{
  "edition": {
    "key": "2026-Q2",
    "label": "Q2 2026 — Inaugural Edition",
    "publishedDate": "2026-05-13",
    "vendorCount": 25,
    "highlights": [
      "25 vendors scored across foundation models, productivity, legal, healthcare, and banking categories",
      "Banking-vertical coverage added in v1.2 (FICO Falcon Fraud Manager + FICO Score AI, Zest AI, Upstart, Hummingbird, Unit21) — SR 11-7 ×2 sector weight applies",
      "Best-in-class composite: Abridge (healthcare, A grade) — only vendor with explicit HHS-OCR Section 1557 algorithmic non-discrimination engagement",
      "No vendor in the inaugural edition holds ISO/IEC 42001 attestation — the largest cross-category gap",
      "Sector-vertical vendors (legal, healthcare, banking) outperform foundation models on the composite because of sector-overlay weight amplification",
      "Upstart is the only vendor in the Index with a CFPB no-action letter history — uniquely deep fair-lending audit defensibility"
    ],
    "nextEditionTarget": "2026-Q3"
  },
  "methodology": {
    "url": "https://efros.com/research/us-ai-vendor-governance-index/methodology/",
    "axes": [
      {
        "key": "baa",
        "label": "BAA / DPA available",
        "weightBaseline": 1
      },
      {
        "key": "trainingOptOut",
        "label": "Training-data opt-out",
        "weightBaseline": 1
      },
      {
        "key": "usDataResidency",
        "label": "US data residency option",
        "weightBaseline": 1
      },
      {
        "key": "soc2",
        "label": "SOC 2 Type II report",
        "weightBaseline": 1
      },
      {
        "key": "iso42001",
        "label": "ISO/IEC 42001 attestation",
        "weightBaseline": 1
      },
      {
        "key": "nistAiRmf",
        "label": "NIST AI RMF self-attestation",
        "weightBaseline": 1
      },
      {
        "key": "coloradoAiAct",
        "label": "Colorado AI Act readiness",
        "weightBaseline": 1
      },
      {
        "key": "section1557",
        "label": "HHS-OCR Section 1557 readiness",
        "weightBaseline": 1
      },
      {
        "key": "sr117",
        "label": "FRB SR 11-7 readiness",
        "weightBaseline": 1
      },
      {
        "key": "abaOp512",
        "label": "ABA Formal Op 512 readiness",
        "weightBaseline": 1
      },
      {
        "key": "subprocessor",
        "label": "Subprocessor list public",
        "weightBaseline": 1
      }
    ],
    "sectorWeights": {
      "healthcare": {
        "section1557": 2,
        "baa": 1.5
      },
      "legal": {
        "abaOp512": 2,
        "baa": 1.5
      },
      "banking": {
        "sr117": 2,
        "baa": 1.5
      }
    },
    "gradeThresholds": {
      "A": 85,
      "B": 70,
      "C": 55,
      "D": 40,
      "F": 0
    },
    "trustCenterContribution": 0.1,
    "scoringRubric": {
      "yes": 1,
      "partial": 0.5,
      "no": 0,
      "na": null
    },
    "frameworks": [
      "NIST AI Risk Management Framework (AI RMF 1.0)",
      "Colorado AI Act (SB 24-205)",
      "HIPAA Business Associate Agreement requirements",
      "HHS-OCR Section 1557 Final Rule (May 2024)",
      "Federal Reserve SR 11-7 model risk management",
      "ABA Formal Opinion 512 (generative AI in legal practice)",
      "SOC 2 Type II",
      "ISO/IEC 42001 AI management systems"
    ]
  },
  "vendors": [
    {
      "slug": "openai-chatgpt",
      "name": "OpenAI ChatGPT & API",
      "vendor": "OpenAI, L.L.C.",
      "category": "foundation",
      "primarySector": "general",
      "homepage": "https://openai.com",
      "trustCenter": "https://trust.openai.com",
      "enterpriseTier": "ChatGPT Enterprise, ChatGPT Team, ChatGPT Edu, OpenAI API (paid)",
      "consumerTier": "ChatGPT Free, ChatGPT Plus",
      "shortDescription": "GPT-class foundation models delivered via ChatGPT consumer/enterprise tiers and a developer API. The most-deployed generative AI vendor in US enterprise.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/openai-chatgpt/",
      "composite": {
        "score": 53,
        "grade": "D",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "partial",
          "note": "BAA available for ChatGPT Enterprise and OpenAI API on opt-in. ChatGPT Free, Plus, and Team have no BAA — never use for PHI.",
          "source": "OpenAI Enterprise Privacy",
          "sourceUrl": "https://openai.com/enterprise-privacy/"
        },
        "trainingOptOut": {
          "status": "partial",
          "note": "Enterprise/Team/API default to no-train on customer data. ChatGPT Plus and Free require manual opt-out via settings (data still used for safety/abuse monitoring).",
          "source": "OpenAI Data Controls FAQ",
          "sourceUrl": "https://help.openai.com/en/articles/7039943-data-controls-faq"
        },
        "usDataResidency": {
          "status": "partial",
          "note": "Data Residency in the US available for ChatGPT Enterprise/Edu and API. Not default — must be configured.",
          "source": "OpenAI Data Residency announcement",
          "sourceUrl": "https://openai.com/index/introducing-data-residency-in-the-us/"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II report available through OpenAI Trust Portal under NDA. ISO 27001:2022, 27017, 27018 also held.",
          "source": "OpenAI Trust Portal",
          "sourceUrl": "https://trust.openai.com"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026. OpenAI publishes a Preparedness Framework and Model Spec but no third-party AI MS audit.",
          "source": "OpenAI Trust Portal certificate index",
          "sourceUrl": "https://trust.openai.com"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Public alignment via OpenAI's Preparedness Framework and Model Spec. No formal NIST AI RMF self-attestation document.",
          "source": "OpenAI Preparedness Framework",
          "sourceUrl": "https://openai.com/safety/"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No public Colorado AI Act SB 24-205 compliance statement. Downstream deployers using OpenAI in high-risk decisions carry the compliance burden.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Foundation model — downstream healthcare deployer owns Section 1557 algorithmic non-discrimination obligation.",
          "source": "HHS-OCR Section 1557 Final Rule (May 2024) — deployer scope"
        },
        "sr117": {
          "status": "na",
          "note": "Foundation model — downstream financial institution owns SR 11-7 validation responsibility.",
          "source": "FRB SR 11-7 — deployer scope"
        },
        "abaOp512": {
          "status": "na",
          "note": "Foundation model — downstream law firm owns ABA Formal Opinion 512 obligation.",
          "source": "ABA Formal Op 512 — practitioner scope"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public (Microsoft Azure hosting, Stripe billing, Snowflake analytics, etc.).",
          "source": "OpenAI Enterprise Privacy — Subprocessors",
          "sourceUrl": "https://openai.com/enterprise-privacy/"
        },
        "trustCenter": {
          "score": 4,
          "note": "Active trust portal at trust.openai.com — audit reports under NDA, security whitepaper, public policy documents. Falls short of a 5 because no public ISO 42001 or Colorado AI Act statement yet.",
          "source": "OpenAI Trust Portal",
          "sourceUrl": "https://trust.openai.com"
        }
      },
      "deepDive": {
        "overview": "OpenAI is the highest-volume US AI vendor in regulated buyer pipelines. The governance posture is strong on the enterprise tier (BAA, no-train default, US data residency, SOC 2 + ISO 27k stack) and weak on consumer (no BAA, manual opt-out, no residency control). The single biggest deployment risk we see is staff using consumer ChatGPT for work where Enterprise was assumed.",
        "strengths": [
          "BAA available for ChatGPT Enterprise + API",
          "Default no-train on customer data at Enterprise/Team/API tiers",
          "Mature trust portal with under-NDA audit reports",
          "US data residency option for enterprise customers"
        ],
        "weaknesses": [
          "No BAA on Plus/Team/Free — common shadow-AI source",
          "No ISO/IEC 42001 attestation as of May 2026",
          "No public Colorado AI Act compliance statement",
          "Sector-specific readiness (Section 1557, SR 11-7, ABA Op 512) is deployer responsibility — no vendor-side support"
        ],
        "bestUseCase": "Regulated organizations that have already standardized on ChatGPT Enterprise with the BAA in place, training opt-out enforced, and Data Residency in the US enabled — and have eliminated shadow consumer-tier use through DLP + identity policy.",
        "avoidWhen": "PHI workflows on ChatGPT Plus, Team, or Free; clinical decision support without a separately validated Section 1557 layer; bank credit decisioning without an SR 11-7 wrapper on top."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "anthropic-claude",
      "name": "Anthropic Claude",
      "vendor": "Anthropic, PBC",
      "category": "foundation",
      "primarySector": "general",
      "homepage": "https://www.anthropic.com",
      "trustCenter": "https://trust.anthropic.com",
      "enterpriseTier": "Claude for Work (Team, Enterprise), Anthropic API (paid)",
      "consumerTier": "Claude Free, Claude Pro",
      "shortDescription": "Claude foundation model family delivered via claude.ai (Free/Pro/Team/Enterprise) and a developer API. Differentiated on Constitutional AI training and safety research orientation.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/anthropic-claude/",
      "composite": {
        "score": 58,
        "grade": "C",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "partial",
          "note": "BAA available for Claude for Work Enterprise and Anthropic API on opt-in. Free and Pro tiers have no BAA.",
          "source": "Anthropic Trust Center — HIPAA",
          "sourceUrl": "https://trust.anthropic.com"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Default no-train across all paid tiers and the API. Free/Pro consumer prompts also not used for training by default since 2024.",
          "source": "Anthropic Privacy Policy",
          "sourceUrl": "https://www.anthropic.com/legal/privacy"
        },
        "usDataResidency": {
          "status": "partial",
          "note": "Hosted on AWS US-East. No documented residency configuration option for enterprise customers as of May 2026.",
          "source": "Anthropic Trust Center",
          "sourceUrl": "https://trust.anthropic.com"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II report available through the Anthropic Trust Center under NDA. ISO 27001:2022 also held.",
          "source": "Anthropic Trust Center",
          "sourceUrl": "https://trust.anthropic.com"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Anthropic Trust Center certificate list",
          "sourceUrl": "https://trust.anthropic.com"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Public alignment through Anthropic's Responsible Scaling Policy and Acceptable Use Policy. No formal NIST AI RMF self-attestation.",
          "source": "Anthropic Responsible Scaling Policy",
          "sourceUrl": "https://www.anthropic.com/news/anthropics-responsible-scaling-policy"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No public Colorado AI Act SB 24-205 compliance statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Foundation model — downstream healthcare deployer owns Section 1557 obligation.",
          "source": "HHS-OCR Section 1557 — deployer scope"
        },
        "sr117": {
          "status": "na",
          "note": "Foundation model — downstream financial institution owns SR 11-7 validation.",
          "source": "FRB SR 11-7 — deployer scope"
        },
        "abaOp512": {
          "status": "na",
          "note": "Foundation model — downstream law firm owns ABA Formal Opinion 512 obligation.",
          "source": "ABA Formal Op 512 — practitioner scope"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public via trust center (AWS, Google Cloud, billing/payments processors).",
          "source": "Anthropic Trust Center — Subprocessors",
          "sourceUrl": "https://trust.anthropic.com"
        },
        "trustCenter": {
          "score": 4,
          "note": "Active trust center with NDA-gated audit reports, public Responsible Scaling Policy and Usage Policy. No public ISO 42001 or Colorado AI Act statement.",
          "source": "Anthropic Trust Center",
          "sourceUrl": "https://trust.anthropic.com"
        }
      },
      "deepDive": {
        "overview": "Anthropic's posture is the closest peer to OpenAI's on enterprise governance. The differentiator is the explicit safety-research orientation — Constitutional AI, Responsible Scaling Policy, public model behavior commitments. Default no-train across all tiers is a meaningful win versus OpenAI's opt-out-required consumer tiers. Residency configurability is weaker than OpenAI's.",
        "strengths": [
          "Default no-train across all tiers, including consumer",
          "BAA available for Claude for Work Enterprise + API",
          "Responsible Scaling Policy is the most explicit public AI safety commitment of any foundation vendor",
          "SOC 2 Type II + ISO 27001"
        ],
        "weaknesses": [
          "No US data residency configuration option",
          "No ISO/IEC 42001",
          "No Colorado AI Act compliance statement",
          "BAA only on Enterprise + API — shadow-AI risk on Pro/Free tiers"
        ],
        "bestUseCase": "Regulated organizations adopting Claude for Work Enterprise with the BAA, where default no-train across all tiers reduces the consumer-tier leakage risk. Strongest fit for organizations where the Responsible Scaling Policy aligns with internal AI safety governance.",
        "avoidWhen": "Strict US-data-residency requirements where the contract calls for documented residency control (Anthropic has less mature residency configurability than OpenAI Enterprise)."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "google-gemini",
      "name": "Google Gemini for Workspace",
      "vendor": "Google LLC",
      "category": "foundation",
      "primarySector": "general",
      "homepage": "https://gemini.google.com",
      "trustCenter": "https://cloud.google.com/trust-center",
      "enterpriseTier": "Gemini for Workspace (Enterprise, Business), Vertex AI",
      "consumerTier": "Gemini consumer (gemini.google.com)",
      "shortDescription": "Gemini foundation models delivered through Google Workspace integration (Docs, Gmail, Drive) and the Vertex AI developer platform. Strongest appeal for Workspace-standardized organizations.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/google-gemini/",
      "composite": {
        "score": 58,
        "grade": "C",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "partial",
          "note": "BAA available for Gemini for Workspace and Vertex AI when covered under the existing Google Workspace BAA. Consumer Gemini at gemini.google.com is not BAA-covered.",
          "source": "Google Cloud HIPAA Compliance",
          "sourceUrl": "https://cloud.google.com/security/compliance/hipaa"
        },
        "trainingOptOut": {
          "status": "partial",
          "note": "Workspace and Vertex AI inputs are not used to train consumer models. Consumer Gemini conversations are stored and may be reviewed for product improvement unless manually disabled.",
          "source": "Google Gemini Apps Privacy",
          "sourceUrl": "https://support.google.com/gemini/answer/13594961"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "Vertex AI and Workspace support US data residency through Google Cloud regions. Documented configuration option.",
          "source": "Google Cloud Data Residency",
          "sourceUrl": "https://cloud.google.com/security/compliance/data-residency"
        },
        "soc2": {
          "status": "yes",
          "note": "Google Cloud holds SOC 2 Type II, SOC 3, ISO 27001/17/18. Reports available through Compliance Reports Manager.",
          "source": "Google Cloud Compliance",
          "sourceUrl": "https://cloud.google.com/security/compliance"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation for Gemini/Vertex AI as of May 2026.",
          "source": "Google Cloud Compliance"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Public mapping through Google's AI Principles and the Google Cloud Secure AI Framework (SAIF). No formal NIST AI RMF self-attestation document.",
          "source": "Google Secure AI Framework",
          "sourceUrl": "https://safety.google/cybersecurity-advancements/saif/"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No public Colorado AI Act compliance statement for Gemini.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Foundation model — downstream healthcare deployer owns Section 1557 obligation. (Med-PaLM is a separate offering with distinct posture.)",
          "source": "HHS-OCR Section 1557 — deployer scope"
        },
        "sr117": {
          "status": "na",
          "note": "Foundation model — downstream financial institution owns SR 11-7 validation.",
          "source": "FRB SR 11-7 — deployer scope"
        },
        "abaOp512": {
          "status": "na",
          "note": "Foundation model — downstream law firm owns ABA Formal Opinion 512 obligation.",
          "source": "ABA Formal Op 512 — practitioner scope"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Google Cloud subprocessor list public and granular.",
          "source": "Google Cloud Subprocessors",
          "sourceUrl": "https://cloud.google.com/terms/subprocessors"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature Google Cloud trust center, broad compliance coverage. Loses a point because Gemini-specific AI governance documentation (Colorado AI Act, ISO 42001) lags behind cloud-side posture.",
          "source": "Google Cloud Trust Center",
          "sourceUrl": "https://cloud.google.com/trust-center"
        }
      },
      "deepDive": {
        "overview": "Gemini's governance posture inherits from Google Cloud — strong on certifications, US residency, subprocessor transparency, BAA coverage. AI-specific governance (Colorado AI Act, ISO 42001) lags behind cloud-side maturity. The strongest fit is Workspace-standardized organizations where Gemini is a configuration toggle rather than a new vendor relationship.",
        "strengths": [
          "BAA via Google Workspace inheritance",
          "Mature US data residency via Vertex AI / Workspace",
          "Strong subprocessor transparency",
          "Cloud-side SOC 2 + ISO 27k coverage"
        ],
        "weaknesses": [
          "No ISO/IEC 42001 attestation",
          "No Colorado AI Act compliance statement",
          "Consumer Gemini has weaker default privacy posture",
          "AI-governance documentation behind cloud-side maturity"
