// COMPLIANCE_CHECKLIST
Before funding an AI workflow, executives need a first-pass view of data class, decision impact, residency, auditability, and retention. Those answers determine whether the architecture can use public APIs, private cloud, or on-premise controls.
Run zero-data assessment// FIVE_QUESTIONS
01
Will the workflow process personal, client, financial, employee, health, legal, or regulated operational records?
Good signal
The data class is known, and the team can separate low-risk metadata from sensitive content.
Concern
The workflow mixes sensitive data with broad prompts, exports, or logs without clear classification.
Architecture implication
Use sensitivity tiers, private retrieval boundaries, and prompt/log minimization.
02
Could the AI output influence a customer, employee, credit, compliance, hiring, legal, or safety decision?
Good signal
AI supports preparation or recommendation; humans retain accountable decision authority.
Concern
The model can trigger material actions without explicit review or appeal path.
Architecture implication
Add human approval gates, escalation thresholds, and decision logs.
03
Where can prompts, embeddings, documents, outputs, and logs be processed and stored?
Good signal
Allowed hosting locations and vendor boundaries are documented before model selection.
Concern
The team chooses a public API before confirming residency, retention, or vendor exposure limits.
Architecture implication
Route by sensitivity: public API for low-risk content, private cloud or on-prem for restricted workflows.
04
Can the business explain what the model used, what it produced, who approved it, and when?
Good signal
Outputs can be traced to source context, prompt configuration, reviewer, and version.
Concern
The workflow produces answers or actions that cannot be reconstructed later.
Architecture implication
Maintain source citations, model/version records, reviewer trail, and exception logs.
05
What happens to prompts, files, embeddings, intermediate outputs, and logs after the workflow completes?
Good signal
Retention windows are explicit and match legal, operational, and security expectations.
Concern
The implementation stores everything because no deletion policy exists.
Architecture implication
Define retention by artifact type and avoid storing raw sensitive inputs when derived metadata is enough.
// READINESS_BANDS
The purpose of the checklist is not to certify compliance. It tells leaders which architecture lane is responsible enough to explore.
Green
Low-risk advisory or productivity use
Proceed with lightweight controls and monitoring.
Amber
Internal workflow with sensitive context or operational impact
Use private boundaries, human review, and audit logs before scaling.
Red
Regulated data, material decisions, or unclear data rights
Pause implementation until legal, security, and process owners define constraints.