|
⬡ The Compliance-Ready AI Stack Series · Issue 5 of 5 · The Master Framework
|
|
|
Friday · June 27, 2026 · Issue #037
We started Monday with the regulatory landscape. Tuesday: law firms. Wednesday: financial services. Thursday: healthcare. Today we close the series with the framework that underlies all of it.
This is what we build to at The Promptory when we're implementing AI in a regulated industry. Not a policy template you fill out once and file away. A six-step operational methodology that, when executed, produces a compliance-ready AI stack that holds up in an audit, survives a client governance questionnaire, and compounds as you add more tools.
Save this one. Share it with your compliance officer, your operations lead, or any partner who's been asking about your AI governance approach. This is your starting document.
|
|
⬡ What This Week Established
Every industry we covered this week shared three structural findings that cut across all the industry-specific nuances.
First: The compliance risk isn't primarily from AI-specific regulations. It's from existing regulations — HIPAA, GDPR, CCPA, professional conduct rules, fiduciary duty — that already apply to data and decisions, and that now apply to AI-assisted data and decisions by extension.
Second: The most common violation pattern is shadow AI — employees using personal, free-tier accounts for work tasks because nobody built them a governed alternative. The solution is access, not restriction: give people a governed pathway to the tools that work, and the ungoverned alternatives become unnecessary.
Third: Governance built in from the start costs a fraction of governance retrofitted after an incident. Every firm in this series that delayed the governance conversation eventually had a conversation they wished had happened sooner.
|
|
|
⬡ The 6-Step Compliance-Ready AI Stack Framework
|
|
|
1
|
Inventory what your team is actually using — not what you've approved
|
This is the step most firms skip because it's uncomfortable. Ask every team member to list every AI tool they've used for work in the last 30 days — including personal accounts, browser extensions, free tiers, and anything they signed up for on their own. The list will be longer than leadership expects. That gap between "approved tools" and "tools in active use" is your shadow AI exposure.
|
Deliverable
A complete AI tool inventory — tool name, user(s), account type (free consumer vs. business/enterprise), primary use case, data types processed. This is the document your model inventory is built from.
|
|
|
|
2
|
Classify your data by sensitivity — before you touch the tools
|
Map every data type your firm handles to one of three categories: public (can be used with any tool), internal (can be used with enterprise-tier tools under signed DPA), and restricted (PHI, client NPI, privileged communications, PII — never enters a general AI tool without BAA/DPA and documented controls). This classification is the foundation every data-handling policy is built on. Without it, every tool decision is a guess.
|
Deliverable
A data classification matrix: data type → sensitivity tier → permitted AI tools → prohibited AI tools. One page. This document is what you hand to a new team member on day one.
|
|
|
|
3
|
Deploy the governance layer before expanding the stack
|
The governance layer — Airia, or equivalent — is not the last step in building a compliance-ready AI stack. It's the foundation every other tool is built on top of. Deploy it before you expand your stack, not after. It centralizes AI access, enforces data policies in real time, generates the audit documentation, and eliminates shadow AI by giving every team member a governed alternative to the personal accounts they're currently using.
The sequence matters: governance infrastructure first, then the productivity tools layered on top of it. Not the other way around. Every firm that deploys productivity tools and retrofits governance later discovers that the retrofitting is more expensive than building it in from the start — and that the audit trail for the period before governance was in place is impossible to reconstruct.
|
Deliverable
Airia (or equivalent) deployed, configured with your data classification matrix from Step 2, generating audit logs, with data policies enforced at the API level — before any additional tools are added or expanded.
|
|
|
|
4
|
Vet every tool against your data classification — not just their marketing
|
Every tool evaluation now goes through four questions before anything else: What data types will this tool process? Does the tool's data handling match our classification tier requirements? Is there a signed DPA or BAA in place? What is the tool's data residency and training data policy?
The tools we've featured throughout this series passed this evaluation — which is why they're in the vault in the first place. The Promptory's 5-point vetting standard includes clean data practices as a non-negotiable criterion. No tool that trains on your inputs without consent, has unclear data residency, or doesn't publish its privacy architecture makes the vault. That's the curation that matters for regulated industries.
|
Deliverable
A tool evaluation checklist — 4 data governance questions answered in writing before any new tool is approved. Attach signed DPAs/BAAs to each approved tool's record in your model inventory.
|
|
|
|
5
|
Train your team on what governance actually means in daily practice
|
The EU AI Act Article 4 mandates AI literacy for every person in the AI value chain. That mandate exists because governance frameworks fail when they stay at the policy level and never reach the people who make daily decisions about what to type into a prompt.
