I keep hearing the same question from executives: "How do we use AI without ending up in front of a regulator?" It's the right question, but most organizations are answering it the wrong way. They're treating AI adoption in regulated industries as a compliance review checklist when what they actually need is a strategic framework that makes speed and safety compatible.
The problem isn't that regulations prohibit AI. The problem is that most organizations wait until they're already deploying AI to ask what the rules require. By then, they're making compliance decisions under pressure, with limited options, and they're often forced to choose between innovation and safety. That's not a choice you should have to make.
I've worked with healthcare organizations, defense contractors, and financial services firms navigating this exact tension. The ones who get it right don't move slowly. They move deliberately. There's a difference.
The Real Barrier Isn't Regulation—It's Readiness
When organizations tell me they can't adopt AI because of HIPAA, or CMMC, or their prudential regulator, I ask them to show me the specific prohibition. Nine times out of ten, they can't. What they're really saying is that they don't have the infrastructure to adopt AI in a way that satisfies their existing obligations.
That's a data governance problem, not a regulatory problem. If you can't tell me where your sensitive data lives, how it's classified, who has access to it, and how it moves through your systems, you're not ready to deploy AI in a regulated environment. Not because the law says you can't, but because you lack the baseline visibility required to manage risk.
The pattern I see repeatedly: organizations that struggle with AI adoption in regulated industries are the same ones who struggled with cloud adoption five years ago, with mobile device management before that, and with remote access before that. The common thread isn't the technology. It's the absence of foundational controls and governance structures that make any new capability manageable.
The Three Prerequisites
Before you talk about AI policy or risk frameworks, you need three things in place:
- Data inventory and classification. You must know what data you have, where it is, and what regulatory obligations attach to it. If you're a healthcare organization and you can't produce a current inventory of systems that process PHI, you're not ready for AI.
- Access controls that actually work. Role-based access, least privilege, logging, and monitoring. If your access control model is "everyone has access to everything until we have a reason to revoke it," AI will expose that weakness immediately.
- Vendor management processes. Most AI capabilities come through third-party tools. If you don't have a structured way to assess, onboard, and monitor vendors, you'll end up with shadow AI that nobody knows about until there's an incident.
These aren't AI-specific requirements. They're table stakes for any regulated organization. But AI makes their absence catastrophic.
Sector-Specific Realities: What Actually Applies
Regulatory frameworks don't address "AI" as a monolith. They address specific risks: unauthorized access, inappropriate disclosure, lack of accountability, automated decision-making without human oversight, bias and fairness, and data retention. Your sector determines which of those risks regulators care most about.
Healthcare and HIPAA
HIPAA doesn't mention AI. It doesn't need to. The Security Rule already requires you to implement technical safeguards to protect electronic PHI from unauthorized access and disclosure. The Privacy Rule already limits how you can use and share that data. If your AI tool processes PHI, those rules apply.
The specific questions healthcare organizations need to answer:
- Does the AI vendor need to sign a Business Associate Agreement? If the tool processes, stores, or transmits PHI on your behalf, yes. If you're not sure whether it does, the answer is still yes.
- Can you produce an audit trail showing who accessed what data, when, and for what purpose? If your AI tool doesn't log access and usage in a way that integrates with your existing HIPAA compliance program, you have a gap.
- Have you conducted a risk assessment specific to this AI deployment? Not a vendor questionnaire. A real assessment of how this tool could lead to unauthorized access or disclosure of PHI.
I worked with a health system that wanted to deploy an AI-powered clinical documentation tool. The vendor's sales team assured them it was "HIPAA compliant." When we looked at the contract, there was no BAA. When we asked about data retention, the vendor couldn't tell us where the data was stored or how long it was kept. When we asked about access logging, they said it was "available on request."
That's not HIPAA compliance. That's marketing.
The health system didn't abandon the project. They required the vendor to sign a BAA, provide specific contractual commitments about data handling, and integrate access logs into the health system's SIEM. It took three months longer than the original timeline. But when OCR comes asking questions—and they will—that organization will have answers.
Defense Contractors and CMMC
If you're a defense contractor handling Controlled Unclassified Information (CUI), your AI adoption decisions are constrained by NIST 800-171 and CMMC. The question isn't whether you can use AI. The question is whether your AI deployment creates new CUI flows that aren't protected by your existing security controls.
