U.S. and EU regulators have issued overlapping frameworks requiring financial institutions and healthcare providers to implement auditable AI data provenance - the continuous traceability of data origin, transformation, and use throughout AI workflows - placing both sectors under coordinated compliance pressure for the first time.
The U.S. Department of the Treasury released its Financial Services AI Risk Management Framework (FS AI RMF) in February 2026, establishing 230 discrete control objectives for financial institutions, covering lineage tracking, feature store governance, training data documentation, de-identification, and cross-border data handling. Simultaneously, the Centers for Medicare & Medicaid Services (CMS) introduced AI Playbook v4, mandating prompt-level safeguards and auditable data lineage for every model interaction and output used in Medicare-funded workflows, with payment denials as the enforcement mechanism.
Background
The parallel pressure on both sectors stems from converging regulatory timelines on either side of the Atlantic. The EU AI Act entered into force in 2024 and imposes documentation, data governance, and oversight requirements on high-risk AI systems - including new duties for providers of general-purpose models beginning in 2025.[1] Article 50 of the Act, effective August 2, 2026, requires deployers to disclose when content has been artificially generated or manipulated, using both visible markings and machine-readable metadata.
The European Parliament has stressed that the financial services sector is already subject to multiple pieces of sectoral legislation requiring actors to manage risks across data protection, data lineage, data quality, data governance, operational resilience, model risk, and discriminatory outcomes - collectively forming the framework for AI deployment and governance in the sector.
In the U.S., the legal landscape remains fragmented and sector-specific, with federal policy leaning toward enabling innovation through flexible, non-binding guidance. Without a unified federal AI law, governance has been largely reactive - particularly at the state level, where over 500 AI bills were proposed in Q1 2025 alone.
Details
For banks, the provenance challenge is structural. Provenance entails continuous traceability of origin, transformation, and usage across data flows - connecting source systems, enrichment pipelines, feature engineering, and model outputs into an auditable chain. For institutions deploying AI in risk-sensitive domains such as credit underwriting, fraud detection, or compliance monitoring, this transparency is becoming essential. Financial institutions are contending with accumulated governance debt: information sprawl, identity fragmentation, opaque model lifecycles, and infrastructure never designed for AI velocity. Legacy technology stacks, siloed data governance, and inconsistent identity resolution must now support AI-driven decisioning in highly regulated environments.
Hospitals face an analogous challenge around clinical AI. CMS's AI Playbook v4 introduces two mandates that may prove burdensome for many facilities: prompt-level safeguards for any generative AI used in care delivery, and auditable data lineage for every prompt, model interaction, and output. Where an AI model in a Medicare-funded workflow - such as billing, coding, or clinical documentation - lacks mandated safeguards, CMS can deny or recoup associated payments.
Several U.S. states have also enacted AI disclosure, impact assessment, and opt-out requirements for high-risk healthcare AI applications. Meeting these requirements depends on infrastructure most compliance teams have not previously maintained: version history for every AI model affecting patient care, demographic performance records at the subgroup level, and lineage connecting AI outputs to the data that produced them.
Research published in February 2026 in Frontiers in Artificial Intelligence outlined a conceptual framework for auditable clinical decision support. The framework integrates a curated medical knowledge base with explicit provenance metadata, a retrieval-augmented reasoning engine linking recommendations to identifiable clinical guidelines, and a tamper-evident audit logging mechanism recording system inputs and outputs.
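A tamper-evident audit log of the kind described above can be built as a hash chain, in which each record of a model interaction commits to the record before it. The sketch below is an added example, not code from the cited research or from any regulator; the field names, model version strings and guideline identifiers are hypothetical, and the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used by the first entry


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_entry(log, model_version, sources, prompt, output):
    """Append one model interaction, chained to the previous entry's hash."""
    body = {
        "seq": len(log),
        "prev": log[-1]["hash"] if log else GENESIS,
        "model_version": model_version,
        "sources": sorted(sources),  # lineage: documents the output relied on
        # Assumption: only digests are logged, so sensitive text stays out of the log.
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
    }
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry


def verify_log(log, expected_head=None):
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(body):
            return i
        prev = entry["hash"]
    # Truncation or a full rewrite only shows up against a head hash kept elsewhere.
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def build_sample_log():
    # Constructed sample interactions; identifiers are placeholders.
    log = []
    append_entry(log, "cds-model-1.0", ["guideline-A"], "sample prompt 1", "sample output 1")
    append_entry(log, "cds-model-1.0", ["guideline-B", "guideline-A"], "sample prompt 2", "sample output 2")
    append_entry(log, "cds-model-1.1", ["guideline-C"], "sample prompt 3", "sample output 3")
    return log
```

The chain alone detects edits to individual records; detecting deletion of the newest records requires the latest hash to be stored or signed outside the system that writes the log.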
Vendors including Atlan, Collibra, and Informatica are addressing the tooling gap, though integration challenges remain significant. Connecting legacy EHR systems in healthcare and mapping across multiple data systems in financial services present substantial engineering obstacles. The Treasury Department's FS AI RMF translates NIST principles into 230 control objectives tailored for financial institutions. The IAPP AI Governance Profession Report 2025 found that 77% of organizations are building or refining AI governance programs, but only 36% have adopted a formal framework such as the NIST AI RMF.
Across sectors, a significant gap persists between AI adoption and compliance preparedness, with many organizations unaware that the AI Act applies to them as deployers.
Outlook
Credibility will favor platforms that make provenance and governance visible. Health systems and life sciences organizations that can demonstrate data lineage, audit models, and monitor real-world performance will complete the transition from pilot to production. In 2026, boards are increasingly expected to attest to AI risk posture - a shift that places data provenance infrastructure squarely on the enterprise governance agenda, beyond the remit of AI policy teams alone. With the EU AI Act's high-risk obligations entering phased enforcement and the U.S. Treasury's sector-specific controls now published, institutions that have not yet inventoried their AI systems and data pipelines face tightening timelines on both sides of the Atlantic.



