US Regulators Advance Converging AI Data Governance Standards Across Banking and Healthcare

US regulators issue overlapping AI data governance frameworks for banking and healthcare in 2026, centering on data lineage, model risk, and vendor accountability.

Federal regulators and industry bodies have issued a wave of AI data governance frameworks in early 2026, placing data lineage, model auditability, and vendor accountability at the center of compliance obligations for financial institutions and healthcare providers, though no single unified cross-sector rulebook has yet been finalized.

Background

In the United States, no national AI law exists, but agencies have stepped in to address AI risks in domains such as finance, healthcare, and child safety. That sectoral momentum accelerated sharply in Q1 2026 with two significant regulatory actions.

On the banking side, on April 17, 2026, the Federal Reserve, FDIC, and OCC rescinded SR 11-7, OCC 2011-12, FIL-22-2017, and related BSA/AML issuances, replacing them with an explicitly risk-based, principles-driven framework for model risk management. The new guidance, designated SR 26-2, sets the baseline for how banking organizations identify, validate, monitor, and govern quantitative models.

In parallel, the Financial Services AI Risk Management Framework (FS AI RMF), released on March 1, 2026, by the U.S. Treasury and Cyber Risk Institute, translates the NIST AI RMF's four functions into 230 operational control objectives specific to financial services. Developed in coordination with more than 100 financial institutions, the Financial Services Sector Coordinating Council (FSSCC), and the Cyber Risk Institute (CRI), the framework spans governance, data, model development, validation, monitoring, third-party risk, and consumer protection.

On the healthcare side, on September 17, 2025, the Joint Commission and the Coalition for Health AI (CHAI) released the first installment of their joint work, Guidance on Responsible Use of AI in Healthcare, intended to help U.S. health systems safely and effectively implement AI at scale. This collaboration between the accrediting body for over 23,000 healthcare organizations and a coalition representing nearly 3,000 member organizations signals a fundamental shift in how healthcare AI compliance will be evaluated.

Details

Data lineage and provenance obligations are central to both the banking and healthcare frameworks. Under SR 26-2, AI models must track the provenance of training, validation, and test datasets, documenting sampling strategies, synthetic data augmentation, and enrichment steps. Data lineage, the ability to trace any model input back to its source, is a regulatory expectation that becomes technically challenging at the scale AI models operate.

The scope of SR 26-2 carries notable caveats. The revised guidance explicitly excludes generative and agentic AI models, on the basis that these technologies are "novel and rapidly evolving." The agencies have signaled plans to issue a request for information on model risk management, including banks' use of AI, generative AI, and agentic AI. SR 26-2 is explicitly targeted at banking organizations with more than $30 billion in total assets regulated by the Federal Reserve, the OCC, or the FDIC.

The compliance readiness gap is significant. Only 26.4% of financial institutions express confidence in their AI compliance readiness, according to a Wolters Kluwer Q1 2026 survey. AI and machine learning models now account for roughly half of the average large bank's model inventory, with AI/ML models approximately doubling model risk management complexity.

The FS AI RMF addresses governance gaps for AI systems that SR 26-2 does not cover. The framework operationalizes the NIST AI Risk Management Framework, a voluntary framework released in January 2023, into actionable guidance specific to banks and other financial services firms. Although these resources are non-binding, the FS AI RMF is explicitly positioned to integrate with legal and compliance processes. Financial services organizations should treat it as likely to influence supervisory expectations, internal audit baselines, and third-party management norms.

For healthcare providers, data obligations extend well beyond baseline HIPAA compliance. Organizations must ensure responsible management of patient data used in AI systems, with particular attention to data provenance, quality, and security. The Joint Commission and CHAI recommend that organizations enter into data use agreements that outline permitted uses, minimize data exports, prohibit re-identification, require third parties to comply with the organization's security and privacy policies, and provide audit rights.

Vendor accountability emerges as a shared pressure point across sectors. AI-tool providers supporting healthcare organizations play an essential role in operationalizing these principles. Providers should anticipate customer inquiries regarding validation data, bias testing, and post-deployment monitoring, and may benefit from proactively documenting their internal governance, data management, and model-update practices.

Outlook

Additional guidance documents are expected through 2026, with CHAI and the Joint Commission developing governance playbooks informed by workshops capturing input from hospitals and health systems of varying sizes, locations, and capabilities. Following those playbooks, the Joint Commission plans to develop a voluntary AI certification program open to its more than 22,000 accredited and certified healthcare organizations nationwide.

For financial institutions, the agencies have signaled a forthcoming request for information on model risk management covering banks' use of AI, generative AI, and agentic AI; institutions building GenAI governance now should expect the regulatory posture to evolve. The remaining four resources in the Treasury's FS AI RMF series will cover governance and accountability, data integrity and security, fraud and digital identity, and operational resilience.