AI product cycles are fast. ISO, SOC 2, and HIPAA were not built for fast. The friction between them is real, and pretending it isn't is how teams ship something that fails an audit six months later.
The mistake is treating compliance as a gate at the end. By then the design choices that create the risk are already locked, and the team faces a bad trade: rework or ship something exposed. Neither is good and both were avoidable.
What works is moving the compliance questions to the design stage, where they're cheap to answer: where does the data live, who can see it, what's logged, what's the retention? Asked at design, these shape the architecture for almost no cost. Asked at launch, they're a crisis.
On the Einstein AI work at Salesforce I made compliance readiness a fixed point in the sequence, not a final inspection. The gates were known from the start and everything planned around them. The teams moved fast because the compliance work was built in, not bolted on.
Governance done right doesn't slow AI down. Governance done late does. The difference is entirely about when you ask the questions.