What is safe, controlled, or prohibited.
These patterns reflect common regulatory expectations across banking, insurance, audit, and fund services. Green zone means safe to use, amber zone means permitted only under controls (private tenant, redaction, audit trail), and red zone means prohibited. The classification of the data involved, not the AI vendor, dictates whether a use case is allowed.
Banking
Green zone
- Code scaffolding with synthetic data
- Policy documentation and controls mapping
- Internal knowledge summaries (approved sources)
Amber zone
- Private-tenant RAG over internal policies
- Incident report drafting with redacted data
Red zone
- Client transactions or account data in public AI
- KYC packages or regulatory filings in open chat
Insurance
Green zone
- Process documentation and underwriting templates
- Test generation with synthetic claims data
Amber zone
- Claims support summaries in private tenant
- Call-center scripts from approved playbooks
Red zone
- Raw claims files or medical data in public AI
- PII and PHI in non-auditable tools
Audit & Assurance
Green zone
- Engagement templates and audit checklists
- Sampling methodology explainers
Amber zone
- Evidence indexing with strict redaction
- Private AI over approved working papers
Red zone
- Client trial balances or payroll data in public AI
- Any uncontrolled model training on client data
Funds & Asset Management
Green zone
- Investor report templates (no identifiers)
- Operational checklists and SOPs
Amber zone
- NAV support summaries in private tenant
- Policy Q&A over approved docs
Red zone
- Holdings, positions, or investor identities in public AI
- Non-public performance data in open chat