Blog

Agent Governance in Regulated Industries: Financial Services, Healthcare, and Legal

Agent governance for regulated industries requires controls that generic AI frameworks miss. Learn how financial services, healthcare, and legal teams map SR 11-7, HIPAA, and bar-association rules to production agent governance.

15 min read

Agent governance for regulated industries is not a variation on standard enterprise AI governance — it is a fundamentally different problem. Generic model-risk frameworks assume a human reviews every consequential output before it reaches a customer, a patient, or a court filing. Autonomous agents do not work that way. They plan, call tools, write to systems of record, and complete multi-step tasks without a human in the loop at each step. When those tasks touch a brokerage account, a clinical decision, or a privileged communication, the regulatory exposure compounds fast. This post maps the specific obligations in financial services, healthcare, and legal to the governance controls that actually satisfy them — and closes with a sequenced agent governance roadmap that Dir/VP AI Risk leaders can adapt regardless of which regulated vertical they operate in. For a broader treatment of how enterprise teams structure these programs end to end, see AI Agent Governance: The Complete Guide for Enterprise Teams.

Further reading: For the foundational framework that underpins everything below, start with AI Agent Governance and Oversight: The Complete Guide.


Why Regulated Industries Face a Distinct Agent Governance Problem

Most enterprise AI governance programs were designed for predictive models: a model scores something, a human decides, the model is retrained on a schedule. The governance artifacts — model cards, validation reports, champion/challenger logs — reflect that architecture. Autonomous agents break every assumption in that design. A production agent governance program must account for:

  • Dynamic tool use. An agent does not just return a prediction; it calls APIs, queries databases, and writes outputs. Each tool call is a potential compliance event.
  • Non-deterministic execution paths. The same prompt can produce different action sequences across runs, making pre-deployment validation insufficient on its own.
  • Compounding actions. A single agent session may touch dozens of systems. An error in step three can propagate through steps four through twelve before any human sees a result.
  • Delegated authority. Agents often act under a user’s credentials or a service account with broad permissions. The question of who is legally responsible for an agent’s action is unresolved in most jurisdictions — and regulators are starting to ask it.

Generic enterprise AI governance frameworks treat these as edge cases. For regulated industries, they are the core use case. Financial services firms, healthcare organizations, and legal practices each face a distinct set of statutory and regulatory obligations that require purpose-built agent governance policy — not a model-risk checklist with "agent" substituted for "model." For a detailed mapping of which regulatory frameworks apply to which agent capabilities, see AI Agent Compliance: Regulatory Requirements and Framework Mapping.


Agent Governance Requirements in Financial Services

Financial services is the regulated vertical with the most mature model-risk infrastructure — which is both an asset and a liability when governing agents. Teams know how to validate models. They are less practiced at governing systems that take actions.

SR 11-7 and Model Risk Management

The Federal Reserve’s SR 11-7 guidance defines a model as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and tools to process input data into quantitative estimates." Most legal interpretations now extend this definition to cover LLM-based agents operating in financial workflows — particularly those making credit, fraud, or trading-adjacent decisions. SR 11-7 requires three things that are especially challenging for agents: independent validation, ongoing monitoring, and documentation of conceptual soundness. For agents, "conceptual soundness" must address not just the underlying model but the agent’s planning logic, tool-selection behavior, and error-handling paths. Firms that have attempted to satisfy SR 11-7 with standard LLM evaluation benchmarks have found those benchmarks inadequate — they measure output quality, not action reliability. Practical controls for SR 11-7 compliance in agent deployments include:

  • Action-level audit logs that capture every tool call, the inputs passed, and the outputs received — not just the final agent response.
  • Scope constraints that limit which tools an agent can invoke based on the sensitivity of the underlying data or transaction type.
  • Challenger agent testing that runs alternative agent configurations against the same task sequences to surface behavioral variance before production.

MiFID II and Algorithmic Trading Constraints

Under MiFID II, firms deploying algorithmic systems in trading workflows must maintain pre-trade and post-trade controls, demonstrate that systems behave within defined parameters, and provide regulators with detailed records on demand. An agent that can place, modify, or cancel orders — or that influences a human trader’s decisions through autonomous research and summarization — likely falls within scope. The governance implication: agent governance financial services teams must treat any agent with market-facing tool access as a regulated algorithmic system, not a productivity tool. That means kill-switch capability, real-time behavioral monitoring, and parameter-breach alerting are not optional.

