, family, and fun, what do they mean to you?

00:01:32 Caleb Mattingly
Food, family, and fun? so man, I think the biggest one that stands out is family.Family is a big driver for me personally and then also our company. But yeah, I think it's a very open-ended question, Mark. Yeah, definitely love food. Cheese is the first thing that comes to mind. I'm a huge like lover of cheese. Yeah, fried or regular and fried cheese curds are my favorite. So yeah. And then with regards to family, I got a wife and a kid. 14 month old son named James and definitely keeps me on my toes. But he has been absolutely incredible. Already been on over 20 plane rides in his life. So crazy. Yep. Mainly just sleeps. So that's pretty good. And then as for fun, recently I've gotten really into baking. So making bread in particular and I've really enjoyed that. And then racing. So like F1 racing, I love watching F1 and then go-karting.

00:02:35 Mark Smith
Nice. It's some variety there.

00:02:37 Caleb Mattingly
Yeah, yep. It keeps my wife on her toes.

00:02:42 Mark Smith
So since the, since Gen. AI, you know, has taken the world by storm last three or so four years, what's been your focus? What's top of mind for you? What are you focusing on? What's got you to this point in your career?

00:03:01 Caleb Mattingly
I mean, I feel like it would be a little bit more agnostic to AI specifically, but just tech in general, we've seen so much growth, so many companies that are just like coming onto the scene, great ideas and able to leverage AI as well, right? So like you're seeing so many, you know, small brand new companies that are going into antiquated sectors of business, right? Like whether that's construction or, I mean, you mentioned a lot of highly regulated industries too, and they definitely have like some antiquated processes and ways of doing things and just bringing fundamentally changing the landscape of these different sectors within there. So like customer service or customer support, financial transactions, even deal flow for some companies and some of these larger organizations like just how time consuming all of that has been previously, but then you use something like AI and you're able to aggregate all that data so quickly and then get real actual results and analysis done from that data. It's added so many different opportunities for companies to come in and swoop in and get so much market share, right, to actually become a successful business. So for us, seeing all of that and recognizing that The question on top of everybody's mind with every startup is always, are you actually secure and are you going to handle my data securely? Like when you're selling to a customer. And even if they don't overtly ask for it, enterprises especially will always ask for it, right? Like the smaller business might not, enterprises always do it because they have way more at stake, right? When they're giving you maybe millions of user data points. And so with that in mind, we kept seeing that in the market and we kept seeing that like SOC 2, ISO certifications, HIPAA, GDPR, privacy in particular, has become a real big topic. And so between security and privacy, our focus has been, and it's kept us very busy, is helping those startups prove that they're compliant with privacy standards and also with security standards.

00:05:14 Mark Smith
So. you know, the big one that jumps to mind in that space for me is the ISO 42001 colon. What is it? 2023 or something on the end of it? I can't remember. Something like that, right?

00:05:27 Caleb Mattingly
Yeah, exactly.

00:05:29 Mark Smith
Tell me, you know, that's the AI standard, if you like, around AI management systems. How are you seeing organizations either align to it or work with it, particularly that, you know, it's come out of Europe. There seems to be a synergy between that and the EU AI Act. What are you seeing in its application and what the companies you're working with are wanting to do with it.

00:05:53 Caleb Mattingly
Yeah, that's a great question. So at this point, no one that we know of, and that's not like a ton of people or a ton of companies, but no one that we know of is overtly asking their vendors to have ISO 42001. What's currently happening is people are trying to get ahead of the game. Companies are trying to get ahead of the game, startups in particular. But even enterprises are trying to go after this as well right now. And the reason for that is, so ISO 42001 is the AI-focused certification that the International Standards Organization, ISO, put out, as we both know. And then what it's really predominantly focused on is reducing like trash in, trash out kind of issues with AI, right? So like everybody talks about like, hey, the data that you give to the AI or the AI itself is only as good as the data that you give it. And so what the AIMS is focused on, or the AI management system is focused on, and that's what ISO 42001 is entirely oriented towards, is how do you get quality data into your AI system? And then how do you make sure that it's not going to be biased about that data? as you continue on. So, a lot of companies actually, as they try to enact this, think that it's going to be entirely security related, right? Like ISO 27001, which is very well known across the world, is entirely focused on information security management systems. And so there's already that mentality that like, oh, if we have ISO 27001, we want to go get 42001. That's now dealing with AI. It's going to be all security stuff. Most of it is not security related. Most of it is How do you all identify that your tool could become biased, even if it's working like the way that it's technically supposed to right now? Like in the future, how could it become biased so that your customers are aware of that, so that you're aware of that and you're thinking about it as you move on? Because again, like your pipelines that are driving all the data into your system, are functional right now, but as we all know, things break, right? Things break, the wrong data gets pushed, your customer has a mistake that happens, your team has a mistake that happens, that stuff happens all the time. And so what 42 Zeros 01 is really focused in on is how do we anticipate those issues? Because even with an AI management system, you still have humans in the loop, right? And humans, we're prone to make mistakes. And so Yeah, that's been really interesting to see, especially the misconceptions about what it really brings, because we had one customer that came to us and they were like, Yeah, we really want to get ISO 42001 to prove that our AI system's secure. We were like, Getting ISO 42001 doesn't prove that your AI system's secure at all. They were like, What? What do you mean? And I had to explain to them, you know, like, No, this really has to do with like proving that you're handling data well and that you've thought through like All right, if the data starts skewing, how do we correct it or catch it and then correct it really quickly? So yeah, that's been really top of mind lately when it comes to the AI systems.

