Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

AI-Assisted SOAP Notes Under HIPAA: What the Audit Trail Has To Show

Clinicians using generative AI to draft SOAP notes from ambient recordings of patient encounters trigger the HIPAA Security Rule the moment PHI enters the prompt. The audit controls expectation under 45 CFR 164.312(b), the access control expectation under 164.312(a), and the transmission security expectation under 164.312(e) all attach. Vendor BAAs cover the vendor side; the covered entity has to produce its own evidence on its own side of the API. This piece walks through the architecture that satisfies the Security Rule for ambient-AI scribe workflows.

Industry Verticals, healthcare, hipaa, soap-notes, ai-scribe, phi-redaction, audit-controls

Public Sector AI Compliance: OMB M-24-10, NIST AI RMF, and the State AI Laws That Apply to Agencies

OMB Memorandum M-24-10, issued March 28, 2024, set the AI governance baseline for federal civilian agencies including risk management for rights-impacting and safety-impacting AI, a Chief AI Officer designation, and public inventories of AI use cases. The Office of Personnel Management AI guidance, the Department of Homeland Security AI framework, and DOD Responsible AI Strategy add agency-specific obligations. The NIST AI Risk Management Framework provides the technical baseline. State-level laws including Colorado SB 24-205, Connecticut SB 2, and California AB 2930 add overlays on state-agency and state-contractor AI. The architecture that supports the OMB-required risk management has the same shape as private-sector high-risk AI compliance.

Industry Verticals, government, public-sector, ai-compliance, omb-m-24-10, nist-ai-rmf, fedramp

Law Firm ChatGPT Confidentiality: ABA Opinion 512 and the Architecture Privilege Survives

ABA Formal Opinion 512, issued July 29, 2024, sets the duty of competence, confidentiality, and supervision standards for lawyers using generative AI tools. Model Rule 1.6 confidentiality, Rule 1.1 competence, and Rule 5.3 supervision of nonlawyer assistance all attach to AI workflows that touch client information. State bar opinions from California, Florida, New York, and Pennsylvania add jurisdiction-specific overlays. The architecture that supports a defensible position under examination is per-decision audit records that show what client data the AI received and what the firm did with the output.

Industry Verticals, legal, law-firm, ai-compliance, aba-opinion-512, confidentiality, privilege

Insurance AI Pricing Under the EU AI Act and NAIC Bulletin: The High-Risk Architecture

Life and health insurance pricing using AI is classified as high-risk under EU AI Act Annex III point 5(c). The NAIC Model Bulletin on the Use of AI Systems by Insurers adopted in December 2023 has been incorporated by twenty-five US state insurance regulators as of 2025. Colorado SB21-169 sets concrete obligations for life insurers using external consumer data. The combined regime requires per-decision audit records, governance documentation, third-party risk management, and demonstrable testing for unfair discrimination across protected classes.

Industry Verticals, insurance, ai-compliance, eu-ai-act, naic, audit, high-risk-ai

Identity Propagation Closes the Attribution Gap on AI-Generated Passwords

On May 8, 2026, GitGuardian classified 28,000 passwords on public GitHub as LLM-generated. The mechanism is per-model Markov chain analysis applied to a dataset of 34 million credentials observed between November 2025 and March 2026. Detection at the leak point is the start of the forensic chain. Attribution comes next: which authenticated user issued the prompt, which model returned it, under what role. Those answers come from AI traffic logs that captured identity at the call boundary. This post covers what that capture looks like in practice.

ai-security, secrets-management, ai-traffic, forensics, identity, audit, llm-credentials

Five Eyes Just Defined Agentic AI Risk in Five Categories. Three Live on the Traffic Plane.

On April 30, 2026, six national cybersecurity agencies published Careful Adoption of Agentic AI Services. It defines five risk categories for agentic AI: privilege, design and configuration, behavioral, structural, and accountability. Three of those (privilege, behavioral, accountability) are enforceable at the agent-to-LLM traffic boundary. The other two belong to deployment architecture. This post maps the three operational categories to the runtime control patterns that satisfy them.

ai-security, agentic-ai, ai-governance, five-eyes, nsa-cisa, audit, identity

Why you need an AI system of record for audit readiness

UK AISI put agent task-completion duration on a two-month doubling curve. Quarterly audit cadences fall behind almost immediately. The gap looks like an audit calendar problem, but the mechanism underneath is a missing system of record for AI decisions, written synchronously at decision time, identity-bound, and signed inline.

ai-security, ai-governance, audit, compliance, agentic-ai, system-of-record

What Is Zero-Trust AI Enforcement?

Zero-trust AI enforcement applies the "never trust, always verify" principle to AI traffic. Every LLM request is authorized per authenticated identity, inspected against policy on the request side before forwarding, and recorded in a tamper-evident audit ledger as part of the same request lifecycle. The model receives only prompts that have already cleared policy.

AI, Security, Zero Trust, Enterprise AI, Governance, Architecture

How to Build a Defensible AI Audit Trail

A defensible AI audit trail is a per-request record of identity, input, policy decision, mutation, output, and policy version, committed to append-only storage with a per-record cryptographic signature that lets any single record be verified independently. It survives FRE 901 authentication, HHS OCR requests, and EU AI Act Article 12 scrutiny. Most AI deployments produce logs. Few produce evidence.

Audit, Forensics, AI, Security, Compliance, Governance, CISO

HIPAA Compliance for AI Systems in 2026: What CISOs Need to Know

HIPAA Technical Safeguards under 45 CFR 164.312 apply to AI systems the moment PHI enters a prompt. The Security Rule requires audit controls, transmission security, and access control on your side of the API. A Business Associate Agreement with an LLM vendor governs the vendor only. Your obligations remain.

HIPAA, AI, Compliance, Healthcare, Security, PHI, CISO

EU AI Act High-Risk AI Systems: What Enterprises Must Do Before August 2026

The EU AI Act obligations for high-risk AI systems apply from August 2, 2026. Article 9 requires a documented risk management system. Article 12 requires automatic record-keeping. Article 13 requires transparency to deployers. Article 14 requires human oversight. Enterprises deploying high-risk AI systems need enforcement and audit infrastructure in place before that date.

EU AI Act, AI, Compliance, Regulation, High-Risk AI, CISO, Governance

22-Second Breach Windows Mean Your AI Enforcement Must Be Inline

Mandiant M-Trends 2026 reports that attack handoff time collapsed from 8 hours to 22 seconds. At that tempo, log-and-alert on AI traffic is structurally incapable of preventing damage. If your AI enforcement operates on a review cycle measured in minutes, the breach is complete before the first alert fires. AI traffic enforcement must be inline and synchronous.

ai-security, ai-governance, agentic-ai, incident-response, real-time-enforcement