
AI and Your Industry's Regulations: Four Vertical Overlays for Regulated Mid-Market Companies

This document sits on top of the AI Compliance Regulatory Quick-Reference, which maps the horizontal AI laws that apply regardless of industry. Read that document first.


Executive Summary

  • The horizontal AI laws — Colorado, Illinois, Texas, EU AI Act — apply to every company. But a 300-person healthcare services firm, a mid-market insurance carrier, or a financial services company each faces a second layer of industry-specific regulation that the general compliance quick-reference does not cover. This document fills that gap with four one-page overlays: healthcare (HIPAA), financial services (SOX/SEC), insurance (NAIC/state bulletins), and education (FERPA).
  • The HIPAA overlay is the most immediately consequential. HHS’s proposed Security Rule update (January 2025) would require a written inventory of every AI system that touches electronic protected health information — including AI tools employees use informally. A mid-market healthcare company that deployed a note-summarization tool without documenting it in the risk analysis is already non-compliant with proposed requirements that could finalize in 2026.
  • The SEC overlay is the most underestimated. The SEC’s 2026 Examination Priorities explicitly name AI as a focus area. Any company that claims AI capabilities in investor communications, annual reports, or marketing faces “AI washing” enforcement risk — and SOX internal controls must now account for AI systems touching financial data.
  • Build horizontal compliance first, then add the vertical overlay. A governance framework designed for Colorado’s requirements — the strictest horizontal law — covers 80-90% of obligations across all jurisdictions. The overlays below add the 10-20% that is industry-specific. Total additional effort for a 300-person company: 10-20 hours of GC time per vertical, not a new compliance program.

How to Use This Document

Find the overlay for the industry or industries where the company operates. Each overlay answers three questions:

  1. What does this industry’s regulator specifically require for AI?
  2. Where does industry regulation create obligations beyond the horizontal laws?
  3. What is the one thing to do this quarter?

Companies operating across multiple verticals — a healthcare staffing firm that also holds insurance licenses, for example — stack the relevant overlays.


Overlay 1: Healthcare — HIPAA and HHS Requirements

What the Regulator Requires

The proposed HIPAA Security Rule update (HHS, published January 6, 2025, Federal Register 2024-30983) eliminates the distinction between “required” and “addressable” safeguards. For AI, three new obligations are specific:

AI technology asset inventory
  Detail: Written inventory of every technology asset — including AI systems — that creates, receives, maintains, or transmits ePHI. Each entry must include vendor details, version numbers, and accountable individual.
  Status: Proposed; comment period closed March 7, 2025. New administration has paused HHS rulemaking, but the standard of care has shifted — auditors and plaintiffs will reference these requirements regardless of finalization timeline.

AI-inclusive risk analysis
  Detail: Risk assessments must include AI tools, covering the type and amount of ePHI accessed, to whom outputs are disclosed, and effects on confidentiality, integrity, and availability.
  Status: Proposed; aligns with existing HIPAA risk analysis obligation, which most mid-market healthcare companies already underperform.

Vulnerability monitoring for AI systems
  Detail: Covered entities must monitor authoritative sources for known vulnerabilities in AI systems and remediate promptly per their patch management program.
  Status: Proposed; applies to third-party AI tools as well as internally developed systems.

The HHS Section 1557 Final Rule (effective January 2026) adds a non-discrimination overlay: covered entities must identify AI-based patient care decision support tools that use variables correlated with protected characteristics and take reasonable steps to mitigate bias. This applies to clinical AI, scheduling algorithms, and triage tools.

Where This Goes Beyond Horizontal Laws

The horizontal AI laws (Colorado, Illinois) regulate AI decisions affecting consumers. HIPAA regulates the data environment in which AI operates — whether or not the AI makes a decision. An AI tool that summarizes medical notes but does not make any clinical decision still falls under HIPAA if it touches ePHI. Colorado requires impact assessments for “consequential decisions.” HIPAA requires documentation for any AI system that interacts with patient data, regardless of decision authority.

The One Thing to Do This Quarter

Inventory every AI system that touches patient data. Not just the EHR’s built-in AI features — every browser extension, every free-tier summarization tool, every dictation app an employee downloaded. The proposed rule requires a written inventory with vendor, version, and accountable person. Building this inventory now takes 8-12 hours of IT time for a 300-person company and closes the single largest compliance gap before the rule finalizes.

Sources: HHS Proposed HIPAA Security Rule (Federal Register 2024-30983, January 6, 2025); HHS Section 1557 Final Rule (effective January 2026); Amundsen Davis analysis (2025); RubinBrown HIPAA 2025-2026 update; Ankura compliance analysis (2025).


Overlay 2: Financial Services — SEC and SOX Requirements

What the Regulator Requires

The SEC’s 2026 Examination Priorities name AI as a top focus area. The Division of Examinations stated it will “review for accuracy registrant representations regarding their AI capabilities” and scrutinize whether disclosures, supervisory frameworks, and controls align with actual practices.