The specific issues that trip up defense contractors:
- CUI in training data. If you're using AI to analyze contracts, proposals, or technical documents, there's a strong chance that data includes CUI. Is it being processed in a CMMC-compliant environment? Is the AI vendor's infrastructure FedRAMP authorized or otherwise approved for CUI?
- Model outputs that contain CUI. Even if your training data is sanitized, AI-generated outputs can inadvertently reconstruct or infer CUI. How are you preventing that data from leaving controlled environments?
- Third-party AI tools and FCI/CUI boundaries. Many contractors use commercial AI tools for business functions—HR, finance, proposal writing. If those tools touch systems or datasets that also handle CUI, you've just expanded your CMMC boundary. Have you accounted for that in your System Security Plan?
The defense contractors who navigate this well treat AI vendors the same way they treat any other subcontractor: with a clear scope, defined data handling requirements, and contractual flow-down of DFARS and NIST 800-171 obligations. The ones who struggle treat AI tools as "just software" and wake up six months later realizing they've created a compliance gap they can't close without ripping the tool out.
Financial Services and Prudential Regulators
Banks, credit unions, and other financial institutions face a different set of constraints. Prudential regulators—OCC, FDIC, NCUA, the Fed—care about operational risk, third-party risk management, and model risk management. If your AI tool makes or influences decisions about credit, fraud detection, or risk assessment, you're operating in an environment with decades of regulatory precedent about models and accountability.
The specific concerns regulators raise:
- Model validation and explainability. If your AI model makes credit decisions, can you explain how it reached that conclusion? Can you validate that it's not introducing bias? Regulators expect the same rigor for AI models that they've historically required for traditional credit scoring models.
- Third-party risk management. Financial services regulators have detailed expectations about how you assess, monitor, and manage third-party vendors. AI vendors aren't exempt. You need to evaluate their financial stability, security controls, business continuity plans, and compliance posture just like any other critical vendor.
- Consumer protection and fairness. If your AI tool affects consumer outcomes, regulators will scrutinize it for fairness and disparate impact. That's not a theoretical concern. Enforcement actions are already happening.
Financial institutions that get this right build AI adoption into their existing model risk management frameworks. They don't treat AI as a separate category. They treat it as a new type of model that requires the same governance, validation, and oversight as any other decision-making tool.
Need a Framework for AI Adoption in Your Regulated Environment?
Carl speaks to healthcare, defense, and financial services organizations about building AI governance frameworks that satisfy regulators without stalling innovation. His keynotes are built on real implementation experience, not vendor talking points.
Book Carl to Speak
Building a Framework That Works: Strategy Over Prohibition
Most AI policies I see are lists of things employees can't do. Don't upload customer data. Don't use unapproved tools. Don't share proprietary information. That's not a strategy. That's risk avoidance masquerading as governance.
A real framework does three things: it defines what "approved use" looks like, it creates a process for evaluating new AI tools and use cases, and it establishes accountability for decisions. Here's how that breaks down in practice.
Define Approved Use Cases and Risk Tiers
Not all AI use carries the same risk. Using AI to summarize internal meeting notes is not the same as using AI to draft patient care plans or make credit decisions. Your framework should distinguish between risk tiers and apply proportional controls.
In my experience, a three-tier model works well:
- Low-risk use: AI tools that don't process regulated data, don't make decisions that affect individuals, and don't create compliance obligations. Example: using AI to generate internal training materials. These use cases can operate with lightweight approval—manager sign-off and a simple checklist.
- Medium-risk use: AI tools that process regulated data but don't make autonomous decisions, or tools that influence decisions but are subject to human review. Example: AI-assisted contract review where a human makes the final call. These require vendor assessment, a business owner, IT review, and compliance sign-off.
- High-risk use: AI tools that make or heavily influence decisions affecting individuals, that process sensitive regulated data at scale, or that create new regulatory obligations. Example: AI-powered clinical decision support, fraud detection models, or automated underwriting. These require full risk assessment, model validation, executive approval, and ongoing monitoring.
The point isn't to create bureaucracy. The point is to make risk-based decisions transparent and repeatable. When someone in your organization wants to adopt a new AI tool, they should know immediately which tier it falls into and what the approval process looks like.
