Field note · Governance

AI compliance: what regulated firms must get right

Can you prove, after the fact, that your AI behaved the way you said? The parts regulated firms have to get right.

The Nichetel research desk · 5 min read · Updated 2026-06-05

AI compliance for a regulated firm comes down to a question most marketing skips: can you prove, after the fact, that your AI behaved the way you said it would? Buying a tool with a compliance page is easy. Being able to show a regulator how it handled a client's data, who reviewed its output, and what you did when it was wrong is the part that takes work.

This note is the practical read on what regulated firms actually have to get right, drawn from our governance and data-protection reports.

The three things regulators care about

Data handling comes first. Where does client data go when it enters the tool, does it leave your jurisdiction, and does it train a model other customers benefit from? A regulated firm needs a clear, documented answer, and "the vendor handles it" is not one.

Accountability comes second. For any AI output that affects a client, there has to be a named human who reviewed or can review it, and a record that the review happened. Regulators are consistent on this: automation does not move responsibility off the firm.

Auditability comes third. If asked, can you reconstruct what the tool did on a given matter, what it was given, and what it produced? A tool with no log is a tool you cannot defend. The firms that pass scrutiny are the ones that kept the boring records.

Where firms get caught out

The most common gap is shadow AI: staff using tools the firm never approved, feeding client data into them without anyone tracking it. You cannot be compliant about a tool you do not know exists, so the inventory is the precondition for everything else.

The second gap is the disclosure obligation. Where AI processes personal data, the data-protection regimes across Europe expect the firm to tell the data subject. Several vendors update client-facing disclosures automatically; others leave it to you, and firms forget. The recent regulator guidance on AI processing in professional contexts has made this explicit.

The third is assuming a vendor's compliance badge transfers. A SOC 2 logo on the supplier's site does not make your use of their tool compliant. It is evidence about them, not about how you deploy it.

A workable compliance baseline

Keep an inventory of every AI tool touching client data. For each, document where the data goes and whether it trains a model. Define the human-review point for outputs that affect clients, and keep a record that review happens. Confirm your client-facing disclosures cover AI processing. Check the vendor's evidence rather than its badge.

That baseline is proportionate for a small firm, and it is most of what a regulator wants to see. It is not a heavy programme; it is a habit applied consistently. The report behind this note turns each line into specific questions and a checklist a regulated firm can work through.

Go deeper

The report behind this note.

This note is the free preview. The report has the tools tested, pricing verified with each vendor, and the full methodology.

Common questions

Quick answers.

Documented data handling (where client data goes, whether it trains a model), named human accountability for AI outputs that affect clients with a record of review, and auditability so you can reconstruct what the tool did. The responsibility stays with the firm, not the vendor.

No. A vendor's SOC 2 or similar badge is evidence about them, not about how you deploy their tool. Your compliance depends on your own data handling, review, and records.

Shadow AI: staff using unapproved tools and feeding client data in without tracking. You cannot be compliant about a tool you do not know exists, which is why an inventory is the precondition for everything else.

Where AI processes personal data, European data-protection regimes expect disclosure to the data subject, and recent regulator guidance has made this explicit for professional contexts. Check whether your vendor updates client-facing disclosures or leaves it to you.
