Customers and regulators rarely ask “which model?” first. They ask: what data went in, who could see it, who approved the side-effect, and can you reproduce the decision six months later when legal calls?
AI compliance is not a checkbox on a vendor questionnaire. It is an audit trail — a chain of evidence that lets you answer those questions without reconstructing memory from Slack threads and someone's laptop.
Controls we implement
- Immutable logs of prompts, completions, and tool calls — secrets redacted at write time, not “we'll scrub later.”
- Human approval gates for irreversible actions: refunds, account deletion, external email, IAM changes.
- Data classification before retrieval — not every doc belongs in context, and not every user should see every retrieved chunk.
- Retention and deletion paths that match the contract. If the customer says 90 days, 90 days means automated purge, not a policy PDF.
This is not paperwork theatre. It is how you sell AI into serious companies without waking up to a breach disclosure or a procurement block at the final stage.
What legal and security actually ask
After dozens of enterprise reviews, the questions repeat:
- Data residency. Where do prompts and outputs land? Which region, which account, which subprocessors?
- Training use. Does customer data train anyone's model? The answer should be no, and provable.
- Access control. Who can invoke the agent, and with what scope? Agent IAM is not “give it admin because it's convenient.”
- Reproducibility. Given a decision ID, can you show the prompt version, inputs, model, and output?
If you cannot answer four out of four from logs — not from architecture slides — you are not ready for a serious procurement cycle.
Edge work before launch
Edge is where compliance meets runtime. We treat it as week-one work, not a post-incident retrofit:
- Separate logging for user input vs retrieved content vs model output. Mixing them makes redaction impossible.
- Prompt and model version IDs on every log line. “We changed something in March” is not an audit answer.
- Break-glass access documented: who can read raw logs, under what approval, with what retention.
- Data processing agreements mapped to actual infrastructure — not to a generic “we use AWS” statement.
Embed agents inherit these controls by default. Forge prototypes get a lighter version, but we never demo to enterprise buyers without being able to show where the trail would live in production.
What not to do
Do not bolt compliance on after the agent has mailbox access. Do not log everything to a shared S3 bucket with no lifecycle policy. Do not treat “we'll add SOC 2 later” as a sales strategy — your buyer's security team has heard that before.
The goal is not perfect governance on day one. The goal is a trail good enough that when something goes wrong — and something will — you can investigate, contain, and explain without guessing.