← All posts

Industry Verticals

20 posts on industry verticals.

AI in OT Environments: What IEC 62443 and NIS2 Require When LLMs Touch Industrial Control Systems

Manufacturing OT environments now host AI tools for predictive maintenance, anomaly detection, work-instruction generation, quality inspection, and operator copilots. The AI calls cross zones that IEC 62443 was designed to segment and bring NIS2 incident reporting and supply chain obligations into the operational technology footprint. Most OT deployments use AI through cloud APIs that violate the segmentation assumptions of the IEC 62443 reference model. This piece walks through where AI sits in modern OT, what IEC 62443 and NIS2 require for the AI traffic, and the inspection architecture that produces records the regulator and the customer auditor will accept.

ot-securitymanufacturingiec-62443nis2ai-securityindustrial-control
Read post →

FERPA and AI: What School Records Confidentiality Requires from AI Tools in K-12 and Higher Ed

FERPA protects the confidentiality of education records. Schools and the edtech vendors operating on their behalf are now putting student data through AI tools for tutoring, grading assistance, behavioral analytics, and parent communication. The "school official" exception in FERPA covers vendors only when specific written agreement, legitimate educational interest, and direct control conditions are satisfied. Most AI vendor relationships were not constructed with those conditions in mind. This piece walks through what FERPA actually requires when AI processes education records, where the school official exception breaks for AI vendors, and the architecture that satisfies the disclosure controls.

ferpaedtechstudent-dataai-complianceauditk12
Read post →

Finance AI and Pre-Announcement Earnings Exposure: How AI Tools Create MNPI Leakage

Pre-announcement earnings exposure inside finance teams now flows through AI tools that finance teams use for drafting, modeling, and summarization. The exposure is functionally a material non-public information leak when an employee pastes a draft press release, a working forecast, or a board-pack excerpt into an unauthorized AI tool. SEC Regulation FD, insider trading regimes, and individual market-abuse regulations in the EU and the UK reach the conduct regardless of whether the leak was intentional. This piece walks through where the AI exposure sits inside the financial close and earnings preparation cycle, what controls regulators expect, and the inspection architecture that prevents MNPI from leaving the perimeter.

mnpireg-fdfinanceai-securityshadow-aimarket-abuse
Read post →

Fannie Mae LL-2026-04: What the Lender AI Governance Mandate Requires from Mortgage Originators

On April 8, 2026, Fannie Mae issued Lender Letter LL-2026-04, a governance framework for AI and ML in mortgage origination and servicing. It takes effect August 6, 2026, 120 days after publication. Freddie Mac Section 1302.8 has been enforced since March 3, 2026. The combined GSE regime requires inventory, governance, audit trails, and disclosure on demand for AI used in any step of the loan lifecycle, including vendor AI tools the lender does not control. This piece walks through what the mandate requires, where lender deployments are exposed, and the inspection architecture that satisfies the disclosure obligation.

fannie-maemortgageai-governanceai-complianceauditlender-letter
Read post →

AI Credit Scoring Under Annex III Point 5(b): What High-Risk Classification Requires of Banks

Annex III point 5(b) of the EU AI Act classifies AI used to evaluate the creditworthiness of natural persons or establish a credit score as high-risk. From August 2, 2026 the deployer obligations under Article 26 and the provider obligations under Articles 8 through 17 apply. The text exempts AI used only for the detection of financial fraud. Most bank credit deployments today combine scoring, fraud detection, and bureau enrichment in a single pipeline that triggers high-risk classification end-to-end. This piece walks through what the classification means, where bank pipelines blur the fraud-vs-scoring line, and the architecture that produces audit records the supervisor will accept.

eu-ai-actcredit-scoringbankingai-complianceauditannex-iii
Read post →

EU AI Act for Fintech: How Credit Scoring and Fraud Detection Become High-Risk in August 2026

On August 2, 2026 the EU AI Act high-risk system requirements begin to apply to fintech credit scoring, creditworthiness assessment, and several adjacent financial decisions. The classification falls under Annex III point 5(b). Deployers inherit Article 26 obligations including per-decision logging, human oversight, instructions for use, and incident notification. The provisions overlap with DORA on third-party risk and incident reporting. This piece walks through which fintech AI use cases become high-risk, what the deployer obligation actually requires, and where most lender deployments are exposed.

