GDPR compliance for AI workloads
GDPR doesn't change for AI: lawful basis, minimization, and the right to explanation still apply. Prism produces the records each Article expects.
- Article 22 safeguards for automated decisioning
- Article 25 data protection by design through PII redaction
- Article 30 records of processing for AI workloads
- Article 33 breach evidence within 72 hours
About this framework
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), is the EU's general privacy framework. It applies to any organization processing personal data of EU residents, regardless of where the controller is based. AI does not get a carve-out — Article 22 in particular gives data subjects rights regarding solely automated decisions with legal or similarly significant effects. The EDPB has issued AI-specific guidance reaffirming this.
Who needs to comply
Industries this applies to
Any controller of EU personal data
GDPR applies extraterritorially, so it covers AI processing of EU personal data wherever that processing takes place.
Banking
Credit decisioning AI implicates Art. 22; KYC AI implicates Arts. 6, 9, 25.
Insurance
Underwriting and claims AI processing health/financial data.
Healthcare
Special-category data under Art. 9 with strict additional safeguards.
Mapping
GDPR Articles and Prism
| Obligation | Capability | Evidence |
|---|---|---|
| Art. 22 — automated decisioning | Prism Agent Trajectories | Per-decision step record demonstrating human-meaningful logic, not just a model output |
| Art. 25 — data protection by design | Prism Guardrails (PII redaction at ingestion) | PII never lands in storage; documented in the DPIA |
| Art. 30 — records of processing | Prisms + Audit Export | Per-interaction record exportable as Art. 30 evidence |
| Art. 33 — breach notification | Prism Sessions + Prism X Audit Events | 72-hour reconstruction of any AI-related incident |
Built for: EU controllers and processors deploying AI on personal data