Back to GROW ANZ 2026 | HubSpot Live

Unlock AI's Power: Build Trust, Not Tech Debt

AI adoption is surging, but a critical trust gap remains. Discover how to responsibly scale intelligent automation, balancing rapid innovation with robust governance. Learn the essential strategies for building customer confidence and avoiding costly pitfalls in your AI journey.

Matt PhamMatt PhamHead of Product – Financial Services · REA Group
Erika FisherErika FisherChief Legal Officer · HubSpot

Chapters

00:02The AI Trust Gap: Scaling Responsibly

What an absolute pleasure to be here and your host for today. We've got a fantastic panel here, but it's an interesting time. Yamini kind of asked for a raise of hands this morning and it was great to see how many hands went up when we were talking around who's adopting AI. We're seeing this accelerate in Anz now twice as fast as we even expected. But we still, as Kat was mentioning before, we still have this trust gap right now and we're trying to overcome that. I speak to marketers, sales leaders, business owners all of the time. In fact, even this morning I've been talking to them about it. And the one question they keep asking me is how do we scale AI responsibly? And I'm definitely not the right person to answer that, but I have two wonderful people who are going to be able to help me do that. First of all, we have Erica, who's an expert in his space, our chief legal officer, who's flown in from San Francisco. Welcome, Erica. Thank you for being with us. And also Matt Pham, as who's head of product at Mortgage Choice, works in a financial services industry, heavily regulated industry, you know, managing AI and change is never more prominent in your world. So thank you. A warm welcome to Erica and Matt, please. Erica, I might start with you. So I mentioned the trust gap before. From your perspective, why is trust the limiting factor for AI adoption right now in Australia?

01:25Navigating AI Regulation: Australia's Approach

Well, for one, I think just acknowledging Australia sits in a really interesting sort of continuum, I think between in the US where flown in from where frankly everything is more faster, more AI. And we are navigating our own challenges of how do we regulate that and can we even come to the table and regulate. And then you have Europe on the other end of the spectrum, which Europe has come out of the gate with a lot of rules, regulations, a big enforcement regime. Australia has taken more of a principles approach, which I think is a great way to think about it, which is like what are the principles that we should all sort of sign up to and self regulate around and how should we think about that? I think it's a very practical approach. It's a country that has very traditional sectors that have really sensitive customer data and important confidential customer data. Matt's going to talk a little bit about his sector that has that as well. I think that's a good grounding to start with. You're already dealing with a region where, yes, you're all getting pressure to transform with AI and to do that faster. And you're also Being to do that in a way that doesn't break anything and doesn't trip the wires on anything and doesn't sort of disrupt a lot of the trust that has been built through the types of businesses that really shape the landscape here. That is hard earned brand trust built over years and can disappear in a moment. So we'll get into more of the details about how to cross that bridge in between. But I think it's something that sits on a lot of our customer shoulders of go faster, make AI work for us, gain efficiencies. Oh, but also you're also responsible for making sure it doesn't break anything and damage the brand that we've already built.

03:13Financial Services & AI: Trust in a Regulated World

Matt, if you don't mind, just while we talk about the trust gap, as I mentioned before, you work in a highly regulated space financial services. Has there been any hesitation from inside your organization or even your customers? Yeah, absolutely. Particularly with our brokers starting to adopt AI features within our offering, I think the questions they're asking were fairly, I think natural questions to ask and probably ones that everyone in this room has also asked themselves as well, which is, is AI going to take over my job? That's always the first one. That's a whole other topic to talk about. But I think the next question that a lot of our brokers are asking around our AI products were around how can I actually trust them? And as you mentioned, financial services is a highly regulated industry. So the information we share, the advice we give has to be explainable and our systems need to be able to be auditable as well so that we can prove out, you know, what we're saying is accur accurate. So AI hallucinating is not an excuse for us to get it wrong. At the end of the day, if something does go wrong, it's actually our people, our brokers that are responsible to actually make sure that they're being compliant. So one of the really big questions that were asked was actually around how do I trust these experiences that you're building? Because particularly for some of our brokers that have been around for some time, we've got brokers that have been in the business for over 20 years. They're not digitally native people and as a result they're like, this AI experience is great. I put in a prompt and this answer comes out. It looks amazing, but how do I trust that it's actually accurate? And unlike, I guess, previous products we've built, which are a little bit more static. Think about a calculator. Two plus three equals four. That's very easy to explain. Whereas our AI tools are constantly evolving. And so being able to explain the mechanics of how that works and an education component to be able to go with that has really shifted the way that we go to market with our products and how we educate our brokers with these tools, which has absolutely helped with adoption and trust within our systems.

