Why This Matters Now
Regulatory attention on voice AI is intensifying across all major jurisdictions:
United States
- FCC 2024 Declaratory Ruling brought AI-generated voices explicitly under TCPA "artificial or prerecorded voice" requirements
- FCC One-to-One Consent Rule vacated by 11th Circuit January 2025, but compliance infrastructure still expected
- Illinois BIPA covers voiceprints explicitly with $1,000-$5,000 per violation; 2024 amendment caps per-person damages
- CIPA litigation wave expanding third-party liability for cloud AI vendors under capability test
European Union
- EU AI Act Article 5 banned emotion recognition in workplace/education as of February 2, 2025
Emerging Markets
- Brazil LGPD requires opt-in consent with extraterritorial reach; Anatel mandates 0303 prefix for high-volume callers
- China PIPL requires separate consent for cross-border transfers; first extraterritorial enforcement case in 2024
- India DPDP Act full compliance deadline May 2027 with consent-centric regime
- UAE PDPL requires two-party consent for call recording with AED 50,000 telemarketing fines
When regulators or auditors examine your voice AI deployment, they're not checking boxes—they're looking for evidence that your compliance program actually works. The difference between "program exists" and "program works" is where most companies fail.
Part 1: United States Federal Requirements
1.1 TCPA Consent Framework
The Telephone Consumer Protection Act establishes three distinct consent tiers. Each has specific requirements, and voice AI deployments must correctly identify which tier applies to each call type.
Prior Express Written Consent (PEWC)
When Required: Telemarketing or advertising calls that use an ATDS or an artificial/prerecorded voice to cell phones, or an artificial/prerecorded voice to residential lines.
The FCC's definition of PEWC (47 CFR §64.1200(f)(9)), read together with the 2024 AI-voice Declaratory Ruling, yields nine elements a consent record should evidence:
- Written Agreement — Preserved copy of exact form/webpage at time of consent capture
- Signature — Electronic signature compliant with E-SIGN Act (timestamp, IP, session ID)
- Telephone Number — Specific number to be called, captured at consent time
- Seller Identification — Name of the specific seller authorized to call (one named seller per consent remains best practice even though the one-to-one consent rule was vacated in January 2025)
- Technology Disclosure — Clear statement that calls will use ATDS and/or artificial/prerecorded voice
- AI/Artificial Voice Disclosure — Post-FCC 2024: explicit mention of AI-generated voice if used
- Not-a-Condition Disclosure — Statement that consent is not required as condition of purchase
- Clear and Conspicuous — Disclosure not buried in fine print; font size/placement documentation
- Topically Related — Call content logically related to the website or context where consent was obtained (a one-to-one rule requirement; still the safest reading after that rule was vacated)
Conversational AI-Specific PEWC Risks:
- Scope Creep: Large language models (LLMs) free-associate across product catalog, exceeding "logically related" content boundary. Testing shows ~5% failure rate under adversarial prompting.
- Hallucinated Consent: AI fabricates permission claims ("You previously agreed to...") creating evidence of willful violation.
- RAG-Triggered Marketing: Informational call becomes telemarketing when retrieval-augmented generation pulls promotional content under customer pressure phrases.
Prior Express Consent (PEC)
When Required: Non-telemarketing calls using ATDS or artificial/prerecorded voice to cell phones.
PEC is less formal than PEWC but still requires demonstrable consent:
- Number Provision — Consumer provided phone number to caller for related purpose
- Purpose Relation — Calls closely related to purpose for which number was provided
- No Contrary Instructions — Consumer did not indicate they don't want calls at that number
- Oral or Written — Can be verbal or written (unlike PEWC which must be written)
Conversational AI-Specific PEC Risk: LLM + RAG access creates ~5% failure rate where AI proposes promotional content despite constraints. Edge case: customer mentions cost concerns → AI retrieves discount programs → informational call becomes telemarketing → PEC insufficient, PEWC required.
Prior Express Invitation or Permission (PEIP)
When Required: Calls to numbers on the National Do-Not-Call Registry.
PEIP allows calling DNC-registered numbers if consumer specifically invited or gave permission to call, permission is in writing (but doesn't require all 9 PEWC elements), and consumer specifically requested information about goods/services.
Established Business Relationship (EBR) Alternative:
- Transaction EBR: 18 months from last transaction
- Inquiry EBR: 3 months from inquiry (90 days)
Part 2: US State Recording Consent Requirements
2.1 Two-Party (All-Party) Consent States
The following 12 states (counting Connecticut, whose civil statute is all-party) require consent from ALL parties to record a telephone conversation. Voice AI systems processing calls to or from residents of these states must obtain affirmative consent before recording, transcription, or AI analysis.
California — Penal Code §632 requires all-party consent for confidential communications; CIPA adds AI-specific layers. Penalties: $5,000/violation (CIPA); criminal misdemeanor.
Connecticut — Gen. Stat. §52-570d. Criminal: one-party; Civil: all-party. Treat as all-party to be safe. Penalties: Class D felony (criminal); civil damages.
Delaware — 11 Del. C. §2402 requires all-party consent. Penalties: Class G felony; civil damages.
Florida — Fla. Stat. §934.03 requires all-party consent; mini-TCPA with broader autodialer definition. Penalties: 3rd degree felony; $1,000+ civil damages.
Illinois — 720 ILCS 5/14-2 requires all-party consent for private conversations; BIPA adds biometric layer for voiceprints. Penalties: Class 4 felony; BIPA: $1K-$5K/violation.
Maryland — Md. Code §10-402 requires all-party consent with strict enforcement. Penalties: Felony; up to 5 years imprisonment.
Massachusetts — M.G.L. c.272 §99 bans "secret" recordings; all parties must be aware. Penalties: Felony; up to 5 years; $10K fine.
Montana — Mont. Code §45-8-213 requires all parties know recording is occurring (notification, not explicit consent). Penalties: Misdemeanor; civil damages.
Nevada — Nev. Rev. Stat. §200.620 requires all-party consent for telephone calls (one-party for in-person). Penalties: Category D felony; civil damages.
New Hampshire — N.H. Rev. Stat. §570-A:2 requires all-party consent. Penalties: Class B felony; civil damages.
Pennsylvania — 18 Pa.C.S. §5704 strictly requires all-party consent for any oral or electronic communication. Penalties: 3rd degree felony; civil damages.
Washington — RCW 9.73.030 requires all-party consent for private conversations; most calls presumed private. Penalties: Gross misdemeanor; civil damages.
2.2 One-Party Consent States
The remaining 38 states and D.C. follow the federal one-party consent rule (18 U.S.C. §2511(2)(d)). One party to the conversation (which can be your company) may consent to recording without notifying the others.
2.3 Interstate Call Rules
Critical: When parties are in different states, the stricter law generally applies.
For national voice AI operations: default to all-party consent disclosure at call start. This satisfies both one-party and all-party jurisdictions.
Part 3: California CIPA Deep Dive
California Invasion of Privacy Act applies if the call recipient is in California, regardless of company location. With 12% of the US population, any national operation has significant CIPA exposure.
3.1 CIPA Sections Relevant to Voice AI
Section 631 (Wiretapping) — Prohibits reading contents while in transit. Voice AI processes real-time = interception by definition; Cloud processing = vendor receives contents in transit.
Section 632 (Recording) — Prohibits recording confidential communications without consent. Transcripts = recordings; Vector embeddings = recording in different format; Training use = indefinite retention.
Section 632.7 (Cellular) — Prohibits interception of cellular communications (no confidentiality requirement). Covers most calls (cell prevalence); Lower plaintiff burden than 632; Most common claim basis.
Section 637.3 (Voice Stress / Truthfulness Examination) — Using a system that examines or records voice prints or voice stress patterns to determine the truth or falsity of a person's statements requires express written consent. (CIPA has no section 632(d) on emotion analysis; 632(d) is the evidence-inadmissibility provision.) Exposure: sentiment analysis often runs by default; AI naturally infers emotional context; feature creep such as "caller intent detection" drifts toward deception or truthfulness scoring.
3.2 Third-Party Question: Extension vs. Capability Test
Two competing legal tests determine whether your AI vendor is a "third party" under CIPA:
Extension Test (defendant-friendly) — Vendor processes data only for your benefit = your extension. Outcome: No third-party disclosure; lower consent burden.
Capability Test (plaintiff-friendly) — Vendor has capability to use data for own benefit = third party. Outcome: Third-party disclosure required; higher consent burden.
Recent Case Law Favoring Capability Test:
- Javier v. Assurance IQ (N.D. Cal. 2023): Capability to use data = third party status
- Ambriz v. Google (N.D. Cal. 2025): AI system itself can be "person" under CIPA; motion to dismiss denied
- Yockey v. Salesforce (N.D. Cal. 2024): Could use data to train AI = third party status
- Turner v. Nuance (N.D. Cal. 2024): Fraud detection database = own purposes = third party
3.3 Vendor Contract Risk Clauses
"Improve our services" — CRITICAL RISK. Capability for own benefit = third party status under capability test.
"Aggregated data for analytics" — HIGH RISK. Depends on whether aggregation can be traced; likely third party.
"Train models" — CRITICAL RISK. Clear independent use; definite third party status.
"Act as service provider only" — LOW RISK. Agency positioning; supports extension test argument.
3.4 CIPA Penalty Stacking
Theoretical maximum exposure per call:
- CIPA 631 (wiretapping): $5,000
- CIPA 632.7 (cellular interception): $5,000
- CIPA 637.3 (voice stress / truthfulness examination, statutory damages under 637.2): $5,000
- TCPA (if applicable): $1,500
Total per-call exposure: Up to $16,500
Part 4: Illinois BIPA Biometric Requirements
The Illinois Biometric Information Privacy Act explicitly covers voiceprints. Any voice AI system that creates voiceprints for speaker identification must comply with BIPA for Illinois residents.
4.1 BIPA Definition of Voiceprint
740 ILCS 14/10: "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
A voiceprint is created when voice data is processed to identify a specific individual. This includes:
- Speaker verification ("Is this the account holder?")
- Speaker identification ("Who is speaking?")
- Voice enrollment ("Say these phrases to train the system")
4.2 BIPA Requirements
Section 15(a) — Written policy on retention and destruction, made publicly available. Evidence needed: Published policy with specific retention periods and destruction procedures.
Section 15(b) — Written notice of collection + purpose + retention period; Written release (consent). Evidence needed: Consent form with all required disclosures; Electronic signature with timestamp.
Section 15(c) — Prohibition on selling, leasing, or profiting from biometric data. Evidence needed: Vendor contracts prohibiting commercialization; No revenue from voice data.
Section 15(d) — No disclosure without consent (or narrow exceptions). Evidence needed: Data flow documentation; Third-party agreements.
Section 15(e) — Reasonable security measures. Evidence needed: Security documentation; Industry-standard protections.
4.3 2024 BIPA Amendment (SB 2979)
Key Change: Same biometric identifier from same person = single violation (not per-scan).
Penalties Post-Amendment:
- $1,000 per negligent violation
- $5,000 per intentional/reckless violation
- Electronic signatures now explicitly valid for consent
Part 5: European Union Requirements
5.1 GDPR Call Recording Framework
Under GDPR, voice recordings and transcripts are personal data. Voice can also be biometric data if used for identification.
Lawful Bases for Processing (Article 6)
Consent (Art. 6(1)(a)) — When applicable: Training, quality assurance, marketing analysis. Documentation required: Freely given, specific, informed, unambiguous; Affirmative action; Withdrawal mechanism.
Contract (Art. 6(1)(b)) — When applicable: Recording necessary to perform contract with caller. Documentation required: Contract documentation; Necessity analysis.
Legal Obligation (Art. 6(1)(c)) — When applicable: Financial services (MiFID II), regulated industries. Documentation required: Regulatory requirement documentation.
Legitimate Interest (Art. 6(1)(f)) — When applicable: Fraud prevention, security, limited training. Documentation required: LIA (Legitimate Interest Assessment); Balancing test; Data subject rights don't override.
Critical: If consent is your lawful basis, implied consent (continuing the call after a disclosure) does not meet the GDPR standard of an unambiguous affirmative action; capture an explicit act (press 1, say "I agree"). Where another basis applies, such as legitimate interest for fraud prevention, the disclosure is still required for transparency but affirmative consent is not.
5.2 EU AI Act Requirements
Article 5 Prohibited Practices (Effective February 2, 2025)
Emotion Recognition in Workplace — AI inferring emotions of workers based on biometric data (including voice) is prohibited. Exceptions: Medical reasons; Safety reasons (e.g., driver fatigue detection).
Emotion Recognition in Education — AI inferring emotions of students based on biometric data is prohibited. Exceptions: Medical reasons; Safety reasons.
Biometric Categorization — Categorizing individuals based on biometrics to infer race, political opinions, religion, sexual orientation is prohibited. Exceptions: Lawfully acquired data labeling/filtering (e.g., law enforcement).
Voice AI Impact: Employee call monitoring with sentiment/emotion analysis is now prohibited in the EU unless for medical or safety purposes. Customer emotion analysis remains permitted but is itself listed as high-risk under Annex III (emotion recognition systems) and is subject to Article 50 transparency requirements.
Article 50 Transparency Obligations
- AI Disclosure: Must inform person they are interacting with AI (unless obvious from context)
- Emotion Recognition Disclosure: Must inform exposed persons about operation of emotion recognition system
- Synthetic Voice Disclosure: AI-generated voice content must be disclosed as artificially generated
5.3 EU Penalties
- GDPR (standard violations): Up to €20 million or 4% global annual turnover
- EU AI Act (prohibited practices): Up to €35 million or 7% global annual turnover
Part 6: United Kingdom Requirements
6.1 UK GDPR + Data Protection Act 2018
Post-Brexit, UK maintains GDPR-equivalent requirements under UK GDPR:
- ICO (Information Commissioner's Office) is the supervisory authority
- UK GDPR fines: Up to £17.5 million or 4% of global turnover
- Same consent standards as EU GDPR
6.2 Privacy and Electronic Communications Regulations (PECR)
PECR governs direct marketing calls in the UK:
- TPS/CTPS: Telephone Preference Service and Corporate TPS must be checked before marketing calls
- Automated Calls: Specific consent required before making automated/prerecorded marketing calls
- AI Voice Calls: AI-generated voice calls treated as automated calls requiring specific consent
PECR Penalties: Up to £500,000 (increasing to GDPR-level penalties under pending legislation). Directors can be personally liable.
Part 7: Canada Requirements
7.1 Federal: PIPEDA
Personal Information Protection and Electronic Documents Act applies to private sector organizations across Canada.
PIPEDA Call Recording Requirements:
- Inform at call start with automated message or agent disclosure that call is being recorded
- State purpose clearly with specific purposes stated; cannot say "quality assurance" if used for marketing
- Obtain consent; implied consent acceptable if notification given and call continues; express consent recommended
- Limit use to stated purpose; recording can only be used for purposes disclosed at time of collection
- Provide access on request; customers have right to access their call recordings
7.2 Quebec Law 25 (Loi 25)
Quebec has stricter requirements than federal PIPEDA:
- Privacy Impact Assessments required before launching tech projects involving personal data
- Clear opt-in consent for sensitive data
- Notice required when automated decision-making affects rights
- Effective: Fully rolled out September 2024
7.3 Criminal Code One-Party Consent
Section 184 of the Criminal Code: Recording is legal if one party consents. However, this only addresses criminal liability—PIPEDA/provincial laws add additional requirements for business use.
Part 8: Latin America Requirements
8.1 Brazil: LGPD (Lei Geral de Proteção de Dados)
Brazil's LGPD is one of the most comprehensive data protection frameworks in Latin America, with GDPR-like requirements and extraterritorial reach.
Key LGPD Requirements for Voice AI
- Consent Model: Opt-in consent required; must be free, informed, unambiguous, and specific
- Written Consent: Must be in writing for specified purpose; general authorizations void
- Withdrawal Rights: Data subject can revoke consent at any time; must be as easy as giving consent
- Burden of Proof: Controller must prove consent was obtained in compliance with LGPD
- DPO Appointment: Data Protection Officer required regardless of processing volume
Brazil Call Center Regulations (SAC Decree + Anatel)
- Call Recording Mandatory: All customer service contacts must be recorded
- Recording Availability: Interaction history must be available to consumers on request
- 0303 Prefix Requirement: Companies making >10,000 daily calls must use 0303 prefix (effective March 2025)
- Maximum Wait Time: 60 seconds maximum for customer to reach representative
- 24/7 Availability: Customer service must be available around the clock
LGPD Penalties
- Warning with deadline for corrective measures
- Simple fine up to 2% of revenue (capped at R$50 million per violation)
- Daily fine
- Publicization of infraction
- Data deletion
8.2 Mexico: Ley Federal de Protección de Datos Personales
Mexico's federal data protection law applies to private sector entities processing personal data of Mexican residents:
- Privacy Notice: Must be provided before or at time of data collection
- Consent: Express consent required for sensitive data; tacit consent may be sufficient for non-sensitive
- Revocation: Data subjects can revoke consent at any time
- ARCO Rights: Access, Rectification, Cancellation, Opposition rights must be honored
Part 9: Middle East Requirements
9.1 UAE: PDPL (Federal Decree-Law No. 45/2021)
The UAE has implemented comprehensive data protection through the PDPL, with strict call recording requirements under the Cybercrime Law.
UAE Call Recording Requirements
- Two-Party Consent: All parties must provide explicit permission before recording
- Consent Type: Verbal consent (and recorded) acceptable, but written preferred
- Criminal Liability: Recording without consent violates the Cybercrime Law (Federal Decree-Law No. 34/2021, which replaced Federal Law No. 5/2012)
- Corporate Exception: Call centers may record with automated disclaimer if caller continues
UAE Telemarketing Regulations (Cabinet Resolutions 56 & 57 of 2024)
- Prior Approval: Explicit approval from authorities required before telemarketing
- Recording Disclosure: Callers must be informed at outset that call is recorded
- Do Not Call Registry: Must respect consumers listed in DNC registry
- Operational Hours: Telemarketing calls permitted only 9 AM - 6 PM
- Local Numbers: All marketing calls must originate from locally registered numbers
UAE Penalties
- Administrative fines (amounts to be specified in Executive Regulations)
- 2024 enforcement: 159 companies fined AED 50,000 each for telemarketing violations
- Total fines reached AED 3.8 million for DNC violations
9.2 Saudi Arabia: PDPL
Saudi Arabia's Personal Data Protection Law came into effect September 2023:
- Consent: Express consent required before processing personal data
- Purpose Limitation: Processing limited to purposes disclosed at collection
- Data Minimization: Collect only necessary data
- Cross-Border Transfer: Restrictions on transferring data outside Saudi Arabia
Part 10: Africa Requirements
10.1 South Africa: POPIA + RICA
South Africa has a dual framework: POPIA governs data protection while RICA governs interception of communications.
Recording Consent Framework
RICA allows one-party consent — Recording legal if one party consents; exceptions for business purposes.
POPIA requires processing consent — Personal information cannot be processed (recorded) without consent.
Combined Effect: While RICA allows one-party, POPIA's processing requirements effectively require disclosure. Treat as all-party for compliance.
2025 POPIA Amendments (Effective April 17, 2025)
- Opt-Out ≠ Consent: Providing opt-out mechanism alone does not constitute valid consent
- Telephonic Consent Recording: If consent obtained by phone, must be electronically recorded and available to data subject
- Response Timeline: 30 days to respond to correction/deletion requests
- Compliance Framework: Must be "continuously improved"
South Africa Penalties
- Fine up to R10 million
- Imprisonment up to 10 years
- Civil liability for privacy infringement
10.2 Nigeria: NDPR (Nigeria Data Protection Regulation)
Nigeria's NDPR (2019) applies to all transactions involving Nigerian data subjects; the Nigeria Data Protection Act 2023 now sits above it with the same core principles and established the Nigeria Data Protection Commission as regulator:
- Consent: Data subjects must consent to processing of personal data
- Purpose Specification: Purpose must be specified at time of collection
- Data Minimization: Only collect data necessary for purpose
- Security: Appropriate technical and organizational measures required
Part 11: Asia-Pacific Requirements (Expanded)
11.1 Japan: APPI
Act on the Protection of Personal Information applies to any business handling personal information of Japanese individuals:
- Purpose Specification: Specify and notify purpose of use before collection
- Consent for Sensitive Data: Explicit consent required for sensitive personal information
- Third-Party Transfer: Consent required before providing personal data to third parties
- Cross-Border Transfer: Special requirements for transfers outside Japan
Japan AI Act (May 2025): Japan's first comprehensive AI law takes a voluntary, best-practices approach (no strict prescriptive rules like EU AI Act).
11.2 Australia: Privacy Act 1988 + Telecommunications (Interception) Act
Call Recording Rules
- General Rule: Section 7 of the Telecommunications (Interception and Access) Act 1979 prohibits intercepting a communication passing over a telecommunications system
- Exception: Listening to or recording a call with the knowledge of the person making the communication is not "interception" under the Act, so a disclosure at call start takes the recording outside the prohibition
- State Laws: Listening device laws may also apply
- APPs: Notice of collection required; purpose limitation applies
11.3 Singapore: PDPA (Personal Data Protection Act)
Singapore's PDPA is one of the most developed frameworks in Southeast Asia.
PDPA Call Recording Requirements
- Consent: Clear, unambiguous, voluntary consent required before recording
- Notification: Inform callers that calls may be recorded with specific purposes
- Opt-In: Pre-ticked boxes or assumed consent not valid
- Withdrawal: Must inform of right to withdraw consent; mechanism required
- Do Not Call Registry: Must check DNC before marketing calls
PDPA Penalties
- Individuals: Up to S$200,000 or 5% of annual Singapore turnover (whichever higher)
- Organizations: Up to S$1 million or 10% of annual Singapore turnover (whichever higher)
- Private right of action for individuals who suffered loss
11.4 South Korea: PIPA (Personal Information Protection Act)
South Korea's PIPA is one of the world's strictest data protection regimes, with opt-in consent requirements.
PIPA Requirements for Voice AI
- Opt-In Consent: Explicit, informed, opt-in consent required (not opt-out)
- Consent Specificity: Must specify: purpose, data items collected, retention period, right to refuse
- Separate Consent: Sensitive data requires separate, specific consent
- 2024 Amendment: Mandatory consent for contract performance no longer permitted; bundled consent prohibited
- Call Recordings: Phone lists and recordings = personal data; consent required
PIPA Penalties
- Administrative fines up to 3% of relevant revenue
- Corrective orders
- Criminal sanctions possible
11.5 India: DPDP Act (Digital Personal Data Protection Act)
India's DPDP Act establishes a consent-centric regime with phased implementation through May 2027.
DPDP Act Requirements
- Consent Standard: Free, specific, informed, unconditional, unambiguous through clear affirmative action
- Privacy Notice: Must accompany or precede consent request; must include purposes, data categories, grievance mechanism
- Language: Notice must be in English or any of 22 scheduled Indian languages
- Consent Manager: Novel concept: intermediaries help data principals manage consent
- Children's Data: Verifiable parental consent required for under-18s
DPDP Implementation Timeline
- November 13, 2025: Data Protection Board established
- November 13, 2026: Consent Manager registration opens
- May 13, 2027: Full compliance required (consent, notice, security, breach notification)
India Call Recording Rules
- Self-Recording: Legal if you are party to conversation (similar to US one-party)
- Interception: Prohibited except with government authorization (Telegraph Act Section 5)
- Business Recording: Since August 2023, businesses recording calls are "Data Fiduciaries"
- DPDP Requirements: Clear notice, free/specific/informed consent, secure storage, delete when purpose served
DPDP Penalties
Up to ₹250 crore (approximately $30 million) per violation
11.6 China: PIPL (Personal Information Protection Law)
China's PIPL imposes GDPR-style obligations with additional requirements for cross-border transfers.
PIPL Consent Requirements
- General Consent: Free, voluntary, explicit, based on full information
- Separate Consent: Required for: third-party transfers, public disclosure, overseas transfers, sensitive data
- Sensitive Data: Includes: biometrics, financial accounts, location, health, minors' data
- Written Consent: May be required for biometrics and certain financial data
- New Consent: Required if processing purposes, means, or data categories change
PIPL Voice AI Specific Rules
- Call Recordings: Voice recordings may constitute biometric data (sensitive PI)
- Cross-Border Transfers: Separate consent + security assessment/certification/standard contract required
- 2024 Enforcement: First extraterritorial case: French hotel group found non-compliant for cross-border data sharing
PIPL Penalties
- Confiscation of illegal gains
- Fines up to RMB 50 million or 5% of previous year's revenue
- Individuals: Up to RMB 1 million; may be prohibited from senior management roles
Part 12: Unified Consent Architecture for Voice AI
For multinational voice AI operations, a unified consent architecture must satisfy the strictest requirements across all applicable jurisdictions.
12.1 Pre-Call Consent (Written)
Your written consent form must include:
- TCPA PEWC Elements: Autodialer/artificial voice disclosure; Specific seller; Not-a-condition; Phone number; Signature
- Recording Consent: Calls will be recorded; Transcripts created; Retention period
- AI Processing Consent: AI/automated systems will analyze call; Purposes specified
- Third-Party Disclosure: Data shared with [named technology providers] for processing
- Training Consent — Separate consent if data may be used to train AI models (under the CIPA capability test, vendor training use makes the vendor a third party, so the consumer's consent must cover that disclosure; GDPR and LGPD purpose limitation point the same way)
- Biometric Notice (BIPA): Voiceprint collection notice; Purpose; Retention; Destruction policy
- Cross-Border Transfer (PIPL/LGPD): Separate consent for international data transfers
12.2 Call-Start Disclosure (Scripted, Not AI-Generated)
Critical: Disclosure must be delivered by deterministic system (IVR, scripted audio) before conversational AI takes control. AI cannot skip, modify, or delay required disclosures.
Sample compliant disclosure:
"This call is being recorded and may be analyzed by AI systems for [stated purposes]. By continuing this call, you consent to recording and AI analysis. To speak with a human agent at any time, say 'agent' or press zero. Do you consent to proceed?"
12.3 Affirmative Consent Capture
- Press 1: DTMF tone capture logged with timestamp
- Say "I agree": Speech recognition logged with timestamp and audio segment
- Decline: Route to non-recorded continuation or human agent
Timing Problem Solution: CIPA requires consent before interception, but AI needs to listen to hear consent. Solution: Consent capture runs on separate non-AI system; only after consent captured does AI processing begin.
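The gate described in 12.2 and 12.3, as an added example rather than code from the original page: a deterministic module plays the versioned disclosure, recognises a DTMF or keyword consent with no LLM in the loop, logs each event with the script's hash, and forwards audio to the AI/recording pipeline only after consent is granted. The state names, affirmation and decline phrases, version label and the simulated calls are this example's own assumptions.

```python
# Call-start consent gate. Added illustration, not the page's code: the event
# names, affirmation phrases, script version label and the simulated calls are
# this example's own assumptions.
import hashlib
from typing import Dict, List

DISCLOSURE_SCRIPT = (
    "This call is being recorded and may be analyzed by AI systems for quality "
    "assurance. To speak with a human agent at any time, say 'agent' or press "
    "zero. Do you consent to proceed?"
)


class ConsentGate:
    """Sits between telephony and the AI/recording pipeline.

    The disclosure is played by the IVR from a versioned script, consent is
    recognised by a deterministic DTMF/keyword matcher with no LLM involved, and
    audio is forwarded downstream only once the state is GRANTED. Audio arriving
    earlier is dropped, so nothing is intercepted before consent exists.
    """
    AFFIRM_DIGIT, DECLINE_DIGIT = "1", "0"
    AFFIRM_PHRASES = ("i agree", "i consent")
    DECLINE_WORDS = ("agent", "no")

    def __init__(self, script: str, script_version: str):
        self.state = "DISCLOSING"
        self.script_version = script_version
        self.script_sha256 = hashlib.sha256(script.encode()).hexdigest()
        self.events: List[Dict] = []
        self.ai_frames: List[bytes] = []      # what the AI pipeline actually received
        self.dropped_frames = 0
        self._log("disclosure_started", version=script_version, sha256=self.script_sha256)

    def _log(self, kind: str, **data) -> None:
        self.events.append({"seq": len(self.events), "kind": kind, **data})

    def disclosure_finished(self) -> None:
        """Called by the IVR when the full script has played; only then is input accepted."""
        self.state = "AWAITING_CONSENT"
        self._log("disclosure_complete")

    def dtmf(self, digit: str) -> None:
        self._resolve("dtmf", digit, affirm=digit == self.AFFIRM_DIGIT, decline=digit == self.DECLINE_DIGIT)

    def utterance(self, text: str, audio_ref: str) -> None:
        """ASR result from the standalone consent recogniser; audio_ref points at the logged segment."""
        tokens = "".join(c if c.isalnum() or c.isspace() else " " for c in text.lower()).split()
        joined = " ".join(tokens)
        decline = any(w in tokens for w in self.DECLINE_WORDS)
        affirm = any(p in joined for p in self.AFFIRM_PHRASES)
        self._resolve("speech", joined, affirm=affirm, decline=decline, audio_ref=audio_ref)

    def _resolve(self, source: str, value: str, *, affirm: bool, decline: bool, **extra) -> None:
        if self.state != "AWAITING_CONSENT":
            # Input during the disclosure (or after a decision) is evidence of nothing.
            self._log("ignored_input", source=source, value=value, state=self.state)
        elif decline:   # checked first: "I agree, but get me an agent" goes to a human
            self.state = "DECLINED"
            self._log("consent_declined", source=source, value=value, route="human_agent_unrecorded", **extra)
        elif affirm:
            self.state = "GRANTED"
            self._log("consent_granted", source=source, value=value, **extra)
        else:
            self._log("unrecognized_input", source=source, value=value)

    def audio_frame(self, frame: bytes) -> bool:
        """Forward a frame to the AI/recording pipeline; returns whether it was forwarded."""
        if self.state == "GRANTED":
            self.ai_frames.append(frame)
            return True
        self.dropped_frames += 1
        return False


def simulate_call(inputs, script: str = DISCLOSURE_SCRIPT, version: str = "disclosure-v1") -> ConsentGate:
    """Replay (kind, value) events in arrival order through a fresh gate."""
    gate = ConsentGate(script, version)
    for kind, value in inputs:
        if kind == "frame":
            gate.audio_frame(value)
        elif kind == "dtmf":
            gate.dtmf(value)
        elif kind == "speech":
            gate.utterance(value, audio_ref=f"seg-{len(gate.events)}")
        elif kind == "disclosure_done":
            gate.disclosure_finished()
    return gate


# Constructed calls: in the first, the caller talks and presses 1 while the
# disclosure is still playing, then consents by voice after it finishes.
SAMPLE_CALL = [
    ("frame", b"f0"), ("dtmf", "1"), ("disclosure_done", None),
    ("frame", b"f1"), ("speech", "Yes, I agree."), ("frame", b"f2"), ("frame", b"f3"),
]
DECLINE_CALL = [("disclosure_done", None), ("speech", "No, get me an agent."), ("frame", b"f1")]

if __name__ == "__main__":
    g = simulate_call(SAMPLE_CALL)
    print(g.state, g.ai_frames, g.dropped_frames)
    for e in g.events:
        print(e)
```

The early "1" press is logged as ignored rather than treated as consent, because it arrived before the disclosure completed, and the two frames captured before the grant never reach the pipeline; the event log, with the script hash, is the evidence 13.2 asks for.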
Part 13: Audit Evidence Matrix
The following sections map each compliance area to specific evidence requirements, distinguishing between evidence that passes regulatory review and evidence gaps that trigger findings.
13.1 Consent Documentation
Evidence That Passes:
- Database entry linking phone number to consent with timestamp, source, version
- Exact screenshot/HTML of form at consent time
- Explicit mention of autodialer, AI/artificial voice, specific seller, not-a-condition
- E-SIGN compliant signature: timestamp, IP address, session ID
- Audit trail showing which form version was active for each consent
- System that verifies consent exists before call proceeds
- Separate consent for international transfers (PIPL, LGPD)
Red Flags That Trigger Findings:
- Consent stored only in CRM notes, not structured database
- No preserved copy of actual form user signed
- Generic "receive calls" without AI/artificial voice mention
- No signature or non-compliant capture method
- Form changed but old consents not flagged for re-consent
- No pre-call consent verification in call flow
- Bundled consent without specific cross-border disclosure
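The pre-call verification system this section and 13.1 call for, as an added example (not code from the original page): it picks the TCPA tier from Part 1 for the call type, checks the nine PEWC elements, the seller match, form-version currency and revocation, and applies the 18-month/3-month EBR windows for DNC-listed numbers. The record layout, field names, seller name and the sample records are this example's assumptions.

```python
# Pre-call consent gate for outbound voice AI. Added illustration, not the
# page's own code: the record layout, field names, seller name and the sample
# records below are this example's assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The nine PEWC elements the page lists, as record keys (names are ours).
PEWC_ELEMENTS = {
    "form_snapshot",                                   # preserved copy of form/webpage
    "esign_timestamp", "esign_ip", "esign_session",    # E-SIGN evidence
    "phone_number", "seller_name",
    "atds_or_artificial_voice_disclosed", "ai_voice_disclosed",
    "not_a_condition_disclosed",
}


@dataclass
class ConsentRecord:
    phone_number: str
    seller_name: str
    form_version: str
    written: bool                                   # False = oral consent (PEC only)
    fields: Dict[str, object] = field(default_factory=dict)
    revoked_at: Optional[datetime] = None
    last_transaction_at: Optional[datetime] = None  # 18-month transaction EBR
    last_inquiry_at: Optional[datetime] = None      # 3-month inquiry EBR


@dataclass
class Decision:
    allowed: bool
    tier: str
    reasons: List[str]


def _months_before(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic for EBR windows (day clamped to 28 so no short month overflows)."""
    m = dt.month - months
    y = dt.year + (m - 1) // 12
    m = (m - 1) % 12 + 1
    return dt.replace(year=y, month=m, day=min(dt.day, 28))


def can_place_call(rec: ConsentRecord, *, seller: str, telemarketing: bool,
                   automated: bool, on_dnc: bool, active_form_versions: set,
                   now: datetime) -> Decision:
    """Decide which TCPA consent tier the call needs and whether the record satisfies it.

    automated = the call uses an ATDS or an artificial/prerecorded (including AI) voice.
    """
    reasons: List[str] = []
    if rec.revoked_at is not None and rec.revoked_at <= now:
        return Decision(False, "revoked", ["consent revoked; do not call"])
    if rec.seller_name != seller:
        reasons.append("consent names a different seller")
    if rec.form_version not in active_form_versions:
        reasons.append("form version retired; re-consent required")

    if telemarketing and automated:
        tier = "PEWC"
        if not rec.written:
            reasons.append("PEWC must be written; oral consent is insufficient")
        missing = PEWC_ELEMENTS - {k for k, v in rec.fields.items() if v}
        if missing:
            reasons.append("PEWC elements missing: " + ", ".join(sorted(missing)))
    elif automated:
        tier = "PEC"      # informational call: oral or written consent is acceptable
        if not rec.fields.get("phone_number"):
            reasons.append("PEC requires a number the consumer provided")
    else:
        tier = "live"     # no ATDS/artificial voice: the TCPA consent tiers do not apply

    if telemarketing and on_dnc:
        tier += "+DNC"
        ebr_open = (
            (rec.last_transaction_at is not None and rec.last_transaction_at >= _months_before(now, 18))
            or (rec.last_inquiry_at is not None and rec.last_inquiry_at >= _months_before(now, 3))
        )
        if not (rec.written or ebr_open):
            reasons.append("DNC-listed number: needs written PEIP or an open EBR window")
    return Decision(not reasons, tier, reasons)


# Constructed sample records (not real consents).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ACTIVE_FORMS = {"consent-v3"}
FULL_PEWC = ConsentRecord(
    phone_number="+15555550100", seller_name="ExampleCo", form_version="consent-v3", written=True,
    fields={**{k: True for k in PEWC_ELEMENTS}, "phone_number": "+15555550100", "seller_name": "ExampleCo"},
)
ORAL_PEC = ConsentRecord(
    phone_number="+15555550101", seller_name="ExampleCo", form_version="consent-v3", written=False,
    fields={"phone_number": "+15555550101"},
    last_inquiry_at=datetime(2025, 4, 15, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(can_place_call(FULL_PEWC, seller="ExampleCo", telemarketing=True, automated=True,
                         on_dnc=True, active_form_versions=ACTIVE_FORMS, now=NOW))
    print(can_place_call(ORAL_PEC, seller="ExampleCo", telemarketing=True, automated=True,
                         on_dnc=False, active_form_versions=ACTIVE_FORMS, now=NOW))
```

The reasons list is what the dialer logs alongside the block decision; "form version retired" is the re-consent flag that 13.1 says auditors look for, and the same oral record passes an informational call but fails a telemarketing one, which is the RAG-triggered marketing problem from 1.1 seen from the consent side.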
13.2 Disclosure Verification
Evidence That Passes:
- Documented, version-controlled script with all required elements
- System logs confirming disclosure played before AI conversation
- Call recordings showing disclosure in first 10 seconds
- Tested opt-out mechanism that actually functions
Red Flags That Trigger Findings:
- AI generates disclosure dynamically (can omit/modify required elements)
- "We have a script" without verification it was delivered
- No recording samples available for review
- "Press 1 to opt out" without testing that pressing 1 works
13.3 Revocation Handling
Evidence That Passes:
- Database with timestamp, source, phone number, request language
- Metrics showing time from request to system update (within the FCC's 10-business-day revocation window; real-time is better)
- Logs showing DNC API actually called with correct parameters
- AI waits for API success before confirming to customer
- Kill switch in recording pipeline; processing stops when customer says "stop recording"
Red Flags That Trigger Findings:
- Revocations logged in conversation notes but not systematically processed
- Calls placed during "processing window" after revocation
- AI claims success but API never called (hallucinated tool execution)
- AI confirms removal before async API call completes
- AI acknowledges but has no connection to recording pipeline
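The revocation flow this section describes, as an added example (not code from the original page): every tool call is written to an audit record before it runs, the spoken confirmation is chosen by code from the tool result rather than composed by the model, the "stop recording" request goes through the same path to the recording kill switch, and a transcript check flags any assistant turn that claims a removal no successful tool call supports. The DNC client, recorder, audit record layout, claim markers and the transcript are this example's own assumptions.

```python
# Revocation handling where the assistant's confirmation is derived only from
# a logged, successful tool call. Added illustration, not the page's code: the
# DNC client, recorder, audit record layout and phrases are this example's own.
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


class FakeDncClient:
    """Constructed stand-in for the real do-not-call API; fail=True simulates an outage."""
    def __init__(self, fail: bool = False):
        self.fail = fail
        self.entries: List[Dict] = []

    def add(self, phone: str, reason: str) -> Dict:
        if self.fail:
            raise ConnectionError("dnc api unreachable")
        self.entries.append({"phone": phone, "reason": reason})
        return {"status": "ok", "phone": phone}


class FakeRecorder:
    """Constructed stand-in for the recording pipeline's kill switch."""
    def __init__(self):
        self.recording = True

    def stop(self, reason: str) -> Dict:
        self.recording = False
        return {"status": "ok", "reason": reason}


@dataclass
class ToolCallRecord:
    call_id: str
    tool: str
    args: Dict
    started_at: str
    ok: bool = False
    result: Optional[Dict] = None
    error: Optional[str] = None


class RevocationHandler:
    CONFIRM = ("I've added {phone} to our do-not-call list as of {when}. "
               "You won't receive further calls from us.")
    FAILED = ("I wasn't able to update our records just now. I'm transferring you "
              "to a human agent so this is completed today.")

    def __init__(self, dnc: FakeDncClient, recorder: FakeRecorder):
        self.dnc, self.recorder = dnc, recorder
        self.audit: List[ToolCallRecord] = []

    def _run_tool(self, tool: str, fn: Callable[..., Dict], **args) -> ToolCallRecord:
        rec = ToolCallRecord(str(uuid.uuid4()), tool, args, datetime.now(timezone.utc).isoformat())
        self.audit.append(rec)          # logged before execution: a crash still leaves a trace
        try:
            rec.result = fn(**args)
            rec.ok = rec.result.get("status") == "ok"
        except Exception as exc:        # network errors, timeouts, schema errors
            rec.error = repr(exc)
        return rec

    def handle_dnc_request(self, phone: str, request_text: str):
        """Return (message to speak, tool call id). Code, not the model, picks the message
        from the tool result, so a success claim can only follow a successful call."""
        rec = self._run_tool("dnc.add", self.dnc.add, phone=phone, reason=request_text)
        if rec.ok:
            return self.CONFIRM.format(phone=phone, when=rec.started_at[:10]), rec.call_id
        return self.FAILED, rec.call_id

    def handle_stop_recording(self, request_text: str):
        rec = self._run_tool("recording.stop", self.recorder.stop, reason=request_text)
        msg = "Recording has stopped." if rec.ok else "I couldn't stop the recording; transferring you now."
        return msg, rec.call_id

    def confirmation_is_backed(self, call_id: Optional[str]) -> bool:
        """Audit check: a confirmation counts only if a matching successful tool call exists."""
        return any(r.call_id == call_id and r.ok for r in self.audit)


# Phrases that amount to a success claim; an assistant turn containing one without
# a backing tool call is the "hallucinated tool execution" red flag.
CLAIM_MARKERS = ("do-not-call", "won't receive further calls", "removed your number")


def flag_unbacked_claims(handler: RevocationHandler, turns: List[Dict]) -> List[int]:
    """Return indices of assistant turns that claim a removal no successful tool call supports."""
    flagged = []
    for i, turn in enumerate(turns):
        if turn["role"] != "assistant":
            continue
        claims = any(m in turn["text"].lower() for m in CLAIM_MARKERS)
        if claims and not handler.confirmation_is_backed(turn.get("tool_call_id")):
            flagged.append(i)
    return flagged


def demo_transcript(handler: RevocationHandler) -> List[Dict]:
    """Constructed transcript: one backed confirmation, one fabricated one."""
    msg, cid = handler.handle_dnc_request("+15555550100", "stop calling me")
    return [
        {"role": "user", "text": "Stop calling me."},
        {"role": "assistant", "text": msg, "tool_call_id": cid},
        {"role": "user", "text": "And my other number too, 555-0101."},
        {"role": "assistant", "text": "Done, I've removed your number from everything."},  # no tool call
    ]


if __name__ == "__main__":
    h = RevocationHandler(FakeDncClient(), FakeRecorder())
    turns = demo_transcript(h)
    print("unbacked claims at turns:", flag_unbacked_claims(h, turns))
```

In production the `flag_unbacked_claims` check runs over sampled transcripts as part of the continuous monitoring in 13.5; the same audit list, with the API response stored on each record, is the "tool call log" the scorecard asks for.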
13.4 Vendor Management
Evidence That Passes:
- List of all third parties processing voice data with data flows
- Contract with agent relationship; Data use restrictions; No training use; Sub-processor restrictions
- Visual showing where voice data goes, who processes it, what happens to it
- Consent language covers third-party technology provider processing
- Documentation of transfer mechanism (SCCs, adequacy, consent)
Red Flags That Trigger Findings:
- "We use an AI provider" without documentation of which one
- Contract allows vendor to "improve services" or "train models"
- No data flow documentation
- Consent says "recorded for quality assurance" with no AI/third-party mention
- Data transferred internationally without legal basis
13.5 AI Output Controls
Evidence That Passes:
- Architectural controls (not just prompts) preventing compliance violations
- Pricing/terms/eligibility retrieved from verified database, not generated
- 500+ adversarial prompt test results documented
- Continuous sampling dashboard with alert thresholds
Red Flags That Trigger Findings:
- "We told the AI not to do that in the prompt"
- AI generates pricing dynamically (hallucination risk)
- Testing only covers happy path scenarios
- "Passed compliance at launch" with no ongoing monitoring
Part 14: The Difference Between "Program Exists" and "Program Works"
"Program exists" (triggers findings):
- We have a consent form
- We have a disclosure script
- We have a DNC policy
- We have an AI vendor contract
- We told the AI what to do
"Program works" (passes review):
- We verify consent before every call and can prove it
- We verify disclosure was delivered and can prove it
- We verify revocations are processed and can show the tool call logs
- We verify vendors are restricted and can show the contract terms
- We verify AI outputs are controlled and can show the testing results and monitoring data
Auditors and regulators distinguish between documentation that says you comply and evidence that proves you comply. Voice AI deployments fail this test more often than traditional systems because the AI introduces variability that paper policies don't control.
Quick Audit Readiness Scorecard
Use this checklist to assess your current state:
Consent Infrastructure
- ☐ Consent records with timestamps, form preservation, version control
- ☐ Pre-call verification system confirms consent before dialing
- ☐ Consent language explicitly covers AI/artificial voice technology
- ☐ Separate consent for cross-border transfers where required (PIPL, LGPD)
Disclosure Delivery
- ☐ Deterministic disclosure delivery (not AI-generated)
- ☐ System logs proving disclosure played before AI conversation
- ☐ Sample recordings available showing disclosure in first 10 seconds
Revocation Processing
- ☐ Tool call logs proving DNC/revocation requests actually processed
- ☐ Processing time metrics (request → system update)
- ☐ Mid-call withdrawal mechanism connected to recording pipeline
Vendor Compliance
- ☐ Vendor contracts prohibit training use and "improve services" clauses
- ☐ Data flow documentation showing all third-party processing
- ☐ Customer consent language covers third-party AI providers
- ☐ Cross-border transfer mechanisms documented
AI Output Controls
- ☐ Architectural guardrails (not prompt-only)
- ☐ Edge case testing documentation from last 90 days
- ☐ Production monitoring with alert thresholds
Jurisdictional Compliance
- ☐ EU AI Act: No workplace emotion recognition
- ☐ Brazil LGPD: Opt-in consent with withdrawal mechanism
- ☐ India DPDP: Verifiable consent with grievance mechanism
- ☐ China PIPL: Separate consent for sensitive data and cross-border transfers
Scoring:
- 15-18 boxes checked: Audit-ready for global operations
- 11-14 boxes checked: Gaps exist—prioritize remediation
- Below 11: Significant exposure—conduct full assessment
Self-Assessment Questions
- Can you produce, right now, the consent record for a specific phone number you called last week—including the exact form they signed?
- Can you produce call recordings proving disclosure was delivered in the first 10 seconds?
- Can you produce tool call logs showing a DNC request from last month was actually sent to your suppression API?
- Can you produce your AI vendor contract and show the clause prohibiting training use?
- Can you produce edge case test results for your voice AI from the last quarter?
- For calls to California, can you prove third-party AI processing was disclosed and consented to?
- For calls involving Illinois residents, do you have BIPA-compliant voiceprint consent with retention/destruction policy?
- For EU operations, have you audited for prohibited emotion recognition in workplace contexts?
- For Brazil operations, do you have opt-in consent with documented withdrawal mechanism?
- For China operations, do you have separate consent for cross-border data transfers?
- For India operations, are you prepared for May 2027 DPDP compliance deadline?
If any answer is "no" or "I'd have to check," you have audit readiness gaps.
VoiceLint Audit Readiness Assessment
We evaluate voice AI deployments against regulatory evidence requirements across all jurisdictions covered in this guide—not just policy existence, but proof of operational compliance.
Assessment Scope:
- Consent Architecture Review: Can you prove consent existed before each call? Form preservation, version control, call-to-consent matching
- Disclosure Verification Audit: Can you prove disclosures were delivered? Timing verification, deterministic delivery, sample recordings
- Revocation Handling Test: Do tool calls actually execute? Correct parameters? Confirmation handling? Mid-call withdrawal?
- Vendor Contract Review: Do terms create third-party exposure under CIPA capability test?
- AI Output Testing: Edge case battery (500+ prompts), hallucination detection, production monitoring gaps
- Jurisdictional Compliance: State-by-state consent requirements, EU AI Act prohibited practices, BIPA voiceprint requirements, LGPD opt-in, PIPL cross-border, DPDP readiness
Deliverables:
- Gap Assessment Report: Exactly what evidence you're missing, mapped to specific regulatory requirements across 40+ jurisdictions
- Risk Exposure Analysis: Per-jurisdiction penalty exposure based on current gaps
- Remediation Roadmap: Prioritized by risk exposure, with specific implementation guidance
- Audit-Ready Documentation: Templates for consent forms, vendor contracts, testing protocols
