GLBA compliance with Sonomos
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard the security and confidentiality of customer non-public personal information (NPI). The FTC Safeguards Rule (16 CFR Part 314) and its 2023 amendments add concrete technical and administrative requirements. Sonomos is a technical safeguard that prevents NPI from being inadvertently disclosed to AI tools — currently the fastest-growing unmonitored channel inside financial firms.
What counts as NPI
NPI is any personally identifiable financial information that a customer provides to a financial institution, that results from a transaction with the institution, or that the institution otherwise obtains. In practice this is broad:
- Account numbers, balances, transaction histories
- Social Security numbers, tax IDs (EINs)
- Names, addresses, phone numbers when paired with financial relationships
- Loan applications, credit histories, payment information
- Information obtained from a consumer report
Sonomos detects every category above; see the Detector Reference for the complete list.
How AI use creates GLBA exposure
Financial firms increasingly use AI tools for: drafting client correspondence, summarizing meeting notes, explaining account behavior, building internal training material, and accelerating ops workflows. Each of these can quietly pull NPI into a prompt:
- A relationship manager pastes a client email — including SSN and account number — into Claude to “rewrite this professionally.”
- An analyst pastes a sample of customer transactions into Gemini to find patterns; the sample includes account numbers and names.
- A KYC reviewer drops a redacted ID image into an AI tool — except the redaction isn’t comprehensive.
- A compliance team summarizes a regulator response in ChatGPT; the response references specific customers.
GLBA doesn’t care whether the disclosure was deliberate. It requires that the institution implement reasonable safeguards. Sonomos is one of them.
How Sonomos supports the Safeguards Rule
§314.4(c)(1) — Access controls
Cloak removes NPI from outgoing prompts before AI tools receive it. Teams admin policy controls let you require Cloak on supported platforms and a minimum Send Guard level on uncovered ones — an effective access control for the AI-tool channel.
§314.4(c)(2) — Asset inventory
Compliance reports surface which AI platforms staff actually use and at what frequency. This is useful input for the inventory of systems and data flows the Safeguards Rule expects you to maintain.
§314.4(c)(3) — Encryption
The rule requires NPI in transit to be encrypted. TLS covers the wire; Cloak removes the NPI from the payload before transmission. Combined, this is a stronger control than encryption alone, because the encrypted payload contains nothing sensitive to begin with.
§314.4(c)(4) — Secure development practices
For institutions that build internal AI tooling, Sonomos’s local-first detection model is a useful reference architecture for secure-by-default AI usage. Canary is open source and can be reviewed directly.
§314.4(c)(5) — Multi-factor authentication
MFA is outside Sonomos’s direct scope, but the Teams plan’s SSO integration (with fuller support planned for Sonomos Desktop) lets you tie Sonomos access to your existing MFA-enforced identity provider.
§314.4(c)(6) — Secure data disposal
Sonomos does not retain NPI on disk. Detection text is never persisted; only category counts and timestamps are. There is no disposal procedure to define for Sonomos because there is no NPI to dispose of.
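As an added illustration of the two properties described under §314.4(c)(3) and §314.4(c)(6) (not Sonomos’s own code; the detector patterns are simplified placeholders, not the real Detector Reference), a Cloak-style outbound filter that masks NPI before a prompt leaves the browser and produces an audit record holding only category counts and a timestamp:

```javascript
// Added illustration (not Sonomos code): Cloak-style masking of NPI in an
// outgoing prompt, plus an audit record that carries only category counts
// and a timestamp, never the matched text. Patterns are deliberately simple
// placeholders for the real detectors.
const DETECTORS = [
  { category: "ssn",     pattern: /\b\d{3}-\d{2}-\d{4}\b/g },
  { category: "ein",     pattern: /\b\d{2}-\d{7}\b/g },
  { category: "account", pattern: /\b\d{10,12}\b/g },
];

// Returns { masked, audit }. `masked` is what the AI tool may receive;
// `audit` is the only thing that would be persisted (counts + timestamp).
function cloak(prompt, now = new Date()) {
  const counts = {};
  let masked = prompt;
  for (const { category, pattern } of DETECTORS) {
    masked = masked.replace(pattern, () => {
      counts[category] = (counts[category] || 0) + 1;
      return `[${category.toUpperCase()} REDACTED]`;
    });
  }
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  return {
    masked,
    audit: { timestamp: now.toISOString(), action: total ? "masked" : "none", counts },
  };
}

// Guard for the persistence layer: refuse to write any record that still
// contains a raw detector match, so NPI never reaches disk by mistake.
function safeToPersist(record) {
  const serialized = JSON.stringify(record);
  return !DETECTORS.some(({ pattern }) => new RegExp(pattern.source).test(serialized));
}

// Constructed sample prompt with fake identifiers.
const SAMPLE = "Rewrite professionally: client John Q, SSN 123-45-6789, account 123456789012, EIN 12-3456789 disputes a fee.";
const result = cloak(SAMPLE, new Date("2024-01-15T10:30:00Z"));
console.log(result.masked);
console.log(JSON.stringify(result.audit));
```

The `safeToPersist` check is the kind of guard that makes the "no NPI at rest" property enforceable rather than merely a policy statement.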
§314.4(c)(7) — Change management
The browser extension auto-updates via Chrome / Edge stores. Major changes are listed in the changelog. For environments that need stricter change control, watch for Sonomos Desktop’s MDM-managed deployment.
§314.4(c)(8) — Monitoring user activity
Compliance reports (Professional / Teams) show what categories of NPI were detected and what action was taken (masked / blocked / acknowledged), with timestamps. For Teams plans, aggregated per-member detection statistics give the qualified individual visibility into where exposure is concentrated.
§314.4(d) — Regular testing
The recommended workflow is to run the Quickstart on every supported platform after each major Sonomos release. For Teams, monthly compliance reports give you a continuous feedback loop without bespoke testing.
§314.4(e) — Training
Pair the rollout with training that explains: what NPI looks like, that Cloak is a safety net and not a license to paste freely, and how to read the risk widget. The Teams plan’s per-member statistics are a useful basis for targeted refresher training where exposure is high.
§314.4(f) — Service provider oversight
Sonomos does not receive NPI in the course of providing the service. The vendor due-diligence story is short: no NPI in transit to or at rest with Sonomos; only account and billing metadata.
§314.4(h) — Incident response
A confirmed disclosure of NPI to an AI service should be treated as a security event under your incident-response plan. Compliance reports make it easier to scope the event by showing the timeline and categories of detections.
Recommended configuration for financial services
- Enable Cloak on every supported AI platform used by staff.
- Set Send Guard to “Modal always” for desks that routinely handle NPI (KYC, lending, fraud, ops).
- Pin policy via the Teams plan so members can’t disable safeguards.
- Schedule compliance reports to the qualified individual and to the BSA / compliance officer.
- Document residual scope — the extension is browser-only; non-browser AI usage (native apps, IDE assistants, local LLMs) is covered by other controls until Sonomos Desktop ships.
- Pair with awareness training — make Cloak’s existence visible so staff understand both the protection and its limits.
Coming in Sonomos Desktop
For financial institutions specifically:
- OS-wide coverage — native AI clients, IDE assistants, local LLMs, clipboard, screenshots, file-drop scanning.
- Air-gapped mode — for trading floors and other restricted environments.
- SSO + SCIM + MDM — automated provisioning and managed deployment integrated with your identity provider.
- Tamper-evident audit log — append-only event log suitable for examiner review.
See the Sonomos Desktop overview.