Save this one. Share it with your compliance officer, your operations lead, or any partner who's been asking about your AI governance approach. This is your starting document


⬡ The Compliance-Ready AI Stack Series · Issue 5 of 5 · The Master Framework

Friday · June 27, 2026 · Issue #037

We started Monday with the regulatory landscape. Tuesday: law firms. Wednesday: financial services. Thursday: healthcare. Today we close the series with the framework that underlies all of it.

This is what we build to at The Promptory when we're implementing AI in a regulated industry. Not a policy template you fill out once and file away. A six-step operational methodology that, when executed, produces a compliance-ready AI stack that holds up in an audit, survives a client governance questionnaire, and compounds as you add more tools.

Save this one. Share it with your compliance officer, your operations lead, or any partner who's been asking about your AI governance approach. This is your starting document.

⬡ What This Week Established

Every industry we covered this week shared three structural findings that cut across all the industry-specific nuances.

First: The compliance risk isn't primarily from AI-specific regulations. It's from existing regulations — HIPAA, GDPR, CCPA, professional conduct rules, fiduciary duty — that already apply to data and decisions, and that now apply to AI-assisted data and decisions by extension.

Second: The most common violation pattern is shadow AI — employees using personal, free-tier accounts for work tasks because nobody built them a governed alternative. The solution is access, not restriction: give people a governed pathway to the tools that work, and the ungoverned alternatives become unnecessary.

Third: Governance built in from the start costs a fraction of governance retrofitted after an incident. Every firm in this series that delayed the governance conversation eventually had a conversation they wished had happened sooner.

⬡ The 6-Step Compliance-Ready AI Stack Framework
1

Inventory what your team is actually using — not what you've approved

This is the step most firms skip because it's uncomfortable. Ask every team member to list every AI tool they've used for work in the last 30 days — including personal accounts, browser extensions, free tiers, and anything they signed up for on their own. The list will be longer than leadership expects. That gap between "approved tools" and "tools in active use" is your shadow AI exposure.

Deliverable

A complete AI tool inventory — tool name, user(s), account type (free consumer vs. business/enterprise), primary use case, data types processed. This is the document your model inventory is built from.

2

Classify your data by sensitivity — before you touch the tools

Map every data type your firm handles to one of three categories: public (can be used with any tool), internal (can be used with enterprise-tier tools under signed DPA), and restricted (PHI, client NPI, privileged communications, PII — never enters a general AI tool without BAA/DPA and documented controls). This classification is the foundation every data-handling policy is built on. Without it, every tool decision is a guess.

Deliverable

A data classification matrix: data type → sensitivity tier → permitted AI tools → prohibited AI tools. One page. This document is what you hand to a new team member on day one.

3

Deploy the governance layer before expanding the stack

The governance layer — Airia, or equivalent — is not the last step in building a compliance-ready AI stack. It's the foundation every other tool is built on top of. Deploy it before you expand your stack, not after. It centralizes AI access, enforces data policies in real time, generates the audit documentation, and eliminates shadow AI by giving every team member a governed alternative to the personal accounts they're currently using.

The sequence matters: governance infrastructure first, then the productivity tools layered on top of it. Not the other way around. Every firm that deploys productivity tools and retrofits governance later discovers that the retrofitting is more expensive than building it in from the start — and that the audit trail for the period before governance was in place is impossible to reconstruct.

Deliverable

Airia (or equivalent) deployed, configured with your data classification matrix from Step 2, generating audit logs, with data policies enforced at the API level — before any additional tools are added or expanded.

4

Vet every tool against your data classification — not just their marketing

Every tool evaluation now goes through four questions before anything else: What data types will this tool process? Does the tool's data handling match our classification tier requirements? Is there a signed DPA or BAA in place? What is the tool's data residency and training data policy?

The tools we've featured throughout this series passed this evaluation — which is why they're in the vault in the first place. The Promptory's 5-point vetting standard includes clean data practices as a non-negotiable criterion. No tool that trains on your inputs without consent, has unclear data residency, or doesn't publish its privacy architecture makes the vault. That's the curation that matters for regulated industries.

Deliverable

A tool evaluation checklist — 4 data governance questions answered in writing before any new tool is approved. Attach signed DPAs/BAAs to each approved tool's record in your model inventory.

5

Train your team on what governance actually means in daily practice

The EU AI Act Article 4 mandates AI literacy for every person in the AI value chain. That mandate exists because governance frameworks fail when they stay at the policy level and never reach the people who make daily decisions about what to type into a prompt.

Effective training isn't an annual compliance video. It's a 90-minute session that answers three questions for every team member: what data types am I working with, which AI tools am I authorized to use for each type, and what do I do when I'm not sure? That last question — the escalation path when someone isn't certain — is the most important part of any governance training. People will encounter edge cases. They need to know what to do, not just what not to do.

Deliverable

A 90-minute team training session documented with attendance records (satisfying EU AI Act Article 4 literacy requirements), covering approved tools by data tier, prohibited use cases, and escalation paths. Repeat annually and when new tools are added.

