Reviewing AI-Drafted Compliance Text Before It Ships

Agency Script Editorial

Editorial Team

May 31, 2020 · 8 min read

When a language model drafts a privacy notice, a vendor clause, or a disclosure paragraph, the output usually reads cleanly. That fluency is the trap. Clean prose hides the gaps a regulator or opposing counsel will find first: a defined term used before it is defined, a jurisdiction that does not match the governing-law clause, a commitment the business never agreed to make. The model has no idea which of those mistakes is expensive.

A review list closes that gap. It is not a substitute for a lawyer, and it does not turn a generalist into one. What it does is force a consistent set of checks on every draft before a human spends expensive attention on it, so the cheap errors are caught cheaply. Below is a list you can copy into a checklist tool or paste at the top of your review document. Each item has a one-line reason, because a check you do not understand is a check you will eventually skip.

Before You Prompt: Inputs That Decide the Output

Most defects in an AI compliance draft trace back to a thin or contradictory prompt, not to the model. Verify these before generation, because fixing them after is slower.

Source-of-Truth Inputs

  • Confirm the governing regulation or standard is named explicitly (GDPR, CCPA, SOC 2, HIPAA). A model will invent plausible-sounding obligations if you leave the regime vague.
  • Paste the actual defined terms the business uses rather than letting the model coin its own.
  • Supply the real party names, entity types, and jurisdictions. Placeholders survive into final drafts more often than anyone admits.
  • State what the document must not say (no new warranties, no commitments outside the SOW).

Scope Boundaries

  • Tell the model the document type and its audience: a regulator, a customer, an internal team. Tone and specificity differ sharply.
  • Set the length and section structure you expect, so review is comparing against a known shape.

Substance Checks: Does It Say the Right Thing

This is the layer where fluency is most dangerous. Read for meaning, not flow.

Obligations and Commitments

  • Every "shall," "will," and "must" creates a duty. Confirm the business can actually perform each one.
  • Check that rights and obligations are reciprocal where they should be and one-sided only where intended.
  • Verify no clause silently expands liability, indemnity, or data-use scope beyond what was authorized.

Accuracy Against the Regime

  • Cross-check each cited regulation, article number, and retention period against a primary source. Models routinely hallucinate citation numbers that look correct.
  • Confirm consent language matches the lawful basis actually relied on.
  • Make sure breach-notification timelines match the strictest applicable jurisdiction, not an average.

Consistency Checks: Internal Coherence

A document can be locally correct and globally broken. These checks catch contradictions the model could not see across a long output.

Terms and References

  • Confirm every defined term is defined once, before first use, and used consistently after.
  • Check that cross-references ("as described in Section 4") point to the section that actually contains that content.
  • Verify numbering, schedules, and appendices are all present and referenced.

Tone and Register

  • Compliance text should be plain enough to be enforceable and precise enough to be unambiguous. Flag sentences that are merely impressive.
  • Remove hedging the model adds by habit ("we may, from time to time, in certain circumstances") where a firm statement is required.

Risk and Escalation Checks

Some findings should stop the draft from moving forward at all. Mark these clearly so a reviewer cannot wave them through.

Hard Stops

  • Any invented citation, statute, or case reference is a hard stop until verified.
  • Any commitment with financial, regulatory, or contractual exposure goes to qualified counsel, full stop.
  • Anything touching individual rights, data subject requests, or breach handling gets human sign-off.

Documentation

  • Record which model and prompt produced the draft, so a later question about provenance has an answer.
  • Keep the human edits visible in version history; "AI wrote it, a person approved it" is the standard you want to be able to prove.

Document-Specific Additions

A core list catches the universal defects, but different document types carry their own characteristic failure modes. Layer these on top of the core checks rather than maintaining separate lists that drift apart over time.

Privacy Notices and Data Documents

  • Confirm the lawful basis stated matches the actual processing activity, not a generic placeholder.
  • Verify every data category, retention period, and recipient is grounded in real practice rather than a plausible default the model supplied.
  • Check that data-subject rights are described in the terms the governing regime actually uses, and that the exercise mechanism named is one the business can honor.

Contracts and Commercial Clauses

  • Trace each obligation back to what was negotiated; a model will smooth a one-sided term into a reciprocal one or vice versa.
  • Confirm liability caps, indemnities, and termination rights match the agreed commercial position exactly.
  • Verify that incorporated schedules, exhibits, and prior agreements are referenced correctly and actually exist.

Internal Policies

  • Check that the policy is enforceable as written, not merely aspirational; a policy nobody can comply with is worse than none.
  • Confirm the policy does not contradict an existing policy, which is a failure the model cannot see because it lacks the other document.
  • Verify the named owners, review cadence, and escalation paths are real roles in your organization.

Common Failure Patterns the List Catches

It helps to know the shapes these defects take, because recognizing the pattern is faster than checking blindly. Most AI compliance defects fall into a handful of recurring categories.

The Recurring Shapes

  • Confident invention: a citation, retention period, or statutory reference that looks authoritative and is simply fabricated.
  • Silent scope creep: a clause that quietly broadens liability, data use, or a commitment beyond what was authorized.
  • Aggregate drift: a defined term used correctly in every sentence yet shifting meaning across a long document.
  • Jurisdiction defaulting: the model applying the most common regime from its training data rather than the one you specified.

Once you can name the pattern, the relevant check stops feeling like a chore and starts feeling like aimed attention. The same instinct underpins the structured prompting in The DRAFT Method: Structuring Prompts for Regulated Writing.

Turning the List Into a Habit

A list helps only if it runs every time. Bake it into the workflow rather than relying on memory. The way you operationalize a list mirrors the discipline in The DRAFT Method: Structuring Prompts for Regulated Writing, and the same checks become the basis for the Signals That Tell You AI Compliance Drafts Are Holding Up.

Making It Stick

  • Attach the list to your document template so it travels with every new draft.
  • Assign each section of the list to a role: drafter does inputs and consistency, reviewer does substance and risk.
  • Review the list itself quarterly; a check that never catches anything may be wasting attention, and a recurring miss means you need a new item.

Frequently Asked Questions

Does a review list replace having a lawyer review the document?

No, and it should not pretend to. The list catches cheap, mechanical errors so that expensive legal review focuses on judgment calls. Anything with real regulatory or financial exposure still needs qualified counsel.

How long should running the list take?

For a short document, ten to fifteen minutes once you are practiced. The point is consistency, not speed. If a check is slow, that usually means the input was thin and the draft needs regeneration rather than patching.

What is the single most common defect this list catches?

Hallucinated citations. Models produce statute numbers, article references, and retention periods that look authoritative and are simply wrong. Every cited reference must be verified against a primary source.

Can I automate any of these checks?

Some. Defined-term consistency, cross-reference validity, and presence of required sections can be partly scripted. Substance and risk checks need a human, because they depend on knowing what the business actually agreed to.
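A sketch of the scriptable part, added here as an example and not taken from the article or any Agency Script tooling. It assumes headings of the form "3. Retention", definitions written as '"Term" means ...', and cross-references written "Section N"; the sample draft, the required-section list, and the term list are all constructed.

```python
import re

# Constructed sample draft (not from the article). Assumed conventions: headings look
# like "3. Retention", terms are defined as '"Term" means ...', xrefs as "Section N".
SAMPLE_DRAFT = """\
1. Definitions
"Personal Data" means information relating to an identified individual.
"Processor" means the vendor named in Section 2.
2. Parties
The Processor handles Personal Data for the Controller.
3. Retention
Personal Data is deleted as described in Section 7.
"Processor" means any subcontractor.
"""
REQUIRED = {"Definitions", "Parties", "Retention", "Breach Notification"}  # hypothetical
TERMS = {"Personal Data", "Processor", "Controller"}  # terms the business supplied

HEADING = re.compile(r"^(\d+)\.\s+(.+)$")
DEFINITION = re.compile(r'^"([^"]+)" means\b')
XREF = re.compile(r"\bSection (\d+)\b")

def review_draft(text, required_sections, known_terms):
    """Return mechanical findings; substance and risk checks stay with a human."""
    headings, defined_at, first_use, xrefs = {}, {}, {}, []
    for n, line in enumerate(text.splitlines(), 1):
        h = HEADING.match(line)
        if h:
            headings[h.group(1)] = h.group(2).strip()
            continue
        d = DEFINITION.match(line)
        own = d.group(1) if d else None
        if own:
            defined_at.setdefault(own, []).append(n)
        for term in known_terms:  # plain substring match, enough for a first pass
            if term != own and term in line:
                first_use.setdefault(term, n)
        xrefs += [(n, num) for num in XREF.findall(line)]
    findings = [f"missing required section: {t}"
                for t in sorted(required_sections - set(headings.values()))]
    findings += [f"line {n}: Section {num} does not exist"
                 for n, num in xrefs if num not in headings]
    for term in sorted(known_terms):
        lines, used = defined_at.get(term, []), first_use.get(term)
        if not lines and used:
            findings.append(f"line {used}: '{term}' used but never defined")
        elif len(lines) > 1:
            findings.append(f"'{term}' defined {len(lines)} times (lines {lines})")
        elif lines and used and used < lines[0]:
            findings.append(f"line {used}: '{term}' used before its definition")
    return findings
```

Calling `review_draft(SAMPLE_DRAFT, REQUIRED, TERMS)` returns four findings: the missing section, the dangling cross-reference, the undefined term, and the duplicate definition.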

Should the list change by document type?

Yes. A privacy notice, a vendor contract, and an internal policy stress different items. Keep a core list and add document-specific checks rather than maintaining ten separate lists that drift apart.

How do I keep the list from becoming a box-ticking ritual?

Track what each check actually catches. Checks that never find anything are candidates for removal; recurring misses are signals to add an item. A living list earns its place.

Key Takeaways

  • Most AI compliance defects come from thin prompts, so check inputs before you check output.
  • Fluent prose hides substantive errors; read for meaning and verify every citation against a primary source.
  • Separate checks into hard stops that block a draft and soft findings that a reviewer can resolve.
  • Document which model and prompt produced each draft, and keep human edits visible for provenance.
  • A review list earns its place only when it runs every time and is pruned for checks that never catch anything.
