Fintech baseline
KYC tiers, sanctions screening, transaction ceilings, immutable audit.
- ✓ Pre-dispatch KYC tier enforcement
- ✓ Real-time sanctions screen (OFAC / EU / UN)
- ✓ Per-transaction USD ceiling with manual review path
- ✓ Immutable 7-year audit retention
Healthcare HIPAA baseline
PHI redaction, consent binding, breach thresholds, dual approval on high-risk surfaces.
- ✓ PHI redaction with drop strategy by default
- ✓ Consent-purpose binding (HIPAA §164.506)
- ✓ Breach notification threshold @ 500 records
- ✓ Dual approval for high-risk actions
E-commerce trust & safety
Velocity caps, refund/chargeback ratios, IP · billing mismatch, PII redaction.
- ✓ Per-user velocity caps (100 events / hour)
- ✓ Chargeback ratio alert @ 1%
- ✓ Refund ratio alert @ 8%
- ✓ IP · billing geo-mismatch review path
Food & supply chain (6 controls)
Food & supply safety
Supplier MFA, geo sanctions, manual review queue, immutable audit.
- ✓ MFA-required supplier sessions
- ✓ Geo blocklist (sanctioned jurisdictions)
- ✓ Manual review queue for flagged events
- ✓ Immutable 3-year audit retention
SaaS access baseline
Role gates, MFA, IP allowlist, audit log — a sensible starting point for any B2B SaaS.
- ✓ Role-gated entry (admin role by default)
- ✓ MFA ≤ 15 minutes
- ✓ Configurable IP allowlist
- ✓ PII redaction + 1-year audit
AI SDR Guardrails
Block pricing hallucinations, competitor mentions, guarantee claims, and tone violations before they reach a real inbox.
- ✓ Pre-dispatch pricing hallucination block
- ✓ Competitor mention routing to human reviewer
- ✓ Guarantee / refund claim hard block
- ✓ Aggressive tone flagging (exclamation marks, all-caps)
Support Bot Baseline
Catch unauthorized refund commitments, legal opinions, and PII leaks before your support bot sends them.
- ✓ Refund commitment routing to human reviewer
- ✓ Legal opinion hard block
- ✓ Unauthorized discount detection
- ✓ PII echo detection
Zero-trust admin console
IP allowlist, 5-min MFA, dual approval, breach threshold — defense-in-depth for privileged surfaces.
- ✓ IP allowlist (configure your org CIDRs)
- ✓ MFA freshness ≤ 5 minutes on privileged actions
- ✓ Dual approval before high-impact writes
- ✓ Breach alert @ 100 records
Financial Services (10 controls)
FINRA broker-dealer compliance
KYC tier 3, full OFAC/EU/UN screening, 7-year audit, dual approval on large trades.
- ✓ KYC tier 3 enforcement (highest level)
- ✓ Full OFAC / EU / UN sanctions screen
- ✓ Trade ceiling with dual-approval escalation
- ✓ 7-year immutable audit (FINRA Rule 4511)
Crypto & Web3 platform
KYC, OFAC, geo blocklist, velocity caps, and immutable audit for digital-asset platforms.
- ✓ KYC tier 2 with OFAC / EU / UN sanctions screen
- ✓ Geo blocklist (embargoed jurisdictions: KP, IR, SY, CU, RU)
- ✓ Per-user velocity cap (20 txn/hr) to limit wash trading
- ✓ Transaction ceiling + compliance queue
HIPAA patient copilot
PHI drop, consent binding, HITL escalation — safe AI for patient-facing surfaces.
- ✓ PHI drop strategy (not mask — drop)
- ✓ Consent-purpose binding: treatment + payment only
- ✓ HITL escalation to clinician within 2 hours
- ✓ Breach notification threshold @ 500 records
Pharma / Life Sciences (8 controls)
Pharma MLR gate
Block unapproved claims, pricing, and competitor references before AI-generated content leaves medical review.
