Federal banking and health regulators have moved in parallel to update their AI governance frameworks, imposing new expectations around data auditability, model traceability, and provenance tracking across the banking and healthcare sectors, with several key compliance milestones landing in 2026.
Background
The regulatory push reflects years of concern that AI-generated decisions in high-stakes sectors lack sufficient documentary evidence. In banking, the OCC and Federal Reserve's original supervisory guidance on model risk management dated to 2011, well before machine learning and large language models entered mainstream use. In healthcare, the FDA and HHS have faced mounting pressure to clarify when AI tools constitute regulated medical devices and what evidence of data lineage regulators expect.
President Trump's December 2025 Executive Order signaled federal intent to consolidate AI oversight alongside comprehensive governance frameworks in Colorado and California, and evolving international requirements under the EU AI Act. Companies developing or deploying AI systems face a rapidly shifting compliance landscape. Federal agencies are directed to evaluate whether uniform federal standards should replace or supersede differing state requirements.
The result is a 2026 regulatory calendar where obligations arrive from multiple directions simultaneously, and enterprise IT and compliance teams must map requirements from federal supervisors, sector-specific agencies, and state legislatures at once.
Details
Banking: OCC, Federal Reserve, and FDIC Revise Model Risk Framework
On April 17, 2026, the OCC, Federal Reserve Board, and FDIC jointly issued revised supervisory guidance on model risk management, formally replacing the framework that had governed bank model risk practices since 2011. The revised guidance represents a shift toward a more flexible, principles-based approach to model risk management.
The updated guidance clarifies that model risk management practices should be risk-based, tailored, and commensurate with a banking organization's size, complexity, and extent of model use. The guidance is expected to be most relevant to banking organizations with over $30 billion in total assets, though it may also apply to smaller institutions with significant or complex model risk exposure.
Crucially, the guidance narrows the definition of what constitutes a "model" and expressly excludes generative and agentic AI from its scope. The OCC, Federal Reserve Board, and FDIC plan to issue a request for information addressing model risk management generally and considering, in particular, banks' use of AI, including generative AI, agentic AI, and AI-based models. Federal Reserve Vice Chair for Supervision Michelle Bowman, speaking at a symposium on April 27, 2026, stated that "the revised guidance now applies narrowly to traditional models and basic AI applications," and that going forward, "other risk-management and governance practices" are expected to support adoption of generative and agentic AI in ways that encourage ongoing innovation.
Healthcare: FDA and HHS Press for Auditability and Traceability
On the healthcare side, several common priorities are emerging across HHS: auditability, or the ability to understand and reconstruct how AI outputs are generated; traceability of data sources, training methods, and model versioning; and human oversight.
In 2026, the FDA will update its rules under the Quality Management System Regulation (QMSR), aligning U.S. oversight with international standards under ISO 13485:2016. The most significant change is a shift from one-time approval to a continuous, adaptive oversight model. By adopting AI internally while mandating provenance and traceability, the FDA has redefined compliance across drug and device development. Auditability has evolved from a quality metric to a fundamental requirement for every function handling regulatory data, making transparent data lineage and AI-ready documentation prerequisites for approval rather than competitive advantages.
HHS OCR published a proposed update to the HIPAA Security Rule in late 2024, aimed at strengthening cybersecurity protections for electronic protected health information (ePHI). Among other requirements, the proposal highlights technology asset inventories and network maps to track how protected health data moves through systems.
State-Level Pressure and Data Provenance
State mandates are compounding federal expectations. Provenance and disclosure requirements are converging across states, making content-origin tracking an operational necessity. Washington's HB 1170, Arizona's SB 1786, California's SB 1000, Illinois' Provenance Data Requirements Act (HB 4711), and New York's companion bills all target the same capability: attaching provenance metadata to AI-generated or AI-modified content. [1: "Federal Banking Agencies Issue Revised Guidance on Model Risk Management", Sullivan & Cromwell LLP] When this content crosses organizational boundaries, into healthcare records, legal filings, or regulatory submissions, provenance becomes a compliance essential that most organizations are not equipped to deliver. [2: "Speech by Vice Chair for Supervision Bowman on artificial intelligence in the financial system", Federal Reserve Board]
Colorado's AI Act, with enforcement beginning June 30, 2026, requires disclosure whenever AI is used in high-risk decisions, annual impact assessments, anti-bias controls, and record-keeping for at least three years. These state healthcare AI laws create compliance challenges for multi-state health systems and potential conflicts with federal policy frameworks.
Data Clean Rooms and Vendor Implications
Data clean rooms, secure environments where multiple parties can analyze and share data without exposing raw data to each other, enable collaborative analysis while ensuring privacy, regulatory compliance, and strict access controls. Organizations increasingly operate data clean rooms, federated data networks, and cross-industry intelligence workflows while maintaining full control, auditability, and regulatory compliance. Adoption of AI governance tooling is accelerating, with 54% of IT leaders citing AI governance as a top enterprise risk priority, up from 29% two years earlier.
AI vendors supplying regulated institutions face obligations of their own: certified EHR vendors must also disclose and mitigate risks associated with AI-based decision support systems. Responsibility may be distributed among model developers, data providers, systems integrators, health systems, and end users, yet existing governance structures rarely define how these relationships interact.
Outlook
The April 2026 guidance is not the last supervisory shift expected this cycle. Agentic AI principles, third-party model oversight, and climate risk modeling are all in motion. For enterprise IT teams, the near-term priority is establishing end-to-end data lineage infrastructure capable of satisfying both banking supervisors and health regulators, and flexible enough to absorb the forthcoming interagency request for information on generative and agentic AI. IT will increasingly serve as a strategic compliance ally: IT teams need a deeper understanding of compliance risks, and compliance functions need a stronger grasp of technology and AI.
