AI for Onboarding and Institutional Knowledge

§ 01 · The Pattern That Works

Three layers, one substrate.

Across the public examples reviewed, the winning architecture is not a single chatbot. It is a stack. Onboarding, learning, BD, marketing, and proposals all draw from the same foundation. Build the substrate right and each function gets its own interface on top.

Surface · what users touch
AI Interface Layer
Search, chat, expert-finding, proposal drafting, guided Q&A
Structure · who & what
Experience Layer
Resumes, project sheets, credentials, staffing history, case studies, lessons learned
Foundation · governed content
Knowledge Layer
Onboarding guides, standards, policies, training, expert interviews, internal Q&A

§ 02 · Who is Doing What

Six entry points, six different lessons.

Each case study below represents a distinct entry point. There is no single "right" first move. The question is which entry point matches the firm’s most valuable pain point and available content. Click any source to read the primary reference.

Shepley Bulfinch

Architecture · Boston

Built an "I’m New Here" onboarding ecosystem inside the firm intranet, with AI search that answers practical questions long after orientation (staffing, office-specific expertise).

Onboarding becomes an ongoing knowledge experience, not a one-time event.

Bora Architecture

70-person · Portland

Built "RoboCorey," a digital twin of their sustainability director, from his best practices, project reflections, and published book. Now queryable through their Synthesis intranet.

Expert knowledge captured once, accessible firmwide, while the expert focuses on harder work.

BWBR

Architecture · Healthcare

Landmark Learning, a decade-long program for emerging professionals, now paired with role-based upskilling guides, Communities of Practice content, and AI search on approved content.

AI accelerates judgment and technical fluency for early-career staff, not just search speed.

Skanska USA

Construction · Global

A suite of internal AI tools called "Expert Sidekicks," including a general-purpose Skanska Sidekick and a Safety Sidekick trained on their EHS Manual and OSHA standards.

Layered rollout: start general, then domain-specific. Leadership publicly says "walk before you run."

VHB

Engineering · AEC

Built a Microsoft Copilot Studio-based "Bentley Copilot" embedded in Teams, trained on Bentley documentation and forums, serving as a real-time tutor for engineers learning the software.

One team automated a design task estimated at thousands of hours into a single afternoon.

WSB

Engineering · Acquired Growth

After growing from 450 to 1,600+ employees through acquisitions, WSB centralized 900+ profiles of people and project data into Flowcase as a single searchable hub.

20% reduction in proposal prep. Tailoring 10 resumes now takes an hour. It used to take days.

McKinsey & Company

Consulting · Global

Lilli, an internal generative AI platform trained on roughly a century of proprietary documents. Used for knowledge search, proposal drafting, materials creation, and expert-finding.

72% of the firm active. 500,000+ prompts per month. Up to 30% time savings on synthesis tasks.

Super.com

Consumer Tech · US

Deployed Glean as a centralized knowledge hub across Google Drive, Slack, Confluence, and GitLab. Written culture backed by instant-answer search.

20-minute-per-day gain per employee. 1,500+ hours saved monthly. Onboarding 20% faster.

Confluent

Enterprise Software

Deployed Glean across 30+ internal data sources to surface documents, past deal cycles, help content, and messages for distributed teams.

70%+ employee adoption. 5 to 10 minutes saved per support ticket. Faster onboarding for new hires.

§ 03 · Security & Compliance

SOC 2 is not the blocker. Governance is the work.

For enterprise-tier platforms, SOC 2 Type II attestation is the rule, not the exception. Every major AI platform a US firm would reasonably consider is attested, with enterprise data excluded from model training by default.

The practical question is not whether AI can be used compliantly. It is whether a firm’s deployment sits inside its own governance layer: data classification, access controls, retention policies, audit trails, and human review.

Platform	SOC 2 Type II	Default Training	Context	Source
Claude (Enterprise)	✓ Yes	No	12-month report across all five Trust Service Criteria. ISO 27001 also.	Anthropic
ChatGPT Business / Enterprise / API	✓ Yes	No	Consumer ChatGPT (Free, Plus) is not covered. Tier matters. "Team" renamed "Business" Aug 2025.	OpenAI
Microsoft 365 Copilot	✓ Yes	No	Inherits M365 compliance stack. HIPAA/HITECH supported via BAA (no formal HIPAA cert exists).	Microsoft
Google Gemini (Workspace)	✓ Yes	No	SOC 1, 2, and 3 attested. Data stays in Workspace tenant.	Google
Glean (Enterprise Search)	✓ Yes	No	Trust Center lists SOC 2 Type 2 and ISO certs. Sits across multiple existing systems.	Glean
Flowcase (AEC Proposals)	✓ Yes	No	Purpose-built for resumes, CVs, case studies. ISO 27001 also. GDPR and EU AI Act alignment.	Flowcase
Knowledge Architecture (Synthesis)	✓ Yes	N/A	SOC 2 and GDPR compliant. Drata-powered Trust Center. Platform behind Shepley, Bora, BWBR.	KA

Relevant reference frames for a US-based AEC firm

US frameworks: NIST AI Risk Management Framework and its Generative AI Profile are the most widely expected. SOC 2 Type II and ISO 27001 for vendor evaluation. ISO/IEC 42001 (AI management systems) is emerging in enterprise vendor assessments.

US state activity: The Colorado AI Act is scheduled to take effect June 30, 2026 (after being delayed from February 1) and remains subject to amendment efforts. California’s automated decision-making rules were finalized in 2025. 20+ states now have general privacy laws in force.

EU AI Act: Has extraterritorial reach but applies to US firms only when providing AI systems to EU customers, placing AI outputs on the EU market, or having EU operations. For a Pennsylvania-based AEC firm using AI internally for staff, it is not directly applicable absent those conditions.

§ 04 · How to Evaluate This for Your Firm

Five questions worth asking before buying anything.

The tool market is loud. These questions narrow the decision to what actually matters for a disciplined rollout. Answer them before a vendor demo, not after.

What governed content do we have ready to feed an AI today?

Approved guides, standards, policies, expert captures. If the substrate is messy, the AI will surface mess.

What is the one highest-value pain point worth solving first?

Onboarding ramp, expert-finding, proposal retrieval, or client-specific knowledge recall. Pick one.

Which vendor tier meets our data governance bar?

Consumer tiers are not SOC 2 covered. Enterprise and business tiers change that, but tier and plan matter.

Who owns the governance layer internally?

IT security sets guardrails, HR owns onboarding content, marketing owns experience data. Clarity prevents stalls.

What does success look like at 90 days, 6 months, 12 months?

If you cannot name the measure, you cannot name the pilot. Agree on the success bar before anyone signs a contract.