Sectors

One ungoverned AI tool is one audit finding

Healthcare carried a $9.77M average breach cost in IBM's 2024 report; defense contractors face ITAR penalties up to $1.27M per violation, with no intent required. Law enforcement answers to CJIS Security Policy v6.0, and each sector below carries its own cited exposure with a named regulator behind it.

By sector

Sector exposure and obligations

Six regulated sectors, each paired with a cited exposure and the obligation Verillian is built to map to. The controls live on Solutions and Platform.

Healthcare

HIPAA, 42 CFR Part 2

When clinicians paste notes, labs, or chart data into generative AI tools, PHI can cross the boundary to an outside provider with no record it happened. Under HIPAA, each exposure carries breach-notification, OCR enforcement, and per-record penalties. Without a record of what data left and what policy did, the institution cannot answer the first question a HIPAA audit asks.

Law enforcement

CJIS Security Policy v6.0, 28 CFR Part 23

An analyst pasting case files into a generative AI assistant moves criminal justice information outside the boundary with no record of what left or who sent it. With nothing in place, a single ungoverned tool turns a productivity gain into an unauditable disclosure of CJI, exactly the activity CJIS Security Policy v6.0 requires you to log and retain.

Government

FedRAMP-aligned, FISMA

When agency staff query citizen data through generative AI tools with nothing governing them, no enforced boundary stops sensitive records from leaving the agency, and no verifiable evidence shows what was sent or returned. If an inspector general asks what the AI saw and did, an agency with nothing in place cannot produce a tamper-evident answer.

Defense contractors

CMMC 2.0, NIST 800-171, ITAR

When an employee pastes ITAR-controlled technical data or CUI into a generative AI tool, that export leaves your boundary with no record of what was disclosed, to which provider, or by whom. Civil ITAR liability does not require willful intent, so a single negligent disclosure is an enforceable per-violation event, and each transfer can be counted separately.

Financial services

GLBA, SOX, SR 11-7

When AI tools operate with no enforced policy and no tamper-evident record, customer and account data can leave the boundary unredacted, with no defensible account of what any model did. Examiners under SR 11-7, SOX, and GLBA expect a reconstructable record of model behavior. Without one, the institution carries breach and penalty exposure.

Education

FERPA, COPPA

When teachers and staff feed student records into generative AI tools with nothing governing where that data goes, FERPA- and COPPA-protected information leaves the boundary unredacted and unrecorded. The institution carries the legal exposure for every record disclosed, with no enforceable boundary at the point of use and no tamper-evident record of what was sent.

See it on your traffic

Book a demo and watch a live AI request intercepted on a device, decided against real policy, and sealed into a tamper-evident chain entry you can verify.