6

Monitor, measure, and treat governance as a living system — not a one-time project

AI governance has a half-life. The tools change. The regulations update. The team grows. New use cases emerge. A governance framework that was comprehensive in January may have three gaps by July — not because anything went wrong, but because the environment moved.

The benchmark that matters: what percentage of your team's AI usage is going through governed, documented, policy-compliant pathways? For a healthcare practice, that benchmark should be 98-99%. For a law firm, the same. For a financial advisory, the same. Airia gives you this number automatically. If it starts drifting — if shadow AI is reappearing, if new tools are showing up outside the inventory — that's the governance signal to investigate and close the gap.

Deliverable

A monthly governance review: shadow AI percentage, new tools detected, policy updates required, training refresh needed. 30 minutes. Scheduled. Non-negotiable. This is the difference between governance as an event and governance as a practice.

⬡ The 6-Step Framework · Quick Reference

STEP 1 · Inventory

Every AI tool your team uses, including unauthorized ones → deliverable: complete model inventory

STEP 2 · Classify

Every data type → public / internal / restricted → deliverable: data classification matrix

STEP 3 · Govern

Deploy governance layer first, before expanding stack → deliverable: Airia configured and enforcing

STEP 4 · Vet

Every new tool through 4 data governance questions → deliverable: evaluation checklist + signed DPAs

STEP 5 · Train

90-minute session, documented attendance, annual refresh → deliverable: AI literacy records (EU AI Act Article 4)

STEP 6 · Monitor

Monthly 30-minute governance review → deliverable: shadow AI %, policy gaps, training refresh schedule

⬡ Jordan · AI Solutions Director · thepromptory.com

Free · No account required · No sales call after

R

I've read the whole series. I'm a managing partner at a 6-person consulting firm. We serve healthcare and financial services clients — so governance matters double for us. I want to implement this framework but I'm not sure what Step 1 actually looks like in practice. How do I get my team to honestly tell me what AI tools they're using?

J

The framing matters. Don't ask as a compliance exercise — people underreport when they think they'll get in trouble. Ask as an optimization exercise: "We're building a better AI system for the firm. To do that, I need to understand what's already working. What AI tools have you been using in the last 30 days that you find genuinely useful?" You'll get a much more complete picture. Then from that list, you run the governance assessment. Want to work through Step 1 together for your specific firm?

Jordan · thepromptory.com →

Ready to run a governance assessment on your current AI stack? → thepromptory.com

💡 The One Thing — Series Close

Governance built right doesn't slow AI adoption. It triples the rate of capturing full AI benefits.

That BCG statistic is the most important number in this entire series. The firms treating governance as an obstacle to AI adoption have it exactly backwards. The firms treating it as the foundation are the ones that move fastest, with the least risk, and with the evidence base to expand confidently.

This week we covered the regulatory landscape, legal governance, financial services governance, healthcare governance, and the 6-step framework that underlies all of it. The complete series lives in the newsletter archive at The Promptory. Share it with anyone in your firm who needs to understand why governance isn't optional — and how to build it without slowing down.

Have a good weekend. And if you want Jordan to run a governance assessment on your current AI stack — that conversation starts at thepromptory.com.

📬 Next Week · Issue #038

Week 12 goes back to tools — but with the governance lens from this week built in. How to evaluate any AI tool for compliance-readiness before you buy it: the five questions that separate tools built for regulated industries from tools that only work in demos and slide decks.

Want The Promptory's implementation team to build your governance stack? Start with Jordan → thepromptory.com

The Promptory Daily

Stay ahead of AI .Curated AI news, tool spotlights, tips & real-world use cases — delivered every weekday morning in 5 minutes or less.

Read more from The Promptory Daily

!-- FRIDAY · VAULT DROP — ⬡ Shadow AI & Building Your Policy · Issue 5 of 5 · The Template Friday · July 10, 2026 · Issue #038 Happy Friday. We close the week where we said we would — with something concrete you can use. Today you get the one-page AI policy template. Below that, you'll find three things that make AI policies fail after they're published — because writing the policy is only half the job. Getting people to follow it is the other half, and it's the part most firms skip. One...

⬡ Shadow AI & Building Your Policy · Issue 4 of 5 Thursday · July 9, 2026 · Issue #038 Today we start building. Before I get into the framework, one thing I want to be clear about: an AI policy is not a legal document. It doesn't need to be reviewed by a lawyer before it exists. It needs to be reviewed by a lawyer before it becomes binding on employees or clients in high-stakes ways — but the version you write this week is a governance starting point, not a legal instrument. Treat it that way...

⬡ Shadow AI & Building Your Policy · Issue 3 of 5 Wednesday · July 8, 2026 · Issue #038 Before you can write a policy, you need to know what you're governing. Most firms that decide to address AI governance skip straight to the policy document — and end up writing rules around tools they think their team uses, for workflows they assume are the risky ones, based on data they've never actually collected. The policy looks fine on paper. It governs a business that doesn't quite exist. Today's...