00:09:06 Mark Smith
Yeah, I noticed that Microsoft got it very early on, it was one of their claims in the space. And as I said, I've seen it a lot more, talked about a lot more from European-based companies. And it is quite a different standard in that one of the things that it brings out this is AI management system with that whole concept that it's really holistically manages everything from, inputs to outputs to, do you, how do you think about AI as an organization and how you are going to make sure that you're you can identify those risks as they come up. So it is quite a broad standard, definitely. And then I've done some searches on are there off-the-shelf AI management systems that are software that would allow you to run this whole thing. Have you seen anything in that space?

00:10:01 Caleb Mattingly
Yeah, I mean, with regards to ISO, I mean, we predominantly use GRC tools for managing that process. AI security, I mean, there's a lot of tools coming out. There's one, I have a friend who's building this and the tool is up and able to be used, but it's called Verde, V-A-I-R-D-E.A-I. And that one scans the repository or GitHub repositories or GitLab repositories. determines like where you need guardrails around your AI and everything. And that's something that a lot of companies aren't thinking about either, is like you want to be all about speed to market, right? That's what building a business ends up being very focused on, right, is speed to market, your go-to-market strategy and everything. And so I think it's really a really good thing that we are thinking more about privacy, though, early on in building AI systems. Because like, And Europe is so well known for this, right? GDPR came out and that's all about, privacy and data around the use or the use of data, sorry, around your users and everything. And so I think there's a lot of truth to the mantra that, Europe is really good at regulation, right? Like, and very good at coming out with strong regulation that it really is geared towards helping people. Now, I think ISO 42001 isn't so much like a regulation, right, as opposed to being a certification, but it gets the ball rolling. It starts the thought process, right, of like, okay, how do we start actually implementing this? And I know you mentioned the EU AI Act as well. So like there are now a lot of different conversations happening around like, how do we make sure that this doesn't just blow up out of proportion and we lose complete control over the data that's being used by the AI because like, or by our AI systems. Because that could happen very quickly, you know, like we want to move fast, right? Like in the US, we're known as like being moving too fast sometimes, right? Like through this stuff. And I think having partners that are able to come in and actually like really reel in some of that to make sure that it's not just focused entirely on building something cool, but also building something that's protecting the people that are using it. And so that's a really big piece of what we talk about and think about with our customers, because it's like, you can be building something that is very beneficial for the people, for the direct people that are using it. But what about like the broader reaching data that they're using to aggregate and like make their decisions or process? And so Yeah, and hopefully there's not just rambling about it. Yeah.

00:12:40 Mark Smith
Now, what it brings to mind is that you mentioned there that, sometimes America is seen as moving too fast. And one of the arguments I've seen is that if you regulate, you stifle innovation, right? Regulation kills innovation. And, you know, I'm always happy that electricity is regulated. Like, right, I don't want to make it super easy for my kid to put their, grab a spoon and put it in a socket in the wall and see what that electricity can do. Electricity incredibly powerful in helping humanity, but done wrong, it's deadly. And I feel this parallel with so much with AI. How do you, how do you handle that conversation that if we over-regulate, we stifle innovation? And it's not even about over-regulations. It's just, you know, you've got these camps that are totally anti-regulations. And I predominantly only see that mantra coming out of the US. And then the flip side, that that's going to kill innovation. And so we need to go full steam ahead, no restrictions. But how do you handle that discussion?

