The regulated enterprise's guide to AI governance principles.
In regulated industries — healthcare, financial services, insurance, the public sector — AI adoption is no longer optional, but the rules for doing it safely are still being written. HIPAA was drafted before transformer architectures existed. GDPR's "automated decision-making" clauses predate generative models by years. The EU AI Act is in force but its technical standards are still maturing.
What's emerged from the gap is a working set of governance principles that hold up in front of regulators, internal audit committees, and the boardroom. This guide is the framework we apply when we help fintech and healthcare leaders take models from pilot into production without inheriting unmanageable risk.
Why governance is the bottleneck
In the engagements we've run over the past 18 months, the obstacle to scaling AI in regulated environments has not been model quality, infrastructure cost, or talent. It has been the absence of a defensible governance posture. Pilots clear the security team; production launches stall at compliance review. The fix isn't more committees — it's a shared set of principles every model lifecycle decision can be measured against.
Six principles that survive a regulator's review
01
Accountability with named owners
Every model in production has a single accountable owner, a documented business sponsor, and a defined escalation path. Diffuse ownership is the first failure mode regulators flag — and the easiest to fix with a RACI applied to each model lifecycle stage.
02
Data minimization and lawful basis
Under GDPR, you can only process the personal data you can justify. Under HIPAA, PHI cannot leave the boundary of a covered entity without a Business Associate Agreement. Treat training data, prompts, and embeddings as in-scope — vector databases are PHI stores in disguise.
03
Model risk management (SR 11-7 mindset)
Borrow the discipline regulated banks have used for two decades: independent validation, ongoing performance monitoring, and a model inventory that survives audit. Adapt the rigor to your risk tier — a chatbot recommending knowledge-base articles is not a credit-decisioning model.
04
Auditability by construction
Log the prompt, the model version, the retrieved context, the response, and the human action taken — for every inference that touches a regulated decision. Retain for the duration your regulator requires. If you cannot reconstruct a decision six months later, you cannot defend it.
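One way to make such a log defensible at reconstruction time, as an added example that is not from the original guide: each record must carry all five items named above, and records are chained by SHA-256 so a later edit is detectable. The hash chaining, the `decision_id` and `timestamp` fields, and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import json

# The five items the text says to log for every regulated inference.
REQUIRED = ("prompt", "model_version", "retrieved_context", "response", "human_action")
GENESIS = "0" * 64  # assumed anchor value for the first record's prev_hash

def _digest(body: dict) -> str:
    # Canonical JSON so the same record always produces the same hash.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append_record(log: list, decision_id: str, timestamp: str, **fields) -> dict:
    """Append one inference record; reject records that could not be reconstructed later."""
    missing = [k for k in REQUIRED if fields.get(k) in (None, "")]
    if missing:
        raise ValueError(f"incomplete audit record, missing: {missing}")
    body = {"decision_id": decision_id, "timestamp": timestamp,
            "prev_hash": log[-1]["hash"] if log else GENESIS,
            **{k: fields[k] for k in REQUIRED}}
    record = {**body, "hash": _digest(body)}
    log.append(record)
    return record

def verify_chain(log: list) -> int:
    """Return the index of the first altered or re-ordered record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def reconstruct(log: list, decision_id: str) -> dict:
    """Return what the model saw and what the human did, only if the log is intact."""
    if verify_chain(log) != -1:
        raise RuntimeError("audit log failed integrity check")
    for rec in log:
        if rec["decision_id"] == decision_id:
            return rec
    raise KeyError(decision_id)

def sample_log() -> list:
    """Two constructed records (no real data) for demonstration."""
    log = []
    append_record(log, "D-1", "2024-01-01T09:00:00Z", prompt="Summarise claim 1", model_version="m-1.0",
                  retrieved_context=["policy section 4"], response="Eligible", human_action="approved")
    append_record(log, "D-2", "2024-01-01T09:05:00Z", prompt="Summarise claim 2", model_version="m-1.0",
                  retrieved_context=[], response="Eligible", human_action="overridden")
    return log
```

In production the in-memory list would be an append-only store kept for the retention period your regulator requires.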
05
Human-in-the-loop where it matters
Not every workflow needs a human reviewer, but every high-risk one does. Codify which decision classes require human sign-off, measure the override rate, and treat a low override rate as a signal that the human checkpoint has become rubber-stamping.
06
Third-party and vendor governance
Your model provider's SOC 2 does not absolve you. Contract for data residency, training-data exclusion, model-change notification, and incident response SLAs. Many enterprise GenAI breaches in the past 24 months traced back to vendor terms nobody on the procurement side read.
HIPAA-specific considerations
Healthcare AI deployments require a sharper read of the Privacy and Security Rules. Treat the prompt window as a transmission channel: PHI placed there is disclosed, regardless of whether the model "remembers" it. Vector embeddings derived from PHI remain PHI under the Safe Harbor and Expert Determination standards. Every model vendor that touches PHI must be under a Business Associate Agreement — and many general-purpose foundation-model APIs will not sign one, which is itself a governance signal about whether they belong in your stack.
GDPR-specific considerations
For European deployments, three GDPR provisions deserve disproportionate attention. Article 22 governs solely-automated decisions with legal or similarly significant effects — most production AI workflows must be designed to fall outside it, or to provide the meaningful human review and contestability rights it requires. Article 35 requires a Data Protection Impact Assessment for high-risk processing, which generative and predictive AI on personal data almost always is. And the data subject's right to erasure has uncomfortable implications for training corpora; the practical answer is to keep personal data out of training sets entirely and document the boundary.
Building the operating model
Principles only matter when they're operationalized. The mechanics we recommend: a model inventory that names every model, owner, tier, and last validation date; a tiering rubric that scales scrutiny to risk; an intake process that catches shadow AI before it reaches production; and a quarterly review cadence chaired by a governance forum with representation from legal, security, data, and the business. Lightweight where the risk is low, rigorous where the risk is real.
Where to start
If your organization has more than a handful of AI initiatives running and no shared governance framework, start with the inventory. You cannot govern what you cannot count. From there, apply the tiering rubric to triage, and prioritize the highest-tier models for the controls above. Most enterprises we work with can reach a defensible posture inside a quarter — the work is structured, not exotic.