The 6 controls your compliance team needs before approving an AI assistant

Published 2026-07-09

Someone in your organization wants to use an AI assistant, and you are the person who has to say yes or no. The request looks harmless: a productivity tool with a chat box. But approving it means client names, contract terms, health details, or internal strategy will flow through that box, and where it goes next is your problem. This is the checklist for that decision: six controls, each verifiable, each with the question to put to the vendor.

Quick answer: Before approving an AI assistant, verify six things: a data-flow map you can check, training exclusion and retention terms in writing, API keys you control and can revoke, an audit trail of what the AI accessed, working deletion and export, and a no-cloud fallback for the data that can never leave. A vendor who can't answer these isn't ready for regulated work.

Why is this suddenly on your desk?

Two reasons, and neither settles the question for you.

First, the EU AI Act's enforcement for general-purpose AI starts August 2, 2026. Most of that lands on the model providers, not on you: if your organization only uses AI assistants, you are a deployer, and the headline fines are aimed elsewhere. But the law reshapes the tools you buy, and "we use AI" now invites questions from auditors and clients that "we use spreadsheets" never did. The enforcement-date breakdown covers who owes what.

Second, GDPR enforcement on AI is unsettled rather than resolved. Italy's €15M fine against OpenAI was annulled by the Court of Rome in March 2026 on procedural grounds — not a ruling that the practices were fine, just that the case was mishandled. Nobody should read that as "GDPR doesn't apply to AI." It means the case law you'd like to lean on doesn't exist yet, so your approval process has to do the work the regulators haven't.

What are the six controls?

1. A data-flow map you can verify

Ask the vendor to draw the path of a single prompt: from the user's browser, through the vendor's servers, to whichever model provider does the inference, and back. Two legs matter. The vendor leg: does the app's own backend see, log, or store prompts? The provider leg: which model company receives them, in which region, under whose account? If the vendor cannot produce this diagram, or it changes depending on who you ask, stop there.

2. Training exclusion and retention terms, in writing

"Your data is private" is not a term; it is a slogan. What you want is the specific contractual layer that governs the AI traffic. Model providers' API terms are materially stronger than their consumer terms: as of mid-2026, OpenAI's API excludes data from training by default and retains abuse-monitoring logs for around 30 days, and Anthropic's commercial terms exclude training with API inputs and outputs deleted within 30 days by default. Zero-data-retention agreements exist at both but are approval-gated, and they no longer cover everything: as of June 2026, Anthropic's newest frontier models are excluded from ZDR entirely. The question for the vendor: which of these terms actually applies to my traffic, and can you show me? The BYOK explainer covers why the API-vs-consumer split is the single most important line in this area.

3. Keys you own and can revoke

If the assistant runs on the vendor's pooled API key, your data governance depends entirely on the vendor's contract. If it runs on your key (bring your own key), you are in direct privity with the provider: your account, your DPA, your spend caps, and, critically, your kill switch. Revoking a key in your own provider console cuts the tool's model access instantly, without asking the vendor for anything. That is what offboarding should look like. Bonus question: how does the vendor store your key at rest, and can they name the encryption?

4. An audit trail of what the AI saw and did

When the assistant answers, can anyone reconstruct what it accessed to produce that answer? For agentic assistants that create tasks, query notes, or call tools, this means a log of every tool call, tagged with who triggered it and how it authenticated. For assistants with memory, it means every remembered fact is individually inspectable: what was learned, when, and from where. If the memory is an opaque blob the vendor "summarizes for quality," you cannot audit it, and what an auditable memory looks like is the standard to hold them to.

5. Deletion and export that actually work

GDPR's access and portability rights don't stop applying because the data lives inside an AI tool. Two tests. Export: can a user pull everything (notes, tasks, remembered facts) in a documented format, on every tier, without a support ticket? Deletion: when a fact or document is deleted, is it gone from the model's working context, or merely hidden from the interface? A vendor who answers the deletion question with confidence and specifics has thought about it; one who hesitates has not.

6. A no-cloud fallback for the data that can never leave

Some data cannot go to any cloud provider under any terms: matters under professional secrecy, some health records, whatever your own policy carves out. The control here is architectural, not contractual. Does the tool support a fully local mode: a model running on your own hardware, with zero cloud egress, ideally alongside self-hosted storage? A tool with a genuine local mode gives you one approval that covers both the ordinary case and the hard case. A cloud-only tool forces you to carve exceptions by hand, forever.

What does a passing answer look like?

For calibration, here is how Calmara answers these, since it is built for exactly this review: prompts route under your own provider keys (BYOK on every tier, keys AES-256-GCM encrypted at rest and never returned to the browser), a PII sanitizer strips identifiers before any cloud call, every MCP tool call lands in an audit log tagged by auth method, memory is stored as individually inspectable facts with timestamps and provenance, the full knowledge store exports as schema-versioned JSON on every tier, and a hard local-only mode refuses cloud calls outright while a local model handles inference. That is one product's shape of the six controls; whatever tool you evaluate, the shape is what to look for — the regulated-professionals page goes deeper on the architecture.

The practical next step: take the six questions above into your next vendor call, in order. The first "we'll get back to you" tells you most of what you need to know.

FAQ

What should a compliance team check before approving an AI assistant?

Six controls: a verifiable data-flow map, written training-exclusion and retention terms, customer-owned revocable API keys, an audit trail of tool calls and memory, working deletion and export, and a local no-cloud mode for data that can never leave. Each is checkable in a vendor call.

Does the EU AI Act apply to companies that just use AI assistants?

Mostly indirectly. Organizations that only use AI are deployers, and the August 2, 2026 general-purpose AI enforcement aims its heaviest obligations and fines at providers. Deployers carry lighter duties, like AI literacy for staff (applicable since February 2025) and disclosure rules if they publish AI-generated content; the heavier oversight obligations apply only to high-risk systems. The law also reshapes the tools they buy.

Is AI use a GDPR problem?

GDPR fully applies, but enforcement against AI is unsettled. Italy's €15M fine against OpenAI was annulled in March 2026 on procedural grounds, which removed a precedent without blessing the practices. Treat GDPR as live risk with thin case law, not as resolved either way.

What is the difference between an AI vendor's consumer terms and API terms?

Consumer terms often allow training on user content (opt-out based) with long retention. API and commercial terms at the major providers exclude training by default and delete or age out content on short windows, roughly 30 days at both OpenAI and Anthropic as of mid-2026. Which terms govern your traffic depends on how the tool connects.

Why do revocable API keys matter for compliance?

A key you issued is a kill switch you control: revoking it in your provider console instantly cuts the tool's model access with no vendor cooperation. It also puts you in a direct contractual relationship with the provider, so your DPA and your retention terms apply rather than the vendor's.

What is an AI audit trail?

A reconstructable record of what the assistant accessed and did: tool calls with caller and authentication method, and memory entries with source and timestamp. It is what lets you answer "why did the AI say that" and "what has it stored about this client" with evidence instead of guesses.

Can any AI assistant work with data that must never leave our network?

Only tools with a genuine local mode: inference on your own hardware via a local model, paired with self-hosted storage. Contractual protections reduce cloud risk; only architecture eliminates it. If some of your data is in that category, make a local mode a hard requirement.

← All articles

Written by Dan Hagen

Try Calmara

Auditable AI memory, tasks, calendar, and notes. Self-hostable, BYOK, free tier.

Get started free