The conversation now — especially in legal, financial services, healthcare, and consulting — is: what's happening to the data?


⬡ New Series · The Compliance-Ready AI Stack · Issue 1 of 5

Monday · June 29, 2026 · Issue #037

Something has changed in the professional services AI conversation — and I want to name it directly before we spend a week on it.

Six months ago, the primary conversation was adoption. How do you get your team to use AI? Which tools are worth trying? How do you make a business case for the subscription?

That conversation is over. Adoption happened. Broadly, quickly, and in most cases without adequate controls.

The conversation now — especially in legal, financial services, healthcare, and consulting — is: what's happening to the data? Who's accountable when something goes wrong? And how do you build an AI stack that can survive a compliance audit without shutting down the productivity gains you've built?

⬡ Why This Week, Why Now

The EU AI Act's enforcement powers fully activated August 2, 2026. Texas TRAIGA took effect January 1, 2026. Colorado just rewrote its AI law. And 25% of organizations still don't know which AI tools are running in their environments.

The businesses that treated governance as a future problem are discovering it became a present one. This week's series is for the professional services firms that want to get ahead of it — not scramble to retrofit it later.

⬡ The Regulatory Landscape · What's Actually In Effect Right Now

I want to be honest about something before I get into frameworks: I'm not your lawyer, and this isn't legal advice. What I am is someone who reads the compliance landscape carefully, talks to firms navigating it daily, and has built an implementation practice that operates in regulated industries. What follows is a practical orientation — not a legal opinion.

EU AI Act — Full Commission Enforcement Powers Active

In effect · August 2, 2026 · Applies if you serve EU customers or partners

The world's first comprehensive AI regulation classifies systems by risk tier. High-risk systems — those used in employment decisions, credit scoring, insurance, and healthcare — face strict documentation, conformity assessment, and human oversight requirements. The penalty ceiling for the most serious violations: €35 million or 7% of global annual turnover, whichever is higher.

For most professional services firms, the immediate obligation is Article 4: AI literacy. Every person in the AI value chain — which increasingly means everyone — must have documented training on the AI tools they use and the risks they carry.

Bottom line: If you serve EU clients or have EU partners, the governance requirement isn't optional and the fine structure is designed to get board attention.

US State Laws — A Patchwork Getting Faster

Texas TRAIGA effective Jan 1, 2026 · Colorado rewritten May 2026 · No federal statute yet

Texas's TRAIGA — signed June 2025, effective January 2026 — uses intent-based liability and carries penalties from $10,000 to $200,000 per violation. It names NIST AI RMF compliance as an affirmative defense, which is the clearest signal yet that building to that framework is your best legal hedge in the US market.

Colorado's original AI Act is effectively dead — struck by federal court in April 2026, replaced with a narrower framework effective January 2027. If your compliance plan was built around the old Colorado law, it needs a rebuild.

Bottom line: There's no single US federal rule to comply with. The only durable strategy is building to the strongest common methodology — NIST AI RMF and ISO 42001 — and documenting it.

HIPAA, GDPR, CCPA — Already Apply to Every AI Tool Your Team Uses

This is where most day-to-day AI compliance risk actually lands · Already in force

Every pre-AI regulation — HIPAA, GDPR, CCPA — attaches the moment your team pastes sensitive data into a prompt. HIPAA requires that protected health information is only processed by tools that meet specific security and privacy standards. An employee at a healthcare practice pasting patient notes into an unapproved AI tool has just created a HIPAA violation, regardless of their intent. The law doesn't care about intent. It cares about what happened to the data.

GDPR requires clear documentation of how personal data is processed, by whom, and under what legal basis. If your team is using AI tools that the organization hasn't vetted, assessed, or documented, you cannot demonstrate compliance — full stop.

Bottom line: The new AI laws get the headlines, but these existing regulations are where most professional services firms have actual, immediate exposure today.