        ],
        "bestUseCase": "Workspace-standardized organizations that already have a Google Workspace BAA and US data-residency settings configured — Gemini deployment is a contract-line-item exercise rather than a new vendor onboarding.",
        "avoidWhen": "Organizations without Google Workspace standardization — the cloud-side posture is what makes Gemini governance work, and bolting it onto a non-Google environment loses most of the advantage."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "meta-llama",
      "name": "Meta Llama",
      "vendor": "Meta Platforms, Inc.",
      "category": "foundation",
      "primarySector": "general",
      "homepage": "https://llama.com",
      "trustCenter": null,
      "enterpriseTier": "Self-hosted (open weights) or cloud-hosted via Bedrock, Azure AI, Vertex AI, Together, Fireworks, Groq",
      "consumerTier": "Meta AI consumer (meta.ai)",
      "shortDescription": "Open-weight foundation model family (Llama 3.x, Llama 4) distributed under a community license. Used primarily as a self-hosted or partner-hosted alternative to API-only vendors.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/meta-llama/",
      "composite": {
        "score": 25,
        "grade": "F",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.25
      },
      "scoring": {
        "baa": {
          "status": "no",
          "note": "Meta does not offer a BAA directly. BAA must be obtained from the hosting partner (AWS Bedrock, Azure AI Studio, GCP Vertex) where Llama is deployed. Self-hosted deployments shift the entire BAA burden to the deploying organization.",
          "source": "Meta Llama Community License",
          "sourceUrl": "https://llama.com/llama3/license"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Open weights — no training feedback loop to Meta. Inputs to your hosted deployment never leave your tenant.",
          "source": "Meta Llama license terms"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "Self-hosted or partner-hosted on a US region — deploying organization controls residency entirely.",
          "source": "Deployment-controlled"
        },
        "soc2": {
          "status": "no",
          "note": "Meta does not provide SOC 2 for Llama directly. Hosting partner (AWS/Azure/GCP) provides cloud-side SOC 2.",
          "source": "Meta Trust Center"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No NIST AI RMF self-attestation. Meta publishes Responsible Use Guide and Model Card; deploying organization performs RMF mapping.",
          "source": "Meta Responsible Use Guide",
          "sourceUrl": "https://llama.com/responsible-use-guide/"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act compliance statement. Deployer responsibility entirely.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Foundation model — Section 1557 is deployer responsibility.",
          "source": "HHS-OCR Section 1557 — deployer scope"
        },
        "sr117": {
          "status": "na",
          "note": "Foundation model — SR 11-7 is deployer responsibility.",
          "source": "FRB SR 11-7 — deployer scope"
        },
        "abaOp512": {
          "status": "na",
          "note": "Foundation model — ABA Op 512 is deployer responsibility.",
          "source": "ABA Formal Op 512 — practitioner scope"
        },
        "subprocessor": {
          "status": "no",
          "note": "Self-hosted: no Meta subprocessor chain. Partner-hosted: hosting partner's subprocessor list applies.",
          "source": "Deployment-controlled"
        },
        "trustCenter": {
          "score": 2,
          "note": "Meta publishes Responsible Use Guide, model cards, license terms. No trust portal in the OpenAI/Anthropic sense. Compliance posture lives at the hosting layer.",
          "source": "llama.com",
          "sourceUrl": "https://llama.com"
        }
      },
      "deepDive": {
        "overview": "Llama scores poorly on a vendor-governance scorecard because Meta delegates governance to the deploying organization. This is by design — open weights mean the deployer owns the entire stack. The right way to evaluate Llama is to score the hosting partner (AWS Bedrock, Azure AI, Vertex AI) instead, because that's where the BAA, SOC 2, residency, and subprocessor controls actually live.",
        "strengths": [
          "Open weights — full deployer control of data, residency, retention",
          "No training feedback loop to Meta",
          "Cost advantage at scale via self-hosting"
        ],
        "weaknesses": [
          "No vendor-side BAA, SOC 2, residency, or subprocessor controls",
          "Deployer owns 100% of governance burden",
          "No NIST AI RMF self-attestation, no Colorado AI Act statement"
        ],
        "bestUseCase": "Organizations with mature ML/AI platform teams that need full data control, are running on-prem or sovereign-cloud workloads, or have validated hosting on AWS Bedrock / Azure AI Studio / GCP Vertex with the hosting partner's BAA in place.",
        "avoidWhen": "Smaller organizations without an internal AI platform team. The cost of building deployer-side governance on top of Llama exceeds the cost of paying for OpenAI Enterprise or Claude for Work in most mid-market scenarios."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "perplexity",
      "name": "Perplexity AI",
      "vendor": "Perplexity AI, Inc.",
      "category": "foundation",
      "primarySector": "general",
      "homepage": "https://www.perplexity.ai",
      "trustCenter": null,
      "enterpriseTier": "Perplexity Enterprise Pro, Perplexity API (Sonar)",
      "consumerTier": "Perplexity Free, Perplexity Pro",
      "shortDescription": "Answer engine combining proprietary retrieval with multiple foundation models (GPT, Claude, Sonar). Differentiated on citation-grounded responses over raw chat.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/perplexity/",
      "composite": {
        "score": 19,
        "grade": "F",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.25
      },
      "scoring": {
        "baa": {
          "status": "no",
          "note": "No BAA available as of May 2026 — Perplexity is not a HIPAA business associate. Do not use for PHI workflows.",
          "source": "Perplexity Privacy Policy",
          "sourceUrl": "https://www.perplexity.ai/hub/legal/privacy-policy"
        },
        "trainingOptOut": {
          "status": "partial",
          "note": "Enterprise Pro contract terms exclude customer data from training. Consumer tiers: opt-out available via account settings.",
          "source": "Perplexity Enterprise Privacy",
          "sourceUrl": "https://www.perplexity.ai/hub/legal/perplexity-enterprise-privacy"
        },
        "usDataResidency": {
          "status": "no",
          "note": "No documented US data residency configuration for enterprise customers as of May 2026.",
          "source": "Public posture review"
        },
        "soc2": {
          "status": "partial",
          "note": "Perplexity has publicly claimed SOC 2 Type II completion. Report distribution via direct request, not a self-serve trust portal.",
          "source": "Perplexity Enterprise security page",
          "sourceUrl": "https://www.perplexity.ai/enterprise"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act compliance statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Section 1557 is deployer responsibility for any clinical use — but the absence of a BAA makes Perplexity unsuitable for PHI use cases.",
          "source": "HHS-OCR Section 1557 — deployer scope"
        },
        "sr117": {
          "status": "na",
          "note": "SR 11-7 is deployer responsibility for any banking use.",
          "source": "FRB SR 11-7 — deployer scope"
        },
        "abaOp512": {
          "status": "na",
          "note": "ABA Op 512 is practitioner responsibility for any legal research use.",
          "source": "ABA Formal Op 512 — practitioner scope"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Perplexity uses multiple model vendors as subprocessors (OpenAI, Anthropic, Mistral). Subprocessor list available to enterprise customers under NDA.",
          "source": "Perplexity Enterprise Privacy"
        },
        "trustCenter": {
          "score": 2,
          "note": "No self-serve trust portal. Enterprise security documentation available on request. Material gap for regulated buyers.",
          "source": "Perplexity Enterprise",
          "sourceUrl": "https://www.perplexity.ai/enterprise"
        }
      },
      "deepDive": {
        "overview": "Perplexity is best understood as an answer-engine layer that fans out to multiple foundation models behind the scenes. The governance gap is structural: Perplexity inherits some posture from upstream models but doesn't sign HIPAA BAAs and doesn't publish a Colorado AI Act / NIST AI RMF posture. Strong for general research, weak for regulated workflows.",
        "strengths": [
          "Citation-grounded responses reduce hallucination risk vs. raw chat",
          "Enterprise contract excludes customer data from training",
          "SOC 2 Type II claim"
        ],
        "weaknesses": [
          "No BAA — disqualifies for PHI",
          "No US data residency option",
          "No NIST AI RMF, ISO 42001, or Colorado AI Act statement",
          "No self-serve trust portal"
        ],
        "bestUseCase": "General-purpose research use cases where the citation-grounded format is a real advantage and no regulated data is involved.",
        "avoidWhen": "Any PHI, regulated financial data, or privileged legal content. Do not deploy in clinical, banking, or law firm production workflows without an alternative."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "microsoft-365-copilot",
      "name": "Microsoft 365 Copilot",
      "vendor": "Microsoft Corporation",
      "category": "productivity",
      "primarySector": "general",
      "homepage": "https://www.microsoft.com/en-us/microsoft-365/copilot",
      "trustCenter": "https://servicetrust.microsoft.com",
      "enterpriseTier": "Microsoft 365 Copilot, Copilot for Microsoft 365 (per-user license)",
      "consumerTier": null,
      "shortDescription": "Generative AI overlay on the Microsoft 365 stack — Outlook, Word, Excel, PowerPoint, Teams. Available exclusively to commercial M365 tenants.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/microsoft-365-copilot/",
      "composite": {
        "score": 75,
        "grade": "B",
        "scoredAxes": 11,
        "trustCenterNormalized": 1
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "BAA available under the standard Microsoft Online Services HIPAA BAA — covers Copilot for Microsoft 365 within the M365 commercial environment.",
          "source": "Microsoft HIPAA BAA + Trust Center",
          "sourceUrl": "https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer data is not used to train foundation models. M365 Copilot prompts and responses stay within the tenant boundary.",
          "source": "Microsoft Copilot Trust Center",
          "sourceUrl": "https://www.microsoft.com/en-us/trust-center"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "M365 Copilot inherits M365 tenant data residency — US tenants stay in US datacenters by default. Advanced Data Residency add-on available.",
          "source": "Microsoft 365 Data Residency",
          "sourceUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/m365-dr-overview"
        },
        "soc2": {
          "status": "yes",
          "note": "M365 commercial environment holds SOC 2 Type II, SOC 1 Type II, SOC 3, ISO 27001, ISO 27017, ISO 27018, FedRAMP High, IRAP, and others.",
          "source": "Microsoft Service Trust Portal",
          "sourceUrl": "https://servicetrust.microsoft.com"
        },
        "iso42001": {
          "status": "partial",
          "note": "Microsoft has announced ISO/IEC 42001 alignment work; the certification scope is public for Azure AI services. Confirmation of M365 Copilot scope is pending.",
          "source": "Microsoft Responsible AI Standard",
          "sourceUrl": "https://www.microsoft.com/en-us/ai/responsible-ai"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Microsoft publishes a Responsible AI Standard and Transparency Report mapped against NIST AI RMF functions. No formal self-attestation document.",
          "source": "Microsoft Responsible AI Transparency Report",
          "sourceUrl": "https://www.microsoft.com/en-us/ai/responsible-ai"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "Microsoft published a Colorado AI Act readiness statement framing M365 Copilot as a general-purpose AI tool with deployer responsibility for high-risk uses.",
          "source": "Microsoft AI law tracker"
        },
        "section1557": {
          "status": "partial",
          "note": "BAA in place. Section 1557 compliance is deployer responsibility for clinical decision use; Microsoft documents the technical controls available.",
          "source": "Microsoft HIPAA documentation"
        },
        "sr117": {
          "status": "partial",
          "note": "Microsoft documents model risk management controls; SR 11-7 validation remains deployer responsibility.",
          "source": "Microsoft Financial Services compliance"
        },
        "abaOp512": {
          "status": "partial",
          "note": "Microsoft publishes legal-sector AI guidance covering matter wall configuration in Copilot. ABA Op 512 obligations remain firm-level.",
          "source": "Microsoft Legal industry resources"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Microsoft Online Services subprocessor list public and granular.",
          "source": "Microsoft Service Trust Portal — Subprocessors",
          "sourceUrl": "https://servicetrust.microsoft.com"
        },
        "trustCenter": {
          "score": 5,
          "note": "Microsoft Service Trust Portal is the gold-standard reference — public certificate library, audit reports under NDA, granular subprocessor and residency documentation.",
          "source": "Microsoft Service Trust Portal",
          "sourceUrl": "https://servicetrust.microsoft.com"
        }
      },
      "deepDive": {
        "overview": "M365 Copilot has the most complete governance posture in the productivity category. BAA, no-train, US residency, full SOC/ISO stack, public subprocessor list, and the most mature trust portal in the market. The risk is operational rather than vendor: matter-wall and DLP configuration in M365 is where firms fail Copilot governance, not the underlying BAA.",
        "strengths": [
          "BAA under standard Microsoft Online Services HIPAA BAA",
          "Default no-train, US residency, full compliance stack",
          "Most mature trust portal of any AI vendor",
          "Inherits enterprise-grade M365 identity and DLP controls"
        ],
        "weaknesses": [
          "ISO 42001 certification scope not yet confirmed for Copilot",
          "Sector-specific readiness (Section 1557, SR 11-7, ABA Op 512) is deployer responsibility — Microsoft provides controls, not turnkey compliance",
          "Matter-wall and DLP configuration is non-trivial; many deployments fail at the configuration layer"
        ],
        "bestUseCase": "Organizations already standardized on Microsoft 365 commercial with mature DLP, Conditional Access, and SharePoint/OneDrive governance in place. Lowest-friction enterprise AI rollout in the regulated mid-market.",
        "avoidWhen": "Tenants without DLP, labeling, or Conditional Access maturity — Copilot inherits the existing access surface, so a tenant with weak governance becomes a worse tenant with Copilot."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "notion-ai",
      "name": "Notion AI",
      "vendor": "Notion Labs, Inc.",
      "category": "productivity",
      "primarySector": "general",
      "homepage": "https://www.notion.so/product/ai",
      "trustCenter": "https://www.notion.so/help/notion-trust",
      "enterpriseTier": "Notion Business, Notion Enterprise (per-user AI add-on)",
      "consumerTier": "Notion Free, Notion Plus",
      "shortDescription": "AI overlay on Notion's collaborative workspace. Used for summarization, drafting, semantic search, and database automation within Notion content.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/notion-ai/",
      "composite": {
        "score": 33,
        "grade": "F",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.5
      },
      "scoring": {
        "baa": {
          "status": "no",
          "note": "Notion does not sign BAAs. Notion has explicitly stated that it is not HIPAA-compliant and that PHI should not be stored in it.",
          "source": "Notion HIPAA support article",
          "sourceUrl": "https://www.notion.so/help/is-notion-hipaa-compliant"
        },
        "trainingOptOut": {
          "status": "partial",
          "note": "Notion AI does not train on workspace content by default for Business and Enterprise plans. Free and Plus: opt-out toggle available.",
          "source": "Notion AI Privacy",
          "sourceUrl": "https://www.notion.so/help/notion-ai-privacy"
        },
        "usDataResidency": {
          "status": "no",
          "note": "No US data residency configuration option as of May 2026. Notion hosts on AWS US-East by default.",
          "source": "Notion Trust Center"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II report available via Notion Trust Center under NDA. ISO 27001:2022 also held.",
          "source": "Notion Trust",
          "sourceUrl": "https://www.notion.so/help/notion-trust"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act compliance statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Not BAA-eligible — Section 1557 use case disqualified by HIPAA gap.",
          "source": "HHS-OCR Section 1557 — deployer scope"
        },
        "sr117": {
          "status": "na",
          "note": "SR 11-7 is deployer responsibility for banking use, but the lack of BAA already disqualifies most regulated bank deployments.",
          "source": "FRB SR 11-7 — deployer scope"
        },
        "abaOp512": {
          "status": "na",
          "note": "ABA Op 512 is practitioner responsibility; the absence of a BAA significantly raises the privilege bar for law firm use.",
          "source": "ABA Formal Op 512 — practitioner scope"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Notion's subprocessor list is public (OpenAI as the Notion AI subprocessor, AWS, Stripe, etc.).",
          "source": "Notion Subprocessors",
          "sourceUrl": "https://www.notion.so/help/subprocessors"
        },
        "trustCenter": {
          "score": 3,
          "note": "Mature trust portal with SOC 2 + ISO under NDA. AI-specific governance documentation is thin — no Colorado AI Act, no NIST AI RMF, no ISO 42001.",
          "source": "Notion Trust",
          "sourceUrl": "https://www.notion.so/help/notion-trust"
