AI Compliance for Regulated Sectors: Finance, Healthcare, Hiring
The most expensive misread I keep walking into with sector teams sounds like this: “AI is too new for our regulator to have a view.” It is not. If you work in finance, healthcare, or hiring, your regulator has almost certainly already published a view, usually built on a rulebook that predates the current AI wave by years or decades. The AI-specific law arrived recently. The obligations did not.
That confusion is where the trap lives. People hear “EU AI Act, 2024” and assume nothing existed before it. Meanwhile, a US bank deploying an AI underwriter is sitting inside a model-risk regime that turned fourteen years old last year. A hospital running an imaging classifier is squarely under medical-device law that has regulated software since the 1990s. An employer using an AI screener in New York City has been answering to a bias-audit ordinance since 2023. The existing rules apply to a faster, more opaque decision-maker; they do not pause politely until someone writes “AI” into the title.
Finance: SR 11-7 was already your AI rulebook
US bank supervisors did not wait for the AI wave to think about model governance. The Federal Reserve and OCC published SR 11-7 in 2011, and it has been the load-bearing wall under model risk management at every supervised bank since. Read it today and the prose is uncannily current. It asks for model inventories, conceptual soundness, ongoing monitoring, independent validation, and clear ownership. Swap “statistical model” for “machine learning system” and the requirements barely flinch.
What changed in 2023 to 2025 is that bank supervisors started saying out loud that SR 11-7 applies to AI. The OCC’s risk-management guidance on AI, the Fed’s speeches on generative AI in banking, and the FDIC’s supervisory letters all converge on the same point: if you are using a model to make or inform a credit, fraud, market, or operational decision, the existing model-risk framework covers it. The supervisor expects a model card, a validation report from a second-line team, a monitoring plan for drift, and a documented owner. The fact that the model is a transformer instead of a logistic regression does not buy you an exemption; it raises the bar on validation.
The practical move for a financial-services team is to walk the SR 11-7 checklist against your AI inventory before you write a single line of new policy. The gaps you find are the gaps the examiner will find. The bonus: a well-run model-risk program is what most of the EU AI Act’s high-risk requirements ask for anyway, in slightly different vocabulary. You are not building twice; you are extending one program.
Healthcare: FDA SaMD and HIPAA are the two pillars
Healthcare AI sits under two regimes at once, and confusing them is how teams ship and then panic. The first is the FDA’s Software as a Medical Device pathway. If your AI diagnoses, screens, triages, or informs treatment, it is probably a medical device, and the FDA wants to know before you sell it. The agency has been clearing AI-enabled devices for years; the public list runs into the high hundreds. The pathway depends on risk class, the clinical claim, and whether you are modifying a previously cleared device. The newer wrinkle, the predetermined change control plan, is the FDA acknowledging that ML models update and asking you to declare the boundary inside which updates do not require a new submission. That is a useful concession, not an escape hatch.
The second pillar is HIPAA. Training and inference on protected health information carry all the privacy duties HIPAA has always carried: minimum necessary, business-associate agreements with anyone touching the data including the model vendor, breach notification, the works. The cross-cutting question I keep asking healthcare teams: did your model vendor sign a BAA, and does the training-data lineage satisfy the Privacy Rule? If the answer to either is fuzzy, the privacy regulator can be at your door faster than the FDA.
The cross-sector lesson finance teams should steal here: FDA’s post-market surveillance model is rigorous, and bank supervisors are starting to borrow its logic for AI monitoring.
Hiring: NYC Local Law 144 and the EEOC are awake
Hiring AI is the regulated sector people forget is regulated. It always was; the AI part just made enforcement easier. The US Equal Employment Opportunity Commission has been clear since 2023 that Title VII applies to algorithmic hiring tools, and it published technical assistance explaining how the four-fifths rule and disparate-impact analysis carry over to AI screeners. The EEOC settled its first AI-discrimination case in 2023. The agency is awake.
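The four-fifths check the EEOC guidance carries over to AI screeners, as an added example that is not part of the article: it computes per-category selection rates and impact ratios (each category's rate divided by the highest category's rate) on a constructed set of screener outcomes, and flags any category whose ratio falls below 0.8. The category labels and outcomes are made up for illustration.

```python
from collections import Counter

# Constructed sample of screener outcomes: (applicant category, advanced to next stage).
# Labels A/B/C are placeholders, not real demographic categories.
DECISIONS = [
    ("A", True), ("A", True), ("A", True), ("A", False), ("A", True),    # 4 of 5 advanced
    ("B", True), ("B", False), ("B", False), ("B", True), ("B", False),  # 2 of 5 advanced
    ("C", True), ("C", True), ("C", True), ("C", True), ("C", True),     # 5 of 5 advanced
]

def selection_rates(decisions):
    """Fraction of applicants in each category the screener advanced."""
    total, selected = Counter(), Counter()
    for category, advanced in decisions:
        total[category] += 1
        if advanced:
            selected[category] += 1
    return {c: selected[c] / total[c] for c in total}

def impact_ratios(rates):
    """Each category's selection rate relative to the most-selected category.
    If no category selected anyone, the ratio is undefined and reported as NaN."""
    if not rates:
        return {}
    top = max(rates.values())
    if top == 0:
        return {c: float("nan") for c in rates}
    return {c: r / top for c, r in rates.items()}

def flag_adverse_impact(decisions, threshold=0.8):
    """Return {category: True} where the impact ratio is below the four-fifths threshold.
    A NaN ratio compares False, so an all-zero selection set flags nothing; check the
    rates separately in that case rather than reading it as a clean result."""
    ratios = impact_ratios(selection_rates(decisions))
    return {c: ratio < threshold for c, ratio in ratios.items()}

if __name__ == "__main__":
    for category, rate in selection_rates(DECISIONS).items():
        print(f"{category}: selection rate {rate:.2f}")
    print("adverse impact flags:", flag_adverse_impact(DECISIONS))
```

The rule is a screening heuristic, not a legal conclusion: small categories and borderline ratios still need a statistical test and a written rationale in the audit record.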
On top of federal law, jurisdictions are layering AI-specific hiring rules. NYC Local Law 144 requires an independent bias audit before an automated employment decision tool is used on candidates in New York City, plus candidate notice and posting of audit results. Illinois requires consent for AI video-interview analysis. Colorado’s AI Act layers another set of duties for high-risk employment AI. Maryland, California, and several others have rules in flight. If you hire across states or countries, you are not facing one rule; you are facing a patchwork that converges on the same principle: test for bias, disclose to candidates, keep records.
The deployer trap is sharp here. Most companies buy the screening tool; they do not build it. Under the EU AI Act, NYC Local Law 144, and Colorado’s framework, the deployer carries duties the vendor cannot discharge for them, especially candidate notice, the right to request human review, and (often) the bias audit itself. Your contract with the vendor is where this either works or unravels.
The cross-sector pattern
Step back from the three sectors and the same shape appears every time.
The existing sector rule plus the AI-specific guidance combine into one obligation. The two never replace each other. The supervisor expects you to read both and act on the union, not the intersection.
That pattern also tells you how to read your regulator’s recent guidance without drowning. Start with the AI-specific publications from the last twenty-four months: speeches, supervisory letters, technical-assistance documents, enforcement actions. Map each one back to the older rule it interprets. The new document is almost never a brand-new rule; it is an interpretation of an old one through the AI lens. Once you see the lineage, the obligations stop feeling like a moving target. They feel like a familiar rulebook with a new chapter.
The other reason to read this way: when a GDPR Article 22 issue, an SR 11-7 finding, and an EEOC technical-assistance note all point at the same workflow, you do not need three programs. You need one control with three citations. That is the operating shape.