TL;DR: Regulated industries are adopting AI faster than they can prove governance, security, and compliance in live environments, and only 44% of AI proofs of concept had reached production as of early 2025, according to the article’s cited research. The real bottleneck is evidence, not model quality, because legacy controls were not built for conversational AI or runtime policy enforcement.
NHIMG editorial — based on content published by WitnessAI: AI governance for regulated industries and the production gap
By the numbers:
- Only 44% of AI proofs of concept had reached production as of early 2025.
- Gartner predicted 30% of generative AI projects would be abandoned after proof of concept by end of 2025.
- A survey of 3,235 business and IT leaders across 24 countries found that governance is central to successfully scaling AI.
Questions worth separating out
Q: How should regulated industries move AI from pilot to production without losing control?
A: They should require auditable governance before scale, not after it.
Q: Why do traditional security controls fail for conversational AI in regulated environments?
A: Because they were built for static content and fixed destinations, not for interactions that change context, invoke tools, and trigger actions.
Q: How do organisations know if AI governance is strong enough for regulators?
A: They know it is working when they can produce repeatable evidence of enforcement, not just written policy.
Practitioner guidance
- Build production evidence before expanding scope: Require every regulated AI deployment to produce auditable proof of governance, policy enforcement, and human accountability before broad rollout.
- Replace content-only controls with context-aware policy: Move from file and web inspection to intent-based enforcement that can evaluate prompts, tool calls, and response handling in the same session.
- Map controls to named frameworks early: Anchor the programme to NIST AI RMF and ISO/IEC 42001 so compliance teams can trace governance, measurement, and management evidence back to recognised structures.
What's in the full article
WitnessAI's full article covers the operational detail this post intentionally leaves for the source:
- The article’s breakdown of EU AI Act, DORA, U.S. oversight, and NIST AI RMF overlap in regulated deployments
- The vendor’s examples of production AI use in financial services, healthcare, government, and energy
- The control architecture for bidirectional inspection, intent-based policy, and runtime enforcement
- The staged path from discovery to policy encoding to graduated enforcement in live AI environments
👉 Read WitnessAI’s analysis of AI governance in regulated industries →
AI in regulated industries: where governance breaks at production?
Explore further
Governance evidence is now the production gate for regulated AI. The article shows that technical readiness has outpaced proof of control, which is why pilot programmes stall before broad rollout. Risk committees and compliance teams are no longer asking whether AI can work, but whether it can be shown to work inside the existing control environment. Practitioners should treat evidence generation as a deployment prerequisite, not a later validation step.
A few things that frame the scale:
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: What is the difference between AI risk management and AI runtime defence?
A: AI risk management defines the governance structure, measures obligations, and assigns accountability. AI runtime defence applies those rules during live interactions by inspecting prompts, responses, and actions before they create harm. Regulated organisations need both, but runtime defence is what turns policy into enforceable behaviour.
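As an added example (not code from WitnessAI or the original post), a minimal session-scoped policy enforcement point in Python: it evaluates prompts, tool calls and responses against the same session context and writes an audit record for every decision, which is the "repeatable evidence of enforcement" the editorial asks for. The account-number pattern, the tool names and the export rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# Constructed policy for illustration (not WitnessAI's product logic): once a session
# has handled a customer account number, export tool calls in that session are denied.
ACCOUNT_RE = re.compile(r"\bACCT-\d{6}\b")          # hypothetical identifier format
EXPORT_TOOLS = {"send_email", "upload_file"}       # hypothetical tool names

@dataclass
class Session:
    session_id: str
    actor: str
    saw_account_data: bool = False                   # context carried across turns
    audit: list = field(default_factory=list)        # the enforcement evidence

def _decide(session, stage, decision, reason, detail):
    """Append one auditable decision record and return the decision."""
    session.audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "session": session.session_id, "actor": session.actor,
        "stage": stage, "decision": decision, "reason": reason,
        "detail": ACCOUNT_RE.sub("[REDACTED]", detail),  # never log the raw value
    })
    return decision

def evaluate(session, stage, payload):
    """Evaluate one event (prompt, tool_call or response) in session context."""
    if stage == "prompt":
        if ACCOUNT_RE.search(payload):
            session.saw_account_data = True
            return _decide(session, stage, "allow", "regulated data noted; session flagged", payload)
        return _decide(session, stage, "allow", "no regulated data detected", payload)
    if stage == "tool_call":
        name = payload["name"]
        if name in EXPORT_TOOLS and session.saw_account_data:
            return _decide(session, stage, "deny", "export tool after regulated data in session", name)
        return _decide(session, stage, "allow", "tool permitted in current context", name)
    if stage == "response":
        if ACCOUNT_RE.search(payload):
            return _decide(session, stage, "redact", "account number in model output", payload)
        return _decide(session, stage, "allow", "response contains no regulated data", payload)
    return _decide(session, stage, "deny", "unknown stage", str(payload))

def demo_session():
    # Constructed three-turn session: prompt, tool call, response.
    s = Session("sess-001", "analyst@example.test")
    evaluate(s, "prompt", "Summarise the dispute history for ACCT-123456")
    evaluate(s, "tool_call", {"name": "send_email", "args": {"to": "partner@example.test"}})
    evaluate(s, "response", "Account ACCT-123456 has two open disputes.")
    return s
```

A content-only filter would pass the send_email call, since nothing in its arguments is sensitive; the session context is what turns it into a denial, and the audit list is the artefact a compliance reviewer can inspect.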
👉 Read our full editorial: AI governance for regulated industries still fails at production