        }
      },
      "deepDive": {
        "overview": "Notion AI is one of the most-deployed shadow-AI vectors in the regulated mid-market. The product is good and widely loved — but the lack of BAA, lack of residency, and thin AI-specific governance documentation make it a poor fit for any regulated workload. Most firms we audit have Notion AI in use, with PHI/PII already in Notion, without realizing the BAA gap.",
        "strengths": [
          "No-train default for Business/Enterprise",
          "Mature SOC 2 + ISO 27001 posture",
          "Public subprocessor list"
        ],
        "weaknesses": [
          "No BAA — not HIPAA-compliant",
          "No US data residency option",
          "No AI-specific governance documentation",
          "Common shadow-AI vector for regulated data"
        ],
        "bestUseCase": "Non-regulated workspace use where no PHI, PII, or privileged data enters Notion. Internal-only knowledge management for non-regulated workloads.",
        "avoidWhen": "Any environment where PHI, regulated financial data, or privileged legal content might enter a Notion workspace. DLP at the email/upload boundary is the right preventive control."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "otter-ai",
      "name": "Otter.ai",
      "vendor": "AISense, Inc.",
      "category": "productivity",
      "primarySector": "general",
      "homepage": "https://otter.ai",
      "trustCenter": "https://otter.ai/security",
      "enterpriseTier": "Otter Business, Otter Enterprise",
      "consumerTier": "Otter Basic, Otter Pro",
      "shortDescription": "Real-time meeting transcription and summarization. Commonly deployed in sales/CS; it sometimes leaks into clinical or legal meeting workflows, where the governance gaps matter.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/otter-ai/",
      "composite": {
        "score": 25,
        "grade": "F",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.25
      },
      "scoring": {
        "baa": {
          "status": "no",
          "note": "Otter.ai does not currently offer a BAA. Otter has stated HIPAA compliance is not supported.",
          "source": "Otter.ai Security FAQ",
          "sourceUrl": "https://otter.ai/security"
        },
        "trainingOptOut": {
          "status": "partial",
          "note": "Enterprise tier: customer audio/transcripts not used for model training. Free/Pro: opt-out toggle available; defaults vary by feature.",
          "source": "Otter Privacy Policy",
          "sourceUrl": "https://otter.ai/privacy-policy"
        },
        "usDataResidency": {
          "status": "no",
          "note": "No documented US data residency configuration as of May 2026.",
          "source": "Public posture review"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II completed; report available via direct request.",
          "source": "Otter Security",
          "sourceUrl": "https://otter.ai/security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act compliance statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Not BAA-eligible — disqualifies clinical use.",
          "source": "HHS-OCR Section 1557 — deployer scope"
        },
        "sr117": {
          "status": "na",
          "note": "SR 11-7 is deployer responsibility.",
          "source": "FRB SR 11-7 — deployer scope"
        },
        "abaOp512": {
          "status": "na",
          "note": "Practitioner responsibility; lack of BAA significantly raises privilege risk for law firm use.",
          "source": "ABA Formal Op 512 — practitioner scope"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Subprocessor list available to enterprise customers on request; it is not published for self-serve access.",
          "source": "Otter Security FAQ"
        },
        "trustCenter": {
          "score": 2,
          "note": "Security page exists but is thin. AI-specific governance documentation absent. Lower-maturity trust posture.",
          "source": "otter.ai/security",
          "sourceUrl": "https://otter.ai/security"
        }
      },
      "deepDive": {
        "overview": "Otter.ai is widely deployed in sales/CS organizations and routinely creeps into clinical, financial, and legal meeting workflows without governance review. The product is competent; the governance posture is not aligned to regulated use. The most common audit finding involving Otter is patient or attorney-client conversations transcribed without a BAA or privilege protocol.",
        "strengths": [
          "SOC 2 Type II",
          "Enterprise no-train default",
          "Mature transcription product"
        ],
        "weaknesses": [
          "No BAA, no HIPAA support",
          "No US residency option",
          "Thin AI-specific governance documentation",
          "Subprocessor list not self-serve public"
        ],
        "bestUseCase": "Non-regulated meeting transcription — sales call notes, internal team meetings, marketing planning sessions.",
        "avoidWhen": "Patient encounters, attorney-client conversations, confidential financial advisory meetings. Use a BAA-covered alternative (Microsoft Teams transcription under M365 BAA, or sector-specific tools like DAX Copilot)."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "salesforce-einstein",
      "name": "Salesforce Einstein / Agentforce",
      "vendor": "Salesforce, Inc.",
      "category": "productivity",
      "primarySector": "general",
      "homepage": "https://www.salesforce.com/products/einstein",
      "trustCenter": "https://compliance.salesforce.com",
      "enterpriseTier": "Einstein 1 Platform, Agentforce, Einstein Trust Layer (included in core Salesforce licenses)",
      "consumerTier": null,
      "shortDescription": "AI and agent infrastructure built into Salesforce CRM. The Einstein Trust Layer enforces no-train, masking, and audit logging at the platform level.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/salesforce-einstein/",
      "composite": {
        "score": 69,
        "grade": "C",
        "scoredAxes": 10,
        "trustCenterNormalized": 1
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "BAA available under Salesforce Health Cloud and applicable to Einstein/Agentforce within the BAA-covered environment.",
          "source": "Salesforce HIPAA compliance",
          "sourceUrl": "https://compliance.salesforce.com/en/hipaa"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Einstein Trust Layer enforces zero data retention by the underlying LLM provider. Customer data is never used for model training.",
          "source": "Einstein Trust Layer",
          "sourceUrl": "https://www.salesforce.com/artificial-intelligence/trusted-ai"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "Salesforce supports US data residency through US-based Hyperforce regions. Customer-configurable.",
          "source": "Salesforce Hyperforce",
          "sourceUrl": "https://www.salesforce.com/platform/hyperforce"
        },
        "soc2": {
          "status": "yes",
          "note": "Salesforce holds SOC 2 Type II, SOC 1, ISO 27001/17/18, FedRAMP, and additional sector certifications.",
          "source": "Salesforce Compliance",
          "sourceUrl": "https://compliance.salesforce.com"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation for Einstein/Agentforce as of May 2026.",
          "source": "Salesforce Compliance"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Salesforce publishes a Trusted AI Principles framework with explicit mapping to NIST AI RMF functions. No formal self-attestation document.",
          "source": "Salesforce Trusted AI",
          "sourceUrl": "https://www.salesforce.com/artificial-intelligence/trusted-ai"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement; Salesforce documents the deployer responsibility model.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "partial",
          "note": "BAA available; Section 1557 compliance for clinical decision support is deployer responsibility. Salesforce Health Cloud documents the technical controls.",
          "source": "Salesforce Health Cloud compliance"
        },
        "sr117": {
          "status": "partial",
          "note": "Salesforce Financial Services Cloud documents model risk controls; SR 11-7 validation is deployer responsibility.",
          "source": "Salesforce Financial Services compliance"
        },
        "abaOp512": {
          "status": "na",
          "note": "Not positioned for the legal vertical.",
          "source": "Salesforce positioning review"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Salesforce subprocessor list public and granular.",
          "source": "Salesforce Subprocessors",
          "sourceUrl": "https://www.salesforce.com/company/legal/subprocessors"
        },
        "trustCenter": {
          "score": 5,
          "note": "Mature compliance portal at compliance.salesforce.com — public certificates, subprocessor list, audit reports, sector-specific BAA addenda.",
          "source": "Salesforce Compliance",
          "sourceUrl": "https://compliance.salesforce.com"
        }
      },
      "deepDive": {
        "overview": "Salesforce's governance posture is one of the strongest in the enterprise category because Einstein/Agentforce inherits the Salesforce platform compliance stack — BAA, US residency, FedRAMP, SOC 2, granular subprocessors. The Einstein Trust Layer's zero-retention enforcement at the LLM-provider boundary is operationally meaningful. The gap is sector-specific posture: deployers still own clinical or financial validation work.",
        "strengths": [
          "BAA, US residency, FedRAMP — full platform compliance stack",
          "Einstein Trust Layer enforces zero LLM-provider retention",
          "Most mature compliance portal in the productivity category",
          "Vertical Cloud (Health, Financial Services) integration"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No Colorado AI Act-specific statement",
          "Section 1557 / SR 11-7 readiness is deployer-side"
        ],
        "bestUseCase": "Salesforce-standardized organizations rolling out Agentforce within existing Health Cloud / Financial Services Cloud / Einstein Trust Layer configuration — governance inherits cleanly from the platform.",
        "avoidWhen": "Organizations without an existing Salesforce platform — the value of Einstein governance depends entirely on platform standardization."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "glean",
      "name": "Glean",
      "vendor": "Glean Technologies, Inc.",
      "category": "productivity",
      "primarySector": "general",
      "homepage": "https://www.glean.com",
      "trustCenter": "https://www.glean.com/trust",
      "enterpriseTier": "Glean Work AI, Glean Apps (per-user licensing)",
      "consumerTier": null,
      "shortDescription": "Enterprise generative search and AI agent platform that indexes the SaaS stack (Drive, SharePoint, Slack, Confluence, Salesforce, etc.) and returns permission-aware AI answers.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/glean/",
      "composite": {
        "score": 69,
        "grade": "C",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "BAA available for enterprise customers. Glean supports HIPAA-covered deployments.",
          "source": "Glean Trust",
          "sourceUrl": "https://www.glean.com/trust"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer data is not used to train Glean's models. Tenant isolation is the default.",
          "source": "Glean Trust",
          "sourceUrl": "https://www.glean.com/trust"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency option available for enterprise customers (US-only deployment).",
          "source": "Glean Trust"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II, ISO 27001:2022, ISO 27017, ISO 27018.",
          "source": "Glean Trust",
          "sourceUrl": "https://www.glean.com/trust"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Glean Trust"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Public governance documentation aligns with NIST AI RMF functions; no formal self-attestation.",
          "source": "Glean Responsible AI"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Not positioned for clinical decision support.",
          "source": "Glean positioning review"
        },
        "sr117": {
          "status": "na",
          "note": "Not positioned as a banking decisioning system.",
          "source": "Glean positioning review"
        },
        "abaOp512": {
          "status": "na",
          "note": "Not positioned for the legal vertical.",
          "source": "Glean positioning review"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list available to customers via the trust portal.",
          "source": "Glean Trust — Subprocessors"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature trust portal with public certificate library, audit reports under NDA, customer-facing documentation. Lacks AI-specific certifications (ISO 42001) and explicit Colorado AI Act statement.",
          "source": "Glean Trust",
          "sourceUrl": "https://www.glean.com/trust"
        }
      },
      "deepDive": {
        "overview": "Glean is an interesting governance case because it sits between cloud productivity tools and AI agents — permission-aware enterprise search that doesn't store source content but does perform retrieval-augmented generation. The governance stack is strong on the platform fundamentals (BAA, residency, SOC 2 + ISO) but doesn't claim sector-specific readiness because it's not a decisioning system.",
        "strengths": [
          "BAA + US residency + SOC 2 + ISO 27k stack",
          "Permission-aware retrieval respects source-system ACLs",
          "Default tenant isolation, no cross-customer training",
          "Mature subprocessor transparency"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No Colorado AI Act compliance statement",
          "Sector overlays (Section 1557, SR 11-7, ABA Op 512) not in scope by positioning"
        ],
        "bestUseCase": "Mid-market and enterprise organizations needing AI-grade enterprise search across a SaaS stack, with HIPAA BAA or general regulated-data handling requirements.",
        "avoidWhen": "Use cases that need vendor-side decisioning support — Glean is retrieval and answer-generation, not regulated-decision automation."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "harvey",
      "name": "Harvey",
      "vendor": "Counsel AI Corporation (Harvey)",
      "category": "legal",
      "primarySector": "legal",
      "homepage": "https://www.harvey.ai",
      "trustCenter": null,
      "enterpriseTier": "Harvey Assistant, Harvey Workflows, Harvey Vault (firm-wide licensing)",
      "consumerTier": null,
      "shortDescription": "Generative AI platform purpose-built for law firms. Backed by OpenAI; primarily deployed at Am Law 100/200 firms for drafting, research, and matter-aware workflows.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/harvey/",
      "composite": {
        "score": 74,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.5
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Harvey signs enterprise data-handling agreements equivalent to BAA scope for client-confidential workloads. Firm-level deployment terms address privilege handling.",
          "source": "Harvey Security",
          "sourceUrl": "https://www.harvey.ai/security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Harvey does not train on client data. Tenant isolation contractually enforced. Foundation models accessed via Harvey are configured with zero-retention enterprise contracts.",
          "source": "Harvey Security"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available for enterprise customers. Harvey runs primarily on Azure US regions.",
          "source": "Harvey Security"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II completed. Report available to enterprise customers via direct request.",
          "source": "Harvey Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No public ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Harvey publishes governance documentation aligned to NIST AI RMF principles. No formal self-attestation.",
          "source": "Harvey governance documentation"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "Harvey acknowledges Colorado AI Act deployer responsibility model in customer documentation; firms own end-deployer obligations.",
          "source": "Harvey customer documentation"
        },
        "section1557": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Harvey positioning review"
        },
        "sr117": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Harvey positioning review"
        },
        "abaOp512": {
          "status": "yes",
          "note": "Harvey publishes ABA Formal Op 512 alignment documentation: data isolation, no training on client data, audit logging, privilege-aware retention controls.",
          "source": "Harvey ABA Op 512 documentation"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Subprocessor information available to enterprise customers under NDA; it is not published for self-serve access.",
          "source": "Harvey enterprise documentation"
        },
        "trustCenter": {
          "score": 3,
          "note": "Security page documents core controls; enterprise-grade documentation available on request. Less self-serve maturity than cloud-platform vendors.",
          "source": "harvey.ai/security",
          "sourceUrl": "https://www.harvey.ai/security"
        }
      },
      "deepDive": {
        "overview": "Harvey is the highest-profile legal vertical AI vendor. The governance posture is strong on the dimensions that matter most for law firms (no-train, US residency, BAA-equivalent, ABA Op 512 alignment) but trust-portal maturity lags cloud-platform vendors. The competitive position depends on the firm-specific workflow value rather than cross-cutting governance differentiation.",
        "strengths": [
          "Purpose-built for legal — privilege handling and matter walls native to product",
          "ABA Op 512 alignment documented",
          "Default no-train, US residency, BAA-equivalent",
          "Foundation-model upstreams contractually configured for zero-retention"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No formal NIST AI RMF self-attestation",
          "Trust portal less mature than cloud-platform peers",
          "Subprocessor transparency NDA-gated"
        ],
        "bestUseCase": "Am Law 100/200 firms with established AI governance, where Harvey's privilege-aware workflow and matter-context features deliver value beyond what a foundation model alone provides.",
        "avoidWhen": "Smaller firms (under 50 attorneys) where the per-attorney pricing doesn't amortize, and the ChatGPT Enterprise + ABA Op 512 protocol delivers acceptable functionality at lower cost."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "thomson-reuters-cocounsel",
