AI 扩展计划 / Playbooks
AI Consent / Preference / Purpose-Bound Data Playbook
重要说明: 本文是学习、作品集和架构训练材料, 不构成法律、隐私、合规、审计、模型风险管理或监管意见。正式项目必须由 Legal、Privacy、Compliance、Security、Data Governance、Model Risk、Product、Operations、Customer Experience 和业务责任人共同确认适用法规、合同、控制和证据要求。
769 行AI_CONSENT_PREFERENCE_PURPOSE_BOUND_DATA_PLAYBOOK.md
AI Consent / Preference / Purpose-Bound Data Architecture Playbook
适用对象: 金融零售 AI Product Manager、Senior BA、Product Architect、Privacy Architect、Data Governance Lead、Security Architect、Model Risk、Compliance Product Owner。 核心问题: 如何把客户和员工的 consent、preference、purpose limitation 从政策语言变成 AI 产品和运行时架构。 重点边界: 本 playbook 不是泛泛的 privacy-by-design。它聚焦 consent / preference / purpose 在 AI RAG、tool、memory、log、vendor、open banking、客户 UX 和证据链中的执行。
重要说明: 本文是学习、作品集和架构训练材料, 不构成法律、隐私、合规、审计、模型风险管理或监管意见。正式项目必须由 Legal、Privacy、Compliance、Security、Data Governance、Model Risk、Product、Operations、Customer Experience 和业务责任人共同确认适用法规、合同、控制和证据要求。
1. Executive Framing
AI consent architecture 的目标不是“多弹一个同意框”。它的目标是让组织能在运行时回答并证明:
This AI use of this data is allowed for this subject,
under this purpose, scope, channel, legal basis, preference,
expiry, model, tool, vendor and evidence boundary.
金融零售 AI 的高风险来自 context expansion:
- 客户为客服提供的数据可能被营销系统误用。
- 员工在 RM copilot 中看到的客户资料可能被写入长期 memory。
- 开放银行授权数据可能被内部 AI enrichment 重新利用。
- RAG index 可能继续保留已撤销授权的文档片段。
- Prompt log、eval sample、feedback queue 和 vendor telemetry 可能成为隐性副本。
高级判断:
Consent is not a universal permission. In financial AI it must be purpose-specific, revocable, evidence-backed, and coordinated with legal basis, product terms, privacy, security, customer trust, and operational controls.
本 playbook 的输出物:
- purpose taxonomy
- consent/preference event schema
- preference center capability map
- runtime enforcement architecture
- RAG/tool/data/memory/log controls
- withdrawal and re-consent lifecycle
- dashboards and KRIs
- RACI and operating model
- financial retail examples
- templates, 30-day lab and interview answers
2. Source Anchors
以下官方来源作为概念和控制设计锚点。访问日期按 2026-06-30 记录。
| Anchor | Official source | 用在本 playbook 的位置 |
|---|---|---|
| NIST Privacy Framework | https://www.nist.gov/privacy-framework | 用 Identify-P、Govern-P、Control-P、Communicate-P、Protect-P 组织 privacy risk、purpose、control、communication 和 evidence。 |
| NIST AI RMF | https://www.nist.gov/itl/ai-risk-management-framework | 用 Govern / Map / Measure / Manage 把 consent 和 purpose enforcement 纳入 AI risk lifecycle。 |
| FTC Safeguards Rule | https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know | 用客户信息保护、访问控制、服务提供商监督和信息安全计划约束金融 AI 数据路径。 |
| CFPB Personal Financial Data Rights | https://www.consumerfinance.gov/personal-financial-data-rights/ | 用于开放银行、客户授权、数据访问、第三方数据共享、撤销和客户控制的产品讨论。 |
| ISO/IEC 42001 | https://www.iso.org/standard/42001 | 用 AI management system 语言建立政策、角色、流程、监控、改进和证据机制。 |
Standards-to-artifact:
| Source lens | Artifact | 面试表达 |
|---|---|---|
| NIST Privacy Framework | Purpose and control map | “我把 privacy control 设计成可运行的 AI control plane。” |
| NIST AI RMF | AI purpose risk tier and monitoring dashboard | “我用 Map / Measure / Manage 验证 consent enforcement。” |
| FTC Safeguards Rule | Customer information safeguard matrix | “金融客户信息保护必须覆盖 AI tools, logs, vendors and access paths。” |
| CFPB data rights | Open banking authorization lifecycle | “客户授权的数据共享要和 AI secondary use 明确分离。” |
| ISO/IEC 42001 | AIMS policy, owner, evidence loop | “我把 consent architecture 放进 AI management system。” |
3. Consent Architecture Is Not Generic Privacy-by-Design
| 维度 | Privacy-by-design 问题 | Consent architecture 问题 |
|---|---|---|
| 目的 | 是否有明确目的 | 当前请求是否匹配已批准 purpose |
| 同意 | 是否告知和收集同意 | consent state 是否实时影响 RAG、tool、log、memory |
| 偏好 | 是否提供选择 | preference 是否跨渠道、模型、供应商和营销系统生效 |
| 数据 | 是否最小化 | 哪些字段被允许进入当前 AI context |
| 架构 | 是否保护数据 | 哪里执行 allow、deny、minimize、step-up、re-consent |
| 证据 | 是否有文档 | 能否查询每次 AI 使用的数据-use decision |
| 变更 | 是否做 PIA / DPIA | 新 capability、vendor、purpose、scope 是否触发 re-consent |
关键定位:
- Consent 是授权意图和客户控制的一部分, 不是万能法律依据。
- Preference 是持续产品状态, 不只是 marketing unsubscribe。
- Purpose limitation 必须进入 policy engine、token、retrieval、tool、memory 和 logging。
- Evidence 是客户信任、审计和事故复盘的生产资产。
4. Purpose Taxonomy
Purpose taxonomy 是 consent architecture 的根。没有 purpose taxonomy, 团队只能说“AI uses customer data”, 无法表达为什么、边界在哪里、何时必须阻断。
4.1 Purpose Levels
| Level | 示例 | 说明 |
|---|---|---|
| Enterprise purpose | Customer support, fraud prevention, marketing, compliance | 面向隐私政策和治理 |