05:13Data Training & AI: What Customers Expect

Yeah, that's interesting. So they're really worried about the accuracy of it as well, which is interesting. Funny enough, the number one thing that our customers are worried about in Australia is actually where the data sits, who controls it, who owns it, what are you actually doing with it right now? And Erica, for you, what are customers actually asking you about, like data and AI right now? And where do you see the biggest misunderstandings around risk versus the actual reality? Yeah, and I'll be interested to hear how this resonates with you too, Matt. But I think we spend a lot of time right now talking about training and what is an AI model or what is AI technology actually allowed to do with the data that you're giving access to it. And so training, if I rewind even a year ago, we've progressed the conversation because if I rewind a year ago the idea of training or word training from a data perspective was just like a non starter. And I think everyone was still trying to understand what do these models actually do, how did they relate to the technology that's being built, et cetera. Now we have a much more nuanced conversation around training and to be totally candid as well on the legal side of things, as we negotiate some of the commercial arrangements, whether it's with our LLM providers that are under the hood of some of our technology. We've seen the language around this even settle a little bit when we first started having these conversations with we use OpenAI AI to power some of our technology. We use anthropic to power some of our technology. When we were talking with their teams and saying, okay, here's what we want to be able to articulate in the contract, there just weren't settled commercial terms around these things. So now we're graduating to where there's like more common understanding. And when we talk about training, we really talk about training from the perspective of what would the customer expect, the value out of this product being delivered, what would they expect from it? Have we explained it to them in a very clear way? And then do they have a choice around that? And so I'll give you just a quick example from HubSpot's perspective and how we Build products. We use our customers data, when they put it into different products to train outcomes that are unique and personalized to them. So for example, you're putting in your data and we're using that to get better and better at understanding your tone or your brand of voice so that we can create content or automatically generated messages that really mirror you. And you feel this, right? Like you use a product and you're like, okay, it's getting me now that feels more and more. Whereas in the beginning you're like, no, nope, rewrite it. Nope, that's not good. So that's one area that we use data for training. Another area that we use data for training is when we take data and we look at it on a very aggregated and wide scale to understand trends that might be helpful to our customers. So for example, we know from our vast 250,000 plus customer data set that these types of deals typically take this amount of time to close. And by the way, you're behind and we think here are some actions to take. So that's a type of training that we do. We explain that very clearly to our customers and we also offer the ability for customers to opt out of that training. And then last but not least, when we bring any third party models to the game, and there's great models out there that are powering the next innovation curve of technology, we do not let them train on our customers data. And so that's something that we have a hard stop on and that gives our customers the confidence that whatever's happening with their data is really in service of the product that they are using from us and the value exchange that they're getting. And any technology that we're bringing to power that along the way does get sort of backdoor access to that as well.

08:42Enterprise AI: Governance & Pilot Programs

A lot of that really resonates with, I guess, our layers of governance and how we approach these conversations as well. From a group office perspective, when we're selecting third party tools, we're having those exact conversations, you know, understanding where our data sits, what it's been used for, and making sure that that's compliant, particularly with Australian law as well. And that's, you know, an aspect to navigate particularly with International businesses like HubSpot as well, from a broker perspective. Things that we had to kind of think about in terms of these safety measures that we had to put into place, similar themes as what you kind of talked about. One of the first things that I'll probably just start off with is that everything that we release to our network has to go through a really rigorous due diligence process when we're selecting vendors, particularly third party. So before anything actually goes live, there's already been a fairly extensive process to make sure that we're asking those very questions that you've mentioned. But in terms of safely deploying it to our network, there's another layer that we have to also start thinking about. And I think you touched upon this a little bit with the importance of using enterprise technology as well. And what's been really good about today is actually hearing thematically with a few of the other talks about the important importance of using your data and plugging your data into the systems. And so for us, as the conversations around AI tools started to emerge, and some of our more digitally savvy brokers are like, why aren't we using this tool or that tool? It was really important for us to think about the enterprise technology that we're using. And we're a Google workspace business. So Google Gemini made sense for us and actually making sure that our instance of Gemini had our data plugged into it so that the results were a lot more predictable than using things off the shelf that's just connected to the Internet. And it's really interesting you talk about, I guess, the idea of training as well. Often when we release new products to our network, we will actually do it in pilot groups, so smaller groups, and that's more of a risk issue. In case something goes wrong, we can roll back, make modifications and deploy again. But in the instance of AI, these pilot groups actually help us train the models as well. So there is a dual benefit of being able to actually do that pilot group so that we've got better confidence on the results as we start to spread out to wider consumption within our network.