      "name": "Thomson Reuters CoCounsel",
      "vendor": "Thomson Reuters",
      "category": "legal",
      "primarySector": "legal",
      "homepage": "https://www.thomsonreuters.com/en/artificial-intelligence/cocounsel.html",
      "trustCenter": null,
      "enterpriseTier": "CoCounsel Core, CoCounsel for Tax, CoCounsel for Legal (firm/individual licensing)",
      "consumerTier": null,
      "shortDescription": "Legal AI assistant from Thomson Reuters (the parent of Westlaw and Practical Law). Thomson Reuters acquired Casetext in 2023. Tightly integrated with Westlaw and Practical Law content.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/thomson-reuters-cocounsel/",
      "composite": {
        "score": 80,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "CoCounsel is covered under Thomson Reuters' enterprise data-handling agreements. BAA scope is addressed for firms with PHI in matter content.",
          "source": "Thomson Reuters Trust Center"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "CoCounsel does not train models on customer data. Tenant isolation enforced.",
          "source": "Thomson Reuters CoCounsel Privacy"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available for enterprise customers.",
          "source": "Thomson Reuters Trust Center"
        },
        "soc2": {
          "status": "yes",
          "note": "Thomson Reuters Cloud Platform (which hosts CoCounsel) holds SOC 2 Type II and ISO 27001. These are platform-level attestations — confirm from the report's system description that CoCounsel's AI services and any third-party model providers fall within the audited boundary.",
          "source": "Thomson Reuters Trust Center"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Thomson Reuters publishes AI Principles and governance documentation; no formal NIST AI RMF self-attestation.",
          "source": "Thomson Reuters AI Principles"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "Thomson Reuters documents the deployer responsibility model under Colorado AI Act.",
          "source": "Thomson Reuters customer documentation"
        },
        "section1557": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Thomson Reuters CoCounsel positioning"
        },
        "sr117": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Thomson Reuters CoCounsel positioning"
        },
        "abaOp512": {
          "status": "yes",
          "note": "Thomson Reuters publishes ABA Op 512 alignment documentation specific to CoCounsel deployment.",
          "source": "Thomson Reuters CoCounsel ABA Op 512 documentation"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list published as part of Thomson Reuters Cloud Platform terms.",
          "source": "Thomson Reuters Subprocessors"
        },
        "trustCenter": {
          "score": 4,
          "note": "Thomson Reuters Trust Center is mature for cloud-platform compliance; AI-specific governance for CoCounsel is documented but less granular than the platform compliance.",
          "source": "Thomson Reuters Trust Center"
        }
      },
      "deepDive": {
        "overview": "CoCounsel benefits from the parent Thomson Reuters compliance stack — well above what most legal-vertical AI vendors offer on their own. Tight integration with Westlaw and Practical Law content reduces — but does not eliminate — hallucination risk on legal research workflows; cited authorities still require attorney verification under ABA Op 512. The governance posture is more mature than Harvey on platform fundamentals; the workflow differentiation depends on firm preference.",
        "strengths": [
          "Inherits Thomson Reuters Cloud Platform compliance stack",
          "ABA Op 512 alignment documented",
          "Tight integration with Westlaw / Practical Law — citation grounding",
          "Mature subprocessor transparency"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No formal NIST AI RMF self-attestation",
          "Pricing structure is more complex than per-seat alternatives"
        ],
        "bestUseCase": "Firms already standardized on Westlaw and Practical Law, where CoCounsel's content integration delivers operational value beyond raw generative drafting.",
        "avoidWhen": "Firms standardized on Lexis content — CoCounsel's research integration value depends on Westlaw/Practical Law alignment."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "lexis-plus-ai",
      "name": "Lexis+ AI",
      "vendor": "LexisNexis (RELX)",
      "category": "legal",
      "primarySector": "legal",
      "homepage": "https://www.lexisnexis.com/en-us/products/lexis-plus-ai.page",
      "trustCenter": null,
      "enterpriseTier": "Lexis+ AI (firm/individual licensing)",
      "consumerTier": null,
      "shortDescription": "LexisNexis's legal AI assistant integrated with the Lexis content corpus. Differentiated on citation grounding from the Lexis case-law and secondary-source database.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/lexis-plus-ai/",
      "composite": {
        "score": 76,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "LexisNexis enterprise data-handling agreements address client-confidential data for firms.",
          "source": "LexisNexis Privacy"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Lexis+ AI does not train on customer prompts or content. Tenant isolation enforced.",
          "source": "LexisNexis Lexis+ AI Privacy"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available for US customers; Lexis+ AI hosted on US infrastructure.",
          "source": "LexisNexis Trust"
        },
        "soc2": {
          "status": "yes",
          "note": "LexisNexis platform holds SOC 2 Type II and ISO 27001.",
          "source": "LexisNexis Trust"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "LexisNexis publishes Responsible AI principles; no formal NIST AI RMF self-attestation.",
          "source": "LexisNexis Responsible AI"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Lexis+ AI positioning"
        },
        "sr117": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Lexis+ AI positioning"
        },
        "abaOp512": {
          "status": "yes",
          "note": "LexisNexis publishes ABA Op 512 alignment documentation for Lexis+ AI.",
          "source": "LexisNexis Lexis+ AI ABA Op 512 documentation"
        },
        "subprocessor": {
          "status": "yes",
          "note": "LexisNexis subprocessor list available via standard enterprise terms.",
          "source": "LexisNexis Subprocessors"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature LexisNexis platform compliance documentation. AI-specific governance present but less granular than cloud-platform peers.",
          "source": "LexisNexis Trust"
        }
      },
      "deepDive": {
        "overview": "Lexis+ AI is the direct Lexis-content counterpart to CoCounsel. The governance posture is roughly equivalent on platform fundamentals (BAA, residency, SOC 2, ABA Op 512). The differentiator is which legal content corpus the firm has standardized on. Both are appropriate for ABA Op 512-aware deployment.",
        "strengths": [
          "Citation grounding from Lexis case-law and secondary sources",
          "ABA Op 512 alignment documented",
          "Default no-train, US residency, BAA-equivalent",
          "Inherits LexisNexis platform compliance stack"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No Colorado AI Act-specific public statement",
          "No formal NIST AI RMF self-attestation"
        ],
        "bestUseCase": "Firms standardized on Lexis content, where Lexis+ AI's content integration matches existing research workflows.",
        "avoidWhen": "Firms standardized on Westlaw — the content integration advantage shifts to CoCounsel."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "westlaw-precision-ai",
      "name": "Westlaw Precision AI",
      "vendor": "Thomson Reuters",
      "category": "legal",
      "primarySector": "legal",
      "homepage": "https://legal.thomsonreuters.com/en/products/westlaw-precision",
      "trustCenter": null,
      "enterpriseTier": "Westlaw Precision with AI-Assisted Research (firm/individual licensing)",
      "consumerTier": null,
      "shortDescription": "Westlaw's AI-assisted research layer — natural-language query, AI-generated case summaries, and AI memo drafting grounded in Westlaw's primary-source database.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/westlaw-precision-ai/",
      "composite": {
        "score": 76,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Covered under Thomson Reuters enterprise data-handling agreements.",
          "source": "Thomson Reuters Trust Center"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Westlaw Precision AI does not train on customer research queries or content. Tenant isolation enforced.",
          "source": "Thomson Reuters Privacy"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available for US customers.",
          "source": "Thomson Reuters Trust Center"
        },
        "soc2": {
          "status": "yes",
          "note": "Thomson Reuters Cloud Platform holds SOC 2 Type II and ISO 27001.",
          "source": "Thomson Reuters Trust Center"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Thomson Reuters AI Principles framework; no formal NIST AI RMF self-attestation.",
          "source": "Thomson Reuters AI Principles"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Westlaw Precision AI positioning"
        },
        "sr117": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Westlaw Precision AI positioning"
        },
        "abaOp512": {
          "status": "yes",
          "note": "Thomson Reuters publishes ABA Op 512 alignment documentation applicable to Westlaw Precision AI.",
          "source": "Thomson Reuters Westlaw Precision AI ABA Op 512 documentation"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Thomson Reuters subprocessor list published.",
          "source": "Thomson Reuters Subprocessors"
        },
        "trustCenter": {
          "score": 4,
          "note": "Same trust posture as CoCounsel — mature platform compliance, less granular AI-specific governance.",
          "source": "Thomson Reuters Trust Center"
        }
      },
      "deepDive": {
        "overview": "Westlaw Precision AI is the AI-assisted research overlay on Westlaw — most directly comparable to Lexis+ AI's research workflow rather than CoCounsel's drafting workflow. The governance posture mirrors CoCounsel because both run on the same Thomson Reuters Cloud Platform.",
        "strengths": [
          "Citation grounding from Westlaw primary sources",
          "ABA Op 512 alignment documented",
          "Inherits Thomson Reuters Cloud Platform compliance"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No Colorado AI Act-specific public statement",
          "Pricing tied to Westlaw Precision tier — not a standalone purchase"
        ],
        "bestUseCase": "Firms standardized on Westlaw who want AI-assisted research without moving to CoCounsel's drafting workflow.",
        "avoidWhen": "Firms standardized on Lexis — the research-content advantage shifts to Lexis+ AI."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "spellbook",
      "name": "Spellbook",
      "vendor": "Rally Now, Inc. (Spellbook)",
      "category": "legal",
      "primarySector": "legal",
      "homepage": "https://www.spellbook.legal",
      "trustCenter": null,
      "enterpriseTier": "Spellbook Associate, Spellbook Partner",
      "consumerTier": null,
      "shortDescription": "Generative AI contract drafting and review assistant integrated with Microsoft Word. Targets small-to-mid law firms with focused contract workflows.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/spellbook/",
      "composite": {
        "score": 45,
        "grade": "D",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.25
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Spellbook signs BAAs for enterprise customers where required.",
          "source": "Spellbook Security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Spellbook does not train on customer documents. Tenant isolation enforced.",
          "source": "Spellbook Privacy",
          "sourceUrl": "https://www.spellbook.legal/privacy"
        },
        "usDataResidency": {
          "status": "partial",
          "note": "Spellbook hosted on US/Canada cloud infrastructure. Explicit US-only residency configuration not documented as of May 2026; firms with US-only residency obligations should obtain written confirmation of the processing region (including model-provider inference) before onboarding matter data.",
          "source": "Spellbook Security"
        },
        "soc2": {
          "status": "partial",
          "note": "Spellbook's public documentation describes SOC 2 Type II as in progress or completed without stating which as of May 2026; the report is available only on direct enterprise request. Scored partial until a dated report with a completed audit period is obtained.",
          "source": "Spellbook Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Spellbook positioning"
        },
        "sr117": {
          "status": "na",
          "note": "Legal-vertical positioning.",
          "source": "Spellbook positioning"
        },
        "abaOp512": {
          "status": "partial",
          "note": "Spellbook publishes general legal-ethics alignment documentation; explicit ABA Op 512 mapping less detailed than top-tier legal-vertical vendors.",
          "source": "Spellbook documentation"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Subprocessor information available via enterprise request; not self-serve public.",
          "source": "Spellbook Security"
        },
        "trustCenter": {
          "score": 2,
          "note": "Security page documents core controls. Trust-portal maturity below cloud-platform and top-tier legal-vertical peers.",
          "source": "spellbook.legal/security"
        }
      },
      "deepDive": {
        "overview": "Spellbook targets a smaller-firm market than Harvey, Lexis+ AI, or CoCounsel. The governance posture reflects the smaller-vendor scale — solid fundamentals on the dimensions that matter most for contracts (BAA, no-train) but less mature on trust-portal documentation, sector-specific governance, and AI-specific certifications.",
        "strengths": [
          "BAA-eligible for enterprise",
          "Default no-train",
          "Word-integrated workflow lowers adoption friction"
        ],
        "weaknesses": [
          "Less mature trust portal",
          "No explicit US-only residency configuration",
          "Subprocessor list NDA-gated",
          "ABA Op 512 mapping less detailed than top-tier legal vendors"
        ],
        "bestUseCase": "Small-to-mid firms (5-50 attorneys) focused on transactional / contract work, where Word-integration and per-attorney pricing match the budget and workflow.",
        "avoidWhen": "Firms under heavy regulatory or client-audit scrutiny (BigLaw, or in-house teams with strict vendor-risk requirements) that need top-tier trust documentation and a self-serve subprocessor list."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "ironclad-ai",
      "name": "Ironclad AI",
      "vendor": "Ironclad, Inc.",
      "category": "legal",
      "primarySector": "legal",
      "homepage": "https://ironcladapp.com",
      "trustCenter": "https://ironcladapp.com/trust",
      "enterpriseTier": "Ironclad Business, Ironclad Enterprise (AI features included)",
      "consumerTier": null,
      "shortDescription": "Contract lifecycle management platform with AI features for contract drafting, review, and metadata extraction. Targets in-house legal teams.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/ironclad-ai/",
      "composite": {
        "score": 63,
        "grade": "C",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Ironclad signs BAAs for enterprise customers with PHI obligations.",
          "source": "Ironclad Trust",
          "sourceUrl": "https://ironcladapp.com/trust"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer contract content not used for training Ironclad's AI models.",
          "source": "Ironclad Trust"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available for enterprise customers.",
          "source": "Ironclad Trust"
        },
        "soc2": {
          "status": "yes",
          "note": "Ironclad holds SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018.",
          "source": "Ironclad Trust",
          "sourceUrl": "https://ironcladapp.com/trust"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Not positioned for clinical use.",
          "source": "Ironclad positioning"
        },
        "sr117": {
          "status": "na",
          "note": "Not positioned as a banking decisioning system.",
          "source": "Ironclad positioning"
        },
        "abaOp512": {
          "status": "partial",
          "note": "Ironclad publishes general AI governance documentation; explicit ABA Op 512 mapping less prominent than legal-research-focused vendors.",
          "source": "Ironclad AI governance documentation"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public via trust portal.",
          "source": "Ironclad Trust"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature trust portal with public certificate library, audit reports under NDA, subprocessor list. AI-specific governance less prominent than platform fundamentals.",
          "source": "ironcladapp.com/trust"
        }
      },
      "deepDive": {
        "overview": "Ironclad is best understood as a CLM platform with AI features rather than a pure legal AI vendor. The governance posture is strong on platform fundamentals (BAA, residency, SOC 2 + ISO stack) — matches the standard a corporate legal team would require for any CLM. AI-specific governance is less prominent because the AI is an overlay on the contract workflow.",
        "strengths": [
          "BAA + US residency + SOC 2 + ISO 27k stack",
          "Mature trust portal",
          "Default no-train",
          "Public subprocessor list"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No NIST AI RMF self-attestation",
          "ABA Op 512 mapping less prominent than research-focused legal vendors"
        ],
        "bestUseCase": "In-house legal teams using Ironclad as primary CLM, where AI features are workflow overlays rather than standalone deliverables.",
        "avoidWhen": "Litigation or research-heavy practices — Ironclad's AI is contract-workflow-oriented, not research or matter-aware drafting."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "nuance-dax-copilot",
      "name": "Nuance DAX Copilot (Microsoft)",
      "vendor": "Microsoft Corporation (Nuance)",
      "category": "healthcare",
