U.S. Banking and Healthcare Regulators Advance Joint AI Data Provenance Standards

U.S. banking and healthcare regulators advance joint AI data provenance standards requiring verifiable lineage tracking, model governance, and vendor disclosures.

Federal regulators overseeing banking and healthcare are moving toward harmonized requirements for tracing the origin, transformation, and use of data in AI systems - a shift that would impose new audit and governance obligations on financial institutions and health systems simultaneously. The initiative draws on overlapping mandates from the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), the Federal Reserve, and the Department of Health and Human Services (HHS). It reflects a broader effort to address opaque AI decision-making in high-stakes operations including lending, claims processing, and patient triage.

Background

The push for cross-sector AI data provenance standards follows years of fragmented oversight. The OCC, Federal Reserve, and CFPB have consistently emphasized that explainability and transparency are compliance requirements - particularly when AI systems influence credit decisions or customer outcomes subject to fair lending laws. A Q1 2026 Wolters Kluwer Banking Compliance AI Trend Report found that explainability and transparency (28.4%) and bias and discrimination were the most acute regulatory concerns cited by financial institutions.

On the healthcare side, HHS released its formal AI strategy on December 4, 2025, and has since moved to embed governance requirements across its divisions. HHS requires every division to identify high-impact AI systems and implement minimum risk management practices - covering bias mitigation, outcome monitoring, security, and human oversight - by April 3, 2026. If an AI tool cannot meet the required safeguards by that deadline, it must be stopped or phased out until compliance is achieved.

In September 2025, the Joint Commission - the accrediting body for over 23,000 healthcare organizations - partnered with the Coalition for Health AI (CHAI), representing nearly 3,000 member organizations, to release the first comprehensive guidance for responsible AI adoption across U.S. health systems. By mid-2025, over 250 healthcare AI bills had been introduced across more than 34 states, with laws like Utah's AI Policy Act requiring disclosure of AI use.

Interagency coordination has also accelerated in financial services. A 2023 interagency memorandum of understanding on AI oversight was signed by the FTC, DOJ, EEOC, and CFPB, formalizing closer coordination among regulators.

Details

The proposed framework centers on four pillars: data sourcing disclosures, end-to-end lineage tracking, model governance controls, and interoperability mandates. For banks, the CFPB requires institutions to document how AI-generated adverse decisions are reached. Lenders must be able to explain adverse decisions and test models for potential discrimination under the Equal Credit Opportunity Act (ECOA). The OCC, Federal Reserve, and FDIC apply model risk management expectations to AI and machine learning, requiring banks that use AI for critical decisions to validate models and document controls.

Healthcare providers face parallel obligations. Governance frameworks must require comprehensive documentation of AI model development, including data lineage, feature selection, validation methods, and bias mitigation strategies. Healthcare organizations must independently validate vendor AI model performance on their own data, as vendor-reported results may not hold in specific clinical or operational contexts. Healthcare organizations are legally responsible for compliance failures by their AI vendors, with HIPAA violations potentially resulting in fines up to $1.5 million per category annually.

On data security, 47% of breaches in 2025 were linked to supply chain attacks and AI tools handling sensitive patient data. The proposed provenance standards aim to close this gap by requiring verifiable audit trails that link model outputs to source data at each stage of transformation - a requirement that applies equally to internally built systems and vendor-supplied AI agents.

For technology vendors, the emerging standards signal that embedded governance features - including lineage metadata, model cards, and reproducibility logs - will become procurement prerequisites rather than optional enhancements. Regulators advise that AI governance must be embedded in the operating model, not bolted on, with model risk management frameworks extended explicitly to AI and bias detection built into the model development lifecycle.

Outlook

Smaller financial institutions and community health systems face the steepest implementation costs. Banks that move fast without governance face significant regulatory and operational challenges. Regulators have flagged data infrastructure as a strategic priority: without clean, accessible data and data lineage frameworks, every AI initiative - from credit underwriting to fraud detection - is compromised at the foundation. The Joint Commission and CHAI plan to release additional detailed implementation playbooks, followed by a voluntary AI certification program in 2026. Federal agencies are expected to issue further supervisory guidance after the April 2026 risk management deadline, with enforcement likely tightening as interoperability and audit requirements phase in across both sectors.