← All posts

Industry Verticals

34 posts on industry verticals.

Tennessee's AI therapist-impersonation ban is now in force: the enforcement problem for healthcare chatbot deployers

Tennessee SB 1580 took effect July 1, 2026 and prohibits AI systems from presenting themselves as licensed mental-health professionals. Digital-health, EAP, and payer platforms running patient-facing conversational AI now face a concrete evidence problem: proving the model never claimed licensure across millions of conversation turns. Tennessee Attorney General enforcement applies. This piece walks through the statute, the enforcement architecture (response-side policy plus per-decision audit logs), and how the same controls extend to the 2026 state chatbot wave landing in Utah, California, and New York.

healthcare-aicomplianceregulationchatbotauditstate-ai-laws
Read post →

AI Security for KYC Onboarding: BSA, FINRA, and the Per-Decision Record Regulators Inspect

KYC onboarding is one of the highest-volume AI use cases inside banks, broker-dealers, payments firms, and crypto exchanges. The regulatory stack covers the Bank Secrecy Act customer-identification rules, FINRA know-your-customer obligations, FinCEN beneficial-ownership reporting, and (in EU operations) the EBA AML package. This article walks through the AI integration points inside a KYC pipeline, the per-decision audit fields the relevant regulators inspect, and the gateway-layer controls that produce records sufficient for an enforcement inquiry.

ai-securityfinancial-serviceskycamlcomplianceaudit
Read post →

AI Security for Prior Authorization: HIPAA, State Laws, and the Identity-Bound Decision Record

Prior authorization is the highest-volume AI use case inside payer organizations and a growing one inside health systems. The compliance stack covers HIPAA, the new state utilization-review laws (California SB-1120, Texas SB-815, Colorado SB 26-189), and the ongoing CMS scrutiny of AI denial patterns. This article walks through the identity, classification, and audit requirements specific to prior authorization, the failure modes documented in recent enforcement actions, and the gateway-layer controls that produce decision records the regulators have started asking for.

ai-securityhealthcareprior-authorizationhipaacomplianceaudit
Read post →

Shadow AI for the CISO: The Three Boards a Detection Program Has to Cover

Cloud Radix data shows 90% of CISOs rank shadow AI as their top security concern for the year. The detection program has to cover three boards a typical detection stack does not look at: browser extensions, IDE plug-ins, and chat-platform apps. This piece walks through the three populations, the detection signal for each, the regulatory exposure under EU AI Act Article 26 and HIPAA, and the policy enforcement layer that closes the loop after detection.

shadow-aicisodetectionenforcementai-security
Read post →

DORA + AI: What EU Banks Need to Map Before the January 2027 ICT Third-Party Register Deadline

The Digital Operational Resilience Act (DORA) treats LLM providers as critical ICT third parties when usage reaches scale. EU banks have to register, monitor, and document exit strategies for these dependencies. The deadline for the consolidated ICT third-party register goes live in January 2027. This article walks through the register requirements, the exit-strategy mandate, the concentration-risk test, and what changes when bank inference runs through OpenAI, Anthropic, and AWS Bedrock simultaneously. Gateway-level audit logs satisfy the per-decision evidence requirement DORA assumes.

doracomplianceregulationai-complianceai-governanceaudit
Read post →

Colorado SB 26-189: Why HIPAA-Covered AI Deployers Lost Their Exemption

On May 14, 2026, Governor Jared Polis signed SB 26-189 into law, scaling back the Colorado AI Act ahead of its February 2026 effective date. The revised statute drops the broad HIPAA covered-entity exemption that the original act carried and replaces it with a narrower carve-out tied to a specific "consequential decision" test. Clinical AI deployers in Colorado who assumed they were out of scope now have to map the systems that influence diagnosis, treatment selection, or coverage decisions against the new criteria. The effective date moves to January 1, 2027, with a 60-day Attorney General cure period. This article walks through what changed, which clinical AI systems pick up new obligations, and the per-decision evidence the new regime will expect.

colorado-ai-acthealthcare-aihipaastate-regulationclinical-aicompliance
Read post →

FERPA and AI: What School Records Confidentiality Requires from AI Tools in K-12 and Higher Ed

FERPA protects the confidentiality of education records. Schools and the edtech vendors operating on their behalf are now putting student data through AI tools for tutoring, grading assistance, behavioral analytics, and parent communication. The "school official" exception in FERPA covers vendors only when specific written agreement, legitimate educational interest, and direct control conditions are satisfied. Most AI vendor relationships were not constructed with those conditions in mind. This piece walks through what FERPA actually requires when AI processes education records, where the school official exception breaks for AI vendors, and the architecture that satisfies the disclosure controls.

ferpaedtechstudent-dataai-complianceauditk12
Read post →

Shadow AI for Government: FedRAMP, CUI, and the OMB M-24-10 Mandate

Federal agencies and government contractors face a shadow AI exposure that compounds across FedRAMP boundary controls, CUI protection under NIST SP 800-171, and the OMB M-24-10 AI governance memo. Pasting controlled unclassified information into a non-FedRAMP-authorized model violates the boundary by definition. This piece walks through where shadow AI surfaces in agency work, what M-24-10 actually requires, and what the architecture for compliant AI use looks like.

shadow-aigovernmentfedrampcuiombai-security
Read post →

Shadow AI for Legal: Privilege, Confidentiality, and the ABA Opinion 512

Law firms and in-house legal teams face a sharper version of the shadow AI problem. Client confidences pasted into a model can break attorney-client privilege under the inadvertent disclosure doctrine. ABA Formal Opinion 512, issued in July 2024, sets out the duties of competence, confidentiality, and supervision that apply to lawyer use of generative AI. This piece walks through where shadow AI surfaces in legal work, what Opinion 512 actually requires, and what the architectural fix looks like.

shadow-ailegalprivilegeconfidentialityabaai-security
Read post →

Shadow AI for Finance: MNPI, DORA, and the Audit Gap

Financial services firms face a compounding shadow AI exposure: material non-public information moving into unauthorized models, DORA Article 28 third-party AI risk obligations, and SEC enforcement under existing books-and-records rules. The historical DLP and surveillance stack was built for email and chat, not for AI prompts. This piece walks through how shadow AI surfaces in trading, research, and operations, and what the architectural fix actually requires under DORA, SR 11-7, and the EU AI Act.

shadow-aifinancedoramnpicomplianceai-security
Read post →

Shadow AI for Healthcare: PHI, HIPAA, and the BAA Gap

Cloud Radix found that 57% of healthcare professionals use unauthorized AI tools to process PHI - SOAP notes, diagnostic plans, prior authorization summaries - without a Business Associate Agreement in place. The Office for Civil Rights treats unauthorized PHI disclosure as a HIPAA violation regardless of intent. This piece walks through how shadow AI shows up in clinical settings, why traditional DLP fails to catch it, and what the architecture for HIPAA-compliant AI usage actually requires.

shadow-aihealthcarehipaaphicomplianceai-security
Read post →

AI Gateway for Banks: The Inspection Layer for Regulated AI Traffic Under OCC, FFIEC, and the EU AI Act

Banks handle AI traffic that touches credit decisions, fraud screening, customer service transcripts, internal research copilots, and increasingly model-assisted regulatory reporting. Each route carries a different supervisory expectation. This piece walks through the regulatory regimes a US or EU bank operates under, the inspection target the gateway covers per route, the audit record format that satisfies OCC SR 11-7, FFIEC AIO guidance, EU AI Act Article 12, and the deployment topology that fits a bank-grade environment.

bankingfinanceoccffieceu-ai-actmodel-risk-management
Read post →