CM-301h · Module 1
The Compliance Stack
Every AI initiative that processes organizational data operates within a compliance stack. GDPR governs how personal data of EU residents is collected, processed, and stored — including data processed through AI models. HIPAA governs health information in US healthcare contexts. SOC 2 governs the security, availability, and confidentiality practices of service providers. Industry-specific regulations — FINRA in financial services, FERPA in education, FedRAMP in federal government — add additional layers.
The compliance stack is not optional. It is also not the change manager's domain of expertise — which is exactly why change managers lose to compliance objections. The compliance question from Legal or IT is legitimate, specific, and requires a compliance answer. If you do not map the compliance requirements before the rollout, you will discover them when a gatekeeper asks a question you cannot answer.
- Map the applicable compliance framework before the IT meeting. Identify every regulatory requirement that applies to the AI initiative based on data type (personal data, health data, financial data), geography (EU data subjects trigger GDPR regardless of company location), industry (healthcare, financial services, government all have additional layers), and contract (customer contracts may impose compliance requirements beyond regulatory minimums). Map this before IT asks. The change manager who can answer the compliance question before it is asked has demonstrated technical credibility.
- Get the vendor compliance documentation in advance. Request the AI vendor's compliance documentation before the IT review: SOC 2 Type II report, GDPR Data Processing Agreement, HIPAA Business Associate Agreement if applicable, and relevant industry certifications. Vendors with enterprise-grade compliance practices have this documentation available immediately. Vendors who need time to produce it are telling you something about their compliance posture.
- Identify the gaps before the review. Compare your compliance requirements to the vendor's documentation and identify the gaps before the IT or Legal review. Gaps are either genuine blockers (the vendor cannot meet a hard regulatory requirement) or manageable configurations (the vendor meets the requirement with a specific configuration that must be implemented). Know which you have before the meeting. Walking into an IT review without this analysis produces the kind of surprise that delays rollouts by months.