11:05The "Pit Crew" Approach to AI Adoption

Awesome. I love what you just described and I think it really brings things to life. When I think about AI. Everybody's having a personal experience of AI inside of work, outside of work. And so the surround sound of, hey, my buddy's using this cool tool or this other company, the IT departments and people in math's role are just getting inundated. And when you think about being able to move fast but with precision, and I think about this in the context of where in life do we move fast but with precision? And I think about a racetrack or I think about launching a rocket into space. And what are the common patterns that you see? You see something moving fast, but you also see a very tight collection of team members that are responsible for making sure everything runs well and they're involved early and you see them as a pit crew, et cetera. And that's, I think, exactly what you're describing, which is if you're waiting to kind of a waterfall approach almost to get a piece of technology into your company and you sort of like are sending it down the assembly line and legal or security or somebody else is at the end, you're almost guaranteeing that you're going to do this in the longest and most painful way possible. Whereas if you bring that collection of individuals to the start and you start with, and this is what I love what you described. Start with the value case. What do you expect this technology to do for your business? What is your hypothesis of the value return? And you all probably heard Yamini talk about this, of what is the business problem? And that everybody's anchored in that. I think you'll see everybody shift to a more business forward posture, including the lawyers, because they now have context of everything to say, okay, this is what we're shooting for. How do we design a process that allows us to prove that out in a safe way? And then you have everybody collaborating in a mindset of okay, what kind of data is there? Can we minimize the amount of data that is really high risk until we trust this product more? We get a few rounds on things. But it also keeps the business from just sort of spraying technology into the space, which is, yes, a risk from a security perspective. You expand attack vectors whenever you introduce new modes of technology into a space. But it's also a practical issue. It's a, does everybody in the company understand what tools I'm supposed to use for this process? Do I have control of the cost around it? Have I put vendors into my stack now that might not be here in six months? And now I have a business continuity issue. So this is a really 360 conversation to have. And the more you get that sort of tiger team of the business stakeholder lawyers, IT security in the conversation together and they treat each other as the team that is here to solve speed and precision. The more I think you'll get great outcomes.

13:47Why Early Legal Engagement Accelerates AI

I love that. It's so true. You're one team. You've got to bring people together. You go on the journey together. And I think what I'm seeing when I'm talking to business businesses at the moment is you've got business leaders not operating with other parts of their flywheel and they go right the way through the process and then they go, okay, we're going to engage legal now and then legal raise all of the concerns. So it's great. Legal are no longer the. No, it's a part of the team. I like that a lot, Erica. Matt, just on that then. So where has embedding legal helped you move faster or avoid any mistakes at Mortgage Choice. Mortgage Choice, as a part of REA Group, which is our parent company, we're really lucky to have an in house team of legal experts that are well tenured as well. They've been in the business for some time. There's a habit where we get lawyers coming into the business and they tend to stay for quite a long time and as a result they're really embedded in our actual business functions. So to your point earlier on, they're not treated as a separate office where we go ask for permission or forgiveness. They're actually very much a part of our processes and we really them early on in the conversations so that we can really frame and understand the things that we have to be careful about. And to me that's probably more important to be able to have those conversations early because as a product and tech person, one of the worst things that has to happen on occasions, thankfully not too often, is actually releasing a product and then having to scale it back because you found a major flaw. From a compliance perspective within financial services, it doesn't matter how small it is, we can't go live with those things or we have to roll back and fix and we have to alert the network that it's happened. And we've all seen the impacts of things like data breaches in other businesses and the trust impact that actually creates. Having those conversations earlier on is super important to be able to avoid those very things. I mean, Mortgage Joy is a large organization. We have lots of large businesses in the room. Erica, though we have a lot of smaller businesses as well that don't have access to in house councils and everything. What's the advice you could give for those small businesses as they like navigate through this change?

