Executive Summary
When a lawyer asks an AI assistant to analyze a client contract, the contract text transits through the AI provider's servers. When a doctor asks an AI to summarize patient notes, the patient data reaches the provider's infrastructure. When a financial adviser asks an AI to review a portfolio, the portfolio details travel across the internet to a data center operated by a third party.
In each case, the professional has created a compliance obligation. The contract text may be subject to attorney-client privilege. The patient notes are protected under HIPAA. The portfolio data falls under SEC regulations and state privacy laws. The moment this data reaches a third-party server, the professional must verify that the server operator meets the applicable compliance standard -- or accept the regulatory risk of non-compliance.
This paper examines the compliance landscape that AI usage creates for regulated professionals, the architectural distinction between transient inference and persistent storage, and why local-first AI architecture is not just a privacy preference but a regulatory necessity.
1. The Compliance Problem
1.1 Every AI Query Is a Data Transfer
When you type a question into ChatGPT, you are making a data transfer. The text of your query leaves your device, travels across the internet, reaches OpenAI's servers, is processed, and a response is returned. The same is true for Claude (Anthropic's servers), Gemini (Google's servers), and any other cloud AI service.
For consumer use -- asking about recipes, drafting personal emails, brainstorming vacation plans -- this data transfer is unremarkable. For professional use in regulated industries, it triggers a cascade of compliance requirements:
Healthcare (HIPAA). Any transfer of protected health information (PHI) to a third party requires a Business Associate Agreement (BAA). The third party must implement specific safeguards, maintain audit trails, and report breaches. OpenAI offers BAA-eligible plans through ChatGPT Enterprise, but not through ChatGPT Plus. A doctor using the consumer plan with patient data is in violation.
Legal (attorney-client privilege). Attorney-client communications are privileged. Transmitting client information to a third-party AI service may constitute a waiver of privilege if the transmission is not adequately protected. The American Bar Association's 2025 guidance on AI usage emphasized that lawyers must 'exercise reasonable efforts to prevent inadvertent or unauthorized disclosure' when using AI tools with client data.
Financial (SEC, FINRA, state regulations). Financial professionals handling client data must comply with Regulation S-P (safeguarding customer information), FINRA's cybersecurity rules, and various state privacy laws. Transmitting portfolio data to an AI service creates a vendor relationship that must be documented and audited.
General (GDPR, CCPA). For professionals handling personal data of European or Californian residents, AI usage creates data processing obligations. GDPR requires a lawful basis for processing, a data processing agreement with any third-party processor, and the right of data subjects to know where their data is processed.
1.2 The Compliance Cost
PwC's 2025 AI Governance Survey found that enterprises maintain compliance documentation for an average of 4.3 AI vendors, at an average compliance cost of $47,000 per vendor per year (PwC, 2025). This cost includes legal review, data processing agreements, audit preparation, and ongoing monitoring.
For a law firm, accounting practice, or medical group with 20-50 professionals, the compliance overhead of using cloud AI tools can exceed the cost of the AI subscriptions themselves. Gartner's 2025 AI Governance Survey found that 47% of enterprises have restricted or banned the use of consumer AI tools due to data residency concerns (Gartner, 2025).
The compliance problem is not that cloud AI is inherently unsafe. It is that cloud AI creates a compliance obligation that is expensive to satisfy, risky to ignore, and unnecessary if the architecture eliminates the data transfer entirely.
2. Transient vs. Persistent: The Critical Distinction
2.1 What the Provider Sees
The compliance risk of AI usage depends on two factors: what data reaches the provider's servers, and how long it stays there.
Most AI providers maintain data retention policies that specify how long user queries are stored:
| Provider | Data Retention | Training on Your Data? | BAA Available? |
|---|---|---|---|
| OpenAI (Consumer) | 30 days | Yes (free tier), opt-out available (Plus) | No |
| OpenAI (Enterprise) | 0 days (no retention) | No | Yes |
| Anthropic | 30 days | No (by default) | Enterprise only |
| Google (Consumer) | Up to 18 months | Yes (free tier) | No |
| Google (Enterprise) | Configurable | No | Yes |
Enterprise plans exist to address compliance requirements -- but they come at enterprise pricing ($60-100/seat/month), require organizational procurement, and are unavailable to solo practitioners, small firms, and independent professionals.
