AI's moving faster than attempts to regulate it. Here’s how firms are coping.

European lawmakers this month approved the world’s most comprehensive legislation yet on artificial intelligence, although other regions, including the U.S. and individual states, aren’t as far along.

Potential threats to customer privacy, the security of customer data, as well as the potential bias and inaccuracy of AI algorithms are all areas regulators are examining.

“There’s a lot of unanswered questions," said Mastercard President and Chief Technology Officer Ed McLaughlin. “So you start having to build systems in anticipation of requirements that you don’t quite know what they are yet.

Companies are not waiting for regulatory bodies to determine how and when to use the technology. At the same time, chief information officers say they are combining best practices around customer data with a little guesswork to make AI applications regulatory friendly, while maintaining open dialogue with policymakers.

Nationwide Mutual Insurance and Goldman Sachs are among the companies that have established their own internal guidelines and frameworks for how they use data and AI, in part by anticipating what ultimate regulations could look like.

Any future state-level AI regulation will likely mandate certain levels of transparency in terms of how customer data is used to fuel AI decision making, said Nationwide CTO Jim Fowler.

Nationwide established a “red team, blue team approach," with the blue team exploring new AI opportunities and the red team considering where it should pull back due to concerns around cybersecurity, bias and ensuring it can meet government regulation.

What came out of the red team was a set of principles for AI that Fowler said “will help us continue to develop solutions that drive business value but in a way that matches up with where we believe state risk is going to go," Fowler said.

The fact that AI regulations could look different nation to nation, or even state to state, creates additional complexities for how companies operate their AI tools—but Fowler said this is already an area the company is comfortable with since regulations around insurance underwriting already vary state to state.

“When you look at how we’ve done product, there are different products that are available in different states and I think technology’s going to end up in somewhat the same form where things that benefit customers might look different from one state to another," Fowler said.

At Goldman Sachs, CIO Marco Argenti said the company established a committee focused on the potential risks associated with deploying AI. Argenti said he has a constant dialogue with regulators and works to ensure that all internal AI use cases address those risks, including concerns around data protection.

But setting up internal guardrails isn’t a cure-all for meeting future rules. “We need to be aware that there will most likely also be additional regulations that might come from policymakers," he said.

The AI Act, passed by European lawmakers earlier this month, represents the first set of rules and regulations expected to have an immediate impact on how AI should be used. The rules, which are set to take effect gradually over several years, ban certain AI uses and introduce new transparency rules. Makers of the most powerful AI models—deemed to have what the EU calls a “systemic risk"—will be required to put those models through safety evaluations and notify regulators of serious incidents that occur with their models.

While the law only applies in the EU, it is expected to have a global impact because large AI companies are unlikely to want to forgo access to the bloc.

In the U.S. alone over 500 different pieces of AI-related legislation have been filed, said Eric Loeb, Salesforce executive vice president of global government affairs. “There’s an incredible amount of activity even in the U.S. states that we do need to keep aware of and sift through," he said.

Loeb said his team, which helps contribute safety and compliance guidance to Salesforce products, is talking with policymakers to anticipate what’s coming, but he added, “None of this is static. You can never assume that you have everything solved."

Other companies say they are hanging back a bit. At KeyBank, CIO Amy Brady said she is more focused on cases that don’t get ahead of regulation, including a conversational AI tool that she says is helping reduce the volume of calls coming to the customer service center.

She added that she doesn’t allow use of ChatGPT inside the company. “We want to make sure that we can monitor the use so we understand the sources of data, so that we don’t have any kind of unintended consequences," she said.

“We all are learning together as these tools deploy," she said, “but I think each company, each institution has to deploy these tools in a way that meets your own values."

Write to Isabelle Bousquette at isabelle.bousquette@wsj.com