Most North Carolina businesses that are deploying AI tools are doing so faster than their compliance teams can track. That is not a criticism. It reflects the speed at which the tools have become genuinely useful and the pace at which the regulatory landscape has struggled to keep up.
The problem is that the gap between what is deployed and what is documented is exactly where liability accumulates. A Copilot rollout that processes customer data without a data processing agreement. An Azure OpenAI integration that handles protected health information without a BAA in place. An employee-facing chatbot trained on internal documents that include personally identifiable information. None of these is a hypothetical. All of them are patterns we have encountered in Carolinas businesses in the past twelve months.
This post is a field-oriented overview of what North Carolina businesses actually face when they combine AI adoption with the current state and federal privacy landscape. It is not a substitute for legal counsel. It is a starting point for the conversation your IT and compliance teams should be having now, before an incident forces the conversation.
What North Carolina’s privacy landscape looks like today
North Carolina does not have a comprehensive consumer privacy law with the scope of Virginia’s Consumer Data Protection Act or California’s CCPA. That gap is narrowing. Privacy legislation has moved through the General Assembly in recent sessions, and the trajectory of state-level privacy law across the Southeast is clearly toward broader consumer rights frameworks, not away from them.
What North Carolina does have, concretely, is the Identity Theft Protection Act and the NC SHIELD Act amendments that strengthened breach notification requirements in 2023. Here is what those mean in practice.
NC SHIELD Act: updated breach notification rules
The NC SHIELD Act expanded the categories of personal information that trigger mandatory breach notification. The list now includes:
- Social Security numbers and government-issued IDs
- Financial account numbers combined with security or access codes
- Health and medical information
- Biometric data
- Usernames or email addresses combined with passwords or security questions
- Digital signatures
If your organization experiences a breach involving any of these categories, you are required to notify affected North Carolina residents without unreasonable delay, generally interpreted as within 30 days of discovery; treat 30 days as the outer bound when you build the incident response timeline. Notice also goes to the Consumer Protection Division of the NC Attorney General's Office, and when more than 1,000 residents are notified, to the consumer reporting agencies as well. Confirm the current statutory text with counsel before you rely on any of these thresholds.
The AI connection: Microsoft 365 Copilot and Azure AI services do not create new access paths. Copilot answers with content the requesting user can already read across the tenant (mail, OneDrive, SharePoint, Teams), so the exposure comes from permissions that were already too broad: a SharePoint site shared with "Everyone except external users", a Teams channel nobody pruned, a folder of scanned ID documents a finished project left open. If data in the categories above sits behind that kind of access and Copilot surfaces it to someone who should not see it, the notification analysis is the same as for any other unauthorized access. The AI tool does not change the obligation. It widens the surface on which the obligation can be triggered, and shortens the gap between an over-share and its discovery.
Federal sector-specific laws that apply to most Carolinas industries
For the majority of Carolinas businesses we work with, the more immediate compliance pressure comes from federal sector-specific laws rather than state consumer privacy frameworks. The four that come up most often in our engagements:
HIPAA. Healthcare organizations, covered entities, and their business associates across the Carolinas face strict requirements around how protected health information can be processed by third-party tools. If you are a healthcare provider in Greenville, a hospital system in Charlotte, or a medical device company in the Research Triangle and you are deploying AI tools that access or process PHI, you need a Business Associate Agreement with Microsoft. Microsoft's BAA is part of its standard data protection terms for in-scope Microsoft 365 and Azure services rather than a separately negotiated document, which makes the in-scope list the thing that matters: confirm that Copilot and any Azure AI service you plan to use are on it before you deploy, not after.
GLBA. Financial services companies, including mortgage brokers, investment advisors, and insurance companies, must protect customer financial information under the Gramm-Leach-Bliley Act. The FTC’s updated Safeguards Rule, which took effect in 2023, added specific requirements around access controls, encryption, and monitoring that apply directly to AI tool deployments. Charlotte-area financial firms deploying Copilot or Azure AI need to map those tools into their existing GLBA compliance documentation.
FERPA. Educational institutions and the companies that service them handle student records under strict federal rules. The Research Triangle’s significant higher education and edtech sector makes this relevant. AI tools that process student records without proper data processing agreements or that route data through non-FERPA-compliant infrastructure create exposure.
CMMC and DFARS. North Carolina has a substantial defense industrial base around Camp Lejeune, Fort Liberty (formerly Fort Bragg), and the network of defense contractors in the Piedmont and Eastern NC regions. Companies in this ecosystem that handle Controlled Unclassified Information are subject to DFARS and increasingly to CMMC requirements. AI tools introduce new CUI handling questions: what data is the model accessing? Where is processing happening? Is it within a compliant cloud boundary?
Why AI specifically changes the compliance calculus
Privacy compliance for most businesses before AI was largely a question of access controls: who can see what data, and is that access logged? The compliance task was about boundaries and audit trails.
AI tools change the model in three ways that compliance frameworks have not fully caught up with.
AI synthesizes across data sources
A user asking Copilot a question about a client does not access a single record. Copilot surfaces relevant information from emails, documents, Teams messages, calendar entries, and SharePoint content, synthesized into a response. From a privacy standpoint, this is data aggregation happening continuously and at the request of any licensed user.
For companies that have kept data siloed as a compliance strategy, AI can inadvertently collapse those silos. An HR document, a legal memo, and a finance spreadsheet that were never meant to be viewed together can all surface in a single Copilot response. This is one reason why data governance work has to precede AI deployment, not follow it.
AI can surface data that was practically obscured
There is a category of data in most organizations that was “private by obscurity”: the email from 2019, the SharePoint folder nobody visits, the Teams channel from a discontinued project. The data was never deleted, but the practical probability of it being found was low.
AI eliminates practical obscurity. If the data is indexed and accessible, AI will surface it when it is relevant to a query. Personal information, confidential business information, and protected data that lived in low-traffic corners of your Microsoft tenant become fully queryable.
The practical implication: retention policies matter more in an AI environment than they did before. Data you are not required to keep should be deleted. If you do not have a retention policy enforced through Microsoft Purview or an equivalent tool, AI deployment is the forcing function to implement one.
AI creates new data processing relationships
When you use Azure OpenAI Service to build a custom application that processes customer data, you are establishing a data processing relationship with Microsoft’s cloud infrastructure. When you send customer data to a third-party AI API, you are establishing a data processing relationship with that provider. Most privacy frameworks require those relationships to be documented in data processing agreements or data processing addenda.
The number of undocumented AI data processing relationships in the average mid-size business is currently higher than most compliance teams realize. Every developer who integrated an AI API, every team that started using a third-party AI writing tool, every operations team that plugged their data into an AI analytics platform: each of those is a data processing relationship that should be in your vendor inventory.
Where Microsoft 365 and Azure provide a compliance foundation
One of the practical reasons Microsoft AI tools have shorter procurement cycles in regulated industries is the compliance infrastructure that comes with the Microsoft platform. This is not marketing. It is a genuine structural advantage.
Microsoft’s data processing commitments
Microsoft’s Product Terms (which absorbed the former Online Services Terms) and the Microsoft Products and Services Data Protection Addendum (DPA) provide explicit data processing commitments for Microsoft 365 and Azure services. The commitments include:
- Microsoft processes customer data only to provide the contracted services, not to train models or for advertising
- Data residency options that allow organizations to keep data within specific geographic boundaries
- Sub-processor transparency, including the ability to object to new sub-processors
- Support for data subject rights requests
For Copilot specifically: Microsoft has committed that Copilot for Microsoft 365 does not use your tenant data, prompts, or responses to train the underlying language models, and that prompts and the content they pull in are processed within the Microsoft 365 service boundary rather than sent to a consumer AI service. These commitments sit in the Product Terms and the DPA and carry contractual weight, which is why Copilot moves through legal review faster than third-party AI tools with less explicit terms.
Microsoft Purview for data governance
Microsoft Purview is the compliance and data governance layer that sits across Microsoft 365 and Azure. For AI deployments, the most relevant capabilities are:
Sensitivity labels. Copilot honors the encryption and usage rights that sensitivity labels apply. If a label encrypts an item and does not grant the requesting user the EXTRACT usage right, Copilot will not use that item when it builds a response, and Copilot output inherits the most restrictive label of the items it drew on. A label that only marks content (header, footer, watermark) without encryption does not restrict Copilot by itself, which is the gap most rollouts discover late.
Data Loss Prevention policies. Purview DLP has a Microsoft 365 Copilot location: a rule that conditions on a sensitivity label stops Copilot from using matching items, including labeled items that are not encrypted. DLP for Copilot keys on labels today, not on pattern matching over the generated answer, so sensitive information types (SSNs, card numbers, medical record numbers) are still enforced where they always were: on the documents, mail and Teams messages themselves. Endpoint DLP extends that to blocking the paste of those types into browser-based AI tools you have not sanctioned.
Retention and deletion policies. Enforced retention policies ensure that AI tools do not surface data that should have been deleted. The distinction that matters is retain versus delete: a policy that only preserves content keeps it indexed and therefore queryable, while automated deletion at the end of the retention period actually shrinks the footprint Copilot can reach.
Audit logs. Copilot prompts and responses are recorded in the unified audit log as CopilotInteraction events, including which files, messages and sites were accessed to produce the answer. If you face a breach notification question or a regulatory inquiry about what data was accessed, that is the record you will work from. Retention of the log itself is limited (180 days with Audit Standard, longer with Audit Premium), so export or forward the records to your SIEM if an investigation may need to look back further.
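A worked example of what "the audit trail is available" looks like in practice, added here and not code from the original post, Devsoft, or Microsoft: it triages the AuditData JSON carried by CopilotInteraction records (as exported with Search-UnifiedAuditLog -RecordType CopilotInteraction) and reports every Copilot answer that drew on a resource carrying a restricted sensitivity label, flagging the ones by users outside the label's expected audience. The record shape assumed (a CopilotEventData object with an AccessedResources list whose items carry Name, Type and SensitivityLabelId) follows the documented CopilotInteraction schema, but verify the field names against a live export before relying on them. The label GUIDs, users, allow-lists and records are constructed for the example.

```python
"""
Triage Microsoft 365 Copilot audit records for access to labelled content.

Added example (not Devsoft's or Microsoft's code). Works on the AuditData
JSON string of CopilotInteraction records from Search-UnifiedAuditLog and
assumes the documented shape: CopilotEventData.AccessedResources[] with
Name, Type and SensitivityLabelId. Labels, users and records are constructed.
"""
import json
from collections import Counter

# Constructed label GUIDs. In a real tenant take them from Get-Label or the
# Purview portal; the audit record carries the GUID, not the display name.
RESTRICTED_LABELS = {
    "11111111-1111-1111-1111-111111111111": "Highly Confidential - PHI",
    "22222222-2222-2222-2222-222222222222": "Confidential - HR",
}

# Who is expected to see each label (constructed). Access by anyone else is
# the finding a notification analysis actually cares about.
ALLOWED_USERS = {
    "11111111-1111-1111-1111-111111111111": {"alice@contoso.example"},
    "22222222-2222-2222-2222-222222222222": {"hr-lead@contoso.example"},
}


def _audit(user, app, resources, time="2025-03-04T14:02:11"):
    """Build one constructed AuditData string in the CopilotInteraction shape."""
    rec = {"CreationTime": time, "Operation": "CopilotInteraction",
           "UserId": user, "Workload": "Copilot"}
    if resources is not None:
        rec["CopilotEventData"] = {"AppHost": app, "AccessedResources": resources}
    return json.dumps(rec)


SAMPLE_AUDIT_DATA = [
    _audit("alice@contoso.example", "Word", [
        {"Id": "doc-001", "Name": "Q3 board deck.pptx", "Type": "PowerPoint"},
        {"Id": "doc-002", "Name": "Patient intake 2024.xlsx", "Type": "Excel",
         "SensitivityLabelId": "11111111-1111-1111-1111-111111111111"},
    ]),
    _audit("Bob@Contoso.example", "BizChat", [
        {"Id": "doc-003", "Name": "2024 salary review.docx", "Type": "Word",
         "SensitivityLabelId": "22222222-2222-2222-2222-222222222222"},
    ]),
    _audit("alice@contoso.example", "Teams", []),    # prompt touched no files
    _audit("carol@contoso.example", "Word", [
        {"Id": "doc-004", "Name": "Holiday schedule.docx", "Type": "Word",
         "SensitivityLabelId": "33333333-3333-3333-3333-333333333333"},  # General
    ]),
    _audit("dave@contoso.example", "Outlook", None),  # no CopilotEventData
]


def parse_record(audit_data: str) -> dict:
    """Reduce one AuditData string to the fields triage needs. Records with
    no CopilotEventData or no AccessedResources yield an empty resource list
    rather than raising, so one odd record cannot abort a whole export."""
    rec = json.loads(audit_data)
    event = rec.get("CopilotEventData") or {}
    resources = [{"id": r.get("Id", ""), "name": r.get("Name", "<unnamed>"),
                  "type": r.get("Type", ""), "label_id": r.get("SensitivityLabelId")}
                 for r in event.get("AccessedResources") or []]
    return {"time": rec.get("CreationTime", ""),
            "user": (rec.get("UserId") or "").lower(),   # UPNs vary in case
            "app": event.get("AppHost", ""), "resources": resources}


def flag_restricted_access(audit_data_list, restricted=RESTRICTED_LABELS,
                           allowed=ALLOWED_USERS) -> list:
    """One finding per (interaction, restricted resource). 'unexpected' is
    True when the label has an allow-list and the user is not on it."""
    findings = []
    for raw in audit_data_list:
        rec = parse_record(raw)
        for res in rec["resources"]:
            label = restricted.get(res["label_id"])
            if label is None:
                continue
            audience = allowed.get(res["label_id"])
            findings.append({"time": rec["time"], "user": rec["user"],
                             "app": rec["app"], "resource": res["name"],
                             "label": label,
                             "unexpected": audience is not None
                             and rec["user"] not in audience})
    return findings


def summarize_by_user(findings) -> dict:
    """Count of restricted-label touches per user, for the weekly review."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    hits = flag_restricted_access(SAMPLE_AUDIT_DATA)
    for f in hits:
        flag = "UNEXPECTED" if f["unexpected"] else "expected"
        print(f"{f['time']} {f['user']:<24} {f['app']:<8} {f['label']:<28} "
              f"{f['resource']} [{flag}]")
    print(summarize_by_user(hits))
```

In a real tenant the loop would iterate over the AuditData property of each object returned by Search-UnifiedAuditLog rather than the constructed list, and the allow-lists would come from the group memberships that already gate the labeled sites. The finding to act on is the unexpected one: it tells you a labeled item was readable by someone outside its intended audience before Copilot touched it, which is a permissions problem to fix at the source, not a Copilot problem.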
Azure’s compliance certifications
For organizations building custom AI applications on Azure, the platform’s compliance attestations reduce the scoping burden. Azure holds FedRAMP authorizations, SOC 2 reports, and ISO 27001 certification, offers a HIPAA BAA for in-scope services, and maps to a long list of additional frameworks. When you build on Azure rather than a less-certified alternative, your custom AI application inherits the platform-level controls for the infrastructure it runs on. It does not inherit controls for the parts you own: how you configure the model endpoint, what you log, who can reach the application, and what data you send it are still yours to document and defend under the shared responsibility model.
This is particularly relevant for Carolinas defense contractors pursuing CMMC compliance and for healthcare organizations that need HIPAA-covered infrastructure. Azure Government and Microsoft 365 Government Community Cloud (GCC) and GCC High provide additional boundaries for the most sensitive regulated workloads.
The gaps most Carolinas businesses have not closed
Based on the assessments we have conducted for mid-market organizations in North and South Carolina over the past year, the most common compliance gaps in AI deployments are not about the technology configuration. They are about documentation and process.
Unsanctioned AI tools outside the vendor inventory
Most organizations have an IT-sanctioned AI deployment (often Copilot or an Azure service) and a separate, larger, informal set of AI tools that employees are using without IT or compliance review: Grammarly, ChatGPT, AI writing assistants built into applications, browser extensions that use AI to summarize content. These tools are processing company data, often including personal information, and they are not in the vendor inventory.
The first step is not to ban the unsanctioned tools. That rarely works. The first step is to inventory them, assess which ones are processing regulated data, and either bring them within the compliance framework or replace them with sanctioned alternatives.
Data processing agreements not updated for AI
If your vendor inventory and data processing agreements were last reviewed before 2023, they almost certainly do not address AI processing. Existing SaaS vendors have been adding AI features to products without always updating their DPAs. It is worth reviewing the AI-related terms for the top 20 to 30 vendors you share personal data with.
For Microsoft specifically, review whether you have executed the Microsoft DPA and confirmed that it covers the specific Microsoft 365 and Azure services where you are using AI features.
No AI-specific section in the privacy policy
For organizations that collect personal information from customers or website visitors, the privacy policy needs to address AI. What AI tools process personal data? What is that data used for? Does AI processing change the retention period? These are questions your privacy policy should answer before a customer or regulator asks them.
NC SHIELD and sector-specific laws do not yet mandate AI-specific privacy disclosures in most contexts, but the direction of regulation is toward more disclosure, not less. Getting ahead of this now is lower cost than retrofitting it after legislation requires it.
Incident response plans that do not cover AI scenarios
Your incident response plan likely covers traditional breach scenarios. Does it cover scenarios specific to AI? Examples include: an AI tool surfaces personal information to an unauthorized user, AI-generated output includes data that violates a confidentiality obligation, or a third-party AI API experiences a breach affecting data you submitted.
These scenarios are different enough from traditional breach scenarios that they warrant a specific section in your incident response documentation.
Industry-specific considerations for Carolinas businesses
Healthcare and life sciences (RTP, Greenville, Charlotte)
The Research Triangle’s biotech and life sciences sector and the healthcare systems operating across the Carolinas face the most immediate AI compliance pressure. HIPAA requirements are specific and the penalties for non-compliance are material.
The practical checklist for healthcare AI deployment: confirm BAA coverage before deploying, use sensitivity labels to tag PHI in Microsoft 365, configure DLP policies to prevent PHI from appearing in AI outputs where it should not, and document the AI tools in your HIPAA risk assessment.
Financial services (Charlotte)
Charlotte-area financial services firms, from regional banks to mortgage brokers to investment advisors, need to map AI tool deployments into their GLBA Safeguards Rule compliance programs. The updated Safeguards Rule requires a qualified individual (effectively, a security lead or CISO equivalent) to oversee the information security program, including AI tools that process customer financial information.
For larger Charlotte financial institutions subject to OCC or FDIC oversight, the 2023 interagency guidance on third-party risk management and the long-standing model risk management guidance (SR 11-7 / OCC Bulletin 2011-12) together provide a framework for governing AI vendors and models that maps reasonably well to Microsoft’s Responsible AI Standard.
Defense contractors (Eastern NC, Piedmont)
The defense industrial base in Eastern North Carolina and the Piedmont region is at the leading edge of AI compliance pressure for a different reason. CMMC Level 2 requires protection of CUI in a way that is specific about cloud boundaries, access controls, and audit trails. AI tools introduce new questions about where CUI is processed and who can access it.
Microsoft 365 GCC and Azure Government are the usual cloud environments for CMMC Level 2 workloads, with GCC High the common choice when the CUI includes export-controlled data or when DFARS 252.204-7012 incident reporting obligations flow down to you. If you are a defense contractor using commercial Microsoft 365 or commercial Azure for workloads that touch CUI, and you have AI features enabled, that is a boundary issue that needs to be addressed before your CMMC assessment. Copilot and Azure AI service availability and data boundaries also differ between commercial, GCC and GCC High, so verify what is available in your environment rather than assuming parity with commercial.
Manufacturing (Upstate SC, Greenville NC)
Manufacturing companies face a different AI compliance profile. The primary concern is trade secrets and operational technology data rather than consumer personal information. When AI tools ingest manufacturing process data, quality control data, or supplier information, the applicable legal frameworks are more about trade secret protection and contract obligations than consumer privacy law.
The practical question for Greenville area manufacturers: what data are your AI tools accessing, and is any of it covered by NDA or trade secret protections that restrict how it can be processed or where it can be stored?
A practical starting point
The compliance work around AI does not have to be done all at once. The sequence that makes sense for most Carolinas businesses:
First: inventory what you have. Catalog the AI tools in use across the organization, both IT-sanctioned and employee-adopted. For each tool, identify what categories of data it accesses and whether those categories are regulated.
Second: confirm data processing agreements. For any AI tool touching regulated data, verify that you have a current data processing agreement or DPA that explicitly covers AI processing. For Microsoft services, confirm that the Microsoft DPA is executed and review the Copilot-specific terms.
Third: implement the Microsoft Purview baseline. If you are using Microsoft 365, sensitivity labels, DLP policies for regulated data types, and audit logging for Copilot are the three controls that give you the most compliance coverage for the least implementation effort.
Fourth: update your documentation. Add AI tools to your privacy policy, your vendor inventory, your incident response plan, and your HIPAA risk assessment (if applicable). The goal is that your compliance documentation reflects your actual technology footprint.
Fifth: establish a review cadence. The AI landscape and the regulatory response to it are both moving fast. A quarterly review of new AI tools deployed and their compliance status is a reasonable cadence for most organizations.
The regulatory direction to watch
North Carolina’s legislature has introduced and debated comprehensive consumer privacy legislation in multiple recent sessions. The trend across neighboring states is toward passage: Virginia’s CDPA has been in effect since January 2023, Tennessee and Texas have passed comprehensive frameworks, and the Southeast is moving in the same direction as the Mid-Atlantic and West Coast.
When North Carolina does pass a comprehensive consumer privacy law, the requirements will likely include consumer rights to access, delete, and opt out of sale or processing of personal data. They will likely impose data minimization and purpose limitation requirements that interact directly with how AI tools are configured to access organizational data.
Businesses that have done the foundational work now, including data governance with Purview, data processing agreement reviews, and retention policy enforcement, will be in a much better position when that law takes effect than businesses starting from scratch. The compliance infrastructure is not wasted effort. It is preparation for a regulatory environment that is moving toward them.
Devsoft Solutions works with businesses across North and South Carolina on Microsoft 365 compliance, Azure deployments, and AI implementation within regulated industries. If you are navigating AI adoption alongside compliance requirements, reach out to our team.