⬡ What's Coming This Week · The Compliance-Ready AI Stack Series

TUESDAY · LEGAL

The Compliance-Ready AI Stack for Law Firms

Attorney-client privilege, confidentiality obligations, bar rules on competence — plus the 5 tools that let your firm use AI aggressively without creating professional liability.

WEDNESDAY · FINANCE

The Compliance-Ready AI Stack for Financial Services

SEC AI risk guidelines, OCC model risk management, fiduciary duty in the age of AI recommendations — and the stack that keeps advisors moving fast without regulatory exposure.

THURSDAY · HEALTHCARE

The Compliance-Ready AI Stack for Healthcare Practices

HIPAA, FDA Software as Medical Device guidance, and the patient safety obligations that make healthcare AI governance non-negotiable — with the specific tools that satisfy them.

FRIDAY · THE MASTER FRAMEWORK

The 6-Step Compliance-Ready AI Stack Framework for Any Professional Services Firm

The universal methodology behind everything we build for regulated industries — adaptable to any professional services context, publishable as your firm's AI governance starting point.

⬡ Jordan · AI Solutions Director · thepromptory.com

Free · No account required · No sales call after

E

I'm the managing partner at a 12-person accounting firm. We've been using AI tools for about eight months — mostly ChatGPT and a couple of other things — but we've never formally assessed what our exposure is. A client recently asked us about our AI governance policies and we didn't have a good answer. Where do we actually start?

J

The client question is exactly the right forcing function — and it's happening more and more as enterprise buyers add AI governance requirements to their vendor assessments. You start with two things: an inventory of what your team is actually using, and a one-paragraph policy on what data should never go into an AI tool. Those two things, done this week, close most of your immediate exposure. Then we build the formal governance layer around what you have. Let me ask: do you currently know every AI tool your team is using — including the personal accounts and free tiers?

Jordan · thepromptory.com →

Not sure where your firm's AI governance gaps are? Jordan will walk through it → thepromptory.com

💡 The One Thing

Governance built right doesn't slow AI down. Research from BCG shows responsible AI implementation triples the rate of capturing full AI benefits.

That's the counterintuitive truth about compliance-ready AI stacks: firms that build governance in from the start spend less time in audit, less time in procurement review, and less time defending tool decisions to nervous clients. The governance layer isn't a brake on AI adoption. It's the thing that makes adoption sustainable.

This week we're building you the exact framework. Tune in tomorrow for the legal edition. And if you want a governance assessment for your practice now: thepromptory.com →

The Promptory Daily

Stay ahead of AI .Curated AI news, tool spotlights, tips & real-world use cases — delivered every weekday morning in 5 minutes or less.

Read more from The Promptory Daily

!-- FRIDAY · VAULT DROP — ⬡ Shadow AI & Building Your Policy · Issue 5 of 5 · The Template Friday · July 10, 2026 · Issue #038 Happy Friday. We close the week where we said we would — with something concrete you can use. Today you get the one-page AI policy template. Below that, you'll find three things that make AI policies fail after they're published — because writing the policy is only half the job. Getting people to follow it is the other half, and it's the part most firms skip. One...

⬡ Shadow AI & Building Your Policy · Issue 4 of 5 Thursday · July 9, 2026 · Issue #038 Today we start building. Before I get into the framework, one thing I want to be clear about: an AI policy is not a legal document. It doesn't need to be reviewed by a lawyer before it exists. It needs to be reviewed by a lawyer before it becomes binding on employees or clients in high-stakes ways — but the version you write this week is a governance starting point, not a legal instrument. Treat it that way...

⬡ Shadow AI & Building Your Policy · Issue 3 of 5 Wednesday · July 8, 2026 · Issue #038 Before you can write a policy, you need to know what you're governing. Most firms that decide to address AI governance skip straight to the policy document — and end up writing rules around tools they think their team uses, for workflows they assume are the risky ones, based on data they've never actually collected. The policy looks fine on paper. It governs a business that doesn't quite exist. Today's...