Create a Cross-Functional Review Process
AI adoption decisions shouldn't live in IT alone. They require input from legal, compliance, risk management, the business unit that will use the tool, and IT security. The organizations that move fastest are the ones who assemble this group once and give them a clear mandate: evaluate AI proposals against defined criteria and make go/no-go decisions within a set timeframe.
The criteria should be specific:
- Does this tool process regulated data? What kind?
- What's the vendor's security posture? Have they completed a security assessment?
- What data residency and sovereignty requirements apply?
- Can we meet our contractual and regulatory obligations if this vendor has an outage or goes out of business?
- What's the data retention and deletion process?
- How do we monitor and audit use of this tool once it's deployed?
These aren't hypothetical questions. They're the questions auditors and regulators will ask after an incident. Answering them before deployment is the difference between controlled adoption and crisis management.
Establish Clear Accountability
Every AI deployment needs an owner. Not an IT owner. A business owner who is accountable for how the tool is used, who has access, and whether it's delivering value without creating unacceptable risk. That person should be identified during the approval process and should be responsible for periodic review.
In practice, this looks like a quarterly or semi-annual check-in: Is the tool still being used as intended? Have there been any incidents or near-misses? Has the vendor's risk profile changed? Are we still meeting our compliance obligations?
This isn't heavy process. It's basic operational hygiene. But most organizations skip it because nobody's job description says "AI tool owner." Make it someone's job.
The Vendor Conversation You're Probably Not Having
AI vendors are very good at selling capability. They're less good at transparency. When you ask a vendor whether their tool is HIPAA-compliant or meets NIST 800-171, the answer is almost always yes. When you ask for evidence, things get interesting.
The questions I ask every AI vendor, regardless of sector:
- Where is data processed and stored? Not "in the cloud." Specific regions, specific infrastructure. If you're subject to data residency requirements, this isn't optional.
- How is data used to train or improve models? Some vendors use customer data to improve their models. That may be fine for low-risk use cases. It's unacceptable if the data includes PHI, CUI, or personal financial information. Get it in writing.
- What's your data retention and deletion policy? When you delete data from the application interface, is it actually deleted from their infrastructure? How long does that take? Can you verify it?
- What certifications and attestations do you have? SOC 2 Type II is a start. FedRAMP, HITRUST, ISO 27001, and specific regulatory frameworks matter depending on your sector. Ask for the reports, not just the logos.
- What happens if you have a security incident? What's the notification timeline? What information will you provide? Will you support our regulatory reporting obligations?
If a vendor can't or won't answer these questions, that's a signal. You're not being difficult. You're doing due diligence.
One healthcare organization I worked with was evaluating an AI scribe tool. The vendor's contract included a clause saying they could use de-identified data for research and product improvement. When we asked how they de-identified the data, they said it was "automated." When we asked what de-identification standard they used, they said it met "industry best practices." When we asked for a technical specification, they stopped responding.
That organization walked away. Not because the tool wasn't useful, but because the vendor couldn't demonstrate that they understood the regulatory obligations involved. Six months later, that same vendor had a data breach. The healthcare organization had made the right call.
When "Compliant AI" Is Really Just Theatre
There's a growing market for AI tools marketed specifically to regulated industries: "HIPAA-compliant AI," "secure AI for defense contractors," "regulatory-ready AI." Some of these tools are legitimate. Many are not.
The warning signs I look for:
- Compliance as a checkbox. If the vendor's security documentation is a one-page PDF that lists frameworks without evidence, be skeptical. Real compliance requires detailed technical and administrative controls, third-party validation, and ongoing monitoring. A logo on a website isn't compliance.
- Vague data handling practices. If you can't get a straight answer about where data is stored, how it's encrypted, and who has access to it, the vendor either doesn't know or doesn't want to tell you. Neither is acceptable.
- Contracts that disclaim liability. If the vendor's contract says they're not responsible for your regulatory compliance, believe them. You own the compliance risk. Make sure you're actually getting the controls and commitments you need to manage it.
I'm not anti-vendor. I'm anti-vendor-theatre. The AI vendors who earn trust in regulated industries are the ones who understand that compliance is an ongoing operational commitment, not a marketing claim. They provide detailed documentation, they're transparent about limitations, and they're willing to put commitments in writing.