16:00AI Due Diligence: A 5-Question Checklist for Small Businesses

Yeah, so a couple things I would say and the first maybe I'll just like tick off. We kind of use a framework internally that the super simplified framework of five questions that I want our teams constantly thinking about when they're thinking about bringing new technology into a space. And it's simplified because it's meant to be able to give to anybody in the business because sometimes we have tools that our teams want to use and there's a salesperson or somebody else that has to be the advocate for that tool. So they may not be a security professional by trade or A lawyer. But they need to be able to interface with the vendor and say, hey, this is what my team is going to expect for you to be able to answer. So can you give me some basic answers answers around it? We touched on one of them already which is do you use my data to train AI? And they should be able to answer that question really clearly and specifically the same way that I did. The second, is my data secure? And that was true before AI. It matters now. Even after AI, can they articulate to you how they secure data? And what this typically looks like is usually on a website they will have some area that is a trust center or documentation where they have some explanation of not only how do they secure their products, but what standard. Because there's sort of globally accepted standards, what standards they use to abide by that. You can look for words like ISO 27001soc2. Those are good indicators that not only is the company engaged in those practices, but they have an auditor that they bring in to recertify them on a rolling basis and say yes, yep, this company is abiding by that standard. So that's around security. The third is who can access my data? And this is as much as if it matters to you as a small and medium sized business or not. It's around where is the data. So we talked a little bit about some of our more sophisticated customers really wanting that data to stay in the Australian data center. So you should have some understanding of where does the data go and this should be on their website and documentation. But also who in the company actually has access to the data? So is it just the product teams? Do the support teams get access? Can they articulate the answer to that question? The fourth area is are you going to help me comply with laws and regulations? The easy one to look for here is if they don't have a good answer to do you comply with GDPR run? So that's like an easy test case where the EU sets a pretty high bar. GDPR actually has of a lot, quite a few regulations around how to handle data and they should have some really good explanation of here's how we do it and here's our sub processor agreements, et cetera. Last but not least is do you delete my data? So when I ask for specific data to be deleted or when I actually leave, what is your process for that and what we're typically looking for, there is some reasonable explanation of how do they actually delete data? Can they articulate the mechanism that they do that words like cryptographic hashing or rolling data stores and then they may have something in backups. But there should be some period of time that they can say, at this point in time, we've deleted all your data. Those are good indicators of good hygiene practices. Those are things that we even give that talk track to our business associates and people in the company that are trying to run ahead of the backlog of legal insecurity and whoever else that it's like. If you can get reasonable answers to these questions just from their website, that's a good indicator that you're dealing with a mature company. The two other tips that I would give is one, if you're looking at a license and there's tiers, pick the enterprise tier. And the reason that I say that is because it's going to give you the best protections. And if you're a business running your business off of specific technology stack, you do not want that to tool using your data in a way that you would not be comfortable talking to your customers about. And the enterprise tier, even though it's more expensive, is almost going to all the time have the sufficient protections. The reason for that is because AI tools are powered by data. And so if you're talking about a lower tier, you're talking about a pay to play model where you're getting a discount, but you're paying in the form of giving rights to data that you probably don't want to. Last but not least is to think about whether or not there's a delineation between high risk data or really anything else. And an easy search for this is actually the EU has a great website where you can go on a small and medium sized business, enter the data that you're considering dealing with or in a specific vendor, and it will sort of give you a decision tree of are you dealing with high risk data or are you dealing with lower risk data, in which case you don't have to think about as many parameters overall. So those are just some good tips and tricks as you're kicking the tires on things. And I think if you use those like 90% of the time, even in the absence of a big compliance team or lawyers, you're going to come out on the right side of things. I don't know how you think about my cheat sheet, Matt, but you can use it for your teams if you'd like. I think you basically described our process essentially and I work in the product side. So on the opposite side of Erica, in terms of talking about what we want to do and, and have these collaborative conversations with our legal teams and I think what's really good about thinking about this upfront and setting up these processes early, it makes it so much easier. So Erica mentioned you literally have a checklist. We have these documents that asks every vendor that we work with these same questions and often the answers for those questions will lead into what we have to do next as well. If you asked me earlier in my career how I feel about governance and processes and these types of things, I probably wouldn't have been that excited by it for being honest. But making it easy by doing it really often and building that muscle just really enables you to move at speed afterwards. So standardizing this process, and I mentioned that before, not everyone has the luxury of having an in house legal team, but actually having these processes in place still make sense and are sensible for any business to think about asking the right questions so that you don't find yourself in a bit of a sticky situation later on and have to kind of rectify.