| AI use purpose | AI account explanation, dispute drafting, RM meeting prep | 面向 AI product and risk review |
| Runtime purpose | customer_service_fee_explanation, payment_dispute_support | 面向 policy engine |
| Action purpose | retrieve, summarize, draft, submit, personalize, log, evaluate | 面向 RAG/tool/data controls |
4.2 Financial Retail Purpose Catalog
| Purpose ID | Business meaning | Typical users | Risk tier |
|---|---|---|---|
public_product_education | Explain public product terms | prospects, customers, employees | Low |
customer_service_account_help | Help authenticated customer understand account activity | customers, CSR | Moderate |
payment_dispute_support | Prepare and manage card dispute | customers, dispute ops | Moderate-high |
complaint_intake_resolution | Capture and route complaint | customers, complaint team | High |
fraud_account_protection | Detect and respond to suspected fraud | fraud ops, customers | High |
rm_meeting_preparation | Help relationship manager prepare meeting | RM, branch manager | High |
credit_assistance_review | Support credit documentation and review | underwriter, credit ops | High |
marketing_personalization | Tailor offers, messages and content | marketing, customers | Moderate-high |
open_banking_data_sharing | Share customer-authorized financial data | customers, third parties | High |
model_quality_eval | Evaluate AI outputs and regressions | model risk, QA | Moderate-high |
employee_productivity_copilot | Help employees search policy and draft notes | employees | Moderate |
4.3 Purpose Record Fields
| Field | Description |
|---|---|
purpose_id | Stable machine-readable ID |
customer_value | What user outcome this purpose supports |
allowed_ai_actions | retrieve, summarize, draft, decide, act, evaluate, train |
prohibited_ai_actions | actions explicitly blocked |
data_classes | PII, PCI, financial account, credit, AML, employee data |
legal_basis_ref | legal basis or policy register reference |
consent_required | yes, no, conditional, confirmation, employee notice |
preference_controls | opt-in, opt-out, channel preference, memory control |
expiry_policy | grant/session/token/index expiry rules |
withdrawal_effect | stop future use, delete derived artifact, suppress channel |
reconsent_triggers | capability, data, vendor, model, action, terms change |
evidence_requirement | standard, enhanced, regulated evidence |
owner | product, privacy, data and operational owners |
4.4 Purpose Compatibility Matrix
| Source purpose | Proposed AI use | Default decision | Reason |
|---|---|---|---|
| Customer service | Account explanation | Allow with authentication and minimization | Same service context |
| Customer service | Marketing personalization | Deny or require separate preference/authorization | Different expectation |
| Open banking data sharing | Internal model training | Deny unless explicitly permitted and reviewed | Secondary use risk |
| Fraud prevention | Customer-facing explanation of fraud rules | Deny or heavily limit | Security and abuse risk |
| Complaint handling | Eval regression for complaint bot | Conditional allow with minimization and evidence | Quality improvement |
| RM meeting prep | Cross-sell recommendation | Conditional | Sales and advice boundary |
5. Consent, Preference and Legal Basis Model
5.1 Distinctions
| Term | Meaning | Product implication |
|---|---|---|
| Consent | User authorization where appropriate | Specific, informed, revocable, evidenced |
| Preference | User/employee choice about experience or use | Editable and enforced across channels |
| Legal basis | Legal/contractual basis for processing | Recorded and reviewed by Legal/Privacy |
| Notice | What was explained to subject | Versioned and tied to evidence |
| Authorization | Runtime grant to use data or perform action | Scoped, time-boxed and enforced |
| Confirmation | Step-up for a specific high-impact action | Bound to exact action and object |
5.2 Consent Is Not a Universal Permission
In financial AI, consent does not mean:
- all customer data can be used for all AI features.
- future AI capabilities inherit old consent automatically.
- product terms can silently expand model training or vendor use.
- opt-in overrides security, fairness, legal hold or complaint obligations.
- a preference toggle replaces purpose limitation.
