Insights
Working notes on AI governance in regulated industries.
Reference architectures, controls, and the questions compliance officers actually ask — healthcare, legal, insurance, finance.
Govern
Visibility, policy, vendors, audit
Healthcare AI Governance · July 2026
Can a specialty pharmacy use LLMs with PHI?
Yes — HIPAA does not prohibit it. It prohibits doing it with no BAA, no audit trail, and no controls. The reference architecture that separates a defensible deployment from a reportable breach.
Read the article →
Legal AI Governance · July 2026
Can a law firm use LLMs with privileged documents?
No ethics rule prohibits LLMs on client matters — what puts privilege at risk is how firms use them today. The reference architecture: confidentiality terms, matter-level controls, per-matter audit logs, and lawyer review.
Read the article →
Insurance AI Governance · June 2026
Can an insurance agency or TPA use AI with claims and policyholder data?
Nothing in insurance regulation prohibits LLMs with policyholder information. What it punishes is the current default: claim details pasted into personal AI accounts, outside every carrier agreement the firm has signed.
Read the article →
Financial Services AI Governance · June 2026
Can a wealth management firm use LLMs with client data?
Yes — no securities rule prohibits it. What the rules prohibit is doing it with no DPA, no records, and no supervision. The architecture that separates an examination finding from a defensible deployment.
Read the article →
Audit & Compliance · May 2026
What auditors ask about AI now
The AI questions in an audit are not exotic — they are the same five questions auditors have always asked, pointed at a category of tool nobody registered. The five questions, and the boring document that answers all of them.
Read the article →
May 2026
How to run a 30-day shadow AI inventory
Sensitive data is probably reaching consumer AI tools today, through accounts you cannot see. A four-week method — discover, ask, classify, sanction — that builds the inventory before the policy, mostly from systems you already run.
Read the article →
May 2026
Enterprise tier vs. consumer tier: same AI product, different legal reality
“We use [vendor]” is not a compliance posture — the same vendor’s product exists in tiers with materially different terms. The model may be identical; the contract is the product.
Read the article →
Deploy
Building and adoption
AI Security · July 2026
Autonomous AI pentesters have arrived. Can you point one at a system holding PHI?
Autonomous agents now run real exploits against your systems — capability the tool ships with. The five controls you supply: scope, model vendor, data handling, findings custody, and a named owner.
Read the article →
Healthcare Integration · June 2026
What HL7/FHIR access makes possible for AI workflows in Epic shops
Most AI-for-healthcare content is written by people who have never authenticated against an Epic environment. What FHIR access actually provides, what it changes about AI economics, and where the effort really goes.
Read the article →
Healthcare AI · June 2026
AI for prior authorization: what’s actually deployable in 2026
Prior authorization is the most automatable workflow in specialty pharmacy — and the most oversold. Where AI compresses the pipeline in 2026, and the two gates licensed humans must hold.
Read the article →
May 2026
Why AI pilots stall — and it’s almost never the technology
A majority of generative AI pilots never make it past proof of concept. The technology was fine — the pilot was designed to stall. The four failure modes, in descending frequency, and the discipline that prevents each one.
Read the article →
Prove
Measurement and accountability
April 2026
The CFO-ready AI ROI report
The exact five-section report delivered at day 76–90 of every engagement — baselines, hours recovered, dollars saved and avoided, risks retired, and the decision — published so you can hold any AI initiative to it.
Read the article →
How I Work · April 2026
Proof-or-pause: why your AI consultant’s contract should have an exit clause
A one-minute test for any AI consulting proposal: find the paragraph that describes how the engagement ends. Most don’t have one. Here is the clause mine carry instead — 90 days, a CFO-ready ROI report, and a forced decision.
Read the article →