- ✓ Hard block on unauthorized pricing claims
- ✓ Hard block on guarantee and efficacy claims
- ✓ Competitor mention routed to MLR reviewer
- ✓ Tone check with configurable threshold
Legal AI agent
Privilege protection, consent-bound access, dual sign-off on high-risk outputs.
- ✓ Consent-purpose binding: legal matter + client service
- ✓ PII masking before logs and downstream sinks
- ✓ Dual approval: senior partner countersign
- ✓ Immutable 7-year professional responsibility log
HR / Recruiting (9 controls)
HR & recruiting AI
EEOC-safe consent binding, PII masking, HITL escalation for high-stakes hiring decisions.
- ✓ Consent-purpose binding: recruitment + employment
- ✓ Candidate PII masking (SSN, DOB, salary)
- ✓ HITL escalation for AI hire/no-hire recommendations
- ✓ Breach alert on bulk candidate data access
Insurance claims AI
Consent binding, PHI redaction, large-claim dual approval, immutable claims audit.
- ✓ Consent-purpose binding: claims + underwriting
- ✓ PHI drop for medical claims data
- ✓ Large-claim ceiling with senior-adjuster dual approval
- ✓ Breach alert @ 500 policyholder records
EdTech COPPA & FERPA
Student PII masking, consent-bound data access, breach notification, limited retention.
- ✓ Student PII masking (student ID, DOB, grades)
- ✓ Consent-purpose binding: education + learning analytics only
- ✓ Breach notification threshold @ 500 student records
- ✓ 1-year data retention limit (COPPA: delete when no longer needed)
Real estate AI — Fair Housing
Fair Housing Act compliance: block discriminatory guarantees, review pricing claims, audit every AI recommendation.
- ✓ Hard block on guarantee claims (no 'guaranteed appreciation')
- ✓ Pricing claim review (FHA / Fair Housing guard)
- ✓ Consent-purpose binding: property transaction
- ✓ PII masking for buyer and seller data
Privacy / Compliance (8 controls)
GDPR EU baseline
Consent-purpose binding, PII masking, 2-year retention cap, breach notification queue.
- ✓ Consent-purpose binding: marketing, analytics, service delivery
- ✓ PII masking (email, phone, IP address)
- ✓ 2-year retention maximum (data minimization principle)
- ✓ Breach notification queue with 72-hour SLA (Art. 33)
SOX financial controls
Dual approval on financial writes, 7-year audit, CFO-level sign-off on large transactions.
- ✓ Dual approval on financial writes (CFO countersign)
- ✓ Large transaction ceiling with audit committee queue
- ✓ Breach alert @ 100 financial records
- ✓ 7-year immutable audit (SOX Section 802)
Investor Relations (8 controls)
Public company IR & comms AI
Block Reg FD violations, pricing claims, and competitor commentary before IR AI publishes them.
- ✓ Hard block on pricing / forward-looking claims (Reg FD)
- ✓ Guarantee claims blocked (SEC enforcement risk)
- ✓ Competitor mentions routed to general counsel
- ✓ Dual approval: legal counsel countersign
Government / federal agency AI
FISMA MFA, IP allowlist, PII + PHI drop, geo blocklist, dual approval — OMB M-24-10 aligned.
- ✓ IP allowlist (government network CIDRs)
- ✓ FISMA-compliant MFA ≤ 15 minutes
- ✓ PII + PHI drop strategy (not mask)
- ✓ Geo blocklist (OFAC embargoed jurisdictions)
Retail AI promotions & offers
FTC endorsement rules: block deceptive guarantees, review pricing claims, cap promo velocity.
- ✓ Hard block on deceptive guarantee claims (FTC)
- ✓ Pricing and comparative claim review
- ✓ Tone check for aggressive marketing language
- ✓ Per-user velocity cap to prevent promo abuse
Startup MVP baseline
Lightweight MFA, rate limits, and PII masking — ship fast without leaving compliance behind.
