Are CX leaders relying too heavily on the reputation of major AI models to protect them from legal compliance risk?
In this CX Today interview, Nicole Willing speaks with Nadia Kadhim, Executive Director at Aithos, about research that raises serious questions for organizations deploying AI agents across customer support, sales, onboarding and digital engagement.
Aithos, the European non-profit AI research foundation behind LARA, a legal compliance testing tool for AI systems, tested leading AI models against European regulations, including GDPR and the EU AI Act. The results were stark: every major model tested failed compliance checks across realistic workplace scenarios.
For Kadhim, the most surprising finding was not one isolated failure. It was the consistency of non-compliance across the board. Even frontier models, which many organizations may assume are safer or more reliable, broke legal provisions in multiple scenarios. In some cases, the models also violated banned practices under Article 5 of the EU AI Act, which covers practices Europe considers especially harmful to safety, health and human rights.
“So newer and more capable does not necessarily mean more compliant, and that was the most surprising.”
That point matters for customer experience leaders because many businesses are deploying AI agents quickly, often with a focus on whether the system completes the task, answers questions, sounds human or uses the right tone of voice. But Kadhim argues that organizations are less likely to test whether those same systems are violating legal provisions while doing the job they were designed to do.
The risk becomes sharper in customer-facing environments. An AI agent tasked with upselling, supporting, or retaining customers may have access to far more data than a human agent would typically use, from messages and emails to social media profiles and volunteered personal information. When that data is combined with personalization, a helpful tone, and a target-driven objective, the line between assistance and manipulation can become difficult to manage.
Kadhim also warns that businesses cannot simply outsource responsibility to the model provider. Under European and U.K. privacy law, as well as the EU AI Act, the organization deploying, building, or buying the AI system can still be responsible for ensuring that its behavior is legal. That applies even outside Europe in cases where companies process data from, or provide services to, European citizens.
Watch the full interview above to learn what CX leaders should ask before deploying AI agents at scale.