AML Audit Trails

Anti-money laundering programs require firms to document the rationale behind suspicious activity reports and transaction monitoring decisions. When an agent assists in that process — flagging transactions, drafting SARs, or triaging alerts — the audit trail must capture the agent’s reasoning, not just its conclusion. Firms that log only the final output cannot demonstrate to examiners that the agent’s analysis was sound. Agent governance policy in financial services should specify that reasoning traces are retained alongside action logs for any agent operating in a compliance workflow, with retention periods aligned to BSA/AML record-keeping requirements (typically five years).


Agent Governance Requirements in Healthcare and Life Sciences

Healthcare presents a different governance challenge: the primary risk is not financial loss but patient harm, and the regulatory framework reflects that priority.

HIPAA and PHI Handling

The HIPAA Privacy and Security Rules apply to any system that creates, receives, maintains, or transmits protected health information. An agent that queries an EHR, drafts a clinical note, or retrieves lab results is a covered function — and the business associate agreement (BAA) obligations extend to every tool the agent calls. Agent governance healthcare programs must map the agent’s tool graph to the data flows it creates. Every API call that touches PHI is a potential HIPAA event. Controls required:

  • Minimum necessary access. Agents should be provisioned with the narrowest data access that allows task completion. An agent summarizing discharge notes does not need access to billing records.
  • De-identification before logging. Audit logs that capture agent inputs and outputs must not retain PHI in plain text. Logging pipelines need de-identification or tokenization steps.
  • BAA coverage for all tool endpoints. If an agent calls a third-party API — a coding service, a prior authorization platform, a scheduling system — that vendor must be under a BAA.

FDA Software as a Medical Device (SaMD) Guidance

The FDA’s SaMD framework applies to software that is "intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device." An agent that supports clinical decision-making — recommending diagnoses, suggesting treatment protocols, or flagging drug interactions — may qualify as SaMD, triggering pre-market review requirements and post-market surveillance obligations. The FDA’s 2021 AI/ML-Based SaMD Action Plan introduced the concept of a Predetermined Change Control Plan (PCCP), which requires manufacturers to describe in advance the types of changes an AI system may undergo and the validation steps that will accompany each change. For agents, this is particularly demanding: because agents can exhibit behavioral drift without explicit retraining — through changes in the underlying model, tool availability, or prompt context — the PCCP must address drift detection and response, not just version-controlled updates.

Clinical Decision Support Constraints

Not all clinical-facing agents qualify as SaMD. The 21st Century Cures Act created a carve-out for clinical decision support (CDS) software that meets four criteria: it displays the basis for its recommendations, allows clinicians to independently review that basis, is not intended to replace clinical judgment, and is not intended for use in acquiring, processing, or analyzing medical images or signals. Agent governance policy for healthcare organizations should explicitly classify each agent deployment against these criteria. Agents that fail the CDS carve-out — because they obscure their reasoning or are designed to operate without clinician review — require a higher tier of governance controls and likely FDA engagement.


Agent Governance Requirements in Legal Services

Legal services is the regulated vertical where agent governance has received the least systematic attention — and where the consequences of getting it wrong are most immediate for individual practitioners.

Attorney-Client Privilege and Confidentiality

The attorney-client privilege protects confidential communications between attorneys and clients made for the purpose of obtaining legal advice. When an agent processes client communications — drafting correspondence, summarizing deposition transcripts, researching case strategy — those communications are potentially privileged. The governance question is whether routing privileged material through an agent’s tool calls, API endpoints, or third-party model providers constitutes a disclosure that could waive privilege. Most bar associations have not issued definitive guidance on this question, but the majority view among legal ethics scholars is that privilege is not waived by using technology to process communications, provided the attorney takes reasonable precautions to maintain confidentiality. "Reasonable precautions" in the context of production agent governance means: understanding where data goes when an agent calls a tool, ensuring that third-party providers do not train on client data, and documenting those assurances.