      "primarySector": "healthcare",
      "homepage": "https://www.nuance.com/healthcare/dragon-ai-clinical-solutions/dax-copilot.html",
      "trustCenter": null,
      "enterpriseTier": "DAX Copilot (per-clinician licensing, EHR-integrated)",
      "consumerTier": null,
      "shortDescription": "Ambient clinical AI scribe — captures clinician-patient encounters and generates structured clinical notes. EHR-integrated (Epic, Cerner, athenahealth, others).",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/nuance-dax-copilot/",
      "composite": {
        "score": 70,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 1
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "DAX Copilot is covered under Microsoft Online Services HIPAA BAA. Inherits the full M365/Azure BAA scope. BAA coverage is defined per listed service, so confirm DAX Copilot is enumerated as in scope in the executed agreement rather than relying on inheritance alone.",
          "source": "Microsoft Nuance DAX HIPAA",
          "sourceUrl": "https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Clinical encounter audio and generated notes are not used for foundation-model training. Customer-isolated processing. The 'foundation-model' qualifier leaves other uses (evaluation, QA review, tenant-scoped tuning) unaddressed — confirm those exclusions in the BAA/DPA.",
          "source": "Nuance DAX Copilot documentation"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency via Azure US regions. Customer-configurable.",
          "source": "Microsoft Azure Data Residency"
        },
        "soc2": {
          "status": "yes",
          "note": "Microsoft Azure / M365 commercial environment compliance stack applies (SOC 2 Type II + SOC 1 + SOC 3 + ISO 27001/17/18 + FedRAMP).",
          "source": "Microsoft Service Trust Portal"
        },
        "iso42001": {
          "status": "no",
          "note": "No DAX Copilot-specific ISO/IEC 42001 attestation as of May 2026.",
          "source": "Microsoft Service Trust Portal"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Microsoft Responsible AI framework applies. No DAX-specific NIST AI RMF self-attestation document.",
          "source": "Microsoft Responsible AI"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No DAX-specific Colorado AI Act public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "partial",
          "note": "BAA in place. Section 1557 algorithmic non-discrimination obligations for clinical decision support remain deployer responsibility; Microsoft documents the technical controls.",
          "source": "Microsoft Healthcare compliance"
        },
        "sr117": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "DAX positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "DAX positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Microsoft Online Services subprocessor list applies.",
          "source": "Microsoft Service Trust Portal"
        },
        "trustCenter": {
          "score": 5,
          "note": "Inherits Microsoft Service Trust Portal — the gold-standard reference. DAX-specific documentation present on the Nuance side.",
          "source": "Microsoft Service Trust Portal"
        }
      },
      "deepDive": {
        "overview": "DAX Copilot has the strongest platform-compliance foundation of any healthcare-vertical vendor in the index because it inherits the Microsoft/Azure/M365 compliance stack while being healthcare-positioned at the product layer. The result is best-in-class platform compliance combined with clinical workflow fit; Abridge scores higher on the composite because of its AI-specific governance (Section 1557 engagement, NIST AI RMF mapping, ISO/IEC 42001 work in progress). The remaining gap is Section 1557 readiness, where the deployer still owns clinical-decision-support validation.",
        "strengths": [
          "Inherits Microsoft/Azure HIPAA BAA, US residency, SOC 2, ISO 27k, FedRAMP",
          "EHR-integrated (Epic, Cerner, athenahealth, etc.)",
          "Default no-train, customer-isolated processing",
          "Most mature platform trust portal of any healthcare AI vendor (Microsoft Service Trust Portal); DAX-specific AI governance documentation is thinner than the platform layer"
        ],
        "weaknesses": [
          "No DAX-specific ISO/IEC 42001",
          "No Colorado AI Act-specific statement",
          "Section 1557 clinical-decision-support readiness is deployer-side"
        ],
        "bestUseCase": "Health systems and clinics with Microsoft 365 / Azure standardization where DAX Copilot's EHR integration matches the deployed EHR (Epic + DAX is the highest-leverage combination).",
        "avoidWhen": "Practices on EHRs without DAX integration (some smaller specialty EHRs) — the workflow value depends on EHR integration depth."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "abridge",
      "name": "Abridge",
      "vendor": "Abridge AI, Inc.",
      "category": "healthcare",
      "primarySector": "healthcare",
      "homepage": "https://www.abridge.com",
      "trustCenter": "https://www.abridge.com/trust",
      "enterpriseTier": "Abridge for Enterprise (per-clinician licensing, EHR-integrated)",
      "consumerTier": null,
      "shortDescription": "Ambient clinical AI documentation. Differentiated on clinician-experience design, citation-grounded notes, and deep EHR integration (notably Epic).",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/abridge/",
      "composite": {
        "score": 87,
        "grade": "A",
        "scoredAxes": 9,
        "trustCenterNormalized": 1
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Abridge signs BAAs for all enterprise customers.",
          "source": "Abridge Trust",
          "sourceUrl": "https://www.abridge.com/trust"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer audio and notes not used for general model training. Tenant isolation enforced. Confirm in the BAA/DPA whether the 'general' qualifier also excludes tenant-scoped fine-tuning, evaluation, and QA review of encounter data.",
          "source": "Abridge Trust"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "Abridge hosted on US infrastructure. US data residency standard for US customers.",
          "source": "Abridge Trust"
        },
        "soc2": {
          "status": "yes",
          "note": "Abridge holds SOC 2 Type II.",
          "source": "Abridge Trust",
          "sourceUrl": "https://www.abridge.com/trust"
        },
        "iso42001": {
          "status": "partial",
          "note": "Abridge has publicly indicated ISO/IEC 42001 alignment work in progress. Certification not yet posted as of May 2026.",
          "source": "Abridge governance documentation"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Abridge publishes a Responsible AI framework mapped against NIST AI RMF functions.",
          "source": "Abridge Responsible AI"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "Abridge has publicly engaged on the Colorado AI Act deployer-responsibility model; product documentation addresses high-risk classification.",
          "source": "Abridge customer documentation"
        },
        "section1557": {
          "status": "yes",
          "note": "Abridge has publicly addressed Section 1557 algorithmic non-discrimination — bias testing, model card publication, ongoing monitoring documentation.",
          "source": "Abridge Section 1557 documentation"
        },
        "sr117": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "Abridge positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "Abridge positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Abridge subprocessor list public via trust center.",
          "source": "Abridge Trust"
        },
        "trustCenter": {
          "score": 5,
          "note": "Abridge's trust center is one of the most mature in clinical AI — public Responsible AI framework, Section 1557 documentation, model cards, subprocessor transparency.",
          "source": "Abridge Trust",
          "sourceUrl": "https://www.abridge.com/trust"
        }
      },
      "deepDive": {
        "overview": "Abridge is one of the very few clinical AI vendors that has directly engaged the Section 1557 algorithmic non-discrimination requirement — most vendors in the category punt this to deployer responsibility. Combined with strong platform fundamentals (BAA, residency, SOC 2) and a mature trust center, Abridge has the cleanest US healthcare AI governance posture in the index.",
        "strengths": [
          "Direct Section 1557 algorithmic non-discrimination engagement",
          "Public Responsible AI framework + model cards",
          "BAA, US residency, SOC 2 Type II",
          "Mature trust center"
        ],
        "weaknesses": [
          "ISO/IEC 42001 in progress, not yet certified",
          "Pricing typically higher than Microsoft DAX Copilot at scale"
        ],
        "bestUseCase": "Health systems prioritizing best-in-class clinical AI governance — particularly those with active OCR scrutiny on Section 1557 or those running quality programs that benefit from public model card documentation.",
        "avoidWhen": "Microsoft 365-standardized health systems where DAX Copilot's M365/Azure inheritance and EHR integration breadth fit existing IT operations better."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "suki",
      "name": "Suki AI",
      "vendor": "Suki AI, Inc.",
      "category": "healthcare",
      "primarySector": "healthcare",
      "homepage": "https://www.suki.ai",
      "trustCenter": "https://www.suki.ai/security",
      "enterpriseTier": "Suki Assistant (per-clinician licensing, EHR-integrated)",
      "consumerTier": null,
      "shortDescription": "Clinical AI voice assistant for ambient note generation, dictation, and EHR navigation. EHR-integrated (Epic, Athenahealth, Cerner, Meditech, NextGen).",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/suki/",
      "composite": {
        "score": 72,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Suki signs BAAs for enterprise customers.",
          "source": "Suki Security",
          "sourceUrl": "https://www.suki.ai/security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Suki does not train models on customer audio or notes.",
          "source": "Suki Security"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "Suki US-hosted on US cloud infrastructure.",
          "source": "Suki Security"
        },
        "soc2": {
          "status": "yes",
          "note": "Suki holds SOC 2 Type II and HITRUST CSF certification.",
          "source": "Suki Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Suki publishes governance documentation aligning with NIST AI RMF principles; no formal self-attestation.",
          "source": "Suki Responsible AI"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "Suki engages on the Colorado AI Act deployer-responsibility model in customer documentation.",
          "source": "Suki customer documentation"
        },
        "section1557": {
          "status": "partial",
          "note": "Suki documents bias testing and clinical safety governance; explicit Section 1557 public statement less detailed than Abridge.",
          "source": "Suki governance documentation"
        },
        "sr117": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "Suki positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "Suki positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list available to enterprise customers.",
          "source": "Suki Security"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature security documentation with HITRUST + SOC 2. AI-specific governance less granular than Abridge.",
          "source": "Suki Security"
        }
      },
      "deepDive": {
        "overview": "Suki has strong fundamentals — BAA, US residency, SOC 2, HITRUST — and a more pragmatic positioning than Abridge. The Section 1557 engagement is less prominent than Abridge but adequate for most ambulatory deployments. HITRUST CSF certification is a meaningful differentiator for health-system buyers that require it.",
        "strengths": [
          "BAA, US residency, SOC 2 Type II + HITRUST CSF",
          "Broad EHR integration",
          "Default no-train, customer-isolated"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "Section 1557 documentation less prominent than Abridge",
          "Smaller market scale than DAX Copilot or Abridge"
        ],
        "bestUseCase": "Ambulatory practices needing HITRUST-aligned procurement, broad EHR integration, and strong clinician workflow fit.",
        "avoidWhen": "Hospital systems with active OCR Section 1557 scrutiny — Abridge's public Section 1557 engagement is more defensible during audit."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "heidi-health",
      "name": "Heidi Health",
      "vendor": "Heidi Health Pty Ltd",
      "category": "healthcare",
      "primarySector": "healthcare",
      "homepage": "https://www.heidihealth.com",
      "trustCenter": null,
      "enterpriseTier": "Heidi Pro, Heidi Together (per-clinician licensing)",
      "consumerTier": null,
      "shortDescription": "Clinical AI documentation assistant — Australia-headquartered with US market expansion. Used heavily in solo and small-practice deployments due to lower price point.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/heidi-health/",
      "composite": {
        "score": 45,
        "grade": "D",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.25
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Heidi signs BAAs for US enterprise customers.",
          "source": "Heidi Security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Heidi does not train models on customer encounter data.",
          "source": "Heidi Privacy"
        },
        "usDataResidency": {
          "status": "partial",
          "note": "Heidi offers US-region hosting for US customers. Default configuration may use multi-region infrastructure; explicit US-only residency requires enterprise contract.",
          "source": "Heidi Security"
        },
        "soc2": {
          "status": "partial",
          "note": "Heidi reports SOC 2 audit completion; report distribution via direct enterprise request.",
          "source": "Heidi Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation. Heidi's primary regulatory anchoring is Australian (TGA) given its origin market.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "partial",
          "note": "Heidi documents general clinical safety; explicit Section 1557 public statement less developed than US-headquartered peers.",
          "source": "Heidi documentation"
        },
        "sr117": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "Heidi positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "Healthcare-vertical positioning.",
          "source": "Heidi positioning"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Subprocessor information available on request; not self-serve public.",
          "source": "Heidi Security"
        },
        "trustCenter": {
          "score": 2,
          "note": "Security documentation present but less mature than US-headquartered peers. AI-specific governance for US market expanding but behind Abridge / Suki / DAX.",
          "source": "heidihealth.com/security"
        }
      },
      "deepDive": {
        "overview": "Heidi is the price-leader in clinical AI documentation — meaningfully cheaper than DAX Copilot, Abridge, or Suki at small-practice scale. The governance posture reflects the smaller-vendor scale and the Australian origin: BAA available but trust-portal maturity and US-regulatory-specific documentation (Section 1557, Colorado AI Act, NIST AI RMF) are less developed than US-headquartered peers.",
        "strengths": [
          "BAA-eligible",
          "Significantly lower price point than US-headquartered peers",
          "Default no-train"
        ],
        "weaknesses": [
          "Trust portal less mature than US peers",
          "Section 1557 documentation less developed",
          "No NIST AI RMF or Colorado AI Act statement",
          "Explicit US-only residency requires enterprise contract"
        ],
        "bestUseCase": "Solo and small practices (1-15 providers) where price sensitivity is high and the governance burden is correspondingly smaller (lower OCR scrutiny than a multi-state health system).",
        "avoidWhen": "Health systems, hospital networks, or any organization under active OCR Section 1557 scrutiny. The trust-portal maturity gap and weaker public US-regulatory engagement create defensibility risk during audit."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "fico-falcon-fraud-manager",
      "name": "FICO Falcon Fraud Manager + FICO Score AI",
      "vendor": "Fair Isaac Corporation",
      "category": "banking",
      "primarySector": "banking",
      "homepage": "https://www.fico.com",
      "trustCenter": "https://www.fico.com/en/trust",
      "enterpriseTier": "FICO Falcon Fraud Manager, FICO Score 10 T (ML-driven credit scoring), FICO Platform",
      "consumerTier": null,
      "shortDescription": "Decades-deep machine-learning portfolio across fraud detection (Falcon) and credit decisioning (FICO Score 10 T). The reference SR 11-7 documentation in the industry; most US banks already operate against FICO's validation patterns.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/fico-falcon-fraud-manager/",
      "composite": {
        "score": 80,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "FICO signs DPAs / data-handling agreements for enterprise customers. BAA available where PHI exposure exists in customer datasets.",
          "source": "FICO Trust",
          "sourceUrl": "https://www.fico.com/en/trust"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer transaction data is processed under contracted purpose limitation; not used for cross-customer model training without explicit consortium opt-in.",
          "source": "FICO Trust"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available for US bank customers. FICO operates US-region data centers + AWS GovCloud for federal-aligned deployments.",
          "source": "FICO Trust"
        },
        "soc2": {
          "status": "yes",
          "note": "FICO holds SOC 2 Type II, ISO 27001, FedRAMP. Most banks have FICO compliance documentation already on file.",
          "source": "FICO Trust",
          "sourceUrl": "https://www.fico.com/en/trust"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "FICO publishes a Responsible AI framework with explicit NIST AI RMF mapping; no formal self-attestation document.",
          "source": "FICO Responsible AI"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "FICO has publicly engaged on the Colorado AI Act and deployer-responsibility documentation for credit decisioning customers.",
          "source": "FICO customer documentation"
        },
