A few years ago, Kieran Donovan was a partner at one of the world’s largest law firms, advising tech and gaming companies on how to stay compliant across dozens of countries. For over a decade, compliance was the problem he got paid to manage — a cost, a constraint, the thing publishers called him about when they needed to know whether a thirteen-year-old in Seoul could access the same features as a fifteen-year-old in Berlin.
Then he had a kid, and the abstraction became personal. He looked at the broken age gates, the platforms that didn’t really know children were using them, the regulators handing out fines — over two billion dollars of them to big tech in the space of two years, for breaching children’s privacy laws. And he saw something most people in his seat had missed. The worst-case scenario wasn’t non-compliance. It was platforms looking at the rising penalties and concluding it was simpler to just kick all the kids off — fear shrinking what got built.
So he left the partnership and founded k-ID — infrastructure that helps any platform understand when a user is a child and adapt the experience accordingly, across countries, platforms and devices. Not a binary gate kids lie their way through. A layer that lets them stay in the game, safely. Backed by Andreessen Horowitz and Lightspeed, named a World Economic Forum Technology Pioneer and one of Time’s best inventions of 2025, it now serves more than forty million users a day across 195 countries.
He turned the thing the industry treats as a cost into a company. That’s the whole point.
Friction with a reason
For twenty years, compliance has been the part of communications you paid someone else to worry about. Number portability. Proof of ownership. KYC. Sender ID registration. Proof of address. The slow, country-by-country paperwork of being allowed to send a message or connect a call. None of it ever closed a deal.
And the same rules land completely differently depending on who you are. For a small business, compliance is annoying and complicated — you don’t have the specialist skills in-house, and it eats time you don’t have. For a large enterprise, it isn’t a nuisance at all. It’s the difference between being allowed to operate in a market and not.
And the friction makes sense once you look at why it exists. We’re not living in a world populated only by good actors. Online fraud is enormous and getting worse — treat cybercrime as an economy and it now ranks as the world’s third-largest, behind only the US and China. That was one of the threads running through the Aduna Summit in Madrid this April, where a venture built by the world’s largest telcos is putting serious weight behind digital identity and fraud prevention. (We wrote about it here.) Scams, spoofed numbers, hijacked SIMs, artificially inflated traffic, and elderly people getting cleaned out because a number looked legitimate are no longer edge cases. They’re the main event.
Guardrails, not protectionism
It’s time to stop thinking about regulation as protectionism and start thinking about it as guardrails — rules that protect the people on the other end of the technology and, done right, give everyone the confidence to build on top of it. Not always; plenty of regulation is clumsy, and it deserves to be argued about. But the direction of travel is real.
Because we’ve learned the hard way that “leave it to tech” isn’t a plan. There was a time when the internet was an almost unqualified good — knowledge and connection on tap, genuinely amazing. Somewhere along the way that changed. The biggest platforms stopped being optimised for our wellbeing and started being optimised for our attention. You can see it most clearly in what social media has done to young people — addictive by design, with a mounting, hard-to-ignore impact on teenagers and especially on the self-esteem of teenage girls. As parents and grandparents, many of us feel we owe the next generations a real effort to make the internet safe for them. Tech is still capable of extraordinary good. But the assumption that it will reliably do what’s good for us, left to its own devices, no longer holds. That’s what guardrails are for. And in the age of AI, they matter more, not less.
What’s really blocking enterprise AI
There’s a good piece doing the rounds that calls all of this the compliance tax — regulatory fragmentation eating your roadmap, one jurisdiction at a time. It isn’t wrong about the friction. But it reads the situation from the wrong end of the table. Because the thing slowing this market down isn’t that compliance is getting heavier. It’s that enterprises are stuck on AI — and compliance is what gets them unstuck.
Talk to any large enterprise right now and you find the same thing. They know AI matters. They are not sure what to actually do with it. There are real technical obstacles — data readiness chief among them — and nobody should wave those away. But tech problems tend to get solved once the business case is clear; investment follows a use case that stacks up. The harder blocker is the uncertainty that stops the business case being made at all. If you’re building for the long term, and especially if you’re in healthcare, banking or government, you cannot commit to AI without knowing it will stand up to a regulator in two or three years. “Move fast and we’ll see you in court” is the US instinct. It doesn’t work for a regulated European enterprise, and it doesn’t work for most of the world.
So the question every serious buyer is really asking is: can I build on this without it blowing up on me later? That’s a compliance question. And answering it well is what turns hesitation into commitment — exactly what Donovan saw. Get the trust layer right and you don’t exclude people out of fear; you let them in with confidence.
