Revuity Logo
    Business

    Compliance in Regulated Industries: Healthcare, Finance, and Legal

    How agentic systems interact with the specific compliance requirements of healthcare, financial services, and legal — and what project managers in these industries must account for in scope, design, and governance.

    Jay Burgess7 min read

    Regulated industries present compliance requirements that are not suggestions — they are legally enforceable obligations with material penalties for violations. A product or project manager deploying agentic systems in healthcare, financial services, or legal contexts operates in an environment where a compliance failure is not just a process problem. It is a regulatory event that can result in fines, license revocations, reputational damage, and personal liability for named officers and executives. Understanding the specific compliance landscape of your industry is therefore not optional professional development — it is a prerequisite for responsible deployment.

    In healthcare, HIPAA governs how protected health information (PHI) can be used, stored, and shared. An agentic system that processes patient records, clinical notes, medical imaging reports, or billing data is handling PHI regardless of its purpose. This triggers requirements for business associate agreements with any vendor who processes the data, minimum necessary use standards that limit data exposure to what the agent actually needs, breach notification obligations if PHI is improperly accessed or disclosed, and specific restrictions on using PHI to train models without patient authorization. Project managers in healthcare must verify that every tool in the agent's environment, every vendor in the data chain, and every log that captures agent inputs has been assessed against HIPAA requirements before deployment.

    In financial services, the compliance landscape is broader and more fragmented. Consumer-facing AI systems that make or influence credit decisions face Equal Credit Opportunity Act requirements for adverse action notices and Fair Credit Reporting Act obligations around accuracy and dispute rights. Systems that provide investment-related information may trigger securities regulations. Anti-money laundering systems must meet BSA requirements. Trading systems are subject to SEC and FINRA surveillance. The common thread is explainability: financial regulators expect that institutions can explain how an AI system reached a specific decision for a specific consumer, in plain language, when asked. Product managers must build explanation capability into the system design — it cannot be retrofitted after a regulatory inquiry.

    In legal contexts, the core compliance issues are privilege, confidentiality, and professional responsibility. Communications between attorneys and clients are protected by attorney-client privilege — an agentic system that processes privileged communications must be designed so that privilege is not inadvertently waived through disclosure to a vendor whose data handling creates third-party access. Attorneys in most jurisdictions have competence obligations that now include understanding the AI tools they use, and supervisory obligations that require meaningful review of AI-generated work product before it is submitted to a court or client. Project managers building agentic tools for legal use must understand that the attorney using the tool is the regulated professional — and the tool must be designed to support, not undermine, the attorney's ability to exercise the judgment the professional rules require.

    What this means in practice

    The practical implementation question is not whether the idea is interesting. It is how a team turns it into a workflow that can be inspected, repeated, and improved. For this topic, the operating focus is direct: Apply the specific compliance requirements of healthcare, financial services, and legal to agentic system design — with explainability and privilege preservation as non-negotiable design inputs.

    That means the engineering work starts before the first model call. The team must decide what the agent is allowed to know, what it is allowed to do, what evidence it must produce, and which actions require a human decision. This is the difference between an impressive demo and a system that can survive real users, changing inputs, and production constraints.

    A credible implementation also includes a feedback path. Every agent run should leave behind enough context for another engineer to answer four questions: what goal was attempted, what context was used, which tools were called, and why the system believed the task was complete. If those questions cannot be answered from logs, traces, or structured outputs, the agent is still operating as a black box.

    Reference Diagram

    A simple architecture to reason from

    Use this diagram as a starting point, not as a universal blueprint. The important move is to make the stages visible. Once stages are visible, you can assign owners, define contracts, set permissions, measure quality, and decide where human review belongs.

    Workflow Map
    Read left to right: state moves through controlled boundaries.
    1
    Industry Classification

    Identify applicable regulatory framework before scope is defined.

    2
    Healthcare: HIPAA

    PHI handling: BAA required for all vendors, minimum necessary use, breach notification, no training use.

    3
    Financial: Explainability

    ECOA/FCRA: plain-language adverse action explanation on demand for any AI-influenced credit decision.

    4
    Legal: Privilege + Competence

    Competence obligation + supervisory obligation: tool must support, not replace, attorney judgment.

    5
    BAA / DPA Review

    Every vendor in the data chain requires verification — not just the primary AI vendor.