        "section1557": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "FICO positioning"
        },
        "sr117": {
          "status": "yes",
          "note": "FICO model documentation is the reference SR 11-7 validation packet in the credit-scoring industry. Validation reports, conceptual soundness reviews, ongoing performance monitoring all packaged for examiner review.",
          "source": "FICO SR 11-7 documentation packet"
        },
        "abaOp512": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "FICO positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "FICO subprocessor list available to enterprise customers.",
          "source": "FICO Trust"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature compliance documentation, broad certificate library, SR 11-7-grade model validation reports. AI-specific governance documentation (Colorado AI Act, ISO 42001) trails platform certifications.",
          "source": "FICO Trust",
          "sourceUrl": "https://www.fico.com/en/trust"
        }
      },
      "deepDive": {
        "overview": "FICO is the default safe-choice AI vendor for US banks because the SR 11-7 documentation packet is already what every examiner expects. Forty-plus years of credit-scoring model validation is now extended to ML-driven fraud detection (Falcon) and credit scoring (FICO Score 10 T). The governance posture is the strongest in the banking category because validation isn't an add-on — it's the product.",
        "strengths": [
          "Reference SR 11-7 validation documentation",
          "FedRAMP + SOC 2 + ISO 27001 compliance stack",
          "BAA-eligible for PHI overlap; DPA standard for enterprise",
          "Public Responsible AI framework with NIST AI RMF mapping"
        ],
        "weaknesses": [
          "No ISO/IEC 42001 attestation",
          "Pricing structure can be opaque at smaller community-bank scale",
          "AI-specific governance documentation trails core platform certifications"
        ],
        "bestUseCase": "Mid-market and large US banks running fraud detection or credit decisioning where examiner expectations have already standardized on FICO documentation. Lowest-friction SR 11-7 audit posture in the banking category.",
        "avoidWhen": "Smaller community banks (under $500M AUM) where the licensing economics don't amortize and lighter-weight alternatives like Hummingbird (AML) or Unit21 (transaction monitoring) match the actual exposure."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "zest-ai",
      "name": "Zest AI",
      "vendor": "Zest AI",
      "category": "banking",
      "primarySector": "banking",
      "homepage": "https://www.zest.ai",
      "trustCenter": null,
      "enterpriseTier": "Zest Model Management System, Zest Underwriting (for banks, credit unions, auto lenders)",
      "consumerTier": null,
      "shortDescription": "AI-driven credit underwriting platform with strong fair-lending documentation. Differentiated on explicit ECOA/Reg B + adverse-action explainability output, designed for examiner-facing defensibility.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/zest-ai/",
      "composite": {
        "score": 74,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.5
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Zest AI signs DPAs / data-handling agreements for enterprise customers. BAA available where PHI exposure is in scope.",
          "source": "Zest AI Security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer underwriting data not used for cross-customer model training. Tenant isolation enforced.",
          "source": "Zest AI Privacy"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency standard for US customers.",
          "source": "Zest AI Security"
        },
        "soc2": {
          "status": "yes",
          "note": "Zest AI holds SOC 2 Type II.",
          "source": "Zest AI Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Zest publishes Responsible AI documentation mapped to NIST AI RMF principles.",
          "source": "Zest AI Responsible AI"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "Zest has engaged on Colorado AI Act high-risk classification for credit decisioning.",
          "source": "Zest AI customer documentation"
        },
        "section1557": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Zest AI positioning"
        },
        "sr117": {
          "status": "yes",
          "note": "Zest publishes SR 11-7-grade model validation, ongoing monitoring, and fair-lending audit documentation. CFPB Circular 2023-03 adverse-action explainability built into the output format.",
          "source": "Zest AI SR 11-7 documentation"
        },
        "abaOp512": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Zest AI positioning"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Subprocessor list available to enterprise customers under NDA.",
          "source": "Zest AI Security"
        },
        "trustCenter": {
          "score": 3,
          "note": "Strong fair-lending + SR 11-7 documentation. Trust portal less self-serve than FICO; documentation distribution via enterprise relationship.",
          "source": "Zest AI Security"
        }
      },
      "deepDive": {
        "overview": "Zest AI is the strongest pure-play banking AI vendor on fair-lending defensibility. The adverse-action explainability output is designed for CFPB Circular 2023-03 — explanations are model-derived rather than post-hoc, which matters in supervisory examination. Best fit for community and mid-size banks that need SR 11-7-aligned underwriting without standing up internal MRM capacity.",
        "strengths": [
          "CFPB Circular 2023-03 adverse-action explainability built into output",
          "SR 11-7-grade model validation documentation",
          "Tenant-isolated, US residency, BAA-eligible",
          "Purpose-built for fair-lending defensibility"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "Trust portal less mature than FICO",
          "Limited subprocessor transparency (list available under NDA only)"
        ],
        "bestUseCase": "Community and mid-size banks ($500M-$10B AUM) deploying AI for personal lending, auto, or small-business decisioning where fair-lending audit defensibility is the binding constraint.",
        "avoidWhen": "Very large banks with deep internal MRM capacity may prefer to build on FICO or in-house given the volume."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "upstart",
      "name": "Upstart",
      "vendor": "Upstart Holdings, Inc.",
      "category": "banking",
      "primarySector": "banking",
      "homepage": "https://www.upstart.com",
      "trustCenter": null,
      "enterpriseTier": "Upstart Referral Network, Upstart Auto Retail, Upstart for Banks (white-label AI lending platform)",
      "consumerTier": null,
      "shortDescription": "AI lending platform with CFPB no-action letter history. Operates as a partner for community banks and credit unions that want AI-driven origination without building it internally. CFPB scrutiny + fair-lending audit history is unusually deep.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/upstart/",
      "composite": {
        "score": 74,
        "grade": "B",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.5
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Upstart signs DPAs and data-handling agreements with partner banks. BAA-eligible where PHI exposure exists in partner-bank datasets.",
          "source": "Upstart Security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Partner-bank customer data processed under contracted purpose limitation. Cross-bank model training only with consortium consent.",
          "source": "Upstart Privacy"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency standard.",
          "source": "Upstart Security"
        },
        "soc2": {
          "status": "yes",
          "note": "Upstart holds SOC 2 Type II.",
          "source": "Upstart Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Upstart publishes Responsible AI + fair-lending governance documentation.",
          "source": "Upstart Responsible AI"
        },
        "coloradoAiAct": {
          "status": "partial",
          "note": "Upstart has publicly engaged on Colorado AI Act readiness for credit decisioning.",
          "source": "Upstart customer documentation"
        },
        "section1557": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Upstart positioning"
        },
        "sr117": {
          "status": "yes",
          "note": "Upstart has CFPB no-action letter history (Sept 2017 + 2020 renewal) — uniquely deep fair-lending audit defensibility. SR 11-7-grade validation documentation maintained for partner-bank examiner needs.",
          "source": "CFPB No-Action Letter history"
        },
        "abaOp512": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Upstart positioning"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Subprocessor list available to enterprise customers.",
          "source": "Upstart Security"
        },
        "trustCenter": {
          "score": 3,
          "note": "Mature security documentation; CFPB engagement history is the differentiating compliance artifact. Trust portal less self-serve than enterprise platform vendors.",
          "source": "Upstart Security"
        }
      },
      "deepDive": {
        "overview": "Upstart is uniquely defensible on fair-lending because of the CFPB no-action letter history — no other US AI lending vendor has that paper trail. The white-label partner model lets community banks deploy AI lending under Upstart's compliance umbrella, which is operationally easier than standing up internal validation. The cost is platform dependence: partner banks operate within Upstart's product roadmap rather than building proprietary capability.",
        "strengths": [
          "CFPB no-action letter history (Sept 2017 + 2020 renewal)",
          "Fair-lending audit defensibility uniquely deep",
          "Partner-bank model — origination under Upstart compliance umbrella",
          "SR 11-7-grade validation maintained for partner needs"
        ],
        "weaknesses": [
          "Platform dependence — partner banks operate within Upstart's roadmap",
          "No ISO/IEC 42001",
          "Subprocessor transparency NDA-gated"
        ],
        "bestUseCase": "Community banks and credit unions wanting AI-driven personal lending or auto origination without internal model risk management capacity. The CFPB engagement history reduces partner-bank examiner risk.",
        "avoidWhen": "Banks that want proprietary AI capability or are concerned about platform dependence — building on FICO or licensing Zest AI keeps decisioning closer to in-house."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "hummingbird",
      "name": "Hummingbird",
      "vendor": "Hummingbird RegTech, Inc.",
      "category": "banking",
      "primarySector": "banking",
      "homepage": "https://www.hummingbird.co",
      "trustCenter": null,
      "enterpriseTier": "Hummingbird AML Case Management, Investigations, SAR Filing",
      "consumerTier": null,
      "shortDescription": "Modern compliance operations platform — BSA/AML case management, investigations, SAR filing, transaction monitoring overlay. Used by community banks, credit unions, and crypto-adjacent institutions for examiner-ready AML workflow.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/hummingbird/",
      "composite": {
        "score": 56,
        "grade": "C",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.5
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Hummingbird signs DPAs for enterprise customers; BAA-eligible where PHI overlap exists.",
          "source": "Hummingbird Security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer case data not used for cross-customer model training.",
          "source": "Hummingbird Privacy"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency standard.",
          "source": "Hummingbird Security"
        },
        "soc2": {
          "status": "yes",
          "note": "Hummingbird holds SOC 2 Type II.",
          "source": "Hummingbird Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation. Hummingbird positions primarily as a workflow tool rather than an AI decisioning system; AI features (investigation summarization, transaction analytics) score lighter on RMF posture.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Hummingbird positioning"
        },
        "sr117": {
          "status": "partial",
          "note": "Hummingbird workflow does not directly perform credit decisioning; SR 11-7 applies to upstream transaction-monitoring model vendors. Hummingbird documents the audit trail expected for examiner-facing case management.",
          "source": "Hummingbird customer documentation"
        },
        "abaOp512": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Hummingbird positioning"
        },
        "subprocessor": {
          "status": "partial",
          "note": "Subprocessor list available to enterprise customers.",
          "source": "Hummingbird Security"
        },
        "trustCenter": {
          "score": 3,
          "note": "Security documentation mature; AI-specific governance documentation absent. Strong workflow audit-trail features for BSA/AML examiner readiness.",
          "source": "Hummingbird Security"
        }
      },
      "deepDive": {
        "overview": "Hummingbird is best understood as an AML workflow + audit-trail platform with AI overlay, rather than a decisioning AI vendor. The governance posture reflects this — strong on platform fundamentals (SOC 2, DPA, US residency) but light on AI-specific governance (NIST AI RMF, Colorado AI Act). SR 11-7 applies indirectly: Hummingbird documents the workflow, but upstream transaction-monitoring vendors own model risk.",
        "strengths": [
          "SOC 2 Type II, US residency, DPA standard",
          "Mature BSA/AML workflow + examiner audit trail",
          "Default tenant isolation"
        ],
        "weaknesses": [
          "No NIST AI RMF self-attestation",
          "No Colorado AI Act statement",
          "AI-specific governance documentation thin",
          "Workflow-positioned rather than AI decisioning — model risk lives upstream"
        ],
        "bestUseCase": "Community banks, credit unions, and crypto-adjacent institutions needing modern BSA/AML case management with examiner-ready audit trails. Pair with a dedicated transaction-monitoring model vendor (Unit21, Verafin, NICE Actimize) for the AI model risk piece.",
        "avoidWhen": "Institutions looking for a single-vendor BSA/AML AI solution — Hummingbird is workflow + investigation, not the underlying decisioning model."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "unit21",
      "name": "Unit21",
      "vendor": "Unit21, Inc.",
      "category": "banking",
      "primarySector": "banking",
      "homepage": "https://www.unit21.ai",
      "trustCenter": null,
      "enterpriseTier": "Unit21 Transaction Monitoring, Case Management, Fraud Detection",
      "consumerTier": null,
      "shortDescription": "Modern transaction-monitoring + fraud detection platform. Deployed at fintech-adjacent banks, neobanks, payments processors, and crypto-aligned institutions where legacy AML vendors don't fit.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/unit21/",
      "composite": {
        "score": 68,
        "grade": "C",
        "scoredAxes": 9,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Unit21 signs DPAs for enterprise customers; BAA available where PHI overlap exists.",
          "source": "Unit21 Security"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer transaction data not used for cross-customer model training.",
          "source": "Unit21 Privacy"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency standard.",
          "source": "Unit21 Security"
        },
        "soc2": {
          "status": "yes",
          "note": "Unit21 holds SOC 2 Type II.",
          "source": "Unit21 Security"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Unit21 publishes governance documentation aligned to NIST AI RMF; no formal self-attestation.",
          "source": "Unit21 Responsible AI"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act-specific public statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Unit21 positioning"
        },
        "sr117": {
          "status": "partial",
          "note": "Unit21 documents SR 11-7 model risk practices for partner banks; full validation packet typically delivered under enterprise engagement rather than self-serve.",
          "source": "Unit21 customer documentation"
        },
        "abaOp512": {
          "status": "na",
          "note": "Banking-vertical positioning.",
          "source": "Unit21 positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public via trust documentation.",
          "source": "Unit21 Security"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature security documentation, modern compliance stack, public subprocessor list. AI-specific governance documentation present but lighter than FICO/Zest.",
          "source": "Unit21 Security"
        }
      },
      "deepDive": {
        "overview": "Unit21 is the modern transaction-monitoring + fraud detection platform built for fintech-era institutions. The governance posture is solid on platform fundamentals (SOC 2, DPA, US residency, subprocessor transparency) and improving on AI-specific governance — but trails the pure-play SR 11-7 vendors (FICO, Zest) on validation packet depth. Best fit for institutions whose legacy AML vendor doesn't match their operational model.",
        "strengths": [
          "SOC 2 Type II, US residency, DPA standard",
          "Modern transaction-monitoring architecture",
          "Public subprocessor list",
          "Default tenant isolation"
        ],
        "weaknesses": [
          "No ISO/IEC 42001",
          "No Colorado AI Act statement",
          "SR 11-7 validation packet depth lighter than FICO/Zest"
        ],
        "bestUseCase": "Neobanks, payments processors, crypto-adjacent institutions, and fintech-aligned community banks where legacy AML/transaction-monitoring vendors don't fit the data model or operational tempo.",
        "avoidWhen": "Traditional banks where examiners already standardized on FICO Falcon or NICE Actimize — the migration cost may exceed the operational benefit."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "arctic-wolf",
      "name": "Arctic Wolf",
      "vendor": "Arctic Wolf Networks, Inc.",
      "category": "security-mssp",
      "primarySector": "general",
      "homepage": "https://arcticwolf.com",
      "trustCenter": "https://arcticwolf.com/about-us/trust-center/",
      "enterpriseTier": "Managed Detection and Response, Cloud Detection and Response, Managed Risk, Concierge Security Team (CST) AI features",
      "consumerTier": null,