Looking for Practical Guidance on AI Governance?
Carl delivers keynotes on AI risk, governance, and regulatory strategy for organizations that need frameworks, not fear. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventWhat Regulators Are Actually Watching
Regulators aren't waiting for comprehensive AI legislation to start scrutinizing how organizations use these tools. They're applying existing frameworks and making clear that "we didn't know AI was covered" isn't a defense.
OCR has already issued guidance making clear that HIPAA applies to AI tools that process PHI. The FTC has brought enforcement actions against companies whose AI systems caused consumer harm or violated fairness standards. The EU AI Act is creating compliance obligations for U.S. companies operating in Europe, and states are beginning to pass their own AI-related requirements.
What regulators are looking for isn't perfect AI. They're looking for evidence that you took reasonable steps to understand and manage risk. That means:
- Documentation. Risk assessments, vendor evaluations, approval records, incident response plans. If you can't show that you made deliberate, informed decisions, regulators assume you didn't.
- Accountability. Someone in your organization needs to be responsible for AI governance. Not a working group. Not a committee. A person with authority and resources.
- Proportionality. Your controls should match the risk. High-risk AI use cases should have robust safeguards. Low-risk use cases can operate with lighter-touch oversight. What doesn't work is treating everything the same or ignoring risk entirely.
The organizations that will face enforcement actions aren't the ones using AI. They're the ones using AI carelessly, without governance, without accountability, and without documentation. Don't be that organization.
Moving Forward: What This Looks Like in Practice
AI adoption in regulated industries doesn't require a two-year planning process. It requires a framework, a decision-making process, and a commitment to doing it right. Here's what that looks like for most organizations:
Start with inventory. You can't govern what you don't know about. Identify where AI is already being used in your organization—sanctioned and unsanctioned. Most organizations are surprised by what they find. That inventory becomes the foundation for your risk assessment and policy development.
Define your risk appetite and approval process. Decide what AI use cases are acceptable, which require review, and which are prohibited. Document the approval criteria and the people responsible for making decisions. Make the process transparent so employees know how to get AI tools approved instead of working around the rules.
Build vendor evaluation into procurement. AI vendors should go through the same due diligence process as any other critical vendor. Security assessment, contract review, compliance validation. If your procurement team doesn't know how to evaluate AI vendors, train them or bring in expertise.
Establish monitoring and review cadences. AI tools and use cases aren't static. The vendor's risk profile changes. Your regulatory obligations evolve. New use cases emerge. Set up a process to review AI deployments on a regular basis and adjust controls as needed.
Prepare for incidents. At some point, something will go wrong. An employee will use an unapproved tool. A vendor will have a breach. A model will produce an output that creates a compliance issue. Your incident response plan should account for AI-related scenarios and specify who's responsible for containment, investigation, and regulatory notification.
These steps aren't revolutionary. They're the same risk management practices that regulated organizations have been using for decades, applied to a new category of technology. The organizations that treat AI as fundamentally different from every other operational risk are the ones who get stuck. The ones who treat it as a manageable risk within existing frameworks are the ones who move forward.
The Strategic Advantage of Getting This Right
Organizations that build real AI governance frameworks don't just reduce compliance risk. They create a competitive advantage. When your competitors are paralyzed by uncertainty or forced to pull back AI deployments after an incident, you're operating with confidence because you've done the work up front.
Customers and partners notice. In healthcare, patients are asking which organizations are using AI and how they're protecting privacy. In defense contracting, primes are asking subs about their AI security posture. In financial services, regulators are making AI risk management part of their examination process. The organizations that can demonstrate mature AI governance aren't just checking a box—they're signaling operational competence.
The executive conversation should shift from "Can we use AI?" to "How do we use AI in a way that strengthens trust and manages risk?" That's a conversation worth having. And it's one that requires leadership, not just technical implementation. If your AI strategy is being driven entirely by IT or a single business unit, you're missing the bigger picture. This is a business strategy question that happens to involve technology and regulation.
The organizations that will lead in AI adoption in regulated industries aren't the ones with the most resources or the most sophisticated technology. They're the ones with the clearest frameworks, the most disciplined processes, and the strongest alignment between business objectives and risk management. Build that foundation, and speed becomes possible. Skip it, and you'll spend the next three years reacting to problems you could have prevented.