Bar Association AI Guidance

Several state bars have issued formal guidance on attorney use of AI. The Florida Bar’s 2024 guidance requires attorneys using AI tools to understand the technology’s limitations, supervise AI-generated work product, and disclose AI use to clients when it is material. The California State Bar’s 2024 interim guidance similarly emphasizes competence, supervision, and confidentiality as the three pillars of responsible AI use. For enterprise agent governance in legal settings, these obligations translate directly into governance controls:

  • Human review gates before any agent-generated work product is filed, sent to a client, or relied upon in a proceeding.
  • Competence documentation — attorneys must be able to explain how the agent works, what its limitations are, and how they verified its output. This requires governance infrastructure that surfaces agent reasoning, not just results.
  • Disclosure workflows that flag when an agent contributed materially to a deliverable, enabling attorneys to make informed disclosure decisions.

Conflicts and Data Segregation

Law firms representing multiple clients face an additional governance constraint: agents must not cross-contaminate client matters. An agent with access to the full firm knowledge base — case files, correspondence, research — could inadvertently surface confidential information from one client matter while working on another. Enterprise agent governance programs in legal must implement matter-level data segregation, ensuring that agents operating on a given matter can only access data associated with that matter.


Building a Cross-Industry Agent Governance Implementation Roadmap

Regardless of vertical, the agent governance implementation sequence follows a consistent logic: you cannot govern what you have not inventoried, you cannot monitor what you have not instrumented, and you cannot enforce policy without defined scope constraints.

Phase 1: Agent Inventory and Classification (Weeks 1–4)

Catalog every agent deployment — including pilots, proofs of concept, and shadow deployments in business units. For each agent, document: the tasks it performs, the tools it can call, the data it accesses, and the regulatory frameworks that apply to those tasks and data types. This inventory is the foundation of your agent governance roadmap. Classification should produce at least three tiers: agents with no access to regulated data or consequential actions (low governance overhead), agents that access regulated data but do not take consequential actions (moderate controls), and agents that both access regulated data and take consequential actions (full governance stack required).

Phase 2: Policy Definition and Scope Constraints (Weeks 5–8)

Draft agent governance policy that specifies, for each tier: permitted tool access, data retention requirements for logs and reasoning traces, human review gates, and escalation paths for anomalous behavior. Policy should be written at the agent-class level, not the individual agent level — you want policy that scales. Scope constraints should be implemented technically, not just documented. An agent that is policy-prohibited from accessing PHI should be provisioned without the credentials to do so — not just instructed not to.

Phase 3: Instrumentation and Monitoring (Weeks 9–16)

Deploy logging infrastructure that captures action-level audit trails for all Tier 2 and Tier 3 agents. Establish behavioral baselines during a controlled observation period, then configure alerting for deviations: unexpected tool calls, access to data outside the agent’s defined scope, error rates above threshold, or output patterns inconsistent with the baseline. For regulated industries, monitoring is not optional — it is the mechanism by which you demonstrate ongoing compliance to examiners, auditors, and bar associations. Monitoring infrastructure that cannot produce structured audit reports on demand will fail at the moment it matters most.

Phase 4: Validation and Continuous Review (Ongoing)

Establish a review cadence for each agent tier. High-risk agents in financial services or healthcare should be reviewed quarterly at minimum, with ad hoc reviews triggered by model updates, tool changes, or incident reports. Validation should cover behavioral consistency, scope adherence, and alignment with current regulatory guidance — which continues to evolve across all three verticals. For a detailed evaluation of the platforms that support this governance stack, see How to Evaluate and Select an AI Agent Governance Platform.


Assess Your Governance Posture

If your organization is deploying agents in financial services, healthcare, or legal — or planning to — the gap between your current governance infrastructure and what regulators will expect is likely larger than your current risk register reflects. The frameworks above are not aspirational; they are the baseline that examiners, auditors, and bar associations are beginning to apply.

  • Request a governance readiness assessment to see where your agent deployments stand against SR 11-7, HIPAA, SaMD, and bar-association requirements — and get a prioritized remediation plan your team can act on immediately.
Brine

Build, hire, and govern every AI system in your environment.

Describe a workflow in plain English and Brine builds it, runs it on your data, and governs every step — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed audit trail as standard.

Scope a pilot More resources