AI Keeps Making Up Policy Details: What Guardrails Actually Help?

I have spent a decade in Learning and Development, mostly in the trenches of compliance. I’ve survived audits, survived mergers, and—most recently—survived the chaotic reddit.com https://www.reddit.com/r/LearningDevelopment/comments/1u9m41z/has_anyone_changed_how_they_validate_aigenerated/ rollout of Generative AI in our content pipeline. If there is one thing I’ve learned, it’s that AI is a fantastic intern but a liability-prone subject matter expert (SME).

Early on, I started a "hallucination log." It sits on our team SharePoint. It tracks every time an LLM invented a deadline that didn't exist or quoted a policy document that was retired in 2021. Why? Because whenever an AI produces a hallucination, I ask my team one question: "What is the risk if this is wrong?" If the answer is "a user gets slightly confused," that’s a bug. If the answer is "we violate a federal labor law," that’s a catastrophe.

You cannot rely on the "black box" to keep your compliance training honest. You need guardrails. Here is how we build them.
1. The First Guardrail: Prompt Constraints are Not Suggestions
Most people prompt an AI like they are talking to a human: "Write a summary of our anti-harassment policy." That is a recipe for disaster. You are effectively asking the machine to gamble with your corporate reputation. To stop hallucinations, you must use restrictive, logic-based prompt engineering.

Stop asking the AI to "be creative." Start asking it to "process data."
Role-Locking: Explicitly define the persona. "You are a technical compliance editor. Your only job is to extract text from the provided source document." Strict Constraints: Add a "No-Invent" clause. "You are strictly forbidden from adding any information, deadlines, or definitions not explicitly present in the provided source text. If the answer is not in the source text, state 'Information not provided.'" Citation Requirement: Force the model to cite the exact section or page of the source document for every claim it makes. If it cannot link to a source, it shouldn't be in your draft. 2. Policy Source Linking: Building a Trail of Breadcrumbs
Compliance training is only as good as its audit trail. If you ship training without a named owner and a verifiable source link, you aren't training—you're gambling. AI guardrails are useless if you don’t have a "Single Source of Truth" (SSOT) architecture.

We mandate that every AI draft includes an automated footer. It looks something like this: "Generated from: [Link to internal policy doc]. Verified by: [AI Tool Name]. Reviewed by: [Human SME Name]."

When the AI pulls a policy detail, it must pull the actual text string. We then cross-reference that string against the SSOT. If the AI "summarizes" the policy, it has failed the compliance check. We require direct extraction for all safety and legal policies. Summarization is for internal newsletters; extraction is for compliance training.
3. Risk-Based Validation: Low vs. High Stakes
Not every piece of content requires the same level of scrutiny. We categorize our validation process based on the potential for catastrophic failure. This stops us from wasting time on "performative paperwork" while ensuring we don't miss the big stuff.
Content Category Risk Level Validation Strategy Tone/Voice/Structure Low AI-check + Peer review General Process Steps Medium SME spot-check against documentation Regulatory Requirements/Law High Line-by-line verification against Legal-approved source Safety/Crisis Response Critical Multi-person sign-off + Source-link mapping
If the training covers something like "how to request a desk chair" (low risk), we speed through the review. If it covers "reporting suspected fraud under the Dodd-Frank Act" (critical risk), we mandate a legal sign-off. Don't waste your General Counsel's time on formatting, but involve them immediately when the AI touches legal definitions.
4. SME Review Design: Killing the "Looks Good to Me" Trap
The greatest enemy of compliance is the SME who clicks "Looks good to me" because they are too busy to read a 40-slide deck. This is a failure of your review process, not the SME. If you send an SME a massive wall of text and ask them to "check it," they will skim it and approve it blindly.

Instead, design your review process as a data validation task:
Fragmented Reviews: Break the training into granular chunks. Ask the SME to review only the specific policy section relevant to their expertise. The "Fact-Check" Worksheet: Send the SME a table. Column A: "Training Claim." Column B: "Source Policy Excerpt." Ask them to verify that A matches B. The Forced Disagreement: Ask the SME to highlight any sentence that implies a legal requirement that isn't clearly stated in the source policy.
This approach moves the SME from passive approval to active verification. It makes it harder for them to rubber-stamp the document without looking at it.
5. Hallucination Detection: The "What If" Loop
I maintain the "hallucination log" for a reason. Once a month, the L&D team reviews this log. We look for patterns. Does the AI struggle with specific acronyms? Does it always hallucinate a 30-day window when the actual policy says 60?

Once we identify a pattern, we update our "System Prompt." If we know the AI consistently struggles with a specific policy, we add an explicit guardrail to the system instructions to address that specific quirk. We are constantly hardening our prompts based on previous errors. This is the difference between a team that "uses AI" and a team that "manages an AI workflow."
Conclusion: Accountability is Not Algorithmic
I see far too many L&D departments treat AI like a magic spell. They press "Generate" and hope for the best. That is irresponsible.

When you use AI, you are still the owner of the content. If the training is wrong, the audit finding is yours, not the software vendor's. We build these guardrails—the prompt constraints, the source-linking, the risk-based validation—not to stifle the speed of AI, but to protect the integrity of our instruction.

Don't trust the machine. Trust the process you wrap around it. If you can't verify the fact, don't ship the training. It’s that simple. And if you’re ever in doubt, just ask yourself: What is the risk if this is wrong? If the risk is high, keep your humans in the loop.