US Banking and Healthcare Regulators Tighten AI Data Provenance Rules

US banking and healthcare regulators issue sweeping AI data provenance rules, mandating auditable data lineage and access controls across financial and health IT systems.

Federal regulators in the United States have issued coordinated guidance and proposed rules requiring banks and hospitals to establish auditable data lineage, documented provenance, and strict access controls for AI systems - a shift that forces both sectors to overhaul how they manage the data underpinning AI models.

Background

The regulatory push spans multiple agencies and reflects a broader recognition that AI governance cannot be separated from the quality and traceability of the data feeding these systems. Organizations must establish policies for sourcing data legally, documenting provenance, and maintaining logs of data access and transformations across AI workflows.[1]

[1] AI Data Governance 2025: Complete Framework for Compliance & Security

On the banking side, the regulatory architecture was reshaped by a landmark April 2026 action. On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly issued revised supervisory guidance on model risk management, replacing frameworks in place since 2011. The revised guidance shifts toward a more flexible, principles-based approach. While it explicitly excludes generative and agentic AI models on the basis that these technologies are "novel and rapidly evolving," it recommends that banking organizations apply their broader risk management and governance practices to those tools as well.

In healthcare, the HHS Office of the National Coordinator for Health Information Technology (ASTP/ONC) published the HTI-5 proposed rule on December 22, 2025, targeting a foundational reset of the federal Health IT Certification Program. The HTI-5 proposed rule includes deregulatory actions that streamline certification, revise definitions to prevent information blocking, and advance AI-enabled interoperability through modernized standards. It also promotes FHIR-based interoperability, strengthens information-blocking rules, and simplifies certification of AI models.

Details

Across both sectors, regulators are converging on the same core requirement: institutions must know where their AI training and inference data came from, how it was transformed, and who accessed it. Healthcare AI data privacy requirements now extend well beyond basic HIPAA compliance, demanding responsible management of patient data used in AI systems with particular attention to provenance, quality, and security. When protected health information is involved, healthcare entities must establish appropriate business associate agreements with AI vendors and implement robust data protection protocols - including encryption, strict access controls, regular security assessments, and incident response plans.

For financial institutions, the pressure is compounded by state-level action and new federal instruments. State regulators are amplifying governance expectations with AI-relevant requirements, as outlined in the New York Department of Financial Services' October 2025 industry letter, which directed supervised entities to manage cybersecurity and operational risks across the full lifecycle of third-party service providers that use AI. At the federal level, the US Treasury released its Financial Services AI Risk Management Framework in February 2026, translating NIST AI RMF principles into 230 control objectives specifically for financial institutions.

The DOJ's Data Security Program adds a cross-sector dimension to access control requirements. The program took effect in April 2025 - with enforcement beginning July 8, 2025 - and spans organization-, system-, and data-level protections including data minimization, masking, encryption, and privacy-enhancing techniques.

On the technical standards front, a March 2025 update to the NIST AI Risk Management Framework emphasizes model provenance, data integrity, and third-party model assessment, recognizing that most organizations rely on external or open-source AI components. Sector regulators including the CFPB, FDA, SEC, FTC, and EEOC increasingly reference NIST AI RMF principles in their expectations for safe AI deployment. These agencies cite framework principles when evaluating whether AI practices meet reasonable standards of care.

The compliance burden is significant. Gartner predicts that by 2026, 50% of large enterprises will have formal AI risk management programs, up from less than 10% in 2023. IDC forecasts the global AI governance software market will surpass $5 billion by 2027.

Outlook

The agencies have indicated they plan to issue a request for information on generative and agentic AI, meaning that institutions deploying the generative and agentic models currently excluded from the revised model risk guidance should expect sector-specific rules to follow. For healthcare organizations, the FDA's 2025 draft guidance for AI-enabled devices centers on documentation, transparency, bias prevention, and post-market monitoring, applying a "total product lifecycle" approach that acknowledges algorithms will evolve and require continuous oversight. Together, the regulatory trajectory across both sectors points toward mandatory, auditable data lineage as a baseline compliance requirement - not a best practice.