u/Wild-Annual-4408

77% of employees are pasting confidential data into ChatGPT and doing it from personal accounts IT can't monitor

AI has apparently overtaken USB drives and insecure email as the leading vector for corporate-to-personal unauthorized data movement.

What makes this genuinely hard is that the Samsung and JPMorgan incidents weren't junior employees ignoring policy. These were technically sophisticated organizations. The CISA acting director had a ChatGPT leak incident. The problem isn't policy awareness, it's judgment in the moment. People know the policy exists and paste anyway because the friction of stopping feels higher than the perceived risk.

Blocking AI tools entirely doesn't work either. You end up with shadow AI on personal phones and the same exposure, just less visible.

Curious how others in this community are actually handling the personal-account problem specifically. Technical controls on corporate devices get you maybe halfway there. What's the other half?

u/Wild-Annual-4408 — 7 days ago

Berkshire, Chubb, Travelers getting AI exclusions approved in most states—what are you seeing on renewals?

Just came across reporting that Berkshire Hathaway, Chubb, and Travelers have won approval to exclude AI-related damages from general liability policies in over 80% of their state requests. The article mentioned underwriters are now explicitly asking for evidence of AI governance controls during renewals.

I work on the risk side at a mid-size company that's been piloting AI tools across ops and customer service. We haven't hit renewal yet, but this is making me wonder what our broker conversation is going to look like in Q3.

Anyone here already navigating this? Are carriers actually walking through your AI use cases, or is it still high-level checkboxes? And if they're asking for "documented governance controls," what does that even look like in practice? Is it policies, training records, audit trails, all of the above?

Curious what the underwriting questions have been for those of you who've already been through a renewal cycle in 2026.

u/Wild-Annual-4408 — 10 days ago

The EU AI Act's Article 4 human oversight requirements took effect August 2025. No grace period. For high-risk AI systems, the regulation doesn't just say "have a human in the loop." It says that human must be competent to understand the system, interpret outputs, and decide when not to use or override them.

Most of the compliance programs I'm seeing focus on documentation: training completion logs, policy acknowledgments, attestation forms. But when an auditor or regulator asks "show me your team can actually evaluate AI output," a completion certificate doesn't answer that question.

The gap: we're training people to USE AI (prompt engineering, tool access, efficiency gains) but not to EVALUATE it (spot hallucinations, verify sources, assess confidence, know when to override). Different skill, different evidence requirement.

I'm curious how other compliance teams are approaching the competency documentation piece. Are you building assessment into your AI training programs? Using scenario-based testing? Relying on manager attestation?

What does "audit-defensible evidence of AI judgment competency" actually look like in practice?

u/Wild-Annual-4408 — 18 days ago
▲ 5 r/edtech

For EdTech folks and district leaders: how is this playing out on the ground? Are districts waiting for state mandates, or building policies proactively? The July 1 deadline in Ohio is two months away; I'm curious if that's enough time to build anything coherent or if it's going to be a scramble to meet compliance.

Also wondering about the enforcement angle. A policy that says "require human oversight" is easy to write, much harder to verify in practice.

u/Wild-Annual-4408 — 21 days ago