Mature interpretation:
- Use consent where it is the right mechanism.
- Use legal basis and notice where consent is not appropriate.
- Use preferences to give meaningful control.
- Use product terms and in-context disclosure to prevent surprise.
- Use runtime enforcement to make choices real.
5.3 Preference Categories
| Preference | Examples | Enforcement target |
|---|---|---|
| AI feature preference | use AI assistant, disable personalization, allow memory | orchestration, memory service |
| Communication preference | email, SMS, push, phone, language | notification tools |
| Marketing preference | product offers, partner offers, cross-sell suppression | campaign systems, recommender |
| Data sharing preference | third-party access, open banking authorization | API gateway, token service |
| Accessibility preference | plain language, large text, voice channel | UX and response formatter |
| Employee copilot preference | draft style, language, no personal metrics coaching | employee copilot policy |
5.4 Consent State Machine
not_present -> presented -> granted -> active -> narrowed
-> expired -> withdrawn -> superseded_by_new_version -> reconsent_required
Transitions must be event-driven. A CRM field update is not enough if active sessions, cached tokens, vector indexes or campaign audiences keep using stale state.
6. Consent and Preference Event Schema
6.1 Event Envelope
| Field | Type | Example |
|---|---|---|
event_id | string | pref_evt_20260630_0001 |
event_type | enum | consent_granted, preference_updated, consent_withdrawn |
event_time | timestamp | 2026-06-30T15:20:00Z |
subject_type | enum | customer, employee, representative, organization |
subject_id | string | cust_8f3a |
actor_type | enum | self, employee, system, third_party, admin |
actor_id | string | cust_8f3a or csr_204 |
channel | string | mobile_app, web, branch, contact_center, API |
jurisdiction | string | US, EU, CA, UK, SG |
tenant_id | string | retail_bank_us |
correlation_id | string | interaction, case or workflow id |
6.2 Consent Fields
| Field | Example | Notes |
|---|---|---|
purpose_id | payment_dispute_support | Must match catalog |
scope_id | transactions.read.selected_account_90d | Data/action/object scope |
data_classes | transaction, account, contact | Use data taxonomy |
object_scope | account, card, transaction, case | Avoid broad grants |
status | granted, withdrawn, expired | Current event status |
legal_basis_ref | LB-CUST-SERVICE-2026-01 | Legal/Privacy registry |
notice_version | notice-dispute-ai-v4 | Text shown to user |
capability_id | dispute_assistant | AI capability |
capability_version | v2.3 | Re-consent trigger |
model_boundary | internal gateway, no training | Vendor/model constraint |
effective_at / expires_at | timestamps | Grant window |
withdrawal_effect | stop_future_use, purge_cache | Operating consequence |
evidence_ref | evidence object id | UI/API proof |
6.3 Preference and Evidence Fields
| Field | Example |
|---|---|
preference_type | marketing, AI_memory, channel, accessibility |
preference_key | marketing_personalized_offers |
preference_value | opt_in, opt_out, disabled, push_only |
applies_to | product, channel, account, household, employee workspace |
source | preference_center, call_center, API, campaign |
conflict_resolution | most_restrictive, latest_user_choice, legal_override |
propagation_targets | campaign, recommender, AI memory, notification tool |
ui_snapshot_id | what the user saw |
copy_text_hash | proof of notice text without duplicating payload |
authentication_context | MFA, device trust, session assurance |
policy_decision_id | runtime decision linkage |
6.4 Example Event
{
"event_type": "consent_granted",
"subject_type": "customer",
"subject_id": "cust_8f3a",
"channel": "mobile_app",
"purpose_id": "payment_dispute_support",
"scope_id": "transactions.read.selected_account_90d",
"object_scope": {"account_id": "card_456", "lookback_days": 90},
"notice_version": "notice-dispute-ai-v4",
"capability_id": "dispute_assistant",
"capability_version": "v2.3",
"expires_at": "2026-08-31T23:59:59Z",
"model_boundary": "internal_model_gateway_no_training",
"withdrawal_effect": ["stop_future_use", "invalidate_tokens", "purge_session_cache"],
"evidence_ref": "evd_9217"
}
7. Preference Center Product Architecture
7.1 Capability Map
| Capability | Product behavior | Architecture dependency |
|---|---|---|
| View active grants | Customer sees active AI, marketing and data-sharing permissions | Consent event projection |
| Change preference | User updates channel, personalization, memory or marketing choice | Event write API and propagation bus |
| Withdraw consent | User revokes purpose-specific data use | Revocation workflow and policy cache invalidation |
| Re-consent prompt | User reviews material AI change | Capability versioning and notice registry |
| Download evidence | User sees authorization history where appropriate | Evidence store with redaction |
| Authorized representative | Delegate or revoke representative access | Identity, authority and account-scope controls |
| Employee notice | Employee sees copilot monitoring and data-use boundaries | Workforce notice registry |
7.2 UX Principles
| Principle | Implementation |
|---|---|
| Purpose readable | Use customer language: “help with this dispute”, not “data processing”. |
| Scope visible | Show accounts, transactions, documents and time window. |
| Action clear | Distinguish read, draft, submit, share, personalize, remember. |
| Withdrawal easy | Same or easier path than grant where feasible. |
| No dark patterns | No bundling unrelated purposes into one required toggle. |
| Consequence honest | Explain what stops, continues or must be retained. |
| Accessibility | Plain language, screen reader support, multilingual support. |
7.3 Customer Copy Patterns
Grant:
Allow the AI assistant to read transactions from this card for the last 90 days
so it can help prepare your dispute. It cannot submit the dispute or use this
permission for marketing. You can withdraw this permission in Settings.