AI disclosure accuracy
  Detail: Companies must define what they mean by AI, describe board oversight mechanisms, and separate internal-use AI from customer-facing deployments. Claims about AI capabilities must be substantiated.
  Status: Active enforcement. The 2025 Presto Automation settlement demonstrated SEC willingness to pursue “AI washing” — materially false or misleading statements about AI products.

SOX internal controls for AI
  Detail: AI systems that touch financial data — forecasting models, automated reconciliation, AI-assisted close processes — must be documented within the SOX 404 control framework. Auditors now expect AI systems to be treated as IT general controls with testing, validation, and change management documentation.
  Status: Active. SOX 404 compliance has shifted from static documentation to continuous verification. AI systems that influence financial reporting require the same control rigor as any other system in the financial data chain.

SEC Investor Advisory Committee AI disclosure recommendations
  Detail: The IAC voted in December 2025 to recommend AI-specific disclosure guidance: define AI, disclose board oversight, report material AI deployments. Not yet formal guidance.
  Status: Recommendation stage. The IAC’s recommendations carry weight with examiners even before formal rulemaking.

Where This Goes Beyond Horizontal Laws

The horizontal AI laws regulate AI decisions affecting consumers and employees. The SEC regulates what companies say about AI — in 10-K filings, earnings calls, investor presentations, and marketing materials. A company that describes itself as “AI-powered” in its annual report without documenting actual AI deployment status, budget, and staffing faces the same scrutiny as a company that overstated revenue.

SOX adds a separate dimension: AI systems in the financial reporting chain are now internal controls, not just technology assets. The AI tool that auto-categorizes expenses or generates financial forecasts requires change management, access controls, testing, and validation documentation — the same governance applied to the ERP system.

The One Thing to Do This Quarter

Map every AI system that touches financial data and add it to the SOX control inventory. For each system, document: what data it accesses, who approved its deployment, how it is tested for accuracy, and what happens when it produces an error. For the 10-K and investor communications, audit every reference to “AI” and ensure it is substantiated by actual deployment, not aspiration. A mid-market CFO can complete this mapping in 6-10 hours; the consequence of not doing it is an examiner finding a gap between what the company claims and what it controls.

Sources: SEC Division of Examinations 2026 Priorities; SEC Investor Advisory Committee AI Disclosure Recommendation (December 2025); D&O Diary: AI, the SEC, and the 2026 Reporting Season (February 2026); SafePaaS: 2026 SOX Compliance and AI Agents; KnowCraft Analytics: SOX 404 Compliance in 2026.


Overlay 3: Insurance — NAIC Model Bulletin and State Requirements

What the Regulator Requires

The NAIC Model Bulletin on Use of AI Systems by Insurers (adopted December 2023) has been adopted by 23 states plus Washington, D.C. as of late 2025. The 12-state NAIC AI Evaluation Tool pilot runs January through September 2026 — meaning regulatory examinations using a standardized AI assessment framework are happening now.

Written AI governance program
  Detail: Insurers must implement and maintain a written program ensuring AI is used responsibly. Senior management or a board-accountable committee must oversee it. Policies must address transparency, fairness, and accountability.
  Status: Active in 23 states. The 11 earliest adopters (Alaska, Connecticut, Illinois, Kentucky, Maryland, Nevada, New Hampshire, Pennsylvania, Rhode Island, Vermont, Washington) issued bulletins in Q1 2024.

Third-party vendor management
  Detail: Carriers bear responsibility for third-party AI decisions. Contracts must include audit rights and regulatory cooperation provisions. A model law on third-party vendor licensing is anticipated in 2026.
  Status: Active obligation; enhanced requirements expected 2026-2027.

Bias testing
  Detail: Regular testing of AI models for discriminatory impact in underwriting, claims, and pricing. Nearly one-third of health insurers still do not regularly test models for bias (Fenwick, 2025).
  Status: Active. Colorado SB 24-205 adds additional requirements for insurance AI effective June 30, 2026, including mandatory impact assessments and consumer disclosure before adverse decisions.

AI adoption in insurance is high and accelerating: 92% of health insurers, 88% of auto insurers, 70% of home insurers, and 58% of life insurers report current or planned AI usage (NAIC survey data, 2025). The regulatory infrastructure is catching up to this adoption rate.

Where This Goes Beyond Horizontal Laws

Insurance regulation adds two layers the horizontal laws do not reach. First, the fiduciary duty embedded in insurance law means AI-influenced underwriting or claims decisions carry a higher legal standard than AI decisions in most other industries — the insurer cannot delegate judgment to an algorithm without retaining accountability. Second, state insurance regulators have examination authority that general-purpose AG offices do not: the NAIC AI Evaluation Tool gives examiners a standardized checklist to assess AI governance during routine market conduct examinations. A horizontal AI law requires governance in theory. An insurance examination verifies governance in practice.

