Nikolay Donets

Large Language Models in Regulated Industries


This is a summary of my presentation at a meetup. In the talk, I shared what I know about initiating a project that uses Large Language Models.

Large language models are useful for managing content and retrieving information. They can improve the processes of developing content and finding information. They also play an important part in improving services and user experiences, and they power AI assistants and smart co-pilots.


Using LLMs in regulated industries requires careful consideration of regulatory compliance, particularly regarding the handling and use of personal information and the removal of Personally Identifiable Information (PII) from data that reaches the model. Making LLMs conform to a company's own standards, such as keeping the quality of information high, staying in line with brand guidelines, and earning user trust, can also be complex. Central to these challenges is the need for explainable results and consistent behaviour.

Documents to review

  • California Consumer Privacy Act (CCPA).
  • Data Protection Act (DPA).
  • General Data Protection Regulation (GDPR).
  • Health Insurance Portability and Accountability Act (HIPAA).
  • Gramm-Leach-Bliley Act (GLBA).
  • Children's Online Privacy Protection Act (COPPA).

Dangers of non-compliance

  • CCPA. $7,500 for every intentional violation of the law.
  • DPA. Fines of up to 2% to 4% of global turnover or 10 to 20 million euros.
  • GDPR. Fines of up to 2% to 4% of global turnover or 10 to 20 million euros.
  • HIPAA. $127 to $63,973 per violation. The calendar-year cap for violations of an identical requirement or prohibition is $25,000 to $1,919,173.
  • GLBA. $100,000 for each violation. $10,000 for each violation for officers and directors. Up to 5 years in prison for officers and directors.
  • COPPA. Up to $50,120 per violation.

Getting Started

To adopt Large Language Models in a regulated industry, a comprehensive incident response plan is typically recommended as the first step. The plan has four main components:

  1. Classifying and assessing severity. Determine what kind of incident it is and how serious it is.
  2. Containing and limiting damage. After the initial assessment, stop the incident from getting worse and reduce its effects.
  3. Investigating and preserving evidence. Examine the incident closely and retain any relevant evidence for later use.
  4. Fixing and recovering. Fix the problem and begin recovery, with the goal of returning to normal business operations as quickly as possible.

Take a careful look at the worst possible situation and work backwards from it. This helps you create a solid and reliable plan, and makes it easier to start a project with Large Language Models.

Note: Some regulators require a risk assessment and an incident response plan.