00:13:54 Caleb Mattingly
I've gone to several AI conferences in the last year and that topic gets brought up a lot and it's extremely controversial, right? Because like you've got some people that claim if we don't regulate, people will die, right? There will be some issue that occurs where somebody doesn't take the necessary security precautions and like something will occur or somebody dies, right? And like the loss of human life being kind of like the farthest echelon that you can reach in the conversation, right? And like And it's, I personally have a hard time seeing that like jump right now, but I also understand the heart behind like them saying that, right? Which is that we essentially want to safeguard the people that we are trying to serve as businesses, right? Even if they're the second or third party, you know, to our customer, right? From my perspective, I think a lot of it has to do with having conversations, not just with thought leaders, but also with competitors. And the reason for that is like you're going to be pushing to go faster than your competitors at all times, right? Like you build business, like if you're slower than your competitor, then you're essentially going to lose to them in a lot of ways, right? Depending on what you're focused on and maybe you focus something else. But for the sake of this argument, bear with me here. But I think when you're dealing with something that has the ability to affect billions of people, right? And if it isn't reined in some manner, I think the, and if you don't want it to be regulated, then you have to be open to like discussions, like forum discussions, to open to like meeting with people and keeping like accountable through some manner. Because own devices, I personally believe that we will push the boundary as far as it'll go, and try to see what we can get away with. And so I think having other business owners, especially, that are also wanting to push, but then also your competitors are going to be there to maybe have thought through the next three steps of what you want to do. right? To then tell you like, if you do that, like you're going to be putting at risk this data, or you're going to be putting at risk these people, or you're going to be putting it like at risk, you know, some liberties and whatnot. You know, like I know with regards to the US government and their whole fallout right now that's happening with Claude and Anthropic and even with OpenAI about essentially Anthropic saying that they don't want to be used for any kind of like weapons or mass surveillance. across the US and the government not really being entirely okay with agreeing to that. And I think that's a whole like boatload discussion topic, right? And it gets a little bit more political, but I think from a perspective of doing what's best for the people that are the end users and also that are like tertiary users, right, that could be affected by this. And at this point, that's pretty much everybody. Like, Anybody can pull up Claude right now. Anybody can pull up ChatGPT and use it, except maybe Department of Defense, government people on their computers now. But you get the point, right? Like, I mean, they could still do it on their phone or they could still gather that information.I think we really have to be cautious with this. And I don't know what the answer is in regards to innovation speed versus regulation. And personally, you know, Our focus, like my family's focus, my focus, and then also our business's focus is on doing right by the people that we're working with. Like that is fundamentally our goal and part of our mission statement. So I don't know, like with big tech, I mean, we see a lot of stuff with Facebook, like they're going under, like being sued right now for potentially creating too much of an addictive situation for children and teens and everything and causing mental health, a mental health crisis.And whether that's true or not, I don't know. But they're going through a lawsuit with regards to that right now. And it's proof that like, I think we will try to push for more and more monetary success as businesses and such. And not everybody runs their business ethically. And so like, I think regulations are in place because eventually you get somebody that wants to screw over a great system and take advantage of it. So.

00:18:33 Mark Smith
Tell me about using agents for compliance autonomously. Is that something that you are doing, that deploying agents to assist organizations to maintain their compliance posture?

00:18:48 Caleb Mattingly
Long story short, no, it's not. We use AI tools for analyzing like policies that people have to determine which controls they map to quickly. We use AI tools for doing like vendor security reviews, but we don't use agents to interact directly with customer environments. And the main reason for that is twofold. One, we still believe that having a human making a mistake or whatnot is better than having an AI make a mistake because a human can only make so many mistakes in like an hour that are able to be rectified. And AI can make a lot of mistakes very quickly. And for us, that speed at which it can move is actually a bit terrifying to be totally transparent. The second thing, the second reason is because my personal thesis on this is that most companies are not ready for AI agents to have full admin level access, or even like editor level access to their cloud environments. And we have, you know, full access to our customer cloud environments because we are going in behind them and cleaning up like the compliance pieces there. So.

00:20:04 Mark Smith
Yeah. So not yet. Maybe in time?

00:20:07 Caleb Mattingly
We do think like probably within the next 10 years, the mentality will switch because you'll see a lot more companies that are pushing on that. We just don't want to be the first ones innovating that.

00:20:20 Mark Smith
Makes sense. Are you working with many startups?

00:20:23 Caleb Mattingly
We primarily work with startups. I think about 90% of our businesses are startups.