eu-ai-actfintechcredit-scoringai-compliancefinancial-servicesaudit
Read post →

B2B SaaS with AI Features: How Enterprise Security Reviews Now Block the Deal

B2B SaaS vendors that added AI features in the last twelve months are now meeting an enterprise security review process that did not exist when the product was scoped. Buyers ask about identity context at the model API call, per-decision audit records, prompt-level data classification, and the deployment regime under the EU AI Act. Sales cycles stall on questions the engineering team did not anticipate. This piece walks through what enterprise security reviews now ask of SaaS-with-AI vendors, where most product architectures are exposed, and the inspection layer that closes the gap before procurement does.

b2b-saasai-compliancesecurity-revieweu-ai-actenterpriseaudit
Read post →

EU AI Act for Healthcare: What Articles 6, 12, and Annex III Require of Hospital AI Deployments

EU AI Act high-risk classification applies to several healthcare AI use cases including AI as a safety component of medical devices under Article 6(1) and the Annex III categories covering access to essential services, biometric categorization, and emergency triage. From August 2, 2026, hospitals deploying these AI systems take on deployer obligations under Article 26 and have to support providers in meeting Articles 8 through 17. The Medical Device Regulation and the EU AI Act layer for software-as-a-medical-device. The architecture that satisfies the high-risk regime is per-decision audit records that capture identity, data class, policy state, and decision outcome on the hospital side.

healthcareeu-ai-actmedical-devicesmdrai-compliancehospital-ai
Read post →

AI-Assisted SOAP Notes Under HIPAA: What the Audit Trail Has To Show

Clinicians using generative AI to draft SOAP notes from ambient recordings of patient encounters trigger the HIPAA Security Rule the moment PHI enters the prompt. The audit controls expectation under 45 CFR 164.312(b), the access control expectation under 164.312(a), and the transmission security expectation under 164.312(e) all attach. Vendor BAAs cover the vendor side; the covered entity has to produce its own evidence on its own side of the API. This piece walks through the architecture that satisfies the Security Rule for ambient-AI scribe workflows.

healthcarehipaasoap-notesai-scribephi-redactionaudit-controls
Read post →

Public Sector AI Compliance: OMB M-24-10, NIST AI RMF, and the State AI Laws That Apply to Agencies

OMB Memorandum M-24-10, issued March 28, 2024, set the AI governance baseline for federal civilian agencies including risk management for rights-impacting and safety-impacting AI, a Chief AI Officer designation, and public inventories of AI use cases. The Office of Personnel Management AI guidance, the Department of Homeland Security AI framework, and DOD Responsible AI Strategy add agency-specific obligations. The NIST AI Risk Management Framework provides the technical baseline. State-level laws including Colorado SB 24-205, Connecticut SB 2, and California AB 2930 add overlays on state-agency and state-contractor AI. The architecture that supports the OMB-required risk management has the same shape as private-sector high-risk AI compliance.

governmentpublic-sectorai-complianceomb-m-24-10nist-ai-rmffedramp
Read post →

Law Firm ChatGPT Confidentiality: ABA Opinion 512 and the Architecture Privilege Survives

ABA Formal Opinion 512, issued July 29, 2024, sets the duty of competence, confidentiality, and supervision standards for lawyers using generative AI tools. Model Rule 1.6 confidentiality, Rule 1.1 competence, and Rule 5.3 supervision of nonlawyer assistance all attach to AI workflows that touch client information. State bar opinions from California, Florida, New York, and Pennsylvania add jurisdiction-specific overlays. The architecture that supports a defensible position under examination is per-decision audit records that show what client data the AI received and what the firm did with the output.

legallaw-firmai-complianceaba-opinion-512confidentialityprivilege
Read post →

Insurance AI Pricing Under the EU AI Act and NAIC Bulletin: The High-Risk Architecture

Life and health insurance pricing using AI is classified as high-risk under EU AI Act Annex III point 5(c). The NAIC Model Bulletin on the Use of AI Systems by Insurers adopted in December 2023 has been incorporated by twenty-five US state insurance regulators as of 2025. Colorado SB21-169 sets concrete obligations for life insurers using external consumer data. The combined regime requires per-decision audit records, governance documentation, third-party risk management, and demonstrable testing for unfair discrimination across protected classes.

insuranceai-complianceeu-ai-actnaicaudithigh-risk-ai
Read post →