Regulatory Compliance Check AI Prompts for Founders
December 1, 2025
12 min read
AIUnpacker Editorial Team
Updated: March 30, 2026

Legal problems kill startups. Not because founders are malicious, but because they are ignorant. They do not know what regulations apply to them. They do not know when they need to comply. They do not know what they do not know.

By the time the problem surfaces, it is often too late. A startup has collected user data without proper consent mechanisms. A fintech company has processed payments without the right licenses. A healthcare startup has handled patient data without HIPAA compliance. The result is fines, legal action, or the inability to operate in a market.

The solution is not to hire a team of lawyers upfront. It is to understand your compliance obligations early, build a roadmap, and engage legal counsel strategically for the things that require expertise.

AI can help you understand the landscape, identify gaps, and prepare for legal review efficiently. It cannot replace legal counsel for actual compliance decisions. But it can help you ask better questions and have more productive conversations with lawyers.

AI Unpacker provides prompts designed to help founders conduct regulatory compliance checks and build compliance roadmaps.

TL;DR

  • Most startups fail compliance audits not from malice but from ignorance.
  • Understanding your regulatory environment early prevents expensive fixes later.
  • AI can help identify gaps and prepare for legal review.
  • Compliance is a process, not a one-time checklist.
  • Some compliance requires specialized legal counsel; do not skip it.
  • Build compliance into your product development, not as an afterthought.

Introduction

Regulatory compliance is the gap between what you are doing and what you are allowed to do. It touches every part of your business: how you collect data, how you process payments, how you handle customer information, how you market your product, how you treat your employees.

For most startups, compliance is an afterthought. Founders focus on building product, acquiring customers, and raising capital. Legal and compliance come later, when they become urgent.

The problem is that retrofitting compliance is expensive and sometimes impossible. If you have built your product on a data architecture that violates privacy regulations, changing it later can take months and require engineering resources you do not have.

The better approach is to understand your compliance obligations early and build accordingly. AI can help you get started, but do not mistake AI assistance for legal advice.

1. Regulatory Landscape Assessment

Before you can comply, you need to understand what regulations apply to your business and when they apply.

Prompt for Regulatory Landscape Assessment

Assess regulatory landscape for startup.

Company: B2B SaaS platform for healthcare administrators
Stage: Seed stage, 12 employees, Series A planned in 12 months
Market: United States, considering EU expansion in Year 2
Product: Workflow automation for hospital administrative tasks

What I know about our regulatory situation:
- We handle some patient data (appointment schedules, not clinical data)
- We are not sure if HIPAA applies to us
- We use third-party payment processing (Stripe)
- We have a privacy policy but have not audited it against specific regulations

What I need to understand:
1. Which regulations apply to us (HIPAA, SOC 2, GDPR, etc.)?
2. When do we need to comply (at what stage, revenue, or user count)?
3. What are the specific requirements we need to meet?
4. What evidence or documentation do we need to demonstrate compliance?

Regulatory framework analysis:

Data privacy regulations:
1. HIPAA (if applicable)
   - Applies to: Healthcare providers, plans, clearinghouses, and business associates
   - Does it apply to us: Possibly if we are considered a business associate
   - Key requirements: BAA required, data security standards, breach notification

2. GDPR (if serving EU users)
   - Applies to: Companies serving EU residents
   - Does it apply to us: Not yet, but planning EU expansion
   - Key requirements: Consent, data portability, right to be forgotten

3. CCPA/CPRA (California)
   - Applies to: Companies meeting California thresholds
   - Does it apply to us: Not yet, but plan to expand to CA customers
   - Key requirements: Privacy notice, opt-out rights, data deletion

Financial regulations:
1. PCI DSS (payment processing)
   - Applies to: Any company that handles card data
   - Does it apply to us: We use Stripe, so mostly no, but depends on implementation
   - Key requirements: If using Stripe iframe, minimal; if handling raw card data, full compliance

Security certifications:
1. SOC 2
   - Applies to: Companies handling customer data, especially enterprise customers
   - Does it apply to us: Likely required for enterprise sales
   - Key requirements: Security, availability, confidentiality, privacy

Industry-specific regulations:
1. State healthcare regulations
2. Hospital vendor requirements
3. Insurance requirements for healthcare vendors

Compliance roadmap by stage:
- Now (Seed): Privacy policy, basic security practices, data processing agreements
- Series A: SOC 2 Type I, HIPAA assessment, vendor security reviews
- Series B: SOC 2 Type II, full HIPAA compliance if applicable, GDPR preparation

Tasks:
1. Map regulations to company activities
2. Identify which regulations require immediate attention
3. Develop compliance timeline based on growth plan
4. Prioritize gap remediation by risk
5. Create legal counsel engagement plan

Generate regulatory landscape assessment with compliance roadmap.

2. Compliance Gap Analysis

Once you know what should apply, you need to assess where you are and what the gaps are.

Prompt for Compliance Gap Analysis

Conduct compliance gap analysis.

