Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

Public Sector AI Compliance: OMB M-24-10, NIST AI RMF, and the State AI Laws That Apply to Agencies

OMB Memorandum M-24-10, issued March 28, 2024, set the AI governance baseline for federal civilian agencies, including risk management for rights-impacting and safety-impacting AI, a Chief AI Officer designation, and public inventories of AI use cases. The Office of Personnel Management AI guidance, the Department of Homeland Security AI framework, and the DOD Responsible AI Strategy add agency-specific obligations. The NIST AI Risk Management Framework provides the technical baseline. State-level laws including Colorado SB 24-205, Connecticut SB 2, and California AB 2930 add overlays on state-agency and state-contractor AI. The architecture that supports the OMB-required risk management has the same shape as private-sector high-risk AI compliance.

Industry Verticals: government, public-sector, ai-compliance, omb-m-24-10, nist-ai-rmf, fedramp

Law Firm ChatGPT Confidentiality: ABA Opinion 512 and the Architecture Privilege Survives

ABA Formal Opinion 512, issued July 29, 2024, sets the duty of competence, confidentiality, and supervision standards for lawyers using generative AI tools. Model Rule 1.6 confidentiality, Rule 1.1 competence, and Rule 5.3 supervision of nonlawyer assistance all attach to AI workflows that touch client information. State bar opinions from California, Florida, New York, and Pennsylvania add jurisdiction-specific overlays. The architecture that supports a defensible position under examination is per-decision audit records that show what client data the AI received and what the firm did with the output.

Industry Verticals: legal, law-firm, ai-compliance, aba-opinion-512, confidentiality, privilege

Insurance AI Pricing Under the EU AI Act and NAIC Bulletin: The High-Risk Architecture

Life and health insurance pricing using AI is classified as high-risk under EU AI Act Annex III point 5(c). The NAIC Model Bulletin on the Use of AI Systems by Insurers adopted in December 2023 has been incorporated by twenty-five US state insurance regulators as of 2025. Colorado SB21-169 sets concrete obligations for life insurers using external consumer data. The combined regime requires per-decision audit records, governance documentation, third-party risk management, and demonstrable testing for unfair discrimination across protected classes.

Industry Verticals: insurance, ai-compliance, eu-ai-act, naic, audit, high-risk-ai

AI Prompt Risk Scanner: A Free Tool To Check What Your AI Prompts Actually Expose

The AI Prompt Risk Scanner is a free tool that inspects a sample of your organization's prompts against the same detection rules a production inspection layer would apply. Paste a prompt or upload a batch, and the scanner returns the data classes detected, the regulatory exposures triggered, and the policy outcomes that would fire under standard rules. This piece walks through what the scanner inspects, how the rules work, and what to do with the results.

AI Security Solutions: ai-security, prompt-inspection, tools, shadow-ai, compliance, dlp

DORA AI Compliance for Banking: What the Operational Resilience Regime Requires from AI Systems

DORA took effect January 2025 across the EU financial sector and overlaps with the EU AI Act on the high-risk AI systems banks operate. The combined obligation includes operational resilience, third-party risk management, incident reporting, and per-decision audit records for AI-assisted financial decisions. This piece walks through what DORA actually requires of AI systems, how Article 6 and Annex III of the EU AI Act layer on top, and the architecture that satisfies both.

Industry Verticals: dora, banking, ai-compliance, eu-ai-act, audit, financial-services

HIPAA AI Compliance in Healthcare: The Architecture for PHI in Prompts

Cloud Radix reports that 57% of healthcare professionals use unauthorized AI to process PHI without a Business Associate Agreement. The HHS Office for Civil Rights treats unauthorized PHI disclosure as a breach regardless of intent. This piece walks through what HIPAA actually requires for AI processing of PHI, where most healthcare AI deployments are exposed, and the inspection architecture that produces the access logs and access controls HIPAA expects.

Industry Verticals: hipaa, healthcare, ai-compliance, phi, audit, ai-governance

B2B SaaS AI Compliance: What Your Enterprise Customers Will Ask You and How To Answer

B2B SaaS founders shipping AI features face a new gate in every enterprise sales cycle: the AI security questionnaire. The questions trace back to specific regulations the customer is subject to (EU AI Act, HIPAA, SOC 2, DORA) and ask whether the SaaS product produces evidence the customer can use in its own audit. This piece walks through the seven questions that appear most often, what the answer has to demonstrate architecturally, and where most AI features fall short.

Industry Verticals: b2b-saas, ai-compliance, security-questionnaire, eu-ai-act, enterprise-sales, audit

Employee ChatGPT Monitoring: The Practical Architecture and What It Has To Say in the Handbook

Most employee ChatGPT monitoring conversations get stuck on whether the organization is allowed to do it. The answer in most jurisdictions is yes, provided the disclosure language in the handbook is correct and the inspection is proportionate to the security purpose. This piece walks through the disclosure model that holds up under labor review, the inspection architecture that produces evidence, and what an employee policy actually has to say.

Problem-Aware: shadow-ai, monitoring, employee-policy, ai-governance, compliance, audit

Shadow AI Discovery Framework: The Six-Week Path From Blind to Inventoried

Most organizations that decide to address shadow AI start by buying a tool. The tool deploys, fires alerts on day one, and produces a report nobody can act on. A working discovery program is a sequenced six-week framework that begins with what the organization already has (DNS logs, expense reports, SSO data) and adds inspection only after the surface is mapped. This piece walks through the framework week by week.

Problem-Aware: shadow-ai, discovery, ai-governance, inventory, ai-security, audit

Shadow AI Risks: Quantified Loss Exposure, Regulatory Liability, and the Per-Incident Math

Shadow AI risk lives in three separate ledgers: the per-incident breach cost, the regulatory liability that attaches to the deploying organization regardless of which employee pasted what, and the contractual liability already shifting from AI vendors to enterprises. This piece walks through each ledger with the numbers from IBM, the EU AI Act, Fannie Mae, and Gartner, and shows where the architecture closes the exposure.

Problem-Aware: shadow-ai, risk, ai-governance, compliance, liability, audit

Shadow AI Prevention: Why Blocklists Fail and What an Enforcement Architecture Has To Do

Most shadow AI prevention programs ship a blocklist of AI provider domains and call the work done. The block fires for fifteen of the top tools, employees route around it through personal devices and tethered phones, and the prompt traffic the policy was meant to stop continues. This piece walks through what prevention has to do mechanically to hold up under EU AI Act and HIPAA review, and where the enforcement layer sits.

Problem-Aware: shadow-ai, prevention, enforcement, ai-security, compliance, policy

Shadow AI Monitoring: What You Can Actually See and Where the Inspection Layer Has To Sit

Most shadow AI monitoring stops at the DNS layer or the CASB. Both miss the actual data leaving the organization because the prompt is the data, and the prompt sits inside an encrypted POST body. This piece walks through the four monitoring layers, what each one sees, where each one is blind, and the inspection architecture that produces evidence an EU AI Act or HIPAA auditor will accept.

Problem-Aware: shadow-ai, monitoring, ai-security, dlp, inspection, audit