AI makes the question sharper, not softer — because the bad actors get the same tools. Deepfakes. Voice cloning. The same AI that lets a brand run a natural, automated conversation lets a fraudster clone one. The moment the voice on the line might be synthetic, “can you prove this caller is who they say they are” stops being a nice-to-have and becomes the whole ballgame.
From the enterprise to the nation
And the stakes don’t stop at the enterprise. They run all the way up to the nation. Just last week, the Dutch government blocked the American firm Kyndryl from acquiring Solvinity — the cloud provider that runs DigiD, the digital identity system millions of Dutch citizens use for tax, healthcare and government services. It was the first time the Dutch Investment Screening Bureau had ever prohibited a US acquisition. The sticking point was the US CLOUD Act, which lets American authorities compel US-headquartered companies to hand over data wherever in the world it sits. Kyndryl called the decision “politicized,” and argued it was robbing Dutch citizens of a more modern, more secure system. They may even be half right about the technology. But as analyst Tim Banting put it sharply in a post this week — and Tim will be at this dinner — for public-sector technology, user experience cannot be separated from political trust. A sleek, modern interface means nothing if the underlying infrastructure compromises national sovereignty. The old playbook of expanding fast and sorting out compliance later is dead.
That’s the same lesson as k-ID, just scaled up from the developer to the state: trust is now the deciding factor, not the feature set. It’s also the argument we keep coming back to on sovereign AI — that data residency and regulatory trust aren’t a compliance drag on the AI opportunity, they’re the thing that determines who gets to capture it. The European Commission’s Tech Sovereignty Package is the same signal at policy level. This is no longer a Dutch quirk. It’s the shape of the market.
The commercial question
None of this means more rules are automatically better — regulate everything and you strangle the innovation you were trying to protect. The goal isn’t maximum compliance. It’s the right constraints, clearly understood. And the industry has a role in that: not just complying with the rules, but helping shape ones that actually make sense. Done well, compliance stops being the thing that slows the enterprise down. It becomes the thing that lets it move at all.
Which turns it from a cost line into a commercial question — and a genuinely hard one. Where exactly do you draw the line between compliance and innovation? If you’re a channel partner, how do you turn “we keep you compliant” from fine print into an actual selling point? And with AI specifically: do you build that regulatory capability yourself, or work with a partner who already has specialist teams doing nothing else? k-ID is one answer to that question. Most enterprises will reach for a partner rather than build it. The opportunity belongs to whoever can be that partner.
This is where players like Gamma matter. The structural map favours operators who already do regulated trust at scale — KYC, number ownership, portability, the regulatory relationships built over decades, and the specialist teams to run them. The fragmentation that looks like a tax to a software company looks like a moat to an operator who already does this across dozens of markets. What’s a barrier to one is a barrier to entry for the other.
The companies that win the next phase won’t be the ones who minimise the compliance tax. They’ll be the ones who turn it into the reason enterprises say yes.
A conversation worth having
That’s the discussion CPaaSAA and Gamma want to have around a table — a small one. On the evening of Monday 15 June, in London, the night before Cavell CX, we’re hosting an intimate executive dinner: where the line between compliance and innovation actually sits, how to turn compliance into a commercial advantage rather than a cost, and how to lean into the regulatory side of AI — build it, or partner for it.
It’s built for the people who live this in practice — the CEOs, CROs and strategy leaders running CPaaS and CCaaS platforms, the channel and MSP businesses building on top of them, and the connectivity players underneath. If you’re steering product or commercial strategy at one of those businesses — or you’re the person whose job title actually has the word “regulatory” in it, as a few around this table will — this is your conversation. The value is in who’s around the table, not how many.
It’s deliberately small and by invitation. If you’ll be in London for Cavell CX, or close enough to make the trip, and this is your world, we’d like you there.
Compliance, done right, doesn’t hold you back. It’s what gives you the confidence to move. Kieran Donovan built a company on that insight, and the Dutch government just drew a national border around it. The rest of us should at least be building it into our pricing. A tax, in the end, is just a price someone else hasn’t learned to charge for yet.
Reach out if you’d like a seat.
My lifetime in IT and telecoms has been dedicated to innovation, building bridges and creating change. From the early days of cloud communications to working with operators on innovations and business development, and currently emphasizing APIs, CPaaS/CX and AI, my journey has been one of continuous evolution.
As founding partner at CPaaS Acceleration Alliance and The Next Cloud I'm privileged to help global telcos and techcos thrive in a fast changing world - through events, community building, strategy and global business development. I thrive on challenges and change, strategizing in cloud communications, and bringing people together for mutual success. Travel and continuous learning are my passions.
I believe the global communications industry is pivoting to prioritize customer experience and impactful solutions over mere technology and platforms, and we can tackle societal challenges by merging the strengths of corporates and innovators within new ecosystems.
Comments are closed