The One Thing to Do This Quarter

Confirm the written AI governance program exists and covers third-party vendors. If the company operates in any of the 23 states that adopted the NAIC bulletin, the requirement is active. The program must name the accountable executive, describe the oversight process for each AI system used in underwriting, claims, or pricing, and include audit provisions in vendor contracts. The 12-state NAIC pilot means examiners have a standardized tool for assessing this program — and “it is under development” is not a passing answer.

Sources: NAIC Model Bulletin on Use of AI Systems by Insurers (December 2023); McDermott Will & Emery: State Regulators Address Insurers’ Use of AI (2025); Fenwick: Tracking the Evolution of AI Insurance Regulation (2025); Holland & Knight: Implications of the NAIC Model Bulletin (May 2025); Colorado SB 24-205; NAIC AI Evaluation Tool multistate pilot announcement (January 2026).


Overlay 4: Education — FERPA and Student Data Requirements

What the Regulator Requires

FERPA applies to any institution receiving federal education funding — and to the technology vendors those institutions contract with. For mid-market companies selling to, servicing, or operating within the education sector, FERPA obligations flow through vendor agreements and data processing contracts.

Consent for AI processing of student data
  Detail: FERPA requires explicit consent before education records are used with AI tools, unless the data falls under directory information or the “school official” exception. The 2025 COPPA amendments shifted children’s data from opt-out to opt-in consent, tightening the standard for K-12 AI tools.
  Status: Active. The April 2025 Department of Education Dear Colleague letter reinforced annual privacy notice requirements and parental consent obligations.

Data minimization for AI systems
  Detail: AI tools processing student data must use only the minimum amount of data necessary. Vendor contracts must specify what data the AI system accesses, how long it retains it, and what happens at contract termination.
  Status: Active under FERPA “school official” exception requirements and emerging state student privacy laws.

Vendor security obligations
  Detail: A growing body of commentary and pending legislation recognizes that FERPA lacks explicit cybersecurity requirements despite schools relying on hundreds of ed-tech tools. Companies selling AI tools to education institutions should prepare for vendor security mandates by building to NIST standards now.
  Status: Emerging. Federal modernization is under discussion; several states (California, Illinois, New York) have enacted or introduced supplementary student privacy laws with vendor obligations.

Where This Goes Beyond Horizontal Laws

FERPA creates a unique compliance surface because the regulated party (the school) and the technology provider (the vendor) share obligation through contractual arrangements. A mid-market company whose AI tool processes student data — even indirectly, through a SaaS integration — faces compliance exposure not through its own regulatory relationship but through its customer’s. The “school official” exception that allows data sharing without parental consent only applies when the vendor agreement includes specific use limitations, data retention terms, and re-disclosure restrictions. An AI tool that uses student data for model training — even anonymized — likely exceeds this exception.

The One Thing to Do This Quarter

Audit every AI feature that touches student data against the “school official” exception requirements. For each tool, answer: does the vendor agreement restrict use to the educational purpose? Does it prohibit re-disclosure? Does it specify data retention and deletion terms? Does it address whether student data enters AI training pipelines? If any answer is no, the school’s FERPA compliance — and the vendor’s contractual standing — is at risk. For a mid-market company providing services to education institutions, this audit protects the customer relationship as much as it protects the data.

Sources: FERPA (20 U.S.C. § 1232g); U.S. Department of Education Dear Colleague Letter (April 2025); COPPA 2025 Amendments (FTC); ArentFox Schiff: The Development of AI and Protecting Student Data Privacy (2025); Future of Privacy Forum: Vetting Generative AI Tools for Use in Schools (October 2024); NEA: Federal Regulations Related to Artificial Intelligence (June 2025).


Key Data Points

  • States adopting NAIC AI Model Bulletin: 23 + D.C. (NAIC / McDermott Will & Emery, 2025)
  • States in NAIC AI Evaluation Tool pilot: 12 (NAIC, January 2026)
  • Health insurers using or planning AI: 92% (NAIC survey data, 2025)
  • Health insurers not regularly testing AI for bias: ~33% (Fenwick, 2025)
  • HHS proposed rule, AI inventory requirement: written inventory of all AI touching ePHI (Federal Register 2024-30983, January 2025)
  • SEC 2026 exam priority: AI accuracy and “AI washing” (SEC Division of Examinations, 2026)
  • SOX shift: static documentation → continuous verification (KnowCraft Analytics / SafePaaS, 2026)
  • COPPA consent shift for education AI: opt-out → opt-in (FTC COPPA 2025 Amendments)
  • Colorado AI Act insurance effective date: June 30, 2026 (Colorado SB 24-205)
  • SEC AI washing enforcement precedent: Presto Automation settlement (SEC, 2025)

What This Means for Your Organization

The GC who hears “the Colorado AI Act applies to you” in a briefing and immediately asks “what about HIPAA?” or “what about SOX?” is asking the right question. The horizontal AI laws create a baseline governance obligation. The industry-specific regulations create a second layer that is more prescriptive, more examined, and — in the case of HIPAA and insurance — more frequently enforced.