Withdrawal:
Withdrawing this permission stops future AI access for this dispute support
purpose. We may retain records needed to manage your dispute, security,
complaints or legal obligations.
Capability change:
This assistant can now attach merchant evidence to your dispute draft.
Because this changes what data the AI can use, please review and confirm.
8. Runtime Enforcement Architecture
8.1 Reference Architecture
User / Employee / Third Party
-> channel app or API
-> identity and authentication
-> consent and preference service
-> purpose catalog and legal basis registry
-> policy decision point
-> AI orchestrator
-> prompt assembly service
-> RAG retrieval gateway
-> tool gateway
-> memory service
-> logging and evidence service
-> vendor/model gateway
-> policy decision log
-> evidence store
-> dashboards, alerts, recertification
8.2 Runtime Decision Inputs and Outputs
| Input | Example |
|---|---|
| Identity | subject, actor, representative, employee role |
| Purpose | customer_service_account_help |
| Consent state | granted, withdrawn, expired, reconsent required |
| Preference state | personalized marketing opted out |
| Legal basis | service fulfillment, customer authorization, legal obligation |
| Data class | transaction, credit, AML, employee monitoring |
| Action | retrieve, summarize, draft, submit, log, evaluate, train |
| Object scope | account, transaction, document, case, household |
| Channel | mobile, contact center, RM desktop, third-party API |
| Model/vendor | internal, external, no-training, data residency |
| Decision | Meaning | Example |
|---|---|---|
| allow | Within purpose, scope and policy | Retrieve selected account transactions |
| deny | Conflicts with purpose or preference | Block marketing use after opt-out |
| minimize | Use reduced fields | Return last4, amount and merchant category |
| step_up | Require confirmation or approval | Submit dispute after customer confirmation |
| reconsent_required | Material change from previous authorization | New vendor or new data class |
| human_review | Need employee/compliance review | Complaint or credit explanation |
| quarantine | Stop capability or data path | Suspected policy violation |
8.3 Enforcement Locations
| Location | Control |
|---|---|
| UI | Show purpose, scope, consequence and withdrawal path |
| API gateway | Validate identity, token, tenant and scope |
| Policy engine | Decide allow, deny, minimize, step-up, re-consent |
| RAG retriever | Filter by purpose, ACL, consent, freshness and data class |
| Tool gateway | Enforce action, object scope, rate, schema and approval |
| Prompt assembly | Include only authorized context and policy manifests |
| Memory service | Use write allowlist, TTL and user controls |
| Logging service | Store evidence without unnecessary payload |
| Vendor gateway | Enforce no-training, region, minimization and retention |
| Event bus | Propagate withdrawal and preference changes |
8.4 Policy Pseudocode
function evaluate_ai_data_use(request):
purpose = purpose_catalog.get(request.purpose_id)
consent = consent_store.current(request.subject_id, request.purpose_id)
preference = preference_store.current(request.subject_id)
data_policy = data_policy_store.get(request.data_class, request.action)
if purpose.status != "approved": return deny("purpose_not_approved")
if request.action not in purpose.allowed_ai_actions: return deny("action_not_allowed")
if consent.required and consent.status != "granted": return reconsent_required("missing_consent")
if consent.expires_at < now(): return reconsent_required("consent_expired")
if preference.blocks(request.action, request.channel, request.purpose_id): return deny("preference_block")
if request.object_scope exceeds consent.scope: return deny("scope_exceeded")
if data_policy.requires_minimization: return minimize(data_policy.allowed_fields)
if purpose.high_risk_action(request.action): return step_up("confirmation_required")
return allow("policy_pass")
9. RAG, Tool, Data, Memory and Log Controls
9.1 RAG Controls
| Failure | Example | Control |
|---|---|---|
| Consent-blind retrieval | Retrieves customer material after withdrawal | Retrieval-time consent filter |
| Purpose creep | Service grant used for marketing insights | Purpose metadata and policy gate |
| ACL mismatch | Employee sees documents they cannot view in source system | Source ACL sync and negative tests |
| Stale index | Expired authorization remains embedded | Tombstone and targeted purge |
| Metadata leakage | Citation exposes customer/case name | Safe citation renderer |
| Cross-context retrieval | RM copilot retrieves another client’s notes | Customer/account/case context lock |
RAG corpus manifest fields:
| Field | Description |
|---|---|
corpus_id | Stable index/corpus identifier |
source_system | System of record |
allowed_purposes | Purpose IDs permitted |
data_classes | PII, financial, credit, AML, employee |
consent_dependency | none, customer consent, employee notice, open banking token |
access_filter | ACL, tenant, account, case, region, product |
deletion_propagation | tombstone, purge, rebuild, cache clear |
evidence_fields | retrieved chunk IDs, filter result, excluded reason |
9.2 Tool Controls
| Tool | Allowed purpose | Scope | Step-up |
|---|---|---|---|
| Transaction lookup | service, dispute, fraud | account-bound, date-limited | high amount or old session |
| Dispute draft API | dispute support | selected transaction | no, draft only |
| Dispute submit API | dispute support | selected transaction and action hash | customer confirmation |
| CRM note draft | customer service, RM prep | assigned case/client | employee confirmation for write |
| Marketing recommender | marketing personalization | opted-in customers only | campaign approval |
| Open banking API | data rights sharing | third-party authorization scope | token renewal/withdrawal |
| Notification sender | service, dispute, marketing | channel preference and content policy | regulated messages |
Tool gateway checks:
- token audience targets this tool.
