Regulated Brands Cannot Ship AI on Hope
Financial services, healthcare, insurance, and pharma Sitecore programs already have workflow, legal review, and audit requirements before a comma changes on a disclaimer. Adding Sidekick, Connect enrichment, and external model calls introduces new failure modes: prompt version drift, unauthorized field writes, retained PII in sandbox logs, and commerce data overwriting approved copy.
This post is a governance checklist for platform, legal, and editorial leads. It assumes XM with Sidekick, Connect for PIM or commerce, and git backed prompt definitions. Adapt retention numbers to your policy; we use 90 day sandbox retention as a common regulated baseline.
Roles: Author, Approver, Developer
Three roles minimum. Larger programs split Legal Approver from Marketing Approver.
| Role | Sitecore security | Sidekick | Connect fields | Prompt git |
|---|---|---|---|---|
| Author | Write on content branch; no publish to web | Suggest and apply in Draft per template | Read only | No access |
| Approver | Approve workflow; publish to staging | Apply on approved prompts only | Read only | Read |
| Developer | Admin on templates, layouts, prompts import | Configure scopes; no content approve | Deploy flows; no manual SKU edit in prod | Write with PR review |
| Legal approver | Workflow approve on legal templates | View audit trail | Read only | Approve forbidden term changes |
Separate Author from Approver on same item wherever SOX or FDA style controls apply. Shared accounts break audit trail.
Workflow States
Extend standard Draft, Awaiting Approval, Approved with AI specific states where needed.
- Draft: Sidekick suggest allowed; apply writes draft fields.
- AI Review: Optional machine output flagged; author confirms source grounding.
- Legal Review: Required for templates on legal registry.
- Approved: Publish allowed; Sidekick apply locked or logged only.
- Archived: Read only; Sidekick disabled.
Workflow command permissions map to roles above. Item in Legal Review rejects Sidekick bulk apply scripts.
Read-Only Connect Fields
Connect owned fields must be read only for Author and Approver in Content Editor and Experience Editor.
- Item security on commerce section of template
- Field title prefix “[System]” with help text “Synced from ERP. Do not edit.”
- Sidekick prompt scope excludes Connect field IDs explicitly
- Custom Content Editor warning when user is Developer overriding read only (logged)
Quarterly access review: export role memberships and compare to HR roster.
Prompt Version Git Tags
Every production prompt pack promoted from git carries an immutable tag.
```
prompt-pack-2026.06.2
  headline-v3.json
  teaser-v2.json
  legal-disclaimer-v1.json
```
On import to CM, write tag name to site settings item /sitecore/content/Settings/AI/PromptPackVersion. Item history custom field stores promptId and pack version on each Sidekick apply.
Rollback procedure: redeploy previous tag; rerun fixture suite; notify authors via release notes.
Enrichment Profile Versions
Connect enrichment profiles (tone, length, vocabulary constraints sent to external models) version separately from Sidekick prompts. Track both in audit log.
| Artifact | Version store | Audit field on item |
|---|---|---|
| Sidekick prompt JSON | Git tag prompt-pack-x.y.z | SidekickPromptVersion |
| Connect enrichment profile | Connect flow semver + export JSON in git | EnrichmentProfileVersion |
| Model deployment | Azure OpenAI deployment name + date | ModelDeploymentId |
Legal sign off covers prompt text and enrichment profile together for claim sensitive templates.
Audit Trail
Minimum events to persist 7 years or per your records policy:
- Sidekick suggest request: user, item ID, field, promptId, model, timestamp
- Sidekick apply: approver if different from requester, before and after hash
- Connect field update: externalId, payload hash, flow version
- Workflow state transitions on legal templates
- Developer break glass edit on Connect field
Store in SQL audit table or SIEM forward from Sitecore logs. Do not rely on CM log files alone.
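The sketch below is an added example, not code from Sitecore or from this program. It builds the apply and Connect events listed above and chains each record to the previous one by hash, so an edited or deleted row is detectable after export. The hash chain goes beyond the checklist itself. The key spellings, placeholder IDs, and sample values are assumptions.

```python
import hashlib
import json

# Fields the checklist lists per event; the key spellings are assumptions.
REQUIRED = {
    "sidekick_suggest": {"user", "itemId", "field", "promptId", "model", "timestamp"},
    "sidekick_apply": {"user", "itemId", "field", "promptId", "beforeHash", "afterHash", "timestamp"},
    "connect_update": {"externalId", "payloadHash", "flowVersion", "timestamp"},
}
GENESIS = "0" * 64

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def _digest(record):
    # Canonical JSON (sorted keys, no spaces) so the hash is reproducible.
    body = {k: v for k, v in record.items() if k != "recordHash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")))

def append_event(log, event_type, **fields):
    missing = REQUIRED[event_type].difference(fields)
    if missing:
        raise ValueError(f"{event_type} missing {sorted(missing)}")
    prev = log[-1]["recordHash"] if log else GENESIS
    record = {"type": event_type, "prevHash": prev, **fields}
    record["recordHash"] = _digest(record)
    log.append(record)
    return record

def first_broken_record(log):
    """Return the index of the first altered or out-of-order record, else None."""
    prev = GENESIS
    for i, record in enumerate(log):
        if record["prevHash"] != prev or _digest(record) != record["recordHash"]:
            return i
        prev = record["recordHash"]
    return None

def sample_log():
    # Constructed sample values; IDs, users and versions are placeholders.
    log = []
    append_event(log, "sidekick_apply", user="author1", approver="approver1",
                 itemId="ITEM-ID-PLACEHOLDER", field="Teaser", promptId="teaser-v2",
                 beforeHash=sha256_hex("old teaser"), afterHash=sha256_hex("new teaser"),
                 timestamp="2026-06-10T09:00:00Z")
    append_event(log, "connect_update", externalId="SKU-PLACEHOLDER",
                 payloadHash=sha256_hex('{"price":"10.00"}'), flowVersion="1.4.0",
                 timestamp="2026-06-10T09:05:00Z")
    return log
```

Run `first_broken_record` over each quarterly export before it goes into immutable storage, and record the last `recordHash` alongside the export.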
Retention: 90 Days Sandbox
Sandbox and QA environments accumulate realistic PII from content clones and Sidekick test runs. Policy baseline:
- Purge Sidekick request and response bodies after 90 days in non prod
- Refresh QA content clone from anonymized subset monthly
- No production webhook payloads in sandbox without tokenization
- DLQ messages in QA expire after 90 days automatically
Document exception process if legal holds extend retention on specific items.
Incident Response Steps
Sev 1: Wrong claim published from AI output
- Unpublish affected items within SLA minutes.
- Identify promptId, pack version, model deployment from audit field.
- Freeze prompt pack promotion pipeline.
- Legal and comms notified per runbook.
- Root cause: prompt change, template validation gap, unauthorized apply, or Connect overwrite.
- Corrective action: rollback tag, add forbidden term, tighten workflow.
- Post incident report within 5 business days.
Sev 2: Connect overwrite of marketing field
- Stop Connect flow via feature flag.
- Restore field from item version history or serialization backup.
- Fix field ownership map and flow field filter.
- Replay DLQ only after hash guard verified.
Sev 3: Prompt pack leaked in public git
- Rotate API keys for model endpoint.
- Assess if system instructions contain confidential strategy.
- Revise prompts if needed; legal review on diff.
Field Locks in Standard Values
Use standard values and branch templates to pre lock fields that must never be Sidekick written.
- Regulatory boilerplate in rich text: lock via workflow and help text; Sidekick scope exclude
- ISBN, NDC, or registration numbers: Connect or manual only
- Effective date and version label for disclosures: manual approver only
Validation rules on locked fields reject programmatic write unless service account role matches Connect or approved Sidekick apply role.
Legal Review Gates
Maintain template registry requiring Legal Review workflow state before web publish.
| Template | Sidekick allowed fields | Legal gate | Forbidden term list |
|---|---|---|---|
| Product Claim Page | Teaser only; not Indications | Required | pharma-forbidden.txt |
| Financial Promo | Headline, CTA label | Required | fin-forbidden.txt |
| Blog Article | Headline, meta, teaser | Optional | brand-forbidden.txt |
| Legal Disclaimer Partial | None | Required manual only | n/a |
Legal approves prompt pack and enrichment profile when registry row changes Sidekick allowed fields.
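One way to turn the registry rows into a default-deny check that a CI fixture run or an apply hook could call. This is an added example, not Sidekick or Sitecore code. The contents of the term lists are constructed for illustration, and matching field names case-insensitively is an assumption.

```python
import re
import unicodedata

# Registry rows from the table above: template -> (Sidekick fields, term list).
REGISTRY = {
    "Product Claim Page": ({"teaser"}, "pharma-forbidden.txt"),
    "Financial Promo": ({"headline", "cta label"}, "fin-forbidden.txt"),
    "Blog Article": ({"headline", "meta", "teaser"}, "brand-forbidden.txt"),
    "Legal Disclaimer Partial": (set(), None),
}
# Constructed list contents for illustration; real lists come from legal.
TERM_LISTS = {
    "pharma-forbidden.txt": ["cure", "risk-free", "guaranteed results"],
    "fin-forbidden.txt": ["guaranteed return", "no risk"],
    "brand-forbidden.txt": ["best in the world"],
}


def normalize(text):
    # NFKC folds full-width and no-break forms; whitespace runs become one space.
    return re.sub(r"\s+", " ", unicodedata.normalize("NFKC", text).casefold())


def find_forbidden(text, terms):
    norm = normalize(text)
    hits = []
    for term in terms:
        # Lookarounds act as word boundaries so "cure" does not flag "secure".
        if re.search(r"(?<!\w)" + re.escape(normalize(term)) + r"(?!\w)", norm):
            hits.append(term)
    return hits


def check_apply(template, field, text):
    """Return (allowed, reason); unknown templates and fields are denied."""
    if template not in REGISTRY:
        return False, "template not in registry"
    fields, list_name = REGISTRY[template]
    if field.casefold() not in fields:
        return False, "field not Sidekick writable"
    hits = find_forbidden(text, TERM_LISTS.get(list_name, []))
    if hits:
        return False, "forbidden terms: " + ", ".join(hits)
    return True, "ok"
```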
Full Governance Checklist Tables
Pre launch
| Control | Evidence | Owner | Done |
|---|---|---|---|
| Role matrix implemented in Sitecore | Security export PDF | Platform | |
| Workflow states include AI and Legal review | Workflow diagram | Platform | |
| Connect fields read only for authors | Screenshot EE field lock | Platform | |
| Prompt git repo with tag process | Tag prompt-pack-0.1.0 in prod | Developer | |
| Audit fields on legal templates | Template serialization | Developer | |
| Forbidden term CI on fixtures | Pipeline green artifact | QA | |
| Sandbox 90 day retention job | Scheduler config | DevOps | |
| Incident runbook signed by legal | Confluence link | Legal | |
Ongoing quarterly
| Control | Evidence | Owner | Done |
|---|---|---|---|
| Access review Author vs Approver | HR aligned spreadsheet | Security | |
| Prompt pack drift: prod tag vs git | Settings item compare | Platform | |
| Connect field ownership audit | Mapping table sample | Commerce | |
| Legal registry templates match production | Template diff report | Legal | |
| Sandbox PII scan | DLP tool report | DevOps | |
| Tabletop incident exercise | Meeting notes | Compliance | |
Per prompt promotion
| Control | Evidence | Owner | Done |
|---|---|---|---|
| Fixture suite green on staging | CI artifact | QA | |
| Legal sign off on diff if registry template | Ticket approval | Legal | |
| Author release note published | Help topic URL | Editorial | |
| Rollback tag identified | Previous git tag noted | Developer | |
Developer Guardrails
- No prompt edits directly in production CM without git backport same day.
- Service accounts named per integration; no shared Sidekick admin password.
- Production model calls log promptId only; redact source notes in non prod logs.
- Feature flag to disable Sidekick apply globally without disabling CM.
Data Classification for AI Inputs
Authors paste source notes into Sidekick from internal briefs, clinician interviews, or unreleased product specs. Classify fields in template documentation: Public, Internal, Confidential, Restricted. Sidekick calls for Restricted templates should use private endpoint models with no training retention and no cross tenant logging. Connect enrichment profiles inherit classification: do not send Confidential SKU cost data to a prompt that generates public marketing teaser.
| Field | Classification | Sidekick allowed | Log retention |
|---|---|---|---|
| Source Notes | Internal | Yes, private endpoint | 90 days QA, 7 days prod bodies |
| Public Teaser | Public | Yes | Metadata only prod |
| ERP Cost | Restricted | No | No model call |
| Patient Case Study Notes | Restricted | No without BAA path | Policy specific |
Third Party and Vendor Review
Regulated brands require DPAs and BAAs with model providers. Governance checklist includes: subprocessors list current, data residency matches Sitecore hosting region, breach notification SLA documented, annual vendor questionnaire on AI features. Legal sign off before enabling Sidekick on healthcare templates even in QA with synthetic data.
Evidence for Auditors
Auditors ask for proof controls operated, not only that they existed on paper. Export quarterly:
- Workflow history report on legal template sample items
- Prompt pack promotion tickets with legal approval timestamps
- Connect field override log (should be empty or break glass only)
- Sidekick disabled incident log if feature flag used
- Sandbox purge job success log for 90 day retention
Store exports in immutable storage with hash. Link DEC IDs from migration or prompt changes to audit sample period.
Cross Border Publishing
Multi country Sitecore trees may forbid AI generated copy in EU markets until localized prompt pack reviewed. Use branch security and Sidekick scope rules per country site root. Connect may sync global SKU data while Sidekick prompts differ per language. Field ownership matrix needs a column for jurisdiction.
Board and Executive Reporting
Monthly one page metric summary for leadership: Sidekick apply count, legal workflow reject rate, Connect conflict count, open incidents, prompt pack version in prod. Non technical audience cares about incidents and reject rate trends, not prompt JSON structure.
Penetration Test and Red Team Scope
Include Sidekick API and Connect webhook endpoints in annual pen test scope. Test cases: prompt injection via source notes field, unauthorized Sidekick apply without workflow, webhook signature bypass, IDOR on audit export API if custom built. Remediate before expanding Sidekick to additional templates, not after.
Records Hold and Litigation
When legal hold applies to content subtree, pause sandbox purge jobs for items in hold scope. Audit trail exports for held items continue until hold releases. Document interaction between hold tooling and 90 day Sidekick log retention so ops does not auto delete evidence.
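A purge planner that combines the 90 day sandbox retention rule with the hold behaviour described here. It is an added example, not part of any Sitecore tooling. The record shape, item paths, hold roots, and dates are constructed, and case-insensitive path comparison is an assumption.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # sandbox baseline from the checklist


def under_hold(item_path, hold_roots):
    # Match whole path segments so a hold on /Claims does not cover /ClaimsArchive.
    # Case-insensitive comparison is an assumption about how paths are stored.
    path = item_path.rstrip("/").lower() + "/"
    return any(path.startswith(root.rstrip("/").lower() + "/") for root in hold_roots)


def plan_purge(records, hold_roots, now):
    """Split log records into purge / held / keep without deleting anything."""
    plan = {"purge": [], "held": [], "keep": []}
    cutoff = now - RETENTION
    for rec in records:
        if rec["created"] >= cutoff:
            plan["keep"].append(rec["id"])       # not yet past 90 days
        elif under_hold(rec["itemPath"], hold_roots):
            plan["held"].append(rec["id"])       # expired, but evidence under hold
        else:
            plan["purge"].append(rec["id"])
    return plan


# Constructed sample data: paths, ids and dates are illustrative only.
NOW = datetime(2026, 6, 30, tzinfo=timezone.utc)
HOLD_ROOTS = ["/sitecore/content/SiteA/Claims"]
RECORDS = [
    {"id": "r1", "itemPath": "/sitecore/content/SiteA/Claims/Product1", "created": NOW - timedelta(days=120)},
    {"id": "r2", "itemPath": "/sitecore/content/SiteA/ClaimsArchive/Old", "created": NOW - timedelta(days=120)},
    {"id": "r3", "itemPath": "/sitecore/content/SiteA/Blog/Post1", "created": NOW - timedelta(days=30)},
    {"id": "r4", "itemPath": "/sitecore/content/sitea/claims", "created": NOW - timedelta(days=91)},
    {"id": "r5", "itemPath": "/sitecore/content/SiteA/Blog/Post2", "created": NOW - timedelta(days=90)},
]

if __name__ == "__main__":
    print(plan_purge(RECORDS, HOLD_ROOTS, NOW))
```

Logging the `held` list on every run gives ops and legal a record that the purge job saw the hold and skipped those records.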
Maturity Model
Stage 1: Sidekick suggest only with manual copy. Stage 2: apply on approver with audit fields. Stage 3: Connect and Sidekick field ownership enforced in CM. Stage 4: automated CI plus quarterly auditor evidence pack. Regulated brands should not skip stages. Stage 4 without Stage 2 audit fields fails every compliance review we have seen.
Contractual Language for MSAs
Enterprise MSAs increasingly ask whether AI features send customer content to third party models. Platform legal should attach exhibit listing: model provider name, data residency, retention caps, training opt out status, subprocessors. Match exhibit to actual Sidekick and Connect configuration. Drift between contract and PromptPackVersion settings item is audit finding material.
Offboarding and Access Revocation
When approver leaves company, revoke Sitecore role same day. Quarterly access review catches lag. Sidekick service account passwords rotate on schedule independent of human SSO. Connect webhook secrets rotate when vendor portal allows; update Hub subscription without dual write window longer than one maintenance period.
Integration with Existing GRC Tools
Map Sitecore audit events to ServiceNow or Archer if enterprise GRC mandates central store. Field mapping: Sidekick apply maps to “content change automated”; Connect overwrite maps to “integration data change”. Incidents Sev 1 and 2 open GRC ticket with predefined category for AI content. Reduces duplicate spreadsheets between marketing ops and compliance.
Annual Policy Refresh
Revisit governance checklist when Sitecore releases major AI features, model provider changes, or new regulations affect your vertical. Schedule Q4 working session with legal, platform, and editorial. Update forbidden term lists, retention days if counsel advises, and template registry rows. Export signed PDF of checklist tables for audit binder even if daily operations live in wiki.
Assign checklist owner role rotating yearly so knowledge does not leave with one senior developer. Handoff includes git repo access, Connect flow documentation, and last auditor feedback letter.
Regulated programs should rehearse one tabletop incident per quarter using a synthetic wrong claim scenario. Measure time to unpublish and time to identify prompt pack version. Results feed into executive monthly summary.
Document which checklist rows are in scope for SOC 2 vs FDA vs financial conduct rules if your program spans multiple frameworks. One Sitecore implementation may satisfy overlapping controls with a single audit field design.
Closing Checklist
- Author, Approver, Developer, and Legal roles defined with Sitecore security evidence
- Workflow states cover Draft, AI Review, Legal Review, Approved, Archived with Sidekick rules per state
- Connect owned fields read only in EE and CE for non service accounts
- Prompt versions tracked via git tags and PromptPackVersion settings item
- Enrichment profile versions linked in audit trail beside Sidekick prompt version
- Audit trail captures suggest, apply, Connect update, and break glass events
- Sandbox Sidekick and DLQ retention capped at 90 days with documented purge job
- Incident response runbook covers wrong claim, Connect overwrite, and git leak scenarios
- Field locks in standard values on regulatory boilerplate and identifier fields
- Legal review gates on template registry with forbidden term lists per vertical
- Pre launch, quarterly, and per promotion checklist tables assigned to owners