A solo attorney who uses ChatGPT Plus ($20/month) to analyze client contracts is sending privileged information to OpenAI's servers with a 30-day retention period and no BAA. The compliance exposure is real, and the enterprise-grade solution that would mitigate it costs 3-5x more and requires an organizational contract.
2.2 Kent's Architectural Separation
Kent's architecture creates a clean separation between persistent intelligence and transient inference:
Persistent intelligence (local). The knowledge graph, conversation history, skill library, configuration, and all accumulated context live on the user's device. This data never leaves the machine. It is not subject to any provider's data retention policy. It does not trigger any data processing obligation with any third party.
Transient inference (cloud or local). When a user executes a skill or asks a question, Kent constructs a prompt from the skill template and relevant context, sends it to the configured AI provider, and receives a response. The provider sees the prompt and generates a response. This is a transient computation -- no different, architecturally, from a web search.
The critical difference: the provider never sees the full knowledge graph. It never sees the conversation history. It never sees the accumulated context that makes Kent's responses contextually rich. It sees only the current query with the minimum relevant context needed to generate a useful response.
This separation means that the compliance surface is limited to the content of individual queries -- not to the entire corpus of user knowledge. A lawyer who asks Kent to 'summarize this contract clause' sends the clause text to the provider. The lawyer's complete client file, case history, and work product remain local.
2.3 The Ollama Option: Zero Compliance Surface
For the most sensitive queries, Kent supports fully local inference through Ollama. When configured for private mode, Kent processes queries using open-source models running on the user's hardware. Zero network calls. Zero data transfer. Zero compliance surface.
The query never leaves the machine. The response is generated locally. No provider is involved. No data processing agreement is needed. No BAA is required. No audit trail extends beyond the user's own device.
This is the compliance equivalent of thinking in your head rather than saying it out loud. The data was never transmitted, so no transmission-based regulation applies.
3. Regulatory Landscapes
3.1 Healthcare: HIPAA and Beyond
HIPAA's Privacy Rule applies to 'covered entities' (healthcare providers, health plans, healthcare clearinghouses) and their 'business associates' (entities that perform functions involving PHI on behalf of covered entities). When a healthcare provider uses a cloud AI service with patient data, the AI provider becomes a business associate and must sign a BAA.
The problem: consumer AI plans do not offer BAAs. ChatGPT Plus, Claude Pro, and Gemini Advanced are consumer products. Using them with PHI is a HIPAA violation regardless of how the provider handles the data internally.
Kent with Ollama eliminates this problem entirely. PHI stays on the provider's device. No business associate relationship is created. No BAA is required. The healthcare provider maintains full HIPAA compliance because no covered data was transmitted to a third party.
Kent with cloud providers creates a reduced compliance surface: only the specific query content reaches the provider, not the full patient record. Whether this requires a BAA depends on whether the query content itself constitutes PHI -- a determination that is much simpler when the query is a targeted question rather than a bulk data transfer.
3.2 Legal: Privilege and Confidentiality
The American Bar Association's 2025 Formal Opinion on AI usage in legal practice established three principles:
- Lawyers must understand how AI tools process client information before using them
- Lawyers must exercise reasonable efforts to prevent unauthorized disclosure
- Lawyers must inform clients about AI usage when it may affect the representation
The practical implication: a lawyer who sends client data to a cloud AI service must understand the provider's data handling practices, ensure they meet confidentiality standards, and potentially disclose the usage to the client.
Kent's architecture simplifies this analysis. The knowledge graph (containing the full client file) never leaves the lawyer's device. Cloud inference receives only the specific text the lawyer highlights and the skill template. The compliance question narrows from 'did I send my entire case file to a third party?' to 'did I send this specific clause to a third party for summarization?'
For the most sensitive matters -- merger negotiations, litigation strategy, privileged communications -- Ollama provides fully local inference with zero confidentiality risk.
3.3 Finance: Regulation S-P and Data Protection
Financial professionals are subject to SEC Regulation S-P, which requires firms to adopt written policies for protecting customer information. FINRA's cybersecurity rules add additional obligations for broker-dealers. State regulations (particularly New York's NYDFS Cybersecurity Regulation) impose specific technical requirements on financial services firms.
Cloud AI usage with customer financial data triggers vendor management obligations under all of these frameworks. The financial firm must conduct due diligence on the AI provider, execute a written service agreement, monitor the provider's security practices, and include the relationship in regulatory filings.
