Reference documents on AI defensibility under named frameworks
Substantive treatment of what each framework actually requires of AI-assisted workflows, where the exposure surfaces sit, and how to document defensibility. Published as standing methodology — intended to be cited, debated, and built into a custodian's governance file.
Regulated professionals using AI in their workflows face a documentation gap. The regulatory frameworks that govern their work (PHIPA, Title 21, Reg S-P, GLBA, Bill 25) predate generative AI. The frameworks still apply — but the documentation needed to demonstrate compliance has not yet been written for most practices.
This section publishes ArcaKey's methodology for thinking about AI defensibility under each named framework. Each document treats one framework substantively: what the statute actually requires, where AI-assisted workflows expose risk, what defensibility documentation looks like in practice, and a self-audit checklist a custodian can run without engaging any external party.
Each methodology document is grounded in named external standards. Each cites the statutory provisions, agency guidance, and NIST publications that underpin the analysis. Each is reviewed quarterly by the framework owner — a credentialed external expert in the framework's domain — to keep it current as regulation evolves.
None of these documents are legal counsel. They are reference methodology, intended to be the starting framework for a custodian's own analysis. Where any finding requires legal interpretation, the documents flag it explicitly and recommend engaging counsel.
Reference documents
AI Scribe Defensibility
Live · Ontario · response to the 2026 Auditor General report on AI Scribe systems
Substantive response to Section 4.3 + Recommendations 5–9 of the Office of the Auditor General of Ontario's 2026 Performance Audit. Each finding turned into a positive design requirement. Includes the Accuracy Gate pattern, a defensible-RFP criteria framework, and a 9-point self-audit checklist for clinics evaluating AI scribes.
PHIPA
Live · Ontario · health information custodians
AI defensibility under Ontario's Personal Health Information Protection Act. Statutory framing, exposure points, the encryption triad applied to clinical workflows, 9-point self-audit checklist.
Title 21 (FDA)
Forthcoming · United States · pharmaceutical + biotech regulatory affairs
AI defensibility under U.S. FDA 21 CFR Parts 11, 312, 314 + ICH E6(R3) + the 2024 FDA AI guidance. For IND amendments, FDA correspondence, sponsor periodic reports.
Reg S-P
Forthcoming · United States · investment advisers + RIAs
AI defensibility under SEC Regulation S-P + the Investment Advisers Act. For client communications, internal research, advisory documentation.
How to use these documents
Each document is structured the same way. Read it as a reference, not a tutorial. The sequence inside each document moves from statutory framing (what the framework requires) to exposure mapping (where AI workflows surface risk) to documentation pattern (what defensibility actually looks like on paper) to self-audit checklist (concrete questions a custodian can answer about their own practice).
Most readers come to one of these documents with a specific question — 'does my current AI tooling meet the standard?' — and find the self-audit checklist section first. That is the correct entry point for that use case. The framing sections support that read by making the standard explicit.
Some readers come for the citations — sponsors asking for documentation grounded in named external standards, counsel preparing a regulator response, or board-level governance officers building their AI policy. The sources section at the end of each document is the start point for that use case.
Each document is freely accessible. No registration. No download wall. No follow-up email sequence. The discipline behind publishing them this way is the same discipline behind the encryption-triad framework: substantive material made available where the right reader will find it.
Each methodology document is reference content, not legal counsel. ArcaKey AI is not a law firm and does not practice law. Where a finding in any document requires legal interpretation, the document explicitly recommends engaging counsel qualified in the relevant jurisdiction and framework.