22:16Regulators vs. Customers: AI Priorities

Wonderful. Well, that was a big checklist. But don't worry, there's an AI transcript coming out, so if you didn't catch all of those amazing tips and checklists, you'll be able to get that basic Erica, what do regulators actually care about versus customers right now? Is there a difference? And for you, what's the non negotiables every company company needs in place before deploying AI? It's a really interesting question because oftentimes regulators are stepping into the shoes of the consumer. So regulators are really thinking about where is there an asymmetry of power and where do I need to step in and protect an end user or consumer of technology that may not have the same bargaining position as a business? For example, in our case with HubSpot, our customers are business and so we're often thinking about, okay, what obligations do they have? How would they have this conversation with their customer? And honestly, a good line in the sand that I use frequently when I'm talking with our product development teams and even our chief product officer, we'll say, okay, this is what we want to build, understand? Okay, let's think about it through the lens of the customer and maybe we'll make some tweaks and then we'll also take a step back and go, okay, would we all feel comfortable sitting across the table from a customer and explaining that this is how we use their data? That's usually just a really good brings it home human level question. Because if you can articulate that and stand behind it from a relationship, standpoint that's probably a good litmus test that you're on the right track. But generally the customers are looking to us to really think about their stewardship obligations and and their end users and would they feel comfortable explaining to their customers or prospects that we're using that data in that way in their tool. So I think the interests are super aligned. Regulators, on the other hand, when we interact with them, they're really looking for us to be thoughtful about the end user. So they care about you all as customers, but they ultimately care about collectively as a customer, as a business using our tools and as a provider providing business tools, are we collectively thinking about the individual end user or consumer in a way that's responsible? And so they're looking for the thoughtfulness of that process. They're looking for exactly what Matt described, which is do you have a process where you involve all of the stakeholders upstream at the point of design and then what are the checklists or some of the controls that you've put in place? Doesn't mean that everything goes right 100% of the time. And believe it or not, regulators deal with situations that don't go right 100% of the time, but they're really looking that you are nimble and that you're able to apply a thoughtful framework and then adapt that framework where you see vulnerabilities exist.

25:01Hard Noes: Selecting & Governing AI Tools

So I'm hearing governance equals speed and scale. There's definitely no constraint there. So governance all the way. Now I do want to move though to the fact that at the same time we've got like a decision paralysis. There are so many tools, unclear policies and rising risk. Right Matt, no doubt. In your industry, how do you decide what tools to allow through and what to block? And what does your hard know while assessing approach looks like in practice? Look in terms of tools that we release to our network of brokers, we've got a very firm policy on what tools are allowed and what aren't. And because the risks involved, particularly off really accessible AI, that looks great. And Erica touched upon businesses at a startup that may fold in the future or might not have the same, I guess security processes in place, it's too dangerous for us to allow our network of brokers to use. So we've got a very strict policy in terms of using software and platforms that we have heavily vetted, tested, gone through pilot groups, trained. And also one of the things that I think we haven't touched upon is the continual governance of these platforms as well. Unlike static products where you can build and walk away from. And until they break, you don't have to worry about them as much. AI products are constantly evolving and constantly learning, which I think from a legal perspective would be a massive headache to kind of stay on top of. So we have to put processes in place to also look at governing the results of our tools as well, to make sure that over time, as our AI products evolve, they don't start to go into weird directions. So that's a really important part of the process as well. In terms of experimentation, though, in Head Office, where we're looking at new technologies all the time, there's a real shift in culture, I feel. And Mortgage Choice is a part of the wider business called REA Group. And REA owns a business called realestate.com au which you may have come across. And even though it's a wide and large business, we're starting to see a bit more of a startup vibe with experimentation with new products. And there's a real encouragement from leadership for our teams to actually think about what is out there and test and learn and experiment in controlled environments. So there's a real balance between releasing something to our network to make sure it's safe, but then also keeping, I guess, a finger on the pulse of what's coming up. And we have processes that are actually put into place now to think about how those start to filter up, to go through a due diligence process as well. I would just add to that. I think it is a tension point because on the one hand it's like transform the organization, but you're also expected to put tools in the hands of people so they can transform themselves. There's that call to action as well. And by the way, you've got to keep all this under control at the same time. And so I think what you described of having a process where you can sort of get things into experimentation mode and then have a clear understanding of when does it graduate to fully in production. But I would also add, if you have that culture, which I think everybody should right now, of experimentation and growth, you've also got to guard in that process. So at what point is somebody going back and going, oh, those 10 cool tools that we sort of greenlit on this pilot basis, is anybody going back and saying, is anyone still using these or should we clean them up and remove deprecate access to our systems? So anytime that we're going through transformation, experimentation, there's got to be a hygiene to it where it's a living process and somebody's going back and editing at any given point. Okay, these are the things that they were fun to tinker with for 30 days or so, but let's actually get them out of the environment now because no one's using them and they're just pointing a vulnerability for us. Absolutely. Like, we're not looking at, like, tech spiral and tech debt growing with these things. There's a process in place even just for that, to kind of make sure that, to your point, like, there's not any shadow AI being used in the business and being able to kind of come back and ensure that we are staying compliant internally as well, because it's just as important in terms of regulating and make sure that's being governed as well.

