← All issues

2026-06-20

A methodology for leveraging AI across your policies and procedures

Every kit we ship updates one regulation against your P&Ps. This issue is the method underneath all of them — the reframe that takes your policies and procedures from a binder you maintain to an instrument you operate. It rests on four propositions, each building on the last.

If you’ve tried to use AI on your P&Ps before, you may have run into hallucination — invented citations, confident misreadings. That’s the exact problem this method is built to contain: let AI do what it’s genuinely good at (reading), and forbid, mechanically, what it isn’t (inventing). The infrastructure below is how.

There is a full white paper version of this with the worked example and the guardrails spelled out:

1. AI is good at reviewing documents

Strip away the hype and one capability is solid enough to build on: AI reads well. It holds a long document in view, compares it to another, and finds the passage that matters. That is the most time-expensive part of a compliance officer’s job — reading a regulation, reading a policy, and finding where the two meet or fail to.

This isn’t our claim alone: Anthropic’s own legal use-case guide points compliance and legal teams at exactly this work — reviewing contracts and regulatory text — and adds, tellingly, that the output “should be reviewed by legal professionals.” The known limit cuts the same way: models track the start and end of a long document better than its middle, which is precisely why this method keeps each policy in its own focused chat instead of dumping the whole library into one window.

State it plainly because the industry skips past it toward flashier claims, and the flashier claims are where the risk lives. Reading and locating is reliable. Inventing and asserting is not. A method that leans entirely on the first and structurally forbids the second is one you can stand behind.

2. With the right instructions and data, that becomes regulatory maintenance

Give the AI two things — the verbatim text of the new or changed rule and the policy it may touch — and instruct it carefully. It can then do what manual review does slowly and unevenly:

That second output is the one teams underestimate. A good AI pass produces two deltas: the document delta (what the policy should now say) and the operational delta (what the business must start, stop, or change). Both are first drafts for you to review and own — but starting from a structured draft instead of a blank page next to a 300-page rule is the difference between a week and an afternoon.

3. Projects + Skills make it consistent across your whole set

One well-prompted document is a parlor trick. A program is forty policies, and the bar is every policy, the same way, every time — because an examiner doesn’t grade your best document, and a missed one is where exposure hides. Two platform features turn the trick into a method:

You review and decide on all of it. The labor of finding, analyzing, and drafting — thoroughness, not judgment — is done consistently across every policy in one coordinated pass.

4. Then it becomes a shared operating method

Once the policies are current, create a new shared Project with the operational people the P&Ps govern — origination, servicing, marketing, vendor management. There, the now-current policies become a working surface, not an archive:

At that point the P&Ps have changed category: from a binder consulted after a problem to part of the methodology by which the firm stays compliant in the first place — catching first-draft issues at the point of creation, with your judgment encoded into the rules and applied to the review.

That’s the whole arc: P&Ps as liability → P&Ps as asset → P&Ps as methodology.

The guardrails that make it defensible

Built into the mechanics, not left to good intentions:

  1. Verbatim source, no invented citations. Every cite is the actual rule text, traceable. Can’t ground a claim? It says so and stops. It’s the same principle behind Anthropic’s Citations feature — tie each statement back to its source sentence.
  2. First drafts for human review — never final, never legal advice. Every output is a working draft a qualified professional reviews, corrects, and owns.
  3. The compliance officer decides. Materiality, risk, adequacy — the load-bearing judgment stays with the human accountable for it. AI reads and drafts; you decide. This mirrors the NIST AI Risk Management Framework: define human review points, override rights, and clear ownership for high-risk decisions. The goal is never to route around the compliance pro; it’s to give the hardest thinkers in the building a system that scales with them.

What goes in a prompt — and what goes in a Skill

The method lives or dies on two artifacts. Here’s what belongs in each.

A good compliance prompt has five parts: a role and the job; the source named as the only citable input (the keystone anti-hallucination move); the task stated concretely; the discipline (cite verbatim, flag gaps don’t assert, run to completion, first-draft-for-review); and a fixed output format. A compact example that does all five — a one-prompt regulatory-maintenance pass:

You are a mortgage compliance analyst. I'm giving you two things: an
Update Kit (verbatim rule text — your ONLY citable source) and one of
my loss-mitigation P&Ps.

Find every section of my P&P that reflects the OLD rule. For each:
  - quote the kit requirement that changed it (verbatim, with its ID),
  - draft a compliant first-pass revision,
  - name the operational gap: what the business must start, stop, or
    change to actually comply — not just what the document should say.

Rules: cite only from the kit; if it isn't in there, say "outside this
kit" — never invent a citation. Where the P&P is silent rather than
wrong, flag it as a gap; don't assert. Run to completion. First draft
for my review, not legal advice.

End with a change-log table: section · what changed · kit ID · operational owner.

That’s the whole Level-1 move — and exactly what our FHA Loss-Mitigation update kit packages: one file you attach, one prompt, a verbatim self-checked gap analysis against Mortgagee Letter 2025-06.

A Skill turns that one-off prompt into something every chat runs identically. Its structure: frontmatter (a name, a description with the trigger phrases, a version) so Claude knows when to use it; the operating rules applied every run (cite verbatim, never assert what’s unevidenced, run to completion); a source-of-truth resolution order (in-chat → Project knowledge → bundled fallback, so currency is a one-file swap); the output contract every run ends with, so many chats merge cleanly; stage routing to pick the right step; and references/ (one file per stage) + assets/ (the verbatim rule kit). Every one of these is visible in the FNMA AI Lender Letter Skill — download it, open the folder, and read the SKILL.md.

See it made concrete

The FNMA AI Lender Letter (LL-2026-04) — published April 8, 2026, effective August 6 — is this method applied to one broad rule: scan every P&P, reconcile against your vendor and app inventory, synthesize the master AI policy, realign each P&P, produce the change log. The free, build-it-yourself kit is the methodology made specific.

Further reading

Get each issue in your inbox One regulatory update at a time, with the copy-paste block and the kit built in. Forward it to anyone; no spam; one-click unsubscribe.

Find this useful? Forward it to someone who’d want it — they can subscribe at the top.