Federal and state regulators are converging on data provenance and lineage requirements that would govern how AI systems in banking and healthcare document, trace, and audit the data they consume. Compliance officers say the shift will reshape vendor contracts and governance architectures across both sectors. The push is unfolding amid a fragmented patchwork of state laws and federal agency initiatives that, taken together, are raising the baseline for AI auditability well above existing HIPAA and model risk management guidance.
Background
No comprehensive federal legislation in the US specifically regulates AI development or deployment. In its absence, US AI regulation has consisted primarily of a patchwork of state frameworks, while sector regulators have proceeded on separate tracks. Additional federal guidance and new sector-specific rules covering employment, financial services, and healthcare are expected.
That fragmentation is increasingly untenable for large institutions operating across both sectors. Financial services firms must demonstrate not just who accessed data, but what transformations occurred, why decisions used specific data fields, and how controls were applied - particularly under BCBS 239 guidance and evolving supervisory expectations. Healthcare AI data privacy requirements extend far beyond basic HIPAA compliance; organizations must ensure responsible management of patient data used in AI systems, with particular attention to data provenance, quality, and security.[1]

[1] Regulatory Data Lineage Tracking for Audit Success in 2025
The governance gap is measurable. 62% of organizations identify a lack of data governance as the main challenge inhibiting their AI initiatives. According to the Wiz 2025 State of AI in the Cloud report, 85% of organizations are using some form of AI, yet governance and compliance have struggled to keep pace with the technology's rapid evolution.
Details
At the federal level, overlapping executive and agency actions have set the trajectory. The Trump Administration released a "National Policy Framework for Artificial Intelligence" on March 20, 2026, asking Congress to establish a single federal approach for regulating AI use. Under the White House AI Action Plan released on July 23, 2025, NIST was named in a large number of recommended policy actions and has since launched its AI Standards "Zero Drafts" Pilot Project to accelerate standards development. Initial focus areas for the Zero Drafts pilot include AI dataset and model documentation, testing and evaluation methodologies, and foundational concepts related to transparency and validation.
In healthcare, the FDA, CMS, CDC, and NIST are advancing policy under the current HHS administration. HHS's ASTP/ONC released a proposed rule - HTI-5 - that represents one of the most consequential shifts in federal health IT policy in years, framing deregulation as a path toward interoperable, AI-enabled health data exchange. Critically, the proposal removes certification requirements for clinical decision support algorithms, including the Biden-era requirement that developers produce "model cards" disclosing data sources and other attributes.
State legislatures have moved faster. In 2025, more than 250 AI-related healthcare bills were introduced in state legislatures, with consistent focus on patient disclosure, bias and discrimination safeguards, clinician accountability, and restrictions on AI use by health insurers in coverage determinations. California's AB 2013, which took effect on January 1, 2026, requires developers of generative AI systems to post documentation on their websites regarding the data used to train their systems. For financial institutions, AI-driven risk assessments, fraud detection, and credit scoring models must comply with Basel III, the Fair Lending Act, and SEC AI risk guidelines.
The SEC's 2026 examination priorities have elevated cybersecurity and AI above cryptocurrency as the dominant risk topics in financial services oversight. The shift is notable: cryptocurrency had been the industry's dominant risk focus for the past five years.
On the vendor side, data clean rooms are emerging as critical compliance infrastructure. Multiple entities can collaborate on research or technology initiatives without compromising governance controls; the model preserves each party's data ownership and operates in accordance with applicable privacy, security, and data protection requirements, according to Lee Kim, HIMSS senior principal for cybersecurity and privacy. Leading companies including Mastercard, Intuit, and AppsFlyer have begun using data clean rooms within financial services and healthcare, with one demonstration showing two banks collaborating on fraud detection by securely sharing transaction pattern data without exposing raw records. The global data clean room market was valued at $3.2 billion in 2025 and is projected to expand to $18.6 billion by 2034.
Healthcare sector guidance from the Health Sector Coordinating Council (HSCC) calls on organizations to identify, track, and monitor third-party AI tools and supply chains and to standardize procurement and vendor vetting, including model contract and business associate agreement clauses covering data use, PHI handling, and breach reporting.
Outlook
For financial institutions operating across multiple states, a uniform federal standard could reduce the complexity of complying with a patchwork of state AI laws. However, near-term uncertainty is likely as the Department of Commerce completes its evaluation and the DOJ initiates litigation against "onerous" state mandates. Initial speculation that the December 2025 executive order could slow state activity proved unfounded: 43 states introduced over 240 bills in the first months of 2026, nearly as many as in all of 2025. Enterprise technology and data governance vendors positioning clean rooms and lineage platforms as compliance infrastructure can expect procurement scrutiny to intensify as both HHS and banking regulators signal further sector-specific rulemaking through the remainder of 2026.
