Compliance teams face growing regulatory complexity across privacy, employment, financial, and industry-specific regulations. AI dramatically accelerates the research, drafting, and monitoring work while human judgment remains essential for interpretation and decisions.
Disclaimer: AI can assist with compliance work but is not a substitute for qualified legal counsel. All materials should be reviewed by licensed attorneys before implementation.
## 1. Regulatory Research

### New Regulation Analysis

```text
Prompt: Analyze this regulation and identify compliance requirements for our organization.

Regulation: [Paste regulation text or describe regulation name]
Our organization: [Type, industry, size, geographic scope]
Current practices: [What we do now that may be affected]

Identify:
1. Which provisions directly apply to us
2. Deadlines and implementation timelines
3. Specific operational changes required
4. Documentation and recordkeeping requirements
5. Penalties for non-compliance
6. Any ambiguities requiring legal interpretation
7. Similar regulations we're already compliant with that may transfer
```
### Multi-Jurisdiction Comparison

```text
Prompt: Compare privacy law requirements across these jurisdictions for our data practices.

Jurisdictions: California (CCPA/CPRA), EU (GDPR), UK (UK GDPR), Virginia (CDPA), Colorado (CPA)

Our data practices:
- We collect: [List data types — email, behavioral, location, etc.]
- How we use it: [Marketing, analytics, product improvement, third-party sharing]
- Third-party sharing: [Yes — list recipients and purposes]
- Data retention: [Current retention periods]

Compare requirements across jurisdictions for:
1. Privacy notice requirements
2. Consent standards
3. Data subject rights (access, deletion, portability)
4. Opt-out mechanisms
5. Data processing agreements
6. Breach notification requirements

Identify: Where we can harmonize requirements vs. where jurisdiction-specific variations are required.
```
## 2. Policy Drafting

### Privacy Policy

```text
Prompt: Draft a privacy policy for our company.

Company type: [B2B SaaS / B2C / E-commerce / Healthcare / etc.]
Data collected: [List all data types]
Uses: [Marketing, analytics, service delivery, etc.]
Third-party sharing: [Who you share data with and why]
Retention periods: [How long you keep each data type]
User rights: [Rights you're committed to honoring]
Jurisdictions: [Where customers are located]
Regulatory requirements: [GDPR, CCPA, HIPAA, etc.]

Draft requirements:
- Written in plain language (not legal jargon)
- Organized with clear headings
- Complete coverage of all required disclosures
- Links to contact us section
- Effective date and version number
- Length: Comprehensive but readable

This is a draft for attorney review before publication.
```
### Employee Handbook Policy

```text
Prompt: Draft a workplace policy on [topic].

Topic (example): AI Use Policy at Work
Organization: [Type and size]
Current situation: [What employees are already doing; what's unaddressed]
Our stance: [What we want to allow, restrict, and require]
Roles to consider: [Different rules for different roles?]
Regulatory context: [Any industry regulations that affect this]

Policy should include:
1. Purpose and scope (who this applies to)
2. Acceptable use
3. Prohibited uses
4. Data and confidentiality requirements
5. Disclosure requirements (when to disclose AI involvement)
6. Compliance responsibilities
7. Violations and consequences
8. Review date

Professional policy format. Review required before implementation.
```
### Data Retention Policy

```text
Prompt: Draft a data retention policy framework.

Organization type: [What you do]

Data categories we manage:
- Customer data: [Types]
- Employee data: [Types]
- Financial records: [Types]
- Business communications: [Types]
- Legal and compliance records: [Types]

Regulatory requirements (what we know):
- [List known regulatory retention requirements]
- [Industry-specific requirements]

Business requirements:
- [How long we need data for operational purposes]
- [Litigation hold considerations]

Create:
1. Retention schedule matrix (data type → retention period → legal basis)
2. Disposal procedures (how to securely delete at end of retention)
3. Legal hold process (when to suspend deletion)
4. Roles and responsibilities
5. Audit and documentation requirements
```
## 3. Risk Assessment

### Compliance Risk Assessment

```text
Prompt: Help me build a compliance risk assessment framework.

Organization: [Type and industry]
Applicable regulations: [List primary regulations]
Business functions to assess: [Operations, HR, Finance, Marketing, IT, etc.]

For each business function, help me identify:
1. Regulatory requirements that apply
2. Current controls in place (I'll fill this in)
3. Risk rating methodology (likelihood × impact, 1-5 scale)
4. Common risk scenarios for each area
5. Industry benchmarks for what "good" looks like

Output format: Matrix that our compliance team can populate with assessment findings and then prioritize remediation.
```
### Vendor Risk Assessment

```text
Prompt: Create a vendor risk assessment questionnaire for vendors who process our data.

Our context: [Industry, what data we share with vendors]
Regulatory requirements: [GDPR, HIPAA, SOC 2, etc.]
Risk tiers: Critical (access to PII/sensitive data) / Standard / Low

Assessment questionnaire covering:
1. Security controls (10 questions)
2. Data handling practices (8 questions)
3. Sub-processor management (5 questions)
4. Incident response and breach notification (6 questions)
5. Business continuity (5 questions)
6. Regulatory compliance certifications (4 questions)
7. Audit rights (3 questions)

For each section:
- Questions
- Acceptable vs. unacceptable response indicators
- Follow-up questions for concerning answers
```
## 4. Compliance Training

