The regulations & AI-agent terms, in plain English.
Every term below is a step, a signed checkpoint, or a control in a GreatCTO autopilot — not a PDF you read later. Each entry links to the autopilot where it bites.
US law requiring internal controls over financial reporting for public companies. The IT side (ITGC) covers access control, change management, and segregation of duties. SOX ITGC audit autopilot →
The IT controls a SOX audit leans on — logical access, change management, and computer operations. A gap here is what becomes a material-weakness finding. SOX ITGC audit autopilot →
A control deficiency severe enough that a material misstatement could go undetected. It's a public disclosure in the 10-K — restatements and weakness disclosures measurably move the share price.
No single person holds end-to-end authority over a sensitive process: whoever requests a change doesn't approve it, whoever approves doesn't deploy it. In an autopilot this maps to distinct human checkpoints held by different named owners. Bookkeeping autopilot →
US GAAP revenue-recognition standard: revenue is recognized when performance obligations are satisfied, not when cash arrives. Misclassification is a restatement risk, which is why a controller signs the close. Bookkeeping autopilot →
Restricts how tax preparers may use or disclose tax-return information — consent is required before data leaves the engagement. A credentialed preparer signs every filing. Tax-prep autopilot →
US Treasury rules governing practice before the IRS — the diligence and conduct standards a credentialed preparer is bound by before signing a return. Tax-prep autopilot →
Protects health information (PHI): minimum-necessary access, audit trails, breach notification, business-associate agreements. Any autopilot touching patient data runs inside these rails. Medical-coding autopilot →
Individually identifiable health information under HIPAA. The Security Rule lists encryption as an "addressable" safeguard rather than a hard requirement, but only encrypted PHI falls outside breach-notification duties, so the autopilot encrypts it at rest and in transit and logs every access before it moves it anywhere.
The HIPAA contract binding any vendor that handles PHI to the same safeguards as the covered entity. Missing BAAs are a top enforcement finding.
The diagnosis (ICD-10) and procedure (CPT) code sets US claims are built from — the raw material a medical-coding autopilot assigns and a certified coder signs. Medical-coding autopilot →
National Correct Coding Initiative edits — CMS rules flagging code pairs that can't be billed together. A mandatory check before a claim goes out. Medical-coding autopilot →
A CMS cap on the units of a service billable for one patient on one day. Exceeding it without justification triggers a denial.
The X12 837P EDI transaction — the standard electronic format for a professional healthcare claim submitted to a payer. The irreversible "write" in the coding flow.
Whether a service fits the diagnosis under payer policy (NCD/LCD). A prior-auth autopilot never auto-denies on this — missing criteria escalates to a medical director. Prior-auth autopilot →
Payer approval required before a treatment or drug is covered. A denial without a physician's signature is a legal landmine — so the denial path always routes through a human. Prior-auth autopilot →
Liability for submitting false claims to government programs — treble damages, per-claim penalties. The core legal risk in coding and billing automation, and the reason a certified coder signs the risky claims. Medical-coding autopilot →
FDA rule for electronic records and signatures: tamper-evident audit trails and validated systems in pharma and clinical workflows. Pharmacovigilance autopilot →
Detecting, assessing and reporting adverse drug events. A QPPV or drug-safety physician signs an E2B case before it's reported to regulators. Pharmacovigilance autopilot →
State-law prohibition on non-lawyers giving legal advice. Document automation can draft; the advice that crosses the UPL line carries a licensed attorney's signature. Legal-docs autopilot →
Checking counterparties against the US Treasury's SDN and sanctions lists. Strict liability — which is why screening is a mandatory flow step, not a periodic batch job. KYC/AML autopilot →
Know Your Customer / Anti-Money-Laundering: identity verification, sanctions and PEP screening, suspicious-activity monitoring and SAR filing. A compliance officer signs the escalations. KYC/AML autopilot →
The foundational US AML law: financial institutions must keep records and file reports — SARs, CTRs — that help detect money laundering. KYC/AML autopilot →
A FinCEN filing a BSA Officer must sign when activity looks like laundering or fraud. The autopilot drafts it from the evidence; a human signs; it's never auto-filed. KYC/AML autopilot →
Checking a customer against lists of Politically Exposed Persons, who carry elevated bribery and corruption risk under AML rules.
US Foreign Corrupt Practices Act — prohibits bribery of foreign officials and requires accurate books and records. An anti-bribery control in procurement and payment-release flows, alongside sanctions and fraud screening. Procurement autopilot →
Fair Debt Collection Practices Act and the CFPB's Regulation F — contact limits (e.g. 7-in-7), required disclosures and prohibited practices in collections. Collections autopilot →
US fair-lending law: credit decisions must not discriminate on protected characteristics and must produce adverse-action notices. Lending autopilots carry disparate-impact testing as a gate. Mortgage autopilot →
Consent rules for calls/texts (TCPA) and caller-ID authentication (STIR/SHAKEN) — the constraints on any outbound voice or collections outreach. Collections autopilot →
Automated Underwriting Systems — Fannie Mae's Desktop Underwriter and Freddie Mac's Loan Product Advisor — that score a mortgage file (Approve/Refer for DU, Accept/Caution for LPA). A DE underwriter signs clear-to-close. Mortgage autopilot →
American Land Title Association standards governing title insurance and the closing/settlement process. A licensed officer signs the title and authorizes the wire. Title & escrow autopilot →
Uniform Standards of Professional Appraisal Practice — the independence and methodology rules a state-certified appraiser signs every report against. Appraisal autopilot →
A statistical model estimating property value from comparable sales — assistive input the appraiser reconciles, not a replacement for the signed opinion. Appraisal autopilot →
An insurer's unreasonable denial or delay of a valid claim — the liability that makes a licensed adjuster sign every denial and termination. Workers-comp autopilot →
Federal Motor Carrier Safety Administration — its SAFER data (authority, insurance, safety rating) is what a freight broker vets a carrier against before booking. Freight autopilot →
Harmonized System / Harmonized Tariff Schedule codes that classify imported goods for duty — the line items a licensed customs broker signs on the entry. Customs autopilot →
The party legally responsible for a customs entry's accuracy and duties — the accountability the human signature on a customs autopilot attaches to. Customs autopilot →
EU General Data Protection Regulation: legal basis for processing, data-subject rights, DPIAs, and lawful cross-border transfer. Fines reach €20M or 4% of global turnover. GDPR for agent products →
Data Protection Impact Assessment — a GDPR-required analysis before high-risk processing of personal data.
Payment Card Industry Data Security Standard — network segmentation, encryption, scoping (SAQ) and scanning for anyone handling card data. PCI-DSS for commerce →
EU regulation classifying AI systems by risk. High-risk systems owe a conformity assessment, technical documentation and logged human oversight. Fines reach €35M or 7% of turnover for prohibited practices, with lower tiers for other breaches. EU AI Act for AI systems →
The standard list of LLM application risks — prompt injection, sensitive-information disclosure, insecure output handling, excessive agency and more. OWASP LLM for agent products →
An attack where malicious input — typed by a user or embedded in content the agent reads, such as a web page, an email or a retrieved document — overrides an LLM's instructions to make it act against its operator. The top risk in production agent systems (OWASP LLM01), and the reason irreversible actions sit behind a human gate.
A design where AI does the volume but a human reviews and signs the decisions that carry liability — accountability built into the execution path, not bolted on after. How the gate works →
A short document describing an AI model's intended use, performance and limitations — an EU AI Act and AI-governance expectation for high-risk systems.
A step where a named, qualified human reviews and signs before the flow continues. Every irreversible action — payment, denial, filing — sits behind one.
The single named human who answers for what an autopilot does — closing the "the AI did it" accountability gap. Every flow declares one.
A stable per-run identifier threaded into an irreversible write so a retry never double-submits: the receiving system returns the stored result for a repeated key instead of writing again — no duplicate payment, claim or filing.
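How the retry stays safe, as an added illustration that is not GreatCTO code: the key is derived from the run, the step and a canonical form of the payload, and the endpoint (a constructed stand-in for a bank or payer API with idempotency support) replays its stored receipt when it sees the key again. The simulated lost response is the failure mode the key exists for: the write committed, the client never heard, and the retry must not pay twice.

```python
import hashlib
import json
from typing import Dict


class IrreversibleWriteEndpoint:
    """Constructed stand-in for a payment/claim/filing API (not a real service)."""

    def __init__(self) -> None:
        self.submitted: Dict[str, dict] = {}  # idempotency key -> stored receipt
        self.calls = 0                        # every attempt, retries included
        self.lose_next_response = False       # simulate "write committed, response lost"

    def submit(self, idempotency_key: str, payload: dict) -> dict:
        self.calls += 1
        if idempotency_key in self.submitted:
            # Replay: same key, same receipt, no second write.
            return self.submitted[idempotency_key]
        receipt = {"id": f"txn-{len(self.submitted) + 1}", "amount": payload["amount"]}
        self.submitted[idempotency_key] = receipt  # the irreversible write happens here
        if self.lose_next_response:
            self.lose_next_response = False
            raise ConnectionError("response lost after the write committed")
        return receipt


def idempotency_key(run_id: str, step: str, payload: dict) -> str:
    """Stable across retries of one run+step, different for any other payment.

    Canonical JSON (sorted keys, no whitespace) keeps key-order changes from
    producing a new key for the same logical write.
    """
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{run_id}|{step}|{canonical}".encode()).hexdigest()


def submit_with_retry(endpoint: IrreversibleWriteEndpoint, run_id: str, step: str,
                      payload: dict, attempts: int = 3) -> dict:
    """Retry on transport failure; the unchanged key makes each retry a replay."""
    key = idempotency_key(run_id, step, payload)
    last_err: Exception = RuntimeError("no attempts made")
    for _ in range(attempts):
        try:
            return endpoint.submit(key, payload)
        except ConnectionError as err:
            last_err = err
    raise last_err
```

The key is derived, not random, so a crashed worker that restarts the same run recomputes the same key and still cannot double-submit; a random per-attempt key would defeat the purpose.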
How much damage an action can do if it's wrong — the basis for tagging a step reversible or not, and for requiring a signature before high-blast actions.
The cases an autopilot clears end-to-end with no human touch — high-confidence, low-risk, reversible work. Everything else escalates.
The threshold below which the autopilot refuses to act autonomously and routes the case to a person. Tunable per function, audited per decision.
Tamper-evident record of every autonomous decision: who decided, what, on what evidence, at what confidence. The artifact a regulator actually asks for.
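One way to make such a log tamper-evident, as an added example rather than GreatCTO's implementation: each entry carries a MAC over its own fields plus the previous entry's MAC, so editing, deleting or reordering any entry breaks the chain from that point on. The key name and the sample decisions are constructed; in a real deployment the key would be held by a separate log service or HSM so a process that can write the store cannot also re-chain it.

```python
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64
# Constructed key for the example; production keeps it away from the writer.
LOG_KEY = b"example-only-do-not-use"


def _mac(key: bytes, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class DecisionLog:
    """Append-only, MAC-chained record of who decided what, on what evidence."""

    def __init__(self, key: bytes = LOG_KEY) -> None:
        self._key = key
        self.entries: List[dict] = []

    def record(self, actor: str, action: str, evidence: List[str], confidence: float) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "actor": actor,            # autopilot or the named human who signed
            "action": action,
            "evidence": evidence,
            "confidence": confidence,
            "prev": prev,              # links this entry to the one before it
        }
        tag = _mac(self._key, body)
        self.entries.append({**body, "mac": tag})
        return tag

    def first_broken(self) -> Optional[int]:
        """Index of the first entry that fails verification, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if (body["seq"] != i
                    or body["prev"] != prev
                    or not hmac.compare_digest(_mac(self._key, body), entry["mac"])):
                return i
            prev = entry["mac"]
        return None
```

Verification reports the first bad index rather than a bare boolean because that is what an investigator needs: every entry before it is still trustworthy evidence, everything from it onward is not.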
A domain's regulations turned into flow steps, reviewers, and gates — attached automatically to the matching autopilot. All packs →