      "shortDescription": "Concierge MDR with named-team accountability and AI-augmented threat detection across endpoint, cloud, network, and identity. AI features primarily as detection acceleration rather than autonomous decisioning.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/arctic-wolf/",
      "composite": {
        "score": 69,
        "grade": "C",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Arctic Wolf signs BAAs for healthcare customers handling PHI within scope of MDR telemetry.",
          "source": "Arctic Wolf Trust Center",
          "sourceUrl": "https://arcticwolf.com/about-us/trust-center/"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer telemetry is not used for cross-customer model training; tenant data remains in customer-scoped pipelines.",
          "source": "Arctic Wolf Trust Center",
          "sourceUrl": "https://arcticwolf.com/about-us/trust-center/"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data centers available; region configurable per customer engagement.",
          "source": "Arctic Wolf Trust Center",
          "sourceUrl": "https://arcticwolf.com/about-us/trust-center/"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II, ISO 27001, and PCI DSS attestations held, plus HIPAA compliance documentation (HIPAA has no formal certification scheme, so this is a compliance claim rather than a certification); reports available under NDA via Trust Center.",
          "source": "Arctic Wolf Trust Center",
          "sourceUrl": "https://arcticwolf.com/about-us/trust-center/"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 AI management system attestation as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "AI-augmented detection features documented in product materials but no formal NIST AI RMF self-attestation document published.",
          "source": "Arctic Wolf product documentation",
          "sourceUrl": "https://arcticwolf.com/solutions/managed-detection-and-response/"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act SB 24-205 readiness statement. MDR services are platform-neutral, so any Colorado AI Act obligation falls within the downstream customer's scope rather than Arctic Wolf's.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "MSSP — platform-neutral; Section 1557 algorithmic non-discrimination obligation sits with the healthcare customer.",
          "source": "Arctic Wolf positioning"
        },
        "sr117": {
          "status": "na",
          "note": "MSSP — SR 11-7 model risk obligation sits with the financial institution customer.",
          "source": "Arctic Wolf positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "MSSP — ABA Formal Opinion 512 obligation sits with the law firm customer.",
          "source": "Arctic Wolf positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public via Trust Center.",
          "source": "Arctic Wolf Trust Center",
          "sourceUrl": "https://arcticwolf.com/about-us/trust-center/"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature trust center with SOC 2, ISO 27001, HIPAA, PCI documentation. AI-specific governance documentation lighter than platform compliance posture.",
          "source": "Arctic Wolf Trust Center",
          "sourceUrl": "https://arcticwolf.com/about-us/trust-center/"
        }
      },
      "deepDive": {
        "overview": "Arctic Wolf's Concierge model with a named Concierge Security Team is the closest peer in the US MDR market to EFROS's named-senior-analyst positioning. Platform compliance is strong; AI features function as detection acceleration rather than autonomous response. The CST is the differentiator — customers get a named team rather than rotating tier-1 analysts.",
        "strengths": [
          "Named Concierge Security Team accountability model",
          "SOC 2 Type II + ISO 27001 + HIPAA + PCI all held",
          "US data residency standard with configurable region",
          "Subprocessor list published"
        ],
        "weaknesses": [
          "No ISO/IEC 42001 AI management system attestation",
          "No Colorado AI Act readiness statement",
          "AI-specific governance documentation thinner than platform compliance",
          "Standard playbook constraints — customization beyond defaults is engagement-dependent"
        ],
        "bestUseCase": "Mid-market organizations wanting outsourced MDR with named-team accountability across endpoint, cloud, network, and identity, where the operational tempo of a standardized concierge playbook is a feature rather than a constraint.",
        "avoidWhen": "Customers needing deep customization or pre-authorized containment actions beyond Arctic Wolf's standard playbook, or environments requiring AI-decisioning transparency at the model level rather than detection-output level."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "huntress",
      "name": "Huntress",
      "vendor": "Huntress Labs Incorporated",
      "category": "security-mssp",
      "primarySector": "general",
      "homepage": "https://www.huntress.com",
      "trustCenter": "https://www.huntress.com/trust",
      "enterpriseTier": "Managed EDR, Managed Identity Threat Detection and Response (ITDR), SAT (Security Awareness Training), AI-augmented threat hunting",
      "consumerTier": null,
      "shortDescription": "Endpoint and M365 identity threat detection with AI-augmented threat hunting, sized for SMB-to-mid-market organizations without enterprise MDR budget. Decision-support AI rather than autonomous response.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/huntress/",
      "composite": {
        "score": 69,
        "grade": "C",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Huntress signs BAAs for healthcare customers where PHI overlaps with telemetry scope.",
          "source": "Huntress Trust",
          "sourceUrl": "https://www.huntress.com/trust"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer telemetry not used for cross-customer model training; tenant data is scoped to the customer's environment.",
          "source": "Huntress Trust",
          "sourceUrl": "https://www.huntress.com/trust"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency standard.",
          "source": "Huntress Trust",
          "sourceUrl": "https://www.huntress.com/trust"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II report available via Trust portal; reports gated under NDA.",
          "source": "Huntress Trust",
          "sourceUrl": "https://www.huntress.com/trust"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "AI-augmented threat hunting features documented; no formal NIST AI RMF self-attestation document.",
          "source": "Huntress product documentation",
          "sourceUrl": "https://www.huntress.com/platform/managed-edr"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act readiness statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "MSSP — Section 1557 obligation sits with the healthcare customer.",
          "source": "Huntress positioning"
        },
        "sr117": {
          "status": "na",
          "note": "MSSP — SR 11-7 obligation sits with the financial institution customer.",
          "source": "Huntress positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "MSSP — ABA Formal Opinion 512 obligation sits with the law firm customer.",
          "source": "Huntress positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public via Trust portal.",
          "source": "Huntress Trust",
          "sourceUrl": "https://www.huntress.com/trust"
        },
        "trustCenter": {
          "score": 4,
          "note": "Trust portal includes SOC 2, subprocessor list, security documentation. AI governance documentation lighter than platform compliance posture.",
          "source": "Huntress Trust",
          "sourceUrl": "https://www.huntress.com/trust"
        }
      },
      "deepDive": {
        "overview": "Huntress is best-in-class for endpoint and M365 identity threat detection at the SMB-to-mid-market scale. The AI features function as decision-support for human threat hunters rather than autonomous response. Distribution is partner-led (MSP channel + direct), and pricing is calibrated below enterprise MDR.",
        "strengths": [
          "Strong endpoint and M365 identity coverage for the price point",
          "SOC 2 Type II, US residency, BAA available",
          "Subprocessor transparency via Trust portal",
          "Decision-support AI keeps human-in-the-loop accountability clear"
        ],
        "weaknesses": [
          "No ISO/IEC 42001 attestation",
          "No Colorado AI Act readiness statement",
          "Coverage scope intentionally narrower than full-XDR MDR (no native network or OT)",
          "AI-specific governance documentation thinner than platform compliance"
        ],
        "bestUseCase": "Organizations with limited internal security capacity wanting strong endpoint and M365 identity threat detection without paying enterprise MDR pricing. Particularly strong fit for MSP-distributed delivery to SMB end customers.",
        "avoidWhen": "Enterprises needing full-spectrum XDR with native network, OT, or cloud workload protection — Huntress's coverage is intentionally focused rather than comprehensive."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "esentire",
      "name": "eSentire",
      "vendor": "eSentire, Inc.",
      "category": "security-mssp",
      "primarySector": "general",
      "homepage": "https://www.esentire.com",
      "trustCenter": "https://www.esentire.com/about-us/trust-center",
      "enterpriseTier": "MDR for Endpoint, Network, Cloud, Identity; eSentire Atlas AI platform",
      "consumerTier": null,
      "shortDescription": "Enterprise MDR with proprietary threat hunting depth and the most explicit AI-platform branding (Atlas AI) in the MDR category. Threat hunt depth is the differentiator over breadth-first competitors.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/esentire/",
      "composite": {
        "score": 69,
        "grade": "C",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "eSentire signs BAAs for healthcare customers; PHI scope addressed within MDR engagement.",
          "source": "eSentire Trust Center",
          "sourceUrl": "https://www.esentire.com/about-us/trust-center"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer telemetry not used for cross-customer model training within Atlas AI; tenant-scoped pipelines.",
          "source": "eSentire Trust Center",
          "sourceUrl": "https://www.esentire.com/about-us/trust-center"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available; multi-region architecture with customer configuration.",
          "source": "eSentire Trust Center",
          "sourceUrl": "https://www.esentire.com/about-us/trust-center"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II, ISO 27001, HIPAA, and PCI documented via Trust Center, alongside a FedRAMP-aligned posture (an alignment claim, not a FedRAMP authorization — confirm authorization status before relying on it for federal data).",
          "source": "eSentire Trust Center",
          "sourceUrl": "https://www.esentire.com/about-us/trust-center"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation for the Atlas AI platform as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Atlas AI platform documented with model governance materials but no formal NIST AI RMF self-attestation published.",
          "source": "eSentire Atlas AI documentation",
          "sourceUrl": "https://www.esentire.com/what-we-do/esentire-atlas-ai"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act SB 24-205 readiness statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "MSSP — Section 1557 obligation sits with the healthcare customer.",
          "source": "eSentire positioning"
        },
        "sr117": {
          "status": "na",
          "note": "MSSP — SR 11-7 obligation sits with the financial institution customer.",
          "source": "eSentire positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "MSSP — ABA Formal Opinion 512 obligation sits with the law firm customer.",
          "source": "eSentire positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public via Trust Center.",
          "source": "eSentire Trust Center",
          "sourceUrl": "https://www.esentire.com/about-us/trust-center"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature trust center with full attestation stack and FedRAMP-aligned posture. Atlas AI platform branding is the most explicit AI-MDR positioning in the category, though formal AI governance attestation (ISO 42001) is absent.",
          "source": "eSentire Trust Center",
          "sourceUrl": "https://www.esentire.com/about-us/trust-center"
        }
      },
      "deepDive": {
        "overview": "eSentire's Atlas AI is the most explicit AI-platform branding in the MDR category and threat hunt depth is the operational differentiator. The TRU (Threat Response Unit) does proprietary detection engineering paired with AI augmentation. Best fit for enterprises that prioritize hunt depth over coverage breadth.",
        "strengths": [
          "Full attestation stack — SOC 2, ISO 27001, HIPAA, PCI, FedRAMP-aligned (alignment claim, not a FedRAMP authorization)",
          "Atlas AI platform with explicit AI-MDR positioning",
          "Threat Response Unit (TRU) proprietary detection engineering",
          "Subprocessor transparency via Trust Center"
        ],
        "weaknesses": [
          "No ISO/IEC 42001 attestation for Atlas AI",
          "No Colorado AI Act readiness statement",
          "Premium pricing tier vs. SMB-focused MDR alternatives",
          "AI governance posture lighter than platform compliance maturity"
        ],
        "bestUseCase": "Enterprises that prioritize threat hunt depth over breadth — particularly those needing proprietary detection engineering against targeted threat actors rather than commodity malware coverage.",
        "avoidWhen": "Cost-sensitive SMBs where Huntress-tier coverage is sufficient, or organizations that need explicit ISO 42001 AI governance attestation as a procurement requirement."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "connectwise",
      "name": "ConnectWise",
      "vendor": "ConnectWise, LLC",
      "category": "security-mssp",
      "primarySector": "general",
      "homepage": "https://www.connectwise.com",
      "trustCenter": null,
      "enterpriseTier": "ConnectWise Asio platform with AI-augmented automation, RMM AI, PSA AI",
      "consumerTier": null,
      "shortDescription": "RMM + PSA platform with AI features for ticket automation, asset insights, and IT workflow acceleration. MSP-centric — sold to managed service providers who deliver downstream services to end customers.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/connectwise/",
      "composite": {
        "score": 50,
        "grade": "D",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.5
      },
      "scoring": {
        "baa": {
          "status": "partial",
          "note": "ConnectWise signs DPAs for the platform itself; BAA chain depends on the MSP's downstream contractual posture with end customers handling PHI.",
          "source": "ConnectWise Trust",
          "sourceUrl": "https://www.connectwise.com/company/trust"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer data not used for cross-customer model training within Asio AI features.",
          "source": "ConnectWise Trust",
          "sourceUrl": "https://www.connectwise.com/company/trust"
        },
        "usDataResidency": {
          "status": "partial",
          "note": "Multi-region architecture; US residency available with customer configuration but not the default across all Asio modules.",
          "source": "ConnectWise Trust",
          "sourceUrl": "https://www.connectwise.com/company/trust"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 Type II held across core Asio platform modules.",
          "source": "ConnectWise Trust",
          "sourceUrl": "https://www.connectwise.com/company/trust"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "no",
          "note": "No public NIST AI RMF self-attestation for Asio AI features as of May 2026.",
          "source": "Public posture review"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act readiness statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "MSP platform — Section 1557 obligation sits with the downstream healthcare end customer, with the MSP as intermediate operator.",
          "source": "ConnectWise positioning"
        },
        "sr117": {
          "status": "na",
          "note": "MSP platform — SR 11-7 obligation sits with the financial institution end customer.",
          "source": "ConnectWise positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "MSP platform — ABA Formal Opinion 512 obligation sits with the law firm end customer.",
          "source": "ConnectWise positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list published.",
          "source": "ConnectWise Trust",
          "sourceUrl": "https://www.connectwise.com/company/trust"
        },
        "trustCenter": {
          "score": 3,
          "note": "Platform compliance documentation is solid (SOC 2, subprocessor list) but AI-specific governance documentation is materially thinner than direct-to-enterprise MDR vendors. Distribution model is MSP-channel — governance posture reflects that downstream chain.",
          "source": "ConnectWise Trust",
          "sourceUrl": "https://www.connectwise.com/company/trust"
        }
      },
      "deepDive": {
        "overview": "ConnectWise is platform-and-channel rather than direct-to-enterprise — sold to MSPs who deliver downstream IT services. AI features in Asio accelerate MSP workflow (ticket automation, asset insights, PSA workflows) but the governance posture reflects the indirect distribution model. Platform fundamentals are solid; AI-specific documentation lags direct-MDR vendors.",
        "strengths": [
          "SOC 2 Type II across core Asio modules",
          "Public subprocessor list",
          "Training opt-out standard for Asio AI features",
          "Mature MSP-channel distribution and partner enablement"
        ],
        "weaknesses": [
          "No NIST AI RMF self-attestation",
          "No ISO/IEC 42001 attestation",
          "No Colorado AI Act readiness statement",
          "BAA chain depends on downstream MSP contracts — not a single-vendor compliance answer for end customers"
        ],
        "bestUseCase": "MSPs delivering managed IT services to SMB and mid-market end customers, where AI features are workflow acceleration for the MSP operator rather than autonomous decisioning for end customers.",
        "avoidWhen": "Enterprises buying direct — ConnectWise's distribution model is MSP-channel, and the governance posture reflects that. Direct-to-enterprise MDR vendors are a closer match for direct buyers."
