2 posts tagged with "Human-in-the-Loop"

SOX Section 302 requires the CEO and CFO to personally certify that financial reports are accurate and that they've reviewed the controls over financial reporting. Section 906 makes false certifications a criminal offense — up to 20 years in prison.

When an AI agent is generating financial reports, running disclosure checks, or preparing SEC filings, those certifications still apply. The executives signing them need to be able to vouch for the process that produced the numbers.

That's only possible if the AI's actions are auditable, the outputs are traceable to specific data sources, and a human reviewed the result before it was filed.

HIPAA was written in 1996. AI agents weren't part of the threat model. But the obligations translate directly: any AI agent that accesses, uses, or discloses Protected Health Information (PHI) is subject to the same rules as any other HIPAA-covered entity or business associate.

That means the clinical documentation AI, the patient communication bot, the diagnostic support tool, the prior authorization agent — all of them need HIPAA controls built in at the infrastructure level, not just the application level.