00:20:28 Mark Smith
Okay, so going back to that compliance view, do you see that startups are embracing compliance? Is it enabling them? What's the typical posture you're seeing then from startups? And are you seeing compliance either, you know, affect them positively in their trajectory as a startup?

00:20:49 Caleb Mattingly
Yeah, great question. So there's three reasons people get compliant, right? It's one, it's either a legal requirement, so like GDPR, HIPAA, legal requirements. It's a customer requirement. So SOC 2, ISO, sometimes HIPAA can be a customer requirement. You know, if you're not dealing, if you're not a covered entity, you don't necessarily need to go get it. But a lot of companies do it just because they're dealing with PHI and everything. So, and then the third reason is because you have more matured organizations that decide that they want to really shore up security and privacy within their org. Very far and few between. We have some customers that are like that, but those are much larger than like 100 people usually. Before that, what compliance acts as is actually like a sales lever. So when you're building a business and you want to sell to enterprises and everything, like going and getting SOC 2 or ISO 27001, usually that's like table stakes to just get past the due diligence that a company is going to do on you. to be able to sell into that enterprise. So we tend to talk to companies that have just like, either they've closed some smaller deals and they've gotten like interest from, a larger organization. And by large organizations, I'm talking about like, huge, massive 10,000, 100,000 person like companies and stuff. Those are the ones that are going to be pushing like to say, hey, if you don't have this, we're not going to do business with you. Like we can go find a competitor of yours who will get it and then we'll work with them. ButSo with regards to that, our startups that we work with are typically looking to try to get this done so they can close deal, right? Like that's the main driver. Now what we found is really helpful in our approach is that most of the time companies misunderstand what's actually required with compliance, right? So like going to get SOC 2 or ISO, the thought process is if I go get it done, I'll get the sale done. And then the consultant that I hired, I can just tell them, hey, thanks for the help, move on. And then next year I can reach out to them again and we can go through the process again. But the reality is that you actually have to upkeep those things. Like there's ongoing controls that have to be maintained. There's a lot of different pieces to it. And so our whole focus has been like making sure that the companies that end up working with us know that like, hey, this is an ongoing thing. And And then you can lose those enterprise deals if you fall out of compliance and they find out. So it holds a lot more weight, but not because it makes or breaks a company's security. And personally, we hold the opinion that compliance and security are not like one-to-one, right? If you've got SOC 2 or ISO and you talk to anybody in the compliance industry, they're going to tell you like, that doesn't mean that your company is secure. There's a lot of companies that have SOC 2 or ISO that get hacked. There are. But it's a great starting place. And so what we end up doing is we come in and we help somebody get like compliant and then we start building security stuff on top of that. So with startups, you know, It's all about runway, right? Like it's all about making sure that you've got enough money to keep going, right?To keep raising, to keep getting customers and to keep building. And so with compliance, it is definitely an enabler to go and get the like larger contracts that allow you to keep going. But it's an investment right up front because you don't necessarily know if you're going to close that enterprise. You don't know like You might not even know what your pricing model is for enterprises, right? Because you're only sold to other businesses or you're brand new and you're trying to sell your first time. And so you're going to be trying to figure out like the pricing model and stuff. And that it's difficult, right? Like it's really difficult. Our suggestion is always go and get smaller customers first. Go find like you have product market fit and then go sell to the big guys. Because then at that point you'll have an idea of what people will pay and at scale. And then you also will have the justification to spend the money on going and getting certified, because it usually can take between like 40 to $60,000 for a company that's like less than 20 people to go and get fully compliant.

00:25:01 Mark Smith
Yeah. And then what would be, you know, I mean, I've seen similar figures, but what's then the ongoing, you know, because you talked about, hey, it's not a one and done type scenario. What would typically the rolling costs then be once you'd, you know, achieved it, whether it be SOC 2 or your ISO what's the rolling to maintain kind of costing?

00:25:25 Caleb Mattingly
Like with us or just a general or time? No, just in general. What's kind of like typical in the market type thing?