- purpose matches granted purpose.
- operation is within consent and role.
- account, customer, transaction or case is in scope.
- preference does not block channel/use.
- consent, token and approval are active.
- high-impact action has confirmation/approval.
- parameters are allowlisted, typed and rate-limited.
- evidence log captures decision and outcome.
9.3 Data and Memory Controls
| Data class | Default AI use | Required control |
|---|---|---|
| Public product info | RAG and explanation | source freshness and citation |
| Customer profile | Service and verified employee workflows | identity, purpose, role and minimization |
| Transaction data | Service, dispute, fraud | account scope, date range, consent where required |
| Credit data | Credit support only | model risk, fair lending, reason-code control |
| AML/KYC data | Restricted internal workflows | need-to-know, no customer-facing leakage |
| Marketing behavior | Personalization only if permitted | preference and suppression list |
| Open banking data | Customer-authorized sharing | token scope, third-party purpose and withdrawal |
| Employee data | Workforce AI only under policy | notice, role, monitoring minimization |
Memory rule:
No AI memory write unless purpose allows it, data class permits it,
user/employee controls support it, retention is defined,
and deletion/withdrawal propagation is implemented.
9.4 Logging Controls
| Log object | Recommended content |
|---|---|
| Operational metric | latency, cost, policy decision count |
| Policy decision log | purpose, scope, decision, reason, version |
| Evidence vault | encrypted payload only when required |
| Prompt manifest | template, retrieved IDs, masking, model endpoint |
| Consent event log | notice, status, scope, evidence ref |
| Security audit log | identity, token, tool, denial, anomaly |
| Vendor log | endpoint, retention class, no-training flag |
Do not default to storing full prompt, completion, tool response and raw identifiers in a general observability platform. Evidence should be deliberate, classified and access-controlled.
10. Withdrawal, Expiry and Re-Consent Lifecycle
10.1 Withdrawal Flow
User withdraws consent or changes preference
-> event written to consent/preference store
-> projection updates current state
-> policy cache invalidated
-> active sessions and tokens revoked or narrowed
-> RAG cache/index receives tombstone or suppression event
-> tools receive suppression/update event
-> marketing/recommender audiences refreshed
-> memory store deletes or disables entries as policy requires
-> evidence record created
-> customer/employee confirmation shown
10.2 Withdrawal Effects
| Effect | Meaning | Example |
|---|---|---|
| Stop future use | New AI calls denied | Marketing personalization opt-out |
| Invalidate token | Active API authorization stops | Open banking third-party access |
| Narrow scope | Keep one account, remove another | Selected card dispute access |
| Purge session cache | Remove temporary AI context | Chat session transaction cache |
| Tombstone index | Prevent retrieval of revoked material | Customer-uploaded document in RAG |
| Suppress audience | Remove from campaign/recommender | Product offer opt-out |
| Retain evidence | Keep proof of grant/withdrawal | Dispute record or audit log |
| Legal hold exception | Deletion delayed or blocked | Complaint, investigation, litigation |
10.3 Re-Consent Triggers
| Trigger | Example |
|---|---|
| New purpose | Service data now proposed for marketing |
| New data class | Assistant wants to use credit bureau data |
| New action | Draft-only tool becomes submit-capable |
| New vendor | External model or processor added |
| New model behavior | AI memory or personalization introduced |
| Longer retention | Prompt/evidence retained longer than shown |
| Cross-channel expansion | Mobile consent reused in contact center |
| Open banking scope change | More accounts or longer transaction history |
| Material terms change | Product terms or notice meaning changes |
Re-consent UX must explain the change, show old vs new scope, avoid forced bundling, preserve evidence, respect previous withdrawal and update runtime state immediately.