29:06Hidden Dangers: "Vibe Coding" & Security Vulnerabilities

Interesting. Well, that's obviously where governance can break down. What risks are companies underestimating, Erica? Especially with things like Vibe coding or unapproved tools? I think the Vibe coding one is a big area where it's in vogue right now. We want people working with systems and being able to understand how technology can overlay on them. But also there needs to be a point of view from your organization of what is the tier 0 or tier 1 data that your company operates off of day in and day out, and is one. It needs to be accurate at all times. It needs to be governed by permissions. You need to be able to have a third party come in and look at it and validate that you've done all those things correctly. And if you don't do that, it actually damages your relationship with your customers. So I think those are the surface areas where there needs to be a point of view of like, okay, this stuff is not the area that we want to Vibe code in. If you have a dashboard of insights that you build for yourself based off of your team's goals, et cetera, have at it. But if you have an area where there is customer data, regulated data, confidential information, that is not an area where I want our teams Vibe coding and having at it in a different way, nor would our customers expect that we're doing that as well. I think having a really clear point of view of where is that delineation sort of across. I think the second area is just making sure that you're constantly checking in on the security progress on specific tools. So if you have a security team, that means doing regular testing because the vulnerabilities are changing every day. And so you don't want to sort of set it and forget it. Like, you want a hygiene process where you're going back and evaluating that tool against a new environment. Making sure that you're doing the same level of testing. Because we're learning each day how these tools are made vulnerable. So I think just more fodder for it needs to be an evergreen process that's a living process and it doesn't just get put on an assembly line and then left and forget it.

31:11AI's Reckoning: Confronting Data Architecture

Sounds like many of these issues like data governance, privacy, they're not new. Right. So, Erica, why is AI forcing companies to confront that they've been able to ignore, ignore for years? Oh, I think and Matt can check me on this because he's probably living it. I think the AI is having companies confront their data architecture more than ever. So good. Right on cue. We didn't rehearse that. There's violent nodding as soon as I said it. But we all know sort of the brittleness of constrained data systems that was true before AI. Like if you tried to join data, you tried to pull insights, it was. Data was never current, it was never right. The reality is AI is only as good as the data that feeds it. And so I think this is really bringing to bear a reckoning moment where companies are like, right, no matter how cool the tool is, no matter how much it promises to eliminate all friction and drive all efficiency, if you don't have the data structures underlying to be able to drop that tool in, then you're not going to be able to power it and the outcomes that come out of it are not going to be trustworthy or even if you can identify this is wrong, you don't know how to fix it and make it right. So I do think this is an area where the best companies will really invest in their data architecture and their data governance and make sure everything's in the places it needs to be. There's the right classification and there's the right permissions and security on top of that, then you can drop stuff onto that and let it move pretty quickly because it's got the right rails to operate off of. Yeah, I'm getting a bit of PTSD just thinking about this process. REA Group acquired mortgage choice around four and a half years ago. And mortgage choice is a 34 year old business that is built up from no less than four different brokering businesses that it's acquired over time as well. So you can imagine over 34 years, the attitude and standards towards how we actually govern data has shifted significantly. And the legislation around responsible use of data has also evolved constantly over that period of time. So one of our initiations with Mortgage Choice becoming part of rea Group was around trying to get a handle of our data for just standard business operating reasons. So even before AI was a huge, I guess, thing that everyone's focusing on, all encompassing, we were already working through those challenges just to be able to run the business as efficiently as we wanted to actually run that business. So to come back to your question, has it exposed anything? Nothing that we didn't know about, but it's absolutely highlighted the importance of building those foundations in place and investing in that work. Because that type of work is often grueling and grinding and sometimes hard to really prove out business value as well. But to be able to enable these AI features off that strong data foundation is something that you can then start to really prove out the value of that investment in that work. So nothing new, but definitely exposed. And one of the good things is with AI it's actually helped us to get a hold of our data as well. So, you know, conversations that we were having originally around how do we start to consolidate all this information coming from all these different platforms and systems. The estimations were huge in terms of thinking about this from a traditional, I guess, delivery process and you know, how we approach those problems. But AI has helped us actually really speed that up. And things that we estimated originally might take a few years are taking months now, which is a real huge kind of benefit for us as a business. That's great. There's no issue of exposing a challenge, then you can solve it. And it's better to know about it than not know about it and get called out. So I agree. Did you want to say something?

