It's Called Compliance Debt

Key Takeaways:

• The 2026 International AI Safety Report identifies an "evidence dilemma" at the heart of AI governance. Education is living that dilemma right now.

• 95% of GenAI implementations are delivering zero return according to MIT NANDA research cited in the WEF's January 2026 paper. The cause is governance failure, not technology.

• Both reports independently conclude that governance infrastructure must exist before deployment, not after. Education has neither.

• "Compliance debt," the concept introduced in Memorandum No. 4 of this series, has now been validated by two of the most significant AI publications of 2026.

Late autumn 2025, past midnight, and I am in my basement poring over reports. Insurance endorsement language, ISO clause structures, regulatory filings, half-read academic papers on every surface. Cold tea. A cucumber sandwich curling at the edges because I forgot about it around ten. And I am doing this thing where I am cross-referencing what insurers are starting to require from schools against what schools can actually produce, and the gap between those two columns is enormous. It is not an information gap. It is not a technology gap. It is an infrastructure gap. Schools are racking up invisible liability every day they run AI without the controls and records to back it up, and nobody has a name for it. So I gave it one. I started calling it "compliance debt," borrowing from the software concept of technical debt: the cost that piles up when you ship without proper architecture. It compounds. It stays invisible until something breaks. And when it breaks, it breaks expensively. When I published that in this memorandum series starting December 2025, I was sticking my neck out. It is not a comfortable idea for education leaders who have been told that an AI acceptable use policy is good enough. Four months later, two of the most significant AI reports of 2026 have landed on my desk, and they are describing the exact same mechanics from different directions. I was not crying wolf.

The Evidence Dilemma Is Already a School Problem

The International AI Safety Report introduces what it calls the "evidence dilemma." Policymakers face a tension between acting on incomplete information and waiting for conclusive evidence while risks accumulate. Acting too early risks implementing ineffective or harmful interventions. Waiting too long leaves institutions exposed to the very risks the evidence might eventually confirm.

The report frames this as a national policy challenge, but the dilemma maps directly onto educational institutions. School boards across North America, Europe, and beyond are deploying AI-powered assessment tools, recommendation engines, and student support systems without the evaluation infrastructure to understand what these systems actually do in practice. The Safety Report is blunt about the technical reality: developers themselves "cannot yet provide robust, quantifiable assurances that AI systems will avoid specific harmful behaviours." If the people who build these systems cannot guarantee their behavior, what chance does a mid-sized school district have of demonstrating due diligence to an insurer asking for evidence of oversight?

The report compounds this with documentation of what it calls an "evaluation gap": the disconnect between how AI systems perform in pre-deployment testing and how they behave in the real world. One study cited in the report found that language models fine-tuned to sound warm and empathetic became 10 to 30 percentage points more likely to promote conspiracy theories, validate incorrect beliefs, and offer unsafe medical advice, yet scored comparably to more reliable models on standard benchmarks. Another study in a medical setting found that models with strong benchmark performance still produced clinically unsafe responses across more than 300,000 real interactions.

This is not an abstract concern for education. When an AI tutoring system passes every vendor demo but behaves unpredictably with a struggling 14-year-old, the benchmark meant nothing. The monitoring protocols, incident reporting, and human override mechanisms that could have caught the problem are the assurance capacity that was never built. That is compliance debt in action.

The Governance Bottleneck Is Organizational, Not Technical

The WEF paper arrives at the same destination from the enterprise side. Drawing on experiences from more than 20 leading technology firms, the paper identifies four imperatives for organizations adopting AI. The fourth is unambiguous: "Build governance infrastructure before scaling AI."

The paper cites MIT NANDA research (Project NANDA) indicating that 95% of generative AI implementations are delivering zero return. The cause is not regulation or model quality but how companies approach implementation. Most deployments remain stuck in experimentation, boosting individual productivity without delivering measurable business transformation. The WEF paper describes situations where AI is deployed as a bolt-on tool "sprinkled across existing tech stacks through co-pilots, productivity apps or closed software environments." These bolt-on deployments, the paper argues, do not generate value. Real value requires deploying AI across systems while breaking down organizational silos. Deploying AI without aligning it to workflows or redesigning business processes "ends up creating more work instead of less."

When the world's largest technology companies acknowledge that the absence of oversight mechanisms is the primary obstacle to realizing AI value, the education sector's continued reliance on aspirational policy documents becomes increasingly difficult to justify.

The WEF paper also introduces a concept that speaks directly to the liability dynamics this series has been documenting. Citing Dan Davies, the paper describes "accountability sinks": systems that produce outcomes nobody owns. The gate agent who cannot explain an automatic rebooking. The insurance processor powerless to override a claims denial. AI threatens to multiply these dynamics at vastly greater scale and speed. Education is already living this pattern. When an AI assessment tool flags a student for behavioral intervention, who owns that decision? When a recommendation engine steers course selection, who is accountable for the outcome? When a chatbot provides mental health guidance to a minor, where does liability sit? The Safety Report reinforces this from the technical side, documenting that AI agents "act autonomously, making it harder for humans to intervene before failures cause harm." Neither report treats education as a primary case study. Both should.