11. Dashboards and KRIs
11.1 Product Dashboard
| Metric | What it reveals |
|---|---|
| Consent grant rate by purpose | User trust and UX clarity |
| Withdrawal rate by purpose | Surprise, dissatisfaction or overreach |
| Re-consent completion rate | Change communication quality |
| Preference center usage | Whether controls are discoverable |
| Human handoff after consent denial | Impact on service completion |
| AI feature adoption by preference segment | Value without coercion |
11.2 Control Dashboard
| KRI | Signal |
|---|---|
| Denied AI data-use attempts | Product misconfiguration or abuse |
| Purpose mismatch rate | AI or workflow requesting wrong data |
| Expired consent usage attempts | Token/cache/index propagation gaps |
| Withdrawal propagation latency | Operational control health |
| Re-consent overdue capabilities | Change governance backlog |
| RAG chunks excluded by consent/preference | Enforcement working |
| Tool calls blocked by scope/object | Tool gateway effectiveness |
| Evidence completeness rate | Audit readiness |
| Vendor payload policy violations | Third-party risk |
| Suppression list lag | Marketing and personalization risk |
11.3 Board / Executive View
| Theme | Executive question |
|---|---|
| Customer trust | Are customers using controls and staying engaged? |
| Regulatory readiness | Can we prove purpose-specific enforcement? |
| Operational resilience | How fast do withdrawals propagate? |
| AI change control | How many capabilities require re-consent? |
| Vendor risk | Which vendors process consent-bound data? |
| Customer harm | Are complaints linked to AI data-use surprise? |
12. RACI
| Activity | PM | BA | Architect | Privacy | Legal | Security | Data Gov | Model Risk | Ops |
|---|---|---|---|---|---|---|---|---|---|
| Define purpose catalog | A | R | C | C | C | C | C | C | C |
| Write consent UX requirements | A | R | C | C | C | C | C | C | R |
| Approve legal basis | C | C | C | R | A | C | C | C | C |
| Design event schema | C | R | A | C | C | C | R | C | C |
| Build runtime policy | C | C | A | C | C | R | R | C | C |
| Configure RAG/tool controls | C | C | A | C | C | R | R | C | C |
| Define re-consent triggers | A | R | C | R | C | C | C | R | C |
| Monitor KRIs | A | R | C | C | C | R | R | R | R |
| Handle withdrawal incidents | C | C | R | A | C | R | R | C | R |
| Maintain evidence pack | C | R | C | R | C | C | C | C | A |
Legend: R = responsible, A = accountable, C = consulted.
13. Financial Retail Examples
| Case | Consent/preference design | Runtime controls |
|---|---|---|
| Customer service AI assistant | Purpose customer_service_account_help; notice and authenticated service context matter; preferences include AI assistance, language, channel and memory. | RAG retrieves current fee policy; tools read only relevant account/transaction fields; logs store manifests and source IDs, not full history. |
| Relationship manager copilot | Purpose rm_meeting_preparation; marketing preferences and advice boundaries shape recommendations; employee access is client-assignment bound. | RM retrieves only assigned client data; opt-out suppresses cross-sell; wealth/credit advice moves to regulated workflow; sensitive inferences are not persistent memory. |
| Marketing personalization | Purpose marketing_personalization; service interactions are not automatically reusable; vulnerable customer and complaint states can suppress campaigns. | Feature store filters opted-out customers; content generation uses segment-level context where possible; campaign launch checks suppression freshness and inclusion evidence. |
| Open banking / Personal Financial Data Rights | Purpose open_banking_data_sharing; authorization scope includes accounts, data types, duration and third party; internal AI secondary use cannot piggyback. | API gateway validates scope and expiry; AI can explain authorization but not expand it; withdrawal revokes token; evidence records grant, revocation and API decisions. |
Cross-case lesson: service, advice, marketing and data sharing may all involve the same customer record, but they are different purposes with different consent, preference, evidence and runtime controls.
14. Templates
14.1 Purpose Catalog Template
| Field | Example |
|---|---|
| Purpose ID | payment_dispute_support |
| Business name | Card dispute AI support |
| Customer value | Help customer prepare dispute accurately |
| User groups | Mobile customers, dispute operations |
| Allowed AI actions | retrieve transaction, summarize policy, draft dispute |
| Prohibited AI actions | auto-deny, unrelated profiling, marketing reuse |
| Data classes | transaction, account, contact, dispute evidence |
| Consent requirement | purpose-specific authorization for selected data |
| Preference controls | AI assistant off, channel preference, language |
| Legal basis reference | service/dispute policy register reference |
| Retention | session cache short TTL; dispute evidence per case policy |
| Re-consent triggers | new vendor, submit action, expanded lookback, new data class |
