
The Compliance Gate

Customer compliance — not technology — is the one thing between the live platform and revenue.

The most important honest statement in this whole pitch: the blocker is customer compliance and consent, not technology. The CLI is built and demonstrated. The X10 integration works. What stops revenue is enterprise customers' ability to say yes.

What's blocking

Deloitte: enthusiastic, then blocked

Deloitte engineers want it; Deloitte management is blocked on compliance. World Pay shows the same pattern — it's the pattern across all large customers.

Governance is severe and concrete

84 member firms approve AI independently. Approval runs 3 months to 3.5 years per product. US Deloitte cannot use Claude or Grok at all. Vendor review runs through 128 security questions.

Open internal items

Item                                              Owner   Status
Deloitte compliance-conversation approach         Jacob   In progress
Code-security sign-off                            Paul    Open since early this year
Data Access Policy (telemetry returning to VCT)   Rob     Open since early this year

The answer we already have

The platform's design is itself most of the compliance answer:

Redact before any model

Deterministic sanitization (pattern matching, no AI) strips PII, secrets, and hostnames before any external model is invoked. No external model ever sees raw customer data.
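An added illustration of that sanitization step, not the platform's own code: a pattern-only redaction pass plus a gate that refuses to hand text to a model if any rule still matches the output. The rule set, placeholder tokens and the sample log line are constructed assumptions; a real deployment would carry a far larger, customer-reviewed rule set.

```python
import re

# Ordered, deterministic rules (no model involved). Order matters: SECRET runs
# first so a key that contains a hostname-like string is redacted whole, and
# EMAIL runs before HOST so the domain part is not split into a second token.
RULES = [
    ("SECRET", re.compile(
        r"\b(?:AKIA[0-9A-Z]{16}"                       # AWS-style access key id
        r"|\w*(?:key|token|password|secret)\w*\s*[=:]\s*\S+)",  # key=value style
        re.I)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HOST", re.compile(
        r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|internal|local|corp)\b", re.I)),
]


def redact(text):
    """Apply every rule in order; return the redacted text and per-label counts."""
    counts = {}
    for label, pattern in RULES:
        text, n = pattern.subn(f"<{label}>", text)
        if n:
            counts[label] = n
    return text, counts


def gate_for_model(text):
    """Call this before any external model is invoked.

    Redacts, then re-scans the result; if any rule still matches, the text is
    refused rather than sent, so a rule-ordering mistake fails closed.
    """
    clean, counts = redact(text)
    residue = [label for label, pattern in RULES if pattern.search(clean)]
    if residue:
        raise ValueError(f"redaction residue, refusing to send: {residue}")
    return clean, counts


# Constructed sample log line (hostname, IP, email, API key) for demonstration.
SAMPLE = ("ERROR db01.corp.internal (10.20.30.40): auth failed for "
          "alice@example.com, api_key=sk-live-ABC123")

if __name__ == "__main__":
    clean, counts = gate_for_model(SAMPLE)
    print(clean)   # ERROR <HOST> (<IP>): auth failed for <EMAIL>, <SECRET>
    print(counts)
```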

Bring your own model

Customers supply their own model keys — so the choice of AI provider is their decision, which clears a large class of objections (including US Deloitte's model restrictions).

Explicit, documented consent

Customers acknowledge and consent before any processing — in the interface and contractually. "Ask forgiveness, not permission" explicitly does not apply to AI.

Prove with one design partner

Solve it concretely with one customer, then reuse that compliance package as the template for the rest.

The path in, per the Deloitte UPMA briefing: enter through the Splunk GEMS and SIMS teams, with an introduction toward Deloitte Consulting AI leadership. Compliance is a relationship to work, not a wall to wait at.

Why this is the right thing to lead with — not hide

Naming the blocker first is how we win the room. It says we understand the real risk, we have a named owner and a concrete answer, and the engineering is not the gamble. The Health Assessment is deliberately the easiest offering to clear review, because the data is sanitized before any model sees it.
