Regulated Brand Sites on XM: Workflow, Field Locks, and Sidekick Audit Trails

Regulated Brands Cannot Ship AI on Hope

Financial services, healthcare, insurance, and pharma Sitecore programs already have workflow, legal review, and audit requirements before a comma changes on a disclaimer. Adding Sidekick, Connect enrichment, and external model calls introduces new failure modes: prompt version drift, unauthorized field writes, retained PII in sandbox logs, and commerce data overwriting approved copy.

This post is a governance checklist for platform, legal, and editorial leads. It assumes XM with Sidekick, Connect for PIM or commerce, and git-backed prompt definitions. Adapt retention numbers to your policy; we use 90-day sandbox retention as a common regulated baseline.

Governance is field level permissions and versioned prompts, not a policy PDF alone.

Roles: Author, Approver, Developer

Three roles minimum. Larger programs split Legal Approver from Marketing Approver.

| Role | Sitecore security | Sidekick | Connect fields | Prompt git |
|---|---|---|---|---|
| Author | Write on content branch; no publish to web | Suggest and apply in Draft per template | Read only | No access |
| Approver | Approve workflow; publish to staging | Apply on approved prompts only | Read only | Read |
| Developer | Admin on templates, layouts, prompts import | Configure scopes; no content approve | Deploy flows; no manual SKU edit in prod | Write with PR review |
| Legal approver | Workflow approve on legal templates | View audit trail | Read only | Approve forbidden term changes |

Separate Author from Approver on the same item wherever SOX or FDA-style controls apply. Shared accounts break the audit trail.

Workflow States

Extend the standard Draft, Awaiting Approval, and Approved states with AI-specific states where needed.

  • Draft: Sidekick suggest allowed; apply writes draft fields.
  • AI Review: Optional machine output flagged; author confirms source grounding.
  • Legal Review: Required for templates on legal registry.
  • Approved: Publish allowed; Sidekick apply locked or logged only.
  • Archived: Read only; Sidekick disabled.

Workflow command permissions map to the roles above. An item in Legal Review rejects Sidekick bulk apply scripts.

Read-Only Connect Fields

Connect owned fields must be read only for Author and Approver in Content Editor and Experience Editor.

  • Item security on commerce section of template
  • Field title prefix “[System]” with help text “Synced from ERP. Do not edit.”
  • Sidekick prompt scope excludes Connect field IDs explicitly
  • Custom Content Editor warning when user is Developer overriding read only (logged)

Quarterly access review: export role memberships and compare to HR roster.

Prompt Version Git Tags

Every production prompt pack promoted from git carries an immutable tag.

prompt-pack-2026.06.2
  headline-v3.json
  teaser-v2.json
  legal-disclaimer-v1.json

On import to CM, write the tag name to the site settings item /sitecore/content/Settings/AI/PromptPackVersion. A custom item history field stores the promptId and pack version on each Sidekick apply.

Rollback procedure: redeploy previous tag; rerun fixture suite; notify authors via release notes.

Enrichment Profile Versions

Connect enrichment profiles (tone, length, vocabulary constraints sent to external models) version separately from Sidekick prompts. Track both in audit log.

| Artifact | Version store | Audit field on item |
|---|---|---|
| Sidekick prompt JSON | Git tag prompt-pack-x.y.z | SidekickPromptVersion |
| Connect enrichment profile | Connect flow semver + export JSON in git | EnrichmentProfileVersion |
| Model deployment | Azure OpenAI deployment name + date | ModelDeploymentId |

Legal sign off covers prompt text and enrichment profile together for claim sensitive templates.

Audit Trail

Minimum events to persist for 7 years, or per your records policy:

  • Sidekick suggest request: user, item ID, field, promptId, model, timestamp
  • Sidekick apply: approver if different from requester, before and after hash
  • Connect field update: externalId, payload hash, flow version
  • Workflow state transitions on legal templates
  • Developer break glass edit on Connect field

Store events in a SQL audit table, or forward them from Sitecore logs to a SIEM. Do not rely on CM log files alone.
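One way to shape the Sidekick apply event listed above, as an added example that is not Sitecore's or the author's code. It stores before and after values as SHA-256 hashes and goes beyond the list by chaining each record to the previous one, so edits to stored records are detectable; the function names, record keys and sample values are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record (assumption)

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def apply_event(prev_hash, user, approver, item_id, field, before, after,
                prompt_id, pack_version, model, timestamp):
    """Build one Sidekick apply record; field values are kept as hashes only."""
    event = {
        "type": "sidekick_apply",
        "user": user,
        # The approver is recorded only when different from the requester.
        "approver": approver if approver != user else None,
        "itemId": item_id, "field": field,
        "beforeHash": sha256_hex(before),
        "afterHash": sha256_hex(after),
        "promptId": prompt_id, "packVersion": pack_version,
        "model": model, "timestamp": timestamp,
        "prevHash": prev_hash,
    }
    event["recordHash"] = sha256_hex(json.dumps(event, sort_keys=True))
    return event

def verify_chain(events):
    """Return the index of the first altered or reordered record, or -1."""
    prev = GENESIS
    for i, ev in enumerate(events):
        body = {k: v for k, v in ev.items() if k != "recordHash"}
        digest = sha256_hex(json.dumps(body, sort_keys=True))
        if ev["prevHash"] != prev or digest != ev["recordHash"]:
            return i
        prev = ev["recordHash"]
    return -1

def sample_chain():
    """Two constructed events; item ID, users and model name are placeholders."""
    pack = "prompt-pack-2026.06.2"
    e1 = apply_event(GENESIS, "author1", "approver1", "{ITEM-ID-PLACEHOLDER}",
                     "Teaser", "Old teaser", "New teaser", "teaser-v2", pack,
                     "model-deployment-placeholder", "2026-06-01T10:00:00Z")
    e2 = apply_event(e1["recordHash"], "author1", "author1",
                     "{ITEM-ID-PLACEHOLDER}", "Headline", "Old", "New",
                     "headline-v3", pack, "model-deployment-placeholder",
                     "2026-06-01T10:05:00Z")
    return [e1, e2]
```

During an incident, hashing the field value from item version history and comparing it with `afterHash` shows whether the published text is what the logged apply wrote.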

Retention: 90 Days Sandbox

Sandbox and QA environments accumulate realistic PII from content clones and Sidekick test runs. Policy baseline:

  • Purge Sidekick request and response bodies after 90 days in non prod
  • Refresh QA content clone from anonymized subset monthly
  • No production webhook payloads in sandbox without tokenization
  • DLQ messages in QA expire after 90 days automatically

Document exception process if legal holds extend retention on specific items.

Incident Response Steps

Sev 1: Wrong claim published from AI output

  1. Unpublish affected items within SLA minutes.
  2. Identify promptId, pack version, model deployment from audit field.
  3. Freeze prompt pack promotion pipeline.
  4. Legal and comms notified per runbook.
  5. Root cause: prompt change, template validation gap, unauthorized apply, or Connect overwrite.
  6. Corrective action: rollback tag, add forbidden term, tighten workflow.
  7. Post incident report within 5 business days.

Sev 2: Connect overwrite of marketing field

  1. Stop Connect flow via feature flag.
  2. Restore field from item version history or serialization backup.
  3. Fix field ownership map and flow field filter.
  4. Replay DLQ only after hash guard verified.

Sev 3: Prompt pack leaked in public git

  1. Rotate API keys for model endpoint.
  2. Assess if system instructions contain confidential strategy.
  3. Revise prompts if needed; legal review on diff.

Incident runbooks should name where audit fields live on the item template.

Field Locks in Standard Values

Use standard values and branch templates to pre lock fields that must never be Sidekick written.

  • Regulatory boilerplate in rich text: lock via workflow and help text; Sidekick scope exclude
  • ISBN, NDC, or registration numbers: Connect or manual only
  • Effective date and version label for disclosures: manual approver only

Validation rules on locked fields reject programmatic writes unless the service account role matches the Connect role or the approved Sidekick apply role.

Legal Review Gates

Maintain a registry of templates that require the Legal Review workflow state before web publish.

| Template | Sidekick allowed fields | Legal gate | Forbidden term list |
|---|---|---|---|
| Product Claim Page | Teaser only; not Indications | Required | pharma-forbidden.txt |
| Financial Promo | Headline, CTA label | Required | fin-forbidden.txt |
| Blog Article | Headline, meta, teaser | Optional | brand-forbidden.txt |
| Legal Disclaimer Partial | None | Required manual only | n/a |

Legal approves the prompt pack and enrichment profile whenever a registry row changes its Sidekick allowed fields.
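The role table, workflow states, Connect scope exclusion and registry rows above, combined into one default-deny check for a Sidekick apply. This is an added example, not Sitecore, Sidekick or the author's code; `ApplyRequest`, `authorize_apply` and the reason strings are hypothetical, and treating AI Review and Approved as locked for apply is an assumption.

```python
from dataclasses import dataclass

# Rows transcribed from the template registry table above; field names are
# lower-cased so scope checks are case-insensitive.
REGISTRY = {
    "Product Claim Page": {"teaser"},
    "Financial Promo": {"headline", "cta label"},
    "Blog Article": {"headline", "meta", "teaser"},
    "Legal Disclaimer Partial": set(),  # manual only
}
APPLY_ROLES = {"Author", "Approver"}  # Developer and Legal approver never apply

@dataclass(frozen=True)
class ApplyRequest:  # hypothetical shape, not a Sitecore or Sidekick type
    role: str
    template: str
    field: str
    workflow_state: str
    prompt_approved: bool  # prompt belongs to the promoted, tagged pack
    connect_owned: bool    # field is synced by Connect

def authorize_apply(req: ApplyRequest) -> tuple[bool, str]:
    """Default-deny decision for a Sidekick apply; returns (allowed, reason)."""
    if req.connect_owned:
        return False, "connect-owned field"
    allowed_fields = REGISTRY.get(req.template)
    if allowed_fields is None:
        return False, "template not in registry"
    if req.field.lower() not in allowed_fields:
        return False, "field outside Sidekick scope"
    # Only Draft permits apply; other states are treated as locked (assumption).
    if req.workflow_state != "Draft":
        return False, "apply locked in " + req.workflow_state
    if req.role not in APPLY_ROLES:
        return False, "role may not apply"
    # The role table limits Approvers to approved prompts.
    if req.role == "Approver" and not req.prompt_approved:
        return False, "prompt not approved"
    return True, "ok"

# Constructed sample requests.
SAMPLES = [
    ApplyRequest("Author", "Financial Promo", "Headline", "Draft", True, False),
    ApplyRequest("Author", "Product Claim Page", "Indications", "Draft", True, False),
    ApplyRequest("Author", "Financial Promo", "Headline", "Legal Review", True, False),
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s.template, s.field, s.workflow_state, authorize_apply(s))
```

Logging the returned reason with each denied request gives the audit trail a record of attempted applies as well as successful ones.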

Full Governance Checklist Tables

Pre launch

| Control | Evidence | Owner | Done |
|---|---|---|---|
| Role matrix implemented in Sitecore | Security export PDF | Platform | |
| Workflow states include AI and Legal review | Workflow diagram | Platform | |
| Connect fields read only for authors | Screenshot EE field lock | Platform | |
| Prompt git repo with tag process | Tag prompt-pack-0.1.0 in prod | Developer | |
| Audit fields on legal templates | Template serialization | Developer | |
| Forbidden term CI on fixtures | Pipeline green artifact | QA | |
| Sandbox 90 day retention job | Scheduler config | DevOps | |
| Incident runbook signed by legal | Confluence link | Legal | |

Ongoing quarterly

| Control | Evidence | Owner | Done |
|---|---|---|---|
| Access review Author vs Approver | HR aligned spreadsheet | Security | |
| Prompt pack drift: prod tag vs git | Settings item compare | Platform | |
| Connect field ownership audit | Mapping table sample | Commerce | |
| Legal registry templates match production | Template diff report | Legal | |
| Sandbox PII scan | DLP tool report | DevOps | |
| Tabletop incident exercise | Meeting notes | Compliance | |

Per prompt promotion

| Control | Evidence | Owner | Done |
|---|---|---|---|
| Fixture suite green on staging | CI artifact | QA | |
| Legal sign off on diff if registry template | Ticket approval | Legal | |
| Author release note published | Help topic URL | Editorial | |
| Rollback tag identified | Previous git tag noted | Developer | |

Developer Guardrails

  • No prompt edits directly in production CM without git backport same day.
  • Service accounts named per integration; no shared Sidekick admin password.
  • Production model calls log promptId only; redact source notes in non prod logs.
  • Feature flag to disable Sidekick apply globally without disabling CM.

Data Classification for AI Inputs

Authors paste source notes into Sidekick from internal briefs, clinician interviews, or unreleased product specs. Classify fields in template documentation: Public, Internal, Confidential, Restricted. Sidekick calls for Restricted templates should use private endpoint models with no training retention and no cross tenant logging. Connect enrichment profiles inherit classification: do not send Confidential SKU cost data to a prompt that generates public marketing teaser.

| Field | Classification | Sidekick allowed | Log retention |
|---|---|---|---|
| Source Notes | Internal | Yes, private endpoint | 90 days QA, 7 days prod bodies |
| Public Teaser | Public | Yes | Metadata only prod |
| ERP Cost | Restricted | No | No model call |
| Patient Case Study Notes | Restricted | No without BAA path | Policy specific |

Third Party and Vendor Review

Regulated brands require DPAs and BAAs with model providers. Governance checklist includes: subprocessors list current, data residency matches Sitecore hosting region, breach notification SLA documented, annual vendor questionnaire on AI features. Legal sign off before enabling Sidekick on healthcare templates even in QA with synthetic data.

Evidence for Auditors

Auditors ask for proof controls operated, not only that they existed on paper. Export quarterly:

  • Workflow history report on legal template sample items
  • Prompt pack promotion tickets with legal approval timestamps
  • Connect field override log (should be empty or break glass only)
  • Sidekick disabled incident log if feature flag used
  • Sandbox purge job success log for 90 day retention

Store exports in immutable storage with hash. Link DEC IDs from migration or prompt changes to audit sample period.

Cross Border Publishing

Multi-country Sitecore trees may forbid AI-generated copy in EU markets until a localized prompt pack is reviewed. Use branch security and Sidekick scope rules per country site root. Connect may sync global SKU data while Sidekick prompts differ per language. The field ownership matrix needs a column for jurisdiction.

Board and Executive Reporting

Monthly one page metric summary for leadership: Sidekick apply count, legal workflow reject rate, Connect conflict count, open incidents, prompt pack version in prod. Non technical audience cares about incidents and reject rate trends, not prompt JSON structure.

Penetration Test and Red Team Scope

Include Sidekick API and Connect webhook endpoints in annual pen test scope. Test cases: prompt injection via source notes field, unauthorized Sidekick apply without workflow, webhook signature bypass, IDOR on audit export API if custom built. Remediate before expanding Sidekick to additional templates, not after.

Records Hold and Litigation

When legal hold applies to content subtree, pause sandbox purge jobs for items in hold scope. Audit trail exports for held items continue until hold releases. Document interaction between hold tooling and 90 day Sidekick log retention so ops does not auto delete evidence.
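How the 90-day sandbox purge and a legal hold can interact, as an added example that is not part of the original post or any Sitecore tooling. The record shape, `plan_purge` and the item paths are hypothetical; paths are compared case-insensitively by whole segment (an assumption) so a hold on one subtree does not catch a sibling with a similar name.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # sandbox baseline used in this post
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def under_hold(item_path, hold_roots):
    """True when the item is a held root or sits anywhere below one."""
    path = item_path.rstrip("/").lower() + "/"
    return any(path.startswith(r.rstrip("/").lower() + "/") for r in hold_roots)

def plan_purge(records, hold_roots, now):
    """Sort Sidekick log records into purge, held (expired but kept) and keep."""
    plan = {"purge": [], "held": [], "keep": []}
    for rec in records:
        if now - rec["created"] <= RETENTION:
            plan["keep"].append(rec["id"])
        elif under_hold(rec["item_path"], hold_roots):
            plan["held"].append(rec["id"])  # evidence: never auto delete
        else:
            plan["purge"].append(rec["id"])
    return plan

# Constructed sample data; paths and IDs are placeholders.
HOLD_ROOTS = ["/sitecore/content/BrandA/Claims"]
RECORDS = [
    {"id": "r1", "item_path": "/sitecore/content/BrandA/Claims/Product1",
     "created": datetime(2026, 1, 10, tzinfo=timezone.utc)},
    {"id": "r2", "item_path": "/sitecore/content/BrandA/ClaimsArchive/Old",
     "created": datetime(2026, 1, 10, tzinfo=timezone.utc)},
    {"id": "r3", "item_path": "/sitecore/content/brandA/claims/Product2",
     "created": datetime(2026, 5, 1, tzinfo=timezone.utc)},
    {"id": "r4", "item_path": "/sitecore/content/BrandA/Blog/Post",
     "created": NOW - timedelta(days=90)},
    {"id": "r5", "item_path": "/sitecore/content/BrandA/Blog/Post",
     "created": NOW - timedelta(days=91)},
]

if __name__ == "__main__":
    print(plan_purge(RECORDS, HOLD_ROOTS, NOW))
```

The `held` list is what ops should reconcile against the hold tooling before each purge run; when the hold releases, those records fall into `purge` on the next run.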

Maturity Model

Stage 1: Sidekick suggest only with manual copy. Stage 2: apply on approver with audit fields. Stage 3: Connect and Sidekick field ownership enforced in CM. Stage 4: automated CI plus quarterly auditor evidence pack. Regulated brands should not skip stages. Stage 4 without Stage 2 audit fields fails every compliance review we have seen.

Contractual Language for MSAs

Enterprise MSAs increasingly ask whether AI features send customer content to third party models. Platform legal should attach exhibit listing: model provider name, data residency, retention caps, training opt out status, subprocessors. Match exhibit to actual Sidekick and Connect configuration. Drift between contract and PromptPackVersion settings item is audit finding material.

Offboarding and Access Revocation

When approver leaves company, revoke Sitecore role same day. Quarterly access review catches lag. Sidekick service account passwords rotate on schedule independent of human SSO. Connect webhook secrets rotate when vendor portal allows; update Hub subscription without dual write window longer than one maintenance period.

Integration with Existing GRC Tools

Map Sitecore audit events to ServiceNow or Archer if enterprise GRC mandates central store. Field mapping: Sidekick apply maps to “content change automated”; Connect overwrite maps to “integration data change”. Incidents Sev 1 and 2 open GRC ticket with predefined category for AI content. Reduces duplicate spreadsheets between marketing ops and compliance.

Annual Policy Refresh

Revisit governance checklist when Sitecore releases major AI features, model provider changes, or new regulations affect your vertical. Schedule Q4 working session with legal, platform, and editorial. Update forbidden term lists, retention days if counsel advises, and template registry rows. Export signed PDF of checklist tables for audit binder even if daily operations live in wiki.

Assign checklist owner role rotating yearly so knowledge does not leave with one senior developer. Handoff includes git repo access, Connect flow documentation, and last auditor feedback letter.

Regulated programs should rehearse one tabletop incident per quarter using a synthetic wrong claim scenario. Measure time to unpublish and time to identify prompt pack version. Results feed into executive monthly summary.

Document which checklist rows are in scope for SOC 2 vs FDA vs financial conduct rules if your program spans multiple frameworks. One Sitecore implementation may satisfy overlapping controls with a single audit field design.

Closing Checklist

  • Author, Approver, Developer, and Legal roles defined with Sitecore security evidence
  • Workflow states cover Draft, AI Review, Legal Review, Approved, Archived with Sidekick rules per state
  • Connect owned fields read only in EE and CE for non service accounts
  • Prompt versions tracked via git tags and PromptPackVersion settings item
  • Enrichment profile versions linked in audit trail beside Sidekick prompt version
  • Audit trail captures suggest, apply, Connect update, and break glass events
  • Sandbox Sidekick and DLQ retention capped at 90 days with documented purge job
  • Incident response runbook covers wrong claim, Connect overwrite, and git leak scenarios
  • Field locks in standard values on regulatory boilerplate and identifier fields
  • Legal review gates on template registry with forbidden term lists per vertical
  • Pre launch, quarterly, and per promotion checklist tables assigned to owners