      },
      "lastReviewed": "2026-05-13"
    },
    {
      "slug": "sophos",
      "name": "Sophos",
      "vendor": "Sophos Ltd.",
      "category": "security-mssp",
      "primarySector": "general",
      "homepage": "https://www.sophos.com",
      "trustCenter": "https://www.sophos.com/en-us/legal/trust-center",
      "enterpriseTier": "Sophos Central, Intercept X (Endpoint AI), Sophos MDR, Sophos XGS Firewall AI",
      "consumerTier": null,
      "shortDescription": "Vendor-integrated endpoint AI with the longest-running deep-learning malware detection lineage in the category (Invincea acquisition, 2017). Sophos MDR overlays managed detection on top of the platform.",
      "url": "https://efros.com/research/us-ai-vendor-governance-index/sophos/",
      "composite": {
        "score": 69,
        "grade": "C",
        "scoredAxes": 8,
        "trustCenterNormalized": 0.75
      },
      "scoring": {
        "baa": {
          "status": "yes",
          "note": "Sophos signs BAAs for healthcare customers within scope of platform and MDR engagement.",
          "source": "Sophos Trust Center",
          "sourceUrl": "https://www.sophos.com/en-us/legal/trust-center"
        },
        "trainingOptOut": {
          "status": "yes",
          "note": "Customer data not used for cross-customer model training; Intercept X models updated via Sophos research pipeline rather than tenant data.",
          "source": "Sophos Trust Center",
          "sourceUrl": "https://www.sophos.com/en-us/legal/trust-center"
        },
        "usDataResidency": {
          "status": "yes",
          "note": "US data residency available via Sophos Central region configuration.",
          "source": "Sophos Trust Center",
          "sourceUrl": "https://www.sophos.com/en-us/legal/trust-center"
        },
        "soc2": {
          "status": "yes",
          "note": "SOC 2 and ISO 27001 held; reports available under NDA via Trust Center. Report type not recorded here — confirm Type II against the NDA report, since the axis scores a SOC 2 Type II report specifically.",
          "source": "Sophos Trust Center",
          "sourceUrl": "https://www.sophos.com/en-us/legal/trust-center"
        },
        "iso42001": {
          "status": "no",
          "note": "No ISO/IEC 42001 attestation for Intercept X or Sophos AI features as of May 2026.",
          "source": "Public posture review"
        },
        "nistAiRmf": {
          "status": "partial",
          "note": "Sophos AI research publications and product documentation cover model governance themes; no formal NIST AI RMF self-attestation document published.",
          "source": "Sophos AI research",
          "sourceUrl": "https://www.sophos.com/en-us/products/endpoint-antivirus"
        },
        "coloradoAiAct": {
          "status": "no",
          "note": "No Colorado AI Act readiness statement.",
          "source": "Public posture review"
        },
        "section1557": {
          "status": "na",
          "note": "MSSP / platform vendor — Section 1557 obligation sits with the healthcare customer.",
          "source": "Sophos positioning"
        },
        "sr117": {
          "status": "na",
          "note": "MSSP / platform vendor — SR 11-7 obligation sits with the financial institution customer.",
          "source": "Sophos positioning"
        },
        "abaOp512": {
          "status": "na",
          "note": "MSSP / platform vendor — ABA Formal Opinion 512 obligation sits with the law firm customer.",
          "source": "Sophos positioning"
        },
        "subprocessor": {
          "status": "yes",
          "note": "Subprocessor list public via Trust Center.",
          "source": "Sophos Trust Center",
          "sourceUrl": "https://www.sophos.com/en-us/legal/trust-center"
        },
        "trustCenter": {
          "score": 4,
          "note": "Mature trust center with SOC 2, ISO 27001, subprocessor list, and active AI research publications. AI governance documentation is product-research-led rather than formal attestation.",
          "source": "Sophos Trust Center",
          "sourceUrl": "https://www.sophos.com/en-us/legal/trust-center"
        }
      },
      "deepDive": {
        "overview": "Sophos AI is the longest-established AI in endpoint security — the Invincea acquisition in 2017 brought deep-learning malware detection into Intercept X well before the category was crowded. Sophos MDR overlays managed detection on top of the platform. Best fit for organizations wanting vendor-integrated endpoint AI without a separate MDR contract.",
        "strengths": [
          "Longest-running deep-learning endpoint AI lineage in the category",
          "SOC 2 + ISO 27001 + BAA + US residency standard",
          "Vendor-integrated stack — endpoint, firewall, MDR from one platform",
          "Active AI research publications"
        ],
        "weaknesses": [
          "No ISO/IEC 42001 attestation",
          "No Colorado AI Act readiness statement",
          "Coverage breadth concentrated on endpoint + network — XDR depth varies by module",
          "AI governance documentation product-research-led rather than formal attestation"
        ],
        "bestUseCase": "Organizations wanting vendor-integrated endpoint AI without a separate MDR contract — particularly mid-market buyers who value a single-pane Sophos Central platform across endpoint, firewall, and managed detection.",
        "avoidWhen": "Enterprises needing full-spectrum XDR coverage beyond endpoint and network — cloud workload protection and identity threat detection are stronger in dedicated MDR competitors."
      },
      "lastReviewed": "2026-05-13"
    }
  ],
  "rankings": {
    "overall": [
      {
        "slug": "abridge",
        "name": "Abridge",
        "category": "healthcare",
        "score": 87,
        "grade": "A"
      },
      {
        "slug": "thomson-reuters-cocounsel",
        "name": "Thomson Reuters CoCounsel",
        "category": "legal",
        "score": 80,
        "grade": "B"
      },
      {
        "slug": "fico-falcon-fraud-manager",
        "name": "FICO Falcon Fraud Manager + FICO Score AI",
        "category": "banking",
        "score": 80,
        "grade": "B"
      },
      {
        "slug": "lexis-plus-ai",
        "name": "Lexis+ AI",
        "category": "legal",
        "score": 76,
        "grade": "B"
      },
      {
        "slug": "westlaw-precision-ai",
        "name": "Westlaw Precision AI",
        "category": "legal",
        "score": 76,
        "grade": "B"
      },
      {
        "slug": "microsoft-365-copilot",
        "name": "Microsoft 365 Copilot",
        "category": "productivity",
        "score": 75,
        "grade": "B"
      },
      {
        "slug": "harvey",
        "name": "Harvey",
        "category": "legal",
        "score": 74,
        "grade": "B"
      },
      {
        "slug": "zest-ai",
        "name": "Zest AI",
        "category": "banking",
        "score": 74,
        "grade": "B"
      },
      {
        "slug": "upstart",
        "name": "Upstart",
        "category": "banking",
        "score": 74,
        "grade": "B"
      },
      {
        "slug": "suki",
        "name": "Suki AI",
        "category": "healthcare",
        "score": 72,
        "grade": "B"
      },
      {
        "slug": "nuance-dax-copilot",
        "name": "Nuance DAX Copilot (Microsoft)",
        "category": "healthcare",
        "score": 70,
        "grade": "B"
      },
      {
        "slug": "salesforce-einstein",
        "name": "Salesforce Einstein / Agentforce",
        "category": "productivity",
        "score": 69,
        "grade": "C"
      },
      {
        "slug": "glean",
        "name": "Glean",
        "category": "productivity",
        "score": 69,
        "grade": "C"
      },
      {
        "slug": "arctic-wolf",
        "name": "Arctic Wolf",
        "category": "security-mssp",
        "score": 69,
        "grade": "C"
      },
      {
        "slug": "huntress",
        "name": "Huntress",
        "category": "security-mssp",
        "score": 69,
        "grade": "C"
      },
      {
        "slug": "esentire",
        "name": "eSentire",
        "category": "security-mssp",
        "score": 69,
        "grade": "C"
      },
      {
        "slug": "sophos",
        "name": "Sophos",
        "category": "security-mssp",
        "score": 69,
        "grade": "C"
      },
      {
        "slug": "unit21",
        "name": "Unit21",
        "category": "banking",
        "score": 68,
        "grade": "C"
      },
      {
        "slug": "ironclad-ai",
        "name": "Ironclad AI",
        "category": "legal",
        "score": 63,
        "grade": "C"
      },
      {
        "slug": "anthropic-claude",
        "name": "Anthropic Claude",
        "category": "foundation",
        "score": 58,
        "grade": "C"
      },
      {
        "slug": "google-gemini",
        "name": "Google Gemini for Workspace",
        "category": "foundation",
        "score": 58,
        "grade": "C"
      },
      {
        "slug": "hummingbird",
        "name": "Hummingbird",
        "category": "banking",
        "score": 56,
        "grade": "C"
      },
      {
        "slug": "openai-chatgpt",
        "name": "OpenAI ChatGPT & API",
        "category": "foundation",
        "score": 53,
        "grade": "D"
      },
      {
        "slug": "connectwise",
        "name": "ConnectWise",
        "category": "security-mssp",
        "score": 50,
        "grade": "D"
      },
      {
        "slug": "spellbook",
        "name": "Spellbook",
        "category": "legal",
        "score": 45,
        "grade": "D"
      },
      {
        "slug": "heidi-health",
        "name": "Heidi Health",
        "category": "healthcare",
        "score": 45,
        "grade": "D"
      },
      {
        "slug": "notion-ai",
        "name": "Notion AI",
        "category": "productivity",
        "score": 33,
        "grade": "F"
      },
      {
        "slug": "meta-llama",
        "name": "Meta Llama",
        "category": "foundation",
        "score": 25,
        "grade": "F"
      },
      {
        "slug": "otter-ai",
        "name": "Otter.ai",
        "category": "productivity",
        "score": 25,
        "grade": "F"
      },
      {
        "slug": "perplexity",
        "name": "Perplexity AI",
        "category": "foundation",
        "score": 19,
        "grade": "F"
      }
    ],
    "byCategory": {
      "foundation": [
        {
          "slug": "anthropic-claude",
          "name": "Anthropic Claude",
          "category": "foundation",
          "score": 58,
          "grade": "C"
        },
        {
          "slug": "google-gemini",
          "name": "Google Gemini for Workspace",
          "category": "foundation",
          "score": 58,
          "grade": "C"
        },
        {
          "slug": "openai-chatgpt",
          "name": "OpenAI ChatGPT & API",
          "category": "foundation",
          "score": 53,
          "grade": "D"
        },
        {
          "slug": "meta-llama",
          "name": "Meta Llama",
          "category": "foundation",
          "score": 25,
          "grade": "F"
        },
        {
          "slug": "perplexity",
          "name": "Perplexity AI",
          "category": "foundation",
          "score": 19,
          "grade": "F"
        }
      ],
      "productivity": [
        {
          "slug": "microsoft-365-copilot",
          "name": "Microsoft 365 Copilot",
          "category": "productivity",
          "score": 75,
          "grade": "B"
        },
        {
          "slug": "salesforce-einstein",
          "name": "Salesforce Einstein / Agentforce",
          "category": "productivity",
          "score": 69,
          "grade": "C"
        },
        {
          "slug": "glean",
          "name": "Glean",
          "category": "productivity",
          "score": 69,
          "grade": "C"
        },
        {
          "slug": "notion-ai",
          "name": "Notion AI",
          "category": "productivity",
          "score": 33,
          "grade": "F"
        },
        {
          "slug": "otter-ai",
          "name": "Otter.ai",
          "category": "productivity",
          "score": 25,
          "grade": "F"
        }
      ],
      "legal": [
        {
          "slug": "thomson-reuters-cocounsel",
          "name": "Thomson Reuters CoCounsel",
          "category": "legal",
          "score": 80,
          "grade": "B"
        },
        {
          "slug": "lexis-plus-ai",
          "name": "Lexis+ AI",
          "category": "legal",
          "score": 76,
          "grade": "B"
        },
        {
          "slug": "westlaw-precision-ai",
          "name": "Westlaw Precision AI",
          "category": "legal",
          "score": 76,
          "grade": "B"
        },
        {
          "slug": "harvey",
          "name": "Harvey",
          "category": "legal",
          "score": 74,
          "grade": "B"
        },
        {
          "slug": "ironclad-ai",
          "name": "Ironclad AI",
          "category": "legal",
          "score": 63,
          "grade": "C"
        },
        {
          "slug": "spellbook",
          "name": "Spellbook",
          "category": "legal",
          "score": 45,
          "grade": "D"
        }
      ],
      "healthcare": [
        {
          "slug": "abridge",
          "name": "Abridge",
          "category": "healthcare",
          "score": 87,
          "grade": "A"
        },
        {
          "slug": "suki",
          "name": "Suki AI",
          "category": "healthcare",
          "score": 72,
          "grade": "B"
        },
        {
          "slug": "nuance-dax-copilot",
          "name": "Nuance DAX Copilot (Microsoft)",
          "category": "healthcare",
          "score": 70,
          "grade": "B"
        },
        {
          "slug": "heidi-health",
          "name": "Heidi Health",
          "category": "healthcare",
          "score": 45,
          "grade": "D"
        }
      ],
      "banking": [
        {
          "slug": "fico-falcon-fraud-manager",
          "name": "FICO Falcon Fraud Manager + FICO Score AI",
          "category": "banking",
          "score": 80,
          "grade": "B"
        },
        {
          "slug": "zest-ai",
          "name": "Zest AI",
          "category": "banking",
          "score": 74,
          "grade": "B"
        },
        {
          "slug": "upstart",
          "name": "Upstart",
          "category": "banking",
          "score": 74,
          "grade": "B"
        },
        {
          "slug": "unit21",
          "name": "Unit21",
          "category": "banking",
          "score": 68,
          "grade": "C"
        },
        {
          "slug": "hummingbird",
          "name": "Hummingbird",
          "category": "banking",
          "score": 56,
          "grade": "C"
        }
      ],
      "security-mssp": [
        {
          "slug": "arctic-wolf",
          "name": "Arctic Wolf",
          "category": "security-mssp",
          "score": 69,
          "grade": "C"
        },
        {
          "slug": "huntress",
          "name": "Huntress",
          "category": "security-mssp",
          "score": 69,
          "grade": "C"
        },
        {
          "slug": "esentire",
          "name": "eSentire",
          "category": "security-mssp",
          "score": 69,
          "grade": "C"
        },
        {
          "slug": "sophos",
          "name": "Sophos",
          "category": "security-mssp",
          "score": 69,
          "grade": "C"
        },
        {
          "slug": "connectwise",
          "name": "ConnectWise",
          "category": "security-mssp",
          "score": 50,
          "grade": "D"
        }
      ]
    }
  },
  "generated": "2026-05-13T18:20:48.724Z",
  "license": "CC-BY-4.0",
  "attribution": "EFROS — https://efros.com — Cite as: EFROS US AI Vendor Governance Index, 2026-Q2",
  "feed": "https://efros.com/research/us-ai-vendor-governance-index/feed.xml",
  "changelog": "https://efros.com/research/us-ai-vendor-governance-index/changelog/",
  "disclaimer": "Vendor posture changes frequently; scores reflect posture as of this edition's generated timestamp. Re-verify each axis with the vendor's trust center before contract, and obtain the underlying evidence (e.g. the SOC 2 Type II report itself, including its scope and audit period) rather than relying on a summary claim or self-attestation."
}