The Protocol

What is it?

A framework for thinking about AI compliance as part of product development — not as a separate process that happens after features are built. The goal isn't a checklist; it's a way of asking the right questions at the right time, so compliance becomes something you design for, not something you retrofit.

gray concrete wall inside building
gray concrete wall inside building
The core idea: shift left

Most compliance work happens at the end — before an audit, before a big customer's security review, or after a problem surfaces. By then, the expensive decisions have already been made: what data a feature touches, where it's processed, how (or whether) it's logged. Shifting left means asking compliance questions during design and early development, when changes are still cheap.

white and black abstract painting
white and black abstract painting
Four areas this framework covers

Governance — Who's accountable for AI decisions, and how are those decisions documented? This includes model selection, vendor evaluation, and ongoing oversight as models or vendors change.

Privacy & Regulatory Fit — How does a feature handle regulated data (PHI, PII) when AI is involved? This is where HIPAA, GDPR, and similar frameworks intersect with how AI systems actually process data — often in ways the original regulations didn't anticipate.

Security & Trust — What happens to data once it leaves your system and enters a third-party AI service? Vendor risk, data residency, and prompt-level data exposure all fall here.

Observability & Evidence — Can you show, after the fact, what a system did and why? Logging, audit trails, and explainability aren't just technical features — they're what make a system defensible during a review or audit.

worm's-eye view photography of concrete building
worm's-eye view photography of concrete building

© 2026. All rights reserved.