Built to Protect What You Bring Into the Room.

Every decision rehearsal involves sensitive context — market intelligence, financial projections, strategic options that haven't been announced. MAIA's compliance architecture ensures that what you share stays protected, what MAIA outputs stays defensible, and your organization stays on the right side of the regulations that govern your industry.

16 Industries with dedicated compliance rule sets
49 Structured DIAA detection patterns across all industries
71 LAA prohibited language rules with compliant rewrites
0 Bytes of flagged content retained after detection

The Four-Layer Compliance Architecture

Most AI compliance strategies are a policy document and a terms-of-service clause. MAIA's compliance is running code — four independent layers, each operating at a different point in the pipeline, each enforceable without relying on the others.

L1 · Agent-level · Industry Agent Compliance Constraints
Every one of MAIA's 47 specialized agents carries a compliance envelope embedded in its governing rules — a defined scope of what it is authorized to analyze, what language it is prohibited from producing, and what patterns in its own reasoning require escalation before output is delivered. Compliance is architecture, not policy. When an agent's rules update, its compliance constraints update with it.

L2 · Pre-session gate · Navigator Policy Acknowledgment
Before a rehearsal begins, the Navigator confirms they understand the data handling obligations and prohibited input categories for their selected industry. First-session acknowledgment is comprehensive — covering universal rules and all industry-specific constraints. Return users in the same industry see a single-line confirmation. Changing industries triggers the new industry's full rule set. Every acknowledgment is timestamped and written to the session record.

L3 · Input boundary · Data Ingestion Audit Agent (DIAA)
Scans every input — uploaded documents, typed context, connector-sourced data — before it enters the pipeline. DIAA runs before redaction, on raw data, so it sees the full signal before credentials and secrets are masked. It holds prohibited content, notifies the Navigator in plain language, logs only the flag event (never the content itself), and offers three resolution paths: remove and resubmit, proceed without the source, or abort the session. Flagged content is discarded immediately — zero data retention on every flag.

L4 · Output boundary · Language Audit Agent (LAA)
Reviews every stage output before it reaches the Navigator. The LAA enforces three dimensions simultaneously: the universal MAIA language standard (MAIA surfaces and reveals — it never decides or mandates), your industry's prohibited language patterns (no investment advice, no clinical recommendations, no legal opinions), and scope boundary enforcement (MAIA cannot claim capabilities it does not have or frame rehearsal outputs as binding organizational commitments). Minor violations are rewritten silently. Industry-specific violations surface a brief plain-language notice. Outputs that cannot be rewritten compliantly are held and regenerated.

The compliance layer is invisible in normal operation. Neither DIAA nor LAA surfaces to the Navigator unless a flag is triggered. When a flag fires, you receive a brief plain-language notice — no rule citations, no agent names, no technical compliance language. The system is a guardrail, not an interrogation.

Every flag event from both agents writes to the session compliance audit log: timestamp, industry, stage, flag category, action taken. content_logged is always false. The flagged content is never recorded. Only the event is.

16 Industries. Every one governed.

MAIA launched with 14 industry profiles. The compliance architecture adds two more — Nonprofit/NGO and a Generic/Cross-industry fallback mode — bringing total coverage to 16. Each industry has its own dedicated compliance rule set: detection patterns for DIAA, prohibited language rules for LAA, scope boundaries, governing bodies, and ZDR requirements.

FS · Financial Services · 5 DIAA patterns · SEC, FINRA, OCC
HC · Healthcare Delivery · 4 DIAA patterns · HIPAA, HITECH, CMS
LS · Life Sciences & Pharma · 4 DIAA patterns · FDA, EMA, ICH
EU · Energy & Utilities · 3 DIAA patterns · FERC, NERC, NRC
MF · Manufacturing · 4 DIAA patterns · OSHA, EPA, ITAR/EAR
SC · Supply Chain & Logistics · 3 DIAA patterns · CBP, OFAC, BIS
ST · Enterprise SaaS & Cloud · 3 DIAA patterns · FTC, CCPA/CPRA, SOC 2
TC · Telecommunications · 3 DIAA patterns · FCC, CALEA, ITU
MI · Media & Information · 2 DIAA patterns · FTC, state privacy
RC · Retail & Consumer · 2 DIAA patterns · FTC, CCPA, PCI DSS
PS · Public Sector · 3 DIAA patterns · FedRAMP, FISMA, APA
DA · Defense & Aerospace · 5 DIAA patterns · ITAR, EAR, CMMC, DoD
TM · Transportation & Mobility · 2 DIAA patterns · DOT, FAA, TSA
ER · Education & Research · 3 DIAA patterns · FERPA, COPPA, IRB
NP — New · Nonprofit & NGO · 2 DIAA patterns · IRS, state AG offices
GI — Fallback · Generic / Cross-industry · Max caution mode · all universal patterns

The two new additions matter for different reasons. Nonprofit/NGO was added because nonprofit boards carry genuine fiduciary duties — documenting that major decisions were stress-tested is a governance asset, not a compliance burden, and MAIA's Visual Intelligence Package serves that purpose directly. Generic/Cross-industry is the compliance fallback mode: when MAIA cannot confirm a specific industry from the session context, it activates maximum-caution mode — all universal detection patterns active — and notifies the Navigator that industry-specific rules could not be confirmed.

Data Ingestion Audit Agent — How It Works

DIAA operates at the input boundary of the pipeline. Before any Navigator-supplied data enters agent processing, DIAA scans it against two pattern sets: universal patterns that fire regardless of industry, and the industry-specific patterns loaded from the active industry's compliance rule set.

Universal detection patterns (all industries)

These fire on every session regardless of which industry is selected:

Industry-specific pattern types

Each of the 49 industry-specific patterns is structured as a typed, executable object — not prose guidance. Each pattern carries an ID, description, type, keyword list or regex, context requirements, proximity window, flag category, and severity level. DIAA executes these directly against input text.

Pattern types in use:

  keyword_proximity — keyword present within N words of a context marker.
  regex — direct pattern match against input text.
  keyword_list — any keyword match triggers flag.
  pattern_combination — multiple signals required together.
  structural_scan — document structure analysis for classified header patterns.

What happens on a flag

When DIAA identifies a prohibited data pattern, it executes a four-step sequence:

  1. Hold — The flagged data is withheld from the pipeline. Processing does not continue with flagged content.
  2. Notify — The Navigator receives a plain-language notice identifying the flag category and the action required. No rule citations. No agent names.
  3. Log — The flag event is written to the session compliance audit log: timestamp, session ID, flag category, industry, stage, action taken. The flagged content itself is never logged.
  4. Offer — The Navigator is offered three options: remove or redact and resubmit; proceed without the flagged source; abort the session.

Zero Data Retention on every flag

When DIAA or LAA flags prohibited content, that content is discarded immediately. The audit log records the event — timestamp, industry, stage, flag category — but never the content itself. content_logged is hardcoded to false in the audit log schema. This is not configurable. It is not a policy setting. It is an architectural constraint that cannot be loosened without a code change and a documented legal sign-off.
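A minimal sketch of the mechanism described above (one keyword_proximity pattern, the hold and log steps, and an event record that has no way to carry content), added here as an illustration; it is not MAIA's code. The `Pattern` class, every log key name other than `content_logged`, the `ingestion` stage label, the `EX-001` pattern and the sample inputs are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Pattern:              # hypothetical shape; attributes follow the page's list
    id: str
    type: str               # only "keyword_proximity" is implemented below
    keywords: tuple
    context: tuple          # context markers
    window: int             # max distance, in words, between keyword and marker
    flag_category: str
    severity: str

def matches(p, text):
    """keyword_proximity: any keyword within p.window words of a context marker."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    kw = [i for i, w in enumerate(words) if w in p.keywords]
    ctx = [i for i, w in enumerate(words) if w in p.context]
    return any(abs(i - j) <= p.window for i in kw for j in ctx)

def audit_event(p, session_id, industry, stage, action):
    """Builds the log record from metadata only; it has no parameter for input text."""
    return {
        "session_id": session_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "agent": "DIAA", "industry": industry, "stage": stage,
        "flag_category": p.flag_category, "action_taken": action,
        "navigator_notified": True, "resolution": "pending",
        "content_logged": False,
    }

def scan(sources, patterns, session_id, industry, log):
    """Hold flagged sources, log one event per hold, return only clean sources."""
    clean = {}
    for name, text in sources.items():
        hit = next((p for p in patterns if matches(p, text)), None)
        if hit is None:
            clean[name] = text
        else:  # held: the text is not forwarded and never reaches the log
            log.append(audit_event(hit, session_id, industry, "ingestion", "held"))
    return clean

# Constructed pattern and inputs, for illustration only.
MNPI = Pattern("EX-001", "keyword_proximity", ("earnings", "merger"),
               ("unannounced", "nonpublic"), 5, "material_nonpublic_info", "high")
SOURCES = {
    "memo.txt": "Draft notes on the unannounced merger with our largest supplier.",
    "brief.txt": "Public earnings were released last quarter and widely covered.",
}
```

Calling `scan(SOURCES, [MNPI], "sess-1", "Financial Services", log)` with an empty list for `log` returns only `brief.txt` and appends a single event. Because `audit_event` takes no text argument, the no-content property holds by construction and does not depend on a flag being set correctly.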

0 bytes retained on flag

Language Audit Agent — How It Works

LAA operates at the output boundary of every pipeline stage. Before any agent output reaches the Navigator, LAA reviews it across three independent dimensions. Normal operation is silent — the Navigator never sees LAA working. When a flag fires, the Navigator receives a brief notice. In severe cases where output cannot be rewritten compliantly, it is held and the stage regenerates.

Three audit dimensions

Dimension 1 — MAIA Language Standard. Enforced universally, every output, every stage, regardless of industry. MAIA surfaces, reveals, supports, and enables. MAIA never decides, mandates, forces, directs, or recommends. Minor violations are rewritten automatically without Navigator notification.

Dimension 2 — Industry Prohibited Language. Each industry's compliance rule set defines specific prohibited phrases and their compliant rewrites. Investment advice language in Financial Services. Clinical recommendation language in Healthcare. Legal opinion language in Legal Services. ITAR classification determinations in Defense. When LAA detects these patterns, it rewrites to the pre-defined compliant version and surfaces a brief inline notice.

Dimension 3 — Scope Boundary Enforcement. MAIA must not claim capabilities it does not have, assert certainty beyond what evidence supports, or frame rehearsal outputs as binding organizational commitments. Overreach language is flagged and softened.

The MAIA Language Standard

MAIA's language standard is the simplest and most powerful compliance protection in the system. It keeps MAIA clearly in the decision support category — never the decision making category, which is where AI regulation is concentrating across financial services, healthcare, insurance, and legal. The LAA enforces this automatically on every output before the Navigator sees it.

Never in MAIA output:
MAIA decides / MAIA mandates / MAIA requires
This will happen / This is certain / Guaranteed outcome
You must / You should [as a MAIA directive]
As a legal / medical / financial expert
MAIA recommends this trade / treatment / position
The answer is / The conclusion is [stated as fact]
This is HIPAA compliant / ITAR exempt / legally permitted

Always in MAIA output:
This rehearsal surfaces / reveals / enables
Rehearsal evidence suggests / indicates
The Navigator may consider
This analysis maps / models / traces
MAIA surfaces the following considerations
For Navigator and advisor review
Rehearsal evidence surfaces considerations that [professional] may evaluate

The language standard is a regulatory buffer. It keeps MAIA clearly positioned as a decision support tool across every industry where AI regulation is most active. No output from MAIA constitutes investment advice, medical advice, legal opinion, actuarial determination, or regulatory compliance guidance.

The Compliance Audit Log

Every flag event from both DIAA and LAA writes a structured record to the session compliance audit log. The log travels with the session — it is embedded in the Visual Intelligence Package that exports when the rehearsal completes. Enterprise compliance officers and legal reviewers can access it from the package metadata. No separate compliance dashboard is required. The record ships with the decision brief.

Each log entry records: session ID, timestamp (UTC), agent (DIAA or LAA), active industry, pipeline stage, flag category, action taken, whether the Navigator was notified, and resolution status. content_logged is always false. No log entry ever contains the text that triggered the flag.

Audit trail as a governance asset. In industries where decision documentation is required — financial services, healthcare governance, nonprofit boards, government — MAIA produces a documented record of structured decision-making by design. The compliance audit log embedded in the Visual Intelligence Package demonstrates not just what decision was made, but that the process of making it was governed, stress-tested, and compliant. That record is available for board review, regulatory examination, and legal audit without any additional work.

How MAIA Compares on Compliance

Capability | MAIA Decision OS | Strategy consultant | Generic AI assistant
Industry-specific input scanning | 49 structured patterns, 16 industries | Practitioner-dependent
Prohibited language enforcement on output | 71 LAA rules, automatic rewrite | Manual review
Zero data retention on flagged content | Architecturally enforced | Policy-dependent
Compliance audit trail with deliverable | Embedded in Visual Intelligence Package | Separate engagement record
Navigator acknowledgment gate pre-session | Industry-specific, timestamped | Engagement letter
Standalone ZDR deployment for regulated industries | Cloudflare-hosted, no Claude accounts required | N/A
Language standard enforcement — no advice framing | Automatic, every output, every stage | Attorney review required

What This Means for Your Role

Enterprise IT & Legal
The governance infrastructure that gets AI past your review — not around it
DIAA and LAA are running code, not policy documents. Every flag is logged. Every rewrite is documented. The compliance audit trail ships with the Visual Intelligence Package. ZDR compliance is architectural on the Standalone App. This is what your legal team needs to see before approving AI in decision workflows.

C-Suite & Board
Decision rehearsals that produce boardroom-ready documentation by design
MAIA's Visual Intelligence Package is a structured decision brief with an embedded compliance record. When you present to the board or answer to the audit committee, the documentation of how the decision was stress-tested — and what compliance constraints governed the process — is already in the package. That is not available anywhere else.

Regulated Industries
Industry-specific rules built into the pipeline, not bolted on afterward
Healthcare won't see clinical recommendation language. Financial Services won't receive investment advice framing. Defense won't see ITAR classification determinations. The rules for your industry are embedded in the agents, the input scanner, and the output reviewer — active from session start, invisible when everything is clean.

Startup Founders & Operators
Enterprise-grade protection without a legal team to operate it
You're making consequential decisions with sensitive context you can't afford to expose. MAIA's ZDR architecture means what you bring into a rehearsal doesn't persist. The compliance architecture runs automatically. You get the protection without the overhead, at the $29/month Charter Member price point.

Ready to rehearse with the compliance architecture your decision deserves?

Start a rehearsal in Claude today. No separate software. No IT deployment required for the Claude Tool version.