34:49The "Hidden Tax" of AI: Data Migration & Cleaning

Well, it reminds me, as you're talking through, it reminds me a little bit and I love that this is, this is where it gets really meta, where you can use AI to restructure data or get the taxonomy correct. And it is a supercharge, but it still remains true. It strikes me you have this AI transformation happening now. I remember when the cloud transformation was happening and there was the promise of cloud and digitizing your stacks and the hidden tax was migration. And so this is sort of the same where the promise of the technology sits over here, but there is a bridge underneath that you have to sort of traverse to unlock the value of the technology. So for on prem that was like migration to, you know, you didn't just turn on your cloud instance and it just worked. You had to like get everything over there. And the same thing is true with AI where you know, you have this promise of turning on AI, you have to do the lift of structuring your data, getting it into a clean state, you know, making sure that it works, that your data works for you. And I think that's the piece that people are coming to realize. And I'm not sure how many of you have experimented with AI, but I've certainly had scenarios even within the legal team as we tried to unlock the power of AI and the demo is great. And then you go to actually do the thing and you realize we don't have that integration or the integration's broken or the data's not working. So that's where the vendors that can really house a lot of your data and have it in a secure environment, but also know dynamically when to serve it up and when to expose it. And you know, HubSpot's one of those platforms where we, we endeavor to have a ton of context and data in one place at any given time. It can really spare a lot of the, like, hidden tax of unleashing the potential of AI.

36:27Leaders' Playbook: Scaling AI Responsibly

So true. I could talk about this all day, but we might have to move on. Let's make this actionable for the leaders in the room here as well. Matt, for you, what's one thing a leader should do in the next 30 days if they want to scale AI respons? Oh, does it have to be one? Can it be two or a couple? You can have two. Okay, I can have two. I think the first thing is not trying to jump towards a solution first. Think about the problem you're trying to actually solve. If your social media algorithms are anything like mine, when you're jumping online, there's always someone screaming about what you're doing today is old and redundant and you need to do the new thing or you can going to be left behind. So the first thing is really thinking about the problem that you're trying to solve and anchoring to that before you think about the tools that you want to build on. Because the reality is that technology moves really, really fast, but trust compounds really slowly. So the businesses that will win will not be the ones that are using the latest and greatest technology. It will be the ones that are actually maintaining and building the trust from their customers over that time. And this is why I think the governance conversation of thinking about that early risk and making sure that you are building foundations of trust, particularly in an environment where it's so dynamic and trust can be fleeting. So really, really protecting that, I think is an important thing that every business leader should be thinking about in this environment.