00:25:31 Caleb Mattingly
I mean, if you pay a consultant, you're going to be paying somewhere around $250 an hour. So like, and it's usually about 20 or so hours per framework, you know, to like maintain if you're doing everything correctly.And there's a lot of companies that'll like, you know, There's a lot of corner cutting happening right now within the compliance industry. Like, I don't know if you saw this, but like there was a pretty well-known GRC tool. I won't mention it on the call, but like, or on this recording, but there's a pretty well-known GRC tool that essentially just went through a whole scandal. And if you were to Google like SOC 2 scandal, this company, it'll pop up and, you know, and show. And so like, There's a lot of stuff like that happening where you're getting lower and lower cost vendors and companies that are doing this. And people are, I won't say falling for it, but when you're a small business and when you're a startup, like again, if somebody's going to offer you, hey, 5K for SOC 2, all in. You're like, man, I'm, yeah, I want to pay that instead of 40K for the year, right? Like, who wouldn't want to? But there is a point where it's too good to be true. And a lot of these companies are kind of getting to that point where it's too good to be true. And so SOC 2 is becoming devalued, ISO is becoming devalued. Like, there's a lot of issues there. And what we're trying to do is really help shore up not just the compliance, but also the security piece, because that's really what your enterprise customers care about as a startup, right? Is Do you handle my data securely or not? That's all that I care about, right? I don't care if you really have SOC 2 or ISO. Those are just ways to prove that you kind of are doing the thing that I want you to be doing, right? So, and I fundamentally, I think... when you start a startup, you have to learn so many different things, right? You've got to have such a big view of so many different topics that I think the startup founders in general tend to forget that. And then they're like, well, I just want to get the little sticker on my website or the badge on my website so I can get the fields and stuff instead of really thinking about like, what's the reason for the badge, right? What's the reason for the compliance? So yeah, hope that makes sense.

00:27:41 Mark Smith
That's good. That's good. And my final question as we wrap up is, What's the trigger point that a company needs? Is it a deal that has come and said, hey, for us to do business with you, need this level? I'd be able to demonstrate it, but what's the typical trigger point where people knock on your door, for example, and say, we need to have a chat about these things?

00:28:06 Caleb Mattingly
Yeah, good question. So either they have a customer that's asking for it, so like you said, a deal. Either that or they want a deal, right? They want to go after enterprise customers. They know this is going to happen. It takes a minimum of five months to get SOC 2. Like a minimum. And like there's a lot of people saying like SOC 2 in two weeks. That's not a thing. If you're using a reputable auditor, they're going to do a three month minimum on a timeline. And then it's going to be like 4 to 8 weeks for the report to come out. So at the very absolute best, fastest case scenario, five months to get your report in hand and be able to hand it over. And a lot of companies, they want to think ahead and be like, well, I'm going to go after enterprises in 2027 or 2026 or whenever. And I know that it's going to be 5 months because I know that like with reputable auditor, three month minimum audit period. So we're going to go tackle this. So that's the second situation, right? First situation, they have a customer that's going, hey, We've done the POC, proof of concept. We like what you guys are doing. Where's your SOC 2 report? And then without fail, the answer is always, we're working on it. And so that's always without fail, what our customers that come to us tell us that they've said. And then we have to scramble to make sure that they get it done quickly, right? But five-month minimum timeline, those are the first two.The last situation would be where it's legally required. Right, so they start dealing with data, so CCPA, which is the California Consumer Privacy Act, which is now, I believe, the PRA, that has three thresholds that if you cross any of those, you become now required to be compliant with that. It has to do with like your revenue numbers, it has to do with how many California residents data you have, and then whether you're selling that data or not And you can, people can Google that. If you're not familiar with it, you can Google it and check it out. But that's the situation there. Or EU citizen data or HIPAA, you know, like we have so many customers that have come to us previously and been like, hey, you know, nobody's ever asked us if we're GDPR compliant. We are handling, you know, EU citizen data, but they're not asking if we're GDPR compliant. We go, that means they expect that you're GDPR compliant. It's not on them to ask you, you know, like to go and become GDPR compliant. It's that you are required, if you have EU citizen data, to be GDPR compliant, end of story. And so generally speaking, all of those customers end up being like, all right, well, let's go get this squared away and make it official. So thankfully, that's the case. But in those cases, obviously, they don't have like a deal on the line, and they're already selling to companies, but there's just like an uninformed mentality of like, well, nobody's asked me if we're GDPR compliant, so we must not need it. Again, hopefully that makes sense.

00:30:51 Mark Smith 
Yeah, that's awesome. Caleb, thank you so much for coming on the show. I really appreciate it.

00:30:56 Caleb Mattingly
Absolutely, Mark. Thanks for having me.

00:30:59 Mark Smith
You've been listening to AI Unfiltered with me, Mark Smith. If you enjoyed this episode and want to share a little kindness, please leave a review. To learn more or connect with today's guest, check out the show notes. Thank you for tuning in. I'll see you next time, where we'll continue to uncover AI's true potential, one conversation at a time.