Your Company Is Probably Breaking the Law With AI Right Now
I went looking for the audit checklist regulators actually use. What I found should worry anyone who's ever pasted a client name into ChatGPT.
There’s a specific kind of silence that happens in compliance meetings now. Someone asks, “Wait, are we actually allowed to put that into the AI tool?” and nobody in the room has a confident answer. Not legal. Not IT. Not the VP who approved the subscription six months ago.
That silence is the whole story. AI adoption inside companies has outrun every policy, every audit, every governance document meant to keep it in check. People are pasting contracts, patient notes, source code, and HR files into tools that were never vetted for any of it — not because anyone is being reckless, but because nobody told them not to, and the tools are genuinely useful.
I started digging into this after a conversation with a friend who works in compliance at a mid-sized healthcare company. She wasn’t worried about a hacker breaking in. She was worried about her own staff, using completely ordinary AI tools, in completely ordinary ways, creating a paper trail that regulators could use against the company.
The gap nobody budgeted for
Here’s the pattern that keeps showing up. Companies adopt AI tools at the pace of individual employees discovering them — a developer speeding up code review, a paralegal summarizing a deposition, an analyst dropping a spreadsheet into a chatbot to save twenty minutes. None of these people think they’re doing anything wrong. Most of them aren’t, technically. But collectively, this is exactly how a company ends up with sensitive data sitting on servers it never approved, inside systems it never audited, with zero record of what went in or where it went.
This is sometimes called shadow AI — AI use that happens entirely outside any official governance process. And it’s not a fringe problem. It’s the default state for most organizations right now, because the tools showed up faster than the rules did.
The uncomfortable part is that this isn’t really an IT problem you can patch. It’s closer to a structural one. Policies that say “please don’t paste sensitive data into AI tools” rely entirely on employees remembering, caring, and correctly judging what counts as sensitive — under deadline pressure, every single time. That’s not a control. That’s a hope.
What an actual audit looks for
I came across a genuinely thorough breakdown of how this is supposed to be audited properly — not a vague “be careful with AI” memo, but a real checklist covering the seven areas regulators actually look at: knowing every AI tool in use, mapping what data flows into each one, checking GDPR and HIPAA obligations, testing for security gaps like prompt injection, verifying bias and explain ability controls, confirming data residency, and proving the whole thing is monitored continuously rather than reviewed once a year and forgotten.
It’s worth sitting with for a few minutes if you’ve never seen one laid out this completely: AI Audit Checklist for Enterprise AI Compliance Reading through it, what struck me wasn’t any single requirement — it’s how many of them assume something most companies don’t actually have: a real-time, gateway-level way of catching sensitive data before it ever reaches an AI model, rather than trying to clean up after the fact.
Why “just write a policy” doesn’t hold up
Every company I’ve talked to about this has some version of an AI usage policy. Almost none of them have a technical way to enforce it. That distinction matters more than it sounds like it should.
A policy tells people what they’re supposed to do. It does nothing to stop the one moment, on a Friday afternoon, when someone needs an answer fast and pastes in exactly the wrong thing. Multiply that moment across a thousand employees and a few hundred workdays a year, and the policy isn’t a safeguard — it’s a liability waiver written in advance.
What the better-run organizations are doing instead is putting something between employees and the AI tools they use — a layer that automatically strips or tokenizes sensitive information before it ever leaves the building, regardless of which AI tool someone picked or whether they remembered the policy at all. Questa AI is one of the products built specifically around that idea: an intelligent gateway that sits between a workforce and any large language model, sanitizing data in real time and generating the audit trail that compliance teams are increasingly required to produce on demand. You can see how that approach is built at Questa-AI
That’s not an endorsement of any one vendor over another — it’s just a useful illustration of the shape of the fix. The technical answer to a human-error problem is rarely “ask humans to make fewer errors.” It’s removing the moment where the error is even possible.
Where most companies actually stand
If you ran this audit on your own organization today, where would you land? For most companies, the honest answer is somewhere near the bottom: informal policies that exist mostly on paper, no real inventory of which AI tools are actually in use department by department, and zero technical enforcement of anything written in the employee handbook.
That’s not a moral failing. It’s just what happens when a technology moves faster than the institutions built to govern it. The problem isn’t that companies are behind — it’s that very few of them have stopped to measure how far behind they are, because nobody has handed them a checklist concrete enough to score themselves against.
That’s the real value of working through a structured audit like the one above — not as a one-time compliance exercise to file away, but as a mirror. It tells you, specifically, which of the seven domains your organization has covered and which ones are quietly empty.
The actual question worth asking this week
Not “are we using AI responsibly” — that’s too vague to act on. The sharper version is: if a regulator asked us tomorrow to produce a complete map of every AI tool in use, what data flows into each one, and what stops sensitive information from leaking out — could we actually produce that document?
For most organizations, the honest answer is no. That’s the gap. And it’s closing on its own timeline whether companies are ready or not — fines under the EU AI Act and escalating GDPR enforcement actions aren’t theoretical anymore, they’re already being issued. I wrote a longer version of this piece a while back, going deeper into the legal exposure side of the shadow AI problem specifically — worth a read if this is hitting close to home: Your Company’s AI Is Probably Breaking the Law Right Now — Here’s How to Check.
If you’ve read this far because something in here sounded a little too familiar, that’s usually a sign it’s worth twenty minutes with your own team this week — before someone else asks the question for you.