Written by HubSecure Editorial Team

Practical guides for secure client portals, RBAC, onboarding and regulated client operations.

Reviewed by HubSecure Security & Compliance Review

Reviewed for security positioning, workflow accuracy and implementation clarity.

Last updated May 7, 2026

Checked against the current HubSecure marketing site and product positioning.

Artificial intelligence is already embedded in regulated workflows. Document drafting, client risk scoring, AML transaction monitoring, medical diagnosis support — AI is not hypothetical; it is operational. The question for regulated businesses is not whether to use AI, but how to use it responsibly, lawfully, and in a way that satisfies your regulator.

This guide covers the regulatory landscape, how to classify AI use cases by risk, what an internal AI policy must contain, and sector-specific considerations for law firms, financial services, and healthcare.


The Regulatory Landscape

EU AI Act (Regulation 2024/1689): The world's first comprehensive AI regulation. It entered into force in August 2024. Key compliance dates:

  • February 2025 — Prohibitions on unacceptable-risk AI apply
  • August 2025 — GPAI model rules apply (applies to providers)
  • August 2026 — High-risk AI system obligations apply (affects users/deployers)
  • August 2027 — Full application including legacy high-risk systems

GDPR Article 22: Prohibits solely automated decisions with significant legal or similar effects on individuals. Any AI system that makes or significantly contributes to credit decisions, insurance pricing, employment decisions, or legal case outcomes requires a human in the loop — unless consent, contract necessity, or EU/member state law provides a basis.

Sector regulators: The FCA (UK/EU), EBA, ESMA, and national financial regulators have published guidance warning that accountability for AI decisions cannot be delegated to a model. You remain liable for the output. The SRA has warned solicitors that using AI without adequate supervision may breach professional obligations.

EU AI Act: Risk Classification for Regulated Businesses

Prohibited AI (banned from 1 Feb 2025)

The prohibited category covers AI that manipulates behaviour subconsciously or exploits the vulnerabilities of specific groups, social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), and predictive policing. These are absolute prohibitions — no compliance path, no exemptions for regulated businesses.

High-risk AI (major obligations from Aug 2026)

AI used in: credit scoring, insurance underwriting, employment and HR decisions, educational scoring, law enforcement, migration/asylum, administration of justice. Also includes AI integrated into regulated products (medical devices, machinery).

Obligations include: risk management system, data governance, technical documentation, transparency to affected persons, human oversight, accuracy and robustness requirements, and registration in the EU AI database.

Limited-risk AI (transparency obligations)

Chatbots, AI that generates or manipulates content (deepfakes, synthetic text). Must disclose that the user is interacting with an AI. AI-generated content must be labelled where deception is possible. Applies now (from February 2025).

Minimal-risk AI (no specific obligations)

Spam filters, AI in video games, AI-assisted document drafting (where a human reviews and takes responsibility), recommendation systems, productivity tools. The vast majority of enterprise AI falls here — but GDPR compliance and professional responsibility still apply.

Sector-Specific AI Use Case Analysis

Legal — AI-assisted document drafting
  Use case: Generating first drafts of contracts, letters, summaries from case notes. Lawyer reviews and takes professional responsibility.
  Classification: Minimal risk — OK with review

Legal — AI risk assessment for litigation outcome
  Use case: Using AI to predict litigation success probability, with the prediction used in client advice.
  Classification: High risk — GDPR Art. 22 + AI Act

Finance — AML transaction monitoring
  Use case: AI flags transactions as suspicious; a human compliance officer reviews and makes the SAR decision.
  Classification: High risk — compliant with human oversight

Finance — Automated credit scoring
  Use case: AI makes or heavily weights credit approval decisions affecting individuals.
  Classification: High risk — GDPR Art. 22 applies

Healthcare — AI diagnostic support
  Use case: AI suggests diagnoses based on symptoms or imaging; the doctor makes the final clinical decision.
  Classification: High risk — compliant with clinician oversight

All sectors — Client AI chatbot
  Use case: AI handles initial client queries. Must disclose it is an AI. Cannot give regulated advice without human review.
  Classification: Limited risk — disclosure required

HR — CV screening AI
  Use case: AI ranks or screens job applicants automatically, with HR making the final decision.
  Classification: High risk — GDPR + AI Act obligations

All sectors — Productivity / summarisation
  Use case: AI summarises meeting notes, drafts emails, transcribes calls. Staff input is checked before use.
  Classification: Minimal risk — data minimisation applies

What Your Internal AI Policy Must Contain

1. Permitted and prohibited AI tools

An explicit list of approved AI tools, and a list of tools that may not be used for client or regulated work (e.g. consumer-grade ChatGPT where data is used for training, tools without a DPA, tools hosted outside approved jurisdictions). "Not on the approved list" must mean not permitted — shadow AI is your biggest governance risk.

2. Data classification rules for AI input

Clear rules on what data may be entered into which AI tools. No client personal data, no AML/KYC records, no legally privileged communications into any AI tool that does not have an approved DPA. Consider tiering: public tools for anonymised/public data only; approved enterprise tools for internal data.

3. Human-in-the-loop requirements

Any AI output that informs a regulated decision, professional advice, or communication to a client must be reviewed and approved by a qualified human. Define who has authority to approve AI-assisted outputs for each function. The AI is a tool; the professional is responsible for the output.

4. AI incident and error reporting

Staff must know how to report AI errors, hallucinations, or outputs that were acted on incorrectly. AI incidents should be logged, reviewed, and fed back into training and policy. This is especially critical if the AI output was shared with a client or informed a regulatory filing.

5. Record-keeping for AI-assisted decisions

For high-risk AI decisions, you must be able to explain the decision and demonstrate human oversight. Retain records of: which AI tool was used, what input was provided (in summary), what output was produced, and what the reviewing professional decided. This is your audit trail for a regulator or subject access request.

6. Third-party AI vendor governance

All AI tools used for professional or regulated work must have a DPA in place. Vendors must be assessed for: data residency, training data use, sub-processor chain, incident response, and AI Act compliance (for high-risk systems). Procurement sign-off should require compliance team approval for new AI tools.

7. Staff training and awareness

All staff must complete AI policy training before using any approved AI tool. Training must cover: what the tool can and cannot do, what data must not be entered, how to review outputs critically, and how to report issues. Annual refresher training is mandatory.
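As an added example (not HubSecure's code and not part of the original guide), the Python sketch below turns policy items 1, 2, 3 and 5 into enforceable checks: a tool register where "not on the list" means not permitted, a data-class gate that lets anything above public data reach only tools with an approved DPA, and an audit record that holds high-risk output until a named reviewer approves it. The tool names and data-class labels are assumptions, and the fail-closed handling of unclassified input is an added convention rather than something the guide states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Data classes named in the policy's input rules, least to most sensitive.
DATA_CLASSES = ("public", "internal", "client_personal", "aml_kyc", "privileged")

# Constructed tool register (tool names are assumptions, not real products).
TOOL_REGISTER = {
    "public-chatbot": {"approved": True, "dpa": False},
    "enterprise-assistant": {"approved": True, "dpa": True},
    "consumer-chatbot": {"approved": False, "dpa": False},
}

def input_allowed(tool: str, data_class: str) -> tuple[bool, str]:
    """Gate an AI input: not on the approved list means not permitted; anything
    above public data needs a tool with an approved DPA; unclassified input
    fails closed (an assumption: treat it as the most sensitive class)."""
    entry = TOOL_REGISTER.get(tool)
    if entry is None or not entry["approved"]:
        return False, "tool not on approved list"
    if data_class not in DATA_CLASSES:
        return False, "unclassified input is refused"
    if data_class == "public":
        return True, "public or anonymised data may go to any approved tool"
    if not entry["dpa"]:
        return False, f"{data_class} data requires a tool with an approved DPA"
    return True, "approved enterprise tool with DPA"

@dataclass
class AuditRecord:
    """Fields the policy asks you to retain for each AI-assisted decision."""
    tool: str
    input_summary: str
    output: str
    high_risk: bool
    reviewer: Optional[str] = None
    decision: Optional[str] = None  # "approved" or "rejected" by the reviewer
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())

def record_review(rec: AuditRecord, reviewer: str, decision: str) -> AuditRecord:
    """A named, qualified human signs off; the record keeps who decided what."""
    rec.reviewer, rec.decision = reviewer, decision
    return rec

def release_allowed(rec: AuditRecord) -> bool:
    """High-risk output is held back until a reviewer has approved it."""
    return (not rec.high_risk) or rec.decision == "approved"
```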

HubSecure AI Operator

AI built for regulated businesses

The HubSecure AI Operator runs within your compliance boundary — 71 tools, 34 models, full audit trail, no cross-account training. Every AI action is logged with the user, timestamp, input summary, and output for your audit record.