| Evidence | notice version, consent event, policy decisions, tool logs |
14.2 Runtime Policy Decision Table
| Condition | Decision | Reason |
|---|---|---|
| Purpose not approved | deny | Governance gap |
| Consent withdrawn | deny | Subject control |
| Scope exceeded | deny | Object/action boundary |
| Marketing opt-out active | deny | Preference enforcement |
| Same service purpose, minimal fields | allow | Purpose compatible |
| High-impact action | step_up | Confirmation needed |
| New vendor added | reconsent_required | Material change |
| Sensitive data class | minimize | Data protection |
| Complaint or legal hold | human_review | Regulated handling |
14.3 RAG and Tool Checklists
| Check | Evidence |
|---|---|
| Corpus has allowed purposes | Corpus manifest |
| Source ACL mirrors retrieval ACL | Positive/negative tests |
| Consent filter runs before prompt assembly | Retrieval trace |
| Withdrawal tombstone tested | Purge evidence |
| Tool has purpose allowlist | Tool policy |
| Token audience is tool-specific | Auth server logs |
| Object scope checked | Tool gateway decision |
| Step-up action hash recorded | Approval record |
| Vendor egress minimized | Vendor gateway log |
14.4 Withdrawal Runbook Card
| Step | Action |
|---|---|
| 1 | Write withdrawal/preference event with subject, purpose, scope and evidence |
| 2 | Update current-state projection and invalidate policy cache |
| 3 | Revoke or narrow active tokens and sessions |
| 4 | Notify RAG, tool, memory, campaign, vendor and logging services |
| 5 | Execute purge, tombstone or suppression actions according to policy |
| 6 | Verify propagation with synthetic calls and dashboard checks |
| 7 | Confirm to customer or employee with clear consequence |
| 8 | Preserve evidence and route exceptions to Privacy/Ops |
14.5 Evidence Query Examples
SELECT
pd.policy_decision_id,
pd.interaction_id,
pd.purpose_id,
pd.action,
ce.event_id AS consent_event_id,
ce.status,
ce.notice_version,
pd.decision,
pd.reason_code
FROM ai_policy_decision pd
LEFT JOIN consent_event_current ce
ON pd.subject_id = ce.subject_id
AND pd.purpose_id = ce.purpose_id
WHERE pd.interaction_id = :interaction_id;
15. 30-Day Lab
目标: 30 天内产出一个可展示的 consent / preference / purpose-bound AI data architecture portfolio pack。
| Days | Focus | Outputs |
|---|---|---|
| 1-7 | Choose one use case; define purpose, non-purpose boundary, data classes, legal basis, consent assumptions, preferences and surprise risks. | Use case brief, data-use map, purpose catalog v1, journey with consent moments. |
| 8-14 | Design consent/preference events, current-state projection, preference center controls, grant/withdrawal/re-consent copy and evidence fields. | Event schema, state model, UX copy pack, evidence inventory, grant/withdraw/expire examples. |
| 15-21 | Draw runtime architecture; define PDP inputs/outputs; design RAG, tool, memory and logging controls; write withdrawal runbook and policy pseudocode. | Architecture diagram, PDP spec, RAG/tool control specs, memory/log policy, runbook, code-lite experiment. |
| 22-30 | Build dashboards and RACI; complete customer service, RM copilot, marketing and open banking cases; prepare evidence query and interview pack. | Dashboard spec, operating model, four case studies, audit query, interview set, portfolio narrative. |
16. Interview Answers
Q1: 为什么 consent 不是 AI 的万能许可?
30 秒版本:
Consent 只能覆盖特定目的、范围、时间和告知内容。金融 AI 里, 客户同意客服读取交易, 不等于同意营销、训练、长期记忆或新供应商使用这些数据。真正的架构要把 consent 和 purpose 绑定到 RAG、tool、memory、log 和 vendor controls。
2 分钟版本:
我会先区分 consent、preference、legal basis 和 runtime authorization。Purpose catalog 记录每个 AI capability 的允许用途、数据类别、动作、scope、expiry 和 re-consent triggers。运行时由 policy engine 检查 consent state、preference state、data class、object scope、model/vendor 和 action。旧 consent 不会自动覆盖新功能, 撤销也能传播到 tokens、RAG、tools、memory 和 campaigns。
Q2: 如何设计 purpose catalog?
30 秒版本:
Purpose catalog 要把业务语言转成可执行策略。每个 purpose 记录业务价值、允许 AI actions、禁止用途、数据类别、法律基础、consent requirement、preference controls、expiry、withdrawal effect、re-consent triggers 和 evidence owner。
2 分钟版本:
我会从用户旅程和业务 outcome 出发。Customer service, payment dispute, RM prep, marketing personalization, open banking 都是不同 purpose。每个 purpose 定义 allowed actions、data classes、scope、channels、legal basis、consent requirement、preference controls 和 evidence owner。最后把 purpose ID 放进 policy engine、RAG metadata、tool policy、log schema 和 dashboard。
Q3: consent/preference event schema 必须有哪些字段?
30 秒版本:
至少包括 event type、subject、actor、channel、purpose、scope、status、notice version、legal basis reference、capability version、effective/expiry、withdrawal effect 和 evidence reference。
2 分钟版本:
我会采用 event-sourcing 思路, 因为 consent 是 grant、narrow、withdraw、expire、supersede、re-consent 的历史。Envelope 记录 subject、actor、channel、tenant、jurisdiction 和 correlation ID。Consent 字段记录 purpose、scope、data class、object scope、notice/capability version、model/vendor boundary、effective/expiry 和 withdrawal effect。Preference 字段记录 type、value、source 和 propagation targets。Evidence 字段记录 UI snapshot、text hash、auth context、API hash 和 policy decision ID。
Q4: 如何在 RAG 中执行 purpose limitation?
