
Industry Verticals

29 posts on industry verticals.

Colorado SB 26-189: Why HIPAA-Covered AI Deployers Lost Their Exemption

On May 14, 2026, Governor Jared Polis signed SB 26-189 into law, scaling back the Colorado AI Act ahead of its February 2026 effective date. The revised statute drops the broad HIPAA covered-entity exemption that the original act carried and replaces it with a narrower carve-out tied to a specific "consequential decision" test. Clinical AI deployers in Colorado who assumed they were out of scope now have to map the systems that influence diagnosis, treatment selection, or coverage decisions against the new criteria. The effective date moves to January 1, 2027, with a 60-day Attorney General cure period. This article walks through what changed, which clinical AI systems pick up new obligations, and the per-decision evidence the new regime will expect.

Tags: colorado-ai-act, healthcare-ai, hipaa, state-regulation, clinical-ai, compliance

FERPA and AI: What School Records Confidentiality Requires from AI Tools in K-12 and Higher Ed

FERPA protects the confidentiality of education records. Schools and the edtech vendors operating on their behalf are now putting student data through AI tools for tutoring, grading assistance, behavioral analytics, and parent communication. The "school official" exception in FERPA covers vendors only when specific written agreement, legitimate educational interest, and direct control conditions are satisfied. Most AI vendor relationships were not constructed with those conditions in mind. This piece walks through what FERPA actually requires when AI processes education records, where the school official exception breaks for AI vendors, and the architecture that satisfies the disclosure controls.

Tags: ferpa, edtech, student-data, ai-compliance, audit, k12

Shadow AI for Government: FedRAMP, CUI, and the OMB M-24-10 Mandate

Federal agencies and government contractors face a shadow AI exposure that compounds across FedRAMP boundary controls, CUI protection under NIST SP 800-171, and the OMB M-24-10 AI governance memo. Pasting controlled unclassified information into a non-FedRAMP-authorized model violates the boundary by definition. This piece walks through where shadow AI surfaces in agency work, what M-24-10 actually requires, and what the architecture for compliant AI use looks like.

Tags: shadow-ai, government, fedramp, cui, omb, ai-security

Shadow AI for Legal: Privilege, Confidentiality, and the ABA Opinion 512

Law firms and in-house legal teams face a sharper version of the shadow AI problem. Client confidences pasted into a model can break attorney-client privilege under the inadvertent disclosure doctrine. ABA Formal Opinion 512, issued in July 2024, sets out the duties of competence, confidentiality, and supervision that apply to lawyer use of generative AI. This piece walks through where shadow AI surfaces in legal work, what Opinion 512 actually requires, and what the architectural fix looks like.

Tags: shadow-ai, legal, privilege, confidentiality, aba, ai-security

Shadow AI for Finance: MNPI, DORA, and the Audit Gap

Financial services firms face a compounding shadow AI exposure: material non-public information moving into unauthorized models, DORA Article 28 third-party AI risk obligations, and SEC enforcement under existing books-and-records rules. The historical DLP and surveillance stack was built for email and chat, not for AI prompts. This piece walks through how shadow AI surfaces in trading, research, and operations, and what the architectural fix actually requires under DORA, SR 11-7, and the EU AI Act.

Tags: shadow-ai, finance, dora, mnpi, compliance, ai-security

Shadow AI for Healthcare: PHI, HIPAA, and the BAA Gap

Cloud Radix found that 57% of healthcare professionals use unauthorized AI tools to process PHI - SOAP notes, diagnostic plans, prior authorization summaries - without a Business Associate Agreement in place. The Office for Civil Rights treats unauthorized PHI disclosure as a HIPAA violation regardless of intent. This piece walks through how shadow AI shows up in clinical settings, why traditional DLP fails to catch it, and what the architecture for HIPAA-compliant AI usage actually requires.

Tags: shadow-ai, healthcare, hipaa, phi, compliance, ai-security

AI Gateway for Banks: The Inspection Layer for Regulated AI Traffic Under OCC, FFIEC, and the EU AI Act

Banks handle AI traffic that touches credit decisions, fraud screening, customer service transcripts, internal research copilots, and increasingly model-assisted regulatory reporting. Each route carries a different supervisory expectation. This piece walks through the regulatory regimes a US or EU bank operates under, the inspection target the gateway covers for each route, the audit record format that satisfies OCC SR 11-7, FFIEC AIO guidance, and EU AI Act Article 12, and the deployment topology that fits a bank-grade environment.

Tags: banking, finance, occ, ffiec, eu-ai-act, model-risk-management

HIPAA AI Compliance in Healthcare: The Architecture for PHI in Prompts

Cloud Radix reports that 57% of healthcare professionals use unauthorized AI to process PHI without a Business Associate Agreement. The HHS Office for Civil Rights treats unauthorized PHI disclosure as a breach regardless of intent. This piece walks through what HIPAA actually requires for AI processing of PHI, where most healthcare AI deployments are exposed, and the inspection architecture that produces the access logs and access controls HIPAA expects.

Tags: hipaa, healthcare, ai-compliance, phi, audit, ai-governance

DORA AI Compliance for Banking: What the Operational Resilience Regime Requires from AI Systems

DORA took effect January 2025 across the EU financial sector and overlaps with the EU AI Act on the high-risk AI systems banks operate. The combined obligation includes operational resilience, third-party risk management, incident reporting, and per-decision audit records for AI-assisted financial decisions. This piece walks through what DORA actually requires of AI systems, how Article 6 and Annex III of the EU AI Act layer on top, and the architecture that satisfies both.

Tags: dora, banking, ai-compliance, eu-ai-act, audit, financial-services

DeepInspect for AI Platform Engineers: Inline Enforcement Without the Latency Tax

AI platform engineers operate the gateway, the model routing, the identity plumbing, and the eval pipeline that production AI runs on. Whether inline enforcement and per-decision audit can be added at the request boundary without a latency penalty determines whether the platform can absorb the security and compliance asks.

Tags: ai-platform-engineer, inline-enforcement, ai-security, identity-and-authorization, architecture, llm-security

DeepInspect for Heads of Security: AI Risk as a Production Control

Heads of Security own the production controls that prevent damage at machine speed. AI traffic is the data channel where the controls have to operate. The Mandiant 22-second handoff window and the IBM shadow AI numbers determine what counts as a working control today.

Tags: ai-security, inline-enforcement, cybersecurity, shadow-ai, identity-and-authorization, zero-trust