Effective training isn't an annual compliance video. It's a 90-minute session that answers three questions for every team member: what data types am I working with, which AI tools am I authorized to use for each type, and what do I do when I'm not sure? That last question — the escalation path when someone isn't certain — is the most important part of any governance training. People will encounter edge cases. They need to know what to do, not just what not to do.
|
Deliverable
A 90-minute team training session documented with attendance records (satisfying EU AI Act Article 4 literacy requirements), covering approved tools by data tier, prohibited use cases, and escalation paths. Repeat annually and when new tools are added.
|
|
|
|
6
|
Monitor, measure, and treat governance as a living system — not a one-time project
|
AI governance has a half-life. The tools change. The regulations update. The team grows. New use cases emerge. A governance framework that was comprehensive in January may have three gaps by July — not because anything went wrong, but because the environment moved.
The benchmark that matters: what percentage of your team's AI usage is going through governed, documented, policy-compliant pathways? For a healthcare practice, that benchmark should be 98-99%. For a law firm, the same. For a financial advisory, the same. Airia gives you this number automatically. If it starts drifting — if shadow AI is reappearing, if new tools are showing up outside the inventory — that's the governance signal to investigate and close the gap.
|
Deliverable
A monthly governance review: shadow AI percentage, new tools detected, policy updates required, training refresh needed. 30 minutes. Scheduled. Non-negotiable. This is the difference between governance as an event and governance as a practice.
|
|
|
|
⬡ The 6-Step Framework · Quick Reference
|
STEP 1 · Inventory
Every AI tool your team uses, including unauthorized ones → deliverable: complete model inventory
|
|
STEP 2 · Classify
Every data type → public / internal / restricted → deliverable: data classification matrix
|
|
STEP 3 · Govern
Deploy governance layer first, before expanding stack → deliverable: Airia configured and enforcing
|
|
STEP 4 · Vet
Every new tool through 4 data governance questions → deliverable: evaluation checklist + signed DPAs
|
|
STEP 5 · Train
90-minute session, documented attendance, annual refresh → deliverable: AI literacy records (EU AI Act Article 4)
|
|
STEP 6 · Monitor
Monthly 30-minute governance review → deliverable: shadow AI %, policy gaps, training refresh schedule
|
|
|
|
⬡ Jordan · AI Solutions Director · thepromptory.com
Free · No account required · No sales call after
|
|
R
|
I've read the whole series. I'm a managing partner at a 6-person consulting firm. We serve healthcare and financial services clients — so governance matters double for us. I want to implement this framework but I'm not sure what Step 1 actually looks like in practice. How do I get my team to honestly tell me what AI tools they're using?
|
|
J
|
The framing matters. Don't ask as a compliance exercise — people underreport when they think they'll get in trouble. Ask as an optimization exercise: "We're building a better AI system for the firm. To do that, I need to understand what's already working. What AI tools have you been using in the last 30 days that you find genuinely useful?" You'll get a much more complete picture. Then from that list, you run the governance assessment. Want to work through Step 1 together for your specific firm?
Jordan · thepromptory.com →
|
|
|
Ready to run a governance assessment on your current AI stack? → thepromptory.com
|
|
|
|
💡 The One Thing — Series Close
Governance built right doesn't slow AI adoption. It triples the rate of capturing full AI benefits.
That BCG statistic is the most important number in this entire series. The firms treating governance as an obstacle to AI adoption have it exactly backwards. The firms treating it as the foundation are the ones that move fastest, with the least risk, and with the evidence base to expand confidently.
This week we covered the regulatory landscape, legal governance, financial services governance, healthcare governance, and the 6-step framework that underlies all of it. The complete series lives in the newsletter archive at The Promptory. Share it with anyone in your firm who needs to understand why governance isn't optional — and how to build it without slowing down.
Have a good weekend. And if you want Jordan to run a governance assessment on your current AI stack — that conversation starts at thepromptory.com.
|
|
|
📬 Next Week · Issue #038
Week 12 goes back to tools — but with the governance lens from this week built in. How to evaluate any AI tool for compliance-readiness before you buy it: the five questions that separate tools built for regulated industries from tools that only work in demos and slide decks.
Want The Promptory's implementation team to build your governance stack? Start with Jordan → thepromptory.com
|
|
|