30 秒版本:
RAG 必须在 retrieval time 做 purpose、ACL、consent、preference、freshness 和 data-class filtering, 不能先检索再让模型自觉不说。每次检索要记录 corpus、filter policy、excluded reason 和 retrieved chunk IDs。
2 分钟版本:
我会给每个 corpus 建 manifest, 记录 source system、allowed purposes、data classes、consent dependency、access filters、retention 和 deletion propagation。检索时, retriever 用 identity、purpose、current consent/preference state、object scope 和 policy version 过滤候选 chunk。被排除的 chunk 记录 reason。撤销后触发 tombstone 或 targeted purge, 并用 negative tests 证明 withdrawn data 不会再被检索到。
Q5: 如何处理 withdrawal?
30 秒版本:
Withdrawal 不是只更新一个偏好字段。它要写事件、更新状态投影、失效 policy cache、撤销 token/session、通知 RAG/tool/memory/campaign/vendor, 并生成传播和验证证据。
2 分钟版本:
我会设计 withdrawal propagation runbook。写入 event 后更新 current-state projection, 让 policy engine 立即看到新状态。然后撤销或缩小 active tokens and sessions, 向 RAG、tool gateway、memory、campaign、vendor gateway 和 evidence services 发送 propagation task。最后执行 purge、tombstone、suppression 或 retain-evidence action, 并用 synthetic calls 和 dashboard 验证被撤销的 data use 已被拒绝。
Q6: 什么时候需要 re-consent?
30 秒版本:
当 purpose、data class、action、vendor、model behavior、retention、channel 或 open banking scope 发生 material change 时, 通常需要 re-consent 或至少 legal/privacy review。
2 分钟版本:
我会把 re-consent triggers 写入 purpose catalog 和 capability registry。典型触发包括: 从客服扩展到营销, 新增 credit bureau data, draft-only 变成 submit-capable, 引入外部模型, 启用 AI memory, 延长 retention, 跨渠道复用授权, 或开放银行 scope 扩大。产品上展示 old vs new scope, 解释变化和后果, 允许拒绝, 并把新 notice/capability version 写入 evidence。
Q7: 如何证明没有使用 opted-out data 做 personalization?
30 秒版本:
需要 suppression-aware feature pipeline、policy decision logs、campaign inclusion evidence、recommender input manifest 和 negative tests。不能只说“我们尊重 opt-out”。
2 分钟版本:
我会让 marketing preference event 传播到 campaign、feature store、recommender、AI content generator 和 analytics。每次 personalized offer 生成时记录 purpose、preference snapshot、feature set version、suppression list version、policy decision ID 和 inclusion reason。对 opted-out 客户做 negative test: 他们不应出现在 audience、feature retrieval、prompt context 或 vendor payload 中。
Q8: Open banking 授权数据能否用于内部 AI?
30 秒版本:
不能自动使用。开放银行授权通常是特定第三方、数据范围、期限和目的的授权。内部 AI secondary use 必须单独做 purpose compatibility、legal/privacy review、notice/consent 和 runtime enforcement。
2 分钟版本:
我会把 open banking authorization 当成独立 purpose: open_banking_data_sharing。它允许 API 在客户授权范围内向指定第三方共享数据, 不代表银行内部可以训练模型、营销或 enrichment。Token service 和 API gateway 按 account/data/time/third-party scope 执行; withdrawal 立即阻止未来访问。内部 AI 若解释授权状态或做安全监控, 必须使用自己的合法目的和最小化数据。
17. Production Readiness Checklist
- 每个 AI capability 有 approved purpose catalog entry。
- Consent、preference、legal basis 和 notice version 能被区分和查询。
- Consent/preference event schema 支持 grant、withdraw、expire、supersede、re-consent。
- Preference center 能修改 AI、marketing、channel、memory 和 data sharing choices。
- Runtime policy engine 在 RAG、tool、memory、log、vendor 前执行。
- RAG corpus manifest 包含 allowed purposes、consent dependency、ACL 和 deletion propagation。
- Tool gateway 强制 audience、purpose、scope、object、expiry 和 step-up。
- Memory write 使用 allowlist、TTL、user controls 和 deletion propagation。
- Logs 使用 manifest/hash/policy decision, 高风险 payload 进入受控 evidence vault。
- Withdrawal runbook 演练过 token、session、RAG、tool、memory、campaign、vendor propagation。
- Re-consent triggers 和 capability versioning 已接入 release gate。
- Dashboard 覆盖 grant、withdrawal、purpose mismatch、expired usage、propagation latency 和 evidence completeness。
- RACI 明确 PM、BA、Architect、Privacy、Legal、Security、Data Governance、Model Risk 和 Ops 责任。
- 四类案例至少完成一个端到端设计: customer service、RM copilot、marketing personalization、open banking。
18. Closing View
金融零售 AI 的 consent / preference / purpose-bound data architecture 成熟度, 决定了客户控制是否真实、产品承诺是否可信、监管证据是否可查、AI 变更是否可控。
真正的目标不是收集更多同意, 而是让每一次 AI 数据使用都能被设计、限制、执行、撤销、解释和证明。