GLBA Safeguards Rule Tightens AI Use Controls for Financial Firms

3 min read | Sources: National Law Review

The GLBA Safeguards Rule update imposes new controls to manage AI risks in financial institutions.

Why it matters: Financial services legal teams face growing risks from employees using unapproved AI tools. The updated GLBA Safeguards Rule clarifies compliance requirements, helping avoid data breaches and regulatory penalties.

  • The GLBA Safeguards Rule update took effect June 9, 2023, adding 9 specific IT security and governance controls.
  • Institutions must designate a 'Qualified Individual' to oversee and implement the information security program, and must assess and periodically review the service providers that handle customer data.
  • Multi-factor authentication for anyone accessing customer information, and encryption of nonpublic personal information (NPI) in transit over external networks and at rest, are mandatory under the update.
  • A 2024 IBM report found 38% of employees share sensitive data with AI tools without employer approval, creating compliance risks.

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requires financial institutions under FTC jurisdiction to protect nonpublic personal information (NPI) through administrative, technical, and physical safeguards. The Federal Trade Commission (FTC) amended the rule in December 2021, and most of the new requirements took effect June 9, 2023; the amended rule spells out nine required elements of a written information security program (FTC GLBA updates).

Key new obligations include designating a "Qualified Individual" responsible for overseeing and implementing the program, a written risk assessment, multi-factor authentication for anyone accessing customer information, encryption of NPI in transit over external networks and at rest, a written incident response plan, periodic assessment of service providers, and regular written reports to the board. A separate FTC amendment, effective May 2024, added a requirement to notify the FTC as soon as possible and no later than 30 days after discovering a breach affecting at least 500 consumers.

In parallel, unapproved use of artificial intelligence tools by employees, often called "Shadow AI", is introducing hidden risk: the tools sit outside IT governance, so NPI pasted into them leaves the institution's controlled environment without a risk assessment, a service-provider review, or any record of the transfer. Shadow AI includes chatbots and generative AI services that process sensitive data outside approved environments, raising both legal exposure and security risk.

According to a 2024 IBM study, 38% of employees in enterprises admit to sharing sensitive information with AI tools without prior authorization (IBM Shadow AI report). For financial institutions, this behavior risks violating the GLBA’s updated controls, especially on vendor and data access oversight.

Compliance and legal teams should treat AI tools as information systems and service providers under the Safeguards Rule: an external AI service that receives NPI is a service provider that must be assessed and contractually bound to protect the data, and the data flow to it belongs in the written risk assessment. In practice this means formal approval workflows for AI services, monitoring of what data employees send to AI endpoints, and integration of AI-related vendor risks into the existing compliance program. Failure to manage these obligations can lead to enforcement actions, penalties, and reputational harm.
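The monitoring step above is where most programs are thinnest. The script below is an added example, not code from the article or from any regulator or vendor: it runs a small detector over constructed proxy/DLP log lines, flags uploads to generative-AI hosts that are not on the institution's approval list, and checks the uploaded excerpt for NPI-shaped values (SSNs and Luhn-valid card numbers) so that the "unapproved tool plus real customer data" case surfaces separately from mere policy drift. The host names, the tab-separated field layout and the NPI patterns are assumptions for the example; a real deployment would take the host list from a web-proxy category feed and the allowlist from the approval workflow.

```python
"""Flag employee uploads to unapproved generative-AI services that carry NPI.

Added example: a minimal detector over constructed proxy/DLP log lines. Host
lists, the field layout and the NPI patterns are assumptions made for this
example, not requirements taken from the Safeguards Rule or the article.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Hypothetical allowlist produced by the institution's AI approval workflow.
APPROVED_AI_HOSTS = {"assistant.approved-vendor.example"}

# Hypothetical hosts a proxy category feed would label as generative AI.
GENAI_HOSTS = {
    "chat.genai-one.example",
    "api.genai-two.example",
    "assistant.approved-vendor.example",
}

# SSN shape with the impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; Luhn-checked before use.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on arbitrary long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for SSN-shaped and Luhn-valid card numbers."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("pan", digits))
    return hits


@dataclass
class Finding:
    user: str
    host: str
    verdict: str  # "approved", "shadow_ai" or "shadow_ai_npi"
    npi: list[tuple[str, str]] = field(default_factory=list)


def parse_line(line: str) -> dict:
    """Constructed layout: ts, user, host, method, path, bytes_out, body_excerpt."""
    ts, user, host, method, path, bytes_out, excerpt = line.rstrip("\n").split("\t", 6)
    return {"ts": ts, "user": user, "host": host.lower(), "method": method,
            "path": path, "bytes_out": int(bytes_out), "excerpt": excerpt}


def classify(event: dict) -> Optional[Finding]:
    """Classify one request; only AI hosts are in scope for this detector."""
    host = event["host"]
    if host not in GENAI_HOSTS:
        return None
    # Only uploads can leak data; GETs to the service are not inspected.
    npi = find_npi(event["excerpt"]) if event["method"] in {"POST", "PUT"} else []
    if host in APPROVED_AI_HOSTS:
        verdict = "approved"        # sanctioned service; NPI volume still recorded
    elif npi:
        verdict = "shadow_ai_npi"   # unapproved service AND NPI in the upload
    else:
        verdict = "shadow_ai"       # unapproved service, no NPI seen in excerpt
    return Finding(event["user"], host, verdict, npi)


def review_log(lines: Iterable[str]) -> list[Finding]:
    """Run the classifier over log lines, skipping comments and malformed rows."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            event = parse_line(line)
        except ValueError:
            continue
        f = classify(event)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per verdict, the figure a compliance report would carry."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample lines (not real traffic); the card number is a test value.
SAMPLE_LOG = """\
# ts\tuser\thost\tmethod\tpath\tbytes_out\tbody_excerpt
2024-05-01T09:14:02Z\tjdoe\tchat.genai-one.example\tPOST\t/v1/chat\t812\tSummarize: client SSN 123-45-6789, card 4111 1111 1111 1111
2024-05-01T09:15:40Z\tjdoe\tapi.genai-two.example\tPOST\t/complete\t211\tRewrite this paragraph about our Q2 marketing plan
2024-05-01T09:16:05Z\tasmith\tassistant.approved-vendor.example\tPOST\t/chat\t540\tCustomer 4111-1111-1111-1111 asked about fees
2024-05-01T09:17:11Z\tasmith\tintranet.bank.example\tGET\t/news\t0\t
"""

if __name__ == "__main__":
    results = review_log(SAMPLE_LOG.splitlines())
    for r in results:
        print(r.verdict, r.user, r.host, r.npi)
    print(summarize(results))
```

On the sample above the first line is the case the article is about (an unapproved chatbot receiving an SSN and a card number), the second is policy drift without NPI, the third is NPI going to an approved vendor and is recorded but not flagged, and the intranet request is ignored. The Luhn check matters in practice: without it, order numbers and ticket IDs of the right length would drown the real card hits.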

While regulatory guidance on AI use under GLBA is still evolving, adherence to the updated Safeguards Rule’s explicit requirements offers a clear compliance framework. Firms should proactively assess their AI risk exposure and update internal policies accordingly.

By the numbers:

  • 9 — required elements of an information security program under the 2023 GLBA Safeguards Rule update
  • 38% — employees admitting to unauthorized sharing of sensitive data with AI tools (2024 IBM report)
  • 30 days — maximum time after discovering a breach affecting at least 500 consumers to notify the FTC (added by a separate amendment effective May 2024)

Yes, but: Enforcement actions specifically citing AI-related violations under GLBA have not yet been widely reported. Legal teams should monitor regulatory developments as agencies clarify expectations.

What's next: Financial institutions should prepare for forthcoming regulatory guidance and best practices on AI risks as federal agencies continue examining AI’s compliance impact.