The practical path is not four separate compliance programs. It is one governance framework — built to the strictest horizontal standard — with a vertical overlay for each regulated industry where the company operates. Each overlay adds 10-20 hours of GC time, not a new department.

The quarter-by-quarter sequence: horizontal governance framework first (the regulatory quick-reference maps this), then the relevant vertical overlay (this document), then ongoing monitoring as proposed rules finalize and state-level enforcement intensifies. If your organization operates in a regulated vertical and the intersection of AI and industry regulation raises questions specific to your situation, I am available for that conversation — brandon@brandonsneider.com.

Sources

  1. HHS Proposed HIPAA Security Rule Update. Federal Register, Document 2024-30983, January 6, 2025. Primary source — proposed federal regulation. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information

  2. HHS Section 1557 Final Rule on Non-Discrimination. HHS Office for Civil Rights, effective January 2026. Primary source — finalized federal regulation. Referenced in Reed Smith: HHS Recent Guidance on AI Use in Health Care (2025). https://www.reedsmith.com/our-insights/blogs/health-industry-washington-watch/102k29k/hhs-recent-guidance-on-ai-use-in-health-care/

  3. SEC Division of Examinations 2026 Priorities. U.S. Securities and Exchange Commission, 2026. Primary source — federal regulatory guidance. Referenced in D&O Diary: Guest Post: AI, the SEC, and the 2026 Reporting Season (February 2026). https://www.dandodiary.com/2026/02/articles/artificial-intelligence/guest-post-ai-the-sec-and-the-2026-reporting-season/

  4. SEC Investor Advisory Committee AI Disclosure Recommendation. SEC IAC, December 2025. Primary source — federal advisory committee vote. Not binding, but influential on examiner priorities. https://www.dandodiary.com/2025/12/articles/securities-laws/sec-investor-advisory-committee-recommends-ai-related-disclosure-guidelines/

  5. NAIC Model Bulletin on Use of AI Systems by Insurers. National Association of Insurance Commissioners, December 2023. Primary source — model regulation. https://content.naic.org/sites/default/files/cmte-h-big-data-artificial-intelligence-wg-map-ai-model-bulletin.pdf

  6. McDermott Will & Emery. “State Regulators Address Insurers’ Use of AI: 11 States Adopt NAIC Model Bulletin.” 2025. Law firm analysis — independent, credible. https://www.mcdermottlaw.com/insights/state-regulators-address-insurers-use-of-ai-11-states-adopt-naic-model-bulletin/

  7. Fenwick. “Tracking the Evolution of AI Insurance Regulation.” 2025. Law firm analysis — independent, comprehensive tracker. https://www.fenwick.com/insights/publications/tracking-the-evolution-of-ai-insurance-regulation

  8. FERPA (20 U.S.C. § 1232g) and U.S. Department of Education Dear Colleague Letter. April 2025. Primary source — federal statute and agency guidance.

  9. ArentFox Schiff. “The Development of AI and Protecting Student Data Privacy.” 2025. Law firm analysis — independent. https://www.afslaw.com/perspectives/ai-law-blog/the-development-ai-and-protecting-student-data-privacy

  10. Future of Privacy Forum. “Vetting Generative AI Tools for Use in Schools.” October 2024. Independent nonprofit analysis — high credibility. https://fpf.org/wp-content/uploads/2024/10/Ed_AI_legal_compliance.pdf_FInal_OCT24.pdf

  11. NEA. “Federal Regulations Related to Artificial Intelligence.” June 2025. Professional association analysis. https://www.nea.org/sites/default/files/2025-06/5.1-ai-policy-overview-of-federal-regulations-final.pdf

  12. Colorado SB 24-205. Colorado General Assembly, May 2024. Effective June 30, 2026 (pending legislative revision). Primary source — state statute.

  13. Ankura. “Proposed Changes to HIPAA Security Rule.” 2025. Consulting firm analysis — independent. https://ankura.com/insights/proposed-changes-to-hipaa-security-rule-strengthening-cybersecurity-for-electronic-protected-health-information

  14. RubinBrown. “HIPAA Security Rule Changes: 2025 & 2026 Updates.” 2025. Accounting/advisory firm analysis — independent. https://www.rubinbrown.com/insights-events/insight-articles/hipaa-security-rule-changes-2025-2026-hipaa-updates/


Brandon Sneider | brandon@brandonsneider.com | March 2026