U.S. federal regulators and standards bodies are coalescing around mandatory data provenance and data lineage requirements for enterprise AI workflows, with financial services institutions facing the most immediate compliance pressure. The wave of guidance, proposed rules, and executive directives issued between late 2024 and early 2026 signals a shift from voluntary best practices to enforceable accountability-reshaping how organizations must document, trace, and govern the data powering their AI systems.
Background
The regulatory drive toward AI data provenance has been building across multiple federal agencies. In 2024 alone, U.S. federal agencies introduced 59 AI-related regulations, more than double the prior year, while legislative mentions of AI rose across 75 countries. Meanwhile, 78% of organizations reported using AI, up sharply from 55% in 2023, according to research cited by AI governance firm Credo AI-a gap between adoption velocity and governance maturity that regulators have moved to close.
Financial services has long operated under data governance expectations that anticipate current AI requirements. The Federal Reserve and OCC's Supervisory Guidance on Model Risk Management (SR 11-7), first issued in April 2011 and later adopted by the FDIC in 2017, established foundational standards for model documentation, independent validation, and ongoing monitoring that regulators now apply directly to AI systems. Under BCBS 239-the Basel Committee's principles for risk data aggregation-financial institutions must demonstrate clear lineage, timely reconciliation, and comprehensive governance evidence across their data pipelines.
Against this backdrop, the current administration has moved to consolidate AI oversight at the federal level. On January 20, 2025, President Trump revoked Biden's Executive Order 14110 on AI safety, and on December 11, 2025, signed a new executive order titled "Ensuring a National Policy Framework for Artificial Intelligence", directing agencies to pursue a minimally burdensome national policy framework and challenging state-level AI rules deemed inconsistent with federal policy.
Details
Despite the administration's deregulatory posture, sector-specific agencies and standards bodies have continued advancing concrete provenance and lineage requirements. On December 16, 2025, NIST released its preliminary Cyber AI Profile (NIST IR 8596), a framework that harmonizes more than 2,500 regulatory expectations from the Federal Reserve, OCC, and FDIC into a unified set of diagnostic statements. The profile explicitly requires that "the provenance and integrity of training and input data should be verified as rigorously as with software and hardware," and extends supply chain risk management obligations to model and data supply chains.
NIST accepted public comments on the preliminary draft until January 30, 2026, with a full initial public draft expected later in the year. The profile was issued alongside NIST's development of SP 800-53 Control Overlays for AI Systems, which address model integrity, data provenance, adversarial robustness, and transparency within existing federal security control catalogs.
On the financial services side, FINRA's 2025 Annual Regulatory Oversight Report, published in January 2025, highlighted several AI-related regulatory risks across financial crimes prevention, fraud and ransomware attacks, and the use of AI provided by third-party vendors. The SEC has directed registrants to document AI-related governance and controls, conduct periodic monitoring and testing, and provide transparent disclosures on AI's impact on financial performance, according to Alvarez & Marsal's Q4 2025 regulatory update. In August 2025, the SEC launched an AI Task Force and created a Chief AI Officer role to advance internal AI use and strengthen oversight of AI-related disclosures.
At the operational level, regulators expect financial institutions to demonstrate that data governance controls operated continuously and effectively throughout AI development and deployment-requiring audit trails that capture every decision, every access, and every transformation with sufficient detail to reconstruct compliance during examinations, according to analysis by Kiteworks. Regulators are increasingly asking not just whether a model works correctly, but whether the organization had lawful authority to use the underlying training data.
Compliance pressure is also intensifying vendor and procurement dynamics across the enterprise software ecosystem. Buyers increasingly demand AI-specific vendor terms covering training-data provenance, intellectual property rights, indemnities, bias testing, and audit rights, according to governance advisory firm Promise Legal. A 2025 survey by EY found that 72% of organizations have already integrated AI into their initiatives, yet half are now making significant investments in governance frameworks to mitigate AI risks-a governance gap that vendors of data catalog, lineage, and observability platforms are actively working to address.
Outlook
State-level enforcement will add further compliance layers in 2026. Colorado's AI Act, delayed to June 30, 2026, requires deployers of high-risk AI systems to conduct risk management assessments, impact evaluations, and consumer disclosures, with penalties up to $20,000 per violation. Internationally, EU AI Act obligations for high-risk AI systems are scheduled to take effect in August 2026-with extraterritorial provisions applying to U.S. firms that develop, deploy, or distribute AI systems within the EU. Enterprise legal and compliance teams face a compound challenge: building provenance infrastructure that satisfies prudential banking examiners, federal AI frameworks, and overlapping state and international rules simultaneously-with no single unified standard yet in force.
