Your team is probably already using AI tools. The compliance question isn’t whether to allow it — it’s whether you have any control over what’s happening.
Does anyone on your staff use ChatGPT, Microsoft Copilot, Google Gemini, or any other AI tool to help with work tasks? If you don’t have an explicit policy, the answer is almost certainly yes. And if you’re in a regulated industry — healthcare, financial services, legal, any business handling personal data — that’s a compliance conversation you need to have now.
This isn’t a reason to panic or ban AI. It’s a reason to deploy it deliberately. Here’s what the compliance implications actually look like, framework by framework.
HIPAA’s Privacy and Security Rules apply to protected health information (PHI) in any form. If a member of your staff pastes a patient name, date of birth, diagnosis, or any other PHI into an AI tool — to draft a letter, summarize a chart, help with a billing question — that PHI may be processed and retained by the AI vendor’s servers in ways your Business Associate Agreement (BAA) doesn’t contemplate.
Most general-purpose AI tools are not HIPAA-compliant by default. Some enterprise versions can be configured correctly, but that requires a BAA with the vendor, specific configuration of the tool, and ongoing verification that the configuration is functioning. “The vendor is big and trustworthy” isn’t a HIPAA compliance program.
For context on the broader HIPAA technology requirements, see "Do you help us stay HIPAA compliant?"
The GLBA Safeguards Rule requires financial institutions to maintain a written information security program and to oversee their service providers’ security practices. An AI tool that processes customer nonpublic personal information (NPI) — account numbers, income data, Social Security numbers, financial records — is a service provider under GLBA.
That means vendor assessment, a data processing agreement that addresses your Safeguards Rule obligations, and documented evidence that you’ve evaluated the vendor’s security practices. “We use Microsoft Copilot” is not a vendor oversight program. For the full GLBA picture, see our GLBA dictionary entry and "Do you help financial advisors stay SEC, FINRA, and GLBA compliant?"
PCI-DSS is built around scope minimization — the less infrastructure that touches cardholder data, the smaller your compliance burden. If an AI tool is being used in any workflow that involves cardholder data, that tool is potentially in scope. More commonly, the PCI risk isn’t the AI tool itself but the shadow IT dynamic — staff using personal AI tools on company devices that also handle payment data, creating data flows outside any controlled environment.
The SEC’s 2023 cybersecurity rules require registered investment advisers and public companies to disclose material cybersecurity incidents and to maintain documented cybersecurity risk management programs. AI tools create two specific exposures here.
First, AI-assisted client communications may need to be captured by your Books & Records archiving solution. If an advisor uses a standalone AI tool that routes output outside your normal communication channels, those communications may not be captured — a Books & Records gap.
Second, the SEC has already brought enforcement actions related to AI misrepresentation. If your firm makes any marketing claims about AI use in investment processes, those claims need to be accurate and documented.
Copilot deserves specific attention because it’s deployed at enterprise scale and its defaults are often not what compliance officers would choose. Copilot can access any document, email, or Teams message that the user has permission to access — which in a poorly configured Microsoft 365 tenant can be far more than intended. It can also surface sensitive information in generated outputs in ways that aren’t immediately obvious.
A compliant Copilot deployment requires sensitivity label policies, data loss prevention rules, permission scoping, retention policy alignment, and audit log configuration. None of these are enabled by default. We configure and verify all of them as part of our Microsoft 365 management for clients using Copilot.
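Because none of the five controls above are on by default, the first step of any Copilot review is to verify what the tenant actually has. The script below is an added example written for this post, not the MSP's own tooling: it is a read-only check using the ExchangeOnlineManagement and SharePoint Online modules, and it assumes you have already run Connect-ExchangeOnline, Connect-IPPSSession and Connect-SPOService with a compliance-admin account.

```powershell
# Added example: read-only verification of the five Copilot controls named in the text.
# Assumes Connect-ExchangeOnline, Connect-IPPSSession and Connect-SPOService were run first.
# Nothing here changes configuration; it only reports gaps.

$findings = @()

# 1. Sensitivity labels: Copilot only respects label restrictions if labels exist and are published.
$labels        = Get-Label
$labelPolicies = Get-LabelPolicy
if (-not $labels) {
    $findings += "No sensitivity labels are defined."
} elseif (-not $labelPolicies) {
    $findings += "Sensitivity labels exist but no label policy publishes them to users."
}

# 2. Data loss prevention: only policies in 'Enable' mode block anything; test mode just reports.
$dlpEnabled = Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq 'Enable' }
if (-not $dlpEnabled) {
    $findings += "No DLP policy is in Enable mode."
}

# 3. Retention: prompts and generated output must fall under an enabled retention policy.
$retention = Get-RetentionCompliancePolicy | Where-Object { $_.Enabled }
if (-not $retention) {
    $findings += "No enabled retention policy found."
}

# 4. Audit logging: if unified audit ingestion is off, Copilot activity is simply not recorded.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    $findings += "Unified audit log ingestion is disabled."
}

# 5. Permission scoping: Copilot inherits whatever the user can already read, so broadly
#    shared sites are the exposure. Flag every site that still permits external sharing.
$openSites = Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' }
foreach ($site in $openSites) {
    $findings += "Site allows external sharing ($($site.SharingCapability)): $($site.Url)"
}

if ($findings.Count -eq 0) {
    Write-Output "All five Copilot controls are configured."
} else {
    Write-Output "Gaps found:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it before enabling Copilot and again after each tenant change, and keep the output with your compliance evidence; it is the documented verification that regulators expect, not the vendor's reputation.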
For a broader look at AI risks for businesses, see "The AI-Powered Company: Risks and What Businesses Need to Know." For AI in financial services specifically, see "AI for Financial Services: What Advisors and Wealth Managers Need to Know." For the AI compliance checklist, see "AI Compliance Risks: HIPAA, PCI, and Data Privacy."