40 Managing Gen-AI in Regulated Data Markets While the federal government’s classification system presents challenges to integrating Gen-AI, we see the private sector encountering similar challenges for regulated data markets. For Healthcare, Protected Health Information (PHI) is regulated under HIPAA laws which create restrictions on the flow of sensitive patient information. For servicemembers and veterans, this can be particularly sensitive and require adherence to unique sub-rules within HIPAA that allow for appropriate information sharing in specific circumstances. For the financial sector, Anti-Money-Laundering legislation (AML) has emerged in the last two decades to track flows of funds to adversarial, criminal, or terror-linked groups, and core to this process is Know-Your-Customer data, in which banking customers must share personally identifiable information with banks to gain access to certain financial products.45 The data aggregated by financial institutions is not only used by banks but is a critical national security asset to prevent the flow of finances toward individuals and groups acting against US national security interests. Last, consumer data within the US Telecommunications sector are falling under increasing regulatory scrutiny at both the state and federal level. While states are expanding data privacy legislation—giving more discretion to individual consumers over how and where their personal data can be collected and sold—at the federal level, a 2024 Executive Order (EO) bars US citizens from selling mass data containing sensitive information of US citizens and “government related data” to foreign actors.46 The EO specifically addresses the nexus of consumer telecom data and “new national security regulatory regime focused on protecting bulk U.S. sensitive personal data and government-related data from countries of concern, including the People’s Republic of China.” 47 The Health, Finance, and Telecomm sectors are all falling under increasing scrutiny due to their overlap with US national security priorities, including significant concern that foreign adversaries are amassing “bulk U.S. sensitive personal data.” 48 Gen-AI models present significant risks to these sectors because of the existing ambiguity over how models can be employed to aggregate, analyze, and discuss large data sets with users. Paying close attention to how the DOD and intelligence community integrate Gen-AI into classified information systems (a process that has already begun and is ongoing) can demonstrate potentially useful dual-use applications in sensitive datasets collected in the private sector. One possible approach would be to devise Cloud data sensitivity categories for regulated commercial data markets that establish industry-equivalent thresholds emulative of FedRAMP or Impact Levels. Further, companies can organize data repositories and personnel access around protocols such as the long-standing firewalls embedded within NIPR, SIPR, and JWICS that serve as critical security gates for newly embedded Gen-AI models. Further, incorporating human-in-the-loop analysis and classification of data in conjunction with Gen-AI models can benefit both the DOD and companies alike, by ensuring proper classification and improving model accuracy for identifying and flagging potential violations or ambiguity in data classification. Generative AI Adoption in the US Military