How to implement AI in regulated industries

Knowledge
Written By Kimia Kiser

AI is moving deeper into the core systems of organisations. Banks are exploring new ways to detect fraud, hospitals are using clinical-decision tools, and law firms are testing AI assistants for research and documentation. The momentum is real, but so are the constraints. Regulated industries do not have the luxury of experimenting freely. Their systems carry legal obligations, operational risks, and responsibilities that cannot be delegated to vendors or hidden behind technical complexity.

What makes implementation difficult is not the technology itself. It is the interplay between regulation, governance and day-to-day operations. When you look at the guidance from European and Swiss authorities and the experiences of organisations that are already deploying these systems, a clearer picture emerges of what actually matters.

1. Start with the environment, not the model

A consistent message from regulators and research institutions is that oversight begins with context. Whether it is the European Data Protection Board, the Swiss Federal Data Protection and Information Commissioner or sector-specific bodies such as FINMA and the European Medicines Agency, the emphasis is the same. Implementation must begin with understanding how the system fits into existing processes, where sensitive data is handled, and what type of decisions are influenced.

In legal, financial services and healthcare, this context carries weight. These industries operate under strict rules around confidentiality, traceability and the handling of personal or clinical information. AI systems placed inside these environments must adapt to the operational reality, not the other way around.

2. Build an architecture that can be explained and audited

The architecture behind AI systems determines whether they will stand up to regulatory scrutiny. Guidance from authorities in Europe and Switzerland points to several recurring expectations. Data pipelines must be traceable, access must be controlled, and the behaviour of the system must be observable through logging. In finance, this is reinforced through ICT risk requirements and model governance expectations. In healthcare, agencies focus on understanding how data moves and how recommendations are generated.

What this means in practice is that organisations need infrastructure capable of showing where data originated, how it was processed and how outputs were formed. Without this, even well-performing systems can become difficult to defend.

3. Treat governance as an operational function

Strong governance is not the same as writing policies. Regulators expect companies to demonstrate how oversight works in practice. This includes who is responsible for which decisions, how exceptions are handled and how risks are monitored over time. Studies from OECD, Stanford and various industry bodies show that organisations in regulated sectors often struggle not with the principles of governance, but with integrating those principles into their actual workflows.

In regulated industries, governance must be part of operations. Committees need clear mandates. Owners of AI systems must know what they are accountable for. Escalation paths must be defined rather than assumed. Without this clarity, even compliant policies lose their grounding.

4. Align implementation with the rules that apply to your sector

Although AI regulation is becoming more harmonised, the specific requirements differ by industry. Banks must align AI with FINMA guidance on ICT risk, outsourcing and operational resilience. Healthcare organisations must reflect the expectations of the European Medicines Agency and the ethical frameworks published by global health institutions. Legal teams must ensure that AI tools handling client data meet the standards of confidentiality, privacy and auditable decision-making.

Switzerland adds another layer with the CH-DSG and sector-specific industry expectations, particularly around data protection and data localisation. These rules do not forbid innovation, but they shape it. Successful implementations treat regulation as part of the design process, not as a final step.

5. Work incrementally and keep the system alive

Large transformations often fail in regulated environments because they demand more change than the organisation can absorb at once. This is why many regulators emphasise iterative implementation. AI systems evolve, data changes, and contexts shift. Oversight has to evolve with them.

Documentation needs to be maintained continuously, not written once and forgotten. Monitoring should reflect real use rather than theoretical scenarios. And as more departments adopt AI tools, governance and processes need to adapt so that visibility is preserved across the organisation.

The companies that succeed are usually the ones that take a steady and transparent approach. They build the foundation first, test in controlled environments and expand when the organisation demonstrates readiness.

A path that is rigorous but workable

Implementing AI in regulated industries is demanding because the stakes are high. Yet when you look at the guidance from regulators and the experiences of early adopters, the themes are consistent and practical. Understand the environment you operate in. Build systems that can be explained and defended. Integrate governance into daily operations. Reflect the specific rules of your industry. And maintain the system over time rather than treating compliance as a one-time effort.

Regulation does not eliminate the opportunity to innovate. It shapes how innovation can be used safely in places where trust, accountability and human impact matter most.

Kimia Kiser
Next

Purpose, persistence and the future of fashion tech