Regulated AI Companies

Yes, any AI vendor that handles Protected Health Information on behalf of a covered entity is a Business Associate under HIPAA, and the BAA is the precondition for the relationship. The BAA imposes the HIPAA Security Rule on you directly: encryption, access controls, breach notification, and subcontractor flow-down. Hospitals will not deploy your product without one, and most enterprise procurement teams now require BAA review before evaluating clinical fit.

The employer carries the legal duty under NYC Local Law 144, but the bias audit is unworkable without your data, your model documentation, and your scoring methodology. Practical reality: you cooperate, contractually commit to it, and price the cooperation into your contract. Most enterprise customers now require a vendor commitment to deliver audit-ready data on a defined cadence; pushing back stalls the deal.

Your AI is a medical device when it is intended for medical purposes (diagnosis, treatment, mitigation, prevention) without being part of a hardware device. The FDA's Software as a Medical Device framework treats most AI/ML clinical decision support as SaMD, with 510(k) clearance the most common pathway against a predicate device and De Novo for novel low-to-moderate risk software. The classification turns on intended use as you market it, not on what the model can technically do.

The Federal Reserve, OCC, and FDIC rescinded the 2011 model-risk guidance (SR 11-7) and replaced it with a principles-based framework (SR 26-2) explicitly addressing generative and agentic AI. Practical impact: validation expectations now apply to LLM-based tools that the 2011 framework treated ambiguously, third-party model attestations expand, and the agencies have committed to issuing further AI-specific guidance. Banks and their fintech AI vendors share the validation burden in every exam cycle.

When an insurer in an adopting state contracts with you, the NAIC Model Bulletin requires that insurer to maintain a documented AI Systems Program covering every AI used, including yours. The insurer pushes the documentation request, audit rights, and incident reporting downstream to you. Roughly twenty-four states have adopted the bulletin, and the NAIC's 2026 multistate AI Evaluation Tool pilot signals broader market-conduct examination attention.

The October 2024 NYDFS industry letter directs New York-licensed Covered Entities to assess AI cybersecurity risks, including third-party vendor risk passed downstream to you. The bank is the regulated party but cannot satisfy the assessment without your access controls documentation, supply-chain attestations, and monitoring artifacts. Expect the letter's expectations to surface in your contract as cooperation obligations, audit rights, and incident-notification windows.

Federal courts now allow AI hiring vendors and employers to be named in the same discrimination action, following Mobley v. Workday in the Northern District of California. The May 2025 collective-action certification treated the AI vendor as an "agent" of the employer for liability purposes; Harper v. Sirius XM and follow-on cases extend the pattern. The practical effect: your customer agreement must allocate this risk explicitly through indemnification, cooperation, and dispute-resolution provisions, not leave it to default agency law.

The employer is the legal target under the ADA and Title VII, but recent class actions name the AI vendor and employer together when the model rejects accommodations. Under federal disparate-impact theory still in force, an employer remains liable even if the discriminatory outcome was produced by a third-party tool, and the vendor's contractual indemnity becomes the deciding factor in who absorbs cost. Meaningful human review on every adverse decision is the regulator's expected baseline.

Under Colorado SB 24-205, a high-risk AI deployer must complete an impact assessment plus implement a risk-management policy modeled on a recognized framework like NIST AI RMF. The impact assessment covers purpose, intended outputs, training-data summary, performance metrics, and known risks of algorithmic discrimination. The statute originally took effect February 1, 2026; SB25B-004 delayed it to June 30, 2026. The Generative AI Profile released July 2024 covers gen-AI-specific risks.

Yes, the Equal Credit Opportunity Act and Regulation B prohibit creditor practices with a disparate impact on protected classes regardless of whether a human or AI made the decision. Federal banking regulators (Fed, OCC, FDIC) and the CFPB treat algorithmic discrimination in lending as a current enforcement priority; the U.S. Treasury's AI in Financial Services report flags adverse-action notice, model documentation, and explainability as live exam topics. Vendor model attestations become part of your customer's defense file.

Yes, all three are now standard for AI vendors selling into regulated buyers; pushing back on the principle stalls deals, and the negotiation lives in scope and dollar caps. Audit rights typically narrow to once-yearly with reasonable notice and confidentiality. Indemnification is capped at the higher of fees-paid or a negotiated dollar floor, with carve-outs for IP infringement and gross negligence. Regulator-cooperation provisions specify defined notice windows, attorney-direction, and reasonable-expense reimbursement.

Both pages can fit; many AI companies straddle, and the right starting point depends on your near-term cost driver. This page is the right home if sector-specific compliance is the constraint: HIPAA BAAs, NAIC documentation, FDA classification, or NYC bias audits, with regulated buyers gating procurement. The AI & Generative AI Companies page is the right home if training-data exposure, output liability, IP cap-table cleanup for investors, or AI-specific regulatory frameworks (EU AI Act, California SB 942, generic high-risk Colorado rules) are the constraint. The strategy call covers both paths if you straddle.