ICP & Account Playbooks

Advisors paste client portfolios, KYC docs, and meeting notes into ChatGPT to draft client communications.

Books of business contain PII, account numbers, and material non-public information. Leakage triggers SEC Reg S-P and FINRA 4511 violations.

1. 1.Has your CCO done an AI usage audit in the last 90 days?
2. 2.What's your written policy on Copilot vs ChatGPT for client-facing work?
3. 3.If a regulator asked for an AI inventory tomorrow, could you produce one?
4. 4.How do you prove a client's PII didn't go into a public LLM?

Branch and ops staff use ChatGPT to summarize loan files, customer complaints, and AML alerts.

OCC, FDIC, and CFPB have all issued AI risk guidance. Third-party LLM use without governance is a Matter Requiring Attention waiting to happen.

1. 1.How are you handling SR 11-7 model risk management for LLMs?
2. 2.Do you have visibility into which AI tools your call center is using?
3. 3.What's the plan for the OCC AI examination expected next cycle?

Underwriters and claims adjusters paste medical records, accident reports, and PHI into AI for faster decisions.

HIPAA, state DOI rules, and NAIC Model Bulletin 2023-1 all apply. Carriers face both regulatory and class-action exposure.

1. 1.Are you tracking AI usage by line of business?
2. 2.How do you prove non-discrimination in AI-assisted decisions?
3. 3.Who owns AI governance - IT, compliance, or the CUO?

Clinicians and billing staff paste PHI into ChatGPT to draft notes, appeal denials, and summarize charts.

Every paste is a potential HIPAA breach. OCR penalties can reach $1.9M per incident category.

1. 1.Do you have a BAA-covered AI option deployed?
2. 2.How are you discovering shadow AI use across departments?
3. 3.What happens when a clinician pastes a chart into ChatGPT today?

Associates and paralegals use ChatGPT to summarize contracts, draft motions, and research cases - including privileged matters.

ABA Formal Opinion 512 requires competent AI use. Privilege waiver from public LLM use is now a malpractice risk.

1. 1.How are you preventing privilege waiver via public LLMs?
2. 2.Which matters allow AI assistance and which don't?
3. 3.Could you produce an AI usage log for a client audit?

R&D and medical affairs paste proprietary compound data, trial results, and patient narratives into AI tools.

FDA 21 CFR Part 11, GxP, and trade-secret exposure. A leaked compound structure is irreversible IP loss.

1. 1.Do you have a sanctioned LLM for R&D?
2. 2.How are you handling AI in GxP-validated systems?
3. 3.What's your stance on Copilot in regulated workflows?

Cleared and uncleared staff use ChatGPT on documents that may contain CUI or ITAR-controlled data.

CMMC 2.0, NIST 800-171, and OMB M-24-10 require AI inventory and risk management. A single CUI leak can suspend a contract.

1. 1.Have you scoped AI within your SSP?
2. 2.Which AI tools are FedRAMP-authorized for your environment?
3. 3.How are you preventing CUI from reaching public LLMs?

Your clients are all asking about Shadow AI - and you don't have a productized answer yet.

Workforce AI Security is the next managed service. First-movers lock in 3-5 year MRR contracts.

1. 1.How many of your clients have asked about Copilot governance?
2. 2.What's your current AI services revenue?
3. 3.Do you want to white-label or co-sell?