Kent's local-first architecture eliminates these obligations for the knowledge graph (which contains the persistent customer context) and reduces them for transient inference (which contains only query-specific content). The regulatory burden is proportional to the data exposure -- and Kent minimizes the exposure by design.
3.4 GDPR: Data Processing in the AI Age
The EU's General Data Protection Regulation requires a lawful basis for processing personal data, a data processing agreement with any third-party processor, and the ability to honor data subject requests (access, deletion, portability).
For European professionals using cloud AI, GDPR creates specific challenges:
- The AI provider is a 'data processor' who must be governed by a data processing agreement
- Data transfers outside the EU (to US-based AI providers) require additional safeguards under the EU-US Data Privacy Framework
- Data subject access requests may extend to the AI provider's stored data about the subject
Kent's architecture provides a clean GDPR posture. Personal data in the knowledge graph is processed locally -- no third-party processor is involved, and the user is both the controller and the processor. Transient queries to cloud providers contain only the minimum data necessary for the specific task, which can be framed as a legitimate interest processing activity with a minimal data footprint.
4. The Export Control Dimension
4.1 When Compliance Meets Geopolitics
The Fable 5 episode added a new dimension to the compliance landscape: export controls applied to AI models mid-deployment. For regulated professionals, this creates a dual risk:
Direct risk. If the AI provider you use for regulated work is suspended by a government directive, your workflows are disrupted. Patient summaries do not get written. Contract analyses do not get completed. Portfolio reviews do not happen. The regulatory requirements for your work do not pause because your AI provider was suspended.
Indirect risk. If your AI provider is suspended and your accumulated professional context (patient history, case notes, financial records) was stored on the provider's servers, that data is now inaccessible. You cannot serve your clients because you cannot access the information you need to serve them.
Kent eliminates both risks. The knowledge graph is local -- it cannot be suspended by a government directive against an AI provider. The skill library is local -- it does not depend on any provider's platform. The routing switches to an alternative provider in seconds, and the local Ollama fallback operates with zero provider dependence.
4.2 The Compliance Advantage of Local-First
The compliance advantage of local-first AI can be summarized in one sentence: you cannot create a compliance obligation with data that never leaves your device.
No BAA is needed for data that is never shared with a business associate. No data processing agreement is needed for data that is never sent to a processor. No export control can restrict data that never crosses a border. No attorney-client privilege can be waived by a transmission that never happens.
Local-first is not just a privacy preference. It is a compliance architecture. For regulated professionals, it is the difference between navigating a complex web of vendor agreements, audit requirements, and regulatory obligations -- and simply doing their work with AI tools that keep their data on their own machine.
Conclusion
The regulatory landscape for AI usage is not getting simpler. HIPAA enforcement is increasing. Bar associations are tightening AI guidance. Financial regulators are adding AI-specific requirements. GDPR enforcement actions are growing in frequency and severity. Export controls on AI models are now precedent.
Every one of these regulatory pressures creates friction for cloud-first AI usage. Every one of them is eliminated or substantially reduced by local-first AI architecture.
Kent does not argue that cloud AI should not be used in regulated industries. Cloud inference is a powerful capability that produces better results than local models for many tasks. The argument is that persistent intelligence -- the knowledge graph, the accumulated context, the professional memory -- should never leave the user's device. The provider should receive transient queries and return transient responses. The intelligence stays local.
Your data. Your device. Your jurisdiction.
References
- PwC. (2025). 'AI Governance and Compliance Cost Survey.'
- Gartner. (2025). 'AI Governance Survey: Enterprise AI Risk Management Practices.'
- American Bar Association. (2025). 'Formal Opinion on AI Usage in Legal Practice.'
- U.S. Department of Health and Human Services. (2013). 'HIPAA Privacy Rule.' 45 CFR Part 164.
- Securities and Exchange Commission. (2000). 'Regulation S-P: Privacy of Consumer Financial Information.'
- European Commission. (2016). 'General Data Protection Regulation.' Regulation (EU) 2016/679.
- New York Department of Financial Services. (2023). 'Cybersecurity Regulation.' 23 NYCRR Part 500.
Published by Kent Research, July 2026. This paper is intended for informational purposes and does not constitute legal, regulatory, or compliance advice. Professionals should consult qualified counsel for guidance specific to their jurisdiction and practice area.