Company: B2B SaaS for healthcare administrators
Regulation: HIPAA (we believe we may be business associates)

Current state:

Data practices:
- We collect: Names, email addresses, appointment schedules, work schedules
- We store: In AWS with standard encryption at rest
- We access: Engineers can access for debugging, but no formal process
- We share: With third-party vendors (Twilio, Stripe) but no data processing agreements

Security practices:
- Password policy: Minimum 8 characters, no MFA required
- Access control: All engineers have broad access to production
- Incident response: No formal incident response plan
- Vendor management: No formal vendor security review process

Documentation:
- Privacy policy: Published on website, last updated 18 months ago
- Terms of service: Standard template, never reviewed by lawyer
- Data processing agreements: None in place with vendors
- BAA (Business Associate Agreement): Not in place

What I do not know:
- Whether we are actually a business associate under HIPAA
- What specific technical safeguards are required
- How to conduct a proper security risk assessment
- What our incident response obligations are

Gap analysis framework:

Category 1: Administrative safeguards
- Risk assessment: Not done
- Workforce training: No formal training program
- Incident response plan: Does not exist
- Vendor management: No formal program

Category 2: Physical safeguards
- Workstation security: Personal devices allowed, no MDM
- Server room security: AWS handles physical security

Category 3: Technical safeguards
- Access control: No role-based access, no automatic logoff
- Audit controls: Logging exists but not reviewed
- Transmission security: HTTPS but no formal certificate management

Category 4: Organizational safeguards
- Business associate agreements: Not in place
- Minimum necessary standard: Not implemented

Category 5: Documentation
- Policies and procedures: No formal documentation
- Evidence of compliance: Cannot demonstrate

Prioritization:
1. Critical (potential immediate risk): BAA with covered entities, data processing agreements with vendors
2. High (required for compliance): Access controls, incident response plan
3. Medium (best practice): Workforce training, security risk assessment
4. Lower (time-intensive): Full documentation, formal policies

What AI can help with:
- Drafting policy templates (not legal advice, but starting points)
- Identifying common requirements for specific regulations
- Creating checklists for gap assessment
- Structuring vendor security review questionnaires

What AI cannot do:
- Determine if you are actually subject to a regulation
- Provide legal advice on compliance requirements
- Replace lawyer review of your specific situation

Tasks:
1. Conduct initial gap assessment against each category
2. Prioritize gaps by risk and effort
3. Identify which gaps can be addressed with AI tooling vs require legal counsel
4. Develop remediation plan with timeline
5. Create evidence documentation framework

Generate compliance gap analysis with prioritization and remediation plan.

3. Compliance Roadmap Development

A compliance roadmap turns gaps into action. It needs to be realistic about resources and prioritize by risk.

Prompt for Compliance Roadmap Development

Develop compliance roadmap for startup.

Company: B2B SaaS, 12 employees, Seed stage
Budget: $20K allocated for compliance in next 12 months
Timeline: Series A in 12 months, enterprise customers are key target

Compliance gaps identified:
1. No BAA with customers (critical for healthcare)
2. No formal access controls (high priority)
3. No incident response plan (high priority)
4. No vendor security reviews (medium priority)
5. No SOC 2 (required for enterprise sales)
6. No formal security policies (medium priority)

Resource constraints:
- One part-time engineer dedicated to security (0.1 FTE)
- No dedicated legal (using outside counsel on hourly basis)
- Engineering capacity is the bottleneck (all bandwidth goes to product)

Series A requirements:
- Investors will ask about security and compliance
- Enterprise customers require SOC 2
- Due diligence will include data security review

Phased roadmap:

Phase 1: Foundation (Months 1-3)
Goal: Address critical gaps and prepare for due diligence

Actions:
1. Implement BAA template and get signed with existing customers
2. Enable MFA everywhere, implement basic access controls
3. Create incident response plan template (even if not fully implemented)
4. Create vendor security questionnaire

Cost estimate: $5K (legal review of BAA template, security tooling)

Phase 2: Core Compliance (Months 4-6)
Goal: Achieve SOC 2 Type I certification

Actions:
1. Engage SOC 2 audit firm for readiness assessment
2. Implement technical controls required for SOC 2
3. Document security policies and procedures
4. Complete security awareness training for all employees

Cost estimate: $30K (audit fees, tooling, consultant)

Phase 3: Certification (Months 7-9)
Goal: Complete SOC 2 Type II or Type I certification

Actions:
1. Complete SOC 2 Type I audit
2. Address any findings from readiness assessment
3. Begin continuous monitoring for Type II
4. Implement vendor management program

Cost estimate: $40K (audit fees)

Phase 4: Maturity (Months 10-12)
Goal: Be enterprise-ready for Series A

Actions:
1. Complete SOC 2 Type II (if timeline allows)
2. Prepare due diligence data room for investors
3. Develop customer security package for enterprise sales
4. Conduct annual security risk assessment

Cost estimate: $20K (ongoing audit, legal)

What to prioritize given budget constraints:
1. If budget is reduced: Focus on Phase 1 only, defer SOC 2
2. If timeline is compressed: Engage consultant to accelerate, accept higher cost
3. If engineering bandwidth is limited: Prioritize tooling over documentation

Milestones to track:
- Month 3: BAAs signed, MFA enabled, basic policies drafted
- Month 6: SOC 2 readiness complete, policies documented
- Month 9: SOC 2 Type I certified
- Month 12: SOC 2 Type II in progress, enterprise-ready

Tasks:
1. Refine roadmap based on specific constraints
2. Identify dependencies (what must be done before what)
3. Create resource plan (who does what)
4. Develop budget allocation across phases
5. Set milestone definitions and tracking approach

Generate compliance roadmap with phased approach, milestones, and resource requirements.