### Training Content Development

```text
Prompt: Create compliance training content on [topic].

Topic: Data Privacy Fundamentals
Audience: All employees (non-legal, varying tech literacy)
Required regulations to cover: GDPR basics, CCPA basics, company policies
Current gaps: Survey shows employees don't know what counts as personal data
Training format: 20-minute online module + short quiz

Content outline:
1. What is personal data? (with relatable examples)
2. Why it matters (company values + legal requirements + consequences)
3. Our data handling rules (simplified, actionable)
4. Recognizing and responding to a data request from a customer
5. Recognizing and reporting a potential data breach
6. 10-question knowledge check

Write the script for Section 2 and Section 4 as examples. Plain language, scenario-based, avoiding jargon.
```
### Phishing and Security Awareness Scenarios

```text
Prompt: Create realistic phishing simulation scenarios for employee training.

Organization type: [Professional services / Healthcare / Financial services]
Attack sophistication: [Mix of basic and sophisticated]
Training goal: Help employees recognize and report suspicious communications

Create 5 realistic phishing scenarios including:
- Email content (verbatim)
- Red flags employees should notice
- Correct action to take
- Why this scenario is realistic (current threat environment)
- How to report it in our organization

Scenarios should range from:
1. Basic (obvious misspellings, generic)
2. Intermediate (legitimate-looking sender, credential harvesting)
3. Sophisticated (spear phish, executive impersonation, business email compromise)
4. Internal threat simulation (internal-looking request for data)
5. SMS/vishing scenario (voice/text based)
```
## 5. Audit Preparation

### Audit Readiness Checklist

```text
Prompt: Create an audit readiness checklist for [type of audit].

Audit type: SOC 2 Type II / HIPAA / PCI DSS / ISO 27001 / Internal
Our organization: [Type, size, systems in scope]
Audit timeline: [When the audit is, how much prep time]

Checklist should cover:
1. Documentation to gather and update (be specific)
2. Evidence collection requirements (specific artifacts needed)
3. Common audit findings in our industry to proactively address
4. Personnel to interview and prepare
5. Systems to document
6. Policies requiring updates before audit
7. Timeline working backwards from audit date

For each item: owner role, deadline, and what "ready" looks like.
```
### Audit Response Drafting

```text
Prompt: Help me draft a response to this audit finding.

Finding: [Describe the auditor's finding]
Finding severity: [High/Medium/Low as rated by auditor]
Root cause (our assessment): [What actually caused this]
Current status: [Already fixed? Partially fixed? Not yet addressed?]
Remediation plan: [What we will do to fix it]
Timeline: [When remediation will be complete]

Draft a formal response that:
- Acknowledges the finding appropriately
- Explains root cause without being defensive
- Describes remediation steps specifically
- Provides a realistic timeline
- Describes monitoring to prevent recurrence
- Uses a professional regulatory/audit response tone
```
## 6. Incident Response

### Breach Notification Assessment

```text
Prompt: Help me assess breach notification obligations.

Incident: [Describe what happened — unauthorized access, lost device, phishing email with data access, etc.]
Data involved: [What data may have been accessed — types and approximate volumes]
Affected individuals: [Who — employees, customers, vendors; approximate count]
Timeframe: [When did the breach occur, when discovered]
Our locations: [State/country jurisdictions of affected individuals]

Assess:
1. Whether this likely triggers notification obligations
2. Jurisdictions requiring notification and their thresholds
3. Notification deadlines for each jurisdiction
4. Required content for notifications
5. Regulators to notify (if required)
6. Recommended breach response timeline
```

Note: Final determination requires legal counsel with breach response expertise. Describe the incident in the prompt using data categories and approximate counts only; redact names, account identifiers and any other personal data before submitting it to a third-party AI tool, since the description itself would otherwise be a further disclosure of the affected data.
AI accelerates compliance work significantly: regulatory research that took days can be summarized in minutes, and policy drafts that took weeks can be generated in hours. The human roles that remain essential are regulatory interpretation, legal judgment, stakeholder buy-in, and the irreplaceable experience of working with regulators in your specific industry.