- ✓ MFA on all sessions (30-minute grace)
- ✓ Rate limit: 300 req/min per endpoint
- ✓ PII masking before any log destination
- ✓ 90-day audit trail (upgrade to extend)
Enterprise API gateway
IP allowlist, role gates, high-throughput rate limits, PII masking, and 3-year audit.
- ✓ IP allowlist (declare your service CIDRs)
- ✓ Role-gated access (api_client + service_account)
- ✓ High-throughput limits: 1000 req/min, 500 events/hr per user
- ✓ PII masking before downstream sinks
AI content moderation platform
High-throughput tone check, HITL escalation, PII masking, and breach alerting for content platforms.
- ✓ Tone check on every AI evaluation
- ✓ HITL escalation within 1 hour for flagged content
- ✓ PII masking before moderation logs
- ✓ High-throughput limits: 3000 req/min
Customer Success (8 controls)
Customer success AI copilot
Block unapproved renewal offers, flag pricing claims, and mask account PII in CS AI responses.
- ✓ Unauthorized pricing offer review (deal desk guard)
- ✓ Guarantee and commitment language review
- ✓ Account PII masking (email, phone, account ID)
- ✓ HITL escalation within 4 hours for flagged CS AI replies
Travel & Hospitality (9 controls)
Travel & hospitality booking AI
OFAC screening, chargeback control, geo-mismatch review, PII masking for booking platforms.
- ✓ OFAC sanctions screen on every booking
- ✓ IP · billing geo-mismatch review path
- ✓ Transaction ceiling @ $25K with compliance queue
- ✓ Chargeback and refund ratio monitoring
Telecom TCPA & CPNI compliance
Consent-purpose binding, CPNI access audit, velocity caps, and 5-year retention for telecom AI.
- ✓ Consent-purpose binding: service, billing, marketing
- ✓ CPNI field access audit (phone, account number, SSN)
- ✓ Per-user velocity cap (100/hr) to block robocall patterns
- ✓ HITL review for outbound AI-generated customer comms
Customer support governance
Block unauthorized refunds, liability admissions, and compensation promises before they reach customers.
- ✓ Unauthorized refund commitment block
- ✓ Liability admission hard stop
- ✓ Mass compensation promise block
- ✓ SLA guarantee review path
HR & recruiting guardrails
Stop AI from guaranteeing jobs, quoting salaries, or using discriminatory hiring language.
- ✓ Employment guarantee block
- ✓ Salary promise block
- ✓ ADEA / age-discrimination block
- ✓ Manual review queue for edge cases
Executive & IR communications
Block forward-looking financial statements and unauthorized M&A announcements.
- ✓ Forward-looking statement block
- ✓ Unauthorized acquisition announcement block
- ✓ Dual approval on high-impact comms
- ✓ 7-year immutable audit (SOX-aligned retention)
WhatsApp Business compliance
Block cold outreach and freeform messages outside the 24h template window.
- ✓ Cold outreach block (opt-in required)
- ✓ 24h template window enforcement
- ✓ TCPA escalation to BLOCK on WhatsApp
- ✓ Hold-token callback flow for live-chat review
SMS & TCPA compliance
Hard-block cold SMS and enforce STOP/HELP opt-out on every message.
- ✓ Cold SMS block (prior written consent required)
- ✓ STOP/HELP keyword enforcement (CTIA §5.2)
- ✓ TCPA autodialer escalation to BLOCK
- ✓ 10DLC campaign compliance
LinkedIn outreach policy
Block automated solicitations and flag scraped-profile references.
- ✓ Automated solicitation block (ToS 8.2)
- ✓ Scraped-profile reference detection
- ✓ Competitor mention catch
- ✓ Pricing hallucination block
Omnichannel RevOps
Full-stack governance for AI bots across email, WhatsApp, SMS, LinkedIn, Telegram, and Slack.
- ✓ All 8 channel-specific rules in one bundle
- ✓ Pricing + competitor catch across all channels
- ✓ Prompt injection protection
- ✓ Hold-token callback for live-chat review