U.S. regulatory bodies are converging on unified frameworks for AI data provenance spanning financial services and healthcare, pressing institutions and their technology vendors to establish traceable, auditable chains of custody for data used in AI training and decision-making. On February 19, 2026, the U.S. Department of the Treasury released a Financial Services AI Risk Management Framework (FS AI RMF) and a companion AI Lexicon, developed in collaboration with more than 100 financial institutions and government agencies including NIST. Parallel action in healthcare has seen the FDA issue draft guidance for AI-enabled medical devices, while sector regulators including the CFPB, FTC, and EEOC increasingly cite NIST AI Risk Management Framework principles in oversight guidance.
Background
The regulatory push comes as AI deployments across banking and health systems have outpaced existing governance infrastructure. The Treasury's FS AI RMF was developed through public-private collaboration with the Financial Services Sector Coordinating Council (FSSCC) and the Cyber Risk Institute (CRI), and is the first of a planned six-resource series also covering identity, fraud, explainability, and data governance. In December 2025, NIST released a preliminary Cybersecurity Framework Profile for Artificial Intelligence, developed with input from over 6,500 individuals, mapping AI-specific risks to the widely adopted NIST CSF 2.0.
On the healthcare side, the FDA in 2025 issued draft guidance for AI-enabled devices classified as "Software as a Medical Device" (SaMD), focused on documentation, transparency, bias prevention, and post-market monitoring. Regulators in both sectors have identified data provenance (the traceable origin, transformation history, and lineage of data used to train and operate AI models) as a foundational requirement for explainability, risk oversight, and regulatory compliance.
Sector regulators including the CFPB, FDA, SEC, FTC, and EEOC are increasingly referencing NIST AI RMF principles in their enforcement guidance, even though the framework remains technically voluntary for most institutions.
Details
The FS AI RMF provides 230 control objectives mapped across the AI lifecycle, covering governance, data, model development, validation, monitoring, third-party risk, and consumer protection. The FS AI RMF devotes specific attention to third-party AI risk management, including due diligence that incorporates data provenance, secondary data use, and intellectual property considerations. Derek Theurer, performing the duties of Deputy Secretary of the Treasury, stated that the resources are designed to create "a common language for AI and a tailored framework for managing AI risks in financial services."
FINRA's 2026 Annual Regulatory Oversight Report introduced a new section devoted to generative AI, directing broker-dealers to assess whether cybersecurity programs "appropriately contemplate" risks from vendor use of generative AI and how "data provenance and processes identify how threat actors use AI or GenAI against the firm or its customers."
A Grant Thornton survey of banking leaders revealed significant readiness gaps: only 18% of banking leaders said they were fully confident in their ability to pass an independent review of their AI controls within 90 days, and 50% cited governance and compliance barriers as limiting AI performance.
In healthcare, data clean rooms are gaining traction as core infrastructure for privacy-preserving AI workloads, providing controlled environments for data exchange that allow institutions to monitor data usage and enforce compliance with regulatory requirements. The use of clean rooms is expanding beyond advertising into sectors such as healthcare and finance, where secure data collaboration and interoperability are subject to strict regulatory requirements. Achieving cross-sector interoperability, however, requires harmonized data schemas, robust identity and access controls, and consistent model risk management practices, challenges that vendors and institutions are still working to resolve.
The 2026 update to the NIST Privacy Framework emphasizes privacy-enhancing technologies (PETs) such as differential privacy, synthetic data, homomorphic encryption, and federated learning as operational controls for institutions managing sensitive AI training data.
Outlook
Treasury has indicated it will continue releasing the remaining four resources in the FS AI RMF series, covering governance and accountability, data integrity and security, fraud and digital identity, and operational resilience. Industry stakeholders expect formal rulemaking, cross-sector working groups, and pilot programs to follow in the months ahead, with certification programs and reference architectures likely to emerge as compliance expectations solidify. State regulators are expected to reference frameworks such as the FS AI RMF to define emerging best practices even where federal enforcement remains light, putting early-adopting institutions at a structural advantage in supervisory examinations.
