A bank, a pharma company, and a government agency walk into an agent deployment. They share more controls than they think — and differ in ways that matter. Here is the playbook that satisfies all three sets of regulators with one engineering effort.
The shared core
Across regulated industries, five controls show up in every framework:
- Validated lifecycle — agents go through documented gates from idea to retirement. See governance framework.
- Audit completeness — every decision reproducible from logs. See audit trails.
- Vendor management — every subprocessor known, contracted, monitored.
- Change control — prompt and model changes go through a board-approved workflow.
- Human oversight — irreversible actions require human approval.
If your stack covers all five, you are 70% of the way to compliance in any specific framework.
Banking: the differentiators
Three controls beyond the shared core:
Model risk management (SR 11-7, equivalents)
Every model in production has a documented risk assessment, validation evidence, and ongoing monitoring. Treat the LLM as a model under the policy.
Stress testing
Agents that touch credit, lending, or trading must show behaviour under stress scenarios. Build the eval suite to include them.
Conduct rules
The agent must not provide advice that breaches conduct (suitability, fairness). Constrain at the prompt and validate at the eval.
Agents that touch retail customers face the most scrutiny; B2B internal use is lighter.
Pharma: the differentiators
Three controls beyond the shared core:
GxP validation
If the agent influences clinical, manufacturing, or pharmacovigilance work, it falls under GxP. Documented validation, change control logs, electronic signatures.
21 CFR Part 11
For US-regulated work: signed audit logs, controlled access, validated time stamps.
Adverse event reporting
If the agent touches patient interactions, it must recognise and report adverse events. This is operationally hard and often the gating issue.
Pharma is the strictest in terms of validation rigour. Plan months, not weeks.
Government: the differentiators
Three controls beyond the shared core:
Procurement clearance
FedRAMP, IL5, GovCloud, Cyber Essentials Plus, ENS, and equivalents. The agent stack must be on the approved list.
Specific use restrictions
Some jurisdictions ban specific use cases (biometric inference in public spaces in the EU, predictive policing in some US cities).
Public-records obligations
Government agent decisions may be subject to FOIA-style disclosure. Build the audit log assuming it will be released to the public.
Procurement is usually the long pole; technical readiness comes second.
A unified architecture
The playbook that satisfies all three:
controlled lifecycle (gated, board-approved)
↓
agent runs with:
• workload identity (per-agent SSO; see SSO patterns)
• narrowed scopes per use case
• validation suite gates every change
• audit log to immutable store
• human approval for every irreversible action
↓
quarterly:
• control attestation
• risk register refresh
• independent validation review
The same primitives, configured for each industry's specifics.
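The runtime half of the architecture above (narrowed scopes, human approval for irreversible actions, tamper-evident audit log), as an added Python example that is not part of the original playbook. The agent id, action names, approver, signing key and timestamps are constructed, and an HMAC chain stands in for the immutable store.

```python
import hashlib, hmac, json
SIGNING_KEY = b"constructed-demo-key"  # assumption: real key is held in a KMS/HSM
GENESIS = "0" * 64  # "previous MAC" value for the first entry

class AuditLog:
    """Append-only log; each entry's MAC also covers the previous entry's MAC."""
    def __init__(self, key=SIGNING_KEY):
        self.key, self.entries = key, []

    def _mac(self, body):
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, **fields}
        self.entries.append({**body, "mac": self._mac(body)})

    def verify(self):
        """Return the index of the first invalid entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            ok = hmac.compare_digest(e["mac"], self._mac(body))
            if e["seq"] != i or e["prev"] != prev or not ok:
                return i
            prev = e["mac"]
        return -1

def run_action(log, agent_id, scopes, action, irreversible, approver, ts):
    """Decide, then log the decision whether or not the action proceeds."""
    if action not in scopes:
        decision = "denied:out_of_scope"
    elif irreversible and not approver:
        decision = "denied:needs_human_approval"
    else:
        decision = "allowed"
    log.append(ts=ts, agent_id=agent_id, action=action,
               decision=decision, approver=approver)
    return decision

def demo():
    """Constructed sample: one agent, two scopes, four requests."""
    log, scopes = AuditLog(), {"read_account", "close_account"}
    calls = [("read_account", False, None), ("close_account", True, None),
             ("close_account", True, "j.doe"), ("wire_funds", True, "j.doe")]
    results = [run_action(log, "agent-7", scopes, a, irr, who, 1735725600 + i)
               for i, (a, irr, who) in enumerate(calls)]
    return log, results
```

A MAC chain detects edits and reordering but not truncation of the tail, so the latest MAC should be anchored in the immutable store or with a second party.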
Vendor stack matrix
Every subprocessor needs an evidence file:
- Model vendor — BAA / DPA, residency, SOC2, SR 11-7-aligned validation evidence.
- Cloud — sector compliance (FedRAMP for gov, HITRUST for healthcare).
- MCP servers — case-by-case; many do not have the certifications yet.
- Observability — residency, SOC2.
- Memory store — encryption attestation.
Maintain a vendor matrix; refresh quarterly. Auditors love it.
Validation pattern
All three industries need a documented validation covering:
- Functional — the agent does what its specification says.
- Behavioural — how it handles edge cases (eval suite).
- Adversarial — red-team output. See red teaming agents.
- Performance — meets latency and reliability SLOs.
- Compliance — meets the framework's specific controls.
A passing validation closes most audit findings before they open.
Operating model
Three roles, regardless of industry:
- Agent Sponsor (business) — accountable for outcomes.
- Agent Operator (engineering) — accountable for operations.
- Agent Compliance Officer — accountable for the regulatory posture.
In banking, the Compliance Officer often sits in second-line risk. In pharma, in QA. In government, in procurement / privacy. Same function, different hat.
What does NOT scale across industries
- Generic AI policies — each industry's vocabulary and emphasis differ.
- One eval suite — sector-specific scenarios are required.
- Same auditor — sector-specialist auditors save time.
Common mistakes
- Treating MVP as production — regulated industries do not have MVP.
- Skipping validation cadence — quarterly minimum, not "at launch".
- No sector-specific controls — the shared core is necessary but not sufficient.
- Underestimating procurement — government especially.
Where this is heading
Three trends by 2027: industry-specific MCP server certifications (FinMCP, ClinMCP, GovMCP-style), shared sector eval suites, and pre-validated agent platforms blessed by industry consortia. Build the unified core; specialise per sector.