The Education Blind Spot and the Calendar

That absence is itself a data point. Education is classified as high-risk under the EU AI Act's Annex III categories, covering admissions, assignment, evaluation of learning outcomes, and vocational training. The sector serves minors who cannot consent for themselves. It operates under dense regulatory overlays including FERPA, COPPA, GDPR, and an expanding set of state-level requirements. It is among the fastest-adopting sectors for AI tools.

Yet neither report subjects education to sustained analysis. The WEF paper draws entirely from technology firm experiences. The Safety Report's labor market section documents concentrated impacts on early-career workers (Stanford's Digital Economy Lab research using ADP payroll data shows significant employment declines for workers aged 22 to 25 in AI-exposed occupations) without examining the institutions responsible for preparing those workers. This confirms the thesis of Memorandum No. 1 in this series: the education sector lacks dedicated AI assurance infrastructure, and this absence is so normalized that even comprehensive international assessments overlook it. The compliance debt is not just accumulating at the institutional level. It is accumulating at the sector level, invisible precisely because nobody is measuring it.

Both reports treat governance as a forward-looking challenge. For education, the deadlines are already here. Colorado's consumer AI protections law (SB24-205, with its effective date extended to June 30, 2026 via SB25B-004) is months away. EU AI Act obligations tied to Annex III high-risk systems take effect August 2, 2026. Insurance renewal cycles throughout 2026 will encounter new AI governance questionnaires for the first time. These are not hypothetical forcing functions. They are calendar dates. Institutions that have not begun building oversight capacity are not simply behind schedule. They are accumulating compliance debt that compounds through every missed deadline.

I think about that night in the basement sometimes. The discovery was not some flash of brilliance. It was pattern recognition, the same gap appearing in every document, every framework, every insurance questionnaire I could get my hands on. The gap between what governance frameworks say institutions should do and what institutions can actually demonstrate they have done. Four months later, Yoshua Bengio and over 100 international experts call it the "evidence dilemma." The WEF's C&T Strategy Officers community calls it a governance imperative. In Memorandum No. 4, I called it "Compliance Debt". We are all describing the same structural problem from different elevations. The difference is that education institutions cannot wait for the view from 30,000 feet. They need operational infrastructure now. Before the next renewal cycle, before the next regulatory deadline, before the next incident that turns invisible liability into visible crisis. The tea is still getting cold. But the work is getting warmer. I'm working on it so feel free to reach out if this is of interest to you. 

The seven memoranda in this series are available on SSRN and Zenodo, alongside the public school board assessments that demonstrate how governance readiness varies in practice. If your institution, association, or organization is navigating AI governance, I welcome the conversation. You can reach me directly through LinkedIn.

Ryan James Purdy is the founder of Purdy House Publishing & Consulting and the author of three books on AI policy and compliance in education. His seven-memorandum research series on AI governance in education is published on SSRN and Zenodo. He has 30 years of experience in education and specializes in the intersection of AI governance, insurance liability, and institutional compliance.

References

Bengio, Y. et al. (2026). International AI Safety Report 2026. February 2026. https://internationalaisafetyreport.org/

Brynjolfsson, E., Chandar, B., & Chen, R. (2025). "Canaries in the Coal Mine? Six Facts about the Recent Employment Effects of Artificial Intelligence." Stanford Digital Economy Lab. https://digitaleconomy.stanford.edu/

Challapally, A. et al. (2025). "The GenAI Divide: State of AI in Business 2025." MIT NANDA / Project NANDA. [Cited in WEF paper as source for 95% zero-return finding.]

Colorado General Assembly. (2024). SB24-205: Consumer Protections for Artificial Intelligence. Effective date extended to June 30, 2026 via SB25B-004 (2025 special session). https://leg.colorado.gov/bills/sb25b-004

Davies, D. (2024). The Unaccountability Machine: Why Big Systems Make Terrible Decisions and How the World Lost Its Mind. Profile Books.

European Union. (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act). Annex III: Education and vocational training. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ%3AL_202401689

Purdy, R.J. (2025). "The Operational Gap: How Insurance Requirements Reveal What AI Policy Frameworks Miss." Memorandum No. 1, AI Governance in Education Series. Purdy House Publishing & Consulting. December 2025. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5949655

Purdy, R.J. (2025). "The Forcing Function: Insurance, Regulation, and Loss Signals in Education AI Governance." Memorandum No. 2, AI Governance in Education Series. Purdy House Publishing & Consulting. December 2025. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5982614

Purdy, R.J. (2026). "ISO 42001 in Education: Assessing the International Standard Against Sector Reality." Memorandum No. 4, AI Governance in Education Series. Purdy House Publishing & Consulting. January 2026. [First formal definition of "compliance debt."] https://ssrn.com/abstract=6070028

Purdy, R.J. (2026). "The Liability Squeeze and the Governance Response: How Documentation Becomes Leverage." Memorandum No. 7, AI Governance in Education Series. Purdy House Publishing & Consulting. January 2026. [Add SSRN/Zenodo URL]

World Economic Forum. (2026). "AI at Work: From Productivity Hacks to Organizational Transformation." Community Paper, C&T Industry Strategy Officers Community. January 2026. https://www3.weforum.org/docs/WEF_AI_at_Work_2026.pdf