Insights

Working notes on AI governance in regulated industries.

Reference architectures, controls, and the questions compliance officers actually ask — healthcare, legal, insurance, finance.

Govern

Visibility, policy, vendors, audit

Healthcare AI Governance · July 2026

Can a specialty pharmacy use LLMs with PHI?

Yes — HIPAA does not prohibit it. It prohibits doing it with no BAA, no audit trail, and no controls. The reference architecture that separates a defensible deployment from a reportable breach.

Read the article →

Legal AI Governance · July 2026

Can a law firm use LLMs with privileged documents?

No ethics rule prohibits LLMs on client matters — what puts privilege at risk is how firms use them today. The reference architecture: confidentiality terms, matter-level controls, per-matter audit logs, and lawyer review.

Read the article →

Insurance AI Governance · June 2026

Can an insurance agency or TPA use AI with claims and policyholder data?

Nothing in insurance regulation prohibits LLMs with policyholder information. What it punishes is the current default: claim details pasted into personal AI accounts, outside every carrier agreement the firm has signed.

Read the article →

Financial Services AI Governance · June 2026

Can a wealth management firm use LLMs with client data?

Yes — no securities rule prohibits it. What the rules prohibit is doing it with no DPA, no records, and no supervision. The architecture that separates an examination finding from a defensible deployment.

Read the article →

Audit & Compliance · May 2026

What auditors ask about AI now

The AI questions in an audit are not exotic — they are the same five questions auditors have always asked, pointed at a category of tool nobody registered. The five questions, and the boring document that answers all of them.

Read the article →

May 2026

How to run a 30-day shadow AI inventory

Sensitive data is probably reaching consumer AI tools today, through accounts you cannot see. A four-week method — discover, ask, classify, sanction — that builds the inventory before the policy, mostly from systems you already run.

Read the article →

May 2026

Enterprise tier vs. consumer tier: same AI product, different legal reality

“We use [vendor]” is not a compliance posture — the same vendor’s product exists in tiers with materially different terms. The model may be identical; the contract is the product.

Read the article →

Deploy

Building and adoption

Prove

Measurement and accountability

AI is coming to your industry either way. The only question is whether it arrives governed.