4. Legal Counsel Preparation

Some things require a lawyer. AI can help you prepare for those conversations and be more efficient when you have them.

Prompt for Legal Counsel Preparation

Prepare for legal counsel engagement on compliance.

Company: B2B SaaS, 12 employees
Issue: Understanding HIPAA compliance obligations

What I have done:
- Conducted regulatory landscape assessment
- Identified gaps and created roadmap
- Privacy policy drafted (not reviewed by lawyer)
- BAA template found online (not reviewed by lawyer)

What I need from legal counsel:
1. Determine if HIPAA applies to us (business associate vs not)
2. Review BAA template before signing with customers
3. Advise on minimum necessary compliance steps
4. Review data processing agreements with vendors

Questions I am prepared to answer:
- What data we collect and how we store it
- Which customers are covered entities
- What vendors we use and what data they access
- Our current security practices and policies

Information to prepare for counsel:

1. Data flow documentation
- What data we collect
- Where it is stored
- Who has access
- How it is transmitted
- How it is deleted

2. Vendor list
- Vendor names
- What service they provide
- What data they access
- Whether we have existing agreements

3. Customer contracts
- Standard contract terms
- Any existing BAAs
- Customer requests for security documentation

4. Security documentation
- Existing policies
- Security controls in place
- Any prior security assessments

How to work efficiently with outside counsel:
1. Do your homework first (understand the basics before the call)
2. Prepare specific questions (not "what do we need to do?")
3. Bring documentation (data flows, vendor list, contracts)
4. Be ready to make decisions (do not leave with just information)
5. Ask about alternatives (what is the minimum viable compliance?)

Typical counsel engagement structure:
1. Initial assessment (2-4 hours): Understand situation, identify issues
2. Gap analysis review (4-8 hours): Review your analysis, provide feedback
3. Document preparation (variable): Draft BAA, policies, agreements
4. Ongoing advisory (as needed): Answer specific questions as they arise

Budget expectations for startup compliance:
- Initial assessment: $2,000-5,000
- BAA and DPA templates: $1,000-3,000
- Policy development: $3,000-10,000 depending on complexity
- SOC 2 audit preparation: Included in audit fees, but counsel for readiness may be $5,000-15,000

What to avoid:
- Do not ask counsel to educate you from scratch
- Do not expect them to implement anything (they advise, you implement)
- Do not send vague requests ("please review our compliance")
- Do not skip the fundamentals (counsel cannot help if you do not understand)

Tasks:
1. Prepare data flow documentation
2. Compile vendor list with service descriptions
3. Gather existing contracts and policies
4. Draft specific questions for counsel
5. Develop engagement brief (problem statement, what you need, what you have done)

Generate legal counsel preparation package with documentation and questions.

FAQ

When should startups start thinking about compliance?

From day one for basic things (privacy policy, terms of service, data processing agreements). For specific regulations like HIPAA or SOC 2, start assessing 12-18 months before you need it. Retrofitting compliance is expensive and sometimes impossible. Building from the start is cheaper.

How do I know if a regulation applies to my startup?

This is genuinely complex and requires legal analysis. Factors include: what data you handle, who your customers are, where they are located, your revenue, and your growth plans. AI can help you understand the general landscape, but specific applicability determinations need legal counsel.

What compliance is absolutely required vs nice to have?

Required by law: varies by regulation and your situation. Required by customers: usually SOC 2 for enterprise B2B SaaS, HIPAA for healthcare. Nice to have: ISO 27001, pen testing certifications. Start with what customers require, then what the law requires, then consider what differentiates you.

Can AI replace lawyers for compliance?

No. AI can help you understand regulations, identify gaps, draft templates, and prepare for legal review. It cannot provide legal advice or take legal responsibility for compliance decisions. Use AI to be more informed and efficient, not to avoid lawyers.

Conclusion

Regulatory compliance is not optional or avoidable. Every startup faces compliance obligations, whether they know it or not. The question is whether you discover compliance requirements through proactive planning or reactive crises.

AI Unpacker gives you prompts to assess your regulatory landscape, identify gaps, and build roadmaps. But the judgment about which regulations apply to you, the decisions about how to prioritize, and the engagement with legal counsel for complex issues — those come from you.

The goal is not to be the most compliant company. The goal is to understand your obligations, meet them appropriately, and not be surprised by gaps when you least can afford them.