    6
    Explainability Design

    Build explanation capability into the data model from the start — it cannot be retrofitted.

    7
    Attorney Oversight Design

    Design for meaningful review of AI work product — legal AI that removes meaningful attorney review is non-compliant.

    Code Example

    Regulated industry compliance checklist by sector

    The example below is intentionally small. Production agentic systems should start with compact contracts like this because small contracts are testable. Once the boundary is working, you can add richer orchestration without losing control of the core behavior.

    ts·Regulated industry compliance checklist by sector
    const regulatedIndustryChecklist = {
  healthcare: {
    preDeployment: [
      "BAA signed with every vendor in the data chain",
      "Minimum necessary use documented and enforced",
      "PHI scope defined — every log and tool call assessed",
      "Training data use restriction verified in vendor contract",
    ],
    ongoingRequirements: [
      "Breach notification procedure documented and tested",
      "PHI access log maintained and reviewable",
    ],
  },
  financialServices: {
    preDeployment: [
      "Adverse action notice mechanism designed and tested",
      "Plain-language explanation interface built for all credit-influencing decisions",
      "Fair lending analysis completed on evaluation set before launch",
    ],
    ongoingRequirements: [
      "Explanation can be produced within regulatory timeframe for any specific decision",
      "Disparate impact monitoring running continuously in production",
    ],
  },
  legal: {
    preDeployment: [
      "Privilege preservation assessed for all data the agent processes",
      "Supervisory obligation design: attorney review is meaningful, not rubber-stamp",
      "Professional competence training completed for attorneys using the tool",
    ],
  },
};
    Illustrative pattern — not production-ready

    Implementation notes

    Treat these notes as the first design review checklist. They are deliberately concrete because agentic systems fail most often in the gaps between the model, the tools, the data, and the human operating process.

    Design note 1

    HIPAA applies to every vendor in the data chain — verify each one, not just the primary AI vendor.

    Design note 2

    Explainability for financial services decisions must be designed into the data model — it cannot be retrofitted after a regulatory inquiry.

    Design note 3

    Legal AI tools must be designed to support attorney judgment, not to replace it — the tool's design determines the attorney's ability to meet supervisory obligations.

    Compliance failures are enforcement events
    In regulated industries, a compliance failure is not a process problem — it is a regulatory event with material penalties, potential license implications, and personal liability for named officers. Build compliance requirements into scope before any engineering work begins.

    Common failure modes

    The fastest way to make an article useful is to name how the pattern breaks. These are the failure modes to watch for when a team moves from reading about this idea to deploying it inside a real workflow.

    PHI flows to a logging or observability vendor that has not signed a BAA — constituting an unauthorized disclosure.
    Explanation mechanism is built as a post-launch enhancement — a regulatory inquiry arrives before it exists.
    Legal AI tool is designed for efficiency gains that require the attorney to review outputs too quickly for meaningful judgment.

    Operating checklist

    Before this pattern graduates from experiment to production, require a short operating checklist. The checklist should include the owner of the workflow, the allowed tools, the risk rating for each tool, the data sources the agent can use, the completion criteria, the review path, and the rollback plan. If a team cannot fill out that checklist, the workflow is not ready for higher autonomy.

    The checklist should also define how the system will be evaluated after launch. Useful metrics include task success rate, human correction rate, average iterations per completed task, cost per successful run, escalation rate, and the number of blocked tool calls. These metrics turn agent quality into an engineering conversation instead of an opinion about whether the output felt good.

    Finally, make the learning loop explicit. When the agent fails, decide whether the fix belongs in the prompt, the retrieval layer, the tool contract, the permission model, the evaluation suite, or the human process. Mature agentic engineering is not the absence of failures. It is the ability to classify failures quickly and improve the system without expanding risk.

    Key Takeaways
    Healthcare: verify HIPAA compliance across every vendor, tool, and log before deployment — PHI handling obligations do not depend on the agent's purpose.
    Financial services: build explainability into the system design from the start — regulators expect plain-language explanations of specific decisions on demand.
    Legal: design agentic tools to support attorney judgment and preserve privilege — the attorney is the regulated professional and bears responsibility for AI-generated work product.
    Learn the full system

    Build real fluency in agentic engineering.

    The Academy turns these concepts into a full curriculum, AI tutor, templates, and the CAE credential path.

    Start Learning