AI tools don't get a pass on compliance just because they're new — and the businesses using them don't either.
There's an assumption quietly running through a lot of AI adoption conversations right now: that because the tool is from a reputable vendor, or because it's cloud-based, or because everyone else seems to be using it, the compliance question is already handled. It usually isn't.
AI tools process data. In many business environments, that data includes patient records, payment card information, financial details, or other information that carries specific legal and regulatory obligations. The framework those obligations create doesn't change because the software doing the processing is powered by AI. It applies the same way it always has — and in some respects, AI creates new wrinkles the old frameworks weren't designed for.
This article covers what businesses need to understand before they hand sensitive data to an AI tool, and how to adopt AI in a way that doesn't create a compliance problem.
When an AI agent reads your inbox, drafts responses, accesses patient records to answer scheduling questions, or analyzes financial data to generate reports — it is processing that data. The fact that the processing happens automatically and intelligently doesn't change what the data is or what rules apply to it.
Every compliance framework NerdSquad works with regularly — HIPAA, PCI-DSS, SOC 2, GLBA, SEC/FINRA — has something to say about how data gets processed, who processes it, where it goes, and what protections have to be in place. AI tools sit squarely inside that framework. They don't sit outside it.
HIPAA governs how protected health information (PHI) is handled. If you run a medical or dental practice and you're using an AI tool that has access to patient names, appointment records, clinical notes, insurance information, or any other PHI — HIPAA applies to that tool.
Specifically:
Any vendor whose software processes PHI on your behalf is a Business Associate under HIPAA, and you are required to have a signed Business Associate Agreement (BAA) with them before PHI touches their system. Most major cloud AI vendors — Microsoft, Google, certain enterprise AI platforms — will sign BAAs for their enterprise-tier products. Many consumer-tier products won't, which means using the consumer version of an AI tool with patient data is a HIPAA violation regardless of how the output is used.
Signing up for ChatGPT's free tier and using it to summarize patient notes is not HIPAA compliant. Full stop.
Many AI tools, particularly at consumer pricing tiers, use user inputs to train or improve their models. If PHI goes in, it may be retained, used for training, or accessible to the vendor in ways that violate HIPAA's minimum necessary standard and prohibition on unauthorized disclosure. Enterprise agreements typically include data processing terms that prevent this. Consumer agreements often don't.
HIPAA requires that access to PHI be logged and auditable. If an AI agent is accessing patient data autonomously — reading records, generating summaries, sending communications — those actions need to be logged the same way any other system access would be. The agent needs to be configured to support this, and the logs need to be retained and reviewable.
PCI-DSS governs how payment card data is handled. If your business accepts credit cards — and nearly every business does — you operate within the PCI framework whether you think about it much or not.
The risk with AI and payment data is usually less about the AI processing cardholder data directly and more about AI tools that have broad system access inadvertently touching systems or logs that contain card data. An AI agent with access to your email might encounter forwarded receipts or payment confirmations containing partial card numbers. An AI analytics tool with access to transaction data might ingest more than it needs to.
The PCI principle of scope minimization applies here: AI tools should have access only to the data they need to do their job, and systems containing cardholder data should be carefully evaluated before any AI tool is granted access. If an AI agent's scope of access overlaps with your PCI cardholder data environment, that overlap puts the AI tool inside your PCI scope — with all the security and audit requirements that entails.
The Gramm-Leach-Bliley Act requires financial services firms to protect the nonpublic personal information (NPI) of their customers. AI tools that process client financial data, investment information, account details, or any other NPI are subject to GLBA's Safeguards Rule — which requires, among other things, that third-party service providers who access NPI be contractually required to maintain appropriate safeguards.
For financial advisors, insurance agencies, accounting firms, and similar businesses in South Florida, this means the same BAA-equivalent due diligence that medical practices do for HIPAA applies to any AI tool that touches client financial data: written contracts, data processing terms, and confirmation that the vendor's security posture meets the standard.
Even outside specific regulated industries, data privacy law is tightening. Florida's Digital Bill of Rights, California's CCPA/CPRA, and a growing patchwork of state-level privacy laws create obligations around how personal data is collected, processed, retained, and disclosed — obligations that AI tools can trip over in ways businesses don't anticipate.
Key considerations:
None of this means you can't use AI. It means you should ask the right questions first.
We've been helping South Florida businesses navigate compliance requirements across healthcare, financial services, legal, and retail for years. AI doesn't change the underlying frameworks — it adds new tools that need to be evaluated within them.
When we help a client deploy an AI agent or integrate an AI tool into their environment, compliance is part of the conversation from day one. That means identifying which frameworks apply, reviewing vendor terms, configuring access correctly, building in the audit logging the frameworks require, and making sure the deployment doesn't inadvertently expand the scope of what's subject to audit or examination.
We're not compliance attorneys and we don't certify compliance — that's the auditor's job. What we do is make sure the technical and operational environment supports compliance, and that AI tools are deployed in a way that doesn't undermine the work you've already done to protect your clients' data.
If you're already working with us on cybersecurity or compliance, adding AI governance to that conversation is a natural next step. If you're not, and you're thinking about deploying AI tools that will touch regulated data, it's a good time to start.
Questions about AI and compliance? Let's talk through your specific situation.