U.S. and European financial and health regulators published joint data provenance standards Friday, requiring banks and hospitals to document the full lineage of data used in AI-driven decisions. The move marks a coordinated cross-border step toward enforceable AI accountability in two of the world's most regulated sectors.
The standards were developed by a cross-border task force comprising the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and their EU supervisory counterparts. They cover AI models deployed across financial institutions and healthcare providers, regardless of whether those systems run on-premise or in the cloud.
Background
The move reflects intensifying pressure on regulated industries to align AI governance with existing data protection and model risk frameworks. The Federal Reserve and OCC have maintained joint model risk management guidance since 2011, under supervisory framework SR 11-7, which defines documentation and independent validation requirements that have since been replicated by banking regulators worldwide.
On the European side, the regulatory landscape has grown more prescriptive. The EU AI Act entered into force in August 2024 and began applying obligations in stages, with rules for general-purpose AI models taking effect in August 2025. The European Health Data Space (EHDS) regulation was published in March 2025 and is now in force, with key application milestones extending toward 2029. Industry analysts have flagged the convergence of these frameworks as a catalyst for cross-jurisdictional compliance demands, particularly for vendors and institutions operating in both markets.
Traditional data governance frameworks were designed for reporting compliance, not to support autonomous decision engines operating at scale. Digital provenance, the continuous traceability of origin, transformation, and usage across data flows, is becoming indispensable as AI enters risk-sensitive operations.
Details
The published standards set out four core obligations for covered institutions. Organizations must maintain immutable data lineage records that can be queried in near real time, implement versioning of datasets and training corpora, disclose data quality metrics and bias mitigation steps, and produce auditable governance logs recording who accessed which data and when, with heightened requirements for sensitive health and financial information.
The standards explicitly bring no-code AI workflow builders and automated decision systems within scope, requiring the same documentation rigor applied to traditional software pipelines. This provision has direct implications for enterprise workflow platforms increasingly used in loan underwriting, claims adjudication, patient triage, and clinical decision support.
For hospitals deploying generative AI in care delivery, the requirements align with an emerging trend: mandating prompt-level safeguards and auditable data lineage for every model interaction and output. Tracing an AI output back to its original training data is notoriously difficult, particularly in systems that use multi-model dependency chains where the output of one model becomes the input for another, a configuration that obscures which dataset influenced a biased or incorrect prediction.
Implementation is structured in phases, with initial compliance checkpoints within 12 months and full enforcement over 24 to 36 months, depending on sector and risk profile. Vendors of no-code AI agents and enterprise workflow platforms have already begun updating product roadmaps to incorporate provenance dashboards, policy enforcement hooks, and interoperability interfaces feeding provenance data to regulatory audit portals, according to industry watchers.
Regulators expect organizations to establish policies for documenting data provenance, verifying the accuracy, completeness, and diversity of AI training data to prevent biased outcomes, and maintaining logs of data access and transformations in AI workflows.
Critics have raised concerns about the cost and complexity of retrofitting legacy systems to meet the new requirements, as well as the potential for uneven adoption across vendors and geographies. Data lineage is a critical enabler of compliance under existing banking frameworks, yet implementing meaningful lineage remains a challenge across legacy systems, siloed architectures, and diverse risk environments.
Outlook
The standards are expected to serve as a de facto cross-border baseline for AI usage in regulated sectors, effectively extending compliance obligations to third-party vendors and technology partners serving banks and hospitals. For banks deploying AI in risk-sensitive domains such as credit underwriting, fraud detection, or compliance monitoring, this level of data transparency is becoming a regulatory mandate that internal model risk committees will also require. Institutions face a near-term choice between accelerating compliance investment and pursuing phased, risk-based approaches as AI adoption scales across core operations.
