Every year a new ranked list of automation platforms drops, and every year mid-market operators in regulated industries buy the wrong thing for the wrong reasons. Here's what the rankings don't tell you.
Another year, another ranked list of AI-driven automation platforms. UiPath at number two. IBM Watsonx Orchestrate with multi-agent capabilities. Automation Anywhere going cloud-native. All rated on implementation quality, scalability, support.
These lists aren't wrong. The vendors are real. The capabilities are real. But if you're running operations at a mid-market company in medical devices, financial services, manufacturing, or any other regulated space — the list is not your problem.
Your problem is what happens after you pick one.
Here's what the rankings don't score: how well a platform survives contact with your compliance team, your change control board, your legacy ERP that hasn't been touched since 2014, and the three department heads who have wildly different definitions of what "automated" should mean.
Most automation failures in regulated industries aren't technology failures. They're integration failures — not in the technical sense, but in the organizational sense. A workflow that works perfectly in a sandbox falls apart when it hits a SOC 2 audit requirement, or when the FDA asks for a complete audit trail on every decision the system made, or when a process owner realizes the new workflow bypassed a manual review step that was actually a regulatory control in disguise.
No star rating catches that.
The buzzword making the rounds right now is "agentic" — AI systems that can take sequences of actions autonomously, not just respond to a single prompt. UiPath is pitching it. IBM Watsonx is pitching it. Pega combines it with decision intelligence.
For a general enterprise, agentic automation is exciting. For a regulated operation, it's a risk surface that needs to be scoped very carefully before you turn it on.
When an autonomous agent makes a decision — routing a claim, flagging a supplier, updating a patient record — who owns that decision? How is it logged? How does it hold up under audit? If the agent takes an action that turns out to be wrong, what's the remediation path?
These aren't hypothetical questions. They're the questions your compliance team is going to ask the morning after your go-live. And if you don't have answers ready, the workflow gets paused — or worse, it runs unchecked and creates a liability you find out about six months later.
The pattern we see repeatedly: a company evaluates platforms, selects one with strong feature scores, runs a pilot in a low-stakes process, sees promising results, and then tries to scale that success into a higher-stakes, compliance-adjacent workflow.
That's where it breaks.
The pilot worked because it was isolated. It had clean data, a single process owner, and no regulatory implications. The scale environment has none of those things. It has fragmented data across three systems, four stakeholders with competing priorities, and a compliance requirement that nobody fully documented.
Platform choice didn't cause that failure. Process design did. Governance design did.
Before you evaluate a single vendor, four things need to be true:
1. You've mapped the regulatory touchpoints in the workflow. Not at a high level — specifically. Which steps involve data that falls under HIPAA, SOX, FDA 21 CFR Part 11, or your industry equivalent? Which outputs need to be defensible to an auditor?
2. You've defined what human-in-the-loop means for your context. Agentic automation can reduce manual steps dramatically — but in regulated industries, some manual steps exist for legal or compliance reasons, not just efficiency reasons. Know which ones before you automate them out.
3. You have a change control process that can accommodate AI workflow updates. When the model changes, when the rules update, when the vendor pushes a new version — does that trigger a revalidation requirement? In medical devices, often yes. Map this before you're in production.
4. You've got a named owner for the workflow, not just the technology. The platform vendor will support the software. Nobody but you owns the process. That needs to be a person with accountability, not a team with diffused responsibility.
If you're a mid-market operator using a ranked list to shortlist automation vendors, that's a reasonable starting point. But the decision framework shouldn't be "which platform has the best scores" — it should be "which platform can we actually govern, validate, and defend in our regulatory environment."
That's a different evaluation. It involves your compliance team earlier. It involves documenting the regulatory context of every workflow before the first demo. It involves asking vendors not just what the platform can do, but what it produces by way of audit logs, change history, and decision traceability.
The platforms on these lists are capable. The question is whether your organization is ready to operate them responsibly. That readiness isn't something a vendor can give you — and it's not something a star rating can measure.
Dealing with a similar challenge?
We work with mid-market companies in regulated industries to build AI workflows that actually hold up.
Let's TalkSean Cummings
Founder of Laminar Flow Analytics. Specializes in AI workflow automation for regulated industries — medical device, financial services, and complex logistics operations.