Insights

Evergreen research and analysis on AI data privacy, compliance, and private AI deployment for regulated industries.

GLBA Safeguards, NAIC Bulletin, and ChatGPT: What Every Insurance Executive Needs to Know About AI Data Privacy in 2026

TL;DR — 5 key points

• GLBA Safeguards Rule now requires vendor oversight of AI tools touching policyholder NPI — most carriers are not in compliance.

• NAIC Model Bulletin (adopted by 24+ states) puts the AI compliance burden on the carrier, not the vendor — you cannot outsource accountability.

• NY DFS Circular Letter No. 7 (July 2024) is actively examining AI vendor data flows; public LLM exposure is a documented examination concern.

• Samsung, Redis, and ChatGPT macOS incidents illustrate that the risk is not just external attacks — it is architecture failures in tools your employees use daily.

• Private AI deployment is the only architecture that satisfies both GLBA data sovereignty and NAIC 668 audit trail requirements.

Read the full guide →

ITAR, NERC CIP & AI Privacy: The Manufacturing Exposure Problem (2026)

TL;DR — 5 key points

• Pasting ITAR-controlled technical data into ChatGPT may already be a crime — up to $1M per knowing violation under the Arms Export Control Act.

• Public LLMs defeat your trade secret protection. The DTSA requires "reasonable measures" — ChatGPT almost certainly fails that standard.

• NERC CIP compliance prohibits operational data in shared infrastructure. Public LLM API calls carrying SCADA data amount to per-day CIP violations.

• Your supplier NDAs are being breached by your own engineers. ChatGPT Enterprise is a third-party service under every major OEM NDA.

• Air-gapped private AI infrastructure fixes this without forcing your engineers to give up the productivity gains. Build cost: $35K–$55K.

Read the full guide →