U.S. and EU Regulators Converge on AI Data Provenance Rules for Banks and Hospitals

U.S. banking and healthcare regulators advance converging AI data provenance and model governance rules, reshaping compliance for enterprise software vendors.

U.S. banking and healthcare regulators advanced overlapping frameworks for AI model governance and data provenance in 2025 and 2026, creating a converging compliance landscape that enterprise software vendors and large organizations in both sectors must now navigate. The moves signal a shift from siloed, sector-specific AI oversight toward coordinated, cross-industry standards emphasizing end-to-end data lineage, auditability, and verifiable model governance.

Background

The regulatory push stems from a shared concern: AI systems deployed in high-stakes environments (credit underwriting, clinical decision support, fraud detection) have outpaced governance frameworks originally designed for traditional statistical models. Federal Reserve SR 11-7, initially focused on credit and market risk models, now applies with full force to AI and machine learning systems as banks deploy generative AI, fraud detection models, and algorithmic decisioning at scale. Similarly, healthcare AI data privacy requirements extend well beyond basic HIPAA compliance; organizations must ensure responsible management of patient data used in AI systems, with particular attention to data provenance, quality, and security.

The fragmentation problem is well-documented. At the federal level, the U.S. has adopted a pro-innovation posture that largely defers to agencies for specific enforcement guidance, while certain states have advanced AI regulations focused on consumer protection and workplace practices, creating a complex and at times contradictory enforcement environment. Internationally, the EU AI Act's compliance requirements for high-risk AI in regulated products have an extended transition deadline of August 2027, while most other obligations under the regulation take effect in August 2026.

Details

On the banking side, the OCC, Federal Reserve, and FDIC jointly issued revised interagency model risk management guidance on April 17, 2026, superseding the original 2011 framework. The revised guidance represents a shift toward a more flexible, principles-based approach to model risk management. Critically, the Fed, OCC, and FDIC amended the guidance to clarify that it does not apply to generative or agentic AI, but this carve-out is explicitly temporary. The three agencies plan to issue a request for information addressing model risk management broadly and considering, in particular, banks' use of AI, including generative AI, agentic AI, and AI-based models.

State-level regulators have moved in parallel. The New York Department of Financial Services' October 2025 industry letter, for example, requires supervised entities to manage cybersecurity and operational risks across the full lifecycle of third-party service providers, including vendors that use advanced technologies such as AI in ways that affect customers or core operations.

In healthcare, the Joint Commission and the Coalition for Health AI (CHAI) released the Guidance on Responsible Use of AI in Healthcare on September 17, 2025, the first output of a strategic partnership launched in June 2025. The guidance outlines principles for responsible AI use covering governance, privacy and transparency, data security, safety event reporting, and risk and bias assessment. Although voluntary, the recommendations align with themes in FDA guidance on AI-enabled medical devices and drug discovery. The Joint Commission accredits more than 22,000 healthcare organizations across the United States, giving the framework significant practical reach beyond formal regulation.

CHAI and The Joint Commission are developing governance playbooks informed by workshops designed to capture input from hospitals and health systems of varying sizes. These playbooks will provide more practical, implementation-focused direction. The Joint Commission intends to develop a voluntary AI certification program derived from the finalized playbooks.

For enterprise software vendors and their customers, practical obligations converge on data lineage and model auditability. Data lineage creates a technical roadmap showing data flows and transformations, while provenance builds the authenticity and historical context needed to meet regulatory requirements. Most AI failures originate not from the model itself but from the data feeding it. Regulators in both sectors are responding: the EU AI Act and U.S. model risk management guidance require documentation of decision processes, including for AI agents that plan multi-step action sequences across ERP, HCM, and data systems.

Organizations must establish policies for sourcing data legally, ensuring consent where applicable, and documenting data provenance.[1] Compliance solutions must detect changes and flag regulatory risks as they arise, requiring embedded compliance checks throughout the AI development pipeline, from data ingestion to model deployment and post-production monitoring.[2]

[1] Joint Commission Online, Sept. 24, 2025, The Joint Commission.
[2] How The Joint Commission & CHAI Are Quietly Building A Parallel FDA For Hospital AI & Why The Governance Infrastructure Layer Will Eat More Of The Health AI Market Than The Models Themselves.

Outlook

The pending RFI from the OCC, Federal Reserve, and FDIC on generative and agentic AI model risk will be the next inflection point for banking compliance teams and their enterprise technology vendors. In healthcare, governance playbooks and a voluntary AI certification program from The Joint Commission are expected later in 2026, with certification open to its full network of accredited organizations. In the U.S., the policy landscape remains volatile following the January 2025 revocation of Executive Order 14110, making the banking agencies' forthcoming RFI, and the enforcement posture that follows it, a critical variable for enterprises planning AI deployments across regulated functions.