Tags: AI Compliance, Regulated Industries, Workflow Design, Risk Management, Mid-Market

Your AI Compliance Problem Isn't the Model. It's the Workflow Around It.

Sean Cummings
May 19, 2026 · 6 min read

Regulated industries keep buying better AI models and still failing compliance reviews. The problem isn't the model — it's everything the model touches.


Every compliance conversation about AI in regulated industries eventually lands on the same question: *Is the model safe?*

Wrong question.

The model is a component. What actually gets you into trouble — with your regulator, your legal team, or your customers — is the workflow the model lives inside. The data it touches. The decisions it influences. The humans (or lack of humans) in the loop. The audit trail that either exists or doesn't.

Until your organization understands that distinction, you will keep buying AI tools and failing compliance reviews.

The Risk Isn't Where Most Teams Are Looking

Here's what we see consistently across financial services, medical device, and professional services clients: the compliance team gets looped in to evaluate the AI vendor. They review the model card, check the data processing agreements, ask about SOC 2. They sign off — or they don't.

But nobody maps the workflow.

Nobody asks: What data flows into this model, from which systems, with what access controls? What does the output trigger downstream? Who is accountable when the output is wrong — and how would you even know it was wrong? Can you reconstruct the decision chain eighteen months from now when a regulator asks?

Those are compliance questions. They have nothing to do with the model itself.

The Glean research on industries with stringent AI compliance needs makes this explicit: workflow automation raises the compliance bar *beyond the model*. Controls have to follow the workflow — not just the algorithm. That's not a technical observation. It's an operational mandate.

What Risk-Tier Actually Means in Practice

Not all AI use cases carry the same risk. That sounds obvious, but most mid-market companies aren't acting on it.

A document summarization tool that helps a paralegal draft a first-pass memo is low stakes. The human reviews everything before it leaves the building. An AI agent that routes insurance claims, flags anomalies in a financial audit, or surfaces clinical decision support in a care workflow? Entirely different risk tier.

The variable isn't the sophistication of the model. It's the decision impact — what happens downstream when the model is wrong, and how quickly a human can catch and correct it.

High decision impact means you need:

  • Documented human review checkpoints before action is taken
  • Clear accountability assignment (not just a policy, an actual named role)
  • Logging at the workflow level, not just the model API level
  • A tested rollback path when something breaks

Low decision impact means you can move faster — but you still need to know which category you're in before you deploy.

The Mid-Market Trap

Large enterprises have dedicated AI governance teams. They're building internal control frameworks, hiring model risk officers, running formal change control on every deployment.

Most mid-market companies don't have that. They have a VP of Operations who is genuinely trying to move fast, a compliance officer who is already stretched, and an IT team that's being asked to integrate tools they've never seen before.

The trap is thinking you need enterprise-scale governance infrastructure before you can deploy AI responsibly. You don't. But you do need to answer a short, hard set of questions before you go live with anything that touches regulated data or regulated decisions:

1. What data does this workflow access, and what's the classification of that data?

2. What decision does this workflow influence, and what's the consequence of a wrong answer?

3. Who is accountable when it fails — and do they know they're accountable?

4. What does the audit trail look like, and who can pull it?

5. What's the process for changing this workflow, and does change control apply?

Five questions. Not fifty. But you have to actually answer them — in writing, before deployment.

Permissions and Integrations Are Compliance Controls

One more thing that gets missed: access controls and system integrations are not IT configuration details. They are compliance controls.

If your AI workflow can read any document in your SharePoint environment because it was provisioned with broad permissions, that's a compliance gap — regardless of what the model does with the information. If your AI agent can push outputs directly to a customer-facing system without human review, that's a compliance gap. If your integration between the AI tool and your EHR doesn't maintain a complete, tamper-evident log, that's a compliance gap.

Fix the provisioning. Tighten the integrations. Require human-in-the-loop gates at the right decision points. These aren't nice-to-haves — they're the difference between a workflow that survives a regulatory inquiry and one that doesn't.
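What a workflow-level control layer looks like in code, as an added example that is not from the article or from any product it mentions. It wraps a hypothetical claim-routing model (a constructed stand-in, not a real model) in the controls the high-impact checklist and this section call for: a provisioning check on the source system before any data reaches the model, a human review gate for high-impact outputs with a named accountable role recorded on every entry, a rollback path, and a hash-chained workflow log whose verify() detects after-the-fact edits. The workflow name, source systems, classification label, reviewer id and sample claim records are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field


class TamperEvidentLog:
    """Append-only log; each entry's hash covers the previous entry's hash plus
    its own content, so editing or deleting an entry later breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def digest(prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": self.digest(prev, event)})

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self.digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True


@dataclass
class Workflow:
    name: str
    risk_tier: str           # "high" or "low" decision impact
    accountable_role: str    # a named role, not just a policy
    allowed_sources: dict    # source system -> data classification it is provisioned for
    log: TamperEvidentLog = field(default_factory=TamperEvidentLog)
    pending: dict = field(default_factory=dict)    # high-tier outputs waiting for a human
    released: dict = field(default_factory=dict)   # outputs that reached a downstream system
    runs: int = 0

    def run(self, source, record, model):
        self.runs += 1
        run_id = f"{self.name}-{self.runs}"
        if source not in self.allowed_sources:  # provisioning check before the model sees data
            self.log.append({"run": run_id, "step": "denied", "source": source})
            raise PermissionError(f"{self.name} is not provisioned for {source}")
        output = model(record)
        self.log.append({"run": run_id, "step": "model_output", "source": source,
                         "classification": self.allowed_sources[source], "record": record,
                         "output": output, "accountable": self.accountable_role})
        if self.risk_tier == "high":  # human review gate before anything goes downstream
            self.pending[run_id] = output
            self.log.append({"run": run_id, "step": "held_for_review"})
            return {"run": run_id, "status": "pending_review"}
        return self._release(run_id, output)

    def review(self, run_id, reviewer, approve, corrected=None):
        output = self.pending.pop(run_id)
        self.log.append({"run": run_id, "step": "reviewed", "reviewer": reviewer,
                         "approved": approve, "corrected": corrected})
        if not approve:
            return {"run": run_id, "status": "rejected"}
        return self._release(run_id, corrected if corrected is not None else output)

    def _release(self, run_id, output):
        self.released[run_id] = output
        self.log.append({"run": run_id, "step": "released", "output": output})
        return {"run": run_id, "status": "released", "output": output}

    def rollback(self, run_id, reason):
        """Retract a released output and record why; True if something was retracted."""
        retracted = self.released.pop(run_id, None) is not None
        self.log.append({"run": run_id, "step": "rolled_back", "reason": reason, "retracted": retracted})
        return retracted


def claim_router(record):
    """Constructed stand-in for the AI model: routes a claim by amount."""
    return "fast_track" if record["amount"] < 1000 else "manual_adjudication"


def demo():
    wf = Workflow("claims_routing", "high", "Claims Operations Manager",
                  {"claims_intake": "confidential"})
    try:  # 1. data from a system the workflow was never provisioned for is refused
        wf.run("hr_records", {"employee": "E-7"}, claim_router)
        denied = False
    except PermissionError:
        denied = True
    held = wf.run("claims_intake", {"claim_id": "C-1", "amount": 250}, claim_router)
    released = wf.review(held["run"], "adjuster_42", approve=True,
                         corrected="manual_adjudication")  # 2. the human overrides the model
    rolled_back = wf.rollback(held["run"], "duplicate claim found")  # 3. rollback path
    chain_ok = wf.log.verify()
    wf.log.entries[1]["event"]["output"] = "manual_adjudication"  # 4. after-the-fact edit
    return {"denied": denied, "released": released, "rolled_back": rolled_back,
            "steps": [e["event"]["step"] for e in wf.log.entries],
            "chain_ok": chain_ok, "tamper_detected": not wf.log.verify()}
```

Calling demo() returns the denial, the corrected release, the rollback result, the ordered list of logged steps (denied, model_output, held_for_review, reviewed, released, rolled_back), and shows the chain verifying before the edit and failing after it. Two points the code makes concrete: every log entry names the accountable role and the data classification, so the "who" and "what data" questions are answerable from the trail itself; and a hash chain is only tamper-evident if the latest hash is also stored somewhere the workflow cannot write, so in practice anchor the chain head to a separate system rather than keeping it beside the log.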

The Takeaway

Stop auditing your AI models in isolation. Start auditing your AI workflows end to end.

Map the data flows. Assign the accountability. Enforce the review gates. Document the change process. Do it before you deploy, not after your first incident.

The companies that get AI right in regulated industries aren't necessarily using better models. They're running better-designed workflows around them.

That's the work. And it's entirely doable — if you start with the right questions.

Sean Cummings

Founder of Laminar Flow Analytics. Specializes in AI workflow automation for regulated industries — medical device, financial services, and complex logistics operations.