37:53Avoid These AI Adoption Mistakes

And Erica, on the flip side, what's the mistakes that you see business, businesses make right now that the leaders here should try to avoid. I think the biggest one is if you are in a company where you have the benefit of security, compliance, legal, et cetera, resources, if you don't know who those people are and you haven't sat down and had a conversation about, okay, this is crazy right now, the pace of things. If you haven't had that moment where you've all looked at each other and go, is anybody feeling super stressed about the number of tools that you're trying to put into the system all at once and lock arms together and say, here's what we're going to commit to. We're going to commit to bringing each other in early. We're going to commit to having regular conversations around this where we review the tool stack. We're going to commit to having a shared understanding that we communicate with the rest of the org about what are the non negotiables versus where are the areas that we can fast track things more. If you're not doing that or haven't already done that, I think you haven't really set up the engine for transforming yourselves with AI and being able to move with AI speed. And so I would encourage you to do that. Wonderful. Good advice. Thank you. Well, we're getting towards the end of the session now, so it's really clear that trust is what determines whether AI stays an experiment or becomes a scalable growth driver. I think that's very clear after this conversation. So my key takeaways here were seek clarity for why you're using them and what outcome you're trying to achieve. Bring stakeholders in early and work together as a team. I think that was evident. That makes a massive impact. I had a conversation with someone today where they didn't do that earlier and they regret that and define who and the what and set the guardrails really early. So with that, I just want to say thank you so much to Erica and Matt for sharing your insight today. We actually have a few minutes left so we're actually going to open up for a Q and a. We've got time for one question, maybe two. If there's any brave people in the audience. Would anyone like to ask a question? Here we go. There they all are. We have a roaming mic, I believe. Oh, there you go. In the front row here. Just please. Thank you. When the company doesn't have an internal legal team, who would you recommend as the key stakeholders or how do you recommend to go about it? How big is your company? 150 and growing pretty fast. Okay, so you probably have like a head of it. Yeah, I think. And feel free to chime in. I think that tends to be a great person to put the mantle of responsibility on, but also empower them, too. Right. To ask for the right resources and whatever else they need to do to scale things. But I think that's a natural place where that person is going to be the bottleneck for, can I integrate this? Can I drop this tool into the environment? So I think if you don't have a legal or security team, that's the natural place to start. And that's always a stakeholder that's at the center of our conversations. Even in a larger company. Yeah, I'd agree. Even in a larger company. The stakeholders that I engage with with these conversations are risk, security, and technology. So often our architects are people that will help frame these things that are really important to consider. Risk is more about, I guess, making sure that we are following that process, ensuring that happens so that can be someone else as well. But I think legal is definitely your friend in these situations and particularly in this environment, as it's navigating so quickly, being able to have those guardrails in place to think about the longer term of your business, not just the quick wins and the dopamine hits of these cool new features that are coming out late tomorrow. That's all we've got time for. I hope you enjoyed the session. Can I just ask for a big round of applause for Erica and Matt?

Small businesses should ask five key questions: Does the vendor use my data to train AI? Is my data secure, and what standards do they follow (e.g., ISO 27001, SOC2)? Who can access my data and where is it stored? Will they help me comply with laws like GDPR? And what is their process for deleting my data? Additionally, choosing an enterprise tier license typically offers better protections.

AI is forcing companies to confront their data architecture because the effectiveness of AI tools is directly dependent on the quality of the data that feeds them. Without clean, structured data, proper classification, permissions, and security, the promised efficiencies and capabilities of AI cannot be realized. This highlights the critical need to invest in data foundations to unlock AI's true value.

Leaders should prioritize understanding the specific problem they are trying to solve before jumping to a technological solution. It is crucial to focus on building and maintaining customer trust, as trust develops slowly, unlike rapidly evolving technology. Establishing strong governance and foundational trust is paramount in a dynamic AI environment where trust can be fleeting.

Leaders should avoid not engaging security, compliance, and legal resources early in the AI deployment process. It's essential for these teams to collaborate from the start, regularly review the tool stack, and establish a shared understanding of non-negotiables versus areas where processes can be fast-tracked. Failing to do so prevents the organization from building an efficient engine for AI transformation.

Customers are primarily concerned with where their data sits, who controls and owns it, and what AI technology is allowed to do with it, particularly regarding model training. Companies address this by using data for personalized outcomes or aggregated trend analysis, explaining data usage clearly, and offering opt-out choices. They also ensure third-party models do not train on customer data.

Companies often underestimate the risks associated with "Vibe coding" or using unapproved tools, especially with sensitive tier 0 or tier 1 data (customer, regulated, confidential information), where accuracy and strict governance are critical. Another underestimated risk is neglecting continuous security checks and testing, as AI vulnerabilities evolve daily, requiring an evergreen process rather than a "set it and forget it" approach.

Trust is a limiting factor in Australia because the region takes a principles-based approach to AI, unlike the faster, less regulated US or the heavily regulated Europe. Australia has many traditional sectors with sensitive customer data, making it crucial to adopt AI in a way that doesn't disrupt long-built brand trust, which can disappear quickly if not managed carefully.