By Monte Fisher, CPA (Ret.), CFE  ·  Find your business's blind spots — take the free assessment →
AI Governance: The first rule is know who you're doing business with. In most of Asia, that's legally impossible. Here's what you can actually do — and why veterans need to read this too.
AI Governance · Regulated Industries · Compliance · 2026

AI Governance Is Not One Framework.
In Regulated Industries, It Is Four.

Every serious framework — NIST AI RMF, ISO 42001, COSO GenAI — tells you what to govern. None of them tells you which regulator will reach you first. In a regulated industry, that is the only question that sets your priorities.

By Monte Fisher, CPA (Ret.), CFE  ·  Fisher Governance  ·  June 2026

Every serious AI governance framework starts from the same place. NIST AI RMF wants you to map, measure, and manage risk. ISO 42001 wants a management system. COSO's GenAI guidance wants controls mapped to objectives. They are all good. They are all correct. And in a regulated industry, they all share the same blind spot.

They tell you what to govern. They do not tell you who is coming for you first.

That distinction sounds academic until you are the one deciding where to spend a limited compliance budget before a product ships. A framework gives you forty controls. A regulator gives you a subpoena. You cannot treat all forty controls as equally urgent, because the regulator who reaches you first is not interested in your framework — they are interested in the one obligation their statute assigns them to enforce.

"AI governance" is treated as one discipline. In a regulated industry it is at least four, and they do not rank the same way.

I spent nineteen years inside a major global energy company, including governance and assurance roles on a large joint venture, before I became a Certified Fraud Examiner. What that taught me is simple: compliance is not a checklist you complete. It is a question of who has jurisdiction over what you just did, and what they are empowered to do about it. The framework is the map. The regulator is the weather.

So here is the version of AI governance that actually matters if you operate in a regulated sector. It is not one framework. It is four different binding constraints, and which one binds you determines everything about your priority order.

Finance: explainability is the constraint

In financial services, the binding question is not "is the model fair" in the abstract. It is "can you explain, to a supervisor, why this specific applicant was denied credit." Model risk management guidance — the SR 11-7 lineage — already expects you to validate models, document assumptions, and demonstrate ongoing monitoring. AI does not get an exemption from that. It inherits it.

The practical consequence: a black-box model that improves approval accuracy but cannot produce an adverse-action reason is not a governance gap you can defer. It is a fair-lending exposure the moment it touches a consumer decision. Explainability moves to the top of your priority order in finance not because a framework says so, but because the regulator who reaches you first will ask the question the model cannot answer.

Healthcare: the data is the constraint, until the model becomes a device

In healthcare, the first binding constraint is data. HIPAA governs how protected health information moves, and an AI system trained on or fed patient data lives inside that obligation whether or not anyone drew a diagram of it. Vendor relationships, business associate agreements, and data minimization are not downstream concerns — they are the entry ticket.

But there is a second constraint that catches people: the moment an AI tool starts informing clinical decisions, it may cross into being regulated as software as a medical device. That is a different regulator, a different bar, and a different timeline. The governance failure mode in healthcare is treating a clinical-adjacent model as an IT project when it has quietly become a medical one.

Government contracting: provenance is the constraint

If you sell to the federal government, the binding constraint is provenance and control of the environment. FedRAMP authorization, CMMC requirements, and the supply-chain expectations that come with them are not about whether your model is fair — they are about whether you can prove where your data lives, who touched it, and that your environment meets the required baseline.

An AI feature that quietly routes data through an unvetted third-party API can be a fair, accurate, well-governed model by every framework's measure and still be a contract-ending problem, because the constraint here is not model behavior. It is chain of custody. Governance in this sector means knowing your AI supply chain well enough to attest to it.

Insurance: fairness is the constraint, state by state

Insurance is where "is the model fair" becomes a literal, enforceable, actuarial question — and where the answer changes when you cross a state line. Regulators have moved directly at algorithmic underwriting and rating, with a growing expectation that insurers can demonstrate their models do not produce unfairly discriminatory outcomes, using proxies or otherwise.

The complication that generic frameworks miss: insurance regulation is largely a state matter. A model that satisfies one state's expectations may not satisfy another's, and "we ran a bias test" is not the same as "we can show this rating is actuarially justified and not unfairly discriminatory in every state where we write." Fairness sits at the top of the insurance priority order, but it is fairness with fifty possible definitions.

Why the priority order is the whole point

Put those four side by side and the lesson is not that regulated industries are harder. It is that they are different from each other in a way generic AI governance flattens. Explainability is the first control in finance and a secondary one in government contracting. Provenance is everything to a federal contractor and a supporting concern to an insurer. Data handling is the entry ticket in healthcare and one item among many in finance.

A single framework applied uniformly will over-invest in controls that do not bind you and under-invest in the one that does. The forensic habit — ask who has jurisdiction, ask what they are empowered to do, ask where the evidence would have to come from — is what turns a forty-item framework into a ranked list you can actually execute before launch.

The framework tells you what good looks like. The regulator tells you what "first" means. In a regulated industry, you need both.

What to do with this

Start every regulated-industry AI initiative by naming the regulator most likely to reach you first, and the single obligation they exist to enforce. Rank your controls against that, not against the framework's ordering. Use NIST, ISO, and COSO for completeness — they are excellent at making sure nothing is missed — but let the jurisdiction, not the framework, set your sequence.

Do that and AI governance stops being a compliance tax and starts being what it should be: a way to ship faster, because you have already answered the question the regulator was going to ask.